[Internal]: Cancel response action for Microsoft Defender Endpoint #2866
Description
Description
Introduce full support for cancelling (cancel response action) ongoing machine actions for Microsoft Defender for Endpoint (MDE).
This functionality enables users to force-cancel actions that are stuck in a pending state, unblocking further use of the Response Console.
cancel --help
About
Cancel an ongoing action on the host
Usage
cancel --action [--comment]
Example
cancel --action="copy.sh" --comment="Canceled because it is stuck"
Required parameters
--action - The response action to cancel (selected from popup list)
Optional parameters
--comment - A comment to go along with the action
Background & resources
- PR: [EDR Workflows] Add Cancel response action to MDE kibana#230399
- Implementation issues are referenced in this Meta issue: https://github.com/elastic/security-team/issues/13402
- Point of contact: @tomsonpl
- Test environments: Create cloud env. and enable feature flag
microsoftDefenderEndpointCancelEnabled
Which documentation set does this change impact?
ESS and serverless
ESS release
Feature will be included in v9.2.0
Serverless release
Week of October 6 2025
Feature differences
Feature is identical in both ESS and Serverless
API docs impact
OpenAPI docs will be updated by Dev to include new API parameters applicable to Cancel for MDE
Prerequisites, privileges, feature flags
- Feature flag (
microsoftDefenderEndpointCancelEnabled) will be enabled in the after Feature Freeze - just prior to release for Serverless