Perform Quarantine/UnQuarantine Host Action on Asset

For API version information, refer to the API Version History section.

Non-Versioned

This API allows you to perform quarantine or unquarantine host action on selected assets. 

POST /ioc/remediation-actions/quarantineHost

Input Parameters for Quarantine/UnQuarantine Host Action on Asset

| Input Parameter | Mandatory/Optional | Format | Description |
|---|---|---|---|
| Authorization | Mandatory | String | Authorization parameter authenticates the Qualys Enterprise TruRisk™ Platform. Prepend token with "Bearer" and a space. For example: Bearer authToken |
| remediationSource | Mandatory | String | This is the source for the remediation. For example, EDR. |
| user | Mandatory | String | The name of the user executing the action. For example, John Doe. |
| userId | Mandatory | String | A unique identifier assigned to the user. For example, "qaedr_jd". |
| comment | Mandatory | String | A short comment describing the action taken. For example, "QH". |
| requestTime | Mandatory | String (ISO 8601 Date-Time) | The timestamp indicating when the request was made. For example, "2024-12-12T04:52:39.711Z". |
| assetActionParameter | Mandatory | Object (contains asset actions) | This includes parameters related to the action performed on the asset (e.g., quarantine). |
| assetActionParameter.assetActions | Mandatory | Array of Objects | A list of actions taken on assets; for instance, this case includes a quarantine action for the host. |
| assetActionParameter.assetActions.eventId | Mandatory | String | A unique identifier assigned to the event. For example, "9589ad4e-670a-460a-8d69-43184b3df1a7". |
| assetActionParameter.assetActions.action | Mandatory | String | Action to be taken on the asset. For example, "QUARANTINE_HOST" (the asset is being quarantined). |
| assetActionParameter.assetActions.agentId | Mandatory | String | A unique identifier for the agent associated with the event. For example, "9589ad4e-670a-460a-8d69-43184b3df1a7". |
| assetActionParameter.assetActions.eventType | Mandatory | String | The event type. For example, 'AGENT', indicating an event was triggered by an agent. |
| assetActionParameter.assetActions.overrideConfig | Optional | Boolean | Specifies the flag to override the configuration if needed. For example, true. |
| assetActionParameter.assetActions.agentVersion | Mandatory | String | The version of the agent executing the action. For example, "5.5.25.0". |
| assetActionParameter.hostConfig | Optional | Object | This is the configuration related to the affected host, including exclusion settings and notifications. |
| assetActionParameter.hostConfig.excludedWhitelistingConfig | Optional | Object | This contains configuration details for excluded allowed-list applications, IPs, and domains. |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs | Optional | Array of Objects | This is a list of applications to exclude from quarantine checks, including their path and platform. |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs.applicationPath | Mandatory | String | The file path of the excluded application. For example, "asdfasf". |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1. Here, platform type 1 is assumed to refer to a specific operating system (OS). |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs | Optional | Array of Objects | This is a list of IP configurations to be excluded from quarantine, which includes the IP address, subnet mask, and type. |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.ipAddress | Mandatory | String | The IP address of the excluded host. For example, "X0.1X.XX1.00". |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.subnetMask | Mandatory | String | The subnet mask for the IP exclusion. For example, "255.255.255.255". |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1 (1 refers to a specific OS). |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.type | Mandatory | String | The type of IP (IPv4/IPv6). For example, "v4". |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs | Optional | Array of Objects | This is a list of domain configurations to be excluded from quarantine checks, which includes the domain and platform. |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs.domain | Mandatory | String | The domain to exclude from quarantine. For example, "tradingview.com". |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1 (1 refers to a specific OS). |
| assetActionParameter.hostConfig.quarantineAssetNotifications | Mandatory | Object | Notifications related to the quarantined asset. |
| assetActionParameter.hostConfig.quarantineAssetNotifications.title | Mandatory | String | Title of the quarantine notification. For example, "QH". |
| assetActionParameter.hostConfig.quarantineAssetNotifications.description | Mandatory | String | Description of the notification. For example, "quarantined". |
| assetActionParameter.hostConfig.quarantineAssetNotifications.platform | Mandatory | Integer | The platform type for the notification. For example, 1 (1 refers to a specific OS). |
| assetActionParameter.hostConfig.quarantineAssetNotifications.emailIdList | Optional | String | A list of email addresses to notify. For example, "abc@qualys.com". |
| assetActionParameter.hostConfig.quarantineAssetNotifications.phoneNo | Optional | String | A phone number to notify. For example, "1234567890". |
| moduleMetadata | Optional | String | Metadata related to the module. For example, "Quarantine Host". |

Prerequisites

  • Linux Cloud Agent: 6.0.0.0.x and above
  • Windows Cloud Agent: 4.9.0.x and above

If the prerequisites for Quarantine/UnQuarantine Host Action on Asset API are not met, the process might be stuck in the In-Progress or Failed state.

Sample - Quarantine/UnQuarantine Host Action on Asset

API request

curl -X POST "<qualys_base_url>/ioc/remediation-actions/performQuarantineHostAction?<user=username&userId=XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX>" --header "accept: */*" --header "Authorization: Bearer <token>" -H "Content-Type: application/json" -d "<JSON payload>"

Sample JSON Payload

{
  "remediationSource": "EDR",
  "user": "John Doe",
  "userId": "qaedr_jd",
  "comment": "QH",
  "requestTime": "2024-12-12T04:52:39.711Z",
  "assetActionParameter": {
    "assetActions": [
      {
        "eventId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "action": "QUARANTINE_HOST",
        "agentId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "eventType": "AGENT",
        "overrideConfig": true,
        "agentVersion": "5.5.25.0"
      }
    ],
    "hostConfig": {
      "excludedWhitelistingConfig": {
        "excludedApplicationsConfigs": [
          {
            "applicationPath": "asdfasf",
            "platform": 1
          },
          {
            "applicationPath": "asdfasf",
            "platform": 1
          }
        ],
        "excludedIpConfigs": [
          {
            "ipAddress": "X0.1X.XX1.00",
            "subnetMask": "255.255.255.255",
            "platform": 1,
            "type": "V4"
          }
        ],
        "excludedDomainConfigs": [
          {
            "domain": "tradingview.com",
            "platform": 1
          }
        ]
      },
      "quarantineAssetNotifications": {
        "title": "QH",
        "description": "quarantined",
        "platform": 1,
        "emailIdList": "jd@example.com",
        "phoneNo": "1234567890"
      }
    }
  },
  "moduleMetadata": "cfsdfsfdgfdsg"
} 
 

Response

{
  "requestId": "cdbf7081-7e94-484a-bf53-6ca00c4d9cd4",
  "message": "Request created successfully and its in progress",
  "responseCode": 1009,
  "remark": "QH",
  "status": "queued"
}

Response Field Descriptions

| Dataset Name | Field Name | Data Type | Description |
|---|---|---|---|
| remediation-actions | requestID | String | The unique identifier for the request. |
| | message | String | A message providing information about the status or progress of the request. |
| | responseCode | Integer | A numerical code representing the response status. |
| | remark | String | A brief remark or comment related to the request. |
| | status | String | The current status of the request (e.g., "queued", "in progress"). |

V1.0

This API allows you to perform quarantine or unquarantine host action on selected assets. 

POST /ioc/v1/remediation-actions/quarantineHost

Input Parameters for Quarantine/UnQuarantine Host Action on Asset

| Input Parameter | Mandatory/Optional | Format | Description |
|---|---|---|---|
| Authorization | Mandatory | String | Authorization parameter authenticates the Qualys Enterprise TruRisk™ Platform. Prepend token with "Bearer" and a space. For example: Bearer authToken |
| remediationSource | Mandatory | String | This is the source for the remediation. For example, EDR. |
| user | Mandatory | String | The name of the user executing the action. For example, John Doe. |
| userId | Mandatory | String | A unique identifier assigned to the user. For example, "qaedr_jd". |
| comment | Mandatory | String | A short comment describing the action taken. For example, "QH". |
| requestTime | Mandatory | String (ISO 8601 Date-Time) | The timestamp indicating when the request was made. For example, "2024-12-12T04:52:39.711Z". |
| assetActionParameter | Mandatory | Object (contains asset actions) | This includes parameters related to the action performed on the asset (e.g., quarantine). |
| assetActionParameter.assetActions | Mandatory | Array of Objects | A list of actions taken on assets; for instance, this case includes a quarantine action for the host. |
| assetActionParameter.assetActions.eventId | Mandatory | String | A unique identifier assigned to the event. For example, "9589ad4e-670a-460a-8d69-43184b3df1a7". |
| assetActionParameter.assetActions.action | Mandatory | String | Action to be taken on the asset. For example, "QUARANTINE_HOST" (the asset is being quarantined). |
| assetActionParameter.assetActions.agentId | Mandatory | String | A unique identifier for the agent associated with the event. For example, "9589ad4e-670a-460a-8d69-43184b3df1a7". |
| assetActionParameter.assetActions.eventType | Mandatory | String | The event type. For example, 'AGENT', indicating an event was triggered by an agent. |
| assetActionParameter.assetActions.overrideConfig | Optional | Boolean | Specifies the flag to override the configuration if needed. For example, true. |
| assetActionParameter.assetActions.agentVersion | Mandatory | String | The version of the agent executing the action. For example, "5.5.25.0". |
| assetActionParameter.hostConfig | Optional | Object | This is the configuration related to the affected host, including exclusion settings and notifications. |
| assetActionParameter.hostConfig.excludedWhitelistingConfig | Optional | Object | This contains configuration details for excluded allowed-list applications, IPs, and domains. |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs | Optional | Array of Objects | This is a list of applications to exclude from quarantine checks, including their path and platform. |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs.applicationPath | Mandatory | String | The file path of the excluded application. For example, "asdfasf". |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedApplicationsConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1. Here, platform type 1 is assumed to refer to a specific operating system (OS). |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs | Optional | Array of Objects | This is a list of IP configurations to be excluded from quarantine, which includes the IP address, subnet mask, and type. |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.ipAddress | Mandatory | String | The IP address of the excluded host. For example, "X0.1X.XX1.00". |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.subnetMask | Mandatory | String | The subnet mask for the IP exclusion. For example, "255.255.255.255". |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1 (1 refers to a specific OS). |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedIpConfigs.type | Mandatory | String | The type of IP (IPv4/IPv6). For example, "v4". |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs | Optional | Array of Objects | This is a list of domain configurations to be excluded from quarantine checks, which includes the domain and platform. |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs.domain | Mandatory | String | The domain to exclude from quarantine. For example, "tradingview.com". |
| assetActionParameter.hostConfig.excludedWhitelistingConfig.excludedDomainConfigs.platform | Mandatory | Integer | The platform type for the exclusion. For example, 1 (1 refers to a specific OS). |
| assetActionParameter.hostConfig.quarantineAssetNotifications | Mandatory | Object | Notifications related to the quarantined asset. |
| assetActionParameter.hostConfig.quarantineAssetNotifications.title | Mandatory | String | Title of the quarantine notification. For example, "QH". |
| assetActionParameter.hostConfig.quarantineAssetNotifications.description | Mandatory | String | Description of the notification. For example, "quarantined". |
| assetActionParameter.hostConfig.quarantineAssetNotifications.platform | Mandatory | Integer | The platform type for the notification. For example, 1 (1 refers to a specific OS). |
| assetActionParameter.hostConfig.quarantineAssetNotifications.emailIdList | Optional | String | A list of email addresses to notify. For example, "abc@qualys.com". |
| assetActionParameter.hostConfig.quarantineAssetNotifications.phoneNo | Optional | String | A phone number to notify. For example, "1234567890". |
| moduleMetadata | Optional | String | Metadata related to the module. For example, "Quarantine Host". |

Prerequisites

  • Linux Cloud Agent: 6.0.0.0.x and above
  • Windows Cloud Agent: 4.9.0.x and above

If the prerequisites for Quarantine/UnQuarantine Host Action on Asset API are not met, the process might be stuck in the In-Progress or Failed state.

Sample - Quarantine/UnQuarantine Host Action on Asset

API request

curl -X POST "<qualys_base_url>/ioc/v1/remediation-actions/performQuarantineHostAction?<user=username&userId=XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX>" --header "accept: */*" --header "Authorization: Bearer <token>" -H "Content-Type: application/json" -d "<JSON payload>"

Sample JSON Payload

{
  "remediationSource": "EDR",
  "user": "John Doe",
  "userId": "qaedr_jd",
  "comment": "QH",
  "requestTime": "2024-12-12T04:52:39.711Z",
  "assetActionParameter": {
    "assetActions": [
      {
        "eventId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "action": "QUARANTINE_HOST",
        "agentId": "9589ad4e-670a-460a-8d69-43184b3df1a7",
        "eventType": "AGENT",
        "overrideConfig": true,
        "agentVersion": "5.5.25.0"
      }
    ],
    "hostConfig": {
      "excludedWhitelistingConfig": {
        "excludedApplicationsConfigs": [
          {
            "applicationPath": "asdfasf",
            "platform": 1
          },
          {
            "applicationPath": "asdfasf",
            "platform": 1
          }
        ],
        "excludedIpConfigs": [
          {
            "ipAddress": "X0.1X.XX1.00",
            "subnetMask": "255.255.255.255",
            "platform": 1,
            "type": "V4"
          }
        ],
        "excludedDomainConfigs": [
          {
            "domain": "tradingview.com",
            "platform": 1
          }
        ]
      },
      "quarantineAssetNotifications": {
        "title": "QH",
        "description": "quarantined",
        "platform": 1,
        "emailIdList": "jd@example.com",
        "phoneNo": "1234567890"
      }
    }
  },
  "moduleMetadata": "cfsdfsfdgfdsg"
} 
 

Response

{
  "requestId": "cdbf7081-7e94-484a-bf53-6ca00c4d9cd4",
  "message": "Request created successfully and its in progress",
  "responseCode": 1009,
  "remark": "QH",
  "status": "queued"
}

Response Field Descriptions

| Dataset Name | Field Name | Data Type | Description |
|---|---|---|---|
| remediation-actions | requestID | String | The unique identifier for the request. |
| | message | String | A message providing information about the status or progress of the request. |
| | responseCode | Integer | A numerical code representing the response status. |
| | remark | String | A brief remark or comment related to the request. |
| | status | String | The current status of the request (e.g., "queued", "in progress"). |
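
The request body described in the parameter tables for both the non-versioned and V1.0 endpoints can be checked before it is submitted. The following is an added example, not Qualys code: it verifies the mandatory fields listed on this page and parses every excludedIpConfigs entry, since each exclusion is a hole in the quarantine. The function names and the /24 threshold (MIN_V4_PREFIX) are assumptions for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Mandatory fields per object, taken from the parameter tables on this page.
REQUIRED = {
    "body": ("remediationSource", "user", "userId", "comment",
             "requestTime", "assetActionParameter"),
    "assetActions": ("eventId", "action", "agentId", "eventType", "agentVersion"),
    "excludedIpConfigs": ("ipAddress", "subnetMask", "platform", "type"),
    "quarantineAssetNotifications": ("title", "description", "platform"),
}
MIN_V4_PREFIX = 24  # assumption: local policy flags IPv4 exclusions wider than /24


def request_time(now=None):
    """UTC timestamp in the page's format, e.g. 2024-12-12T04:52:39.711Z."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def _missing(obj, kind, where):
    return [f"{where}: missing {f}" for f in REQUIRED[kind] if f not in obj]


def validate(body):
    """Return a list of problems; an empty list means the body can be sent."""
    problems = _missing(body, "body", "body")
    param = body.get("assetActionParameter", {})
    actions = param.get("assetActions") or []
    if not actions:
        problems.append("assetActions: empty")
    for i, action in enumerate(actions):
        problems += _missing(action, "assetActions", f"assetActions[{i}]")
    host = param.get("hostConfig")
    if host is None:  # hostConfig itself is optional
        return problems
    notify = host.get("quarantineAssetNotifications", {})
    problems += _missing(notify, "quarantineAssetNotifications", "notifications")
    excluded = host.get("excludedWhitelistingConfig", {})
    for i, ip in enumerate(excluded.get("excludedIpConfigs", [])):
        where = f"excludedIpConfigs[{i}]"
        gaps = _missing(ip, "excludedIpConfigs", where)
        problems += gaps
        if gaps:
            continue
        try:
            net = ipaddress.ip_network(f"{ip['ipAddress']}/{ip['subnetMask']}", strict=False)
        except ValueError:
            problems.append(f"{where}: invalid address or mask")
            continue
        if net.version == 4 and net.prefixlen < MIN_V4_PREFIX:
            problems.append(f"{where}: {net} is wider than /{MIN_V4_PREFIX}")
    return problems
```

Call validate() on the parsed JSON payload and submit only when it returns an empty list. The masked sample address "X0.1X.XX1.00" shown on this page is reported as invalid until it is replaced with a real address.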

API Version History

The following table depicts the information about the different versions of this API along with the status:

| API Version | API Status | Release Date |
|---|---|---|
| /ioc/remediation-actions/quarantineHost | Active | |
| /ioc/v1/remediation-actions/quarantineHost | Active | May 2025 |