Perform Quarantine/UnQuarantine Host Action on Asset

For API version information, refer to the API Version History section.

Non-Versioned | V1.0

Non-Versioned

This API allows you to perform quarantine or unquarantine host action on selected assets. 

POST/ioc/remediation-actions/quarantineHost

Input Parameters for Quarantine/UnQuarantine Host Action on AssetInput Parameters for Quarantine/UnQuarantine Host Action on Asset

Input Parameter

Mandatory/Optional

Format

Description

Authorization

Mandatory

String

Authorization parameter authenticates the Qualys Enterprise TruRisk™  Platform. Prepend token with "Bearer" and a space.

For example: Bearer authToken
remediationSource Mandatory  String This is the source for the remediation. For example, EDR. 
user Mandatory String The name of the user executing the action. For example, John Doe.
userId Mandatory String A unique identifier assigned to the user.
For example, "qaedr_jd".
comment Mandatory String A short comment describing the action taken. For example, "QH".
requestTime Mandatory String (ISO 8601 Date-Time) The timestamp indicates when the request was made.
For example, "2024-12-12T04:52:39.711Z".
assetActionParameter Mandatory Object (contains asset actions) This includes parameters related to the action performed on the asset (e.g., quarantine).
assetActionParameter.assetActions Mandatory Array of Objects A list of actions taken on assets; for instance, this case includes a quarantine action for the host.
assetActionParameter.assetActions.
eventId		 Mandatory String A unique identifier assigned to the event. 
For example, "9589ad4e-670a-460a-8d69-43184b3df1a7".
assetActionParameter.assetActions.
action		 Mandatory String Action to be taken on the asset. For example,  "QUARANTINE_HOST" (the asset is being quarantined).
assetActionParameter.assetActions.
agentId		 Mandatory String A unique identifier for the agent associated with the event. For example, "9589ad4e-670a-460a-8d69-43184b3df1a7".
assetActionParameter.assetActions.
eventType		 Mandatory String The event type. For example, 'AGENT' indicating an event was triggered by an agent.
assetActionParameter.assetActions.
overrideConfig		 Optional Boolean Specifies the flag to override the configuration if needed. For example, set to true, in this case.

assetActionParameter.assetActions.
agentVersion

 Mandatory String The version of the agent executing the action. For example, "5.5.25.0".
assetActionParameter.hostConfig Optional Object This is the configuration related to the affected host, including exclusion settings and notifications. 
assetActionParameter.hostConfig.
excludedWhitelistingConfig		 Optional Object This contains configuration details for excluded allowed-list applications, IPs, and domains.
assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedApplicationsConfigs		 Optional Array of Objects This is a list of applications to exclude from quarantine checks, including their path and platform. 
assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedApplicationsConfigs.
applicationPath		 Mandatory String The file path of the excluded application. For example, "asdfasf". 
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedApplicationsConfigs.platform		 Mandatory Integer The platform type for the exclusion. For example, 1. Here, platform type 1 is assumed to refer to a specific operating system (OS).
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedIpConfigs		 Optional Array of Objects  This is a list of IP configurations to be excluded from quarantine, which includes the IP address, subnet mask, and type.
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedIpConfigs.ipAddress		 Mandatory String The IP address of the excluded host. For example, "X0.1X.XX1.00".
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedIpConfigs.subnetMask		 Mandatory String The subnet mask for the IP exclusion. For example, "255.255.255.255".
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedIpConfigs.platform		 Mandatory Integer The platform type for the exclusion. For example, 1.  (1 is referring to a specific OS).
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedIpConfigs.type		 Mandatory String The type of IP (IPv4/IPv6). For example, "v4".
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedDomainConfigs		 Optional Array of Objects This is a list of domain configurations to be excluded from quarantine checks, which includes the domain and platform.
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedDomainConfigs.domain		 Mandatory String The domain to exclude from quarantine. For example, "tradingview.com".
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedDomainConfigs.platform		 Mandatory Integer The platform type for the exclusion. For example, 1. (1 is referring to a specific OS).
 assetActionParameter.hostConfig.
quarantineAssetNotifications		 Mandatory Object Notifications related to the quarantined asset.
 assetActionParameter.hostConfig.
quarantineAssetNotifications.title		 Mandatory String Title of the quarantine notification. For example, "QH".
 assetActionParameter.hostConfig.
quarantineAssetNotifications.
description		 Mandatory String Description of the notification. For example, "quarantined".
 assetActionParameter.hostConfig.
quarantineAssetNotifications.platform		 Mandatory Integer The platform type for the notification. For example, 1. (1 is referring to a specific OS).
 assetActionParameter.hostConfig.
quarantineAssetNotifications.emailIdList		 Optional String A list of email addresses to notify. For example, "abc@qualys.com".
 assetActionParameter.hostConfig.
quarantineAssetNotifications.phoneNo		 Optional String A phone number to notify. For example, "1234567890".
 moduleMetadata Optional String Metadata related to the module. For example, "Quarantine Host".

Prerequisites

  • Linux Cloud Agent: 6.0.0.0.x and above
  • Windows Cloud Agent: 4.9.0.x and above

If the prerequisites for Quarantine/UnQuarantine Host Action on Asset API are not met, the process might be stuck in the In-Progress or Failed state.

Sample - Quarantine/UnQuarantine Host Action on AssetSample - Quarantine/UnQuarantine Host Action on Asset

API request

curl -X POST "<qualys_base_url>/ioc/remediation-actions/performQuarantineHostAction?<user=username&userId=XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX>" --header "accept: */*" --header "Authorization: Bearer <token>"-H "Content-Type: application/json" -d "<JSON payload>"  

Sample JSON Payload

{
  "remediationSource": "EDR",
  "user": "John Doe",
  "userId": "qaedr_jd",
  "comment": "QH",
  "requestTime": "2024-12-12T04:52:39.711Z",
  "assetActionParameter": {
    "assetActions": [
      {
        "eventId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "action": "QUARANTINE_HOST",
        "agentId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "eventType": "AGENT",
        "overrideConfig": true,
        "agentVersion": "5.5.25.0"
      }
    ],
    "hostConfig": {
      "excludedWhitelistingConfig": {
        "excludedApplicationsConfigs": [
          {
            "applicationPath": "asdfasf",
            "platform": 1
          },
          {
            "applicationPath": "asdfasf",
            "platform": 1
          }
        ],
        "excludedIpConfigs": [
          {
            "ipAddress": "X0.1X.XX1.00",
            "subnetMask": "255.255.255.255",
            "platform": 1,
            "type": "V4"
          }
        ],
        "excludedDomainConfigs": [
          {
            "domain": "tradingview.com",
            "platform": 1
          }
        ]
      },
      "quarantineAssetNotifications": {
        "title": "QH",
        "description": "quarantined",
        "platform": 1,
        "emailIdList": "jd@example.com",
        "phoneNo": "1234567890"
      }
    }
  },
  "moduleMetadata": "cfsdfsfdgfdsg"
} 
 

Response

{
  "requestId": "cdbf7081-7e94-484a-bf53-6ca00c4d9cd4",
  "message": "Request created successfully and its in progress",
  "responseCode": 1009,
  "remark": "QH",
  "status": "queued"
}

Response Field DescriptionsResponse Field Descriptions

Dataset Name

Field Name

Data Type

Description
remediation-actions     requestID String The unique identifier for the request.
  message String A message providing information about the status or progress of the request.
  responseCode Integer A numerical code representing the response status.
  remark String A brief remark or comment related to the request.
  status String The current status of the request (e.g., "queued", "in progress").

V1.0

This API allows you to perform quarantine or unquarantine host action on selected assets. 

POST/ioc/v1/remediation-actions/quarantineHost

Input Parameters for Quarantine/UnQuarantine Host Action on AssetInput Parameters for Quarantine/UnQuarantine Host Action on Asset

Input Parameter

Mandatory/Optional

Format

Description

Authorization

Mandatory

String

Authorization parameter authenticates the Qualys Enterprise TruRisk™  Platform. Prepend token with "Bearer" and a space.

For example: Bearer authToken
remediationSource Mandatory  String This is the source for the remediation. For example, EDR. 
user Mandatory String The name of the user executing the action. For example, John Doe.
userId Mandatory String A unique identifier assigned to the user.
For example, "qaedr_jd".
comment Mandatory String A short comment describing the action taken. For example, "QH".
requestTime Mandatory String (ISO 8601 Date-Time) The timestamp indicates when the request was made.
For example, "2024-12-12T04:52:39.711Z".
assetActionParameter Mandatory Object (contains asset actions) This includes parameters related to the action performed on the asset (e.g., quarantine).
assetActionParameter.
assetActions		 Mandatory Array of Objects A list of actions taken on assets; for instance, this case includes a quarantine action for the host.
assetActionParameter.
assetActions.eventId		 Mandatory String A unique identifier assigned to the event. 
For example, "9589ad4e-670a-460a-8d69-43184b3df1a7".
assetActionParameter.
assetActions.action		 Mandatory String Action to be taken on the asset. For example,  "QUARANTINE_HOST" (the asset is being quarantined).
assetActionParameter.
assetActions.agentId		 Mandatory String A unique identifier for the agent associated with the event. For example, "9589ad4e-670a-460a-8d69-43184b3df1a7".
assetActionParameter.assetActions.
eventType		 Mandatory String The event type. For example, 'AGENT' indicating an event was triggered by an agent.
assetActionParameter.assetActions.
overrideConfig		 Optional Boolean Specifies the flag to override the configuration if needed. For example, set to true, in this case.
assetActionParameter.assetActions.
agentVersion		 Mandatory String The version of the agent executing the action. For example, "5.5.25.0".
assetActionParameter.hostConfig Optional Object This is the configuration related to the affected host, including exclusion settings and notifications. 
assetActionParameter.hostConfig.
excludedWhitelistingConfig		 Optional Object This contains configuration details for excluded allowed-list applications, IPs, and domains.
assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedApplicationsConfigs		 Optional Array of Objects This is a list of applications to exclude from quarantine checks, including their path and platform. 
assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedApplicationsConfigs.
applicationPath		 Mandatory String The file path of the excluded application. For example, "asdfasf". 
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedApplicationsConfigs.platform		 Mandatory Integer The platform type for the exclusion. For example, 1. Here, platform type 1 is assumed to refer to a specific operating system (OS).
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedIpConfigs		 Optional Array of Objects  This is a list of IP configurations to be excluded from quarantine, which includes the IP address, subnet mask, and type.
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedIpConfigs.ipAddress		 Mandatory String The IP address of the excluded host. For example, "X0.1X.XX1.00".
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedIpConfigs.subnetMask		 Mandatory String The subnet mask for the IP exclusion. For example, "255.255.255.255".
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedIpConfigs.platform		 Mandatory Integer The platform type for the exclusion. For example, 1.  (1 is referring to a specific OS).
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedIpConfigs.type		 Mandatory String The type of IP (IPv4/IPv6). For example, "v4".
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedDomainConfigs		 Optional Array of Objects This is a list of domain configurations to be excluded from quarantine checks, which includes the domain and platform.
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedDomainConfigs.domain		 Mandatory String The domain to exclude from quarantine. For example, "tradingview.com".
 assetActionParameter.hostConfig.
excludedWhitelistingConfig.
excludedDomainConfigs.platform		 Mandatory Integer The platform type for the exclusion. For example, 1. (1 is referring to a specific OS).
 assetActionParameter.hostConfig.
quarantineAssetNotifications		 Mandatory Object Notifications related to the quarantined asset.
 assetActionParameter.hostConfig.
quarantineAssetNotifications.title		 Mandatory String Title of the quarantine notification. For example, "QH".
 assetActionParameter.hostConfig.
quarantineAssetNotifications.
description		 Mandatory String Description of the notification. For example, "quarantined".
 assetActionParameter.hostConfig.
quarantineAssetNotifications.
platform		 Mandatory Integer The platform type for the notification. For example, 1. (1 is referring to a specific OS).
 assetActionParameter.hostConfig.
quarantineAssetNotifications.
emailIdList		 Optional String A list of email addresses to notify. For example, "abc@qualys.com".
 assetActionParameter.hostConfig.
quarantineAssetNotifications.phoneNo		 Optional String A phone number to notify. For example, "1234567890".
 moduleMetadata Optional String Metadata related to the module. For example, "Quarantine Host".

Prerequisites

  • Linux Cloud Agent: 6.0.0.0.x and above
  • Windows Cloud Agent: 4.9.0.x and above

If the prerequisites for Quarantine/UnQuarantine Host Action on Asset API are not met, the process might be stuck in the In-Progress or Failed state.

Sample - Quarantine/UnQuarantine Host Action on AssetSample - Quarantine/UnQuarantine Host Action on Asset

API request

curl -X POST "<qualys_base_url>/ioc/v1/remediation-actions/performQuarantineHostAction?<user=username&userId=XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX>" --header "accept: */*" --header "Authorization: Bearer <token>"-H "Content-Type: application/json" -d "<JSON payload>"  

Sample JSON Payload

{
  "remediationSource": "EDR",
  "user": "John Doe",
  "userId": "qaedr_jd",
  "comment": "QH",
  "requestTime": "2024-12-12T04:52:39.711Z",
  "assetActionParameter": {
    "assetActions": [
      {
        "eventId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "action": "QUARANTINE_HOST",
        "agentId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "eventType": "AGENT",
        "overrideConfig": true,
        "agentVersion": "5.5.25.0"
      }
    ],
    "hostConfig": {
      "excludedWhitelistingConfig": {
        "excludedApplicationsConfigs": [
          {
            "applicationPath": "asdfasf",
            "platform": 1
          },
          {
            "applicationPath": "asdfasf",
            "platform": 1
          }
        ],
        "excludedIpConfigs": [
          {
            "ipAddress": "X0.1X.XX1.00",
            "subnetMask": "255.255.255.255",
            "platform": 1,
            "type": "V4"
          }
        ],
        "excludedDomainConfigs": [
          {
            "domain": "tradingview.com",
            "platform": 1
          }
        ]
      },
      "quarantineAssetNotifications": {
        "title": "QH",
        "description": "quarantined",
        "platform": 1,
        "emailIdList": "jd@example.com",
        "phoneNo": "1234567890"
      }
    }
  },
  "moduleMetadata": "cfsdfsfdgfdsg"
} 
 

Response

{
  "requestId": "cdbf7081-7e94-484a-bf53-6ca00c4d9cd4",
  "message": "Request created successfully and its in progress",
  "responseCode": 1009,
  "remark": "QH",
  "status": "queued"
}

Response Field DescriptionsResponse Field Descriptions

Dataset Name

Field Name

Data Type

Description
remediation-actions     requestID String The unique identifier for the request.
  message String A message providing information about the status or progress of the request.
  responseCode Integer A numerical code representing the response status.
  remark String A brief remark or comment related to the request.
  status String The current status of the request (e.g., "queued", "in progress").

API Version History

The following table depicts the information about the different versions of this API along with the status:

API Version API Status Release Date
/ioc/remediation-actions/quarantineHost Active  
/ioc/v1/remediation-actions/quarantineHost Active May 2025

© 2024 Qualys, Inc. All rights reserved. Privacy Policy.