Perform Quarantine/UnQuarantine Host Action on Asset
For API version information, refer to the API Version History section.
Non-Versioned
This API allows you to perform quarantine or unquarantine host action on selected assets.
Input Parameter | Mandatory/Optional | Format | Description |
---|---|---|---|
Authorization | Mandatory | String | Authorization parameter authenticates the Qualys Enterprise TruRisk™ Platform. Prepend token with "Bearer" and a space. For example: Bearer authToken |
remediationSource | Mandatory | String | This is the source for the remediation. For example, EDR. |
user | Mandatory | String | The name of the user executing the action. For example, John Doe. |
userId | Mandatory | String | A unique identifier assigned to the user. For example, "qaedr_jd". |
comment | Mandatory | String | A short comment describing the action taken. For example, "QH". |
requestTime | Mandatory | String (ISO 8601 Date-Time) | The timestamp indicates when the request was made. For example, "2024-12-12T04:52:39.711Z". |
assetActionParameter | Mandatory | Object (contains asset actions) | This includes parameters related to the action performed on the asset (e.g., quarantine). |
assetActionParameter.assetActions | Mandatory | Array of Objects | A list of actions taken on assets; for instance, this case includes a quarantine action for the host. |
assetActionParameter.assetActions.eventId | Mandatory | String | A unique identifier assigned to the event. For example, "9589ad4e-670a-460a-8d69-43184b3df1a7". |
assetActionParameter.assetActions.action | Mandatory | String | Action to be taken on the asset. For example, "QUARANTINE_HOST" (the asset is being quarantined). |
assetActionParameter.assetActions.agentId | Mandatory | String | A unique identifier for the agent associated with the event. For example, "9589ad4e-670a-460a-8d69-43184b3df1a7". |
assetActionParameter.assetActions.eventType | Mandatory | String | The event type. For example, 'AGENT' indicating an event was triggered by an agent. |
assetActionParameter.assetActions.overrideConfig | Optional | Boolean | Specifies the flag to override the configuration if needed. For example, set to true, in this case. |
assetActionParameter.assetActions.agentVersion | Mandatory | String | The version of the agent executing the action. For example, "5.5.25.0". |
assetActionParameter.hostConfig | Optional | Object | This is the configuration related to the affected host, including exclusion settings and notifications. |
assetActionParameter.hostConfig.excludedWhitelistingConfig | Optional | Object | This contains configuration details for excluded allowed-list applications, IPs, and domains. |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs | Optional | Array of Objects | This is a list of applications to exclude from quarantine checks, including their path and platform. |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs.applicationPath | Mandatory | String | The file path of the excluded application. For example, "asdfasf". |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1. Here, platform type 1 is assumed to refer to a specific operating system (OS). |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs | Optional | Array of Objects | This is a list of IP configurations to be excluded from quarantine, which includes the IP address, subnet mask, and type. |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.ipAddress | Mandatory | String | The IP address of the excluded host. For example, "X0.1X.XX1.00". |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.subnetMask | Mandatory | String | The subnet mask for the IP exclusion. For example, "255.255.255.255". |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1. (1 is referring to a specific OS). |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.type | Mandatory | String | The type of IP (IPv4/IPv6). For example, "v4". |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs | Optional | Array of Objects | This is a list of domain configurations to be excluded from quarantine checks, which includes the domain and platform. |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs.domain | Mandatory | String | The domain to exclude from quarantine. For example, "tradingview.com". |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1. (1 is referring to a specific OS). |
assetActionParameter.hostConfig.quarantineAssetNotifications | Mandatory | Object | Notifications related to the quarantined asset. |
assetActionParameter.hostConfig.quarantineAssetNotifications.title | Mandatory | String | Title of the quarantine notification. For example, "QH". |
assetActionParameter.hostConfig.quarantineAssetNotifications.description | Mandatory | String | Description of the notification. For example, "quarantined". |
assetActionParameter.hostConfig.quarantineAssetNotifications.platform | Mandatory | Integer | The platform type for the notification. For example, 1. (1 is referring to a specific OS). |
assetActionParameter.hostConfig.quarantineAssetNotifications.emailIdList | Optional | String | A list of email addresses to notify. For example, "abc@qualys.com". |
assetActionParameter.hostConfig.quarantineAssetNotifications.phoneNo | Optional | String | A phone number to notify. For example, "1234567890". |
moduleMetadata | Optional | String | Metadata related to the module. For example, "Quarantine Host". |
Prerequisites
- Linux Cloud Agent: 6.0.0.0.x and above
- Windows Cloud Agent: 4.9.0.x and above
If the prerequisites for Quarantine/UnQuarantine Host Action on Asset API are not met, the process might be stuck in the In-Progress or Failed state.
API request
curl -X POST "<qualys_base_url>/ioc/remediation-actions/performQuarantineHostAction?<user=username&userId=XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX>" --header "accept: */*" --header "Authorization: Bearer <token>" -H "Content-Type: application/json" -d "<JSON payload>"
Sample JSON Payload
{
  "remediationSource": "EDR",
  "user": "John Doe",
  "userId": "qaedr_jd",
  "comment": "QH",
  "requestTime": "2024-12-12T04:52:39.711Z",
  "assetActionParameter": {
    "assetActions": [
      {
        "eventId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "action": "QUARANTINE_HOST",
        "agentId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "eventType": "AGENT",
        "overrideConfig": true,
        "agentVersion": "5.5.25.0"
      }
    ],
    "hostConfig": {
      "excludedWhitelistingConfig": {
        "excludedApplicationsConfigs": [
          {
            "applicationPath": "asdfasf",
            "platform": 1
          },
          {
            "applicationPath": "asdfasf",
            "platform": 1
          }
        ],
        "excludedIpConfigs": [
          {
            "ipAddress": "X0.1X.XX1.00",
            "subnetMask": "255.255.255.255",
            "platform": 1,
            "type": "V4"
          }
        ],
        "excludedDomainConfigs": [
          {
            "domain": "tradingview.com",
            "platform": 1
          }
        ]
      },
      "quarantineAssetNotifications": {
        "title": "QH",
        "description": "quarantined",
        "platform": 1,
        "emailIdList": "jd@example.com",
        "phoneNo": "1234567890"
      }
    }
  },
  "moduleMetadata": "cfsdfsfdgfdsg"
}
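An added example, not Qualys code: a pre-flight check that a payload carries every field the parameter table marks Mandatory before it is posted, so a malformed containment request fails locally instead of after it has been queued. The timestamp layout and the IPv4 netmask check on excludedIpConfigs are assumptions drawn from the page's example values; `validate` and `sample_payload` are hypothetical names.

```python
import ipaddress
from datetime import datetime

# Mandatory fields, taken from the input parameter table on this page.
TOP = ["remediationSource", "user", "userId", "comment", "requestTime", "assetActionParameter"]
ACTION = ["eventId", "action", "agentId", "eventType", "agentVersion"]
NOTIFY = ["title", "description", "platform"]
EXCLUDED = {"excludedApplicationsConfigs": ["applicationPath", "platform"],
            "excludedIpConfigs": ["ipAddress", "subnetMask", "platform", "type"],
            "excludedDomainConfigs": ["domain", "platform"]}

def _missing(obj, keys, prefix):
    return [prefix + k for k in keys if k not in obj]

def validate(payload):  # returns a list of problems; an empty list means well formed
    errs = _missing(payload, TOP, "")
    try:  # assumption: requestTime uses the same layout as the page's example value
        datetime.strptime(str(payload.get("requestTime")), "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:
        errs.append("requestTime: unexpected format")
    aap = payload.get("assetActionParameter") or {}
    errs += _missing(aap, ["assetActions"], "assetActionParameter.")
    for i, act in enumerate(aap.get("assetActions") or []):
        errs += _missing(act, ACTION, f"assetActions[{i}].")
    host = aap.get("hostConfig") or {}
    if "hostConfig" in aap:  # optional object, but its notification block is mandatory
        note = host.get("quarantineAssetNotifications") or {}
        errs += _missing(note, NOTIFY, "quarantineAssetNotifications.")
    excl = host.get("excludedWhitelistingConfig") or {}
    for name, keys in EXCLUDED.items():
        for i, entry in enumerate(excl.get(name) or []):
            errs += _missing(entry, keys, f"{name}[{i}].")
    for i, ip in enumerate(excl.get("excludedIpConfigs") or []):
        try:  # an exclusion is a hole in containment, so reject malformed ones
            ipaddress.ip_network(f"{ip.get('ipAddress')}/{ip.get('subnetMask')}", strict=False)
        except ValueError:
            errs.append(f"excludedIpConfigs[{i}]: invalid address or mask")
    return errs

def sample_payload():  # constructed, mirrors the page's sample; 192.0.2.10 is a documentation IP
    uid = "9589ad4e-670a-460a-8d69-43184b3df1a7"
    act = {"eventId": uid, "action": "QUARANTINE_HOST", "agentId": uid,
           "eventType": "AGENT", "agentVersion": "5.5.25.0"}
    ip = {"ipAddress": "192.0.2.10", "subnetMask": "255.255.255.255", "platform": 1, "type": "V4"}
    note = {"title": "QH", "description": "quarantined", "platform": 1}
    host = {"excludedWhitelistingConfig": {"excludedIpConfigs": [ip]},
            "quarantineAssetNotifications": note}
    return {"remediationSource": "EDR", "user": "John Doe", "userId": "qaedr_jd", "comment": "QH",
            "requestTime": "2024-12-12T04:52:39.711Z",
            "assetActionParameter": {"assetActions": [act], "hostConfig": host}}
```

The masked address printed in the page's sample ("X0.1X.XX1.00") is rejected by this check, so substitute a real address before submitting.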
Response
{ "requestId": "cdbf7081-7e94-484a-bf53-6ca00c4d9cd4", "message": "Request created successfully and its in progress", "responseCode": 1009, "remark": "QH", "status": "queued" }
Response Field Descriptions
Dataset Name | Field Name | Data Type | Description |
---|---|---|---|
remediation-actions | requestId | String | The unique identifier for the request. |
remediation-actions | message | String | A message providing information about the status or progress of the request. |
remediation-actions | responseCode | Integer | A numerical code representing the response status. |
remediation-actions | remark | String | A brief remark or comment related to the request. |
remediation-actions | status | String | The current status of the request (e.g., "queued", "in progress"). |
V1.0
This API allows you to perform quarantine or unquarantine host action on selected assets.
Input Parameter | Mandatory/Optional | Format | Description |
---|---|---|---|
Authorization | Mandatory | String | Authorization parameter authenticates the Qualys Enterprise TruRisk™ Platform. Prepend token with "Bearer" and a space. For example: Bearer authToken |
remediationSource | Mandatory | String | This is the source for the remediation. For example, EDR. |
user | Mandatory | String | The name of the user executing the action. For example, John Doe. |
userId | Mandatory | String | A unique identifier assigned to the user. For example, "qaedr_jd". |
comment | Mandatory | String | A short comment describing the action taken. For example, "QH". |
requestTime | Mandatory | String (ISO 8601 Date-Time) | The timestamp indicates when the request was made. For example, "2024-12-12T04:52:39.711Z". |
assetActionParameter | Mandatory | Object (contains asset actions) | This includes parameters related to the action performed on the asset (e.g., quarantine). |
assetActionParameter.assetActions | Mandatory | Array of Objects | A list of actions taken on assets; for instance, this case includes a quarantine action for the host. |
assetActionParameter.assetActions.eventId | Mandatory | String | A unique identifier assigned to the event. For example, "9589ad4e-670a-460a-8d69-43184b3df1a7". |
assetActionParameter.assetActions.action | Mandatory | String | Action to be taken on the asset. For example, "QUARANTINE_HOST" (the asset is being quarantined). |
assetActionParameter.assetActions.agentId | Mandatory | String | A unique identifier for the agent associated with the event. For example, "9589ad4e-670a-460a-8d69-43184b3df1a7". |
assetActionParameter.assetActions.eventType | Mandatory | String | The event type. For example, 'AGENT' indicating an event was triggered by an agent. |
assetActionParameter.assetActions.overrideConfig | Optional | Boolean | Specifies the flag to override the configuration if needed. For example, set to true, in this case. |
assetActionParameter.assetActions.agentVersion | Mandatory | String | The version of the agent executing the action. For example, "5.5.25.0". |
assetActionParameter.hostConfig | Optional | Object | This is the configuration related to the affected host, including exclusion settings and notifications. |
assetActionParameter.hostConfig.excludedWhitelistingConfig | Optional | Object | This contains configuration details for excluded allowed-list applications, IPs, and domains. |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs | Optional | Array of Objects | This is a list of applications to exclude from quarantine checks, including their path and platform. |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs.applicationPath | Mandatory | String | The file path of the excluded application. For example, "asdfasf". |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1. Here, platform type 1 is assumed to refer to a specific operating system (OS). |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs | Optional | Array of Objects | This is a list of IP configurations to be excluded from quarantine, which includes the IP address, subnet mask, and type. |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.ipAddress | Mandatory | String | The IP address of the excluded host. For example, "X0.1X.XX1.00". |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.subnetMask | Mandatory | String | The subnet mask for the IP exclusion. For example, "255.255.255.255". |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1. (1 is referring to a specific OS). |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.type | Mandatory | String | The type of IP (IPv4/IPv6). For example, "v4". |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs | Optional | Array of Objects | This is a list of domain configurations to be excluded from quarantine checks, which includes the domain and platform. |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs.domain | Mandatory | String | The domain to exclude from quarantine. For example, "tradingview.com". |
assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1. (1 is referring to a specific OS). |
assetActionParameter.hostConfig.quarantineAssetNotifications | Mandatory | Object | Notifications related to the quarantined asset. |
assetActionParameter.hostConfig.quarantineAssetNotifications.title | Mandatory | String | Title of the quarantine notification. For example, "QH". |
assetActionParameter.hostConfig.quarantineAssetNotifications.description | Mandatory | String | Description of the notification. For example, "quarantined". |
assetActionParameter.hostConfig.quarantineAssetNotifications.platform | Mandatory | Integer | The platform type for the notification. For example, 1. (1 is referring to a specific OS). |
assetActionParameter.hostConfig.quarantineAssetNotifications.emailIdList | Optional | String | A list of email addresses to notify. For example, "abc@qualys.com". |
assetActionParameter.hostConfig.quarantineAssetNotifications.phoneNo | Optional | String | A phone number to notify. For example, "1234567890". |
moduleMetadata | Optional | String | Metadata related to the module. For example, "Quarantine Host". |
Prerequisites
- Linux Cloud Agent: 6.0.0.0.x and above
- Windows Cloud Agent: 4.9.0.x and above
If the prerequisites for Quarantine/UnQuarantine Host Action on Asset API are not met, the process might be stuck in the In-Progress or Failed state.
API request
curl -X POST "<qualys_base_url>/ioc/v1/remediation-actions/performQuarantineHostAction?<user=username&userId=XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX>" --header "accept: */*" --header "Authorization: Bearer <token>" -H "Content-Type: application/json" -d "<JSON payload>"
Sample JSON Payload
{
  "remediationSource": "EDR",
  "user": "John Doe",
  "userId": "qaedr_jd",
  "comment": "QH",
  "requestTime": "2024-12-12T04:52:39.711Z",
  "assetActionParameter": {
    "assetActions": [
      {
        "eventId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "action": "QUARANTINE_HOST",
        "agentId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "eventType": "AGENT",
        "overrideConfig": true,
        "agentVersion": "5.5.25.0"
      }
    ],
    "hostConfig": {
      "excludedWhitelistingConfig": {
        "excludedApplicationsConfigs": [
          {
            "applicationPath": "asdfasf",
            "platform": 1
          },
          {
            "applicationPath": "asdfasf",
            "platform": 1
          }
        ],
        "excludedIpConfigs": [
          {
            "ipAddress": "X0.1X.XX1.00",
            "subnetMask": "255.255.255.255",
            "platform": 1,
            "type": "V4"
          }
        ],
        "excludedDomainConfigs": [
          {
            "domain": "tradingview.com",
            "platform": 1
          }
        ]
      },
      "quarantineAssetNotifications": {
        "title": "QH",
        "description": "quarantined",
        "platform": 1,
        "emailIdList": "jd@example.com",
        "phoneNo": "1234567890"
      }
    }
  },
  "moduleMetadata": "cfsdfsfdgfdsg"
}
Response
{ "requestId": "cdbf7081-7e94-484a-bf53-6ca00c4d9cd4", "message": "Request created successfully and its in progress", "responseCode": 1009, "remark": "QH", "status": "queued" }
Response Field Descriptions
Dataset Name | Field Name | Data Type | Description |
---|---|---|---|
remediation-actions | requestId | String | The unique identifier for the request. |
remediation-actions | message | String | A message providing information about the status or progress of the request. |
remediation-actions | responseCode | Integer | A numerical code representing the response status. |
remediation-actions | remark | String | A brief remark or comment related to the request. |
remediation-actions | status | String | The current status of the request (e.g., "queued", "in progress"). |
API Version History
The following table depicts the information about the different versions of this API along with the status:
API Version | API Status | Release Date |
---|---|---|
/ioc/remediation-actions/quarantineHost | Active | |
/ioc/v1/remediation-actions/quarantineHost | Active | May 2025 |