# Response Actions When you execute a [response action](https://help.radiantsecurity.ai/radiant-cases/radiant-cases/response-actions-in-cases) during incident response, such as disabling a compromised user account or isolating an infected endpoint, it's essential to understand what that action does, which systems it affects, and whether it can safely be reversed. This comprehensive reference guide documents all available response actions across your integrated security platforms, including their required parameters, API endpoints, impact levels, and - most importantly - their undo capabilities. Many actions can be automatically reversed with a single click, giving you full control to contain threats confidently and restore normal operations when incidents are resolved. Use this guide to make informed decisions during incident response and understand the full scope of each remediation action. ### Prerequisites * [ ] Before you can execute any response actions documented in this guide, you must have the appropriate action connectors configured and enabled in your environment. ### Find your action connector * [CrowdStrike](#crowdstrike-actions) * [Google Workspace](#google-workspace-actions) * [KnowBe4](#knowbe4-actions) * [Microsoft 365](#microsoft-365-actions) * [Mimecast](#mimecast-actions) * [Netskope](#netskope-actions) * [Okta](#okta-actions) * [Proofpoint](#proofpoint-actions) * [SentinelOne](#sentinelone-actions) ### CrowdStrike Actions CrowdStrike action connectors use the **CrowdStrike Falcon API** to perform endpoint detection and response (EDR) actions. These actions are commonly used for **endpoint containment, threat intelligence, and indicator management** during incident response. CrowdStrike Falcon provides cloud-native endpoint protection with real-time threat intelligence. > **Primary use cases:** Endpoint containment, custom IOC management, threat blocking
Action: Block File Blocks a file by hash in CrowdStrike Falcon using custom Indicators of Compromise (IOCs). Supports SHA256, SHA1, and MD5 hashes. Blocked files are prevented from executing on all managed endpoints.
FIELDDETAILS
Required ParametersAt least one of: hash_sha256, hash_sha1, or hash_md5
API EndpointsPOST /iocs/entities/indicators/v1
Undo ActionNo
Required PermissionsIOCs (Indicators of Compromise): Write
Impact LevelHigh - Blocks file across all endpoints
Action: Isolate Device Isolates a device in CrowdStrike Falcon, preventing it from communicating with other devices on the network.
FIELDDETAILS
Required Parametersdevice_id (Falcon sensor ID/AID)
API EndpointsPOST /devices/entities/devices-actions/v2?action_name=contain
Undo ActionYes - via release_device action
Required PermissionsHosts: Write
Impact LevelHigh - Device network isolated
Action: Release Device Releases an isolated device in CrowdStrike Falcon (lift containment), restoring normal network communication.
FIELDDETAILS
Required Parametersdevice_id (Falcon sensor ID/AID)
API EndpointsPOST /devices/entities/devices-actions/v2?action_name=lift_containment
Undo ActionYes - via isolate_device action
Required PermissionsHosts: Write
Impact LevelLow - Restores network access
### Google Workspace Actions Google Workspace action connectors use the **Google Workspace Admin SDK** and **Gmail API** to perform email security and user management actions. These actions are commonly used for **email threat remediation and sender blocking** during incident response. Google Workspace provides cloud-based productivity and collaboration tools with integrated security controls. > **Primary use cases:** Phishing email removal, malicious sender blocking
Action: Block Sender Blocks an email sender for all users with mailbox setup in the Google Workspace organization. Creates Gmail filters for each user that automatically deletes emails from the blocked sender.
FIELDDETAILS
Required Parametersemail_from
API EndpointsGET /admin/directory/v1/users (with customer: "my_customer")
POST /gmail/v1/users/me/settings/filters
Undo ActionNo - Manual filter removal required for each user
Required Permissionshttps://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/gmail.settings.basic
Impact LevelHigh - Affects all users in the organization
Action: Find and Soft Delete Emails Finds emails matching sender and subject across all user mailboxes in Google Workspace and moves them to trash (soft delete). Emails remain in trash for 30 days before automatic permanent deletion. Uses Gmail search query with sender and subject criteria.
FIELDDETAILS
Required Parametersemail_from, email_subject
API EndpointsGET /admin/directory/v1/users (with customer: "my_customer")
GET /gmail/v1/users/me/messages (with query)
POST /gmail/v1/users/me/messages/${id}/trash
Undo ActionNo - Manual recovery from trash required
Required Permissionshttps://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/gmail.modify
Impact LevelMedium - Emails can be recovered from trash
Action: Find and Hard Delete Emails Finds emails matching sender and subject across all user mailboxes in Google Workspace and permanently deletes them (hard delete). This action bypasses trash and cannot be undone. {% hint style="danger" %} **Warning:** This action is **irreversible**. Use soft delete when possible. {% endhint %}
FIELDDETAILS
Required Parametersemail_from, email_subject
API EndpointsGET /admin/directory/v1/users (with customer: "my_customer")
GET /gmail/v1/users/me/messages (with query)
DELETE /gmail/v1/users/me/messages/${id}
Undo ActionNo - Permanent deletion
Required Permissionshttps://www.googleapis.com/auth/admin.directory.user.readonly, and https://mail.google.com/
Impact LevelHigh - Irreversible action
### KnowBe4 Actions KnowBe4 action connectors use the **KnowBe4 Reporting API** to perform security awareness training actions. These actions are commonly used for **phishing training enrollment and user education** during and after security incidents. KnowBe4 provides security awareness training and simulated phishing campaigns. > **Primary use cases:** Post-incident training, phishing awareness education
Action: Enroll in Phishing Training Enrolls a user in phishing training via KnowBe4. Uses the case number and user display name for context in the training enrollment event. This helps track training related to specific security incidents.
FIELDDETAILS
Required Parametersuser_principal_name
API EndpointsPOST /events
Undo ActionNo - Training enrollment cannot be undone
Required PermissionsUser Event API: Write
Impact LevelLow - Educational action only
### Microsoft 365 Actions Microsoft 365 action connectors use **Microsoft Graph API**, **Microsoft Defender for Endpoint API**, and **Exchange Online API** to perform response actions across endpoints, email, identity, and security controls. These actions are commonly used for **containment, remediation, and account protection** during incident response. The connector integrates with multiple Microsoft security services including Azure AD, Exchange Online, and Microsoft Defender. > **Primary use cases:** Account compromise response, email security, endpoint containment, malware blocking
Action: Disable Users and Terminate Active Sessions Composite action that disables a user account and revokes all sign-in sessions in Microsoft 365. This is a combination of `disable_user` and `revoke_sign_in_sessions` actions, providing immediate account lockdown across all Microsoft services.
FIELDDETAILS
Required Parametersuser_principal_name, user_id, or service_account_id
API EndpointsPATCH /users/${userIDorEmail} (with {accountEnabled: false})
POST /users/${userIDorEmail}/revokeSignInSessions
Undo ActionYes - via enable_user action
Required PermissionsUser.ReadWrite.All, User.RevokeSessions.All
Impact LevelHigh - User cannot access Microsoft 365 services
Action: Terminate Active Sessions Required PermissionsRevokes all sign-in sessions for a user in Microsoft 365, forcing them to re-authenticate. The user account remains enabled but all refresh tokens are invalidated.
FIELDDETAILS
Required Parametersuser_principal_name, user_id, or service_account_id
API EndpointsPOST /users/${userIDorEmail}/revokeSignInSessions
Undo ActionNo - Sessions already terminated
Required PermissionsUser.RevokeSessions.All
Impact LevelMedium - User can re-authenticate
Action: Enable User Enables a previously disabled user account in Microsoft 365, allowing them to sign in again. Restores access to all Microsoft 365 services.
FIELDDETAILS
Required Parametersuser_principal_name, user_id, or service_account_id
API EndpointsPATCH /users/${userIDorEmail} (with {accountEnabled: true})
Undo ActionYes - via disable_users_and_terminate_active_sessions action
Required PermissionsUser.ReadWrite.All, User.EnableDisableAccount.All
Impact LevelLow - Restores normal access
Action: Reset User Password Resets a user's password in Microsoft 365 and revokes all sign-in sessions, forcing them to change password on next sign-in.
FIELDDETAILS
Required Parametersuser_principal_name, user_id, or service_account_id
API EndpointsPATCH /users/${userIDorEmail} (with {passwordProfile: {forceChangePasswordNextSignIn: true}})
POST /users/${userIDorEmail}/revokeSignInSessions
Undo ActionNo - Password already changed
Required PermissionsUser.ReadWrite.All, User.RevokeSessions.All, User.EnableDisableAccount.All, andDirectory.AccessAsUser.All (delegated permission)
Impact LevelHigh - User must reset password
Action: Disable All Forward Rules Disables all email forwarding rules for a user in Microsoft 365 Exchange Online. Rules remain configured but are set to inactive, preventing unauthorized email forwarding while preserving rule configurations.
FIELDDETAILS
Required Parametersuser_principal_name
API EndpointsGET /users/${userID}/mailFolders/inbox/messageRules
PATCH /users/${userID}/mailFolders/inbox/messageRules/${ruleID} (with {isEnabled: false})
Undo ActionNo - Manual re-enablement required
Required PermissionsMailboxSettings.ReadWrite
Impact LevelMedium - Stops email forwarding
Action: Delete External Forward Rules Deletes all email forwarding rules that forward to external domains (domains not in the organization's verified domain list). Internal forwarding rules are preserved.
FIELDDETAILS
Required Parametersuser_principal_name
API EndpointsGET /domains
GET /users/${userID}/mailFolders/inbox/messageRules
DELETE /users/${userID}/mailFolders/inbox/messageRules/${ruleID}
Undo ActionNo - Rules permanently deleted
Required PermissionsDomain.Read.All, MailboxSettings.ReadWrite
Impact LevelHigh - Permanently removes rules
Action: Find and Soft Delete Emails Finds emails matching sender and subject in recipient mailboxes and moves them to the Deleted Items folder (soft delete). Emails can be recovered from Deleted Items. Searches each recipient's mailbox individually using sender + subject criteria.
FIELDDETAILS
Required Parametersemail_from, email_subject, email_to (array of recipient email addresses)
API EndpointsGET /domains
GET /users/${userIDorEmail}/messages/ (with filter subject eq '...' and sender/emailAddress/address eq '...')
POST /users/${userIDorEmail}/messages/${messageID}/move (with {destinationId: "deleteditems"})
Undo ActionYes - via restore_soft_deleted_emails action
Required PermissionsMail.ReadWrite
Impact LevelLow - Emails can be recovered
Action: Find and Hard Delete Emails Finds emails matching sender and subject in recipient mailboxes and permanently deletes them (hard delete). This action bypasses the Deleted Items folder and cannot be undone. {% hint style="danger" %} **Warning:** This action is **irreversible**. Use soft delete when possible. {% endhint %}
FIELDDETAILS
Required Parametersemail_from, email_subject, email_to (array of recipient email addresses)
API EndpointsGET /users/${userIDorEmail}/messages/ (with filter subject eq '...' and sender/emailAddress/address eq '...')
DELETE /users/${userIDorEmail}/messages/${messageID}
Undo ActionNo - Permanent deletion
Required PermissionsMail.ReadWrite
Impact LevelHigh - Irreversible action
Action: Restore Soft Deleted Emails Restores soft-deleted emails from the Deleted Items folder back to the recipient's inbox. This is the reversal action for `find_and_soft_delete_emails`.
FIELDDETAILS
Required Parametersemail_from, email_subject, email_to (array of recipient email addresses)
API EndpointsGET /users/${userIDorEmail}/mailFolders/deleteditems/messages/ (with filter)
POST /users/${userIDorEmail}/messages/${messageID}/move (with {destinationId: "inbox"})
Undo ActionYes - via find_and_soft_delete_emails action
Required PermissionsMail.ReadWrite
Impact LevelLow - Restores emails
Action: Isolate Device Isolates a device using Microsoft Defender for Endpoint, preventing it from communicating with other devices on the network. The device can still communicate with Defender services for management.
FIELDDETAILS
Required Parametersdevice_id (Defender sensor ID)
API EndpointsPOST https://api.securitycenter.microsoft.com/api/machines/${sensorID}/isolate
Undo ActionYes - via release_device action
Required PermissionsMachine.Isolate
Impact LevelHigh - Device network isolated
Action: Release Device Releases a device from isolation in Microsoft Defender for Endpoint, restoring normal network communication.
FIELDDETAILS
Required Parametersdevice_id (Defender sensor ID)
API EndpointsPOST https://api.securitycenter.microsoft.com/api/machines/${sensorID}/unisolate
Undo ActionYes - via isolate_device action
Required PermissionsMachine.Isolate
Impact LevelLow - Restores network access
Action: Block File Blocks a file by hash using Microsoft Defender for Endpoint Indicators API. Supports SHA256, SHA1, and MD5 hashes with priority: SHA256 > SHA1 > MD5. Blocked files are prevented from executing across all managed endpoints.
FIELDDETAILS
Required Parametersfile_name, and at least one of: hash_sha256, hash_sha1, or hash_md5
API EndpointsPOST https://api.securitycenter.microsoft.com/api/indicators
Undo ActionYes - via unblock_file action
Required PermissionsTi.ReadWrite or Ti.ReadWrite.All
Impact LevelHigh - Blocks file execution globally
Action: Unblock File Unblocks a previously blocked file by removing its indicator from Microsoft Defender for Endpoint. This is the reversal action for `block_file`.
FIELDDETAILS
Required Parametersfile_name, and at least one of: hash_sha256, hash_sha1, or hash_md5
API EndpointsGET https://api.securitycenter.microsoft.com/api/indicators (with filter)
DELETE https://api.securitycenter.microsoft.com/api/indicators/${indicatorID}
Undo ActionYes - via block_file action
Required PermissionsTi.ReadWrite or Ti.ReadWrite.All
Impact LevelLow - Removes file block
Action: Block Domain Blocks a domain using Microsoft Defender for Endpoint Indicators API, preventing access to all URLs under that domain across all managed endpoints.
FIELDDETAILS
Required Parametersfqdn (fully qualified domain name)
API EndpointsPOST https://api.securitycenter.microsoft.com/api/indicators
Undo ActionNo - Manual removal required
Required PermissionsTi.ReadWrite or Ti.ReadWrite.All
Impact LevelHigh - Blocks domain access globally
Action: Block IP (Azure) Blocks an IP address in Microsoft 365 using Azure AD Conditional Access. Creates or updates a named location with blocked IPs and ensures a conditional access policy blocks authentication attempts from that location.
FIELDDETAILS
Required Parametersip_address
API EndpointsGET /identity/conditionalAccess/namedLocations (with filter)
POST /identity/conditionalAccess/namedLocations
PATCH /identity/conditionalAccess/namedLocations/${namedLocationID}
POST /identity/conditionalAccess/policies
Undo ActionNo - Manual policy removal required
Required PermissionsPolicy.Read.All, Policy.ReadWrite.ConditionalAccess, and Application.Read.All
Impact LevelHigh - Blocks authentication from IP
### Mimecast Actions Mimecast action connectors use the **Mimecast API V2** to perform email security and threat protection actions. These actions are commonly used for **email sender blocking, URL blocking,** and **threat containment** during incident response. Mimecast provides cloud-based email security, archiving, and continuity services. > **Primary use cases:** Phishing sender blocking, malicious URL blocking, domain-based threat prevention {% hint style="info" %} **Note:** The group `radiantsecurity_blocked_senders` is automatically created if it doesn't exist and is used for sender blocking policies. {% endhint %}
Action: Block Sender Blocks a specific email sender address in Mimecast by adding it to the "radiantsecurity\_blocked\_senders" group. The group is created automatically if it doesn't exist, along with the necessary blocked sender policy.
FIELDDETAILS
Required Parametersemail_from
API EndpointsPOST /api/directory/find-groups
POST /api/directory/create-group
POST /api/policy/blockedsenders/create-policy
POST /api/directory/add-group-member
Undo ActionNo - Manual removal from group required
Required Permissions

Directories | Groups | All,

Gateway Menu | Policies | All

Directories Menu | Managed Senders | All (in case it exists on the UI), and

Gateway Menu | Managed Senders | All

Impact LevelMedium - Blocks sender for organization
Action: Block Sender Domain Blocks an entire sender domain in Mimecast by adding it to the "radiantsecurity\_blocked\_senders" group. Extracts the domain from the `email_from` field and blocks all emails from that domain.
FIELDDETAILS
Required Parametersemail_from (domain is extracted from email address)
API EndpointsPOST /api/directory/find-groups
POST /api/directory/create-group
POST /api/policy/blockedsenders/create-policy
POST /api/directory/add-group-member
Undo ActionNo - Manual removal from group required
Required Permissions

Directories | Groups | All,

Gateway Menu | Policies | All

Directories Menu | Managed Senders | All (in case it exists on the UI), and

Gateway Menu | Managed Senders | All

Impact LevelHigh - Blocks entire domain
Action: Block URL Blocks a specific URL (exact path match) in Mimecast using Managed URLs. Creates a managed URL entry with action "block" that prevents users from accessing the exact URL.
FIELDDETAILS
Required Parametersfull_url
API EndpointsPOST /api/ttp/url/create-managed-url
Undo ActionNo - Manual removal from managed URLs required
Required PermissionsMonitoring Menu | URL Protection | All
Impact LevelMedium - Blocks specific URL
Action: Block URL Domain Blocks an entire URL domain (wildcard match) in Mimecast using Managed URLs. Creates a managed URL entry with `matchType: "domain"` that blocks access to all URLs under that domain.
FIELDDETAILS
Required Parametersfull_url (domain is extracted from URL)
API EndpointsPOST /api/ttp/url/create-managed-url (with matchType: "domain")
Undo ActionNo - Manual removal from managed URLs required
Required PermissionsMonitoring Menu | URL Protection | All
Impact LevelHigh - Blocks entire domain
### Netskope Actions Netskope action connectors use the **Netskope REST API v2** to perform cloud access security broker (CASB) and secure web gateway (SWG) actions. These actions are commonly used for **URL blocking** and **web content filtering** during incident response. Netskope provides cloud-native security for SaaS, IaaS, and web traffic. > **Primary use cases:** Malicious URL blocking, web threat containment
Action: Block URL Blocks a specific URL in Netskope by adding it to the Radiant Security URL list. {% hint style="warning" %} **Prerequisites:** Requires the URL list "RADIANT\_SECURITY\_BLOCK\_URL\_POLICY" to be pre-created in Netskope Admin Console and configured in a Real-time Protection policy. {% endhint %}
FIELDDETAILS
Required Parametersfull_url
API EndpointsGET /api/v2/policy/urllist
PATCH /api/v2/policy/urllist/${urllistID}/append
POST /api/v2/policy/urllist/deploy
Undo ActionNo - Manual removal from URL list required
Required Permissions/api/v2/policy/urllist endpoints with Read and Write privilege
Impact LevelMedium - Blocks URL access
### Okta Actions Okta action connectors use the **Okta Management API** to perform identity and access management operations. These actions are commonly used for **account security, session management,** and **network access control** during incident response. Okta serves as a centralized identity provider for managing user authentication and authorization. > **Primary use cases:** User account lockdown, session termination, IP-based access control
Action: Disable Users and Terminate Active Sessions Composite action that disables a user account and terminates all active sessions. This is a combination of `disable_user` and `terminate_active_sessions` actions, providing immediate account lockdown.
FIELDDETAILS
Required Parametersuser_principal_name, user_id, or service_account_id (user identifier)
API EndpointsGET /api/v1/users/${userEmail}
POST /api/v1/users/${id}/lifecycle/suspend
DELETE /api/v1/users/${id}/sessions
Undo ActionYes - via enable_user action
Required Permissionsokta.users.read, okta.users.manage, okta.users.userSessions.clear, and okta.users.lifecycle.suspend
Impact LevelHigh - User cannot access any systems
Action: Terminate Active Sessions Terminates all active sessions for a user in Okta, forcing them to re-authenticate. The user account remains enabled but all existing sessions are invalidated.
FIELDDETAILS
Required Parametersuser_principal_name, user_id, or service_account_id (user identifier)
API EndpointsGET /api/v1/users/${userEmail}
DELETE /api/v1/users/${id}/sessions
Undo ActionNo - Sessions already terminated
Required Permissionsokta.users.read, okta.users.manage, and okta.users.userSessions.clear
Impact LevelMedium - User can re-authenticate
Action: Enable User Enables a previously disabled user account in Okta, allowing them to sign in again. Use this to restore access after an incident has been resolved.
FIELDDETAILS
Required Parametersuser_principal_name, user_id, or service_account_id (user identifier)
API EndpointsGET /api/v1/users/${userEmail}
POST /api/v1/users/${id}/lifecycle/unsuspend
Undo ActionYes - via disable_users_and_terminate_active_sessions action
Required Permissionsokta.users.read, okta.users.manage, and okta.users.lifecycle.unsuspend
Impact LevelLow - Restores normal access
Action: Reset User Password Resets a user's password in Okta and forces them to change it on next sign-in. The account is temporarily suspended and unsuspended to ensure password expiration takes effect.
FIELDDETAILS
Required Parametersuser_principal_name, user_id, or service_account_id (user identifier)
API EndpointsGET /api/v1/users/${userEmail}
POST /api/v1/users/${id}/lifecycle/expire_password
POST /api/v1/users/${id}/lifecycle/suspend
POST /api/v1/users/${id}/lifecycle/unsuspend
Undo ActionNo - Password already changed
Required Permissionsokta.users.read, okta.users.manage, okta.users.lifecycle.suspend, and okta.users.lifecycle.unsuspend
Impact LevelHigh - User must reset password
Action: Block IP Blocks an IP address in Okta using Network Zones. Creates a dedicated network zone with the blocked IP and marks it as a blocklist. Each IP gets its own zone for granular control and easier management.
FIELDDETAILS
Required Parametersip_address
API EndpointsPOST /api/v1/zones
Undo ActionYes - via unblock_ip action
Required Permissionsokta.networkZones.manage
Impact LevelHigh - Blocks access from IP globally
Action: Unblock IP Unblocks a previously blocked IP address by deleting its network zone in Okta. This is an idempotent operation - if the network zone doesn't exist, it succeeds silently.
FIELDDETAILS
Required Parametersip_address
API EndpointsGET /api/v1/zones
DELETE /api/v1/zones/${zoneId}
Undo ActionYes - via block_ip action
Required Permissionsokta.networkZones.read, okta.networkZones.manage
Impact LevelLow - Restores IP access
### Proofpoint Actions Proofpoint action connectors use the **Proofpoint API** to perform email security and threat protection actions. These actions are commonly used for **email sender blocking and spam prevention** during incident response. Proofpoint provides advanced email security, threat intelligence, and compliance solutions. > **Primary use cases:** Malicious sender blocking, phishing prevention
Action: Block Sender Blocks an email sender address in Proofpoint, preventing emails from that sender from being delivered to any user in the organization. Blocked senders are added to the organization's blocked sender list.
FIELDDETAILS
Required Parametersemail_from
API EndpointsPATCH /api/v1/orgs/${domain}/sender-lists
Undo ActionNo - Manual removal from sender list required
Required PermissionsScope: admin-level access
Impact LevelMedium - Blocks sender for organization
### SentinelOne Actions SentinelOne action connectors use the **SentinelOne Management Console API** to perform endpoint protection and response actions. These actions are commonly used for **endpoint containment, threat remediation,** and **malware blocking** during incident response. SentinelOne provides autonomous endpoint protection with AI-driven threat detection. > **Primary use cases:** Endpoint isolation, malware scanning, file hash blocking
Action: Block File Blocks a file by SHA1 hash on SentinelOne for all OS types (Windows, Linux, macOS). The file is blocked across all supported operating systems and all managed endpoints within the account.
FIELDDETAILS
Required Parametershash_sha1
API EndpointsGET /web/api/v2.1/agents (to get accountId)
POST /web/api/v2.1/restrictions (called for each OS: windows, linux, macOS)
Undo ActionNo - Vendor API does not support unblocking
Required PermissionsBlocklist: View, Edit, Delete, and Create
Impact LevelHigh - Blocks file across all endpoints
Action: Isolate Device Isolates a device on SentinelOne, preventing it from communicating with other devices on the network. The device can still communicate with the SentinelOne management console for administration.
FIELDDETAILS
Required Parametersdevice_id (SentinelOne device ID)
API EndpointsPOST /web/api/v2.1/agents/actions/disconnect
Undo ActionYes - via release_device action
Required PermissionsAgents: Network Quarantine Control
Impact LevelHigh - Device network isolated
Action: Release Device Releases a device from isolation on SentinelOne, restoring normal network communication.
FIELDDETAILS
Required Parametersdevice_id (SentinelOne device ID)
API EndpointsPOST /web/api/v2.1/agents/actions/connect
Undo ActionYes - via isolate_device action
Required PermissionsAgents: Network Quarantine Control
Impact LevelLow - Restores network access
Action: Run Full Disk Scan Initiates a full disk scan on a device in SentinelOne to detect threats and malware. The scan runs in the background and may impact device performance.
FIELDDETAILS
Required Parametersdevice_id (SentinelOne device ID)
API EndpointsPOST /web/api/v2.1/agents/actions/initiate-scan
Undo ActionNo - Scan already initiated
Required PermissionsAgents: Initiate Scan
Impact LevelLow - Background scan process
### Revert Capabilities #### **Understand revert capabilities** Revert capability determines if an action can be automatically reversed through the platform. Actions with revert support have a paired reversal action. For example, `isolate_device` can be undone with `release_device`, and `disable_user` can be reversed with `enable_user`. This gives you confidence to act decisively, knowing you can quickly restore normal operations. #### How to reverse an action If you need to **undo** a remediation step (for example, re-enabling a user after an investigation clears them), you can often do so directly from the same view. 1. Go to the table where you ran the action and find the affected artifact. 2. **Click** to open the right side drawer menu. 3. Look for the **undo** button in the **Action history** section. 4. Confirm to revert the action.
Some actions are **inherently irreversible** due to their nature or vendor API limitations. The [Actions without revert support](#actions-without-revert-support) table lists why certain actions cannot be automatically reversed. For irreversible actions, we recommend extra caution and choosing less destructive alternatives when possible (e.g., soft delete instead of hard delete an email). {% stepper %} {% step %} ### Actions with revert support
ActionReversal ActionVendors

disable_users_and_

terminate_active_sessions

enable_userOkta, MS365
enable_user

disable_users_and_

terminate_active_sessions

Okta, MS365
isolate_devicerelease_deviceMS365 Defender, SentinelOne, CrowdStrike
release_deviceisolate_deviceMS365 Defender, SentinelOne, CrowdStrike
block_ipunblock_ipOkta
unblock_ipblock_ipOkta
find_and_soft_delete_emailsrestore_soft_deleted_emailsMS365
restore_soft_deleted_emailsfind_and_soft_delete_emailsMS365
block_fileunblock_file

MS365

Defender

unblock_fileblock_file

MS365

Defender

{% endstep %} {% step %} ### Actions without revert support
ActionReasonVendors
terminate_active_sessionsSessions already terminatedOkta, MS365
reset_user_passwordPassword already changedOkta, MS365
disable_all_forward_rulesManual re-enablement requiredMS365
delete_external_forward_rulesRules permanently deletedMS365
find_and_hard_delete_emailsPermanent deletionMS365, Google Workspace
block_domainManual removal requiredMS365 Defender
block_fileVendor API does not support unblockingSentinelOne, CrowdStrike
run_full_disk_scanScan already initiatedSentinelOne
block_urlManual removal from URL list/managed URLs requiredNetskope, Mimecast
block_url_domainManual removal from managed URLs requiredMimecast
block_senderManual removal from sender list/filters requiredProofpoint, Google Workspace, Mimecast
block_sender_domainManual removal from group requiredMimecast
block_ipManual policy removal requiredMS365
enroll_in_phishing_trainingTraining enrollment cannot be undoneKnowBe4
{% endstep %} {% endstepper %} ### **Impact Level Definitions** * **High:** Significant operational impact; requires immediate attention to restore. * **Medium:** Moderate operational impact; users can work around limitation. * **Low:** Minimal operational impact, easily reversible or limited to enrichment only.