Skip to main content

Cyware Orchestrate

Respond (CFTR)

App Vendor: Cyware

App Category: Cyware Product

Connector Version: 4.0.5

API Version: CFTR v3

About App

The Respond connector app allows security teams to integrate with the Respond application, a threat response automation platform. The connector app enables analysts to perform actions related to incident response and management, threat actor management, vulnerability management, malware management, triage management, and more that help you automate threat response.

Note

Respond (v4.0.0) includes major updates that may not be compatible with previous versions. Major updates include adding new actions, deprecating a few actions, and more. We recommend you review all the playbooks and actions before upgrading.

The Respond app is configured with Orchestrate to perform the following actions:

Action Name

Description

Add Asset Software 

This action adds an asset software in the Software module.

Add Asset User 

This action adds an asset user to the Users module.

Add Comment 

This action adds comments in a specific component.

Add Comment in Custom Module (Deprecated) 

This action adds a comment in the custom module.

Add Device 

This action adds a device to the Devices module.

Advanced Search for Modules

This action retrieves a list of module entries based on the specified payload and query parameters.

Bulk Create Threat Intel (IOCs) 

This action creates multiple IOCs in the Threat Intel module.

Connect Modules 

This action connects modules to reflect in the Connect the Dots of each module.

Create Action 

This action creates an action in the application.

Create a Malware 

This action created malware in the application.

Create a PIR 

This action creates a PIR (Priority Intel Requirement).

Create Asset Application 

This action creates an asset application in the Applications module.

Create a Threat Briefing 

This action adds a new threat briefing record to the application.

Create Attack Tactic-Technique Pair 

This action creates an attack tactic and technique pair.

Create Campaign 

This action creates a new campaign in the application.

Create Custom Module Entry 

This action creates a new custom module entry.

Create Enhancement 

This action creates an enhancement.

Create Incident 

This action creates an incident.

Create Threat Actor 

This action adds a threat actor.

Create Vulnerability 

This action adds a new vulnerability.

Fetch Health Console Status 

This action retrieves the console status.

Get Action Details 

This action retrieves the details of an action using the ID of the action.

Get Asset Application Details 

This action retrieves the details of an application using the ID of the application.

Get Assets Impacted by Vulnerability

This action retrieves the details of the assets impacted by a vulnerability.

Get Asset Software Details 

This action retrieves details of the asset software using the ID.

Get Asset User Details 

This action retrieves the details of an asset user.

Get ATT&CK Tactic Details 

This action retrieves the details of an ATT&CK tactic.

Get ATT&CK Tactics 

This action retrieves a list of ATT&CK tactics from the ATT&CK Navigator module.

Get ATT&CK Technique Details 

This action retrieves the details of an ATT&CK technique.

Get ATT&CK Techniques 

This action retrieves a list of ATT&CK techniques from the ATT&CK Navigator module.

Get Business Unit Details 

This action retrieves the details of a business unit.

Get Campaign Details 

This action retrieves the details of a campaign.

List Actions 

This action retrieves a list of actions based on the query parameters.

List Asset Applications 

This action retrieves a list of asset applications from the Applications module.

List Asset Software 

This action retrieves a list of asset software from the Software module.

List Asset Users 

This action retrieves a list of asset users from the Users module.

List Attachments 

This action retrieves the attachments of an entry.

List Business Units 

This action retrieves a list of business units.

List Campaigns 

This action retrieves a list of campaigns.

Get CFTR User Details 

This action retrieves the details of a user.

List CFTR Users 

This action retrieves a list of users from the User Management module.

List Comments 

This action retrieves the comments for an entry.

List Countries 

This action retrieves a list of countries from the application.

Get Custom Module Entry Detail 

This action retrieves the details of a custom module entry.

Get Device Details 

This action retrieves the details of a device using the ID of a device.

List Devices 

This action retrieves a list of devices from the devices module.

Get Enhancement Details 

This action retrieves the enhancement details using the ID of the enhancement.

List Enhancements 

This action retrieves a list of enhancement records using query string and query parameters.

Get Incident Details 

This action retrieves the details of an incident.

List Incidents 

This action retrieves a list of incidents from the application.

Get Incident Workflow Details 

This action retrieves the details of an incident workflow.

Get Label Details 

This action retrieves the details of a label.

Get Labels 

This action retrieves a list of labels from the application.

List Threat Intel (IOCs) 

This action is used to retrieve a list of threat intel (IOCs).

Get List of Threat Intel Types 

This action retrieves a list of threat intel types from the application.

Get Location Details 

This action retrieves the details of a location using the ID of the location.

List Locations 

This action retrieves a list of locations from the application.

Get Malware Details 

This action retrieves the details of malware using malware ID.

Get Manufacturer Details 

This action is used to retrieve the details of a manufacturer.

List Manufacturers 

This action is used to retrieve a list of manufacturers from the application.

Get OS Type Details 

This action retrieves the details of an OS type.

List OS Types 

This action retrieves a list of operating system (OS) types from the application.

Get PIR Details 

This action retrieves the details of a PIR (Priority Intel Requirement) using the ID of the PIR.

List PIRs 

This action retrieves a list of PIR (Priority Intel Requirement) using query string and query parameters.

Get Recommended Users for an Incident 

This action retrieves a list of users who are automatically recommended by Respond for assigning to a specific incident based on their roster and the history of incidents handled.

Get Roster 

This action retrieves the list of rosters from the application.

Get Source Details 

This action retrieves the details of a source.

List Sources 

This action retrieves a list of sources from the application.

Get Templates 

This action retrieves the list of templates from the application.

Get Threat Actor Details 

This action retrieves the details of a threat actor using the ID of the threat actor.

List Threat Actors 

This action retrieves a list of threat actors.

Get Threat Briefing Details 

This action retrieves the details of a threat briefing.

List Threat Briefings 

This action retrieves a list of threat briefings.

Get Threat Intel Form Structure 

This action retrieves the form field structure of the threat intel component.

Get Threat Intel (IOC) Details 

This action retrieves the details of an IOC.

Get User Group Details 

This action retrieves the details of a user group.

List User Groups 

This action retrieves a list of user groups from the application.

List Vulnerabilities 

This action retrieves a list of vulnerabilities.

Get Vulnerability Details 

This action retrieves the details of a vulnerability.

List Custom Module Entries 

This action retrieves all the entries of a custom module with their details.

List Custom Modules 

This action retrieves the list of custom modules.

List Incident Workflows 

This action retrieves a list of all the incident workflows with details from the application.

List Malware 

This action retrieves a list of malware.

Merge Incidents 

This action merges incidents with a parent incident.

Update Action Details 

This action updates the details of an action using the ID of an action.

Update Asset Application Details 

This action updates the details of an application using the ID and additional fields.

Update Asset Software Details 

This action updates the details of asset software.

Update Asset User Details 

This action updates the details of an asset user.

Update Campaign Details 

This action updates the details of a campaign.

Update Custom Module Entry 

This action updates a custom module entry.

Update Device Details 

This action updates the details of a device using the ID of the device.

Update Enhancement Details 

This action updates the details of an enhancement using the ID of the enhancement.

Update Incident Details 

This action updates the details of an incident.

Update Malware Details 

This action updates the details of a malware record using a malware ID.

Update PIR Details 

This action updates a PIR (Priority Intel Requirement) record using the ID of the PIR.

Update Threat Actor Details 

This action updates the details of a threat actor.

Update Threat Briefing Details 

This action updates the details of a threat briefing.

Update Threat Intel (IOC) 

This action updates threat intel (IOC) using its ID.

Update Vulnerability Details 

This action updates the details of a vulnerability.

Upload Attachment 

This action uploads an attachment to a component.

Get Incident Summary 

This action retrieves the executive summary of the incident using its ID.

Generic Action 

This is a generic action to perform any additional use case in the application.

Note

The actions Get a list of vendors and Get vendor are deprecated. Additionally, the action Create a Threat Intel (IOC) is no longer supported, you can instead use the action Bulk Create Threat Intel (IOC).

Configuration Parameters

The following configuration parameters are required for the Respond app to communicate with the Respond enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Base URL 

Enter the base URL to access the Respond application using the open API.

Text

Required

Access ID 

Enter the access ID to access the Respond application using the open API.

Text

Required

Secret Key 

Enter the secret key to access the Respond application using the open API.

Password

Required

TLS verification 

Choose your preference to verify TLS while making requests. We recommend you set this option to yes. If no is passed, it may result in an incorrect connection establishment, resulting in a broken connection

Boolean

Optional

Default value: 

true 

Allowed values: 

  • true

  • false

Timeout 

Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with the Respond application. It is recommended to set the value between 60 and 70 seconds.

Integer

Optional

 Available range: 

15-120 seconds

Default value: 

15 seconds

Action: Add Asset Software

This action adds an asset software in the Software module.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Readable Type

Enter true to add an application using the values of locations, business units, and labels. 

Boolean

Optional

Default value: 

false

Asset Software Name 

Enter the name of the asset software. 

Example: 

Cyware Orchestrate

Text

Required

Software Publisher ID 

Enter the ID of the software publisher. 

Example: 

v53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

Software Type 

Enter the software type as a list of comma-separated strings. 

Example:

[system security, financial software]

List

Required

Software ID 

Enter the software ID. 

Example:

w83ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

Additional Information 

Enter the details in key-value pairs to be added to the asset software.

Example: 

purpose : security

Key Value

Optional

Example Request 

[
  {
    "title": "VirusTotal",
    "software_publisher": "VirusTotal",
    "software_id": "w83ff8942-612d-4bc1-b54f-d8195c002404",
    "software_type": ["system security","financial software"],
    "extra_fields":
    {
      “BU_name": "Business Unit 1"
    }  
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the software.

created 

String

Software creation date and time.

modified 

String

Software last updated date and time.

title 

String

Name of the software.

software_id 

String

ID of the software.

software_type 

List

Type of the software. For example, Development Software.

title_display 

String

Name of software.

readable_id 

String

Readable ID of software. For example, SFT115.

software_status 

String

Current status of the software.

purchase_date 

String

Purchase date of the software.

created_by 

String

user_id of the user who created the software.

created_by_data 

Object

Details of user who added the software.

labels 

List

List of unique_id labels that are added to the software.

labels_data 

List of Objects

Details of the labels that are added to the software.

business_units_data 

List of Objects

Details of business units that are impacted by the software

locations_data 

List of Objects

Details of locations that are impacted by the software.

software_type_data 

Object

Details of the software type.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities .

malwares 

Array of UUID Strings

List of unique_id of the connected connected malwares.

malwares_data 

Array of Objects

Details of the connected malwares .

endpoints 

Array of UUID Strings

List of unique_id of the connected connected devices.

endpoint_data 

Array of Objects

Details of the connected devices.

Action: Add Asset User

This action adds an asset user to the Users module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Employee Name 

Enter the name of the asset user.

Example:

John Doe

Text

Required

Employee Code 

Enter the employee code of the asset user.

Example: 

EMP_111

Text

Required

Email Address 

Enter the email address of the asset user. 

Example: 

john.doe@cyware.com

Text

Required

Business Unit (BU) 

Enter the IDs of business units in a comma-separated list. 

Example: [728277db-83be-4108-a8d7-e52c5deefc2c, 928277db-83be-4108-a8d7-e52c5deefc2n]

List

Required

Additional Information 

Enter the details in key-value pairs to be added to the asset user. 

Example:

full_name: John Doe

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to create an asset user using the values of labels and business units.

Boolean

Optional

Default value: 

false

Example Request

[
  {
    "employee_name": "John Dan",
    "employee_code": "EMP_111",
    "email": "john.dan@example.com",
    "business_units": "Business Unit",
    {
        "extra_fields":
        {
          "full_name": "John Dan"
        }  
      }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the user.

created 

String

User creation date and time.

modified 

String

User last updated date and time.

employee_name 

String

Name of the user.

email 

String

Email ID of the user.

display_name 

String

Name of the user.

readable_id 

String

Readable ID of the user.

user_status 

String

Current Status of the user.

hire_date 

String

Hiring date of the user.

created_by 

String

user_id of the CFTR user who created the asset user.

created_by_data 

Object

Details of the CFTR user who created the asset user.

labels 

List

List of unique_id of labels that are added to the user.

labels_data 

List of Objects

Details of the labels that are added to the user.

business_units_data 

List of Objects

Details of business units of the user.

owned_applications 

Array of UUID Strings

List of unique_id of the applications owned by the user.

owned_applications_data 

Array of Objects

Details of the applications owned by the user.

managed_applications 

Array of UUID Strings

List of unique_id of the applications managed by the user.

managed_applications_data 

Array of Objects

Details of the managed applications.

managed_endpoints 

Array of UUID Strings

List of unique_id of the devices managed by the user.

managed_endpoints_data 

Array of Objects

Details of the managed devices.

owned_endpoints 

Array of UUID Strings

List of unique_id of the devices owned by the user.

owned_endpoints_data 

Array of Objects

Details of the managed devices.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

Action: Add Comment

This action adds a comment to a specific component.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Component Name 

Enter the name of a component.

Example:

incident

Text

Required

Allowed values: 

action, application, asset software, campaign, device, enhancement, incident, IOC, malware, PIR, threat-briefing, vulnerability

Unique ID 

Enter the unique ID of the component entry to which you want to add comments. 

Example:

f0900171-be25-490e-bddc-fa8bf29d6453

Text

Required

If the component name is incident, the unique ID must be specific to the incident.

Comment 

Enter the comment to be added. 

Example:

IP address blocked

Text

Required

Mentioned Users 

Enter the list of usernames of users mentioned in the comment.

Example:

[a1c03ad2-8147-4834-a575-f1710be628b0, b3184a17-e59f-46cb-82c3-d8aabbefff7e]

List

Optional

Example Request 

[
  {
    "component_name": "incident",
    "unique_id": "f0900171-be25-490e-bddc-fa8bf29d6453",
    "comment": "IP address blocked",  
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

unique_id

String

Unique ID of the comment.

description

Text

Content of the comment.

created_by

Object

Details of the user who added the comment.

modified_by

Object

Details of the user who last updated the comment.

mentioned_users

List of UUID

List of user_id of users mentioned in the comment.

mentioned_users_data

List of Objects

Details of the users mentioned in the comment.

created

String

Comment creation time.

modified

String

Comment last updated time.

comment_type

String

Type of Comment. 

Examples: 

discussion: Notes added in any instance. 

handoff: Handoff notes added while updating the assignee or assigned group. 

closure: Closure Notes added while closing an incident.

content_object

String

Component in which the comment is added. 

Example: incident, action, ioc, and so on.

content_object_readable_id

String

readable_id of the instance in which comment is added

content_object_unique_id

String

unique_id of the instance in which comment is added

description_with_img_src

Text

Content of the content with the image URLs (if any image is added in the comment).

Action: Add Comment in Custom Module (Deprecated)

This action adds a comment in the custom module. 

Note

This action is deprecated and it is recommended to use the action Add Comment.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier 

Enter the component identifier of the module. 

Example: 

module21

Text

Required

You can retrieve the list of components and their IDs using the following action:

List Custom Modules

Instance Unique ID 

Enter the unique ID of the entry to which you want to add a comment. 

Example: 

822c2781-8ea0-4122-8176-8995a4c81dca

Text

Required

Description 

Enter the content for the comment. 

Example:

note for custom module

Text

Required

Mentioned Users Usernames 

Enter the list of usernames of the users to be added in the comment. 

Example:

[a1c03ad2-8147-4834-a575-f1710be628b0, b3184a17-e59f-46cb-82c3-d8aabbefff7e]

List

Optional

Example Request 

[
  {
    "component_identifier": "module21",
    "unique_id": "822c2781-8ea0-4122-8176-8995a4c81dca",
    "comment": "note for custom module" 
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

unique_id

String

Unique ID of the comment.

description

Text

Content of the comment.

created_by

Object

Details of the user who added the comment.

modified_by

Object

Details of the user who last updated the comment.

mentioned_users

List of UUIDs

List of user_id of users mentioned in the comment.

mentioned_users_data

List of Objects

Details of the users mentioned in the comment.

created

String

Comment creation time.

modified

String

Comment last updated time.

comment_type

String

Type of Comment. 

Examples: 

discussion: Notes added in any instance. 

handoff: Handoff notes added while updating the assignee or assigned group. 

closure: Closure Notes added while closing an incident.

content_object

String

Custom module in which the comment is added. 

Example: incident, action, ioc, and so on.

content_object_readable_id

String

readable_id of the entry in which the comment is added

content_object_unique_id

String

unique_id of the entry in which the comment is added

description_with_img_src

Text

Content of the comment with the image URLs (if any image is added in the comment).

pinned

Boolean

Displays if the comment is pinned or not.

Action: Add Device

This action adds a device to the Devices module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Hostname 

Enter the name of the device. 

Example:

information security

Text

Required

IP Address 

Enter the IP address of the device. 

Example:

11.1.1.11

Text

Required

Additional Information 

Enter the additional information in the form of key-value pairs.

Example:

endpoint_type: desktop

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to add devices using the values of locations, business units, manufacturers, labels, and operation system types.

Boolean

Optional

Default: 

false

Example Request

[
  {
    "hostname": "EC2AMAZ-8V2J535",
    "ip_address": "1.1.1.1",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "endpoint_status": "clean"
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the device.

created 

String

Device creation time in EPOCH time format.

modified 

String

Device Last Updated Time in EPOCH time format.

serial_number 

String

Serial number of the device.

hostname 

String

Hostname of the device.

readable_id 

String

Readable ID of the device. For example, DVC116.

endpoint_status 

String

Current status of the device.

owner 

String

Owner of the device.

physical_location 

String

Physical location of the device.

title_display 

String

Hostname of the device

ip_address 

Float

IP address of the device.

created_by 

String

user_id of the user who created the device.

created_by_data 

Object

Details of user who created the device. Details include: 

username, first_name, last_name, user_id and more.

status 

String

Status of the device.

labels 

List

List of unique_id labels that are added to the device.

labels_data 

List of Objects

Details of the labels that are added to the device.

business_units_data 

List of Objects

Details of business units that are impacted by the device.

locations_data 

List of Objects

Details of locations that are impacted by the device.

risk 

String

Risk level of the device.

risk_data 

Object

Details of the risk of the device.

priority 

String

Priority of the device.

endpoint_type 

String

Type of the endpoint. For example, Desktop.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

owner_data 

Object

Details of the owner of device.

manager_data 

Object

Details of the manager of device.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

actions_data 

Array of Objects

Details of the actions that are added to the device.

Action: Advanced Search for Modules

This action retrieves a list of module entries based on the specified payload and query parameters.

Action Input Parameters 

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Component Identifier 

Enter the identifier of a component.

Text

Required

Allowed values: 

incident, action, vulnerability, threat-actor, campaign, threat-briefing, malware, enhancement, pir, general-user, device, application, asset-software

Advanced Search Payload 

Enter the readable key of parameters and the respective values in key-value pairs to search entries. Include the operator to apply to the parameters. 

Example: 

{'assigned_group': '3bf12078-4f1d-4fb7-b2ba-3239137ea9e1,'ip_reputation': 'Malicious','operator': 'OR' }

Key value

Required

Allowed values:

OR and AND 

Default value:

AND

Query Parameter 

Enter the query parameter and the respective value to filter results. 

Example: 

{'status':'open'}

Key value

Optional

Example Request

[
  {
    "query": {},
    "component_identifier": "incident",
    "advanced_search_payload": {
      "operator": "OR",
      "assigned_group": "a1a18016-9df5-4521-a0b7-ec4064fa5c1e",
      "incident_state": "Untriaged"
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link

Object

This parameter includes two keys:

previous and next.

previous key returns the API endpoint to the previous page.

next key returns the API endpoint to the next page.

count

Integer

Returns the total number of module entries in the application based on the parameters passed in the query and payload.

results

List of Objects

Returns a list of module entries with details.

Action: Bulk Create Threat Intel (IOCs)

This action creates multiple IOCs in the threat intel module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IOCs

Enter the IOC type and the respective values in key-value pairs. 

Examples:

  • {'ioc_email':['test@email.com']}

  • {'ioc_ip': [11.11.21.31]}

  • {'ioc_domain': [domain_value]}

  • {'ioc_url': [https://example.com/sample}

  • {'ioc_SHA1': [c32f4b04626ccf49c788496e9340bb6f0a4aa782]}

  • {'ioc_SHA256': [6a3578c1fc17c0d1421e1e7d2d3e522187c35bdc512537f7ec5d77a0e89b63c3]}

  • {'ioc_MD5': [d41d8cd98f00b204e9800998ecf8427e]}

Key Value

Required

Action Response Parameters

Parameter 

Type 

Description 

iocs 

Object

Key-value pairs of Threat Intel type and the corresponding Threat Intel unique_id.

iocs_data 

Object

Key-value pairs of Threat Intel type and the corresponding Threat Intel data. 

Threat Intel data includes the following details: value, tlp, status, and unique_id.

Action: Connect Modules

This action is used to connect modules displayed in Connect the Dots of each module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Data 

Enter the IDs of the modules that you want to connect. 

Example: 

{

"incident": ["1d9509c9-501b-4261-ba85-a9690acc5100", "49b46c68-b10d-41fd-82e7-1681fd8b7787"], 

"vulnerability": ["b4afd23b-a13f-4a4a-bacb-99e6aa465d42","eda602cc-4118-48b7-9394-e2bf954c7135"]

}

Key Value

Optional

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Returns status code 200 for a successful execution.

Action: Create Action

This action creates an action in the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Action Title 

Enter a title for the action.

Example:

block the IP address

Text

Required

Assigned Group ID 

Enter the unique ID of the assigned group.

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

Retrieve the list of user groups and their IDs using the following action:

Get User Groups

Additional Information 

Enter the additional information in the form of key-value pairs.

Example:

status: open

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to create actions using the values of assigned groups, labels, and the email IDs of assigned users.

Boolean

Optional

Default value:

false

Example Request

[
  {
    "title": "New Action",
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "open"
    }
  }
]

Action Response Parameters

Parameters 

Type 

Description 

title 

String

The title of the action.

unique_id 

String

Unique ID of the action.

created 

String

Created date of the action in EPOCH time format.

modified 

String

Last modified date of the action in EPOCH time format.

description 

String

Description of the action.

assigned_to 

String

User_id of the assigned user.

assigned_to_data 

Object

Details of the assigned user.

assigned_group 

String

Group_comm_id of the assigned user group.

assigned_group_data 

Object

Details of the assigned user group.

status 

String

Status of the action.

readable_id 

String

Readable ID of the action. For example, ACT381

created_by_data 

Object

Details of the user who created the action. Details include: 

username, email ,first name, last name, and so on.

can_update_instance 

Boolean

Shows whether the instance can be updated by the user who requested it or not.

is_bookmarked 

Boolean

True: Action is bookmarked. 

False: Action is not bookmarked.

closed_by_data 

Object

Details of the user who closed the action. Details include: 

username, email ,first name, last name, and so on.

closed_on 

String

Closure date of the action in EPOCH time format.

resolved_on 

String

Resolved date of the action in EPOCH time format.

assignment_sla 

String

Details of assignment SLA details of the action. 

This parameter has two keys: 

1. color: Associated color code (according to SLA breach level). 

2. data: It has two keys: 

- sla_duration: SLA Breach time. 

- elapsed_time: time elapsed between action opening and SLA completion.

resolution_sla 

String

Details of resolution SLA of the action. 

This parameter has two keys: 

1. color: Associated color code (according to SLA breach level). 

2. data: It has two keys: 

- sla_duration: SLA Breach time. 

- elapsed_time: time elapsed between action opening and SLA completion.

resolution_due_date 

String

Resolution due date of the action.

sla_stopped_on 

String

Date and time at which the SLA stopped for the action.

type 

String

Type of the action.

priority 

String

Priority level of the action

type_data 

Object

Details of the type of the action.

priority_data 

Object

Details of the priority level of the action.

created_from_template 

Boolean

Shows if the action is created using a template or not.

users 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

softwares 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of connected software.

softwares_data 

Array of Objects

Details of the connected software.

applications 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of connected applications.

applications_data 

Array of Objects

Details of the connected applications.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns_data 

Array of Objects

Details of the connected campaigns.

incidents_data 

Object

Details of the connected incidents.

malwares_data 

Array of Objects

Details of the connected malware.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

Action: Create a Malware

This action adds malware to the Malware module.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Readable Type

Enter true to add a malware using the values of labels. 

Boolean

Optional

Default: 

false

Malware Name 

Enter the name of the malware. 

Example:

ransomware

Text

Required

Malware Type 

Enter the malware types in a comma-separated list. 

Example: 

[

 "Destructive",

 "Ransomware",

  "Trojan",

  "Worm"

   ]

List

Required

Affected Platforms 

Enter the platforms affected by the malware in a comma-separated list.

Example:

[

       "Windows Server 2012",

       "Windows XP",

       "Linux",

       “Mac”

]

List

Required

Status 

Enter the status of the malware.

Example:

active

Text

Optional

Allowed values: 

  • ACTIVE

  • INACTIVE

Default value:

ACTIVE

Additional Information 

Enter the additional information in the form of key-value pairs. 

Example: 

is_bookmarked: false

Key Value

Optional

Example Request 

[
  {
    "title": "New Malware",
    "malware_type": "Ransomware",
    "platform": "Windows Server 2k12",
    "status": "active"
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "file_type": "dll"
    }
  }
]

Action Response Parameters 

Parameters 

Type 

Description 

type 

Object

Type of the malware.

ioc_email 

Object

Unique IDs of the email IOC type.

platform 

Object

List of affected platforms.

ioc_ip 

Object

Unique IDs of the IP IOC type.

ioc_md5 

Object

Unique IDs of the MD5 Hash IOC type.

file_type 

Object

File types of the malware. For example, dll, exe, docx, zip.

ioc_domain 

Object

Unique IDs of the domain IOC type.

ioc_sha1 

Object

Unique IDs of the SHA1 IOC type.

ioc_sha256 

Object

Unique IDs of the SHA256 IOC type.

ioc_url 

Object

Unique IDs of the URL IOC type.

unique_id 

String

Unique ID of the malware.

readable_id 

String

Readable ID of the malware.

created 

String

Created date of the malware in EPOCH time format.

modified 

String

Last modified date of the malware in EPOCH time format.

title 

String

Title of the malware.

description 

String

Description of the malware.

incidents 

Object

Unique ID of the linked incidents.

status 

String

Status of the malware.

briefings 

Object

Unique ID of the linked threat briefings.

briefings_data 

Object

Details of the linked threat briefings.

incidents_data 

Object

Details of the linked incidents.

is_bookmarked 

Boolean

Shows if the malware is bookmarked or not.

actions_data 

Object

Details of the linked actions.

campaigns 

Object

Unique ID of the linked campaigns.

campaigns_data 

Object

Details of the linked campaigns.

vulnerabilities 

Object

Unique ID of the linked vulnerabilities.

vulnerabilities_data 

Object

Details of the linked vulnerabilities.

threat_actors 

Object

Unique ID of the linked threat actors.

threat_actors_data 

Object

Details of the linked threat actors.

pirs_data 

Object

Details of the linked PIRs.

attachments_data 

Object

Details of the attachments.

created_by_data 

Object

Details of the user who created the malware. Details include: 

username, email, first name, last name, and so on.

labels 

Object

Unique ID of the linked labels.

labels_data 

Object

Details of the linked labels.

tactic_technique_pair_data 

Object

Details of the linked tactic technique pairs.

first_seen 

String

Date on which malware is seen for the first time.

last_modified 

Object

Last modified date of the malware.

applications 

Object

Unique ID of the linked applications.

applications_data 

Object

Details of the linked applications.

asset_softwares 

Object

Unique ID of the linked software.

asset_softwares_data 

Object

Details of the Linked Asset Softwares.

endpoints 

Object

Unique ID of the linked devices.

endpoints_data 

Object

Details of the linked devices.

enhancements 

Object

Unique ID of the linked enhancements.

enhancements_data 

Object

Details of the linked enhancements.

type_data 

Object

Details of the malware type.

file_type_data 

Object

Details of the malware file type.

platform_data 

Object

Details of the affected platforms.

Action: Create a PIR

This action creates a PIR (Priority Intel Requirement).

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

PIR Title 

Enter the PIR title. 

Example:

Requesting credentials to access the app

Text

Required

Assigned Group ID 

Enter the unique ID of the assigned group. 

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404.

Text

Required

Retrieve the list of user groups and their IDs using the following action: 

Get User Groups

PIR Priority 

Enter the priority level of the PIR.

Example:

  • low

  • medium

  • high

Text

Optional

PIR Description 

Enter a short description for the PIR. 

Example:

Request to provide credentials to access an application for data.

Text

Optional

Additional Information 

Enter additional information in the form of key-value pairs. 

Example:

status: open

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to create a PIR using the values of assigned groups, labels, and the email IDs of assigned users.

Boolean

Optional

Default value: 

false

Example Request

[
  {
    "title": "Security Strategy",
    "assigned_group": "3b3b1351-1cdf-46b7-bf90-8526720608a3",
    "priority": "low",
    "description": "Strategizing threats prevention",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

title 

String

Title of the PIR.

unique_id 

String

Unique ID of the PIR in UUID-4 format.

readable_id 

String

Readable ID of the PIR.

description 

Text

Description of the PIR.

created 

String

Creation date and time of the PIR in ISO format.

modified 

String

Last updated date and time of the PIR in ISO format.

status 

String

Current status of the PIR. 

Allowed values: 

open 

closed 

created_by_data 

Object

Details of user who created the PIR.

closed_by 

String

user_id of the user who closed the PIR.

closed_by_data 

Object

Details of user who closed the PIR.

closed_on 

String

Closing date and time of the PIR in ISO format.

is_bookmarked 

Boolean

Shows whether the PIR is bookmarked or not.

labels 

List of String

List of unique_id of the attached labels.

labels_data 

List of Objects

Details of the attached labels.

priority 

String

Priority level of the PIR. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

priority_data 

Object

Details of the priority of the PIR.

assigned_to 

List of Stings

List of Unique IDs of the assigned users in UUID-4 format.

assigned_to_data 

List of Objects

Details on the list of assigned users of the PIR. Details include: 

username, email, first_name, last_name, and so on.

assigned_group 

String

Unique ID of the assigned user group in UUID-4 format.

assigned_group_data 

Object

Details of the assigned user group. Details include: 

group name and group ID

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

Action: Create Asset Application

This action creates an asset application in the Applications module.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Application Name 

Enter the name of the asset application. 

Example:

google chrome

Text

Required

Business Units (BU) 

Enter the comma-separated list of Business Units that are affected by the application.

Example:

[9750d6df-2d7f-4899-b20d-bfbba0a9084d, 7950d6fd-2d7f-4899-b20d-bfbba0a0849a]

List

Required

You can retrieve the list of business units and their IDs using the following action:

Get Business Units

Application Status 

Enter the status of the asset application.

Text

Required

 Allowed values: 

  • live

  • decommissioned

  • sunset

  • pre-funding

Locations 

Enter the impacted locations by the application in a comma-separated list. 

Example:

[671961e6-0119-460c-8d55-9b697f6e2d6e, 719661e6-0119-460c-8d55-9b697f6e2d6e]

List

Required

Application URL 

Enter the URL of the application if the application is internet-hosted.

Text

Optional

Additional Information 

Enter the details in key-value pairs to be added to the asset application. 

Example:

application_type: Security

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to create applications using the values of locations, business units, and labels.

Boolean

Optional

Default value: 

false

Example Request 

[
  {
    "app_name": "Google Chrome",
    "business_units": ["a8007b20-bf76-4ce8-a761-45a453512479", "a8007b20-bf76-4ce8-a761-45a453512470"],
    "app_status": "Live",
    "locations": ["a8007b20-bf76-4ce8-a761-45a453512471", "a8007b20-bf76-4ce8-a761-45a453512472"],
    "app_url": "www.google.com",
    "extra_fields":
    {
       "version": "1.0.0"
    }  
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the application.

created 

String

Application creation date and time.

modified 

String

Application last updated date and time.

title 

String

Title of the application.

version 

Float

Version of the application.

title_display 

String

Title of the application.

readable_id 

String

Readable ID of the application.

status 

String

Current status of the the application.

application_type 

String

Type of the application. For example, Security.

application_status 

String

Status of the application. For example, Live.

production_date 

String

Production date of the application.

created_by 

String

user_id of the user who created the application.

created_by_data 

Object

Details of user who created the application.

labels 

List

List of unique_id labels that are added to the application.

labels_data 

List of Objects

Details of the labels that are added to the application.

business_units_data 

List of Objects

Details of business units that are impacted by the application

locations_data 

List of Objects

Details of locations that are impacted by the application.

application_url 

URL

URL of the application.

owner_data 

Object

Details of the owner of the application.

owner 

String

UUID of the application owner.

manager_data 

Object

Details of the manager of the application.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

Action: Create a Threat Briefing

This action adds a new threat briefing record to the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Threat Briefing Title 

Enter a title for the threat briefing. 

Example:

new threat briefing

Text

Required

Business Units (BU) 

Enter the business unit IDs in a comma-separated list. 

Example:

$LIST[w53ff8942-612d-4bc1-b54f-d8195c002404, t73ff8942-612d-4bc1-b54f-d8195c002404]

List

Required

You can retrieve the list of business units and their IDs using the following action:

Get Business Units

Locations 

Enter the location IDs in a comma-separated list. 

Example:

[4882e471-e997-43ec-a317-e244d8286690, 4882e471-e997-43ec-a317-e244d8286560].

List

Required

You can retrieve the list of available locations and their titles using the following action:

Get Locations

Description 

Enter a short description related to the threat briefing. 

Example:

New threat briefing added

Text

Optional

Additional Information 

Enter the additional information related to the threat briefing in the form of key-value pairs. 

Example:

labels: important

Key Value

Optional

Readable Type 

Select true to create threat briefings using the values of locations, business units, and labels.

Boolean

Optional

Default value:

false

Example Request 

[
  {
    "title": "New Threat Briefing",
    "description": "new threat briefing added",
    "business_units": ["941563df-d8be-4c0e-9d3c-ac6906107300"],
    "locations": ["941563df-d8be-4c0e-9d3c-ac6906107399"],
    "extra_fields":
    {
      "state": "62044014-dc5f-4e6d-8a07-c9cab089dccd",
      "modified": "2019-12-19T09:48:06.402132Z"
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the Threat Briefing.

readable_id 

String

Readable ID of the Threat Briefing.

title 

String

Title of the Threat Briefing.

description 

Text

Description of the threat briefing.

status 

String

Current status of the Threat Briefing. 

Allowed values: 

- ACTIVE 

- INACTIVE

created 

String

Created date and time of the Threat Briefing.

modified 

String

Last updated date and time of the Threat Briefing.

title_display 

String

Title of the Threat Briefing.

is_bookmarked 

Boolean

Shows whether the Threat Briefing is bookmarked or not.

labels 

List

List of unique_id of the attached labels.

labels_data 

List of Objects

Details of the attached labels.

locations_data 

List of Objects

Details of the locations linked to the Threat Briefing.

business_units_data 

List of Objects

Details of the business units linked to the Threat Briefing.

created_by 

String

Unique ID of the user who created the Threat Briefing.

created_by_data 

Object

Details of the user who created the Threat Briefing.

attachments_data 

Array of Objects

Details of each attachment of the Threat Briefing.

actions_data 

Array of Objects

Details of the actions that are added for the Threat Briefing.

enhancements 

Array of UUID Strings

List of the enhancements that are added for the Threat Briefing.

enhancements_data 

Array of Objects

Details of the enhancements that are added for the Threat Briefing.

pirs_data 

Array of Objects

Details of the PIRs that are added for the Threat Briefing.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

users 

Array of UUID Strings

List of unique_id of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

Action: Create ATT&CK Tactic-Technique Pair

This action creates an ATT&CK tactic and technique pair.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

ATT&CK Technique ID 

Enter the ID of the attack technique.

Example:

4882e471-e997-43ec-a317-e244d5686690

Text

Required

You can retrieve the list of attack techniques and their IDs using the following action:

Get ATT&CK Techniques

ATT&CK Tactic ID 

Enter the attack tactic ID. 

Example:

5662e471-e997-43ec-a317-e244d5686690

Text

Required

You can retrieve the list of attack tactics and their IDs using the following action:

Get ATT&CK Tactics

Example Request 

[
  {
    "technique_uid": "Example Unique ID",
    "tactic_uid": "Example Unique ID"
  }
]
Action: Create Campaign

This action creates a new campaign in the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Campaign Name 

Enter a name for the campaign. 

Example: 

analytics campaign

Text

Required

Campaign Description 

Enter a description for the campaign. 

Example: 

This is an important campaign

Text

Optional

Readable Type 

Select true to enter the readable type values. This allows you to create campaigns using the values of labels.

Boolean

Optional

Default: 

false

Additional Information 

Enter additional information about the campaign in the form of key-value pairs. 

Example:

label: important

Key Value

Optional

Example Request 

[
  {
    "title": "Spearphishing Campaign",
    "description": "New campaign created",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z"
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id

String

Unique ID of the campaign in UUID-4 format.

readable_id

String

Unique readable ID of the campaign. It starts with CMP followed by a unique number. 

Example: CMP101

created

String

Campaign creation date and time.

description

Text

Description of the campaign.

modified

String

Last updated date and time of the campaign.

title

String

Title of the campaign.

title_display

String

Title of the campaign.

status

String

Current status of the campaign. 

Allowed values: 

ACTIVE 

INACTIVE 

is_bookmarked

Boolean

Shows if the campaign is bookmarked or not.

created_by_data

Object

Details of the user who created the campaign. Details include: 

username, email ,first_name, last_name, and so on.

labels

List of Strings

Unique ID of the labels associated with the campaign in UUID-4 format.

labels_data

List of Objects

Details of labels added to the campaign. Details include: 

title, unique_id, color_code, and so on.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

incidents 

Array UID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

malwares 

Array UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

actions_data 

Array of Objects

Details of the actions that are added to the campaign.

pirs_data 

Array of Objects

Details of the PIRs that are added to the campaign.

enhancements_data 

Array of Objects

Details of the enhancements that are added to the campaign.

Action: Create Custom Module Entry

This action creates a new custom module entry.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier 

Enter the component identifier of the module. 

Example: 

module21

Text

Required

You can retrieve the list of custom modules and their identifiers using the following action:

List Custom Modules

Title 

Enter a title for the entry.

Example:

Impacted users

Text

Required

Description 

Enter a description of the entry.

Example:

Users impacted by the incident

Text

Required

Additional Parameters

Enter the additional information to be added in the custom module entry in key-value pairs. Use the field_readable_key of the custom fields as keys.

Key value

Optional

Action Response Parameters 

Parameter 

Type 

Description 

title 

String

Title of the entry.

unique_id 

String

Unique ID of the entry.

status 

String

Current status of the entry.

description 

Text

Description of the entry.

created_by_user_id 

String

user_id of the user who created the entry.

modified_by_user_id 

String

user_id of the user who last modified the entry.

created_by_data 

Object

Details of the user who created the entry.

modified_by_data 

Object

Details of the user who last modified the entry.

created 

String

Creation date and time of the entry.

modified 

String

Last updated date and time of the entry.

is_bookmarked 

Boolean

Shows if the entry is bookmarked or not.

can_update_instance 

Boolean

Shows whether the entry can be updated by the user who requested it or not.

labels 

Array

List of the labels that are added to the entry.

labels_data 

Array of Objects

Details of the labels that are added to the entry.

is_removed 

Boolean

Displays if the entry is in deleted state or not.

status_data 

Array of Objects

Displays the details of the status of the entry.

attachments_data 

Array of Objects

Details of each attachment of the entry.

Action: Create Enhancement

This action creates an enhancement.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Enhancement Title 

Enter the title of the enhancement. 

Example:

security update

Text

Required

Assigned Group  

Enter the unique ID of the assigned group. 

Example:

j53ff8942-612d-4bc1-b54f-d8195c002404.

Text

Required

Enhancement Priority 

Enter the priority of the enhancement.

Examples:

  • very high

  • high

  • medium

  • low

  • very low

Text

Required

Additional Information 

Enter the additional information related to the enhancement in the form of key-value pairs. 

Example:

description: added a new enhancement

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to create enhancements using the values of assigned groups, labels, and the email IDs of assigned users.

Boolean

Optional

Default value: 

false

Example Request 

[
  {
    "title": "New Enhancement",
    "assigned_group": "3b3b1351-1cdf-46b7-bf90-8526720608a3",
    "priority": "high",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "open"
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

unique_id

String

Unique ID of the enhancement in UUID-4 format.

readable_id

String

Unique readable ID of the enhancement. It starts with ENHfollowed by a unique number. 

Example: ENH101

created

Datetime

Enhancement creation date and time.

description

Text

Description of the enhancement.

modified

Datetime

Last updated date and time of the enhancement.

title

Text

Title of the enhancement.

status

String

Current status of the enhancement. 

Allowed values: 

- open

- closed

priority

String

Priority level of the enhancement.

priority_data

Object

Details of the priority assigned. Details include: 

unique_id

option_name, and so on.

priority_data.unique_id

String

Unique ID of the priority in UUID-4 format.

priority_data.option_name

String

Display Name of the priority

priority_data.color_code

String

Hex value of the priority display color.

is_bookmarked

Boolean

Shows if the enhancement is bookmarked or not.

modified_by_data

Object

Details of the user who last updated the enhancement. Details include: 

username, email ,first_name, last_name, and so on.

assigned_group

String

Unique ID of the user group the enhancement belongs to in UUID-4 format.

assigned_group_data

Object

Details of the assigned user group. Details include group name and group ID.

created_by_data

Object

Details of the user who created the enhancement. Details include: 

username, email ,first_name, last_name, and so on.

assigned_to

String

Unique ID of the assigned user of the enhancement in UUID-4 format.

assigned_to_data

Object

Details of the assigned user. Details include: 

username, email ,first_name, last_name, and so on.

labels

List of Strings

List of Unique IDs of the labels attached to the enhancement in UUID-4 format.

labels_data

List of Objects

Details of labels added to the enhancement. Details include: 

title, unique_id, color_code, and so on.

labels_data.unique_id

String

Unique ID of the label in UUID-4 format.

labels_data.option_name

String

Display name of the label

labels_data.color_code

String

Hex value of the label display color.

enhancement_type

List of Strings

Option name of the enhancement types associated with the enhancement.

enhancement_type_data

List of Objects

Details of the enhancement types associated with the enhancement.

enhancement_type_data.unique_id

String

Unique ID of the enhancement in UUID-4 format.

enhancement_type_data.option_name

String

Display Name of the enhancement type

enhancement_type_data.color_code

String

Hex value of the enhancement type display color.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

attachments_data 

Array of Objects

Details of each attachment of the enhancement.

Action: Create Incident

This action creates an incident in the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Title 

Enter a title for the incident.

Example:

Found a Phishing Email 

Text

Required

Description 

Enter a description of the incident.

Example:

Incident detected

Text

Optional

Status 

Enter the status of the incident.

Example:

untriaged

Text

Optional

Allowed values: 

  • open

  • closed 

  • untriaged

  • merged

Default value: 

untriaged

Incident Type 

Enter the type of the incident. 

Example:

  • malware

  • phishing 

  • Ransomware

Text

Optional

Business Unit Impacted 

Enter the unique IDs of the impacted business units. 

Example:

$LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b]

List

Optional

You can retrieve the list of available Business Units and their IDs using the following action:

Get Business Units

Locations Impacted 

Enter the unique IDs of the impacted locations. 

Example:

$LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b]

List

Optional

You can retrieve the list of available locations and their titles using the following action:

Get Locations

Source 

Enter the unique IDs of the impacted sources. 

Example:

7c81cbda-11d8-4026-ae2f-287eaa643a9b

Text

Optional

You can retrieve the list of all available sources and their IDs using the following action:

Get Sources

Incident Date 

Enter the date of when the incident occurred in ISO 8601-time format. 

Example:

2021-10-28t19:37:16.321856z

Text

Optional

Detection Date 

Enter the date when the incident was detected as malicious in ISO 8601 time format. 

Example:

2021-10-28t19:37:16.321856z

Text

Optional

Level 

Enter the severity level of the incident. 

Example

  • critical

  • high

  • low

Text

Optional

Assigned Group 

Enter the group_comm_id of the group that needs to be assigned to the incident.

Example:

4e046ee1-5bc9-4320-965f-3bf24dbb9256

Text

Optional

You can retrieve the list of user groups and their IDs using the following action:

Get User Groups

Extra Fields 

Enter the key-value pairs of additional information to add to this incident.

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to create incidents using the values of locations, business units, sources, assigned groups, labels, and the email IDs of assigned users.

Boolean

Optional

Default value: 

false

Example Request 

[
  {
    "title": "New Incident",
    "description": "Incident Detected,
    "status": "Open",
    "ie_incident_type": "Malware",
    "business_unit_impacted": [7c81cbda-11d8-4026-ae2f-287eaa643a9b],
    "locations_impacted": [7c81cbda-11d8-4026-ae2f-287eaa643a9b],
    "source": [7c81cbda-11d8-4026-ae2f-287eaa643a9b],
    "incident_date": "2021-10-28T19:37:16.321856Z", 
    "detection_date": "2021-10-28T19:37:16.321856Z", 
    "level": "Critical", 
    "assigned_group": "AssignmentID_12"
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Returns the response retrieved from the app action.

app_instance.response.title 

String

Title of the incident.

app_instance.response.unique_id 

String

Unique Identifier String of UUID-4 format of the incident.

app_instance.response.readable_id 

String

Readable ID of the incident. For example, INC320.

app_instance.response.incident_date 

String

Date and time of when the incident happened.

app_instance.response.detection_date 

String

Date and time when the incident was detected as malicious.

app_instance.response.status 

String

Status of the incident workflow. 

Possible values: 

  • active

  • inactive

app_instance.response.phase 

String

Current phase of the incident. The phase describes the UUID of the phase, part of the Incident Workflow.

app_instance.response.machine_generated 

Boolean

Displays if the incident is machine-generated or not.

app_instance.response.phase_data 

JSON Object

Details of the current phase of the incident.

app_instance.response.level 

String

Severity level of the incident. For example, high.

app_instance.response.level_data 

JSON Object

Details of the severity level of the incident.

app_instance.response.created_by 

String

user_id of the user who created the incident.

app_instance.response.is_protected 

Boolean

Shows if the incident is protected or not.

app_instance.response.is_removed 

Boolean

Shows if the incident is in the deleted state or not.

app_instance.response.created_by_data 

JSON Object

Details of the user who created the incident.

app_instance.response.modified_by_data 

JSON Object

Details of the user who last modified the incident.

app_instance.response.closed_by_data 

JSON Object

Details of the used who closed the incident.

app_instance.response.created 

String

Incident creation date and time.

app_instance.response.modified 

String

Last updated date and time of the incident.

app_instance.response.Opened_on 

Timestamp

Date and time when the incident was opened.

app_instance.response.closed_on 

Timestamp

Date and time when the incident was closed. 

If the incident is not closed, the value of this parameter is null.

app_instance.response.ie_num_of_pii_exposed 

Integer

Number of PIRs that were exposed in the incident.

app_instance.response.description 

String

Description of the Incident.

app_instance.response.assigned_to 

String

user_id of the assigned user.

app_instance.response.assigned_to_data 

Object

Details of the assigned user.

app_instance.response.assigned_group 

String

group_comm_id of the assigned user group.

app_instance.response.assigned_group_data 

Object

Details of the assigned user group.

app_instance.response.assignment_sla 

String

Assignment SLA details of the incident. This includes the following two keys: 

  • color: Associated color code (according to SLA breach level). 

  • data: This includes two keys: 

    • sla_duration: SLA Breach time. 

    • elapsed_time: Time elapsed between incident opening and SLA completion.

app_instance.response.ie_incident_type 

Strings

The type of incident. Example: hacking.

app_instance.response.days_open 

Integer

Number of days the incident is open.

app_instance.response.resolution_sla 

String

Resolution SLA details of the incident. This includes two keys: 

  • color: Associated color code(according to SLA breach level). 

  • data: This includes two keys: 

    • sla_duration: SLA Breach time. 

    • elapsed_time: Time elapsed between incident opening and SLA completion.

app_instance.response.notification_sla 

String

Details of the Incident notifications (if enabled in admin).

app_instance.response.total_cost 

Integer

Total cost incurred due to the incident.

app_instance.response.is_bookmarked 

Boolean

Shows if the incident is bookmarked or not.

app_instance.response.permanently_closed 

Boolean

Shows if the incident is permanently closed or not.

app_instance.response.resolution_due_date 

String

Resolution SLA breach date of the incident.

app_instance.response.can_update_instance 

Boolean

Shows whether the instance can be updated by the user who requested it or not.

app_instance.response.is_paused 

Boolean

Shows if the incident is paused or not.

app_instance.response.paused_by 

String

user_id of the user who paused the incident.

app_instance.response.paused_by_data 

JSON Object

Details of the user who paused the incident.

app_instance.response.schema 

String

Unique ID of the Incident Workflow that is being used by the incident.

app_instance.response.schema_type 

String

Type of the incident Workflow. 

Allowed values: 

'draft' or 'published'

app_instance.response.schema_data 

JSON Object

Details of the Incident Workflow that is being used by the incident.

app_instance.response.sources 

Array

List of the sources for the incident.

app_instance.response.sources_data 

Array of JSON Objects

Details of the sources for the incident.

app_instance.response.labels 

Array

List of the labels that are added to the incident.

app_instance.response.labels_data 

Array of JSON Objects

Details of the labels that are added to the incident.

app_instance.response.tactic_technique_pair 

Array

List of the tactics and techniques used by the incident.

app_instance.response.tactic_technique_pair_data 

Array of JSON Objects

Details of the tactics and techniques used by the incident.

app_instance.response.business_units_impacted_data 

Array of JSON Objects

List of business units that are impacted by the incident.

app_instance.response.locations_impacted_data 

Array of JSON Objects

List of locations that are impacted by the incident.

app_instance.response.incident_state 

String

Current state of the incident.

Possible values:

  • open

  • closed

  • merged

app_instance.response.status_data 

JSON Object

Details of the status of the incident.

app_instance.response.applications 

Array of UUID Strings

List of unique_id of the connected applications.

app_instance.response.applications_data 

Array of JSON Objects

Details of the connected applications.

app_instance.response.softwares 

Array of UUID Strings

List of unique_id of the connected software.

app_instance.response.softwares_data 

Array of JSON Objects

Details of the connected software.

app_instance.response.users 

Array of UUID Strings

List of unique_id of the connected users.

app_instance.response.users_data 

Array of JSON Objects

Details of the connected users.

app_instance.response.endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

app_instance.response.endpoints_data 

Array of JSON Objects

Details of the connected devices.

app_instance.response.briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

app_instance.response.briefings_data 

Array of JSON Objects

Details of the connected threat briefings.

app_instance.response.campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

app_instance.response.campaigns_data 

Array of JSON Objects

Details of the connected campaigns.

app_instance.response.malwares 

Array of UUID Strings

List of unique_id of the connected malware.

app_instance.response.malwares_data 

Array of JSON Objects

Details of the connected malware.

app_instance.response.threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

app_instance.response.threat_actors_data 

Array of JSON Objects

Details of the connected threat actors.

app_instance.response.vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

app_instance.response.vulnerabilities_data 

Array of JSON Objects

Details of the connected vulnerabilities.

app_instance.response.enhancements 

Array of UUID Strings

List of unique_id of the connected enhancements.

app_instance.response.enhancements_data 

Array of JSON Objects

Details of the connected enhancements.

app_instance.response.actions_data 

Array of JSON Objects

Details of the actions that are added to the incident.

app_instance.response.attachments_data 

Array of JSON Objects

Details of the attachments uploaded to the incident.

app_instance.status_code 

Integer

HTTP status code of the API request received from the instance.

Action: Create Threat Actor

This action adds a threat actor to the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Threat Actor Title 

Enter the name of the threat actor. 

Example:

Hacktivist Groups

Text

Required

Base Countries 

Enter the IDs of countries in a comma-separated list. 

Example:

[4882e471-e997-43ec-a317-e244d8286690, 8e2beaff-7aaf-4b72-bcc0-d61b25e822f3]

List

Required

Use the following action to retrieve the list of countries with their IDs:

Get Countries

Threat Actor Type 

Enter the type of threat actor. 

Example:

hacktivist

Text

Required

Additional Information 

Enter the additional information in the form of key-value pairs.

Example:

description: A new threat actor found

Key Value

Optional

Example Request 

[
  {
    "title": "NewThreatActor",
    "threat_actor_type": "Hacktivist",
    "countries_data": [4882e471-e997-43ec-a317-e244d8286690, 8e2beaff-7aaf-4b72-bcc0-d61b25e822f3]
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "active"
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

title 

String

Title of the threat actor.

unique_id 

String

Unique ID of the threat actor.

readable_id 

String

Readable ID of the threat actor.

description 

Text

Description of the threat actor.

created 

String

Creation time of the threat actor in ISO format.

modified 

String

Last Updated time of the threat actor in ISO format.

status 

String

Current status of the threat actor. 

Allowed values: 

open 

closed 

risk 

String

Risk associated with the threat actor. 

Allowed Values: 

- Very Low

- Low

- Medium

- High

- Very High

priority 

String

Priority of the threat actor. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

created_by_data 

Object

Details of user who created the threat actor.

closed_by 

String

user_id of the user who closed the threat actor.

closed_by_data 

Object

Details of user who closed the threat actor.

closed_on 

String

Closing date of the threat actor in ISO format.

is_bookmarked 

Boolean

Shows whether the threat actor is bookmarked or not.

attachments_data 

Array of Objects

Details of each attachment of the threat actor.

actions_data 

Array of Objects

Details of the actions that are added for the threat actor.

enhancements 

Array of UUID Strings

List of the enhancements that are added for the threat actor.

enhancements_data 

Array of Objects

Details of the enhancements that are added for the threat actor.

pirs_data 

Array of Objects

Details of the PIRs that are added for the threat actor.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

users 

Array of UUID Strings

List of unique_id of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

ioc_SHA1 

Array of UUID Strings

List of unique_id of the connected SHA1 Threat Intels.

ioc_SHA1_data 

Array of Objects

Details of the connected SHA1 Threat Intels.

ioc_MD5 

Array of UUID Strings

List of unique_id of the connected MD5 Threat Intels.

ioc_MD5_data 

Array of Objects

Details of the connected MD5 Threat Intels.

ioc_SHA256 

Array of UUID Strings

List of unique_id of the connected SHA256 Threat Intels.

ioc_SHA256_data 

Array of Objects

Details of the connected SHA256 Threat Intels.

ioc_ip 

Array of UUID Strings

List of unique_id of the connected IP Threat Intels.

ioc_ip_data 

Array of Objects

Details of the connected IP Threat Intels.

ioc_url 

Array of UUID Strings

List of unique_id of the connected URL Threat Intels.

ioc_url_data 

Array of Objects

Details of the connected URL Threat Intels.

ioc_domain 

Array of UUID Strings

List of unique_id of the connected domain Threat Intels.

ioc_domain_data 

Array of Objects

Details of the connected domain Threat Intels.

ioc_email 

Array of UUID Strings

List of unique_id of the connected email Threat Intels.

ioc_email_data 

Array of Objects

Details of the connected email Threat Intels.

Action: Create Vulnerability

This action adds a new vulnerability.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Vulnerability Name 

Enter the name of the vulnerability. 

Example:

missing data encryption

Text

Required

Risk Level 

Enter the risk level of the vulnerability. 

Example:

very low

Text

Required

Allowed values: 

  • very low

  • low

  • medium

  • high

  • very high

Sources 

Enter the sources of the vulnerability in a comma-separated list. 

Example:

[anti virus, threat mailbox]

List

Required

You can retrieve the list of available sources using the following action:

Get Sources

Priority Level 

Enter the priority level of the vulnerability. 

Example:

low

Text

Required

Allowed values: 

  • very low

  • low

  • medium

  • high

  • very high

Additional Information 

Enter the additional information to be added in key-value pairs. 

Example: 

is_bookmarked: false

Key Value

Optional

Example Request 

[
  {
    "title": "New Vulnerability",
    "risk": "Low",
    "priority": "Low",
    "extra_fields":
    {
      "BU_name": "Business Unit 1"
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

title 

String

Title of the vulnerability.

unique_id 

String

Unique ID of the vulnerability.

readable_id 

String

Readable ID of the vulnerability.

description 

Text

Description of the vulnerability.

created 

String

Creation time of the vulnerability in ISO format.

modified 

String

Last Updated time of the vulnerability in ISO format.

status 

String

Current status of the vulnerability. 

Allowed values: 

open 

closed 

risk 

String

Risk associated with the vulnerability. 

Allowed Values: 

- Very Low

- Low

- Medium

- High

- Very High

priority 

String

Priority of the vulnerability. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

created_by_data 

Object

Details of user who created the vulnerability.

closed_by 

String

user_id of the user who closed the vulnerability.

closed_by_data 

Object

Details of user who closed the vulnerability.

closed_on 

String

Closing date of the vulnerability in ISO format.

is_bookmarked 

Boolean

Shows whether the vulnerability is bookmarked or not.

attachments_data 

Array of Objects

Details of each attachment of the vulnerability.

actions_data 

Array of Objects

Details of the actions that are added for the vulnerability.

enhancements 

Array of UUID Strings

List of the enhancements that are added for the vulnerability.

enhancements_data 

Array of Objects

Details of the enhancements that are added for the vulnerability.

pirs_data 

Array of Objects

Details of the PIRs that are added for the vulnerability.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

users 

Array of UUID Strings

List of unique_id of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

ioc_SHA1 

Array of UUID Strings

List of unique_id of the connected SHA1 Threat Intels.

ioc_SHA1_data 

Array of Objects

Details of the connected SHA1 Threat Intels.

ioc_MD5 

Array of UUID Strings

List of unique_id of the connected MD5 Threat Intels.

ioc_MD5_data 

Array of Objects

Details of the connected MD5 Threat Intels.

ioc_SHA256 

Array of UUID Strings

List of unique_id of the connected SHA256 Threat Intels.

ioc_SHA256_data 

Array of Objects

Details of the connected SHA256 Threat Intels.

ioc_ip 

Array of UUID Strings

List of unique_id of the connected IP Threat Intels.

ioc_ip_data 

Array of Objects

Details of the connected IP Threat Intels.

ioc_url 

Array of UUID Strings

List of unique_id of the connected URL Threat Intels.

ioc_url_data 

Array of Objects

Details of the connected URL Threat Intels.

ioc_domain 

Array of UUID Strings

List of unique_id of the connected domain Threat Intels.

ioc_domain_data 

Array of Objects

Details of the connected domain Threat Intels.

ioc_email 

Array of UUID Strings

List of unique_id of the connected email Threat Intels.

ioc_email_data 

Array of Objects

Details of the connected email Threat Intels.

Action: Fetch Health Console Status

This action retrieves the console status.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in the form of key-value pairs to filter the results.

Key Value

Optional

Allowed values: 

  • created_date__gte (epoch time)

  • created_date__lte (epoch time)

Example Request

[
  {
    "query_params":
    {
      "created_date__gte": "1627835818",
      "created_date__lte": "1596299815"
    }
  }
]
Action: Get Action Details

This action retrieves the details of an action using the ID of the action.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Action ID 

Enter the unique ID of the action. 

Example:

k53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of actions and their IDs using the following action:

Get Actions

Example Request 

 [
  {
    "unique_id": "k53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameters 

Type 

Description 

title 

String

The title of the action.

unique_id 

String

Unique ID of the action.

created 

String

Created date of the action in EPOCH time format.

modified 

String

Last modified date of the action in EPOCH time format.

description 

String

Description of the action.

assigned_to 

String

User_id of the assigned user.

assigned_to_data 

Object

Details of the assigned user.

assigned_group 

String

Group_comm_id of the assigned user group.

assigned_group_data 

Object

Details of the assigned user group. Details include: 

group_comm_id and group_name of the user group.

status 

String

Status of the action.

readable_id 

String

Readable ID of the action. For example, ACT379.

created_by_data 

Object

Details of the user who created the action. Details include: 

username, email ,first name, last name, and so on.

can_update_instance 

Boolean

Shows whether the instance can be updated by the user who requested it or not.

is_bookmarked 

Boolean

True: Action is bookmarked. 

False: Action is not bookmarked.

closed_by_data 

Object

Details of the user who closed the action. Details include: 

username, email ,first name, last name, and so on.

closed_on 

String

Closure date of the action in EPOCH time format.

resolved_on 

String

Resolved date of the action in EPOCH time format.

assignment_sla 

String

Details of assignment SLA details of the action. 

This parameter has two keys: 

1. color: Associated color code (according to SLA breach level). 

2. data: It has two keys: 

- sla_duration: SLA Breach time. 

- elapsed_time: time elapsed between action opening and SLA completion.

resolution_sla 

String

Details of resolution SLA of the action. 

This parameter has two keys: 

1. color: Associated color code (according to SLA breach level). 

2. data: It has two keys: 

- sla_duration: SLA Breach time. 

- elapsed_time: time elapsed between action opening and SLA completion.

resolution_due_date 

String

Resolution due date of the action.

sla_stopped_on 

String

Date and time at which the SLA stopped for the action.

type 

String

Type of the action.

priority 

String

Priority level of the action

type_data 

Object

Details of the type of the action.

priority_data 

Object

Details of the priority level of the action.

created_from_template 

Boolean

Displays if the action is created using template or not.

users 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

softwares 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of connected software.

softwares_data 

Array of Objects

Details of the connected software.

applications 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of connected applications.

applications_data 

Array of Objects

Details of the connected applications.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns_data 

Array of Objects

Details of the connected campaigns.

incidents_data 

Object

Details of the connected incidents.

malwares_data 

Array of Objects

Details of the connected malware.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

Action: Get Asset Application Details

This action retrieves the details of an application using the ID of the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Application ID 

Enter the unique ID of the application.

Example:

v53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of asset applications and their IDs using the following action:

Get Asset Applications

Example Request 

[
  {
    "unique_id": "v53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the application.

created 

String

Application creation date and time.

modified 

String

Application last updated date and time.

title 

String

Title of the application.

version 

Float

Version of the application.

title_display 

String

Title of the application.

readable_id 

String

Readable ID of the application.

status 

String

Current status of the the application.

application_type 

String

Type of the application. For example, Security.

application_status 

String

Status of the application. For example, Live.

production_date 

String

Production date of the application.

created_by 

String

user_id of the user who created the application.

created_by_data 

Object

Details of user who created the application.

labels 

List

List of unique_id labels that are added to the application.

labels_data 

List of Objects

Details of the labels that are added to the application.

business_units_data 

List of Objects

Details of business units that are impacted by the application

locations_data 

List of Objects

Details of locations that are impacted by the application.

application_url 

URL

URL of the application.

owner_data 

Object

Details of the owner of the application.

owner 

String

UUID of the application owner.

manager_data 

Object

Details of the manager of the application.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

Action: Get Assets Impacted by Vulnerability

This action retrieves the details of assets impacted by the vulnerability.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

CVE ID 

Enter the CVE ID of the vulnerability. 

Example: 

CVE-2024-4746

Text

Required

Example Request 

[
  {
    "cve_id": "CVE-2024-4746"
  }
]

Action Response Parameters 

Parameter

Type

Description

app_instance_test

Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

Object

This parameter indicates the response data of the query.

app_instace.applications_data

Array

Displays an array of application objects.

app_instance.description

String (HTML)

Displays the description of the vulnerability.

app_instace.endpoints_data

Array

Displays an array of endpoint objects.

app_instance.softwares_data

Array

Displays an array of software objects.

app_instance.response.title

String

Displays the title of the issue

Example:

CVE-2024-4746

Action: Get Asset Software Details

This action retrieves asset software details using the ID of the software.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Asset Software ID 

Enter the unique ID of the asset software.

Example:

fb487600-8a14-43df-8e96-5f759aa61cf0

Text

Required

You can retrieve the list of asset software and their IDs using the following action:

Get Asset Software List

Example Request 

[
  {
    "unique_id": "fb487600-8a14-43df-8e96-5f759aa61cf0"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the software.

created 

String

Software creation date and time.

modified 

String

Software last updated date and time.

title 

String

Name of the software.

software_id 

String

ID of the software.

software_type 

List

Type of the software. For example, Development Software.

title_display 

String

Name of software.

readable_id 

String

Readable ID of software. For example, SFT115.

software_status 

String

Current status of the software.

purchase_date 

String

Purchase date of the software.

created_by 

String

user_id of the user who created the software.

created_by_data 

Object

Details of user who added the software.

labels 

List

List of unique_id labels that are added to the software.

labels_data 

List of Objects

Details of the labels that are added to the software.

business_units_data 

List of Objects

Details of business units that are impacted by the software

locations_data 

List of Objects

Details of locations that are impacted by the software.

software_type_data 

Object

Details of the software type.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities .

malwares 

Array of UUID Strings

List of unique_id of the connected connected malwares.

malwares_data 

Array of Objects

Details of the connected malwares .

endpoints 

Array of UUID Strings

List of unique_id of the connected connected devices.

endpoint_data 

Array of Objects

Details of the connected devices.

Action: Get Asset User Details

This action is used to retrieve the details of an asset user.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

General User ID 

Enter the unique ID of an asset user. 

Example:

226086de-dff4-44dd-8f48-dbd4e6569eb4

Text

Required

You can retrieve the list of asset users and their IDs using the following action:

Get Asset Users

Example Request 

[
  {
    "unique_id": "226086de-dff4-44dd-8f48-dbd4e6569eb4"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the user.

created 

String

User creation date and time.

modified 

String

User last updated date and time.

employee_name 

String

Name of the user.

email 

String

Email ID of the user.

display_name 

String

Name of the user.

readable_id 

String

Readable ID of the user.

user_status 

String

Current Status of the user.

hire_date 

String

Hiring date of the user.

created_by 

String

user_id of the CFTR user who created the asset user.

created_by_data 

Object

Details of the CFTR user who created the asset user.

labels 

List

List of unique_id of labels that are added to the user.

labels_data 

List of Objects

Details of the labels that are added to the user.

business_units_data 

List of Objects

Details of business units of the user.

owned_applications 

Array of UUID Strings

List of unique_id of the applications owned by the user.

owned_applications_data 

Array of Objects

Details of the applications owned by the user.

managed_applications 

Array of UUID Strings

List of unique_id of the applications managed by the user.

managed_applications_data 

Array of Objects

Details of the managed applications.

managed_endpoints 

Array of UUID Strings

List of unique_id of the devices managed by the user.

managed_endpoints_data 

Array of Objects

Details of the managed devices.

owned_endpoints 

Array of UUID Strings

List of unique_id of the devices owned by the user.

owned_endpoints_data 

Array of Objects

Details of the managed devices.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

Action: Get ATT&CK Tactic Details

This action retrieves the details of an ATT&CK tactic.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

ATT&CK Tactic ID 

Enter the ID of the ATT&CK tactic. 

Example:

37e5c89c-5a62-4236-b81e-f81202a0cde5

Text

Required

You can retrieve the list of attack tactics and their IDs using the following action:

Get Attack Tactics

Example Request 

[
  {
    "unique_id": "37e5c89c-5a62-4236-b81e-f81202a0cde5"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

title

String

The title of the MITRE ATT&CK tactic.

slug

String

Slug of the MITRE ATT&CK tactic, used for URLs and identifiers.

domain

String

Domain to which the MITRE ATT&CK tactic belongs.

phase

String

Phase of the MITRE ATT&CK tactic.

url

String

URL to the detailed information about the MITRE ATT&CK tactic.

unique_id

String

Unique identifier for the MITRE ATT&CK tactic.

external_mitre_attack_id

String

External MITRE ATT&CK identifier.

Action: Get ATT&CK Tactics

This action retrieves a list of attack tactics from the ATT&CK Navigator module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

link

Object

Contains related links for pagination and other resources.

count

Integer

Total number of MITRE ATT&CK tactics available.

results

Array of Objects

List of MITRE ATT&CK tactics.

results.title

String

The title of the MITRE ATT&CK tactic.

results.slug

String

Slug of the MITRE ATT&CK tactic, used for URLs and identifiers.

results.domain

String

Domain to which the MITRE ATT&CK tactic belongs.

results.phase

String

Phase of the MITRE ATT&CK tactic.

results.url

String

URL to the detailed information about the MITRE ATT&CK tactic.

results.unique_id

String

Unique identifier for the MITRE ATT&CK tactic.

results.external_mitre_attack_id

String

External MITRE ATT&CK identifier.

Action: Get ATT&CK Technique Details

This action retrieves the details of an ATT&CK technique.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

ATT&CK Technique ID 

Enter the unique ID of the ATT&CK technique. 

Example:

37e5c89c-5a62-4236-b81e-f81202a0cde5

Text

Required

You can retrieve the list of attack techniques and their IDs using the following action:

Get Attack Techniques

Example Request 

[
  {
    "unique_id": "37e5c89c-5a62-4236-b81e-f81202a0cde5"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

title

String

Title of the ATT&CK technique.

tactics

Array of Strings

Array of tactic IDs associated with the technique.

type

String

The type of the action (e.g., attack-pattern).

mitre_technique_id

String

MITRE unique ID of the ATT&CK technique.

unique_id

String

System unique ID of the ATT&CK technique.

external_mitre_attack_id

String

External ID of the MITRE ATT&CK technique (e.g., T1548).

Action: Get ATT&CK Techniques

This action retrieves a list of  ATT&CK techniques from the ATT&CK Navigator module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

link

Object

Contains related links for pagination and other resources.

count

Integer

Total number of MITRE ATT&CK tactics available.

results

Array of Objects

List of MITRE ATT&CK tactics.

title

String

Title of the ATT&CK technique.

tactics

Array of Strings

Array of tactic IDs associated with the technique.

type

String

The type of the action (e.g., attack-pattern).

mitre_technique_id

String

MITRE unique ID of the ATT&CK technique.

unique_id

String

System unique ID of the ATT&CK technique.

external_mitre_attack_id

String

External ID of the MITRE ATT&CK technique (e.g., T1548).

Action: Get Business Unit Details

This action retrieves the details of a business unit.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Business Unit ID 

Enter the unique ID of the business unit.

Example:

67ff8942-612d-4bc1-b54f-d8195c002907

Text

Required

You can retrieve the list of the Business Units and their IDs using the following action:

Get Business Units

Example Request 

{
    "unique_id": "67ff8942-612d-4bc1-b54f-d8195c002907"
}

Action Response Parameters

Parameter 

Type 

Description 

title 

String

The title of the Business Unit.

description 

Text

Description of the Business Unit.

unique_id 

String

Unique ID of the Business Unit in UUID-4 format.

created 

String

Creation date and time of the Business Unit in ISO format.

modified 

String

Last modified date and time of the Business Unit in ISO format.

readable_id 

String

Unique readable ID of the Business Unit. It starts with BU followed by a unique number. 

Example: "BU102"

email_list 

String

Emails of the recepients to whom the notifications are sent.

Action: Get Campaign Details

This action retrieves the details of a campaign.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Campaign ID 

Enter the details of the campaign using the unique ID. 

For example:

f0900171-be25-490e-bddc-fa8bf29d6453

Text

Required

You can retrieve the list of campaigns and their IDs using the following action:

Get Campaigns

Example Request 

[
  {
    "unique_id": "f0900171-be25-490e-bddc-fa8bf29d6453"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id

String

Unique ID of the campaign in UUID-4 format.

readable_id

String

Unique readable ID of the campaign. It starts with CMP followed by a unique number. 

Example: CMP101

created

String

Campaign creation date and time.

description

Text

Description of the campaign.

modified

String

Last updated date and time of the campaign.

title

String

Title of the campaign.

title_display

String

Title of the campaign.

status

String

Current status of the campaign. 

Allowed values: 

ACTIVE 

INACTIVE 

is_bookmarked

Boolean

Shows if the campaign is bookmarked or not.

created_by_data

Object

Details of the user who created the campaign. Details include: 

username, email ,first_name, last_name, and so on.

labels

List of Strings

Unique ID of the labels associated with the campaign in UUID-4 format.

labels_data

List of Objects

Details of labels added to the campaign. Details include: 

title, unique_id, color_code, and so on.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

incidents 

Array UID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

malwares 

Array UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

actions_data

Array of Objects

Details of the actions that are added to the campaign.

pirs_data

Array of Objects

Details of the PIRs that are added to the campaign.

enhancements_data

Array of Objects

Details of the enhancements that are added to the campaign.

Action: Get CFTR User Details

This action retrieves the details of users.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

User ID 

Enter the unique ID of a user. 

Example: 

9ca5d44c-4f16-410c-ab6b-db26ce6f0b42

Text

Required

You can retrieve the list of users and their IDs using the following action:

Get CFTR Users

Example Request 

{
    "unique_id": "9ca5d44c-4f16-410c-ab6b-db26ce6f0b42"
}

Action Response Parameters

Parameter 

Type 

Description 

user_id 

String

Unique ID of the user in UUID-4 format.

permission 

List of String

The list of permissions configured for the user in the CFTR application. 

Note: The permissions depend on the user groups of the user.

last_login 

String

Last log in date and time of the user in ISO Format.

first_name 

String

First name of the user.

last_name 

String

Last name of the user.

email 

String

Email ID of the user.

title 

String

Job title of the user.

display_pic 

String

The link to the display picture of the user.

groups 

List of String

List of unique IDs of group_comm_id of the User Groups in UUID-4 format.

groups_data 

List of Objects

Details of the User Groups. Each object includes the details of one User Group such as group_comm_id, group_name, and description.

groups_data.group_comm_id 

String

Unique ID of the User Group in UUID-4 format.

groups_data.group_name 

String

Name of the User Group.

groups_data.description 

Text

Description of the User Group.

country_code 

String

Country code of the user.

contact_number 

String

Contact number of the user.

username 

String

Username of the user.

location 

String

Unique ID of the location of the user in UUID-4 format.

location_data 

Object

Details of the user location.

allowed_locations 

List of Strings

List of unique IDs of the allowed locations of the user in UUID-4 format.

allowed_locations_data 

List of Objects

Details of the allowed locations of the user. Each object includes the details of one location. 

Details include: 

title, unique_id, and is_active.

allowed_locations_data.title 

String

Title of the location

allowed_locations_data.unique_id 

String

Unique ID of the location in UUID-4 format.

allowed_locations_data.is_active 

Boolean

Shows if the location is active or not.

business_unit 

String

Unique ID of the Business Unit of the user in UUID-4 format.

business_unit_data 

Object

Details of the Business Unit of the user.

allowed_business_units 

List of Strings

List of unique IDs of the allowed Business Units of the user in UUID-4 format.

allowed_business_units_data 

List of Objects

Details of the allowed Business Units of the user. Each object includes the details of one Business Unit. 

Details include: 

title, description, unique_id, created,and so on

allowed_business_units_data.title 

String

Title of the Business Unit.

allowed_business_units_data.description 

Text

Description of the Business Unit.

allowed_business_units_data.unique_id 

String

Unique ID of the Business Unit in UUID-4 format.

allowed_business_units_data.created 

String

Creation date and time of the Business Unit in ISO format.

allowed_business_units_data.modified 

String

Last modified date and time of the Business Unit in ISO format.

allowed_business_units_data.readable_id 

String

Unique readable ID of the Business Unit. It starts with BU followed by a unique number 

Example: "BU101"

is_active 

Boolean

Shows whether the user is an active user or not.

date_joined 

Datetime

Joining date and time of the user in ISO format.

is_onboarded 

Boolean

Shows whether the user has activated their account using the confirmation link or not.

date_onboarded 

String

Onboarding date and time of the user in ISO format.

is_bot 

Boolean

Shows whether the user is a bot user or not.

is_admin 

Boolean

Shows whether the user is an admin in the CFTR application or not.

show_related_incidents 

Boolean

Shows whether the user has access to view related incidents in the Connect The Dots section or not.

show_related_assets 

Boolean

Shows if the user has access to view the related assets in Connect the Dots or not.

show_briefings_escalation 

Boolean

Shows if the user has access to view briefings escalations.

date_onboarded 

String

Date and time of when the user was onboarded.

landing_component 

String

Unique ID of the landing component configured for the user in UUID-4 format.

landing_component_data 

Object

Details of the landing component configured for the user.

landing_component_data.component_comm_id 

String

Unique ID of the component in UUID-4 format.

landing_component_data.component_name 

String

Name of the component.

landing_component_data.code_name 

String

Code name of the component.

landing_component_data.component_identifier 

String

Identification string of the component.

allowed_components 

List of Objects

Details of the allowed components of the user. Each object includes the details of one component. 

Details include: 

component_comm_id, component_name, code_name, and component_identifier.

allowed_components.component_comm_id 

String

Unique ID of the component in UUID-4 format.

allowed_components.component_name 

String

Name of the component.

allowed_components.code_name 

String

Code name of the component.

allowed_components.component_identifier 

String

Identification string of the component.

last_active 

String

Last active date and time of the user in ISO format.

last_device 

String

Details of the last device used by the user.

last_device_ip 

String

Generic IP address of the device last used by the user.

currency 

String

Currency choice associated with the user. 

Allowed values: INR, USD, GBP, EUR, andAED.

invited_by 

String

Unique ID of the user who invited the current user.

ldap_id 

String

Unique ID of LDAP associated with the user.

full_name 

String

Full name of the user.

password_update_time 

String

Last updated date and time of the password of the user in ISO format.

analyst_cost 

Float

Maximum value of analyst cost associated with each user group of the user.

is_system_user 

Boolean

Shows whether the user is a system user or not.

invite_status 

String

Shows whether the user has accepted the invite or not. 

Allowed values: 

- INVITED: Invite yet to be accepted. 

- ACCEPTED: Invite accepted.

is_on_prem_client 

Boolean

Displays if the user is a on prem client.

is_readonly_user 

Boolean

If the user is has only ready-only access.

number_of_incidents_per_day 

Integer

The number of incidents that can be created by the user.

number_of_business_units 

Integer

Number of business units

Action: Get Custom Module Entry Detail

This action retrieves the details of a custom module entry.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier 

Enter the component identifier of the module. 

Example: 

module21

Text

Required

You can retrieve the list of custom modules and their component identifier using the following action:

List Custom Modules

Instance Unique ID 

Enter the unique ID of a custom module entry. 

Example: 

822c2781-8ea0-4122-8176-8995a4c81dca

Text

Required

You can retrieve the list of custom module entries and their IDs using the following action:

List Custom Module Entries

Action Response Parameters 

Parameter 

Type 

Description 

title 

String

Title of the entry.

unique_id 

String

Unique ID of the entry.

status 

String

Current status of the entry.

description 

Text

Description of the entry.

created_by_user_id 

String

user_id of the user who created the entry.

modified_by_user_id 

String

user_id of the user who last modified the entry.

created_by_data 

Object

Details of the user who created the entry.

modified_by_data 

Object

Details of the user who last modified the entry.

created 

String

Creation date and time of the entry.

modified 

String

Last updated date and time of the entry.

is_bookmarked 

Boolean

Shows if the entry is bookmarked or not.

can_update_instance 

Boolean

Shows whether the entry can be updated by the user who requested it or not.

labels 

Array

List of the labels that are added to the entry.

labels_data 

Array of Objects

Details of the labels that are added to the entry.

is_removed 

Boolean

Displays if the entry is in deleted state or not.

status_data 

Array of Objects

Displays the details of the status of the entry.

attachments_data 

Array of Objects

Details of each attachment of the entry.

Action: Get Device Details

This action retrieves the details of a device using the ID of the device.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Device ID 

Enter the unique ID of the device. 

Example:

e53fe8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of devices and their IDs using the following action:

Get Devices

Example Request 

[
  {
    "unique_id": "e53fe8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the device.

created 

String

Device creation time in EPOCH time format.

modified 

String

Device Last Updated Time in EPOCH time format.

serial_number 

String

Serial number of the device.

hostname 

String

Hostname of the device.

readable_id 

String

Readable ID of the device. For example, DVC116.

endpoint_status 

String

Current status of the device.

owner 

String

Owner of the device.

physical_location 

String

Physical location of the device.

title_display 

String

Hostname of the device

ip_address 

Float

IP address of the device.

created_by 

String

user_id of the user who created the device.

created_by_data 

Object

Details of user who created the device. Details include: 

username, first_name, last_name, user_id and more.

status 

String

Status of the device.

labels 

List

List of unique_id labels that are added to the device.

labels_data 

List of Objects

Details of the labels that are added to the device.

business_units_data 

List of Objects

Details of business units that are impacted by the device.

locations_data 

List of Objects

Details of locations that are impacted by the device.

risk 

String

Risk level of the device.

risk_data 

Object

Details of the risk of the device.

priority 

String

Priority of the device.

endpoint_type 

String

Type of the endpoint. For example, Desktop.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

owner_data 

Object

Details of the owner of device.

manager_data 

Object

Details of the manager of device.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

actions_data 

Array of Objects

Details of the actions that are added to the device.

Action: Get Enhancement Details

This action retrieves the enhancement details using the ID of the enhancement.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Enhancement ID 

Enter the unique ID of the enhancement. 

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of enhancements and their IDs using the following action:

Get Enhancements

Example Request 

[
  {
    "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404" 
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id

String

Unique ID of the enhancement in UUID-4 format.

readable_id

String

Unique readable ID of the enhancement. It starts with ENHfollowed by a unique number. 

Example: ENH101

created

Datetime

Enhancement creation date and time.

description

Text

Description of the enhancement.

modified

Datetime

Last updated date and time of the enhancement.

title

Text

Title of the enhancement.

status

String

Current status of the enhancement. 

Allowed values: 

- open

- closed

priority

String

Priority level of the enhancement.

priority_data

Object

Details of the priority assigned. Details include: 

unique_id

option_name, and so on.

priority_data.unique_id

String

Unique ID of the priority in UUID-4 format.

priority_data.option_name

String

Display Name of the priority

priority_data.color_code

String

Hex value of the priority display color.

is_bookmarked

Boolean

Shows if the enhancement is bookmarked or not.

modified_by_data

Object

Details of the user who last updated the enhancement. Details include: 

username, email ,first_name, last_name, and so on.

assigned_group

String

Unique ID of the user group the enhancement belongs to in UUID-4 format.

assigned_group_data

Object

Details of the assigned user group. Details include group name and group ID.

created_by_data

Object

Details of the user who created the enhancement. Details include: 

username, email ,first_name, last_name, and so on.

assigned_to

String

Unique ID of the assigned user of the enhancement in UUID-4 format.

assigned_to_data

Object

Details of the assigned user. Details include: 

username, email ,first_name, last_name, and so on.

labels

List of Strings

List of Unique IDs of the labels attached to the enhancement in UUID-4 format.

labels_data

List of Objects

Details of labels added to the enhancement. Details include: 

title, unique_id, color_code, and so on.

labels_data.unique_id

String

Unique ID of the label in UUID-4 format.

labels_data.option_name

String

Display name of the label

labels_data.color_code

String

Hex value of the label display color.

enhancement_type

List of Strings

Option name of the enhancement types associated with the enhancement.

enhancement_type_data

List of Objects

Details of the enhancement types associated with the enhancement.

enhancement_type_data.unique_id

String

Unique ID of the enhancement in UUID-4 format.

enhancement_type_data.option_name

String

Display Name of the enhancement type

enhancement_type_data.color_code

String

Hex value of the enhancement type display color.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

attachments_data

Array of Objects

Details of each attachment of the enhancement.

Action: Get Incident Details

This action retrieves the details of an incident.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Incident ID 

Enter the unique ID of the incident. 

Example:

t53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the IDs of the incident using the following action:

Get Incidents

Example Request 

[
  {
    "unique_id": "t53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Returns the response retrieved from the app action.

app_instance.response.title 

String

Title of the incident.

app_instance.response.unique_id 

String

Unique Identifier String of UUID-4 format of the incident.

app_instance.response.readable_id 

String

Readable ID of the incident. For example, INC320.

app_instance.response.incident_date 

String

Date and time of when the incident happened.

app_instance.response.detection_date 

String

Date and time when the incident was detected as malicious.

app_instance.response.status 

String

Status of the incident workflow. 

Possible values: 

  • active

  • inactive

app_instance.response.phase 

String

Current phase of the incident. The phase describes the UUID of the phase, part of the Incident Workflow.

app_instance.response.machine_generated 

Boolean

Displays if the incident is machine-generated or not.

app_instance.response.phase_data 

JSON Object

Details of the current phase of the incident.

app_instance.response.level 

String

Severity level of the incident. For example, high.

app_instance.response.level_data 

JSON Object

Details of the severity level of the incident.

app_instance.response.created_by 

String

user_id of the user who created the incident.

app_instance.response.is_protected 

Boolean

Shows if the incident is protected or not.

app_instance.response.is_removed 

Boolean

Shows if the incident is in the deleted state or not.

app_instance.response.created_by_data 

JSON Object

Details of the user who created the incident.

app_instance.response.modified_by_data 

JSON Object

Details of the user who last modified the incident.

app_instance.response.closed_by_data 

JSON Object

Details of the used who closed the incident.

app_instance.response.created 

String

Incident creation date and time.

app_instance.response.modified 

String

Last updated date and time of the incident.

app_instance.response.Opened_on 

Timestamp

Date and time when the incident was opened.

app_instance.response.closed_on 

Timestamp

Date and time when the incident was closed. 

If the incident is not closed, the value of this parameter is null.

app_instance.response.ie_num_of_pii_exposed 

Integer

Number of PIRs that were exposed in the incident.

app_instance.response.description 

String

Description of the Incident.

app_instance.response.assigned_to 

String

user_id of the assigned user.

app_instance.response.assigned_to_data 

Object

Details of the assigned user.

app_instance.response.assigned_group 

String

group_comm_id of the assigned user group.

app_instance.response.assigned_group_data 

Object

Details of the assigned user group.

app_instance.response.assignment_sla 

String

Assignment SLA details of the incident. This includes the following two keys: 

  • color: Associated color code (according to SLA breach level). 

  • data: This includes two keys: 

    • sla_duration: SLA Breach time. 

    • elapsed_time: Time elapsed between incident opening and SLA completion.

app_instance.response.ie_incident_type 

Strings

The type of incident. Example: hacking.

app_instance.response.days_open 

Integer

Number of days the incident is open.

app_instance.response.resolution_sla 

String

Resolution SLA details of the incident. This includes two keys: 

  • color: Associated color code(according to SLA breach level). 

  • data: This includes two keys: 

    • sla_duration: SLA Breach time. 

    • elapsed_time: Time elapsed between incident opening and SLA completion.

app_instance.response.notification_sla 

String

Details of the Incident notifications (if enabled in admin).

app_instance.response.total_cost 

Integer

Total cost incurred due to the incident.

app_instance.response.is_bookmarked 

Boolean

Shows if the incident is bookmarked or not.

app_instance.response.permanently_closed 

Boolean

Shows if the incident is permanently closed or not.

app_instance.response.resolution_due_date 

String

Resolution SLA breach date of the incident.

app_instance.response.can_update_instance 

Boolean

Shows whether the instance can be updated by the user who requested it or not.

app_instance.response.is_paused 

Boolean

Shows if the incident is paused or not.

app_instance.response.paused_by 

String

user_id of the user who paused the incident.

app_instance.response.paused_by_data 

JSON Object

Details of the user who paused the incident.

app_instance.response.schema 

String

Unique ID of the Incident Workflow that is being used by the incident.

app_instance.response.schema_type 

String

Type of the incident Workflow. 

Allowed values: 

'draft' or 'published'

app_instance.response.schema_data 

JSON Object

Details of the Incident Workflow that is being used by the incident.

app_instance.response.sources 

Array

List of the sources for the incident.

app_instance.response.sources_data 

Array of JSON Objects

Details of the sources for the incident.

app_instance.response.labels 

Array

List of the labels that are added to the incident.

app_instance.response.labels_data 

Array of JSON Objects

Details of the labels that are added to the incident.

app_instance.response.tactic_technique_pair 

Array

List of the tactics and techniques used by the incident.

app_instance.response.tactic_technique_pair_data 

Array of JSON Objects

Details of the tactics and techniques used by the incident.

app_instance.response.business_units_impacted_data 

Array of JSON Objects

List of business units that are impacted by the incident.

app_instance.response.locations_impacted_data 

Array of JSON Objects

List of locations that are impacted by the incident.

app_instance.response.incident_state 

String

Current state of the incident.

Possible values:

  • open

  • closed

  • merged

app_instance.response.status_data 

JSON Object

Details of the status of the incident.

app_instance.response.applications 

Array of UUID Strings

List of unique_id of the connected applications.

app_instance.response.applications_data 

Array of JSON Objects

Details of the connected applications.

app_instance.response.softwares 

Array of UUID Strings

List of unique_id of the connected software.

app_instance.response.softwares_data 

Array of JSON Objects

Details of the connected software.

app_instance.response.users 

Array of UUID Strings

List of unique_id of the connected users.

app_instance.response.users_data 

Array of JSON Objects

Details of the connected users.

app_instance.response.endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

app_instance.response.endpoints_data 

Array of JSON Objects

Details of the connected devices.

app_instance.response.briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

app_instance.response.briefings_data 

Array of JSON Objects

Details of the connected threat briefings.

app_instance.response.campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

app_instance.response.campaigns_data 

Array of JSON Objects

Details of the connected campaigns.

app_instance.response.malwares 

Array of UUID Strings

List of unique_id of the connected malware.

app_instance.response.malwares_data 

Array of JSON Objects

Details of the connected malware.

app_instance.response.threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

app_instance.response.threat_actors_data 

Array of JSON Objects

Details of the connected threat actors.

app_instance.response.vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

app_instance.response.vulnerabilities_data 

Array of JSON Objects

Details of the connected vulnerabilities.

app_instance.response.enhancements 

Array of UUID Strings

List of unique_id of the connected enhancements.

app_instance.response.enhancements_data 

Array of JSON Objects

Details of the connected enhancements.

app_instance.response.actions_data 

Array of JSON Objects

Details of the actions that are added to the incident.

app_instance.response.attachments_data 

Array of JSON Objects

Details of the attachments uploaded to the incident.

app_instance.status_code

Integer

HTTP status code of the API request received from the instance.

Action: Get Incident Summary

This action retrieves the executive summary of the incident using the incident ID.

App Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Incident ID 

Enter the incident ID to retrieve the summary.

Example:

INC103

Text

Required

Example Request 

[
  {
    "incident_id": "INC103"
  }
]

Action Response Parameters 

Parameter

Type

Description

app_instance

Object

Returns the root object containing the response and status code.

app_instance.response

Object

Displays the response data of the query.

app_instance.status_code

Integer

Returns the HTTP status code of the response.

app_instance.response.actions_data

Array

Returns an array of action objects.

app_instance.response.actions_data.readable_id

String

Returns the Readable ID of the action.

app_instance.response.actions_data.title

String

Return the title of the action in the incident.

app_instance.response.actions_data.title_display

String

Displays the title of the action linked to the incident.

app_instance.response.applicable_compliance

Array

Returns the list of applicable compliance standards to the incident.

app_instance.response.applicable_compliance_data

Array

Returns an array of compliance option objects.

app_instance.response.applicable_compliance_data[].option_name

String

Returns the name of the compliance option.

app_instance.response.applications_data

Array

Returns an array of application objects.

app_instance.response.attack_vector

Null

Returns attack vector linked to the incident.

app_instance.response.attack_vector_data

Null

Returns the details of the Attack vector linked to the incident. 

app_instance.response.base_line_changes

Null

Returns the baseline changes.

app_instance.response.briefings_data

Array

Returns an array of briefing objects.

app_instance.response.business_impact

Array

Returns an array of business units impacted by the incident.

app_instance.response.business_impact_data

Array

Returns an array of business units impacted option objects.

app_instance.response.business_impact_data.option_name

String

Returns the name of the business units impact option.

app_instance.response.campaigns_data

String

Returns an array of campaign objects.

app_instance.response.closure_comments

String

Returns closure comments in the incident.

app_instance.response.containment_hash

String

Returns the value for containment hash 

app_instance.response.containment_host

String

Returns Containment host

app_instance.response.containment_ip

String

Returns Containment IP

app_instance.response.containment_result

String

Returns Containment result

app_instance.response.containment_summary

String

Returns Containment summary 

app_instance.response.containment_url

String

Containment URL

app_instance.response.description

String

Description of the incident

app_instance.response.destination_hostname

String

Destination host name

app_instance.response.destination_ip

String

Destination IP

app_instance.response.destination_port

String

Destination port

app_instance.response.endpoints_data

Array

An array of endpoint objects

app_instance.response.enhancements_data

Array

An array of enhancement objects

app_instance.false_positive

Array

False positive indicator

app_instance.response.false_positive_data

String

False positive data 

app_instance.response.ie_customer_notification_required

Null

Customer notification indicator

app_instance.response.ie_customer_notification_required_data

String

Returns customer notification data

app_instance.response.ie_findings_summary

String

Returns findings summary

app_instance.response.ie_forensics_details

String

Returns forensics details

app_instance.response.ie_impact_on_intellectual_property

Null

Impact on intellectual property

app_instance.response.ie_incident_type

String

Returns the incident type.

app_instance.response.ie_incident_type_data

Object

Returns the incident type data.

app_instance.response.ie_incident_type_data.option_name

String

Returns the name of the incident type option.

app_instance.response.ie_invegtigation_eradication_exception

Null

Investigation eradication exception.

app_instance.response.ie_lessons_learned

Null

Returns lessons learned

app_instance.response.ie_log_analysis_summary

Null

Returns log analysis summary

app_instance.response.ie_malware_analysis_summary

Null

Malware analysis summary

app_instance.response.ie_motives

Array

An array of motive objects

app_instance.response.ie_motives_data

Array

An array of motive data objects

app_instance.response.ie_num_of_assets_impacted

Null

Number of assets impacted by the incident.

app_instance.response.ie_num_of_users_impacted

Null

Number of users impacted by the incident.

app_instance.response.ie_port_numbers_impacted

Null

Port numbers impacted

app_instance.response.ie_regulatory_notifications_required

Null

Regulatory notifications required

app_instance.response.ie_regulatory_notifications_required_data

Null

Regulatory notifications required data

app_instance.response.ie_regulatory_reporting

Array

An array of regulatory reporting objects.

app_instance.response.ie_regulatory_reporting_data

Array

An array of regulatory reporting data objects.

app_instance.response.ie_regulatory_reporting_date

Null

Regulatory reporting date.

app_instance.response.ie_root_cause

Null

Root cause of the incident.

app_instance.response.ie_root_cause_data

Null

Root cause data

app_instance.response.incident_analysis

Null

Incident analysis 

app_instance.response.incident_identified

Array

An array of incident identified objects.

app_instance.response.incident_identified_data

Array

An array of incident identified data objects.

app_instance.response.incident_learning

Null

Incident learning

app_instance.response.ioc_MD5

Array

An array of MD5 Indicator of Compromise.

app_instance.response.ioc_MD5_data

Array

An array of MD5 IoC data objects.

app_instance.response.ioc_SHA1

Array

An array of SHA1 Indicator of Compromise.

app_instance.response.ioc_SHA1_data

Array

An array of SHA1 IoC data objects.

app_instance.response.ioc_SHA256

Array

An array of SHA256 Indicator of Compromise.

app_instance.response.ioc_SHA256_data

Array

An array of SHA256 IoC data objects.

app_instance.response.ioc_domain

Array

An array of IOC domain objects.

app_instance.response.ioc_domain_data

Array

An array of IOC domain data objects.

app_instance.response.ioc_email

Array

An array of IOC email objects.

app_instance.response.ioc_email_data

Array

An array of IOC email data objects.

app_instance.response.ioc_ip

Array

An array of IOC IP objects.

app_instance.response.ioc_ip_data.value

String

IP address value.

app_instance.response.ioc_url

Array

An array of IoC URL objects.

app_instance.response.ioc_url_data

Array

An array of IoC URL data objects.

app_instance.response.ip_reputation

Null

IP Reputation of the incident.

app_instance.response.kill_chain_phase

String

Current phase in the kill chain of the incident.

app_instance.response.kill_chain_phase_data

Object

Details of the current phase in the kill chain.

app_instance.response.kill_chain_phase_data.option_name

String

Phase name in the kill chain of the incident.

app_instance.response.knowledge_base_data

Array

An array of knowledge base objects.

app_instance.response.level

String

Incident level of the incident.

app_instance.response.level_data

Object

Details of the incident level.

app_instance.response.level_data.option_name

String

Incident level option name.

app_instance.response.malwares_data

Array

An array of malware objects.

app_instance.response.methods_monitor_recovery_actions

Null

Methods to monitor recovery actions.

app_instance.response.methods_validate_recovery_actions

Null

Methods to validate recovery actions.

app_instance.response.phase

String

The current phase of the incident.

app_instance.response.phase_data

Object

Details of the current phase.

app_instance.response.phase_data.option_name

String

Indicates the phase of the incident

app_instance.response.pirs_data

Array

An array of PIR (Priority Intelligence Requirements) objects.

app_instance.response.readable_id

String

Readable ID of the incident.

app_instance.response.recovery_details

Null

Details of the recovery in incident.

app_instance.response.related_incidents_data

Array

An array of related incident data objects.

app_instance.response.softwares_data

Array

An array of software data objects.

app_instance.response.source_hostname

Null

Source host name.

app_instance.response.source_ip

Null

Source IP address.

app_instance.response.source_port

Null

Source port

app_instance.response.sources_data

Object

An object containing source data.

app_instance.response.sources_data.created

String (datetime)

Creation timestamp of the source data.

app_instance.response.sources_data.modified

String (datetime)

Modification timestamp of the source data.

app_instance.response.sources_data.source_display_name

String

Display name of the source.

app_instance.response.sources_data.source_type

String

Type identifier of the source.

app_instance.response.sources_data.source_type_data

Object

Additional data about the source type.

app_instance.response.sources_data.source_type_data.created

String (datetime)

Creation timestamp of the source type data.

app_instance.response.sources_data.source_type_data.title

String

Title of the source type.

app_instance.response.sources_data.source_type_data.unique_id

String

Unique identifier of the source type data.

app_instance.response.sources_data.unique_id

String

Unique identifier of the source data.

app_instance.response.sources_data.value

String

Value of the source data.

app_instance.response.status

String

Status of the incident.

app_instance.response.status_data

Object

Additional data about the status.

app_instance.response.status_data.option_name

String

Indicates status option name.

app_instance.response.threat_actors_data

Array

An array of threat actor objects in the incident.

app_instance.response.time_to_resolve

Null

Time taken to resolve the incident.

app_instance.response.title

String

Title of the incident.

app_instance.response.url_reputation

Null

URL reputation in a phase

app_instance.response.users_data

Array

An array of user data objects.

app_instance.response.vulnerabilities_data

Array

An array of vulnerability data objects.

Action: Get Incident Workflow Details

This action retrieves the details of an incident workflow.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Workflow ID 

Enter the unique ID of the incident workflow. 

Example: 

5ca19332-75e2-4e1b-953a-22f8b467ea1d

Text

Required

You can retrieve the list of workflows and their IDs using the following actions:

List Incident Workflows

Example Request 

[
  {
    "unique_id": "t53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

title 

String

Title of the Incident Workflow.

description 

String

Description of the Incident Workflow.

unique_id 

String

Unique ID of the Incident Workflow.

schema_type 

String

Shows the state of Incident Workflow. 

Allowed values: 

- draft

- published

status 

String

Status of the Incident Workflow. 

Allowed values: 

- active

- inactive

is_default 

Boolean

Shows whether the Incident Workflow is the default workflow or not.

object_identifier 

String

Shows the string name for Incident module.

phase_flow 

String

Shows the phase flow of the Incident Workflow phases. 

Allowed values: 

- linear

- non-linear

created 

String

Creation date-time of the Incident Workflow.

modified 

String

Latest modification date-time of the Incident Workflow.

created_by 

String

user_id of the user who created the Incident Workflow.

modified_by 

String

user_id of the user who last modified the Incident Workflow.

created_by_data 

Object

Basic details of user who created the Incident Workflow.

modified_by_data 

Object

Basic details of the user who last modified the Incident Workflow.

is_removed 

Boolean

Shows whether the workflow is in deleted state or not.

is_mapped 

Boolean

Shows whether the Incident Workflow has been mapped to parent parameters or not.

num_of_phases 

Integer

Number of phases present in the Incident Workflow.

closure_phase 

String

unique_id of phase after which incident can be closed.

closure_phase_data 

Object

Details of the closure phase. 

Details include: option_name, unique_id, and so on.

phase_key 

String

unique_id of the phases.

preparation_key 

String

unique_id of the preparation tab.

custom_tab_key 

String

unique_id of the custom tabs.

closure_phase_options 

Array

unique_id of all the phases of the Incident Workflow which can be selected as the closure phase.

tabs 

Array

unique_id of the tabs of the Incident Workflow.

tabs.unique_id 

String

Unique ID of the Tab.

tabs.tab_name 

String

Title of the tab.

tabs.is_active 

Boolean

Shows if the tab is active or not.

tabs.is_editable 

Boolean

Shows if the tab can be edited or not.

tabs.is_removed 

Boolean

Shows whether the tab is in deleted state or not.

tabs.object_identifier 

String

Shows the string name for Incident module

tabs.tab_fields 

List of Objects

Details of the fields added in the tab. 

Note: The tab fields are further explained in the table below.

tabs.tab_type 

String

The tab type. 

Examples of tab types are: 

preparation: Preparation tab is common across all workflows. 

phase: Phase 

custom: Custom Tab

tabs.parent 

String

unique_id of the parent of the tab.

tabs.children 

List

Details of children tabs.

tabs.is_removable 

Boolean

Shows if tab can be removed or not.

tabs.validation_expression 

String

Validation expression (if any) added. It is used for Threat Intel.

tabs.schema 

List

List of unique_id of workflows in which the tab is added.

tabs.order 

Integer

Order of the tab.

tabs.help_text 

String

Help text of the tab

tabs.tab_fields.unique_id 

String

Unique identifier string of UUID-4 format of the Field.

tabs.tab_fields.field_name 

String

Title of the field.

tabs.tab_fields.field_type 

String

The type of field. 

Allowed values: 

select: Single option can be selected for the field. 

multiselect: Multiple options can be selected for the field. 

text: Text field. 

textarea: Text Area field. 

calendar: date time field. 

integer: Integer Field.

tabs.tab_fields.is_active 

Boolean

Shows whether field is active or not.

tabs.tab_fields.is_removed 

Boolean

Shows whether the field is in deleted state or not.

tabs.tab_fields.placeholder 

String

Placeholder of the field.

tabs.tab_fields.help_text 

String

Help text of the field.

tabs.tab_fields.field_options 

List of Objects

Details of the options.

tabs.tab_fields.is_editable 

Boolean

Shows whether field can be edited or not.

tabs.tab_fields.is_deletable 

Boolean

Shows whether field can be deleted or not.

tabs.tab_fields.is_required 

Boolean

Shows whether the field is mandatory or not.

tabs.tab_fields.field_readable_key 

String

Unique readable key for receiving field data from external sources.

tabs.tab_fields.is_widget_field 

Boolean

Shows whether the widget can be created for this field or not. (Applicable only on select/multi-select fields)

tabs.tab_fields.validation_expression 

String

Validation expression (if any) added. It is used for Threat Intel.

tabs.tab_fields.is_read_only 

Boolean

Shows whether the field is one time entry field or not.

tabs.tab_fields.enable_filter 

Boolean

Shows whether the filter option should be provided for this field or not. 

Applicable only for select/multi-select fields.

tabs.tab_fields.is_restricted_user_group_write_access 

Boolean

Shows whether the field access is restricted by user group.

tabs.tab_fields.user_groups_with_write_access 

List

List of group_comm_id of user groups that have write access to the field.

tabs.tab_fields.is_restricted 

Boolean

Shows whether the current user has write access to the field or not.

tabs.tab_fields.user_groups_with_write_access_data 

List of Objects

Basic details of user groups that have write access to the field.

tabs.tab_fields.is_parent_param 

Boolean

Shows whether the field is selected as a parent parameter or not.

tabs.tab_fields.order 

Integer

Order of the field. (Defines the position of the field in the form)

tabs.tab_fields.column_no 

Integer

Column Number of the field. (Defines the column of the field in the form). 

Allowed values: 

1: Field will be present in left column 

2: Field will be present in right column.

tabs.tab_fields.request_notes 

String

Reason for updating the field (Single select fields).

Action: Get Label Details

This action retrieves the details of a label.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Label ID 

Enter the unique ID of the label.

Example:

53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of labels and their IDs using the following action:

Get Labels

Example Request 

{
    "unique_id": "53ff8942-612d-4bc1-b54f-d8195c002404"
}

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the label in UUID-4 format.

title 

String

The title of the label.

description 

Text

Description of the label.

color_code 

String

Hex value of the label color.

created 

String

Creation date and time of the label in ISO format.

modified 

String

Last modified date and time of the label in ISO format.

component_identifier 

String

Unique ID of the associated component.

component_identifier_data 

Object

Details of the component_identifier

Note: The parameters of the component_identifier_data are described in the table below.

component_identifier_data.component_name 

String

The name of the component.

component_identifier_data.component_identifier 

String

Unique ID of the associated component.

Action: Get Labels

This action retrieves a list of labels from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

page: 10

Key Value

Optional

Allowed values:

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of labels in CFTR application according to the filters applied.

results 

List of Objects

Details of the labels. Each object provides details of one label.

unique_id 

String

Unique ID of the label in UUID-4 format.

title 

String

The title of the label.

description 

Text

Description of the label.

color_code 

String

Hex value of the label color.

created 

Creation date and time of the label in ISO format.

modified 

String

Last modified date and time of the label in ISO format.

component_identifier 

String

Unique ID of the associated component.

component_identifier_data 

Object

Details of the component_identifier

Note: The parameters of the component_identifier_data are described in the table below.

component_name 

String

The name of the component.

component_identifier 

String

Unique ID of the associated component.

Action: Get List of Threat Intel Types

This action retrieves a list of threat intel types from the application.

Action Input Parameters

There are no input parameters required for this action.

Action Response Parameters

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of Threat Intel types in CFTR application.

results 

List

Details of the Threat Intel types. 

Each object provides details of one Threat Intel type.

title 

String

Title of the Threat Intel type. 

This key is used to refer to Threat Intel type by other APIs.

unique_id 

String

Unique ID of the Threat Intel type.

created 

String

Creation date and time of the Threat Intel type.

modified 

String

Last updated date and time of the Threat Intel type.

display_name 

String

Name of the Threat Intel type.

Action: Get Location Details

This action retrieves the details of a location using the location ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Location ID 

Enter the unique ID of a location. 

Example:

67ef9042-612d-4bc1-b54f-d8195c002907

Text

Required

You can retrieve the list of locations and their IDs using the following action:

Get Locations

Example Request 

{
    "unique_id": "67ef9042-612d-4bc1-b54f-d8195c002907"
}

Action Response Parameters

Parameter 

Type 

Description 

title 

String

The title of the location.

unique_id 

String

Unique ID of the location in UUID-4 format.

country 

String

Unique ID of the corresponding country in UUID-4 format.

country_data 

Object

Details of the corresponding country.

country_data.title 

String

The name of the Country.

country_data.unique_id 

String

Unique ID of the corresponding country in UUID-4 format.

state 

String

Unique ID of the corresponding state in UUID-4 format.

state_data 

Object

Details of the corresponding state.

state_data.title 

String

The name of the State.

state_data.unique_id 

String

Unique ID of the corresponding state in UUID-4 format.

city 

String

Name of the city.

site 

String

Name of the site.

pincode 

String

PIN code of the site.

created 

String

Creation date and time of the location in ISO format.

modified 

String

Last modified date and time of the location in ISO format.

is_active 

Boolean

Shows if the location is active or not.

Longitude 

String

Unique ID of the longitude of the location.

Latitude 

String

Unique ID of the lantitude of the location.

Action: Get Malware Details

This action retrieves the details of malware using the malware ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Malware ID 

Enter the unique ID of the malware. 

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of malware and their IDs using the following action:

List Malware

Example Request 

[
  {
    "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404" 
  }
]

Action Response Parameters

Parameters 

Type 

Description 

type 

Object

Type of the malware.

ioc_email 

Object

Unique IDs of the email IOC type.

platform 

Object

List of affected platforms.

ioc_ip 

Object

Unique IDs of the IP IOC type.

ioc_md5 

Object

Unique IDs of the MD5 Hash IOC type.

file_type 

Object

File types of the malware. For example, dll, exe, docx, zip.

ioc_domain 

Object

Unique IDs of the domain IOC type.

ioc_sha1 

Object

Unique IDs of the SHA1 IOC type.

ioc_sha256 

Object

Unique IDs of the SHA256 IOC type.

ioc_url 

Object

Unique IDs of the URL IOC type.

unique_id 

String

Unique ID of the malware.

readable_id 

String

Readable ID of the malware.

created 

String

Created date of the malware in EPOCH time format.

modified 

String

Last modified date of the malware in EPOCH time format.

title 

String

Title of the malware.

description 

String

Description of the malware.

incidents 

Object

Unique ID of the linked incidents.

status 

String

Status of the malware.

briefings 

Object

Unique ID of the linked threat briefings.

briefings_data 

Object

Details of the linked threat briefings.

incidents_data 

Object

Details of the linked incidents.

is_bookmarked 

Boolean

Shows if the malware is bookmarked or not.

actions_data 

Object

Details of the linked actions.

campaigns 

Object

Unique ID of the linked campaigns.

campaigns_data 

Object

Details of the linked campaigns.

vulnerabilities 

Object

Unique ID of the linked vulnerabilities.

vulnerabilities_data 

Object

Details of the linked vulnerabilities.

threat_actors 

Object

Unique ID of the linked threat actors.

threat_actors_data 

Object

Details of the linked threat actors.

pirs_data 

Object

Details of the linked PIRs.

attachments_data 

Object

Details of the attachments.

created_by_data 

Object

Details of the user who created the malware. Details include: 

username, email, first name, last name, and so on.

labels 

Object

Unique ID of the linked labels.

labels_data 

Object

Details of the linked labels.

tactic_technique_pair_data 

Object

Details of the linked tactic technique pairs.

first_seen 

String

Date on which malware is seen for the first time.

last_modified 

Object

Last modified date of the malware.

applications 

Object

Unique ID of the linked applications.

applications_data 

Object

Details of the linked applications.

asset_softwares 

Object

Unique ID of the linked software.

asset_softwares_data 

Object

Details of the Linked Asset Softwares.

endpoints 

Object

Unique ID of the linked devices.

endpoints_data 

Object

Details of the linked devices.

enhancements 

Object

Unique ID of the linked enhancements.

enhancements_data 

Object

Details of the linked enhancements.

type_data 

Object

Details of the malware type.

file_type_data 

Object

Details of the malware file type.

platform_data 

Object

Details of the affected platforms.

Action: Get Manufacturer Details

This action retrieves the details of a manufacturer.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Manufacturer ID 

Enter the unique ID of a manufacturer.

Example:

53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of manufacturers and their IDs using the following action:

Get Manufacturers

Example Request 

{
    "unique_id": "53ff8942-612d-4bc1-b54f-d8195c002404"
}

Action Response Parameters

Parameter 

Type 

Description 

title 

String

The title of the manufacturer.

unique_id 

String

Unique ID of the manufacturer in UUID-4 format.

readable_id 

String

Unique readable ID of the manufacturer. It starts with MFR followed by a unique number. 

Example: "MFR101"

description 

Text

Description of the manufacturer.

created 

String

Creation date and time of the manufacturer in ISO format.

modified 

String

Last modified date and time of the manufacturer in ISO format.

Action: Get OS Type Details

This action retrieves the details of an OS type.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Operating system (OS) ID 

Enter the unique ID of the OS type.

Example:

2fd4996d-f21b-4d43-8000-31769f3ed3ae

Text

Required

You can retrieve the list of OS types and their IDs using the following action:

Get OS Types

Example Request 

{
    "unique_id": "2fd4996d-f21b-4d43-8000-31769f3ed3ae"
}

Action Response Parameters

Parameter 

Type 

Description 

title 

String

Title of the OS type.

unique_id 

String

Unique Identifier String of UUID-4 format of the OS type.

readable_id 

String

Unique readable ID of the OS type. It starts with OST followed by a unique number. 

Example: "OST101"

description 

Text

Description of the OS type.

created 

String

Creation date and time of the OS type in ISO format.

modified 

String

Last modified date and time of the OS type in ISO format.

Action: Get PIR Details

This action can be used to retrieve the details of a PIR (Priority Intel Requirement) using the ID of the PIR.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Priority Intel Requirement (PIR) ID 

Enter the unique ID of the Priority Intel Requirement (PIR). 

Example: 

42505945-ea78-4c69-8d34-92cdd20026d8

Text

Required

You can retrieve the list of PIRs and their IDs using the following action:

Get PIRs 

Example Request 

[
  {
    "unique_id": "42505945-ea78-4c69-8d34-92cdd20026d8"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

title 

String

Title of the PIR.

unique_id 

String

Unique ID of the PIR in UUID-4 format.

readable_id 

String

Readable ID of the PIR.

description 

Text

Description of the PIR.

created 

String

Creation date and time of the PIR in ISO format.

modified 

String

Last updated date and time of the PIR in ISO format.

status 

String

Current status of the PIR. 

Allowed values: 

open 

closed 

created_by_data 

Object

Details of user who created the PIR.

closed_by 

String

user_id of the user who closed the PIR.

closed_by_data 

Object

Details of user who closed the PIR.

closed_on 

String

Closing date and time of the PIR in ISO format.

is_bookmarked 

Boolean

Shows whether the PIR is bookmarked or not.

labels 

List of String

List of unique_id of the attached labels.

labels_data 

List of Objects

Details of the attached labels.

priority 

String

Priority level of the PIR. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

priority_data 

Object

Details of the priority of the PIR.

assigned_to 

List of Stings

List of Unique IDs of the assigned users in UUID-4 format.

assigned_to_data 

List of Objects

Details on the list of assigned users of the PIR. Details include: 

username, email, first_name, last_name, and so on.

assigned_group 

String

Unique ID of the assigned user group in UUID-4 format.

assigned_group_data 

Object

Details of the assigned user group. Details include: 

group name and group ID

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

Action: Get Roster

This action retrieves a list of rosters from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page No 

Enter the page number to retrieve the list of rosters. 

Example: 1

Integer

Optional

Default:

1

Page Size 

Enter the page size to retrieve the list of rosters. 

Example: 10

Integer

Optional

Default:

10

All Data 

Select true to retrieve all the data. 

Boolean

Optional

Rosters are returned as per the values defined in the Page No and Page Size parameters.

If you enter false, then the rosters list is returned in a paginated manner.

Default value: 

true

Search Query 

Enter the search query to filter the data. 

Example:

indicator

Text

Optional

Example Request 

{
    "page_no": 1,
    "page_size": 10,
    "all_data": false,
    "search_query": "analyst"
}

Action Response Parameters

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next key shows the API endpoint to the next page.

count 

Integer

The total number of rosters returned as per the entered query parameters.

results 

List of Objects

Details of the rosters. 

Each object provides the details of one roster.

unique_id

String

Unique ID of the roster.

is_removed

Boolean

Indicates if the roster is removed.

title

String

Title of the roster.

created_by_data

Object

Details of the user who created the roster.

modified_by_data

Object

Details of the user who modified the roster.

start

String

Start date and time of the roster (ISO 8601 format).

end

String

End date and time of the roster (ISO 8601 format).

shift_model

String

ID of the shift model associated with the roster.

shift_model_data

Object

Details of the shift model associated with the roster.

created

String

Creation date and time of the roster (ISO 8601 format).

modified

String

Last modified date and time of the roster (ISO 8601 format).

is_draft

Boolean

Indicates if the roster is in draft status.

exceptions

Array

List of exceptions for the roster.

users_data

Array

Details of the users associated with the roster.

Action: Get Source Details

This action retrieves the details of a source.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Source ID 

Enter the unique ID of the source.

Example:

53ff8942-612d-4bc1-b54f-d8195c002907

Text

Required

You can retrieve the list of sources and their IDs using the following action:

Get Sources

Example Request 

{
    "unique_id": "53ff8942-612d-4bc1-b54f-d8195c002907"
}

Action Response Parameters

Parameter 

Type 

Description 

value 

String

The name of the source.

source_type 

String

Unique ID of the source type in UUID-4 format.

source_display_name 

String

Display name of the source.

unique_id 

String

Unique ID of the source in UUID-4 format.

created 

String

Creation date and time of the source in ISO format.

modified 

String

Last modified date and time of the source in ISO format.

source_type_data 

Object

Details of the source type.

source_type_data.unique_id 

String

Unique ID of the source type in UUID-4 format .

source_type_data.created 

String

Creation date and time of the source type in ISO format.

source_type_data.title 

String

The title of the source type.

Action: Get Templates

This action retrieves the list of templates from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page Number 

Enter the page number to retrieve the list of templates. 

Example: 

1

Integer

Optional

Default value:

1

Page Size 

Enter the page size to retrieve the list of templates. 

Example: 

10

Integer

Optional

Default value:

10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]
Action: Get Threat Actor Details

This action retrieves the details of a threat actor using the ID of the threat actor.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Actor ID 

Enter the unique ID of the threat actor. 

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of IDs of threat actors using the following action:

Get Threat Actors

Example Request 

[
  {
    "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

title 

String

Title of the threat actor.

unique_id 

String

Unique ID of the threat actor.

readable_id 

String

Readable ID of the threat actor.

description 

Text

Description of the threat actor.

created 

String

Creation time of the threat actor in ISO format.

modified 

String

Last Updated time of the threat actor in ISO format.

status 

String

Current status of the threat actor. 

Allowed values: 

open 

closed 

risk 

String

Risk associated with the threat actor. 

Allowed Values: 

- Very Low

- Low

- Medium

- High

- Very High

priority 

String

Priority of the threat actor. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

created_by_data 

Object

Details of user who created the threat actor.

closed_by 

String

user_id of the user who closed the threat actor.

closed_by_data 

Object

Details of user who closed the threat actor.

closed_on 

String

Closing date of the threat actor in ISO format.

is_bookmarked 

Boolean

Shows whether the threat actor is bookmarked or not.

attachments_data 

Array of Objects

Details of each attachment of the threat actor.

actions_data 

Array of Objects

Details of the actions that are added for the threat actor.

enhancements 

Array of UUID Strings

List of the enhancements that are added for the threat actor.

enhancements_data 

Array of Objects

Details of the enhancements that are added for the threat actor.

pirs_data 

Array of Objects

Details of the PIRs that are added for the threat actor.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

users 

Array of UUID Strings

List of unique_id of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

ioc_SHA1 

Array of UUID Strings

List of unique_id of the connected SHA1 Threat Intels.

ioc_SHA1_data 

Array of Objects

Details of the connected SHA1 Threat Intels.

ioc_MD5 

Array of UUID Strings

List of unique_id of the connected MD5 Threat Intels.

ioc_MD5_data 

Array of Objects

Details of the connected MD5 Threat Intels.

ioc_SHA256 

Array of UUID Strings

List of unique_id of the connected SHA256 Threat Intels.

ioc_SHA256_data 

Array of Objects

Details of the connected SHA256 Threat Intels.

ioc_ip 

Array of UUID Strings

List of unique_id of the connected IP Threat Intels.

ioc_ip_data 

Array of Objects

Details of the connected IP Threat Intels.

ioc_url 

Array of UUID Strings

List of unique_id of the connected URL Threat Intels.

ioc_url_data 

Array of Objects

Details of the connected URL Threat Intels.

ioc_domain 

Array of UUID Strings

List of unique_id of the connected domain Threat Intels.

ioc_domain_data 

Array of Objects

Details of the connected domain Threat Intels.

ioc_email 

Array of UUID Strings

List of unique_id of the connected email Threat Intels.

ioc_email_data 

Array of Objects

Details of the connected email Threat Intels.

Action: Get Threat Briefing Details

This action retrieves the details of a threat briefing.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Briefing ID 

Enter the unique ID of the threat briefing. 

Example:

y53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of threat briefings and their IDs using the following action:

Get Threat Briefings

Example Request 

[
  {
    "unique_id": "y53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the Threat Briefing.

readable_id 

String

Readable ID of the Threat Briefing.

title 

String

Title of the Threat Briefing.

description 

Text

Description of the threat briefing.

status 

String

Current status of the Threat Briefing. 

Allowed values: 

- ACTIVE 

- INACTIVE

created 

String

Created date and time of the Threat Briefing.

modified 

String

Last updated date and time of the Threat Briefing.

title_display 

String

Title of the Threat Briefing.

is_bookmarked 

Boolean

Shows whether the Threat Briefing is bookmarked or not.

labels 

List

List of unique_id of the attached labels.

labels_data 

List of Objects

Details of the attached labels.

locations_data 

List of Objects

Details of the locations linked to the Threat Briefing.

business_units_data 

List of Objects

Details of the business units linked to the Threat Briefing.

created_by 

String

Unique ID of the user who created the Threat Briefing.

created_by_data 

Object

Details of the user who created the Threat Briefing.

attachments_data 

Array of Objects

Details of each attachment of the Threat Briefing.

actions_data 

Array of Objects

Details of the actions that are added for the Threat Briefing.

enhancements 

Array of UUID Strings

List of the enhancements that are added for the Threat Briefing.

enhancements_data 

Array of Objects

Details of the enhancements that are added for the Threat Briefing.

pirs_data 

Array of Objects

Details of the PIRs that are added for the Threat Briefing.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

users 

Array of UUID Strings

List of unique_id of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

Action: Get Threat Intel (IOC) Details

This action retrieves the details of a threat intel (IOC).

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Intel (IOC) ID 

Enter the unique ID of the threat intel. 

Example:

f53ff8979-615d-4bc1-b54f-d8195c002404

Text

Required

Use the following action to retrieve the list of threat intel (IOC) and their IDs:

Get List of Threat Intel (IOC)

Example Request 

[
  {
    "unique_id": "f53ff8979-615d-4bc1-b54f-d8195c002404" 
  }
]

Action Response Parameters

Parameter 

Type 

Description 

value 

String

Value of the Threat Intel.

unique_id 

String

Unique ID of the Threat Intel in UUID-4 format.

created 

String

Creation date and time of the Threat Intel.

modified 

String

Last Updated date and time of the Threat Intel.

geo_details 

List of Objects

Details of the location of threat intel.

tlp 

String

TLP associated with the threat intel. 

Allowed values: 

RED 

AMBER 

GREEN 

WHITE 

incidents_data 

List of Objects

Details of Incidents associated with the Threat Intel. 

Details include: unique_id, readable_id, and title.

created_by 

String

user_id of the user who created the Threat Intel

status 

String

Current status of the Threat Intel. 

Allowed values: 

cleaned 

blocked 

malicious 

false_positive 

whitelisted 

none 

labels 

List

List of unique_id of labels added to the Threat Intel.

labels_data 

List of Objects

Details of labels added to the Threat Intel. 

Details include title, color_code, unique_id, created, and modified.

malwares_data 

List of Objects

Details of Malware associated with the Threat Intel. 

Details include: unique_id, readable_id, and title.

threat_actors_data 

List of Objects

Details of Threat Actors associated with the Threat Intel.

vulnerabilities_data 

List of Objects

Details of Vulnerabilities associated with the Threat Intel. 

Details include: unique_id, readable_id, and title.

actions_count 

Integer

Number of Actions added to the Threat Intel.

notes_count 

Integer

Number of comments added to the Threat Intel.

ioc_type 

String

unique_id of the Indicator Type.

ioc_type_data 

Object

Details of the Indicator Type.

Action: Get Threat Intel Form Structure

This action retrieves the form field structure of the Threat Intel component.

Action Input Parameters

There are no input parameters required for this action.

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the Tab.

tab_name 

String

Title of the tab.

is_active 

Boolean

Shows if the tab is active or not.

is_editable 

Boolean

Shows if the tab can be edited or not.

is_removed 

Boolean

Shows whether the tab is in deleted state or not.

object_identifier 

String

Shows the string name for Threat Intel module.

tab_fields 

List of Objects

Details of the fields added in the tab. 

Note: The tab fields are further explained in the table below.

tab_type 

String

The tab type. 

Examples of tab types are: 

preparation: Preparation tab is common across all workflows. 

custom: Custom Tab

parent 

String

unique_id of the parent of the tab.

children 

List

Details of children tabs.

is_removable 

Boolean

Shows if tab can be removed or not.

validation_expression 

String

Validation expression (if any) added. It is used for Threat Intel.

order 

Integer

Order of the tab.

tab_fields.unique_id 

String

Unique Identifier String of UUID-4 format of the Field.

tab_fields.field_name 

String

Title of the field.

tab_fields.field_type 

String

The type of field. 

Allowed values: 

select: Single option can be selected for the field. 

multiselect: Multiple options can be selected for the field. 

text: Text field. 

textarea: Text Area field. 

calendar: date time field. 

integer: Integer Field.

tab_fields.is_active 

Boolean

Shows whether field is active or not.

tab_fields.is_removed 

Boolean

Shows whether the field is in deleted state or not.

tab_fields.placeholder 

String

Placeholder of the field.

tab_fields.help_text 

String

Help text o.f the field

tab_fields.field_options 

List of Objects

Details of the options.

tab_fields.is_editable 

Boolean

Shows whether field can be edited or not.

tab_fields.is_deletable 

Boolean

Shows whether field can be deleted or not.

tab_fields.is_required 

Boolean

Shows whether the field is mandatory or not.

tab_fields.field_readable_key 

String

Unique readable key for receiving field data from external sources.

tab_fields.is_widget_field 

Boolean

Shows whether the widget can be created for this field or not. (Applicable only on select/multi-select fields)

tab_fields.validation_expression 

String

Validation expression (if any) added. It is used for Threat Intel.

tab_fields.is_read_only 

Boolean

Shows whether the field is one time entry field or not.

tab_fields.enable_filter 

Boolean

Shows whether the filter option should be provided for this field or not. 

(Applicable only on select/multi-select fields)

tab_fields.is_restricted_user_group_write_access 

Boolean

Shows whether the field access is restricted by user group.

tab_fields.user_groups_with_write_access 

List

List of group_comm_id of user groups that have write access to the field.

tab_fields.is_restricted 

Boolean

Shows whether the current user has write access to the field or not.

tab_fields.user_groups_with_write_access_data 

List of Objects

Basic details of user groups that have write access to the field.

tab_fields.is_parent_param 

Boolean

Shows whether the field is selected as a parent parameter or not.

tab_fields.order 

Integer

Order of the field. (Defines the position of the field in the form)

tab_fields.column_no 

Integer

Column number of the field. (Defines the column of the field in the form). 

Allowed values: 

1: Field will be present in left column 

2: Field will be present in right column.

Action: Get User Group Details

This action retrieves the details of a user group.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

User Group ID 

Enter the unique ID of a user group. 

Example: 

4e046ee1-5bc9-4320-965f-3bf24dbb9256

Text

Required

You can retrieve the list of user groups and their IDs using the following action:

Get User Groups

Example Request 

{
    "unique_id": "4e046ee1-5bc9-4320-965f-3bf24dbb9256"
}

Action Response Parameters

Parameter 

Type 

Description 

group_comm_id 

String

Unique ID of the user group in UUID-4 format.

group_name 

String

Name of the user group.

description 

Text

Description of the user group.

permissions 

List of Objects

List of permission objects of the user group. Each object includes the details of one permission.

created_by 

Object

Unique ID of the user who created the user group.

user_count 

Positive Integer

Number of users assigned to the user group.

permission_count 

Positive Integer

Count of the number of permissionsconfigured for the user group.

is_active 

Boolean

Shows whether the user group is currently active or not.

is_editable 

Boolean

Shows whether the user group is editable or not.

created 

Integer

Creation date and time of the user group in EPOCH time format.

ciims_user_set 

List of Strings

List of unique IDs of the users assigned to the user group in UUID-4 format.

ciims_user_set_data 

List of Objects

Details of the users assigned to the user group. Each object includes the details of one user.

group_cost 

Float

Analyst cost associated with the users of the user group. The default cost is configured as per the daily rate.

playbook_tags 

List of Strings

List of unique IDs of the Cyware Orchestrate Playbook tags added to the User Group in UUID-4 format.

playbook_tags_data 

List of Objects

Details of the Playbook tags. Each object includes the details of one Playbook tag.

is_readonly_group 

Boolean

Shows whether the group is read only or not.

saml_associated_groups 

String

Shows the associated SAML groups with the user group.

permissions.permission_comm_id 

String

Unique ID of the permission in UUID-4 format.

permissions.display_name 

String

Display name of the permission.

permissions.code_name 

String

Unique string of the permission.

permissions.grant 

String

Level of grant associated with each permission in CFTR. Allowed values: 

-ALLOWED: Permissions that are provided by default. 

-DISALLOWED: Permissions that cannot be provided while creating a group. 

-SELECTABLE: Permission that can be configured while creating a group.

permissions.verbose_name 

String

Verbose name given to the permission.

username 

String

Username of the user.

ciims_user_set_data.first_name 

String

First name of the user.

ciims_user_set_data.last_name 

String

Last name of the user.

ciims_user_set_data.profile_background_color 

String

Hex value of the user profile background color.

ciims_user_set_data.user_id 

String

Unique ID of the user in UUID-4 format.

ciims_user_set_data.display_pic 

String

Link to the display picture of the user.

ciims_user_set_data.is_active 

Boolean

Shows whether the user is an active user or not.

ciims_user_set_data.email 

String

Email ID of the user.

ciims_user_set_data.full_name 

String

Full name of the user.

playbook_tags_data.unique_id 

String

Unique ID of the Playbook in UUID-4 format.

playbook_tags_data.title 

String

Title of the Playbook.

playbook_tags_data.description 

Text

Description of the Playbook.

Action: Get Vulnerability Details

This action retrieves the details of a vulnerability.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Vulnerability ID 

Enter the unique ID of the vulnerability.

Example:

e53ff8972-618d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of vulnerabilities and their IDs using the following action:

Get Vulnerabilities

Example Request 

[
  {
    "unique_id": "e53ff8972-618d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

title 

String

Title of the vulnerability.

unique_id 

String

Unique ID of the vulnerability.

readable_id 

String

Readable ID of the vulnerability.

description 

Text

Description of the vulnerability.

created 

String

Creation time of the vulnerability in ISO format.

modified 

String

Last Updated time of the vulnerability in ISO format.

status 

String

Current status of the vulnerability. 

Allowed values: 

open 

closed 

risk 

String

Risk associated with the vulnerability. 

Allowed Values: 

- Very Low

- Low

- Medium

- High

- Very High

priority 

String

Priority of the vulnerability. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

created_by_data 

Object

Details of user who created the vulnerability.

closed_by 

String

user_id of the user who closed the vulnerability.

closed_by_data 

Object

Details of user who closed the vulnerability.

closed_on 

String

Closing date of the vulnerability in ISO format.

is_bookmarked 

Boolean

Shows whether the vulnerability is bookmarked or not.

attachments_data 

Array of Objects

Details of each attachment of the vulnerability.

actions_data 

Array of Objects

Details of the actions that are added for the vulnerability.

enhancements 

Array of UUID Strings

List of the enhancements that are added for the vulnerability.

enhancements_data 

Array of Objects

Details of the enhancements that are added for the vulnerability.

pirs_data 

Array of Objects

Details of the PIRs that are added for the vulnerability.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

users 

Array of UUID Strings

List of unique_id of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

ioc_SHA1 

Array of UUID Strings

List of unique_id of the connected SHA1 Threat Intels.

ioc_SHA1_data 

Array of Objects

Details of the connected SHA1 Threat Intels.

ioc_MD5 

Array of UUID Strings

List of unique_id of the connected MD5 Threat Intels.

ioc_MD5_data 

Array of Objects

Details of the connected MD5 Threat Intels.

ioc_SHA256 

Array of UUID Strings

List of unique_id of the connected SHA256 Threat Intels.

ioc_SHA256_data 

Array of Objects

Details of the connected SHA256 Threat Intels.

ioc_ip 

Array of UUID Strings

List of unique_id of the connected IP Threat Intels.

ioc_ip_data 

Array of Objects

Details of the connected IP Threat Intels.

ioc_url 

Array of UUID Strings

List of unique_id of the connected URL Threat Intels.

ioc_url_data 

Array of Objects

Details of the connected URL Threat Intels.

ioc_domain 

Array of UUID Strings

List of unique_id of the connected domain Threat Intels.

ioc_domain_data 

Array of Objects

Details of the connected domain Threat Intels.

ioc_email 

Array of UUID Strings

List of unique_id of the connected email Threat Intels.

ioc_email_data 

Array of Objects

Details of the connected email Threat Intels.

Action: List Actions

This action retrieves a list of actions using query string and query parameters.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in the form of key-value pairs to filter the results. 

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): by default, the value is 1

  • page_size (int): by default, the value is 10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter

Type 

Description

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of Actions in CFTR application as per the query parameters.

results 

List of Objects

Details of the Actions. 

Each object provides details of one Action.

title 

String

The title of the action.

unique_id 

String

Unique ID of the action.

created 

String

Created date of the action in EPOCH time format.

modified 

String

Last modified date of the action in EPOCH time format.

description 

String

Description the an action.

assigned_to 

String

User_id of the assigned user.

assigned_to_data 

Object

Details of the assigned user.

assigned_group 

String

Group_comm_id of the assigned user group.

assigned_group_data 

Object

Details of the assigned user group. Details include: 

group_comm_id and group_name of the user group.

status 

String

Status of the action. For example, open.

readable_id 

String

Readable ID of the action. For example, ACT379.

created_by_data 

Object

Details of the user who created the action. Details include: 

username, email ,first name, last name, and so on.

can_update_instance 

Boolean

Shows whether the instance can be updated by the user who requested it or not.

is_bookmarked 

Boolean

True: Action is bookmarked. 

False: Action is not bookmarked.

closed_by_data 

Object

Details of the user who closed the action. Details include: 

username, email ,first name, last name, and so on.

closed_on 

String

Closure date of the action in EPOCH time format.

resolved_on 

String

Resolved date of the action in EPOCH time format.

assignment_sla 

String

Details of assignment SLA details of the action. 

This parameter has two keys: 

1. color: Associated color code (according to SLA breach level). 

2. data: It has two keys: 

- sla_duration: SLA Breach time. 

- elapsed_time: time elapsed between action opening and SLA completion.

resolution_sla 

String

Details of resolution SLA of the action. 

This parameter has two keys: 

1. color: Associated color code (according to SLA breach level). 

2. data: It has two keys: 

- sla_duration: SLA Breach time. 

- elapsed_time: time elapsed between action opening and SLA completion.

resolution_due_date 

String

Resolution due date of the action.

sla_stopped_on 

String

Date and time at which the SLA stopped for the action.

type 

String

Type of the action. For example, Recovery.

priority 

String

Priority level of the action

type_data 

Object

Details of the type of the action. Details include: unique_id, option_name, is_active, and so on.

priority_data 

Object

Details of the priority level of the action.

labels 

List of Strings

Unique IDs of the list of labels added to the action.

labels_data 

Object

Details of the labels added to the action. Details include: 

unique_id, title, color code, and so on.

created_from_template 

Boolean

Displays if the action is created using a template or not.

Action: List Asset Applications

This action retrieves a list of asset applications from the Applications module.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

  • business_units 

  • created_date__gte 

  • created_date__lte

  • labels

  • modified_date__gte

  • modified_date__lte

  • locations

  • production_date__gte

  • production_date__gte

  • status

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the applications to the previous page. 

next key shows the API endpoint to the next page.

count 

Integer

The total number of applications returned as per the entered query parameters.

results 

List of Objects

Details of the applications. 

Each object provides the details of one application.

unique_id 

String

Unique ID of the application.

created 

String

Created date and time of the application.

modified 

String

Last updated date and time of the application.

title 

String

Title of the application.

production_date 

String

Production date of application.

readable_id 

String

Readable ID of the application.

labels 

List

List of the labels associated with the application.

labels_data 

List of Objects

Details of labels added to the application. The details include: 

title, unique_id, color_code, and so on.

status 

String

Status of the application.

Action: List Asset Software

This action retrieves a list of asset software from the Software module.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

  • business_units

  • created_date__gte

  • created_date__lte

  • labels

  • modified_date__gte

  • modified_date__lte

  • locations

  • software_status

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next key shows the API endpoint to the next page.

count 

Integer

The total number of software returned as per the entered query parameters.

results 

List of Objects

Details of the softwares. 

Each object provides the details of one software.

unique_id 

String

Unique ID of the software.

created 

String

Created date and time of the software.

modified 

String

Last updated date and time of the software.

title 

String

Name of the software.

readable_id 

String

Readable ID of the software.

labels 

List

List of the labels that are added to the software.

labels_data 

List of Objects

Details of labels added to the software. The details include: 

title, unique_id, color_code, and so on.

software_status 

String

Status of the sofware. For example, active.

Action: List Asset Users

This action retrieves a list of asset users from the Users module.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next key shows the API endpoint to the next page.

count 

Integer

The total number of users returned as per the entered query parameters.

results 

List of Objects

Details of the users. 

Each object provides the details of one user.

unique_id 

String

Unique ID of the user.

created 

String

Created date and time of the user.

modified 

String

Last updated date and time of the user.

employee_name 

String

Name of the user.

email 

String

Email ID of the user.

display_name 

String

Name of the user.

readable_id 

String

Readable ID of the user.

labels 

List

List of labels that are added to the user.

labels_data 

List of Objects

Details of labels added to the user. The details include: 

title, unique_id, color_code, and so on.

user_status 

String

Status of the user.

threat_score 

Float

Risk score of the user.

Action: List Attachments

This action retrieves the attachments from a component.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier

Enter the identifier of a component.

Text

Required

Allowed values: 

  • action

  • comment

  • enhancement

  • incident

  • malware

  • PIR

  • vulnerability

Unique ID 

Enter the unique ID of the component entry to which you want to add an attachment. 

Text

Required

If the component identifier is Incident, then the unique ID must be a specific Incident ID.

Example Request 

[
  {
    "component_name": "incident",
    "unique_id": "Example Unique ID",
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next key shows the API endpoint to the next page.

count 

Integer

The total number of attachments returned as per the entered query parameters.

results 

List of Objects

Details of the attachments. 

Each object provides the details of one attachment.

title

Text

Name of the file.

uploaded_file

URL

URL of the file from where it can be downloaded.

unique_id

String

Unique ID for the file.

created_by_data

Object

Details of the user who uploaded the file.

created

Datetime

File upload time.

modified

Datetime

File modified time.

readable_id

String

Unique readable ID of the file.

file_hash

String

Hash of the file.

file_type

String

Type of the file. I 

Allowed values: 

artifact: Artifact 

evidence: Evidence 

miscellaneous: Miscellaneous

file_size

Integer

Size of the file.

parent_readable_id

String

readable_id of the incident in which file is uploaded.

parent_component

String

Component name in which file is uploaded. Example: incident, action, and so on.

parent_unique_id

String

unique_id of the incident in which file is uploaded

Action: List Business Units

This action retrieves a list of business units from the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

  • q (str)

  • page_size (int): default value is 10

  • page (int): default value is 1

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of Business Units in CFTR application according to the filters applied.

results 

List of Objects

Details of the Business Unit. Each object provides details of one Business Unit.

title 

String

The title of the Business Unit.

description 

Text

Description of the Business Unit.

unique_id 

String

Unique ID of the Business Unit in UUID-4 format.

created 

String

Creation date and time of the Business Unit in ISO format.

modified 

String

Last modified date and time of the Business Unit in ISO format.

readable_id 

String

Unique readable ID of the Business Unit. It starts with BU followed by a unique number. 

Example: "BU102"

email_list 

String

Emails of the recepients to whom the notifications are sent.

Action: List Campaigns

This action retrieves a list of campaigns.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in the form of key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): by default, the value is 1

  • page_size (int): by default, the value is 10

  • status (str): inactive, active

  • bookmarked (bool)

  • mentioned (bool)

  • created_by (ID)

  • created_date__gte (epochtime)

  • created_date__lte (epochtime)

  • locations (ID)

  • labels (ID)

  • modified_date__gte (epochtime)

  • modified_date__lte (epochtime)

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10,
      "status": "ACTIVE"
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count

Integer

Total number of campaigns in CFTR application according to the filters applied.

results

List of Objects

Details of the campaigns. 

Each object provides details of one campaign.

unique_id

String

Unique ID of the campaign in UUID-4 format.

readable_id

String

Unique readable ID of the campaign. It starts with CMP followed by a unique number. 

Example: CMP101

created

String

Campaign creation date and time.

description

Text

Description of the campaign.

modified

String

Last updated date and time of the campaign.

title

String

Title of the campaign.

title_display

String

Title of the campaign.

status

String

Current status of the campaign. 

Allowed values: 

ACTIVE 

INACTIVE 

is_bookmarked

Boolean

Shows if the campaign is bookmarked or not.

created_by_data

Object

Details of user who created the campaign. Details include: 

username, email ,first_name, last_name, and so on.

labels

List of Strings

Unique ID of the labels associated with the campaign in UUID-4 format.

labels_data

List of Objects

Details of labels added to the campaign. Details include: 

title, unique_id, color_code, and so on.

Action: List CFTR Users

This action retrieves a list of users from the User Management module.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

  • is_active

  • is_bot

  • group_comm_id

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of users in CFTR application according to the filters applied.

results 

List of Objects

Details of the users. Each object provides details of one user.

user_id 

String

Unique ID of the users in UUID-4 format.

first_name 

String

First name of the user.

last_name 

String

Last name of the user.

email 

String

Email ID of the user.

display_pic 

String

The link to the display picture of the user.

username 

String

Username of the user.

profile_background_color 

String

Hex key of the background color of the user profile.

is_active 

Boolean

Shows whether a user is an active user or not.

full_name 

String

Full name of the user.

Action: List Comments

This action retrieves the comments of an entry.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier

Enter the identifier of a component.

Example:

incident

Text

Required

Allowed values: 

  • action

  • application

  • software

  • campaign

  • device

  • enhancement 

  • incident

  • threat intel

  • malware

  • PIR

  • threat-briefing

  • vulnerability

Unique ID 

Enter the unique ID of the component entry to which you want to add comments. 

Example:

1cc818a1-2676-4746-ac2e-6610832c4d65

Text

Required

If component identifier is Incident, then unique ID must be specific Incident.

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

  • user_group

  • type

  • created_by

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
    "component_name": "incident",
    "unique_id": "Example Unique ID"
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

count

Integer

Number of comments added in a module object.

unique_id

String

Unique ID of the comment.

description

Text

Content of the comment.

created_by

Object

Details of the user who added the comment.

modified_by

Object

Details of the user who last updated the comment.

mentioned_users

List of UUID

List of user_id of users mentioned in the comment.

mentioned_users_data

List of Objects

Details of the users mentioned in the comment.

created

Datetime

Comment creation time in EPOCH time format.

modified

Datetime

Comment last updated time in EPOCH time format.

comment_type

String

Type of Comment. 

Examples: 

discussion: Notes added in an incident. 

handoff: Handoff notes added while updating the assignee or assigned group. 

closure: Closure Notes added while closing an incident.

content_object

String

Component in which the comment is added. 

Example: incident, action, ioc, and so on.

content_object_readable_id

String

readable_id of the incident in which comment is added

content_object_unique_id

String

unique_id of the incident in which comment is added

description_with_img_src

Text

Content of the content with the image URLs (if any image is added in the comment).

Pinned

Boolean

Shows if the comment is pinned or not.

Action: List Countries

This action retrieves a list of countries from the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

  • q (str)

  • page_size (int): default value is 10

  • page (int): default value is 1

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]
Action: List Custom Module Entries

This action retrieves all the entries of a custom module with their details.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier 

Enter the component identifier of the module. 

Example: 

module21

Text

Required

You can retrieve the list of components and their component identifiers using the following action:

List Custom Modules

Example Request 

[
  {
    "component_identifier": "module21" 
  }
]

Action Response Parameters

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of entries of the custom module in CFTR application as per the filters applied.

results 

List of Objects

Details of the entries of the custom module. 

Each object provides details of one entry.

unique_id 

String

Unique ID of the entry in UUID-4 format.

readable_id 

String

Unique readable ID of the entry. It starts with the configured Module Identifier followed by a unique number.

created 

String

Creation date and time of the entry.

modified 

String

Last updated date and time of the entry.

labels 

List

List of labels added to the entry.

modified_by_user_id 

String

UUID of the user who last modified the custom module entry.

created_by_user_id 

String

UUID of the user who created the custom module entry.

title 

Text

Title of the entry.

description 

Text

Description of the entry.

status 

String

Current status of the entry.

status_data 

Object

Details of the status of the entry. Details include: 

unique_id, option_name, is_active, and so on.

is_bookmarked 

Boolean

Shows if the entry is bookmarked or not.

modified_by_data 

Object

Details of the user who last updated the entry. Details include: 

username, email ,first_name, last_name, and so on.

created_by_data 

Object

Details of the user who created the entry. Details include: 

username, email ,first_name, last_name, and so on.

labels_data 

List of Objects

Details of labels added to the entry. Details include: 

title, unique_id, color_code, and so on.

is_bookmarked 

Boolean

Displays whether the entry is bookmarked or not.

is_removed 

Boolean

Displays whether the custom module entry is in the deleted state or not.

readable_id_counter 

Integer

Unique number of the entry.

Action: List Custom Modules

This action retrieves the list of custom modules.

Action Input Parameters

There are no input parameters required for this action.

Action Response Parameters

Parameter 

Type 

Description 

link

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count

Integer

Total number of custom modules in CFTR application according to the filters applied.

results

List of Objects

Details of the custom modules. 

Each object provides details of one incident.

component_identifier 

String

Component identifier of a custom module. Example, MOD.

module_name 

String

Name of the custom module.

icon 

String

The icon identifier that is being used for the custom module.

unique_id 

String

Unique ID of the custom module.

is_removable 

Boolean

Shows whether the custom module can be deleted or not. 

- true indicates that there is no entry created for the module and the module can be deleted. 

- false indicates that entries for the custom module are already created and the module cannot be deleted.

Action: List Devices

This action retrieves a list of devices from the Devices module.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

 Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

  • business_units

  • created_date__gte

  • created_date__lte

  • labels

  • modified_date__gte

  • modified_date__lte

  • locations

  • endpoint_status

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]
Action: List Enhancements

This action retrieves a list of enhancements.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

  • status

  • created_date__gte

  • created_date__lte

  • labels

  • modified_date__gte

  • modified_date__lte

  • incidents

  • campaigns

  • created_by

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count

Integer

Total number of enhancements in the CFTR application as per the filters applied.

results

List of Objects

Details of the enhancements. 

Each object provides details of one enhancement.

unique_id

String

Unique ID of the enhancement in UUID-4 format.

readable_id

String

Unique readable ID of the enhancement. It starts with ENHfollowed by a unique number. 

Example: ENH101

created

String

Enhancement creation date and time.

description

Text

Description of the enhancement.

modified

String

Last updated date and time of the enhancement.

title

Text

Title of the enhancement.

status

String

Current status of the enhancement. 

Allowed values: 

- open

- closed

priority

String

Priority level of the enhancement.

priority_data

Object

Details of the priority assigned. Details include: 

unique_id

option_name, and so on.

is_bookmarked

Boolean

Shows if the enhancement is bookmarked or not.

modified_by_data

Object

Details of the user who last updated the enhancement. Details include: 

username, email ,first_name, last_name, and so on.

assigned_group

String

Unique ID of the assigned user group of the enhancement in UUID-4 format.

assigned_group_data

Object

Details of the assigned user group. Details include: group name and group ID.

created_by_data

Object

Details of user who created the enhancement. Details include 

username, email ,first_name, last_name, and so on.

assigned_to

String

Unique ID of the assigned user of the enhancement in UUID-4 format.

assigned_to_data

Object

Details of the assigned user. Details include 

username, email ,first_name, last_name, and so on.

labels

List of Strings

List of Unique IDs of the labels associated with the enhancement in UUID-4 format.

labels_data

List of Objects

Details of labels added to the enhancement. Details include 

title, unique_id, color_code, and so on.

enhancement_type

List of Strings

Option name of the enhancement types associated with the enhancement.

enhancement_type_data

List of Objects

Details of the enhancement types associated with the enhancement.

Action: List Incidents

This action retrieves a list of incidents from the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in the form of key-value pairs to filter the results.

Key Value

Optional

Allowed values: 

q (str), page (int): by default, the value is 1, page_size (int): by default, the value is 10, status (str): open, closed, untriaged, merged, participant (bool), self_assigned_groups (bool), self_assigned (bool), bookmarked (bool), mentioned (bool), assigned_to (bool), is_protected (bool), is_paused (bool), attack_techniques (id), attack_tactics (id), phase (str), business_units (id), created_by (id), detection_date__gte (epochtime), detection_date__lte (epochtime), incident_date__gte (epochtime), incident_date__lte (epochtime), modified_date__gte (epochtime), modified_date__lte (epochtime), created_date__gte (epochtime), created_date__lte (epochtime), locations (id), level (str): type of severity, kill_chain_phase (id), labels (id), created_date__n_months (int): 3, 6, created_date__n_days (int): 7, 30, 90, resolution_overdue (bool), assignment_overdue (bool)

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10,
      "status": "open"
    }
  }
]

Action Response Parameters 

Parameter

Type

Description

link 

JSON Object

This parameter may include the following keys:

  • previous key shows the API endpoint to the previous page of the response.

  • next key shows the API endpoint to the next page of the response.

count 

Integer

Total number of incidents in CFTR application according to the filters applied.

results 

Array of JSON Objects

List of incident details. Each object provides details of one incident.

results[x].unique_id 

String

Unique ID of the Incident in UUID-4 format.

results[x].readable_id 

String

Unique readable ID of the incident. It starts with INC followed by a unique number.

results[x].created 

String

Incident creation date and time in Epoch format.

results[x].description 

String

Description of the Incident.

results[x].modified 

String

Last updated date and time of the incident.

results[x].title 

String

Title of the incident.

results[x].machine_generated 

Boolean

True: Incident is considered machine generated when it is generated using the CFTR OpenAPI. False: Incident created manually.

results[x].status 

String

Current status of the incident. Possible values: open, closed, untriaged, merged

results[x].closed_on 

String

Date and time when the incident was closed. If incident is not closed, value of this param will be null.

results[x].title_display 

String

Title of the incident.

results[x].is_protected 

Boolean

Returns true if the incident is marked as protected.

results[x].level 

String

Severity level of the incident.

results[x].phase 

String

Current phase of the incident.

results[x].is_paused 

Boolean

Returns true if the incident is paused.

results[x].opened_on 

String

Date and time when the incident was opened. If incident is not opened yet, value of this param will be null.

results[x].assignment_sla 

JSON Object

Assignment SLA details of the incident. It has two keys: 1. color: Associated color code(according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: Time elapsed between incident opening and SLA completion.

results[x].resolution_sla 

JSON Object

Resolution SLA details of the incident. It has two keys: 1. color: Associated color code(according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: Time elapsed between incident opening and SLA completion.

results[x].is_bookmarked 

Boolean

Shows if the incident is bookmarked or not.

results[x].resolution_due_date 

Timestamp

Resolution SLA breach date of the incident.

results[x].opened_by_data 

JSON Object

Details of the user who opened the incident. Details include: username, email ,first_name, last_name, and user_id.

results[x].parent_data 

JSON Object

Details of the parent incident if the incident is merged. Details include: title, unique_id, and readable_id.

results[x].modified_by_data 

JSON Object

Details of the user who last updated the Incident. Details include: username, email ,first_name, last_name, and user_id.

results[x].assigned_group_data 

JSON Object

Details of the assigned user group. Details include: group name and group ID.

results[x].created_by_data 

JSON Object

Details of the user who created the incident. Details include: username, email ,first_name, last_name, and user_id.

results[x].assigned_to_data 

JSON Object

Details of the assigned user. Details include: username, email ,first_name, last_name, and user_id.

results[x].labels_data 

Array of JSON Objects

Details of labels added to the incident. Details include: title, unique_id, color_code, and more.

results[x].business_units_impacted_data 

JSON Object

Details of business unit impacted by the incident. Details include: title and unique_id of the business unit.

results[x].locations_impacted_data 

Array of JSON Objects

Details of locations impacted by the incident. Details include: title and unique_id.

results[x].phase_data 

JSON Object

Details of the current phase of the incident. Details include: 

option_name: The name of the phase 

unique_id: Unique ID of the phase

results[x].ie_incident_type_data 

JSON Object

Details of the incident type associated with the incident. Details include: option_name, unique_id, and more.

results[x].ie_incident_type 

String

Incident type associated with the incident.

results[x].level_data 

JSON Object

Details of the severity level of the incident. Details include: option_name, unique_id, and more.

results[x].kill_chain_phase 

String

Current kill chain phase of the incident.

results[x].kill_chain_phase_data 

JSON Object

Details of the kill chain phase of the incident. Details include: unique_id, option_name, and more.

results[x].ie_motives_data 

Array of JSON Objects

Details of the motivations of the incident. Details include: unique_id, option_name, and more.

results[x].ie_motives 

Array

List of motivations of the incident.

results[x].applicable_compliance_data 

Array of JSON Objects

Details of the compliance standards that are applicable to the incident. Details include: unique_id, option_name, and more.

results[x].applicable_compliance 

Array

List of compliance standards that are applicable to the incident.

results[x].ie_root_cause_data 

JSON Objects

Details of the root cause of the incident.

results[x].ie_root_cause 

String

Root cause of the incident.

Action: List Incident Workflows

This action retrieves a list of all the incident workflows with the details from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in the form of key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

  • q (str)

  • page (int) 

  • page_size (int) 

  • schema_type(text)

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

title 

String

Title of the Incident Workflow.

description 

String

Description of the Incident Workflow.

unique_id 

String

Unique Identifier String of UUID-4 format of the Incident Worflow.

schema_type 

String

Defines the state of Incident Workflow as `draft` OR `published`.

status 

String

Describes the state of Incident Workflow as `active` or `inactive`.

is_default 

Boolean

Determines whether the Incident Workflow is the default one or not.

object_identifier 

String

Determines the string name for Incident Module.

phase_flow 

String

Determines the selected flow of Workflow phases as `linear` or `non-linear`.

created 

String

Timestamp String in ISO Format describing the date-time of creation of the Incident Workflow.

modified 

String

Timestamp String in ISO Format describing the date-time of latest modification of the Incident Workflow.

created_by 

String

user_id in UUID-4 format of the user who created the Incident Workflow.

modified_by 

String

user_id in UUID-4 format of the User who lastly modified the Incident Workflow.

created_by_data 

Object

Basic details of the user who created the Incident Workflow.

modified_by_data 

Object

Basic details of the user who lastly modified the Incident Workflow.

is_removed 

Boolean

Determines whether the Workflow is in deleted state or not.

is_mapped 

Boolean

Determines whether the Incident Workflow has been mapped to parent parameters or not.

num_of_phases 

Integer

Determines the number of phases present in the Incident Workflow.

is_imported 

Boolean

Determines if the Workflow is imported or not.

Action: List Locations

This action retrieves a list of locations from the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of locations in CFTR application according to the filters applied.

results 

List of Objects

Details of the location. Each object provides details of one location.

title 

String

The title of the location.

unique_id 

String

Unique ID of the location in UUID-4 format.

country 

String

Unique ID of the corresponding country in UUID-4 format.

country_data 

Object

Details of the corresponding country.

country_data.title 

String

The name of the Country.

country_data.unique_id 

String

Unique ID of the corresponding country in UUID-4 format.

state 

String

Unique ID of the corresponding state in UUID-4 format.

state_data 

Object

Details of the corresponding state.

state_data.title 

String

The name of the State.

state_data.unique_id 

String

Unique ID of the corresponding state in UUID-4 format.

city 

String

Name of the city.

site 

String

Name of the site.

pincode 

String

PIN code of the site.

created 

String

Creation date and time of the location in ISO format.

modified 

String

Last modified date and time of the location in ISO format.

is_active 

Boolean

Shows if the location is active or not.

Longitude 

String

Unique ID of the longitude of the location.

Latitude 

String

Unique ID of the lantitude of the location.

Action: List Malware

This action retrieves a list of malware.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

  • created_date__gte

  • file_type

  • first_seen__gte

  • first_seen__gte

  • first_seen__lte

  • created_date__lte

  • labels

  • modified_date__gte

  • modified_date__lte

  • status

  • platform

  • type

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of malware for activity logs of a component in CFTR.

results 

List of Objects

Details of the malware for activity logs. Each object provides details of one malware.

unique_id 

String

Unique ID of the malware.

readable_id 

String

Readable ID of the malware.

created 

String

Created date of the malware in EPOCH time format.

modified 

String

Last modified date of the malware in EPOCH time format.

title 

String

Title of the malware.

status 

String

Status of the malware.

is_bookmarked 

Boolean

Shows if the malware is bookmarked or not.

created_by_data 

Object

Details of the user who created the malware. Details include: 

username, email, first name, last name, and so on.

title_display 

String

Title of the malware.

labels 

Object

Unique IDs of the associated labels.

labels_data 

Object

Details of the associated labels, such as unique_id, title, color_code, and so on.

type_data 

Object

Details of the type of malware.

type 

Object

Type of the malware.

file_type_data 

Object

Details of malware file type.

file_type 

Object

Malware file type. 

For example, exe, bat, dll, zip, and so on_._

platform_data 

Object

Details of platform affected by the malware.

platform 

Object

Lists platforms affected by malware. 

For example, Windows, Windows XP, and so on.

Action: List Manufacturers

This action retrieves a list of manufacturers from the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of manufacturers in the CFTR application according to the filters applied.

results 

List of Objects

Details of the manufacturers. Each object provides details of one manufacturer.

title 

String

The title of the manufacturer.

unique_id 

String

Unique ID of the manufacturer in UUID-4 format.

readable_id 

String

Unique readable ID of the manufacturer. It starts with MFR followed by a unique number. 

Example: "MFR101"

description 

Text

Description of the manufacturer.

created 

String

Creation date and time of the manufacturer in ISO format.

modified 

String

Last modified date and time of the manufacturer in ISO format.

Action: List OS Types

This action retrieves a list of operating system (OS) types from the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]
Action: List PIRs

This action retrieves a list of PIRs (Priority Intel Requirement) using the ID of the PIR.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

  • created_date__gte

  • created_date__lte

  • labels

  • modified_date__gte

  • modified_date__lte

  • locations

  • status

  • priority

  • incidents

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next key shows the API endpoint to the next page.

count 

Integer

The total number of PIRs returned as per the entered query parameters.

results 

List of Objects

Details of the PIRs. 

Each object provides the details of one PIR.

title 

String

Title of the PIR.

unique_id 

String

Unique ID of the PIR in UUID-4 format.

readable_id 

String

Readable ID of the PIR.

description 

Text

Description of the PIR.

created 

String

Creation date and time of the PIR in ISO format.

modified 

String

Last updated date and time of the PIR in ISO format.

status 

String

Current status of the PIR. 

Allowed values: 

open 

closed 

created_by_data 

Object

Details of user who created the PIR.

closed_by 

String

user_id of the user who closed the PIR.

closed_by_data 

Object

Details of user who closed the PIR.

closed_on 

String

Closing date and time of the PIR in ISO format.

is_bookmarked 

Boolean

Shows whether the PIR is bookmarked or not.

labels 

List of String

List of unique_id of the attached labels.

labels_data 

List of Objects

Details of the attached labels.

priority 

String

Priority level of the PIR. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

priority_data 

Object

Details of the priority of the PIR.

assigned_to 

List of Stings

List of Unique IDs of the assigned users in UUID-4 format.

assigned_to_data 

List of Objects

Details on the list of assigned users of the PIR. Details include: 

username, email, first_name, last_name, and so on.

assigned_group 

String

Unique ID of the assigned user group in UUID-4 format.

assigned_group_data 

Object

Details of the assigned user group. Details include: 

group name and group ID

Action: List Sources

This action retrieves a list of sources from the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

Page: 10

Key Value

Optional

Allowed values:

  • q (string)

  • page (integer): By default, the value is 1

  • page_size (integer): By default, the value is 10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of sources in CFTR application according to the filters applied.

results 

List of Objects

Details of the source. Each object provides details of one source.

value 

String

The name of the source.

source_type 

String

Unique ID of the source type in UUID-4 format.

source_display_name 

String

Display name of the source.

unique_id 

String

Unique ID of the source in UUID-4 format.

created 

String

Creation date and time of the source in ISO format.

modified 

String

Last modified date and time of the source in ISO format.

source_type_data 

Object

Details of the source type.

source_type_data.unique_id 

String

Unique ID of the source type in UUID-4 format .

source_type_data.created 

String

Creation date and time of the source type in ISO format.

source_type_data.title 

String

The title of the source type.

Action: List Threat Actors

This action retrieves a list of threat actors.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in the form of key-value pairs to filter the results.

Key Value

Optional

Allowed values:

  • q (str)

  • page (int): by default, the value is 1

  • page_size (int): by default, the value is 10

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of Business Units in CFTR application according to the filters applied.

results 

List of Objects

Details of the Business Unit. Each object provides details of one Business Unit.

title 

String

Title of the threat actor.

unique_id 

String

Unique ID of the threat actor.

readable_id 

String

Readable ID of the threat actor.

description 

Text

Description of the threat actor.

created 

String

Creation time of the threat actor in ISO format.

modified 

String

Last Updated time of the threat actor in ISO format.

status 

String

Current status of the threat actor. 

Allowed values: 

open 

closed 

risk 

String

Risk associated with the threat actor. 

Allowed Values: 

- Very Low

- Low

- Medium

- High

- Very High

priority 

String

Priority of the threat actor. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

created_by_data 

Object

Details of user who created the threat actor.

closed_by 

String

user_id of the user who closed the threat actor.

closed_by_data 

Object

Details of user who closed the threat actor.

closed_on 

String

Closing date of the threat actor in ISO format.

is_bookmarked 

Boolean

Shows whether the threat actor is bookmarked or not.

Action: List Threat Briefings

This action retrieves a list of threat briefings.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in the form of key-value pairs to filter results.

Example:

page: 10

Key Value

Optional

Allowed values:

  • q (str)

  • page (int): by default, the value is 1

  • page_size (int): by default, the value is 10, 

  • status (str): inactive, active

  • bookmarked (bool)

  • mentioned (bool)

  • business_units (id)

  • created_by (id)

  • created_date__gte (epochtime)

  • created_date__lte (epochtime)

  • locations (id)

  • labels (id)

  • briefing_frequency (str)

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10,
      "status": "ACTIVE"
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next key shows the API endpoint to the next page.

count 

Integer

The total number of Threat Briefings returned as per the entered query parameters.

results 

List of Objects

Details of the Threat Briefings. 

Each object provides the details of one Threat Briefing.

unique_id 

String

Unique ID of the Threat Briefing.

readable_id 

String

Readable ID of the Threat Briefing.

title 

String

Title of the Threat Briefing.

description 

Text

Description of the threat briefing.

status 

String

Current status of the Threat Briefing. 

Allowed values: 

- ACTIVE 

- INACTIVE

created 

String

Created date and time of the Threat Briefing.

modified 

String

Last updated date and time of the Threat Briefing.

title_display 

String

Title of the Threat Briefing.

is_bookmarked 

Boolean

Shows whether the Threat Briefing is bookmarked or not.

labels 

List

List of unique_id of the attached labels.

labels_data 

List of Objects

Details of the attached labels.

locations_data 

List of Objects

Details of the locations linked to the Threat Briefing.

business_units_data 

List of Objects

Details of the business units linked to the Threat Briefing.

created_by 

String

Unique ID of the user who created the Threat Briefing.

created_by_data 

Object

Details of the user who created the Threat Briefing.

Action: List Threat Intel (IOCs)

This action retrieves a list of threat intel (IOCs).

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in the form of key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

  • q (str)

  • type (str): ioc_ip, ioc_url, ioc_domain, ioc_md5, ioc_sha1, ioc_sha256, ioc_email, 

  • modified_date__gte (epoch)

  • created_date__gte (epoch)

  • created_date__lte (epoch)

  • only_count (bool)

  • labels (ID)

  • tlp (str): red, amber, green, white

  • status (str): cleaned, blocked, malicious, false_positive, whitelisted, none 

  • page (int): by default, the value is 1

  • page_size (int): by default, the value is 10

Example Request 

[
  {
    "query_params":
    {
      "type": "ioc_domain",
      "tlp": "RED",
      "status": "cleaned",
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of Threat Intels in CFTR application.

results 

List

Details of the Threat Intels. 

Each object provides details of one Threat Intel.

value 

String

Value of the Threat Intel.

unique_id 

String

Unique ID of the Threat Intel in UUID-4 format.

created 

String

Creation date and time of the Threat Intel.

modified 

String

Last updated date and time of the Threat Intel.

tlp 

String

TLP associated with the Threat Intel. 

Allowed values: 

RED 

AMBER 

GREEN 

WHITE 

incidents_data 

List of Objects

Details of Incidents associated with the Threat Intel. 

Details include: unique_id, readable_id, and title.

status 

String

Current status of the Threat Intel. 

Allowed values: 

cleaned 

blocked 

malicious 

false_positive 

whitelisted 

none 

labels_data 

List of Objects

Details of labels added to the Threat Intel. 

Details include title, color_code, unique_id, created, and modified.

malwares_data 

List of Objects

Details of the Malware associated with the Threat Intel. 

Details include: unique_id, readable_id, and title.

threat_actors_data 

List of Objects

Details of Threat Actors associated with the Threat Intel.

vulnerabilities_data 

List of Objects

Details of Vulnerabilities associated with the Threat Intel. 

Details include: unique_id, readable_id, and title.

actions_count 

Integer

Number of Actions added to the Threat Intel.

notes_count 

Integer

Number of comments added to the Threat Intel.

ioc_type 

String

unique_id of the Indicator type.

ioc_type_data 

Object

Details of the Indicator type.

Action: List User Groups

This action retrieves a list of user groups from the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

  • permission_comm_id

  • permission_code

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next shows the API endpoint to the next page.

count 

Integer

Total number of User Groups in CFTR application as per the query parameters.

results 

List of Objects

Details of the User Groups. 

Each object provides details of one User Group.

group_comm_id 

String

Unique ID of the User Group in UUID-4 format.

group_name 

String

Name of the User Group.

description 

Text

Description of the User Group.

permissions 

List of Objects

List of permission objects of the usser group. Each object includes the details of one permission.

created_by 

Object

Unique ID of the user who created the user group.

user_count 

Positive Integer

Number of users assigned to the user group.

permission_count 

Positive Integer

Count of the number of permissionsconfigured for the user group.

is_active 

Boolean

Shows whether the user group is currently active or not.

is_editable 

Boolean

Shows whether the user group is editable or not.

created 

Integer

Creation date and time of the user group in EPOCH time format.

ciims_user_set 

List of Strings

List of unique IDs of the users assigned to the user group in UUID-4 format.

ciims_user_set_data 

List of Objects

Details of the users assigned to the user group. Each object includes the details of one user.

group_cost 

Float

Analyst cost associated with the users of the user group. The default cost is configured as per the daily rate.

playbook_tags 

List of Strings

List of unique IDs of the Cyware Orchestrate Playbook tags added to the user group in UUID-4 format.

playbook_tags_data 

List of Objects

Details of the Playbook tags. Each object includes the details of one Playbook tag.

is_readonly_group 

Boolean

Shows whether the group is read-only or not.

saml_associated_groups 

String

SAML groups associated with the user group

permissions.permission_comm_id 

String

Unique ID of the permission in UUID-4 format.

permissions.display_name 

String

Display name of the permission.

permissions.code_name 

String

Unique string of the permission.

permissions.grant 

String

Level of grant associated with each permission in CFTR. Allowed values: 

-ALLOWED: Permissions that are provided by default. 

-DISALLOWED: Permissions that cannot be provided while creating a group. 

-SELECTABLE: Permission that can be configured while creating a group.

permissions.verbose_name 

String

Verbose name given to the permission.

playbook_tags_data.unique_id 

String

Unique ID of the Playbook in UUID-4 format.

playbook_tags_data.title 

String

Title of the Playbook.

playbook_tags_data.description 

Text

Description of the Playbook.

Action: List Vulnerabilities

This action retrieves a list of vulnerabilities.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters 

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values: 

  • q (str)

  • page (int): default value is 1

  • page_size (int): default value is 10

  • created_date__gte

  • created_date__lte 

  • labels

  • modified_date__gte

  • modified_date__lte

  • status

  • priority

  • type

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

link 

Object

This parameter has two keys: 

previous and next

previous key shows the API endpoint to the previous page. 

next key shows the API endpoint to the next page.

count 

Integer

Total number of vulnerabilities returned as per the entered query parameters.

results 

List of Objects

Details of the vulnerabilities. 

Each object provides the details of one vulnerability.

unique_id 

String

Unique ID of the vulnerability.

readable_id 

String

Readable ID of the vulnerability. For example, VUL115.

title 

String

Title of the vulnerability.

status 

String

Current status of the vulnerability. 

Allowed values: 

- open

- closed

created 

String

Created date of the vulnerability.

modified 

String

Last updated date of the vulnerability.

title_display 

String

Title of the vulnerability.

is_bookmarked 

Boolean

Shows whether the vulnerability is bookmarked or not.

labels 

List

List of unique_id of the attached labels.

labels_data 

List of Objects

Details of the attached labels.

risk_data 

Object

Details of risk associated with the vulnerability.

risk 

String

Risk level associated with the vulnerability. 

Allowed Values: 

- Very Low

- Low

- Medium

- High

- Very High

risk_data 

Object

Details of the risk associated with the vulnerability.

priority_data 

Object

Details of the priority of the vulnerability.

priority 

String

Priority level of the vulnerability. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

Action: Merge Incidents

This action merges incidents with a parent incident.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Parent Incident ID 

Enter the unique ID of the parent incident.

Example:

af043f9f-27d9-4f0d-8f38-9c4788a7e35b

Text

Required

You can retrieve the list of incidents and their IDs using the following action:

Get Incidents

Child Incidents 

Enter the unique ID of the child incidents to be merged with the parent incident.

Example:

af043f9f-27d9-4f0d-8f38-9c4788a7e35f

List

Required

Template ID 

Enter the template ID of the child incidents to merge with the parent incident.

Example:

af043f9f-27d9-4f0d-8f38-9c4788a7e35e

Text

Required

You can retrieve the list of templates and their IDs using the following action:

Get Templates

Action Response Parameters

Parameter 

Type 

Description 

response 

Integer

Status code 200 for a successful merging of incidents.

Action: Update Action Details

This action updates the details of an action using the ID of the action.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Action ID 

Enter the unique ID of the action. 

Example:

f0900171-be25-490e-bddc-fa8bf29d6453

Text

Required

You can retrieve the list of actions and their IDs from the application using the following action:

Get Actions

Additional Information 

Enter the additional information in the form of key-value pairs. 

Example:

status: open

Key Value

Optional

 

Readable Type 

Select true to enter the readable type values. This allows you to update actions using the values of assigned groups, labels, and the email IDs of assigned users.

Boolean

Optional

Default value: 

false

Example Request 

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "open"
    }
  }
]

Action Response Parameters

Parameters 

Type 

Description 

title 

String

The title of the action.

unique_id 

String

Unique ID of the action.

created 

String

Created date of the action in EPOCH time format.

modified 

String

Last modified date of the action in EPOCH time format.

description 

String

Description of the action.

assigned_to 

String

User_id of the assigned user.

assigned_to_data 

Object

Details of the assigned user.

assigned_group 

String

Group_comm_id of the assigned user group.

assigned_group_data 

Object

Details of the assigned user group. Details include: group_comm_id, group_name.

status 

String

Status of the action.

readable_id 

String

Readable ID of the action. For example, ACT379.

created_by_data 

Object

Details of the user who created the action. Details include: 

username, email ,first name, last name, and so on.

can_update_instance 

Boolean

Shows whether the instance can be updated by the user who requested it or not.

is_bookmarked 

Boolean

True: Action is bookmarked. 

False: Action is not bookmarked.

closed_by_data 

Object

Details of the user who closed the action. Details include: 

username, email ,first name, last name, and so on.

closed_on 

String

Closure date of the action in EPOCH time format.

resolved_on 

String

Resolved date of the action in EPOCH time format.

assignment_sla 

String

Details of assignment SLA details of the action. 

This parameter has two keys: 

1. color: Associated color code (according to SLA breach level). 

2. data: It has two keys: 

- sla_duration: SLA Breach time. 

- elapsed_time: time elapsed between action opening and SLA completion.

resolution_sla 

String

Details of resolution SLA of the action. 

This parameter has two keys: 

1. color: Associated color code (according to SLA breach level). 

2. data: It has two keys: 

- sla_duration: SLA Breach time. 

- elapsed_time: time elapsed between action opening and SLA completion.

resolution_due_date 

String

Resolution due date of the action.

sla_stopped_on 

String

Date and time at which the SLA stopped for the action.

type 

String

Type of the action.

priority 

String

Priority level of the action

type_data 

Object

Details of the type of the action.

priority_data 

Object

Details of the priority level of the action.

created_from_template 

Boolean

Shows if the action is created using a template or not.

users 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

softwares 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of connected software.

softwares_data 

Array of Objects

Details of the connected software.

applications 

Array of UUID-4 Strings

Array of UUID-4 strings containing unique IDs of connected applications.

applications_data 

Array of Objects

Details of the connected applications.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns_data 

Array of Objects

Details of the connected campaigns.

incidents_data 

Object

Details of the connected incidents.

malwares_data 

Array of Objects

Details of the connected malware.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

Action: Update Asset Application Details

This action updates the details of an application using the ID of the application and additional fields.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Application ID 

Enter the unique ID of the application. 

Example: 

a8007b20-bf76-4ce8-a761-45a453512479

Text

Required

You can retrieve the list of applications and their IDs using the following action:

Get Asset Applications

Additional Information 

Enter the details in key-value pairs to be updated in the asset application. 

Example:

status: active

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to update applications using the values of locations, business units, and labels.

Boolean

Optional

Default value:

false

Example Request 

[
  {
    "unique_id": "Example Unique ID",
    {
        "extra_fields":
        {
          "title": "VirusTotal",
          "created": "2021-07-23T11:36:59.803613Z",
          "modified": "2021-07-23T11:36:59.803613Z",
          "status": "active"
        }  
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the application.

created 

String

Application creation date and time.

modified 

String

Application last updated date and time.

title 

String

Title of the application.

version 

Float

Version of the application.

title_display 

String

Title of the application.

readable_id 

String

Readable ID of the application.

status 

String

Current status of the the application.

application_type 

String

Type of the application. For example, Security.

application_status 

String

Status of the application. For example, Live.

production_date 

String

Production date of the application.

created_by 

String

user_id of the user who created the application.

created_by_data 

Object

Details of user who created the application.

labels 

List

List of unique_id labels that are added to the application.

labels_data 

List of Objects

Details of the labels that are added to the application.

business_units_data 

List of Objects

Details of business units that are impacted by the application

locations_data 

List of Objects

Details of locations that are impacted by the application.

application_url 

URL

URL of the application.

owner_data 

Object

Details of the owner of the application.

owner 

String

UUID of the application owner.

manager_data 

Object

Details of the manager of the application.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

Action: Update Asset Software Details

This action modifies the details of an asset software.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Asset Software ID 

Enter the unique ID of the asset software. 

Example:

b251f6a2-a5b8-41d6-aaf6-8f59ad72d6e3

Text

Required

You can retrieve the list of assets and their IDs using the following action:

Get Asset Software List

Additional Information 

Enter the details in key-value pairs to be updated in the asset software. 

Example:

status: open

Key Value

Optional

Example Request 

[
  {
    "unique_id": "b251f6a2-a5b8-41d6-aaf6-8f59ad72d6e3",
    {
        "extra_fields":
        {
          "title": "Desktop Computer",
          "created": "2021-07-23T11:36:59.803613Z",
          "modified": "2021-07-23T11:36:59.803613Z",
          "software_status": "active"
        }  
      }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the software.

created 

String

Software creation date and time.

modified 

String

Software last updated date and time.

title 

String

Name of the software.

software_id 

String

ID of the software.

software_type 

List

Type of the software. For example, Development Software.

title_display 

String

Name of software.

readable_id 

String

Readable ID of software. For example, SFT115.

software_status 

String

Current status of the software.

purchase_date 

String

Purchase date of the software.

created_by 

String

user_id of the user who created the software.

created_by_data 

Object

Details of user who added the software.

labels 

List

List of unique_id labels that are added to the software.

labels_data 

List of Objects

Details of the labels that are added to the software.

business_units_data 

List of Objects

Details of business units that are impacted by the software

locations_data 

List of Objects

Details of locations that are impacted by the software.

software_type_data 

Object

Details of the software type.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities .

malwares 

Array of UUID Strings

List of unique_id of the connected connected malwares.

malwares_data 

Array of Objects

Details of the connected malwares .

endpoints 

Array of UUID Strings

List of unique_id of the connected connected devices.

endpoint_data 

Array of Objects

Details of the connected devices.

Action: Update Asset User Details

This action updates the details of an asset user.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Asset User ID 

Enter the unique ID of the asset user.

Example:

b3184a17-e59f-46cb-82c3-d8aabbefff7e

Text

Required

You can retrieve the list of asset users and their IDs using the following action:

Get Asset Users

Additional Information 

Enter the details in key-value pairs to update the asset user.

Example:

location: New York

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to create assets using the values of labels, and business units.

Boolean

Optional

Default value:

false

Example Request 

[
  {
    "unique_id": "b3184a17-e59f-46cb-82c3-d8aabbefff7e",
    {
        "extra_fields":
        {
          "full_name": "John Doe"
        }  
      }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the user.

created 

String

User creation date and time.

modified 

String

User last updated date and time.

employee_name 

String

Name of the user.

email 

String

Email ID of the user.

display_name 

String

Name of the user.

readable_id 

String

Readable ID of the user.

user_status 

String

Current Status of the user.

hire_date 

String

Hiring date of the user.

created_by 

String

user_id of the CFTR user who created the asset user.

created_by_data 

Object

Details of the CFTR user who created the asset user.

labels 

List

List of unique_id of labels that are added to the user.

labels_data 

List of Objects

Details of the labels that are added to the user.

business_units_data 

List of Objects

Details of business units of the user.

owned_applications 

Array of UUID Strings

List of unique_id of the applications owned by the user.

owned_applications_data 

Array of Objects

Details of the applications owned by the user.

managed_applications 

Array of UUID Strings

List of unique_id of the applications managed by the user.

managed_applications_data 

Array of Objects

Details of the managed applications.

managed_endpoints 

Array of UUID Strings

List of unique_id of the devices managed by the user.

managed_endpoints_data 

Array of Objects

Details of the managed devices.

owned_endpoints 

Array of UUID Strings

List of unique_id of the devices owned by the user.

owned_endpoints_data 

Array of Objects

Details of the managed devices.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

Action: Update Campaign Details

This action updates the details of a campaign.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Campaign ID 

Enter the unique ID of the campaign.

Example:

k53ff8942-612d-4bc1-b54f-d8195c002404.

Text

Required

You can retrieve the list of campaigns and their IDs using the following action:

Get Campaigns

Readable Type 

Select true to enter the readable type values. This allows you to update campaigns using the values of labels.

Boolean

Optional

Default: 

false

Additional Information 

Enter the additional details of the campaign in the form of key-value pairs. 

Example:

description: new campaign found

Key Value

Optional

Example Request 

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id

String

Unique ID of the campaign in UUID-4 format.

readable_id

String

Unique readable ID of the campaign. It starts with CMP followed by a unique number. 

Example: CMP101

created

String

Campaign creation date and time.

description

Text

Description of the campaign.

modified

String

Last updated date and time of the campaign.

title

String

Title of the campaign.

title_display

String

Title of the campaign.

status

String

Current status of the campaign. 

Allowed values: 

ACTIVE 

INACTIVE 

is_bookmarked

Boolean

Shows if the campaign is bookmarked or not.

created_by_data

Object

Details of the user who created the campaign. Details include: 

username, email ,first_name, last_name, and so on.

labels

List of Strings

Unique ID of the labels associated with the campaign in UUID-4 format.

labels_data

List of Objects

Details of labels added to the campaign. Details include: 

title, unique_id, color_code, and so on.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

incidents 

Array UID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

malwares 

Array UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

actions_data 

Array of Objects

Details of the actions that are added to the campaign.

pirs_data 

Array of Objects

Details of the PIRs that are added to the campaign.

enhancements_data 

Array of Objects

Details of the enhancements that are added to the campaign.

Action: Update Custom Module Entry

This action updates a custom module entry.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier 

Enter the component identifier of the module. 

Example:

module21

Text

Required

You can retrieve the list of custom modules and their component identifier using the following action:

List Custom Modules

Instance Unique ID 

Enter the unique ID of the entry. 

Example: 

822c2781-8ea0-4122-8176-8995a4c81dca

Text

Required

You can retrieve the list of custom module entries and their IDs using the following action:

List Custom Module Entries

Payload 

Enter the additional information to be added in the custom module entry in key-value pairs. Use the field_readable_key of the custom fields as keys.

Key Value

Required

Action Response Parameters

Parameter 

Type 

Description 

title 

String

Title of the entry.

unique_id 

String

Unique ID of the entry.

status 

String

Current status of the entry.

description 

Text

Description of the entry.

created_by_user_id 

String

user_id of the user who created the entry.

modified_by_user_id 

String

user_id of the user who last modified the entry.

created_by_data 

Object

Details of the user who created the entry.

modified_by_data 

Object

Details of the user who last modified the entry.

created 

String

Creation date and time of the entry.

modified 

String

Last updated date and time of the entry.

is_bookmarked 

Boolean

Shows if the entry is bookmarked or not.

can_update_instance 

Boolean

Shows whether the entry can be updated by the user who requested it or not.

labels 

Array

List of the labels that are added to the entry.

labels_data 

Array of Objects

Details of the labels that are added to the entry.

is_removed 

Boolean

Displays if the entry is in deleted state or not.

status_data 

Array of Objects

Displays the details of the status of the entry.

attachments_data 

Array of Objects

Details of each attachment of the entry.

Action: Update Device Details

This action updates the details of a device using the ID of the device.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Device ID 

Enter the unique ID of the device.

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

Additional Information 

Enter the details in key-value pairs to be updated in the device.

Example:

hostname: updated security device

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to update devices using the values of locations, business units, manufacturers, labels, and operation system types.

Boolean

Optional

Default: 

false

Example Request 

[
  {
    "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404",
    {
        "extra_fields":
        {
          "created": "2021-07-23T11:36:59.803613Z",
          "modified": "2021-07-23T11:36:59.803613Z",
          "hostname": "EC2AMAZ-8V2J535",
          "endpoint_status": "clean"
        }  
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the device.

created 

String

Device creation time in EPOCH time format.

modified 

String

Device Last Updated Time in EPOCH time format.

serial_number 

String

Serial number of the device.

hostname 

String

Hostname of the device.

readable_id 

String

Readable ID of the device. For example, DVC116.

endpoint_status 

String

Current status of the device.

owner 

String

Owner of the device.

physical_location 

String

Physical location of the device.

title_display 

String

Hostname of the device

ip_address 

Float

IP address of the device.

created_by 

String

user_id of the user who created the device.

created_by_data 

Object

Details of user who created the device. Details include: 

username, first_name, last_name, user_id and more.

status 

String

Status of the device.

labels 

List

List of unique_id labels that are added to the device.

labels_data 

List of Objects

Details of the labels that are added to the device.

business_units_data 

List of Objects

Details of business units that are impacted by the device.

locations_data 

List of Objects

Details of locations that are impacted by the device.

risk 

String

Risk level of the device.

risk_data 

Object

Details of the risk of the device.

priority 

String

Priority of the device.

endpoint_type 

String

Type of the endpoint. For example, Desktop.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

owner_data 

Object

Details of the owner of device.

manager_data 

Object

Details of the manager of device.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

actions_data 

Array of Objects

Details of the actions that are added to the device.

Action: Update Enhancement Details

This action updates the details of an enhancement using the ID of the enhancement.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Enhancement ID 

Enter the unique ID of the enhancement. 

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of enhancements using the following action:

Get Enhancements

Additional Information 

Enter the enhancement details in the form of key-value pairs. 

Example:

description: this is an important enhancement

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to create enhancements using the values of assigned groups, labels, and the email IDs of assigned users.

Boolean

Optional

Default value: 

false

Example Request 

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "closed"
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id

String

Unique ID of the enhancement in UUID-4 format.

readable_id

String

Unique readable ID of the enhancement. It starts with ENHfollowed by a unique number. 

Example: ENH101

created

Datetime

Enhancement creation date and time.

description

Text

Description of the enhancement.

modified

Datetime

Last updated date and time of the enhancement.

title

Text

Title of the enhancement.

status

String

Current status of the enhancement. 

Allowed values: 

- open

- closed

priority

String

Priority level of the enhancement.

priority_data

Object

Details of the priority assigned. Details include: 

unique_id

option_name, and so on.

priority_data.unique_id

String

Unique ID of the priority in UUID-4 format.

priority_data.option_name

String

Display Name of the priority

priority_data.color_code

String

Hex value of the priority display color.

is_bookmarked

Boolean

Shows if the enhancement is bookmarked or not.

modified_by_data

Object

Details of the user who last updated the enhancement. Details include: 

username, email ,first_name, last_name, and so on.

assigned_group

String

Unique ID of the user group the enhancement belongs to in UUID-4 format.

assigned_group_data

Object

Details of the assigned user group. Details include group name and group ID.

created_by_data

Object

Details of the user who created the enhancement. Details include: 

username, email ,first_name, last_name, and so on.

assigned_to

String

Unique ID of the assigned user of the enhancement in UUID-4 format.

assigned_to_data

Object

Details of the assigned user. Details include: 

username, email ,first_name, last_name, and so on.

labels

List of Strings

List of Unique IDs of the labels attached to the enhancement in UUID-4 format.

labels_data

List of Objects

Details of labels added to the enhancement. Details include: 

title, unique_id, color_code, and so on.

labels_data.unique_id

String

Unique ID of the label in UUID-4 format.

labels_data.option_name

String

Display name of the label

labels_data.color_code

String

Hex value of the label display color.

enhancement_type

List of Strings

Option name of the enhancement types associated with the enhancement.

enhancement_type_data

List of Objects

Details of the enhancement types associated with the enhancement.

enhancement_type_data.unique_id

String

Unique ID of the enhancement in UUID-4 format.

enhancement_type_data.option_name

String

Display Name of the enhancement type

enhancement_type_data.color_code

String

Hex value of the enhancement type display color.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

attachments_data

Array of Objects

Details of each attachment of the enhancement.

Action: Update Incident Details

This action updates the details of an incident.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Incident ID 

Enter the unique ID of an incident. 

Example:

p53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of incidents and their IDs using the following action:

Get Incidents

Incident Status 

Enter the status of the incident. 

Example:

merged

Text

Optional

Allowed values: 

  • untriaged

  • open

  • closed

  • merged

Incident Phase 

Enter the phase of the incident.

Example:

recovery

Text

Optional

Allowed values: 

  • detection analysis

  • containment

  • investigation and eradication 

  • recovery

  • closure

Readable Type 

Select true to enter the readable type values. This allows you to update incidents using the values of locations, business units, sources, assigned groups, and the email IDs of assigned users.

Boolean

Optional

Default value:

false

Additional Information 

Enter other incident details in the form of key-value pairs to update. 

Example:

labels: Important

Key Value

Optional

Example Request 

[
  {
    "phase": "Detection Analysis",
    "title": "Sample Title",
    "status": "open",
    "unique_id": "a341fbb0-6046-4fb3-8b2c-29652af3584e",
    "description": "This is a sample description.",
    "extra_fields": {},
    "handoff_note": {
      "description": "updating assignee",
      "comment_type": "handoff"
    },
    "readable_type": false,
    "assigned_group": "cde925f0-a6a4-464d-b6a1-9727178d10ee",
    "locations_impacted": [
      "e02447d4-9b47-44de-ae4f-d810dfe72770",
      "fc6c98ae-6995-4cc3-80b8-21ebdec648d9"
    ],
    "business_units_impacted": "c24ab8cd-df74-4192-bd16-b135353486dd"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance}

JSON Object

This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Returns the response retrieved from the app action.

app_instance.response.modified_by_data 

JSON Object

Details of the user who last modified the incident.

app_instance.response.modified 

String

Last updated date and time of the incident.

app_instance.response.update_index

Integer

Update index of the incident.

app_instance.status_code

Integer

HTTP status code of the API request received from the instance.

Action: Update Malware Details

This action updates the details of a malware record using the malware ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Malware ID 

Enter the unique ID of the malware. 

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404.

Text

Required

You can retrieve the list of malware and their IDs using the following action:

List Malware

Additional Information 

Enter the additional information in the form of key-value pairs. 

Example:

description: new malware found

Key Value

Optional

Example Request 

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "active"
    }
  }
]

Action Response Parameters

Parameters 

Type 

Description 

type 

Object

Type of the malware.

ioc_email 

Object

Unique IDs of the email IOC type.

platform 

Object

List of affected platforms.

ioc_ip 

Object

Unique IDs of the IP IOC type.

ioc_md5 

Object

Unique IDs of the MD5 Hash IOC type.

file_type 

Object

File types of the malware. For example, dll, exe, docx, zip.

ioc_domain 

Object

Unique IDs of the domain IOC type.

ioc_sha1 

Object

Unique IDs of the SHA1 IOC type.

ioc_sha256 

Object

Unique IDs of the SHA256 IOC type.

ioc_url 

Object

Unique IDs of the URL IOC type.

unique_id 

String

Unique ID of the malware.

readable_id 

String

Readable ID of the malware.

created 

String

Created date of the malware in EPOCH time format.

modified 

String

Last modified date of the malware in EPOCH time format.

title 

String

Title of the malware.

description 

String

Description of the malware.

incidents 

Object

Unique ID of the linked incidents.

status 

String

Status of the malware.

briefings 

Object

Unique ID of the linked threat briefings.

briefings_data 

Object

Details of the linked threat briefings.

incidents_data 

Object

Details of the linked incidents.

is_bookmarked 

Boolean

Shows if the malware is bookmarked or not.

actions_data 

Object

Details of the linked actions.

campaigns 

Object

Unique ID of the linked campaigns.

campaigns_data 

Object

Details of the linked campaigns.

vulnerabilities 

Object

Unique ID of the linked vulnerabilities.

vulnerabilities_data 

Object

Details of the linked vulnerabilities.

threat_actors 

Object

Unique ID of the linked threat actors.

threat_actors_data 

Object

Details of the linked threat actors.

pirs_data 

Object

Details of the linked PIRs.

attachments_data 

Object

Details of the attachments.

created_by_data 

Object

Details of the user who created the malware. Details include: 

username, email, first name, last name, and so on.

labels 

Object

Unique ID of the linked labels.

labels_data 

Object

Details of the linked labels.

tactic_technique_pair_data 

Object

Details of the linked tactic technique pairs.

first_seen 

String

Date on which malware is seen for the first time.

last_modified 

Object

Last modified date of the malware.

applications 

Object

Unique ID of the linked applications.

applications_data 

Object

Details of the linked applications.

asset_softwares 

Object

Unique ID of the linked software.

asset_softwares_data 

Object

Details of the Linked Asset Softwares.

endpoints 

Object

Unique ID of the linked devices.

endpoints_data 

Object

Details of the linked devices.

enhancements 

Object

Unique ID of the linked enhancements.

enhancements_data 

Object

Details of the linked enhancements.

type_data 

Object

Details of the malware type.

file_type_data 

Object

Details of the malware file type.

platform_data 

Object

Details of the affected platforms.

Action: Update PIR Details

This action updates a PIR (Priority Intel Requirement) record using the ID of the PIR.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

PIR (Priority Intel Requirement) ID 

Enter the unique ID of the PIR.

Example:

06863326-10f4-472a-9d8e-f45f4cd2dbcd

Text

Required

You can retrieve the list of PIRs and their IDs using the following action:

Get PIRs

Additional Information 

Enter the details in the form of key-value pairs. 

Example:

status: open

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to update a PIR using the values of assigned groups, labels, and the email IDs of assigned users.

Boolean

Optional

Default: 

false

Example Request 

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

title 

String

Title of the PIR.

unique_id 

String

Unique ID of the PIR in UUID-4 format.

readable_id 

String

Readable ID of the PIR.

description 

Text

Description of the PIR.

created 

String

Creation date and time of the PIR in ISO format.

modified 

String

Last updated date and time of the PIR in ISO format.

status 

String

Current status of the PIR. 

Allowed values: 

open 

closed 

created_by_data 

Object

Details of user who created the PIR.

closed_by 

String

user_id of the user who closed the PIR.

closed_by_data 

Object

Details of user who closed the PIR.

closed_on 

String

Closing date and time of the PIR in ISO format.

is_bookmarked 

Boolean

Shows whether the PIR is bookmarked or not.

labels 

List of String

List of unique_id of the attached labels.

labels_data 

List of Objects

Details of the attached labels.

priority 

String

Priority level of the PIR. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

priority_data 

Object

Details of the priority of the PIR.

assigned_to 

List of Stings

List of Unique IDs of the assigned users in UUID-4 format.

assigned_to_data 

List of Objects

Details on the list of assigned users of the PIR. Details include: 

username, email, first_name, last_name, and so on.

assigned_group 

String

Unique ID of the assigned user group in UUID-4 format.

assigned_group_data 

Object

Details of the assigned user group. Details include: 

group name and group ID

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

Action: Update Threat Actor Details

This action updates the details of a threat actor.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Threat Actor ID 

Enter the unique ID of the threat actor.

Example: 

497b2aa0-11f3-44f0-9d21-2a67453d8c94

Text

Required

You can retrieve the list of threat actors using the following action:

Get Threat Actors

Additional Information 

Enter the additional information in the form of key-value pairs.

Example:

description: A new threat actor found

Key Value

Optional

Example Request 

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "type": "Hacktivist"
    }
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

title 

String

Title of the threat actor.

unique_id 

String

Unique ID of the threat actor.

readable_id 

String

Readable ID of the threat actor.

description 

Text

Description of the threat actor.

created 

String

Creation time of the threat actor in ISO format.

modified 

String

Last Updated time of the threat actor in ISO format.

status 

String

Current status of the threat actor. 

Allowed values: 

open 

closed 

risk 

String

Risk associated with the threat actor. 

Allowed Values: 

- Very Low

- Low

- Medium

- High

- Very High

priority 

String

Priority of the threat actor. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

created_by_data 

Object

Details of user who created the threat actor.

closed_by 

String

user_id of the user who closed the threat actor.

closed_by_data 

Object

Details of user who closed the threat actor.

closed_on 

String

Closing date of the threat actor in ISO format.

is_bookmarked 

Boolean

Shows whether the threat actor is bookmarked or not.

attachments_data 

Array of Objects

Details of each attachment of the threat actor.

actions_data 

Array of Objects

Details of the actions that are added for the threat actor.

enhancements 

Array of UUID Strings

List of the enhancements that are added for the threat actor.

enhancements_data 

Array of Objects

Details of the enhancements that are added for the threat actor.

pirs_data 

Array of Objects

Details of the PIRs that are added for the threat actor.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

users 

Array of UUID Strings

List of unique_id of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

ioc_SHA1 

Array of UUID Strings

List of unique_id of the connected SHA1 Threat Intels.

ioc_SHA1_data 

Array of Objects

Details of the connected SHA1 Threat Intels.

ioc_MD5 

Array of UUID Strings

List of unique_id of the connected MD5 Threat Intels.

ioc_MD5_data 

Array of Objects

Details of the connected MD5 Threat Intels.

ioc_SHA256 

Array of UUID Strings

List of unique_id of the connected SHA256 Threat Intels.

ioc_SHA256_data 

Array of Objects

Details of the connected SHA256 Threat Intels.

ioc_ip 

Array of UUID Strings

List of unique_id of the connected IP Threat Intels.

ioc_ip_data 

Array of Objects

Details of the connected IP Threat Intels.

ioc_url 

Array of UUID Strings

List of unique_id of the connected URL Threat Intels.

ioc_url_data 

Array of Objects

Details of the connected URL Threat Intels.

ioc_domain 

Array of UUID Strings

List of unique_id of the connected domain Threat Intels.

ioc_domain_data 

Array of Objects

Details of the connected domain Threat Intels.

ioc_email 

Array of UUID Strings

List of unique_id of the connected email Threat Intels.

ioc_email_data 

Array of Objects

Details of the connected email Threat Intels.

Action: Update Threat Briefing Details

This action updates the details of a threat briefing.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Briefing ID 

Enter the unique ID of the threat briefing. 

Example:

w53ff8942-612d-4bc1-b54f-d8195c002404.

Text

Required

You can retrieve the list of threat briefings and their IDs using the following action:

Get Threat Briefings

Additional Information 

Enter additional information in the threat briefing in the form of key-value pairs. 

Example:

labels: important

Key Value

Optional

Readable Type 

Select true to enter the readable type values. This allows you to update threat briefings using the values of locations, business units, and labels.

Boolean

Optional

Default value:

false

Example Request 

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "Active"
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

unique_id 

String

Unique ID of the Threat Briefing.

readable_id 

String

Readable ID of the Threat Briefing.

title 

String

Title of the Threat Briefing.

description 

Text

Description of the threat briefing.

status 

String

Current status of the Threat Briefing. 

Allowed values: 

- ACTIVE 

- INACTIVE

created 

String

Created date and time of the Threat Briefing.

modified 

String

Last updated date and time of the Threat Briefing.

title_display 

String

Title of the Threat Briefing.

is_bookmarked 

Boolean

Shows whether the Threat Briefing is bookmarked or not.

labels 

List

List of unique_id of the attached labels.

labels_data 

List of Objects

Details of the attached labels.

locations_data 

List of Objects

Details of the locations linked to the Threat Briefing.

business_units_data 

List of Objects

Details of the business units linked to the Threat Briefing.

created_by 

String

Unique ID of the user who created the Threat Briefing.

created_by_data 

Object

Details of the user who created the Threat Briefing.

attachments_data 

Array of Objects

Details of each attachment of the Threat Briefing.

actions_data 

Array of Objects

Details of the actions that are added for the Threat Briefing.

enhancements 

Array of UUID Strings

List of the enhancements that are added for the Threat Briefing.

enhancements_data 

Array of Objects

Details of the enhancements that are added for the Threat Briefing.

pirs_data 

Array of Objects

Details of the PIRs that are added for the Threat Briefing.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

users 

Array of UUID Strings

List of unique_id of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

vulnerabilities 

Array of UUID Strings

List of unique_id of the connected vulnerabilities.

vulnerabilities_data 

Array of Objects

Details of the connected vulnerabilities.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

Action: Update Threat Intel (IOC)

This action updates threat intel (IOC) using the threat intel ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Intel (IOC) ID 

Enter the unique ID of the threat intel (IOC) 

Example:

f0900171-be25-490e-bddc-fa8bf29d6453

Text

Required

You can retrieve the list of threat intel using the following action:

Get List of Threat Intel (IOC)

Additional Information 

Enter the additional information to be updated in key-value pairs. 

Example: 

status: cleaned

Key Value

Optional

Example Request 

[
  {
    "tlp": "WHITE",
    "value": "5075f76fb61ce1a56d9b7758f97c7903796933b0b0737a274bf8d347b5fa4473",
    "status": "none",
    "created": "2021-07-30T07:35:58.756888Z",
    "ioc_type": "371b43d3-e28d-42f8-80c3-f32039d38954",
    "modified": "2021-07-30T07:35:58.756888Z",
    "unique_id": "b7392170-ea74-467c-9665-0103020cd926"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

value 

String

Value of the Threat Intel.

unique_id 

String

Unique ID of the Threat Intel in UUID-4 format.

created 

String

Creation date and time of the Threat Intel.

modified 

String

Last Updated date and time of the Threat Intel.

geo_details 

List of Objects

Details of the location of threat intel.

tlp 

String

TLP associated with the threat intel. 

Allowed values: 

RED 

AMBER 

GREEN 

WHITE 

incidents_data 

List of Objects

Details of Incidents associated with the Threat Intel. 

Details include: unique_id, readable_id, and title.

created_by 

String

user_id of the user who created the Threat Intel

status 

String

Current status of the Threat Intel. 

Allowed values: 

cleaned 

blocked 

malicious 

false_positive 

whitelisted 

none 

labels 

List

List of unique_id of labels added to the Threat Intel.

labels_data 

List of Objects

Details of labels added to the Threat Intel. 

Details include title, color_code, unique_id, created, and modified.

malwares_data 

List of Objects

Details of Malware associated with the Threat Intel. 

Details include: unique_id, readable_id, and title.

threat_actors_data 

List of Objects

Details of Threat Actors associated with the Threat Intel.

vulnerabilities_data 

List of Objects

Details of Vulnerabilities associated with the Threat Intel. 

Details include: unique_id, readable_id, and title.

actions_count 

Integer

Number of Actions added to the Threat Intel.

notes_count 

Integer

Number of comments added to the Threat Intel.

ioc_type 

String

unique_id of the Indicator Type.

ioc_type_data 

Object

Details of the Indicator Type.

Action: Update Vulnerability Details

This action updates the details of a vulnerability.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Vulnerability ID 

Enter the unique ID of the vulnerability.

Example:

e53ff8972-618d-4bc1-b54f-d8195c002404.

Text

Required

You can retrieve the list of vulnerabilities and their IDs using the following action:

Get Vulnerabilties

Additional information 

Enter the details to be updated in key-value pairs.

Example:

status: closed

Key Value

Optional

Example Request 

[
  {
    "risk": "Very Low",
    "title": "Critical VUL1243",
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "cvss_score":8
    }
  }
]

Action Response Parameters

Parameter 

Type 

Description 

title 

String

Title of the vulnerability.

unique_id 

String

Unique ID of the vulnerability.

readable_id 

String

Readable ID of the vulnerability.

description 

Text

Description of the vulnerability.

created 

String

Creation time of the vulnerability in ISO format.

modified 

String

Last Updated time of the vulnerability in ISO format.

status 

String

Current status of the vulnerability. 

Allowed values: 

open 

closed 

risk 

String

Risk associated with the vulnerability. 

Allowed Values: 

- Very Low

- Low

- Medium

- High

- Very High

priority 

String

Priority of the vulnerability. 

Allowed values: 

- Very Low

- Low

- Medium

- High

- Very High

created_by_data 

Object

Details of user who created the vulnerability.

closed_by 

String

user_id of the user who closed the vulnerability.

closed_by_data 

Object

Details of user who closed the vulnerability.

closed_on 

String

Closing date of the vulnerability in ISO format.

is_bookmarked 

Boolean

Shows whether the vulnerability is bookmarked or not.

attachments_data 

Array of Objects

Details of each attachment of the vulnerability.

actions_data 

Array of Objects

Details of the actions that are added for the vulnerability.

enhancements 

Array of UUID Strings

List of the enhancements that are added for the vulnerability.

enhancements_data 

Array of Objects

Details of the enhancements that are added for the vulnerability.

pirs_data 

Array of Objects

Details of the PIRs that are added for the vulnerability.

applications 

Array of UUID Strings

List of unique_id of the connected applications.

applications_data 

Array of Objects

Details of the connected applications.

softwares 

Array of UUID Strings

List of unique_id of the connected software.

softwares_data 

Array of Objects

Details of the connected software.

users 

Array of UUID Strings

List of unique_id of the connected users.

users_data 

Array of Objects

Details of the connected users.

endpoints 

Array of UUID Strings

List of unique_id of the connected devices.

endpoints_data 

Array of Objects

Details of the connected devices.

briefings 

Array of UUID Strings

List of unique_id of the connected threat briefings.

briefings_data 

Array of Objects

Details of the connected threat briefings.

campaigns 

Array of UUID Strings

List of unique_id of the connected campaigns.

campaigns_data 

Array of Objects

Details of the connected campaigns.

malwares 

Array of UUID Strings

List of unique_id of the connected malware.

malwares_data 

Array of Objects

Details of the connected malware.

threat_actors 

Array of UUID Strings

List of unique_id of the connected threat actors.

threat_actors_data 

Array of Objects

Details of the connected threat actors.

incidents 

Array of UUID Strings

List of unique_id of the connected incidents.

incidents_data 

Array of Objects

Details of the connected incidents.

ioc_SHA1 

Array of UUID Strings

List of unique_id of the connected SHA1 Threat Intels.

ioc_SHA1_data 

Array of Objects

Details of the connected SHA1 Threat Intels.

ioc_MD5 

Array of UUID Strings

List of unique_id of the connected MD5 Threat Intels.

ioc_MD5_data 

Array of Objects

Details of the connected MD5 Threat Intels.

ioc_SHA256 

Array of UUID Strings

List of unique_id of the connected SHA256 Threat Intels.

ioc_SHA256_data 

Array of Objects

Details of the connected SHA256 Threat Intels.

ioc_ip 

Array of UUID Strings

List of unique_id of the connected IP Threat Intels.

ioc_ip_data 

Array of Objects

Details of the connected IP Threat Intels.

ioc_url 

Array of UUID Strings

List of unique_id of the connected URL Threat Intels.

ioc_url_data 

Array of Objects

Details of the connected URL Threat Intels.

ioc_domain 

Array of UUID Strings

List of unique_id of the connected domain Threat Intels.

ioc_domain_data 

Array of Objects

Details of the connected domain Threat Intels.

ioc_email 

Array of UUID Strings

List of unique_id of the connected email Threat Intels.

ioc_email_data 

Array of Objects

Details of the connected email Threat Intels.

Action: Upload Attachment

This action uploads an attachment to a component

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Object Identifier 

Enter the object identifier of the component to which you want to add an attachment. 

Example: 

incident, action

Text

Required

Allowed values:

  • incident

  • action

  • vulnerabilities

  • enhancements

  • PIRs

  • malware

Object Unique ID 

Enter the unique ID of the object. 

Example: 

df0ce907-baca-4d21-96ae-15e63f527191

Text

Required

File Path 

Enter the file path.

Example:

/Users/JohnDoe/Documents/security-details.txt

Text

Required

File Type 

Enter the file type.

Example:

evidence

Text

Optional

Allowed values: 

  • artifact

  • evidence

  • miscellaneous

Default value: 

artifact

Example Request 

{
    "object_unique_id": "df0xxxx7-baca-4d21-96ae-15xxx7191",
    "object_identifier": "incident",
    "file_path": "/tmp/d70dd6a1-71f3-412a-9f1d-6c5d74b544fc/local_file.txt"
}

Action Response Parameters

Parameter 

Type 

Description 

title

Text

Name of the file.

uploaded_file

URL

URL of the file from where it can be downloaded.

unique_id

String

Unique ID for the file.

created_by_data

Object

Details of the user who uploaded the file.

created

Datetime

File upload time.

modified

Datetime

File modified time.

readable_id

String

Unique readable ID of the file.

file_hash

String

Hash of the file.

file_type

String

Type of the file. I 

Allowed values: 

artifact: Artifact 

evidence: Evidence 

miscellaneous: Miscellaneous

file_size

Integer

Size of the file.

parent_readable_id

String

readable_id of the incident in which file is uploaded.

parent_component

String

Component name in which file is uploaded. Example: incident, action, and so on.

parent_unique_id

String

unique_id of the incident in which file is uploaded

Action: Generic Action

This is a generic action to perform any additional use case in the application.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Endpoint 

Enter the endpoint to make the API request. 

Example: 

/cftrapi/openapi/v1/comments/

Text

Required

HTTP Method 

Enter the HTTP method to make the API request. 

Example: 

GET, POST

Text

Required

Query Params 

Enter query parameters to filter the results.

Key value

Optional

Payload JSON 

Enter the JSON payload to pass to the API. 

Example: 

$JSON[{'data': {'type': type,'id': id}}]

Any

Optional

Payload Data 

Enter the payload to pass to the API.

Any

Optional