elastic · tomsonpl · Sep 23, 2025 · Aug 4, 2025 · Aug 4, 2025 · Aug 5, 2025
@@ -10990,6 +10990,29 @@ paths:
       x-metaTags:
         - content: Kibana, Elastic Cloud Serverless
           name: product_name
+  /api/endpoint/action/cancel:
+    post:
+      description: Cancel a running or pending response action (Applies only to some agent types).
+      operationId: CancelAction
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody'
+        required: true
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
+          description: Successfully cancelled the response action
+      summary: Cancel a response action
+      tags:
+        - Security Endpoint Management API
+      x-metaTags:
+        - content: Kibana, Elastic Cloud Serverless
+          name: product_name
   /api/endpoint/action/execute:
     post:
       description: Run a shell command on an endpoint.
@@ -69362,6 +69385,49 @@ components:
         - microsoft_defender_endpoint
       example: endpoint
       type: string
+    Security_Endpoint_Management_API_CancelRouteRequestBody:
+      type: object
+      properties:
+        action_id:
+          description: ID of the response action to cancel
+          example: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d
+          minLength: 1
+          type: string
+        agent_type:
+          default: endpoint
+          description: The agent type to target for the action
+          enum:
+            - endpoint
+            - sentinel_one
+            - crowdstrike
+            - microsoft_defender_endpoint
+          type: string
+        alert_ids:
+          description: If defined, any case associated with the given IDs will be updated
+          items:
+            minLength: 1
+            type: string
+          minItems: 1
+          type: array
+        case_ids:
+          description: Case IDs to be updated
+          items:
+            minLength: 1
+            type: string
+          minItems: 1
+          type: array
+        comment:
+          description: Optional comment explaining the reason for canceling the action
+          type: string
+        endpoint_ids:
+          description: A list of endpoint IDs whose hosts will be isolated
+          items:
+            minLength: 1
+            type: string
+          minItems: 1
+          type: array
+      required:
+        - action_id
     Security_Endpoint_Management_API_CloudFileScriptParameters:
       type: object
       properties:

@@ -13975,6 +13975,36 @@ paths:
       x-metaTags:
         - content: Kibana
           name: product_name
+  /api/endpoint/action/cancel:
+    post:
+      description: |-
+        **Spaces method and path for this operation:**
+
+        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/cancel</span></div>
+
+        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+        Cancel a running or pending response action (Applies only to some agent types).
+      operationId: CancelAction
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody'
+        required: true
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
+          description: Successfully cancelled the response action
+      summary: Cancel a response action
+      tags:
+        - Security Endpoint Management API
+      x-metaTags:
+        - content: Kibana
+          name: product_name
   /api/endpoint/action/execute:
     post:
       description: |-
@@ -82397,6 +82427,49 @@ components:
         - microsoft_defender_endpoint
       example: endpoint
       type: string
+    Security_Endpoint_Management_API_CancelRouteRequestBody:
+      type: object
+      properties:
+        action_id:
+          description: ID of the response action to cancel
+          example: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d
+          minLength: 1
+          type: string
+        agent_type:
+          default: endpoint
+          description: The agent type to target for the action
+          enum:
+            - endpoint
+            - sentinel_one
+            - crowdstrike
+            - microsoft_defender_endpoint
+          type: string
+        alert_ids:
+          description: If defined, any case associated with the given IDs will be updated
+          items:
+            minLength: 1
+            type: string
+          minItems: 1
+          type: array
+        case_ids:
+          description: Case IDs to be updated
+          items:
+            minLength: 1
+            type: string
+          minItems: 1
+          type: array
+        comment:
+          description: Optional comment explaining the reason for canceling the action
+          type: string
+        endpoint_ids:
+          description: A list of endpoint IDs whose hosts will be isolated
+          items:
+            minLength: 1
+            type: string
+          minItems: 1
+          type: array
+      required:
+        - action_id
     Security_Endpoint_Management_API_CloudFileScriptParameters:
       type: object
       properties:

@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Cancel Action Schema
+ *   version: 2023-10-31
+ */
+
+import { z } from '@kbn/zod';
+
+import { ResponseActionCreateSuccessResponse } from '../../../model/schema/common.gen';
+
+export type CancelRouteRequestBody = z.infer<typeof CancelRouteRequestBody>;
+export const CancelRouteRequestBody = z
+  .object({
+    /**
+     * A list of endpoint IDs whose hosts will be isolated
+     */
+    endpoint_ids: z.array(z.string().min(1)).min(1).optional(),
+    /**
+     * If defined, any case associated with the given IDs will be updated
+     */
+    alert_ids: z.array(z.string().min(1)).min(1).optional(),
+    /**
+     * Case IDs to be updated
+     */
+    case_ids: z.array(z.string().min(1)).min(1).optional(),
+    /**
+     * Optional comment explaining the reason for canceling the action
+     */
+    comment: z.string().optional(),
+    /**
+     * The agent type to target for the action
+     */
+    agent_type: z
+      .enum(['endpoint', 'sentinel_one', 'crowdstrike', 'microsoft_defender_endpoint'])
+      .optional()
+      .default('endpoint'),
+  })
+  .merge(
+    z.object({
+      /**
+       * ID of the response action to cancel
+       */
+      action_id: z.string().min(1),
+    })
+  );
+
+export type CancelActionRequestBody = z.infer<typeof CancelActionRequestBody>;
+export const CancelActionRequestBody = CancelRouteRequestBody;
+export type CancelActionRequestBodyInput = z.input<typeof CancelActionRequestBody>;
+
+export type CancelActionResponse = z.infer<typeof CancelActionResponse>;
+export const CancelActionResponse = ResponseActionCreateSuccessResponse;
@@ -0,0 +1,79 @@
+openapi: 3.0.0
+info:
+  title: Cancel Action Schema
+  version: '2023-10-31'
+  description: Schema for canceling response actions
+paths:
+  /api/endpoint/action/cancel:
+    post:
+      summary: Cancel a response action
+      operationId: CancelAction
+      description: Cancel a running or pending response action (Applies only to some agent types).
+      x-codegen-enabled: true
+      x-labels: [ ess, serverless ]
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/CancelRouteRequestBody'
+      responses:
+        '200':
+          description: Successfully cancelled the response action
+          content:
+            application/json:
+              schema:
+                $ref: '../../../model/schema/common.schema.yaml#/components/schemas/ResponseActionCreateSuccessResponse'
+components:
+  schemas:
+    CancelRouteRequestBody:
+      allOf:
+        - type: object
+          properties:
+            # Base action request properties would be referenced here if base schema existed
+            endpoint_ids:
+              type: array
+              items:
+                type: string
+                minLength: 1
+              minItems: 1
+              description: A list of endpoint IDs whose hosts will be isolated
+            alert_ids:
+              type: array
+              items:
+                type: string
+                minLength: 1
+              minItems: 1
+              description: If defined, any case associated with the given IDs will be updated
+            case_ids:
+              type: array
+              items:
+                type: string
+                minLength: 1
+              minItems: 1
+              description: Case IDs to be updated
+            comment:
+              type: string
+              description: Optional comment explaining the reason for canceling the action
+            agent_type:
+              type: string
+              enum: [ endpoint, sentinel_one, crowdstrike, microsoft_defender_endpoint ]
+              default: endpoint
+              description: The agent type to target for the action
+        - type: object
+          required:
+            - action_id
+          properties:
+            action_id:
+              type: string
+              minLength: 1
+              description: ID of the response action to cancel
+              example: '7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d'
+
+  examples:
+    CancelActionRequestExample:
+      summary: Cancel a response action
+      value:
+        action_id: '7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d'
+        endpoint_ids: [ '2f8e9c3a-5d4e-4f5a-9b1c-3e4f5a6b7c8d' ]
+        comment: 'Cancelling action due to change in requirements'
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { TypeOf } from '@kbn/config-schema';
+import { schema } from '@kbn/config-schema';
+import { BaseActionRequestSchema } from '../../common/base';
+
+const CancelActionRequestBodySchema = schema.object({
+  ...BaseActionRequestSchema,
+  action_id: schema.string({
+    minLength: 1,
+    validate: (value) => {
+      if (!value.trim().length) {
+        return 'action_id cannot be an empty string';
+      }
+    },
+  }),
+});
+
+export const CancelActionRequestSchema = {
+  body: CancelActionRequestBodySchema,
+};
+
+export type CancelActionRequestBody = TypeOf<typeof CancelActionRequestSchema.body>;
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './cancel';
@@ -25,6 +25,7 @@ export * from './actions/response_actions/execute';
 export * from './actions/response_actions/upload';
 export * from './actions/response_actions/scan';
 export * from './actions/response_actions/run_script';
+export * from './actions/response_actions/cancel';
 
 export * from './metadata';
 

@@ -126,6 +126,10 @@ import type {
   EndpointGetActionsListRequestQueryInput,
   EndpointGetActionsListResponse,
 } from './endpoint/actions/list/list.gen';
+import type {
+  CancelActionRequestBodyInput,
+  CancelActionResponse,
+} from './endpoint/actions/response_actions/cancel/cancel.gen';
 import type {
   EndpointExecuteActionRequestBodyInput,
   EndpointExecuteActionResponse,
@@ -560,6 +564,22 @@ If asset criticality records already exist for the specified entities, those rec
       })
       .catch(catchAxiosErrorFormatAndThrow);
   }
+  /**
+   * Cancel a running or pending response action.
+   */
+  async cancelAction(props: CancelActionProps) {
+    this.log.info(`${new Date().toISOString()} Calling API CancelAction`);
+    return this.kbnClient
+      .request<CancelActionResponse>({
+        path: '/api/endpoint/action/cancel',
+        headers: {
+          [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31',
+        },
+        method: 'POST',
+        body: props.body,
+      })
+      .catch(catchAxiosErrorFormatAndThrow);
+  }
   /**
     * Create a clean draft Timeline or Timeline template for the current user.
 > info
@@ -3007,6 +3027,9 @@ export interface AlertsMigrationCleanupProps {
 export interface BulkUpsertAssetCriticalityRecordsProps {
   body: BulkUpsertAssetCriticalityRecordsRequestBodyInput;
 }
+export interface CancelActionProps {
+  body: CancelActionRequestBodyInput;
+}
 export interface CleanDraftTimelinesProps {
   body: CleanDraftTimelinesRequestBodyInput;
 }