# Response actions

Response actions are discrete containment operations that Sentinel executes autonomously or that you trigger via the API. Every action is logged with full context and becomes part of the incident timeline. Actions whose `reversible` field is `true` can be undone through the reverse endpoint; a reversal is recorded as its own action against the same incident.

## Available actions
| Action | Description |
|---|---|
| `isolate_device` | Cut device network access. The management channel remains active. |
| `deisolate_device` | Restore full network access to an isolated device. |
| `kill_process` | Terminate a specific process by PID or name on a device. |
| `quarantine_file` | Move a file to quarantine storage on the device. |
| `disable_account` | Disable a user account across connected identity providers. |
| `revoke_sessions` | Invalidate all active sessions for a user. |
| `force_mfa` | Require an MFA re-challenge on next login. |
| `block_ip` | Block an IP at the Cloudflare/firewall layer. |
| `unblock_ip` | Remove an IP block. |
| `run_scan` | Trigger a full AV/EDR scan on a device. |
## Trigger a response action

```bash
POST /v1/sentinel/actions
```

```bash
curl -X POST https://api.hldgroup.org/v1/sentinel/actions \
  -H "Authorization: Bearer hld_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "isolate_device",
    "target_type": "device",
    "target_id": "dev_01hxyz",
    "incident_id": "inc_01hxyz",
    "reason": "Suspicious outbound traffic — isolating pending investigation."
  }'
```

## The action object
```json
{
  "id": "act_01hxyz",
  "action": "isolate_device",
  "status": "completed",
  "target_type": "device",
  "target_id": "dev_01hxyz",
  "incident_id": "inc_01hxyz",
  "triggered_by": "api",
  "reason": "Suspicious outbound traffic — isolating pending investigation.",
  "created_at": "2025-06-01T03:14:09Z",
  "completed_at": "2025-06-01T03:14:11Z",
  "reversible": true,
  "reversed_at": null
}
```

## Reverse an action
All reversible actions can be undone. The reversal is a new action tied to the same incident.
```bash
POST /v1/sentinel/actions/:id/reverse
```

```json
{
  "reason": "Investigation complete — device cleared. Restoring access."
}
```

Tip: Always provide a `reason` when triggering or reversing actions. It becomes part of the permanent incident timeline and is included in audit reports.

## List actions for an incident

```bash
GET /v1/sentinel/incidents/:incident_id/actions
```
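The following is an added example, not Sentinel's own SDK: a thin Python client for the three endpoints on this page (trigger, reverse, list), which refuses blank `reason` values before they reach the API, plus a pre-close check built on the action object's `status`, `reversible` and `reversed_at` fields that lists containment still in effect for an incident. The endpoints, headers and field names are taken from the page. Assumptions that the page does not confirm: the reverse endpoint returns the new action object, the list endpoint's response envelope is unknown (so `outstanding_containment()` takes the unwrapped list of action objects), and the sample timeline and its `"failed"` status are constructed here for illustration.

```python
"""Thin client for the Sentinel response-action endpoints (added example).

Endpoints and action-object fields are from the documentation page.
Assumed, not documented: the reverse endpoint returns the new action
object; the list endpoint's envelope is unknown, so the caller unwraps
it before calling outstanding_containment().
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

BASE_URL = "https://api.hldgroup.org"

# transport(method, url, json_body_or_None, headers) -> parsed JSON response.
# Injectable so the client can be exercised offline with a fake transport.
Transport = Callable[[str, str, Optional[Dict[str, Any]], Dict[str, str]], Dict[str, Any]]


def urllib_transport(method: str, url: str, body: Optional[Dict[str, Any]],
                     headers: Dict[str, str]) -> Dict[str, Any]:
    """Real HTTP transport using only the standard library."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def require_reason(reason: str) -> str:
    """Reject blank reasons client-side: the reason is the audit-trail entry
    the page says every trigger and reversal should carry."""
    if not isinstance(reason, str) or not reason.strip():
        raise ValueError("a non-empty reason is required for every action")
    return reason.strip()


class SentinelActions:
    def __init__(self, api_key: str, transport: Transport = urllib_transport,
                 base_url: str = BASE_URL) -> None:
        self.api_key = api_key
        self.transport = transport
        self.base_url = base_url.rstrip("/")

    def _call(self, method: str, path: str,
              body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Authorization": f"Bearer {self.api_key}",
                   "Content-Type": "application/json"}
        return self.transport(method, self.base_url + path, body, headers)

    def trigger(self, action: str, target_type: str, target_id: str,
                incident_id: str, reason: str) -> Dict[str, Any]:
        """POST /v1/sentinel/actions"""
        return self._call("POST", "/v1/sentinel/actions", {
            "action": action, "target_type": target_type,
            "target_id": target_id, "incident_id": incident_id,
            "reason": require_reason(reason),
        })

    def reverse(self, action_id: str, reason: str) -> Dict[str, Any]:
        """POST /v1/sentinel/actions/:id/reverse (returns the reversal action; assumed)"""
        return self._call("POST", f"/v1/sentinel/actions/{action_id}/reverse",
                          {"reason": require_reason(reason)})

    def list_for_incident(self, incident_id: str) -> Dict[str, Any]:
        """GET /v1/sentinel/incidents/:incident_id/actions (raw response)"""
        return self._call("GET", f"/v1/sentinel/incidents/{incident_id}/actions")


def outstanding_containment(actions: List[Dict[str, Any]]) -> List[str]:
    """IDs of completed, reversible actions that have not been reversed.

    Run before closing an incident: a device left isolated or an account
    left disabled shows up here. Actions that never completed are skipped."""
    return [a["id"] for a in actions
            if a.get("status") == "completed"
            and a.get("reversible") is True
            and a.get("reversed_at") is None]


# Constructed sample timeline for one incident (not real API output;
# the "failed" status is assumed, the page only shows "completed").
SAMPLE_ACTIONS = [
    {"id": "act_a1", "action": "isolate_device", "status": "completed",
     "reversible": True, "reversed_at": None},
    {"id": "act_a2", "action": "disable_account", "status": "completed",
     "reversible": True, "reversed_at": "2025-06-01T04:00:00Z"},
    {"id": "act_a3", "action": "block_ip", "status": "failed",
     "reversible": True, "reversed_at": None},
]

if __name__ == "__main__":
    print("containment still in effect:", outstanding_containment(SAMPLE_ACTIONS))
```

In the sample timeline only `act_a1` is reported: `act_a2` was already reversed and `act_a3` never completed, so there is nothing to undo for either. Because the real list endpoint's envelope is not shown on the page, unwrap its response to the array of action objects before passing it to `outstanding_containment()`.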