Terminate a process

Terminates a process on a host running Elastic Defend or a supported third-party agent type.

You must have the Process Operations privilege and an Enterprise license to perform this action.

Request URL

POST <kibana host>:<port>/api/endpoint/action/kill_process

Request body

A JSON object with these fields:

| Name | Type | Description | Required |
|---|---|---|---|
| endpoint_ids | Array (String) | The IDs of endpoints where you want to issue this action. | Yes |
| agent_type | String | The type of Agent that the host is running with. Accepted values are: endpoint (default), sentinel_one (currently in Technical Preview) | No |
| alert_ids | Array (String) | If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. | No |
| case_ids | Array (String) | The IDs of cases where the action taken will be logged. | No |
| comment | String | Attach a comment to this action’s log. The comment text will appear in associated cases. | No |
| parameters.pid | Number | The process ID (PID) of the process to terminate. | Yes, must provide either parameters.pid or parameters.entity_id, but not both |
| parameters.entity_id | String | The entity ID of the process to terminate. | Yes, must provide either parameters.pid or parameters.entity_id, but not both |
| parameters.process_name | String | SentinelOne agent_type only. The name of the process to terminate. | Yes. This is the only parameter accepted for SentinelOne |

Example requests

Terminates the process with entity_id abc123 on a host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 and attaches the comment "terminate the process":

POST /api/endpoint/action/kill_process
{
  "endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
  "parameters": {
    "entity_id": "abc123"
  },
  "comment": "terminate the process"
}
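
A response-automation script can enforce the field rules from the table before anything is sent, so a malformed kill request fails locally instead of returning a 500. The following is an added example, not Elastic's code: the function names, the `kbn-xsrf` header and API-key authentication are assumptions about the calling environment, and the request is built but not sent.

```python
import json
import urllib.request

AGENT_TYPES = {"endpoint", "sentinel_one"}  # accepted values from the field table

def build_kill_process_body(endpoint_ids, *, pid=None, entity_id=None,
                            process_name=None, agent_type="endpoint",
                            comment=None, alert_ids=None, case_ids=None):
    """Validate arguments against the field table and return the request body."""
    if (not isinstance(endpoint_ids, (list, tuple)) or not endpoint_ids
            or not all(isinstance(e, str) and e for e in endpoint_ids)):
        raise ValueError("endpoint_ids must be a non-empty list of strings")
    if agent_type not in AGENT_TYPES:
        raise ValueError(f"unsupported agent_type: {agent_type!r}")
    if agent_type == "sentinel_one":
        # SentinelOne accepts parameters.process_name and nothing else.
        if pid is not None or entity_id is not None or not process_name:
            raise ValueError("sentinel_one takes process_name only")
        parameters = {"process_name": process_name}
    else:
        if process_name is not None:
            raise ValueError("process_name is valid for sentinel_one only")
        if (pid is None) == (entity_id is None):
            raise ValueError("provide exactly one of pid or entity_id")
        if pid is not None:
            # bool is an int subclass in Python; reject it explicitly.
            if isinstance(pid, bool) or not isinstance(pid, int):
                raise ValueError("pid must be an integer")
            parameters = {"pid": pid}
        elif isinstance(entity_id, str) and entity_id:
            parameters = {"entity_id": entity_id}
        else:
            raise ValueError("entity_id must be a non-empty string")
    body = {"endpoint_ids": list(endpoint_ids), "agent_type": agent_type,
            "parameters": parameters}
    for key, value in (("alert_ids", alert_ids), ("case_ids", case_ids),
                       ("comment", comment)):
        if value:
            body[key] = value
    return body

def build_request(kibana_url, api_key, body):
    """Build, without sending, the POST request for the validated body."""
    return urllib.request.Request(
        kibana_url.rstrip("/") + "/api/endpoint/action/kill_process",
        data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json",
                 "kbn-xsrf": "true",  # assumption: Kibana's usual header for write requests
                 "Authorization": f"ApiKey {api_key}"})  # assumption: API key auth
```

Passing `alert_ids` or `case_ids` along with a `comment` keeps the termination recorded in the associated cases, which matters when the action is later reviewed.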

Response code

  • 200: Indicates a successful call.
  • 403: Indicates insufficient user privilege (Process Operations required), or unsupported license level (Enterprise license required).
  • 500: General error. A response message will provide additional details.

Response payload

A JSON object with the details of the response action created.

Example response

{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
    "command": "kill-process",
    "agentType": "endpoint",
    "isExpired": false,
    "isCompleted": true,
    "wasSuccessful": true,
    "errors": [],
    "startedAt": "2022-07-29T19:08:49.126Z",
    "completedAt": "2022-07-29T19:09:44.961Z",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "createdBy": "myuser",
    "comment": "terminate the process",
    "parameters": {
      "entity_id": "abc123"
    }
  }
}