Respond (CFTR)

App Vendor: Cyware

App Category: Cyware Product

Connector Version: 4.0.5

API Version: CFTR v3

About App

The Respond connector app allows security teams to integrate with the Respond application, a threat response automation platform. The connector app enables analysts to perform actions related to incident response and management, threat actor management, vulnerability management, malware management, triage management, and more that help you automate threat response.

Note

Respond (v4.0.0) includes major updates that may not be compatible with previous versions. Major updates include adding new actions, deprecating a few actions, and more. We recommend you review all the playbooks and actions before upgrading.

The Respond app is configured with Orchestrate to perform the following actions:

Action Name	Description
Add Asset Software	This action adds an asset software in the Software module.
Add Asset User	This action adds an asset user to the Users module.
Add Comment	This action adds comments in a specific component.
Add Comment in Custom Module (Deprecated)	This action adds a comment in the custom module.
Add Device	This action adds a device to the Devices module.
Advanced Search for Modules	This action retrieves a list of module entries based on the specified payload and query parameters.
Bulk Create Threat Intel (IOCs)	This action creates multiple IOCs in the Threat Intel module.
Connect Modules	This action connects modules to reflect in the Connect the Dots of each module.
Create Action	This action creates an action in the application.
Create a Malware	This action created malware in the application.
Create a PIR	This action creates a PIR (Priority Intel Requirement).
Create Asset Application	This action creates an asset application in the Applications module.
Create a Threat Briefing	This action adds a new threat briefing record to the application.
Create Attack Tactic-Technique Pair	This action creates an attack tactic and technique pair.
Create Campaign	This action creates a new campaign in the application.
Create Custom Module Entry	This action creates a new custom module entry.
Create Enhancement	This action creates an enhancement.
Create Incident	This action creates an incident.
Create Threat Actor	This action adds a threat actor.
Create Vulnerability	This action adds a new vulnerability.
Fetch Health Console Status	This action retrieves the console status.
Get Action Details	This action retrieves the details of an action using the ID of the action.
Get Asset Application Details	This action retrieves the details of an application using the ID of the application.
Get Assets Impacted by Vulnerability	This action retrieves the details of the assets impacted by a vulnerability.
Get Asset Software Details	This action retrieves details of the asset software using the ID.
Get Asset User Details	This action retrieves the details of an asset user.
Get ATT&CK Tactic Details	This action retrieves the details of an ATT&CK tactic.
Get ATT&CK Tactics	This action retrieves a list of ATT&CK tactics from the ATT&CK Navigator module.
Get ATT&CK Technique Details	This action retrieves the details of an ATT&CK technique.
Get ATT&CK Techniques	This action retrieves a list of ATT&CK techniques from the ATT&CK Navigator module.
Get Business Unit Details	This action retrieves the details of a business unit.
Get Campaign Details	This action retrieves the details of a campaign.
List Actions	This action retrieves a list of actions based on the query parameters.
List Asset Applications	This action retrieves a list of asset applications from the Applications module.
List Asset Software	This action retrieves a list of asset software from the Software module.
List Asset Users	This action retrieves a list of asset users from the Users module.
List Attachments	This action retrieves the attachments of an entry.
List Business Units	This action retrieves a list of business units.
List Campaigns	This action retrieves a list of campaigns.
Get CFTR User Details	This action retrieves the details of a user.
List CFTR Users	This action retrieves a list of users from the User Management module.
List Comments	This action retrieves the comments for an entry.
List Countries	This action retrieves a list of countries from the application.
Get Custom Module Entry Detail	This action retrieves the details of a custom module entry.
Get Device Details	This action retrieves the details of a device using the ID of a device.
List Devices	This action retrieves a list of devices from the devices module.
Get Enhancement Details	This action retrieves the enhancement details using the ID of the enhancement.
List Enhancements	This action retrieves a list of enhancement records using query string and query parameters.
Get Incident Details	This action retrieves the details of an incident.
List Incidents	This action retrieves a list of incidents from the application.
Get Incident Workflow Details	This action retrieves the details of an incident workflow.
Get Label Details	This action retrieves the details of a label.
Get Labels	This action retrieves a list of labels from the application.
List Threat Intel (IOCs)	This action is used to retrieve a list of threat intel (IOCs).
Get List of Threat Intel Types	This action retrieves a list of threat intel types from the application.
Get Location Details	This action retrieves the details of a location using the ID of the location.
List Locations	This action retrieves a list of locations from the application.
Get Malware Details	This action retrieves the details of malware using malware ID.
Get Manufacturer Details	This action is used to retrieve the details of a manufacturer.
List Manufacturers	This action is used to retrieve a list of manufacturers from the application.
Get OS Type Details	This action retrieves the details of an OS type.
List OS Types	This action retrieves a list of operating system (OS) types from the application.
Get PIR Details	This action retrieves the details of a PIR (Priority Intel Requirement) using the ID of the PIR.
List PIRs	This action retrieves a list of PIR (Priority Intel Requirement) using query string and query parameters.
Get Recommended Users for an Incident	This action retrieves a list of users who are automatically recommended by Respond for assigning to a specific incident based on their roster and the history of incidents handled.
Get Roster	This action retrieves the list of rosters from the application.
Get Source Details	This action retrieves the details of a source.
List Sources	This action retrieves a list of sources from the application.
Get Templates	This action retrieves the list of templates from the application.
Get Threat Actor Details	This action retrieves the details of a threat actor using the ID of the threat actor.
List Threat Actors	This action retrieves a list of threat actors.
Get Threat Briefing Details	This action retrieves the details of a threat briefing.
List Threat Briefings	This action retrieves a list of threat briefings.
Get Threat Intel Form Structure	This action retrieves the form field structure of the threat intel component.
Get Threat Intel (IOC) Details	This action retrieves the details of an IOC.
Get User Group Details	This action retrieves the details of a user group.
List User Groups	This action retrieves a list of user groups from the application.
List Vulnerabilities	This action retrieves a list of vulnerabilities.
Get Vulnerability Details	This action retrieves the details of a vulnerability.
List Custom Module Entries	This action retrieves all the entries of a custom module with their details.
List Custom Modules	This action retrieves the list of custom modules.
List Incident Workflows	This action retrieves a list of all the incident workflows with details from the application.
List Malware	This action retrieves a list of malware.
Merge Incidents	This action merges incidents with a parent incident.
Update Action Details	This action updates the details of an action using the ID of an action.
Update Asset Application Details	This action updates the details of an application using the ID and additional fields.
Update Asset Software Details	This action updates the details of asset software.
Update Asset User Details	This action updates the details of an asset user.
Update Campaign Details	This action updates the details of a campaign.
Update Custom Module Entry	This action updates a custom module entry.
Update Device Details	This action updates the details of a device using the ID of the device.
Update Enhancement Details	This action updates the details of an enhancement using the ID of the enhancement.
Update Incident Details	This action updates the details of an incident.
Update Malware Details	This action updates the details of a malware record using a malware ID.
Update PIR Details	This action updates a PIR (Priority Intel Requirement) record using the ID of the PIR.
Update Threat Actor Details	This action updates the details of a threat actor.
Update Threat Briefing Details	This action updates the details of a threat briefing.
Update Threat Intel (IOC)	This action updates threat intel (IOC) using its ID.
Update Vulnerability Details	This action updates the details of a vulnerability.
Upload Attachment	This action uploads an attachment to a component.
Get Incident Summary	This action retrieves the executive summary of the incident using its ID.
Generic Action	This is a generic action to perform any additional use case in the application.

Note

The actions Get a list of vendors and Get vendor are deprecated. Additionally, the action Create a Threat Intel (IOC) is no longer supported, you can instead use the action Bulk Create Threat Intel (IOC).

Configuration Parameters

The following configuration parameters are required for the Respond app to communicate with the Respond enterprise application. The parameters can be configured by creating instances in the app.

Parameter	Description	Field Type	Required/Optional	Comments
Base URL	Enter the base URL to access the Respond application using the open API.	Text	Required
Access ID	Enter the access ID to access the Respond application using the open API.	Text	Required
Secret Key	Enter the secret key to access the Respond application using the open API.	Password	Required
TLS verification	Choose your preference to verify TLS while making requests. We recommend you set this option to yes. If no is passed, it may result in an incorrect connection establishment, resulting in a broken connection	Boolean	Optional	Default value: true Allowed values: true false
Timeout	Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with the Respond application. It is recommended to set the value between 60 and 70 seconds.	Integer	Optional	Available range: 15-120 seconds Default value: 15 seconds

Action: Add Asset Software

This action adds an asset software in the Software module.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Readable Type	Enter true to add an application using the values of locations, business units, and labels.	Boolean	Optional	Default value: false
Asset Software Name	Enter the name of the asset software. Example: Cyware Orchestrate	Text	Required
Software Publisher ID	Enter the ID of the software publisher. Example: v53ff8942-612d-4bc1-b54f-d8195c002404	Text	Required
Software Type	Enter the software type as a list of comma-separated strings. Example: [system security, financial software]	List	Required
Software ID	Enter the software ID. Example: w83ff8942-612d-4bc1-b54f-d8195c002404	Text	Required
Additional Information	Enter the details in key-value pairs to be added to the asset software. Example: purpose : security	Key Value	Optional

Example Request

[
  {
    "title": "VirusTotal",
    "software_publisher": "VirusTotal",
    "software_id": "w83ff8942-612d-4bc1-b54f-d8195c002404",
    "software_type": ["system security","financial software"],
    "extra_fields":
    {
      “BU_name": "Business Unit 1"
    }  
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the software.
`created`	String	Software creation date and time.
`modified`	String	Software last updated date and time.
`title`	String	Name of the software.
`software_id`	String	ID of the software.
`software_type`	List	Type of the software. For example, Development Software.
`title_display`	String	Name of software.
`readable_id`	String	Readable ID of software. For example, SFT115.
`software_status`	String	Current status of the software.
`purchase_date`	String	Purchase date of the software.
`created_by`	String	`user_id` of the user who created the software.
`created_by_data`	Object	Details of user who added the software.
`labels`	List	List of `unique_id` labels that are added to the software.
`labels_data`	List of Objects	Details of the labels that are added to the software.
`business_units_data`	List of Objects	Details of business units that are impacted by the software
`locations_data`	List of Objects	Details of locations that are impacted by the software.
`software_type_data`	Object	Details of the software type.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities .
`malwares`	Array of UUID Strings	List of `unique_id` of the connected connected malwares.
`malwares_data`	Array of Objects	Details of the connected malwares .
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected connected devices.
`endpoint_data`	Array of Objects	Details of the connected devices.

Action: Add Asset User

This action adds an asset user to the Users module.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Employee Name	Enter the name of the asset user. Example: John Doe	Text	Required
Employee Code	Enter the employee code of the asset user. Example: EMP_111	Text	Required
Email Address	Enter the email address of the asset user. Example: john.doe@cyware.com	Text	Required
Business Unit (BU)	Enter the IDs of business units in a comma-separated list. Example: [728277db-83be-4108-a8d7-e52c5deefc2c, 928277db-83be-4108-a8d7-e52c5deefc2n]	List	Required
Additional Information	Enter the details in key-value pairs to be added to the asset user. Example: full_name: John Doe	Key Value	Optional
Readable Type	Select true to enter the readable type values. This allows you to create an asset user using the values of labels and business units.	Boolean	Optional	Default value: false

Example Request

[
  {
    "employee_name": "John Dan",
    "employee_code": "EMP_111",
    "email": "john.dan@example.com",
    "business_units": "Business Unit",
    {
        "extra_fields":
        {
          "full_name": "John Dan"
        }  
      }
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the user.
`created`	String	User creation date and time.
`modified`	String	User last updated date and time.
`employee_name`	String	Name of the user.
`email`	String	Email ID of the user.
`display_name`	String	Name of the user.
`readable_id`	String	Readable ID of the user.
`user_status`	String	Current Status of the user.
`hire_date`	String	Hiring date of the user.
`created_by`	String	`user_id` of the CFTR user who created the asset user.
`created_by_data`	Object	Details of the CFTR user who created the asset user.
`labels`	List	List of `unique_id` of labels that are added to the user.
`labels_data`	List of Objects	Details of the labels that are added to the user.
`business_units_data`	List of Objects	Details of business units of the user.
`owned_applications`	Array of UUID Strings	List of `unique_id` of the applications owned by the user.
`owned_applications_data`	Array of Objects	Details of the applications owned by the user.
`managed_applications`	Array of UUID Strings	List of `unique_id` of the applications managed by the user.
`managed_applications_data`	Array of Objects	Details of the managed applications.
`managed_endpoints`	Array of UUID Strings	List of `unique_id` of the devices managed by the user.
`managed_endpoints_data`	Array of Objects	Details of the managed devices.
`owned_endpoints`	Array of UUID Strings	List of `unique_id` of the devices owned by the user.
`owned_endpoints_data`	Array of Objects	Details of the managed devices.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.

Action: Add Comment

This action adds a comment to a specific component.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Component Name	Enter the name of a component. Example: incident	Text	Required	Allowed values: action, application, asset software, campaign, device, enhancement, incident, IOC, malware, PIR, threat-briefing, vulnerability
Unique ID	Enter the unique ID of the component entry to which you want to add comments. Example: f0900171-be25-490e-bddc-fa8bf29d6453	Text	Required	If the component name is incident, the unique ID must be specific to the incident.
Comment	Enter the comment to be added. Example: IP address blocked	Text	Required
Mentioned Users	Enter the list of usernames of users mentioned in the comment. Example: [a1c03ad2-8147-4834-a575-f1710be628b0, b3184a17-e59f-46cb-82c3-d8aabbefff7e]	List	Optional

Example Request

[
  {
    "component_name": "incident",
    "unique_id": "f0900171-be25-490e-bddc-fa8bf29d6453",
    "comment": "IP address blocked",  
  }
]

Action Response Parameters

Parameter	Type	Description
unique_id	String	Unique ID of the comment.
description	Text	Content of the comment.
created_by	Object	Details of the user who added the comment.
modified_by	Object	Details of the user who last updated the comment.
mentioned_users	List of UUID	List of `user_id` of users mentioned in the comment.
mentioned_users_data	List of Objects	Details of the users mentioned in the comment.
created	String	Comment creation time.
modified	String	Comment last updated time.
comment_type	String	Type of Comment. Examples: `discussion`: Notes added in any instance. `handoff`: Handoff notes added while updating the assignee or assigned group. `closure`: Closure Notes added while closing an incident.
content_object	String	Component in which the comment is added. Example: `incident`, `action`, `ioc`, and so on.
content_object_readable_id	String	`readable_id` of the instance in which comment is added
content_object_unique_id	String	`unique_id` of the instance in which comment is added
description_with_img_src	Text	Content of the content with the image URLs (if any image is added in the comment).

Action: Add Comment in Custom Module (Deprecated)

This action adds a comment in the custom module.

Note

This action is deprecated and it is recommended to use the action Add Comment.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Component Identifier	Enter the component identifier of the module. Example: module21	Text	Required	You can retrieve the list of components and their IDs using the following action: List Custom Modules
Instance Unique ID	Enter the unique ID of the entry to which you want to add a comment. Example: 822c2781-8ea0-4122-8176-8995a4c81dca	Text	Required
Description	Enter the content for the comment. Example: note for custom module	Text	Required
Mentioned Users Usernames	Enter the list of usernames of the users to be added in the comment. Example: [a1c03ad2-8147-4834-a575-f1710be628b0, b3184a17-e59f-46cb-82c3-d8aabbefff7e]	List	Optional

Example Request

[
  {
    "component_identifier": "module21",
    "unique_id": "822c2781-8ea0-4122-8176-8995a4c81dca",
    "comment": "note for custom module" 
  }
]

Action Response Parameters

Parameter	Type	Description
unique_id	String	Unique ID of the comment.
description	Text	Content of the comment.
created_by	Object	Details of the user who added the comment.
modified_by	Object	Details of the user who last updated the comment.
mentioned_users	List of UUIDs	List of `user_id` of users mentioned in the comment.
mentioned_users_data	List of Objects	Details of the users mentioned in the comment.
created	String	Comment creation time.
modified	String	Comment last updated time.
comment_type	String	Type of Comment. Examples: `discussion`: Notes added in any instance. `handoff`: Handoff notes added while updating the assignee or assigned group. `closure`: Closure Notes added while closing an incident.
content_object	String	Custom module in which the comment is added. Example: `incident`, `action`, `ioc`, and so on.
content_object_readable_id	String	`readable_id` of the entry in which the comment is added
content_object_unique_id	String	`unique_id` of the entry in which the comment is added
description_with_img_src	Text	Content of the comment with the image URLs (if any image is added in the comment).
pinned	Boolean	Displays if the comment is pinned or not.

Action: Add Device

This action adds a device to the Devices module.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Hostname	Enter the name of the device. Example: information security	Text	Required
IP Address	Enter the IP address of the device. Example: 11.1.1.11	Text	Required
Additional Information	Enter the additional information in the form of key-value pairs. Example: endpoint_type: desktop	Key Value	Optional
Readable Type	Select true to enter the readable type values. This allows you to add devices using the values of locations, business units, manufacturers, labels, and operation system types.	Boolean	Optional	Default: false

Example Request

[
  {
    "hostname": "EC2AMAZ-8V2J535",
    "ip_address": "1.1.1.1",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "endpoint_status": "clean"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the device.
`created`	String	Device creation time in EPOCH time format.
`modified`	String	Device Last Updated Time in EPOCH time format.
`serial_number`	String	Serial number of the device.
`hostname`	String	Hostname of the device.
`readable_id`	String	Readable ID of the device. For example, DVC116.
`endpoint_status`	String	Current status of the device.
`owner`	String	Owner of the device.
`physical_location`	String	Physical location of the device.
`title_display`	String	Hostname of the device
`ip_address`	Float	IP address of the device.
`created_by`	String	`user_id` of the user who created the device.
`created_by_data`	Object	Details of user who created the device. Details include: `username`, `first_name`, `last_name, user_id` and more.
`status`	String	Status of the device.
`labels`	List	List of `unique_id` labels that are added to the device.
`labels_data`	List of Objects	Details of the labels that are added to the device.
`business_units_data`	List of Objects	Details of business units that are impacted by the device.
`locations_data`	List of Objects	Details of locations that are impacted by the device.
`risk`	String	Risk level of the device.
`risk_data`	Object	Details of the risk of the device.
`priority`	String	Priority of the device.
`endpoint_type`	String	Type of the endpoint. For example, Desktop.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`owner_data`	Object	Details of the owner of device.
`manager_data`	Object	Details of the manager of device.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`actions_data`	Array of Objects	Details of the actions that are added to the device.

Action: Advanced Search for Modules

This action retrieves a list of module entries based on the specified payload and query parameters.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Component Identifier	Enter the identifier of a component.	Text	Required	Allowed values: incident, action, vulnerability, threat-actor, campaign, threat-briefing, malware, enhancement, pir, general-user, device, application, asset-software
Advanced Search Payload	Enter the readable key of parameters and the respective values in key-value pairs to search entries. Include the operator to apply to the parameters. Example: {'assigned_group': '3bf12078-4f1d-4fb7-b2ba-3239137ea9e1,'ip_reputation': 'Malicious','operator': 'OR' }	Key value	Required	Allowed values: OR and AND Default value: AND
Query Parameter	Enter the query parameter and the respective value to filter results. Example: {'status':'open'}	Key value	Optional

Example Request

[
  {
    "query": {},
    "component_identifier": "incident",
    "advanced_search_payload": {
      "operator": "OR",
      "assigned_group": "a1a18016-9df5-4521-a0b7-ec4064fa5c1e",
      "incident_state": "Untriaged"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
link	Object	This parameter includes two keys: `previous` and `next`. `previous` key returns the API endpoint to the previous page. `next` key returns the API endpoint to the next page.
count	Integer	Returns the total number of module entries in the application based on the parameters passed in the query and payload.
results	List of Objects	Returns a list of module entries with details.

Action: Bulk Create Threat Intel (IOCs)

This action creates multiple IOCs in the threat intel module.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
IOCs	Enter the IOC type and the respective values in key-value pairs. Examples: {'ioc_email':['test@email.com']} {'ioc_ip': [11.11.21.31]} {'ioc_domain': [domain_value]} {'ioc_url': [https://example.com/sample} {'ioc_SHA1': [c32f4b04626ccf49c788496e9340bb6f0a4aa782]} {'ioc_SHA256': [6a3578c1fc17c0d1421e1e7d2d3e522187c35bdc512537f7ec5d77a0e89b63c3]} {'ioc_MD5': [d41d8cd98f00b204e9800998ecf8427e]}	Key Value	Required

Parameter

Description

Field Type

Required/Optional

Comments

IOCs

Enter the IOC type and the respective values in key-value pairs.

Examples:

{'ioc_email':['test@email.com']}
{'ioc_ip': [11.11.21.31]}
{'ioc_domain': [domain_value]}
{'ioc_url': [https://example.com/sample}
{'ioc_SHA1': [c32f4b04626ccf49c788496e9340bb6f0a4aa782]}
{'ioc_SHA256': [6a3578c1fc17c0d1421e1e7d2d3e522187c35bdc512537f7ec5d77a0e89b63c3]}
{'ioc_MD5': [d41d8cd98f00b204e9800998ecf8427e]}

Key Value

Required

Action Response Parameters

Parameter	Type	Description
`iocs`	Object	Key-value pairs of Threat Intel type and the corresponding Threat Intel `unique_id`.
`iocs_data`	Object	Key-value pairs of Threat Intel type and the corresponding Threat Intel data. Threat Intel data includes the following details: `value`, `tlp`, `status`, and `unique_id`.

Parameter

Type

Description

iocs

Object

Key-value pairs of Threat Intel type and the corresponding Threat Intel unique_id.

iocs_data

Object

Key-value pairs of Threat Intel type and the corresponding Threat Intel data.

Threat Intel data includes the following details: value, tlp, status, and unique_id.

Action: Connect Modules

This action is used to connect modules displayed in Connect the Dots of each module.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Data	Enter the IDs of the modules that you want to connect. Example: { "incident": ["1d9509c9-501b-4261-ba85-a9690acc5100", "49b46c68-b10d-41fd-82e7-1681fd8b7787"], "vulnerability": ["b4afd23b-a13f-4a4a-bacb-99e6aa465d42","eda602cc-4118-48b7-9394-e2bf954c7135"] }	Key Value	Optional

Parameter

Description

Field Type

Required/Optional

Comments

Data

Enter the IDs of the modules that you want to connect.

Example:

{

"incident": ["1d9509c9-501b-4261-ba85-a9690acc5100", "49b46c68-b10d-41fd-82e7-1681fd8b7787"],

"vulnerability": ["b4afd23b-a13f-4a4a-bacb-99e6aa465d42","eda602cc-4118-48b7-9394-e2bf954c7135"]

}

Key Value

Optional

Action Response Parameters

Parameter	Field Type	Description
`{app_instance}`	JSON Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
`app_instance.response`	JSON Object	Returns status code 200 for a successful execution.

Action: Create Action

This action creates an action in the application.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Action Title	Enter a title for the action. Example: block the IP address	Text	Required
Assigned Group ID	Enter the unique ID of the assigned group. Example: h53ff8942-612d-4bc1-b54f-d8195c002404	Text	Required	Retrieve the list of user groups and their IDs using the following action: Get User Groups
Additional Information	Enter the additional information in the form of key-value pairs. Example: status: open	Key Value	Optional
Readable Type	Select true to enter the readable type values. This allows you to create actions using the values of assigned groups, labels, and the email IDs of assigned users.	Boolean	Optional	Default value: false

Example Request

[
  {
    "title": "New Action",
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "open"
    }
  }
]

Action Response Parameters

Parameters	Type	Description
`title`	String	The title of the action.
`unique_id`	String	Unique ID of the action.
`created`	String	Created date of the action in EPOCH time format.
`modified`	String	Last modified date of the action in EPOCH time format.
`description`	String	Description of the action.
`assigned_to`	String	`User_id` of the assigned user.
`assigned_to_data`	Object	Details of the assigned user.
`assigned_group`	String	`Group_comm_id` of the assigned user group.
`assigned_group_data`	Object	Details of the assigned user group.
`status`	String	Status of the action.
`readable_id`	String	Readable ID of the action. For example, ACT381
`created_by_data`	Object	Details of the user who created the action. Details include: username, email ,first name, last name, and so on.
`can_update_instance`	Boolean	Shows whether the instance can be updated by the user who requested it or not.
`is_bookmarked`	Boolean	True: Action is bookmarked. False: Action is not bookmarked.
`closed_by_data`	Object	Details of the user who closed the action. Details include: username, email ,first name, last name, and so on.
`closed_on`	String	Closure date of the action in EPOCH time format.
`resolved_on`	String	Resolved date of the action in EPOCH time format.
`assignment_sla`	String	Details of assignment SLA details of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion.
`resolution_sla`	String	Details of resolution SLA of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion.
`resolution_due_date`	String	Resolution due date of the action.
`sla_stopped_on`	String	Date and time at which the SLA stopped for the action.
`type`	String	Type of the action.
`priority`	String	Priority level of the action
`type_data`	Object	Details of the type of the action.
`priority_data`	Object	Details of the priority level of the action.
`created_from_template`	Boolean	Shows if the action is created using a template or not.
`users`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`softwares`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`applications`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`incidents_data`	Object	Details of the connected incidents.
`malwares_data`	Array of Objects	Details of the connected malware.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.

Action: Create a Malware

This action adds malware to the Malware module.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Readable Type	Enter true to add a malware using the values of labels.	Boolean	Optional	Default: false
Malware Name	Enter the name of the malware. Example: ransomware	Text	Required
Malware Type	Enter the malware types in a comma-separated list. Example: [ "Destructive", "Ransomware", "Trojan", "Worm" ]	List	Required
Affected Platforms	Enter the platforms affected by the malware in a comma-separated list. Example: [ "Windows Server 2012", "Windows XP", "Linux", “Mac” ]	List	Required
Status	Enter the status of the malware. Example: active	Text	Optional	Allowed values: ACTIVE INACTIVE Default value: ACTIVE
Additional Information	Enter the additional information in the form of key-value pairs. Example: is_bookmarked: false	Key Value	Optional

Example Request

[
  {
    "title": "New Malware",
    "malware_type": "Ransomware",
    "platform": "Windows Server 2k12",
    "status": "active"
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "file_type": "dll"
    }
  }
]

Action Response Parameters

Parameters	Type	Description
`type`	Object	Type of the malware.
`ioc_email`	Object	Unique IDs of the email IOC type.
`platform`	Object	List of affected platforms.
`ioc_ip`	Object	Unique IDs of the IP IOC type.
`ioc_md5`	Object	Unique IDs of the MD5 Hash IOC type.
`file_type`	Object	File types of the malware. For example, dll, exe, docx, zip.
`ioc_domain`	Object	Unique IDs of the domain IOC type.
`ioc_sha1`	Object	Unique IDs of the SHA1 IOC type.
`ioc_sha256`	Object	Unique IDs of the SHA256 IOC type.
`ioc_url`	Object	Unique IDs of the URL IOC type.
`unique_id`	String	Unique ID of the malware.
`readable_id`	String	Readable ID of the malware.
`created`	String	Created date of the malware in EPOCH time format.
`modified`	String	Last modified date of the malware in EPOCH time format.
`title`	String	Title of the malware.
`description`	String	Description of the malware.
`incidents`	Object	Unique ID of the linked incidents.
`status`	String	Status of the malware.
`briefings`	Object	Unique ID of the linked threat briefings.
`briefings_data`	Object	Details of the linked threat briefings.
`incidents_data`	Object	Details of the linked incidents.
`is_bookmarked`	Boolean	Shows if the malware is bookmarked or not.
`actions_data`	Object	Details of the linked actions.
`campaigns`	Object	Unique ID of the linked campaigns.
`campaigns_data`	Object	Details of the linked campaigns.
`vulnerabilities`	Object	Unique ID of the linked vulnerabilities.
`vulnerabilities_data`	Object	Details of the linked vulnerabilities.
`threat_actors`	Object	Unique ID of the linked threat actors.
`threat_actors_data`	Object	Details of the linked threat actors.
`pirs_data`	Object	Details of the linked PIRs.
`attachments_data`	Object	Details of the attachments.
`created_by_data`	Object	Details of the user who created the malware. Details include: username, email, first name, last name, and so on.
`labels`	Object	Unique ID of the linked labels.
`labels_data`	Object	Details of the linked labels.
`tactic_technique_pair_data`	Object	Details of the linked tactic technique pairs.
`first_seen`	String	Date on which malware is seen for the first time.
`last_modified`	Object	Last modified date of the malware.
`applications`	Object	Unique ID of the linked applications.
`applications_data`	Object	Details of the linked applications.
`asset_softwares`	Object	Unique ID of the linked software.
`asset_softwares_data`	Object	Details of the Linked Asset Softwares.
`endpoints`	Object	Unique ID of the linked devices.
`endpoints_data`	Object	Details of the linked devices.
`enhancements`	Object	Unique ID of the linked enhancements.
`enhancements_data`	Object	Details of the linked enhancements.
`type_data`	Object	Details of the malware type.
`file_type_data`	Object	Details of the malware file type.
`platform_data`	Object	Details of the affected platforms.

Action: Create a PIR

This action creates a PIR (Priority Intel Requirement).

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
PIR Title	Enter the PIR title. Example: Requesting credentials to access the app	Text	Required
Assigned Group ID	Enter the unique ID of the assigned group. Example: h53ff8942-612d-4bc1-b54f-d8195c002404.	Text	Required	Retrieve the list of user groups and their IDs using the following action: Get User Groups
PIR Priority	Enter the priority level of the PIR. Example: low medium high	Text	Optional
PIR Description	Enter a short description for the PIR. Example: Request to provide credentials to access an application for data.	Text	Optional
Additional Information	Enter additional information in the form of key-value pairs. Example: status: open	Key Value	Optional
Readable Type	Select true to enter the readable type values. This allows you to create a PIR using the values of assigned groups, labels, and the email IDs of assigned users.	Boolean	Optional	Default value: false

Example Request

[
  {
    "title": "Security Strategy",
    "assigned_group": "3b3b1351-1cdf-46b7-bf90-8526720608a3",
    "priority": "low",
    "description": "Strategizing threats prevention",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the PIR.
`unique_id`	String	Unique ID of the PIR in UUID-4 format.
`readable_id`	String	Readable ID of the PIR.
`description`	Text	Description of the PIR.
`created`	String	Creation date and time of the PIR in ISO format.
`modified`	String	Last updated date and time of the PIR in ISO format.
`status`	String	Current status of the PIR. Allowed values: `open` `closed`
`created_by_data`	Object	Details of user who created the PIR.
`closed_by`	String	`user_id` of the user who closed the PIR.
`closed_by_data`	Object	Details of user who closed the PIR.
`closed_on`	String	Closing date and time of the PIR in ISO format.
`is_bookmarked`	Boolean	Shows whether the PIR is bookmarked or not.
`labels`	List of String	List of `unique_id` of the attached labels.
`labels_data`	List of Objects	Details of the attached labels.
`priority`	String	Priority level of the PIR. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority_data`	Object	Details of the priority of the PIR.
`assigned_to`	List of Stings	List of Unique IDs of the assigned users in UUID-4 format.
`assigned_to_data`	List of Objects	Details on the list of assigned users of the PIR. Details include: `username`, `email`, `first_name`, `last_name`, and so on.
`assigned_group`	String	Unique ID of the assigned user group in UUID-4 format.
`assigned_group_data`	Object	Details of the assigned user group. Details include: `group name` and `group ID`
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.

Action: Create Asset Application

This action creates an asset application in the Applications module.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Application Name	Enter the name of the asset application. Example: google chrome	Text	Required
Business Units (BU)	Enter the comma-separated list of Business Units that are affected by the application. Example: [9750d6df-2d7f-4899-b20d-bfbba0a9084d, 7950d6fd-2d7f-4899-b20d-bfbba0a0849a]	List	Required	You can retrieve the list of business units and their IDs using the following action: Get Business Units
Application Status	Enter the status of the asset application.	Text	Required	Allowed values: live decommissioned sunset pre-funding
Locations	Enter the impacted locations by the application in a comma-separated list. Example: [671961e6-0119-460c-8d55-9b697f6e2d6e, 719661e6-0119-460c-8d55-9b697f6e2d6e]	List	Required
Application URL	Enter the URL of the application if the application is internet-hosted.	Text	Optional
Additional Information	Enter the details in key-value pairs to be added to the asset application. Example: application_type: Security	Key Value	Optional
Readable Type	Select true to enter the readable type values. This allows you to create applications using the values of locations, business units, and labels.	Boolean	Optional	Default value: false

Example Request

[
  {
    "app_name": "Google Chrome",
    "business_units": ["a8007b20-bf76-4ce8-a761-45a453512479", "a8007b20-bf76-4ce8-a761-45a453512470"],
    "app_status": "Live",
    "locations": ["a8007b20-bf76-4ce8-a761-45a453512471", "a8007b20-bf76-4ce8-a761-45a453512472"],
    "app_url": "www.google.com",
    "extra_fields":
    {
       "version": "1.0.0"
    }  
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the application.
`created`	String	Application creation date and time.
`modified`	String	Application last updated date and time.
`title`	String	Title of the application.
`version`	Float	Version of the application.
`title_display`	String	Title of the application.
`readable_id`	String	Readable ID of the application.
`status`	String	Current status of the the application.
`application_type`	String	Type of the application. For example, Security.
`application_status`	String	Status of the application. For example, Live.
`production_date`	String	Production date of the application.
`created_by`	String	`user_id` of the user who created the application.
`created_by_data`	Object	Details of user who created the application.
`labels`	List	List of `unique_id` labels that are added to the application.
`labels_data`	List of Objects	Details of the labels that are added to the application.
`business_units_data`	List of Objects	Details of business units that are impacted by the application
`locations_data`	List of Objects	Details of locations that are impacted by the application.
`application_url`	URL	URL of the application.
`owner_data`	Object	Details of the owner of the application.
`owner`	String	UUID of the application owner.
`manager_data`	Object	Details of the manager of the application.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.

Action: Create a Threat Briefing

This action adds a new threat briefing record to the application.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Threat Briefing Title	Enter a title for the threat briefing. Example: new threat briefing	Text	Required
Business Units (BU)	Enter the business unit IDs in a comma-separated list. Example: $LIST[w53ff8942-612d-4bc1-b54f-d8195c002404, t73ff8942-612d-4bc1-b54f-d8195c002404]	List	Required	You can retrieve the list of business units and their IDs using the following action: Get Business Units
Locations	Enter the location IDs in a comma-separated list. Example: [4882e471-e997-43ec-a317-e244d8286690, 4882e471-e997-43ec-a317-e244d8286560].	List	Required	You can retrieve the list of available locations and their titles using the following action: Get Locations
Description	Enter a short description related to the threat briefing. Example: New threat briefing added	Text	Optional
Additional Information	Enter the additional information related to the threat briefing in the form of key-value pairs. Example: labels: important	Key Value	Optional
Readable Type	Select true to create threat briefings using the values of locations, business units, and labels.	Boolean	Optional	Default value: false

Example Request

[
  {
    "title": "New Threat Briefing",
    "description": "new threat briefing added",
    "business_units": ["941563df-d8be-4c0e-9d3c-ac6906107300"],
    "locations": ["941563df-d8be-4c0e-9d3c-ac6906107399"],
    "extra_fields":
    {
      "state": "62044014-dc5f-4e6d-8a07-c9cab089dccd",
      "modified": "2019-12-19T09:48:06.402132Z"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the Threat Briefing.
`readable_id`	String	Readable ID of the Threat Briefing.
`title`	String	Title of the Threat Briefing.
`description`	Text	Description of the threat briefing.
`status`	String	Current status of the Threat Briefing. Allowed values: - ACTIVE - INACTIVE
`created`	String	Created date and time of the Threat Briefing.
`modified`	String	Last updated date and time of the Threat Briefing.
`title_display`	String	Title of the Threat Briefing.
`is_bookmarked`	Boolean	Shows whether the Threat Briefing is bookmarked or not.
`labels`	List	List of `unique_id` of the attached labels.
`labels_data`	List of Objects	Details of the attached labels.
`locations_data`	List of Objects	Details of the locations linked to the Threat Briefing.
`business_units_data`	List of Objects	Details of the business units linked to the Threat Briefing.
`created_by`	String	Unique ID of the user who created the Threat Briefing.
`created_by_data`	Object	Details of the user who created the Threat Briefing.
`attachments_data`	Array of Objects	Details of each attachment of the Threat Briefing.
`actions_data`	Array of Objects	Details of the actions that are added for the Threat Briefing.
`enhancements`	Array of UUID Strings	List of the enhancements that are added for the Threat Briefing.
`enhancements_data`	Array of Objects	Details of the enhancements that are added for the Threat Briefing.
`pirs_data`	Array of Objects	Details of the PIRs that are added for the Threat Briefing.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`users`	Array of UUID Strings	List of `unique_id` of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.

Action: Create ATT&CK Tactic-Technique Pair

This action creates an ATT&CK tactic and technique pair.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
ATT&CK Technique ID	Enter the ID of the attack technique. Example: 4882e471-e997-43ec-a317-e244d5686690	Text	Required	You can retrieve the list of attack techniques and their IDs using the following action: Get ATT&CK Techniques
ATT&CK Tactic ID	Enter the attack tactic ID. Example: 5662e471-e997-43ec-a317-e244d5686690	Text	Required	You can retrieve the list of attack tactics and their IDs using the following action: Get ATT&CK Tactics

Parameter

Description

Field Type

Required/Optional

Comments

ATT&CK Technique ID

Enter the ID of the attack technique.

Example:

4882e471-e997-43ec-a317-e244d5686690

Text

Required

You can retrieve the list of attack techniques and their IDs using the following action:

Get ATT&CK Techniques

ATT&CK Tactic ID

Enter the attack tactic ID.

Example:

5662e471-e997-43ec-a317-e244d5686690

Text

Required

You can retrieve the list of attack tactics and their IDs using the following action:

Get ATT&CK Tactics

Example Request

[
  {
    "technique_uid": "Example Unique ID",
    "tactic_uid": "Example Unique ID"
  }
]

Action: Create Campaign

This action creates a new campaign in the application.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Campaign Name	Enter a name for the campaign. Example: analytics campaign	Text	Required
Campaign Description	Enter a description for the campaign. Example: This is an important campaign	Text	Optional
Readable Type	Select true to enter the readable type values. This allows you to create campaigns using the values of labels.	Boolean	Optional	Default: false
Additional Information	Enter additional information about the campaign in the form of key-value pairs. Example: label: important	Key Value	Optional

Example Request

[
  {
    "title": "Spearphishing Campaign",
    "description": "New campaign created",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
unique_id	String	Unique ID of the campaign in UUID-4 format.
readable_id	String	Unique readable ID of the campaign. It starts with `CMP` followed by a unique number. Example: CMP101
created	String	Campaign creation date and time.
description	Text	Description of the campaign.
modified	String	Last updated date and time of the campaign.
title	String	Title of the campaign.
title_display	String	Title of the campaign.
status	String	Current status of the campaign. Allowed values: `ACTIVE` `INACTIVE`
is_bookmarked	Boolean	Shows if the campaign is bookmarked or not.
created_by_data	Object	Details of the user who created the campaign. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
labels	List of Strings	Unique ID of the labels associated with the campaign in UUID-4 format.
labels_data	List of Objects	Details of labels added to the campaign. Details include: `title`, `unique_id`, `color_code`, and so on.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`incidents`	Array UID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`malwares`	Array UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`actions_data`	Array of Objects	Details of the actions that are added to the campaign.
`pirs_data`	Array of Objects	Details of the PIRs that are added to the campaign.
`enhancements_data`	Array of Objects	Details of the enhancements that are added to the campaign.

Action: Create Custom Module Entry

This action creates a new custom module entry.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Component Identifier	Enter the component identifier of the module. Example: module21	Text	Required	You can retrieve the list of custom modules and their identifiers using the following action: List Custom Modules
Title	Enter a title for the entry. Example: Impacted users	Text	Required
Description	Enter a description of the entry. Example: Users impacted by the incident	Text	Required
Additional Parameters	Enter the additional information to be added in the custom module entry in key-value pairs. Use the field_readable_key of the custom fields as keys.	Key value	Optional

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the entry.
`unique_id`	String	Unique ID of the entry.
`status`	String	Current status of the entry.
`description`	Text	Description of the entry.
`created_by_user_id`	String	`user_id` of the user who created the entry.
`modified_by_user_id`	String	`user_id` of the user who last modified the entry.
`created_by_data`	Object	Details of the user who created the entry.
`modified_by_data`	Object	Details of the user who last modified the entry.
`created`	String	Creation date and time of the entry.
`modified`	String	Last updated date and time of the entry.
`is_bookmarked`	Boolean	Shows if the entry is bookmarked or not.
`can_update_instance`	Boolean	Shows whether the entry can be updated by the user who requested it or not.
`labels`	Array	List of the labels that are added to the entry.
`labels_data`	Array of Objects	Details of the labels that are added to the entry.
`is_removed`	Boolean	Displays if the entry is in deleted state or not.
`status_data`	Array of Objects	Displays the details of the status of the entry.
`attachments_data`	Array of Objects	Details of each attachment of the entry.

Action: Create Enhancement

This action creates an enhancement.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Enhancement Title	Enter the title of the enhancement. Example: security update	Text	Required
Assigned Group	Enter the unique ID of the assigned group. Example: j53ff8942-612d-4bc1-b54f-d8195c002404.	Text	Required
Enhancement Priority	Enter the priority of the enhancement. Examples: very high high medium low very low	Text	Required
Additional Information	Enter the additional information related to the enhancement in the form of key-value pairs. Example: description: added a new enhancement	Key Value	Optional
Readable Type	Select true to enter the readable type values. This allows you to create enhancements using the values of assigned groups, labels, and the email IDs of assigned users.	Boolean	Optional	Default value: false

Example Request

[
  {
    "title": "New Enhancement",
    "assigned_group": "3b3b1351-1cdf-46b7-bf90-8526720608a3",
    "priority": "high",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "open"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
unique_id	String	Unique ID of the enhancement in UUID-4 format.
readable_id	String	Unique readable ID of the enhancement. It starts with `ENH`followed by a unique number. Example: ENH101
created	Datetime	Enhancement creation date and time.
description	Text	Description of the enhancement.
modified	Datetime	Last updated date and time of the enhancement.
title	Text	Title of the enhancement.
status	String	Current status of the enhancement. Allowed values: - `open` - `closed`
priority	String	Priority level of the enhancement.
priority_data	Object	Details of the priority assigned. Details include: `unique_id`, `option_name`, and so on.
priority_data.unique_id	String	Unique ID of the priority in UUID-4 format.
priority_data.option_name	String	Display Name of the priority
priority_data.color_code	String	Hex value of the priority display color.
is_bookmarked	Boolean	Shows if the enhancement is bookmarked or not.
modified_by_data	Object	Details of the user who last updated the enhancement. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
assigned_group	String	Unique ID of the user group the enhancement belongs to in UUID-4 format.
assigned_group_data	Object	Details of the assigned user group. Details include group name and group ID.
created_by_data	Object	Details of the user who created the enhancement. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
assigned_to	String	Unique ID of the assigned user of the enhancement in UUID-4 format.
assigned_to_data	Object	Details of the assigned user. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
labels	List of Strings	List of Unique IDs of the labels attached to the enhancement in UUID-4 format.
labels_data	List of Objects	Details of labels added to the enhancement. Details include: `title`, `unique_id`, `color_code`, and so on.
labels_data.unique_id	String	Unique ID of the label in UUID-4 format.
labels_data.option_name	String	Display name of the label
labels_data.color_code	String	Hex value of the label display color.
enhancement_type	List of Strings	Option name of the enhancement types associated with the enhancement.
enhancement_type_data	List of Objects	Details of the enhancement types associated with the enhancement.
enhancement_type_data.unique_id	String	Unique ID of the enhancement in UUID-4 format.
enhancement_type_data.option_name	String	Display Name of the enhancement type
enhancement_type_data.color_code	String	Hex value of the enhancement type display color.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`attachments_data`	Array of Objects	Details of each attachment of the enhancement.

Action: Create Incident

This action creates an incident in the application.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Title	Enter a title for the incident. Example: Found a Phishing Email	Text	Required
Description	Enter a description of the incident. Example: Incident detected	Text	Optional
Status	Enter the status of the incident. Example: untriaged	Text	Optional	Allowed values: open closed untriaged merged Default value: untriaged
Incident Type	Enter the type of the incident. Example: malware phishing Ransomware	Text	Optional
Business Unit Impacted	Enter the unique IDs of the impacted business units. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b]	List	Optional	You can retrieve the list of available Business Units and their IDs using the following action: Get Business Units
Locations Impacted	Enter the unique IDs of the impacted locations. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b]	List	Optional	You can retrieve the list of available locations and their titles using the following action: Get Locations
Source	Enter the unique IDs of the impacted sources. Example: 7c81cbda-11d8-4026-ae2f-287eaa643a9b	Text	Optional	You can retrieve the list of all available sources and their IDs using the following action: Get Sources
Incident Date	Enter the date of when the incident occurred in ISO 8601-time format. Example: 2021-10-28t19:37:16.321856z	Text	Optional
Detection Date	Enter the date when the incident was detected as malicious in ISO 8601 time format. Example: 2021-10-28t19:37:16.321856z	Text	Optional
Level	Enter the severity level of the incident. Example critical high low	Text	Optional
Assigned Group	Enter the group_comm_id of the group that needs to be assigned to the incident. Example: 4e046ee1-5bc9-4320-965f-3bf24dbb9256	Text	Optional	You can retrieve the list of user groups and their IDs using the following action: Get User Groups
Extra Fields	Enter the key-value pairs of additional information to add to this incident.	Key Value	Optional
Readable Type	Select true to enter the readable type values. This allows you to create incidents using the values of locations, business units, sources, assigned groups, labels, and the email IDs of assigned users.	Boolean	Optional	Default value: false

Example Request

[
  {
    "title": "New Incident",
    "description": "Incident Detected,
    "status": "Open",
    "ie_incident_type": "Malware",
    "business_unit_impacted": [7c81cbda-11d8-4026-ae2f-287eaa643a9b],
    "locations_impacted": [7c81cbda-11d8-4026-ae2f-287eaa643a9b],
    "source": [7c81cbda-11d8-4026-ae2f-287eaa643a9b],
    "incident_date": "2021-10-28T19:37:16.321856Z", 
    "detection_date": "2021-10-28T19:37:16.321856Z", 
    "level": "Critical", 
    "assigned_group": "AssignmentID_12"
  }
]

Action Response Parameters

Parameter	Type	Description
`{app_instance}`	JSON Object	This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved.
`app_instance.response`	JSON Object	Returns the response retrieved from the app action.
`app_instance.response.title`	String	Title of the incident.
`app_instance.response.unique_id`	String	Unique Identifier String of UUID-4 format of the incident.
`app_instance.response.readable_id`	String	Readable ID of the incident. For example, INC320.
`app_instance.response.incident_date`	String	Date and time of when the incident happened.
`app_instance.response.detection_date`	String	Date and time when the incident was detected as malicious.
`app_instance.response.status`	String	Status of the incident workflow. Possible values: active inactive
`app_instance.response.phase`	String	Current phase of the incident. The phase describes the UUID of the phase, part of the Incident Workflow.
`app_instance.response.machine_generated`	Boolean	Displays if the incident is machine-generated or not.
`app_instance.response.phase_data`	JSON Object	Details of the current phase of the incident.
`app_instance.response.level`	String	Severity level of the incident. For example, high.
`app_instance.response.level_data`	JSON Object	Details of the severity level of the incident.
`app_instance.response.created_by`	String	`user_id` of the user who created the incident.
`app_instance.response.is_protected`	Boolean	Shows if the incident is protected or not.
`app_instance.response.is_removed`	Boolean	Shows if the incident is in the deleted state or not.
`app_instance.response.created_by_data`	JSON Object	Details of the user who created the incident.
`app_instance.response.modified_by_data`	JSON Object	Details of the user who last modified the incident.
`app_instance.response.closed_by_data`	JSON Object	Details of the used who closed the incident.
`app_instance.response.created`	String	Incident creation date and time.
`app_instance.response.modified`	String	Last updated date and time of the incident.
`app_instance.response.Opened_on`	Timestamp	Date and time when the incident was opened.
`app_instance.response.closed_on`	Timestamp	Date and time when the incident was closed. If the incident is not closed, the value of this parameter is null.
`app_instance.response.ie_num_of_pii_exposed`	Integer	Number of PIRs that were exposed in the incident.
`app_instance.response.description`	String	Description of the Incident.
`app_instance.response.assigned_to`	String	`user_id` of the assigned user.
`app_instance.response.assigned_to_data`	Object	Details of the assigned user.
`app_instance.response.assigned_group`	String	`group_comm_id` of the assigned user group.
`app_instance.response.assigned_group_data`	Object	Details of the assigned user group.
`app_instance.response.assignment_sla`	String	Assignment SLA details of the incident. This includes the following two keys: `color`: Associated color code (according to SLA breach level). `data`: This includes two keys: `sla_duration`: SLA Breach time. `elapsed_time`: Time elapsed between incident opening and SLA completion.
`app_instance.response.ie_incident_type`	Strings	The type of incident. Example: hacking.
`app_instance.response.days_open`	Integer	Number of days the incident is open.
`app_instance.response.resolution_sla`	String	Resolution SLA details of the incident. This includes two keys: `color`: Associated color code(according to SLA breach level). `data`: This includes two keys: `sla_duration`: SLA Breach time. `elapsed_time`: Time elapsed between incident opening and SLA completion.
`app_instance.response.notification_sla`	String	Details of the Incident notifications (if enabled in admin).
`app_instance.response.total_cost`	Integer	Total cost incurred due to the incident.
`app_instance.response.is_bookmarked`	Boolean	Shows if the incident is bookmarked or not.
`app_instance.response.permanently_closed`	Boolean	Shows if the incident is permanently closed or not.
`app_instance.response.resolution_due_date`	String	Resolution SLA breach date of the incident.
`app_instance.response.can_update_instance`	Boolean	Shows whether the instance can be updated by the user who requested it or not.
`app_instance.response.is_paused`	Boolean	Shows if the incident is paused or not.
`app_instance.response.paused_by`	String	`user_id` of the user who paused the incident.
`app_instance.response.paused_by_data`	JSON Object	Details of the user who paused the incident.
`app_instance.response.schema`	String	Unique ID of the Incident Workflow that is being used by the incident.
`app_instance.response.schema_type`	String	Type of the incident Workflow. Allowed values: 'draft' or 'published'
`app_instance.response.schema_data`	JSON Object	Details of the Incident Workflow that is being used by the incident.
`app_instance.response.sources`	Array	List of the sources for the incident.
`app_instance.response.sources_data`	Array of JSON Objects	Details of the sources for the incident.
`app_instance.response.labels`	Array	List of the labels that are added to the incident.
`app_instance.response.labels_data`	Array of JSON Objects	Details of the labels that are added to the incident.
`app_instance.response.tactic_technique_pair`	Array	List of the tactics and techniques used by the incident.
`app_instance.response.tactic_technique_pair_data`	Array of JSON Objects	Details of the tactics and techniques used by the incident.
`app_instance.response.business_units_impacted_data`	Array of JSON Objects	List of business units that are impacted by the incident.
`app_instance.response.locations_impacted_data`	Array of JSON Objects	List of locations that are impacted by the incident.
`app_instance.response.incident_state`	String	Current state of the incident. Possible values: open closed merged
`app_instance.response.status_data`	JSON Object	Details of the status of the incident.
`app_instance.response.applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`app_instance.response.applications_data`	Array of JSON Objects	Details of the connected applications.
`app_instance.response.softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`app_instance.response.softwares_data`	Array of JSON Objects	Details of the connected software.
`app_instance.response.users`	Array of UUID Strings	List of `unique_id` of the connected users.
`app_instance.response.users_data`	Array of JSON Objects	Details of the connected users.
`app_instance.response.endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`app_instance.response.endpoints_data`	Array of JSON Objects	Details of the connected devices.
`app_instance.response.briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`app_instance.response.briefings_data`	Array of JSON Objects	Details of the connected threat briefings.
`app_instance.response.campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`app_instance.response.campaigns_data`	Array of JSON Objects	Details of the connected campaigns.
`app_instance.response.malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`app_instance.response.malwares_data`	Array of JSON Objects	Details of the connected malware.
`app_instance.response.threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`app_instance.response.threat_actors_data`	Array of JSON Objects	Details of the connected threat actors.
`app_instance.response.vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`app_instance.response.vulnerabilities_data`	Array of JSON Objects	Details of the connected vulnerabilities.
`app_instance.response.enhancements`	Array of UUID Strings	List of `unique_id` of the connected enhancements.
`app_instance.response.enhancements_data`	Array of JSON Objects	Details of the connected enhancements.
`app_instance.response.actions_data`	Array of JSON Objects	Details of the actions that are added to the incident.
`app_instance.response.attachments_data`	Array of JSON Objects	Details of the attachments uploaded to the incident.
`app_instance.status_code`	Integer	HTTP status code of the API request received from the instance.

Action: Create Threat Actor

This action adds a threat actor to the application.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Threat Actor Title	Enter the name of the threat actor. Example: Hacktivist Groups	Text	Required
Base Countries	Enter the IDs of countries in a comma-separated list. Example: [4882e471-e997-43ec-a317-e244d8286690, 8e2beaff-7aaf-4b72-bcc0-d61b25e822f3]	List	Required	Use the following action to retrieve the list of countries with their IDs: Get Countries
Threat Actor Type	Enter the type of threat actor. Example: hacktivist	Text	Required
Additional Information	Enter the additional information in the form of key-value pairs. Example: description: A new threat actor found	Key Value	Optional

Example Request

[
  {
    "title": "NewThreatActor",
    "threat_actor_type": "Hacktivist",
    "countries_data": [4882e471-e997-43ec-a317-e244d8286690, 8e2beaff-7aaf-4b72-bcc0-d61b25e822f3]
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "active"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the threat actor.
`unique_id`	String	Unique ID of the threat actor.
`readable_id`	String	Readable ID of the threat actor.
`description`	Text	Description of the threat actor.
`created`	String	Creation time of the threat actor in ISO format.
`modified`	String	Last Updated time of the threat actor in ISO format.
`status`	String	Current status of the threat actor. Allowed values: `open` `closed`
`risk`	String	Risk associated with the threat actor. Allowed Values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority`	String	Priority of the threat actor. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`created_by_data`	Object	Details of user who created the threat actor.
`closed_by`	String	`user_id` of the user who closed the threat actor.
`closed_by_data`	Object	Details of user who closed the threat actor.
`closed_on`	String	Closing date of the threat actor in ISO format.
`is_bookmarked`	Boolean	Shows whether the threat actor is bookmarked or not.
`attachments_data`	Array of Objects	Details of each attachment of the threat actor.
`actions_data`	Array of Objects	Details of the actions that are added for the threat actor.
`enhancements`	Array of UUID Strings	List of the enhancements that are added for the threat actor.
`enhancements_data`	Array of Objects	Details of the enhancements that are added for the threat actor.
`pirs_data`	Array of Objects	Details of the PIRs that are added for the threat actor.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`users`	Array of UUID Strings	List of `unique_id` of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`ioc_SHA1`	Array of UUID Strings	List of `unique_id` of the connected SHA1 Threat Intels.
`ioc_SHA1_data`	Array of Objects	Details of the connected SHA1 Threat Intels.
`ioc_MD5`	Array of UUID Strings	List of `unique_id` of the connected MD5 Threat Intels.
`ioc_MD5_data`	Array of Objects	Details of the connected MD5 Threat Intels.
`ioc_SHA256`	Array of UUID Strings	List of `unique_id` of the connected SHA256 Threat Intels.
`ioc_SHA256_data`	Array of Objects	Details of the connected SHA256 Threat Intels.
`ioc_ip`	Array of UUID Strings	List of `unique_id` of the connected IP Threat Intels.
`ioc_ip_data`	Array of Objects	Details of the connected IP Threat Intels.
`ioc_url`	Array of UUID Strings	List of `unique_id` of the connected URL Threat Intels.
`ioc_url_data`	Array of Objects	Details of the connected URL Threat Intels.
`ioc_domain`	Array of UUID Strings	List of `unique_id` of the connected domain Threat Intels.
`ioc_domain_data`	Array of Objects	Details of the connected domain Threat Intels.
`ioc_email`	Array of UUID Strings	List of `unique_id` of the connected email Threat Intels.
`ioc_email_data`	Array of Objects	Details of the connected email Threat Intels.

Action: Create Vulnerability

This action adds a new vulnerability.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Vulnerability Name	Enter the name of the vulnerability. Example: missing data encryption	Text	Required
Risk Level	Enter the risk level of the vulnerability. Example: very low	Text	Required	Allowed values: very low low medium high very high
Sources	Enter the sources of the vulnerability in a comma-separated list. Example: [anti virus, threat mailbox]	List	Required	You can retrieve the list of available sources using the following action: Get Sources
Priority Level	Enter the priority level of the vulnerability. Example: low	Text	Required	Allowed values: very low low medium high very high
Additional Information	Enter the additional information to be added in key-value pairs. Example: is_bookmarked: false	Key Value	Optional

Example Request

[
  {
    "title": "New Vulnerability",
    "risk": "Low",
    "priority": "Low",
    "extra_fields":
    {
      "BU_name": "Business Unit 1"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the vulnerability.
`unique_id`	String	Unique ID of the vulnerability.
`readable_id`	String	Readable ID of the vulnerability.
`description`	Text	Description of the vulnerability.
`created`	String	Creation time of the vulnerability in ISO format.
`modified`	String	Last Updated time of the vulnerability in ISO format.
`status`	String	Current status of the vulnerability. Allowed values: `open` `closed`
`risk`	String	Risk associated with the vulnerability. Allowed Values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority`	String	Priority of the vulnerability. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`created_by_data`	Object	Details of user who created the vulnerability.
`closed_by`	String	`user_id` of the user who closed the vulnerability.
`closed_by_data`	Object	Details of user who closed the vulnerability.
`closed_on`	String	Closing date of the vulnerability in ISO format.
`is_bookmarked`	Boolean	Shows whether the vulnerability is bookmarked or not.
`attachments_data`	Array of Objects	Details of each attachment of the vulnerability.
`actions_data`	Array of Objects	Details of the actions that are added for the vulnerability.
`enhancements`	Array of UUID Strings	List of the enhancements that are added for the vulnerability.
`enhancements_data`	Array of Objects	Details of the enhancements that are added for the vulnerability.
`pirs_data`	Array of Objects	Details of the PIRs that are added for the vulnerability.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`users`	Array of UUID Strings	List of `unique_id` of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`ioc_SHA1`	Array of UUID Strings	List of `unique_id` of the connected SHA1 Threat Intels.
`ioc_SHA1_data`	Array of Objects	Details of the connected SHA1 Threat Intels.
`ioc_MD5`	Array of UUID Strings	List of `unique_id` of the connected MD5 Threat Intels.
`ioc_MD5_data`	Array of Objects	Details of the connected MD5 Threat Intels.
`ioc_SHA256`	Array of UUID Strings	List of `unique_id` of the connected SHA256 Threat Intels.
`ioc_SHA256_data`	Array of Objects	Details of the connected SHA256 Threat Intels.
`ioc_ip`	Array of UUID Strings	List of `unique_id` of the connected IP Threat Intels.
`ioc_ip_data`	Array of Objects	Details of the connected IP Threat Intels.
`ioc_url`	Array of UUID Strings	List of `unique_id` of the connected URL Threat Intels.
`ioc_url_data`	Array of Objects	Details of the connected URL Threat Intels.
`ioc_domain`	Array of UUID Strings	List of `unique_id` of the connected domain Threat Intels.
`ioc_domain_data`	Array of Objects	Details of the connected domain Threat Intels.
`ioc_email`	Array of UUID Strings	List of `unique_id` of the connected email Threat Intels.
`ioc_email_data`	Array of Objects	Details of the connected email Threat Intels.

Action: Fetch Health Console Status

This action retrieves the console status.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Query Parameters	Enter the query parameters in the form of key-value pairs to filter the results.	Key Value	Optional	Allowed values: created_date__gte (epoch time) created_date__lte (epoch time)

Example Request

[
  {
    "query_params":
    {
      "created_date__gte": "1627835818",
      "created_date__lte": "1596299815"
    }
  }
]

Action: Get Action Details

This action retrieves the details of an action using the ID of the action.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Action ID	Enter the unique ID of the action. Example: k53ff8942-612d-4bc1-b54f-d8195c002404	Text	Required	You can retrieve the list of actions and their IDs using the following action: Get Actions

Parameter

Description

Field Type

Required/Optional

Comments

Action ID

Enter the unique ID of the action.

Example:

k53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of actions and their IDs using the following action:

Get Actions

Example Request

 [
  {
    "unique_id": "k53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameters	Type	Description
`title`	String	The title of the action.
`unique_id`	String	Unique ID of the action.
`created`	String	Created date of the action in EPOCH time format.
`modified`	String	Last modified date of the action in EPOCH time format.
`description`	String	Description of the action.
`assigned_to`	String	`User_id` of the assigned user.
`assigned_to_data`	Object	Details of the assigned user.
`assigned_group`	String	`Group_comm_id` of the assigned user group.
`assigned_group_data`	Object	Details of the assigned user group. Details include: group_comm_id and group_name of the user group.
`status`	String	Status of the action.
`readable_id`	String	Readable ID of the action. For example, ACT379.
`created_by_data`	Object	Details of the user who created the action. Details include: username, email ,first name, last name, and so on.
`can_update_instance`	Boolean	Shows whether the instance can be updated by the user who requested it or not.
`is_bookmarked`	Boolean	True: Action is bookmarked. False: Action is not bookmarked.
`closed_by_data`	Object	Details of the user who closed the action. Details include: username, email ,first name, last name, and so on.
`closed_on`	String	Closure date of the action in EPOCH time format.
`resolved_on`	String	Resolved date of the action in EPOCH time format.
`assignment_sla`	String	Details of assignment SLA details of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion.
`resolution_sla`	String	Details of resolution SLA of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion.
`resolution_due_date`	String	Resolution due date of the action.
`sla_stopped_on`	String	Date and time at which the SLA stopped for the action.
`type`	String	Type of the action.
`priority`	String	Priority level of the action
`type_data`	Object	Details of the type of the action.
`priority_data`	Object	Details of the priority level of the action.
`created_from_template`	Boolean	Displays if the action is created using template or not.
`users`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`softwares`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`applications`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`incidents_data`	Object	Details of the connected incidents.
`malwares_data`	Array of Objects	Details of the connected malware.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.

Action: Get Asset Application Details

This action retrieves the details of an application using the ID of the application.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Application ID	Enter the unique ID of the application. Example: v53ff8942-612d-4bc1-b54f-d8195c002404	Text	Required	You can retrieve the list of asset applications and their IDs using the following action: Get Asset Applications

Parameter

Description

Field Type

Required/Optional

Comments

Application ID

Enter the unique ID of the application.

Example:

v53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of asset applications and their IDs using the following action:

Get Asset Applications

Example Request

[
  {
    "unique_id": "v53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the application.
`created`	String	Application creation date and time.
`modified`	String	Application last updated date and time.
`title`	String	Title of the application.
`version`	Float	Version of the application.
`title_display`	String	Title of the application.
`readable_id`	String	Readable ID of the application.
`status`	String	Current status of the the application.
`application_type`	String	Type of the application. For example, Security.
`application_status`	String	Status of the application. For example, Live.
`production_date`	String	Production date of the application.
`created_by`	String	`user_id` of the user who created the application.
`created_by_data`	Object	Details of user who created the application.
`labels`	List	List of `unique_id` labels that are added to the application.
`labels_data`	List of Objects	Details of the labels that are added to the application.
`business_units_data`	List of Objects	Details of business units that are impacted by the application
`locations_data`	List of Objects	Details of locations that are impacted by the application.
`application_url`	URL	URL of the application.
`owner_data`	Object	Details of the owner of the application.
`owner`	String	UUID of the application owner.
`manager_data`	Object	Details of the manager of the application.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.

Action: Get Assets Impacted by Vulnerability

This action retrieves the details of assets impacted by the vulnerability.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
CVE ID	Enter the CVE ID of the vulnerability. Example: CVE-2024-4746	Text	Required

Parameter

Description

Field Type

Required/Optional

Comments

CVE ID

Enter the CVE ID of the vulnerability.

Example:

CVE-2024-4746

Text

Required

Example Request

[
  {
    "cve_id": "CVE-2024-4746"
  }
]

Action Response Parameters

Parameter	Type	Description
app_instance_test	Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.response	Object	This parameter indicates the response data of the query.
app_instace.applications_data	Array	Displays an array of application objects.
app_instance.description	String (HTML)	Displays the description of the vulnerability.
app_instace.endpoints_data	Array	Displays an array of endpoint objects.
app_instance.softwares_data	Array	Displays an array of software objects.
app_instance.response.title	String	Displays the title of the issue Example: CVE-2024-4746

Action: Get Asset Software Details

This action retrieves asset software details using the ID of the software.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Asset Software ID	Enter the unique ID of the asset software. Example: fb487600-8a14-43df-8e96-5f759aa61cf0	Text	Required	You can retrieve the list of asset software and their IDs using the following action: Get Asset Software List

Parameter

Description

Field Type

Required/Optional

Comments

Asset Software ID

Enter the unique ID of the asset software.

Example:

fb487600-8a14-43df-8e96-5f759aa61cf0

Text

Required

You can retrieve the list of asset software and their IDs using the following action:

Get Asset Software List

Example Request

[
  {
    "unique_id": "fb487600-8a14-43df-8e96-5f759aa61cf0"
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the software.
`created`	String	Software creation date and time.
`modified`	String	Software last updated date and time.
`title`	String	Name of the software.
`software_id`	String	ID of the software.
`software_type`	List	Type of the software. For example, Development Software.
`title_display`	String	Name of software.
`readable_id`	String	Readable ID of software. For example, SFT115.
`software_status`	String	Current status of the software.
`purchase_date`	String	Purchase date of the software.
`created_by`	String	`user_id` of the user who created the software.
`created_by_data`	Object	Details of user who added the software.
`labels`	List	List of `unique_id` labels that are added to the software.
`labels_data`	List of Objects	Details of the labels that are added to the software.
`business_units_data`	List of Objects	Details of business units that are impacted by the software
`locations_data`	List of Objects	Details of locations that are impacted by the software.
`software_type_data`	Object	Details of the software type.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities .
`malwares`	Array of UUID Strings	List of `unique_id` of the connected connected malwares.
`malwares_data`	Array of Objects	Details of the connected malwares .
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected connected devices.
`endpoint_data`	Array of Objects	Details of the connected devices.

Action: Get Asset User Details

This action is used to retrieve the details of an asset user.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

General User ID

Enter the unique ID of an asset user.

Example:

226086de-dff4-44dd-8f48-dbd4e6569eb4

Text

Required

You can retrieve the list of asset users and their IDs using the following action:

Get Asset Users

Example Request

[
  {
    "unique_id": "226086de-dff4-44dd-8f48-dbd4e6569eb4"
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the user.
`created`	String	User creation date and time.
`modified`	String	User last updated date and time.
`employee_name`	String	Name of the user.
`email`	String	Email ID of the user.
`display_name`	String	Name of the user.
`readable_id`	String	Readable ID of the user.
`user_status`	String	Current Status of the user.
`hire_date`	String	Hiring date of the user.
`created_by`	String	`user_id` of the CFTR user who created the asset user.
`created_by_data`	Object	Details of the CFTR user who created the asset user.
`labels`	List	List of `unique_id` of labels that are added to the user.
`labels_data`	List of Objects	Details of the labels that are added to the user.
`business_units_data`	List of Objects	Details of business units of the user.
`owned_applications`	Array of UUID Strings	List of `unique_id` of the applications owned by the user.
`owned_applications_data`	Array of Objects	Details of the applications owned by the user.
`managed_applications`	Array of UUID Strings	List of `unique_id` of the applications managed by the user.
`managed_applications_data`	Array of Objects	Details of the managed applications.
`managed_endpoints`	Array of UUID Strings	List of `unique_id` of the devices managed by the user.
`managed_endpoints_data`	Array of Objects	Details of the managed devices.
`owned_endpoints`	Array of UUID Strings	List of `unique_id` of the devices owned by the user.
`owned_endpoints_data`	Array of Objects	Details of the managed devices.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.

Action: Get ATT&CK Tactic Details

This action retrieves the details of an ATT&CK tactic.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

ATT&CK Tactic ID

Enter the ID of the ATT&CK tactic.

Example:

37e5c89c-5a62-4236-b81e-f81202a0cde5

Text

Required

You can retrieve the list of attack tactics and their IDs using the following action:

Get Attack Tactics

Example Request

[
  {
    "unique_id": "37e5c89c-5a62-4236-b81e-f81202a0cde5"
  }
]

Action Response Parameters

Parameter	Type	Description
title	String	The title of the MITRE ATT&CK tactic.
slug	String	Slug of the MITRE ATT&CK tactic, used for URLs and identifiers.
domain	String	Domain to which the MITRE ATT&CK tactic belongs.
phase	String	Phase of the MITRE ATT&CK tactic.
url	String	URL to the detailed information about the MITRE ATT&CK tactic.
unique_id	String	Unique identifier for the MITRE ATT&CK tactic.
external_mitre_attack_id	String	External MITRE ATT&CK identifier.

Action: Get ATT&CK Tactics

This action retrieves a list of attack tactics from the ATT&CK Navigator module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
link	Object	Contains related links for pagination and other resources.
count	Integer	Total number of MITRE ATT&CK tactics available.
results	Array of Objects	List of MITRE ATT&CK tactics.
results.title	String	The title of the MITRE ATT&CK tactic.
results.slug	String	Slug of the MITRE ATT&CK tactic, used for URLs and identifiers.
results.domain	String	Domain to which the MITRE ATT&CK tactic belongs.
results.phase	String	Phase of the MITRE ATT&CK tactic.
results.url	String	URL to the detailed information about the MITRE ATT&CK tactic.
results.unique_id	String	Unique identifier for the MITRE ATT&CK tactic.
results.external_mitre_attack_id	String	External MITRE ATT&CK identifier.

Action: Get ATT&CK Technique Details

This action retrieves the details of an ATT&CK technique.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

ATT&CK Technique ID

Enter the unique ID of the ATT&CK technique.

Example:

37e5c89c-5a62-4236-b81e-f81202a0cde5

Text

Required

You can retrieve the list of attack techniques and their IDs using the following action:

Get Attack Techniques

Example Request

[
  {
    "unique_id": "37e5c89c-5a62-4236-b81e-f81202a0cde5"
  }
]

Action Response Parameters

Parameter	Type	Description
title	String	Title of the ATT&CK technique.
tactics	Array of Strings	Array of tactic IDs associated with the technique.
type	String	The type of the action (e.g., attack-pattern).
mitre_technique_id	String	MITRE unique ID of the ATT&CK technique.
unique_id	String	System unique ID of the ATT&CK technique.
external_mitre_attack_id	String	External ID of the MITRE ATT&CK technique (e.g., T1548).

Action: Get ATT&CK Techniques

This action retrieves a list of ATT&CK techniques from the ATT&CK Navigator module.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Query Parameters	Enter the query parameters in key-value pairs to filter the results.	Key Value	Optional	Allowed values: q (str) page (int): default value is 1 page_size (int): default value is 10

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
link	Object	Contains related links for pagination and other resources.
count	Integer	Total number of MITRE ATT&CK tactics available.
results	Array of Objects	List of MITRE ATT&CK tactics.
title	String	Title of the ATT&CK technique.
tactics	Array of Strings	Array of tactic IDs associated with the technique.
type	String	The type of the action (e.g., attack-pattern).
mitre_technique_id	String	MITRE unique ID of the ATT&CK technique.
unique_id	String	System unique ID of the ATT&CK technique.
external_mitre_attack_id	String	External ID of the MITRE ATT&CK technique (e.g., T1548).

Action: Get Business Unit Details

This action retrieves the details of a business unit.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Business Unit ID

Enter the unique ID of the business unit.

Example:

67ff8942-612d-4bc1-b54f-d8195c002907

Text

Required

You can retrieve the list of the Business Units and their IDs using the following action:

Get Business Units

Example Request

{
    "unique_id": "67ff8942-612d-4bc1-b54f-d8195c002907"
}

Action Response Parameters

Parameter	Type	Description
`title`	String	The title of the Business Unit.
`description`	Text	Description of the Business Unit.
`unique_id`	String	Unique ID of the Business Unit in UUID-4 format.
`created`	String	Creation date and time of the Business Unit in ISO format.
`modified`	String	Last modified date and time of the Business Unit in ISO format.
`readable_id`	String	Unique readable ID of the Business Unit. It starts with BU followed by a unique number. Example: "BU102"
`email_list`	String	Emails of the recepients to whom the notifications are sent.

Action: Get Campaign Details

This action retrieves the details of a campaign.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Campaign ID

Enter the details of the campaign using the unique ID.

For example:

f0900171-be25-490e-bddc-fa8bf29d6453

Text

Required

You can retrieve the list of campaigns and their IDs using the following action:

Get Campaigns

Example Request

[
  {
    "unique_id": "f0900171-be25-490e-bddc-fa8bf29d6453"
  }
]

Action Response Parameters

Parameter	Type	Description
unique_id	String	Unique ID of the campaign in UUID-4 format.
readable_id	String	Unique readable ID of the campaign. It starts with `CMP` followed by a unique number. Example: CMP101
created	String	Campaign creation date and time.
description	Text	Description of the campaign.
modified	String	Last updated date and time of the campaign.
title	String	Title of the campaign.
title_display	String	Title of the campaign.
status	String	Current status of the campaign. Allowed values: `ACTIVE` `INACTIVE`
is_bookmarked	Boolean	Shows if the campaign is bookmarked or not.
created_by_data	Object	Details of the user who created the campaign. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
labels	List of Strings	Unique ID of the labels associated with the campaign in UUID-4 format.
labels_data	List of Objects	Details of labels added to the campaign. Details include: `title`, `unique_id`, `color_code`, and so on.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`incidents`	Array UID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`malwares`	Array UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`actions_data`	Array of Objects	Details of the actions that are added to the campaign.
`pirs_data`	Array of Objects	Details of the PIRs that are added to the campaign.
`enhancements_data`	Array of Objects	Details of the enhancements that are added to the campaign.

Action: Get CFTR User Details

This action retrieves the details of users.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

User ID

Enter the unique ID of a user.

Example:

9ca5d44c-4f16-410c-ab6b-db26ce6f0b42

Text

Required

You can retrieve the list of users and their IDs using the following action:

Get CFTR Users

Example Request

{
    "unique_id": "9ca5d44c-4f16-410c-ab6b-db26ce6f0b42"
}

Action Response Parameters

Parameter	Type	Description
`user_id`	String	Unique ID of the user in UUID-4 format.
`permission`	List of String	The list of permissions configured for the user in the CFTR application. Note: The permissions depend on the user groups of the user.
`last_login`	String	Last log in date and time of the user in ISO Format.
`first_name`	String	First name of the user.
`last_name`	String	Last name of the user.
`email`	String	Email ID of the user.
`title`	String	Job title of the user.
`display_pic`	String	The link to the display picture of the user.
`groups`	List of String	List of unique IDs of `group_comm_id` of the User Groups in UUID-4 format.
`groups_data`	List of Objects	Details of the User Groups. Each object includes the details of one User Group such as `group_comm_id`, `group_name`, and `description`.
`groups_data.group_comm_id`	String	Unique ID of the User Group in UUID-4 format.
`groups_data.group_name`	String	Name of the User Group.
`groups_data.description`	Text	Description of the User Group.
`country_code`	String	Country code of the user.
`contact_number`	String	Contact number of the user.
`username`	String	Username of the user.
`location`	String	Unique ID of the location of the user in UUID-4 format.
`location_data`	Object	Details of the user location.
`allowed_locations`	List of Strings	List of unique IDs of the allowed locations of the user in UUID-4 format.
`allowed_locations_data`	List of Objects	Details of the allowed locations of the user. Each object includes the details of one location. Details include: title, unique_id, and is_active.
`allowed_locations_data.title`	String	Title of the location
`allowed_locations_data.unique_id`	String	Unique ID of the location in UUID-4 format.
`allowed_locations_data.is_active`	Boolean	Shows if the location is active or not.
`business_unit`	String	Unique ID of the Business Unit of the user in UUID-4 format.
`business_unit_data`	Object	Details of the Business Unit of the user.
`allowed_business_units`	List of Strings	List of unique IDs of the allowed Business Units of the user in UUID-4 format.
`allowed_business_units_data`	List of Objects	Details of the allowed Business Units of the user. Each object includes the details of one Business Unit. Details include: `title`, `description`, unique_id, created,and so on
`allowed_business_units_data.title`	String	Title of the Business Unit.
`allowed_business_units_data.description`	Text	Description of the Business Unit.
`allowed_business_units_data.unique_id`	String	Unique ID of the Business Unit in UUID-4 format.
`allowed_business_units_data.created`	String	Creation date and time of the Business Unit in ISO format.
`allowed_business_units_data.modified`	String	Last modified date and time of the Business Unit in ISO format.
`allowed_business_units_data.readable_id`	String	Unique readable ID of the Business Unit. It starts with BU followed by a unique number Example: "BU101"
`is_active`	Boolean	Shows whether the user is an active user or not.
`date_joined`	Datetime	Joining date and time of the user in ISO format.
`is_onboarded`	Boolean	Shows whether the user has activated their account using the confirmation link or not.
`date_onboarded`	String	Onboarding date and time of the user in ISO format.
`is_bot`	Boolean	Shows whether the user is a bot user or not.
`is_admin`	Boolean	Shows whether the user is an admin in the CFTR application or not.
`show_related_incidents`	Boolean	Shows whether the user has access to view related incidents in the Connect The Dots section or not.
`show_related_assets`	Boolean	Shows if the user has access to view the related assets in Connect the Dots or not.
`show_briefings_escalation`	Boolean	Shows if the user has access to view briefings escalations.
`date_onboarded`	String	Date and time of when the user was onboarded.
`landing_component`	String	Unique ID of the landing component configured for the user in UUID-4 format.
`landing_component_data`	Object	Details of the landing component configured for the user.
`landing_component_data.component_comm_id`	String	Unique ID of the component in UUID-4 format.
`landing_component_data.component_name`	String	Name of the component.
`landing_component_data.code_name`	String	Code name of the component.
`landing_component_data.component_identifier`	String	Identification string of the component.
`allowed_components`	List of Objects	Details of the allowed components of the user. Each object includes the details of one component. Details include: `component_comm_id`, `component_name`, `code_name`, and `component_identifier`.
`allowed_components.component_comm_id`	String	Unique ID of the component in UUID-4 format.
`allowed_components.component_name`	String	Name of the component.
`allowed_components.code_name`	String	Code name of the component.
`allowed_components.component_identifier`	String	Identification string of the component.
`last_active`	String	Last active date and time of the user in ISO format.
`last_device`	String	Details of the last device used by the user.
`last_device_ip`	String	Generic IP address of the device last used by the user.
`currency`	String	Currency choice associated with the user. Allowed values: `INR`, `USD`, `GBP`, `EUR`, and`AED`.
`invited_by`	String	Unique ID of the user who invited the current user.
`ldap_id`	String	Unique ID of LDAP associated with the user.
`full_name`	String	Full name of the user.
`password_update_time`	String	Last updated date and time of the password of the user in ISO format.
`analyst_cost`	Float	Maximum value of analyst cost associated with each user group of the user.
`is_system_user`	Boolean	Shows whether the user is a system user or not.
`invite_status`	String	Shows whether the user has accepted the invite or not. Allowed values: - `INVITED`: Invite yet to be accepted. - `ACCEPTED`: Invite accepted.
`is_on_prem_client`	Boolean	Displays if the user is a on prem client.
`is_readonly_user`	Boolean	If the user is has only ready-only access.
`number_of_incidents_per_day`	Integer	The number of incidents that can be created by the user.
`number_of_business_units`	Integer	Number of business units

Action: Get Custom Module Entry Detail

This action retrieves the details of a custom module entry.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier

Enter the component identifier of the module.

Example:

module21

Text

Required

You can retrieve the list of custom modules and their component identifier using the following action:

List Custom Modules

Instance Unique ID

Enter the unique ID of a custom module entry.

Example:

822c2781-8ea0-4122-8176-8995a4c81dca

Text

Required

You can retrieve the list of custom module entries and their IDs using the following action:

List Custom Module Entries

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the entry.
`unique_id`	String	Unique ID of the entry.
`status`	String	Current status of the entry.
`description`	Text	Description of the entry.
`created_by_user_id`	String	`user_id` of the user who created the entry.
`modified_by_user_id`	String	`user_id` of the user who last modified the entry.
`created_by_data`	Object	Details of the user who created the entry.
`modified_by_data`	Object	Details of the user who last modified the entry.
`created`	String	Creation date and time of the entry.
`modified`	String	Last updated date and time of the entry.
`is_bookmarked`	Boolean	Shows if the entry is bookmarked or not.
`can_update_instance`	Boolean	Shows whether the entry can be updated by the user who requested it or not.
`labels`	Array	List of the labels that are added to the entry.
`labels_data`	Array of Objects	Details of the labels that are added to the entry.
`is_removed`	Boolean	Displays if the entry is in deleted state or not.
`status_data`	Array of Objects	Displays the details of the status of the entry.
`attachments_data`	Array of Objects	Details of each attachment of the entry.

Action: Get Device Details

This action retrieves the details of a device using the ID of the device.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Device ID

Enter the unique ID of the device.

Example:

e53fe8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of devices and their IDs using the following action:

Get Devices

Example Request

[
  {
    "unique_id": "e53fe8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the device.
`created`	String	Device creation time in EPOCH time format.
`modified`	String	Device Last Updated Time in EPOCH time format.
`serial_number`	String	Serial number of the device.
`hostname`	String	Hostname of the device.
`readable_id`	String	Readable ID of the device. For example, DVC116.
`endpoint_status`	String	Current status of the device.
`owner`	String	Owner of the device.
`physical_location`	String	Physical location of the device.
`title_display`	String	Hostname of the device
`ip_address`	Float	IP address of the device.
`created_by`	String	`user_id` of the user who created the device.
`created_by_data`	Object	Details of user who created the device. Details include: `username`, `first_name`, `last_name, user_id` and more.
`status`	String	Status of the device.
`labels`	List	List of `unique_id` labels that are added to the device.
`labels_data`	List of Objects	Details of the labels that are added to the device.
`business_units_data`	List of Objects	Details of business units that are impacted by the device.
`locations_data`	List of Objects	Details of locations that are impacted by the device.
`risk`	String	Risk level of the device.
`risk_data`	Object	Details of the risk of the device.
`priority`	String	Priority of the device.
`endpoint_type`	String	Type of the endpoint. For example, Desktop.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`owner_data`	Object	Details of the owner of device.
`manager_data`	Object	Details of the manager of device.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`actions_data`	Array of Objects	Details of the actions that are added to the device.

Action: Get Enhancement Details

This action retrieves the enhancement details using the ID of the enhancement.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Enhancement ID

Enter the unique ID of the enhancement.

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of enhancements and their IDs using the following action:

Get Enhancements

Example Request

[
  {
    "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404" 
  }
]

Action Response Parameters

Parameter	Type	Description
unique_id	String	Unique ID of the enhancement in UUID-4 format.
readable_id	String	Unique readable ID of the enhancement. It starts with `ENH`followed by a unique number. Example: ENH101
created	Datetime	Enhancement creation date and time.
description	Text	Description of the enhancement.
modified	Datetime	Last updated date and time of the enhancement.
title	Text	Title of the enhancement.
status	String	Current status of the enhancement. Allowed values: - `open` - `closed`
priority	String	Priority level of the enhancement.
priority_data	Object	Details of the priority assigned. Details include: `unique_id`, `option_name`, and so on.
priority_data.unique_id	String	Unique ID of the priority in UUID-4 format.
priority_data.option_name	String	Display Name of the priority
priority_data.color_code	String	Hex value of the priority display color.
is_bookmarked	Boolean	Shows if the enhancement is bookmarked or not.
modified_by_data	Object	Details of the user who last updated the enhancement. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
assigned_group	String	Unique ID of the user group the enhancement belongs to in UUID-4 format.
assigned_group_data	Object	Details of the assigned user group. Details include group name and group ID.
created_by_data	Object	Details of the user who created the enhancement. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
assigned_to	String	Unique ID of the assigned user of the enhancement in UUID-4 format.
assigned_to_data	Object	Details of the assigned user. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
labels	List of Strings	List of Unique IDs of the labels attached to the enhancement in UUID-4 format.
labels_data	List of Objects	Details of labels added to the enhancement. Details include: `title`, `unique_id`, `color_code`, and so on.
labels_data.unique_id	String	Unique ID of the label in UUID-4 format.
labels_data.option_name	String	Display name of the label
labels_data.color_code	String	Hex value of the label display color.
enhancement_type	List of Strings	Option name of the enhancement types associated with the enhancement.
enhancement_type_data	List of Objects	Details of the enhancement types associated with the enhancement.
enhancement_type_data.unique_id	String	Unique ID of the enhancement in UUID-4 format.
enhancement_type_data.option_name	String	Display Name of the enhancement type
enhancement_type_data.color_code	String	Hex value of the enhancement type display color.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
attachments_data	Array of Objects	Details of each attachment of the enhancement.

Action: Get Incident Details

This action retrieves the details of an incident.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Incident ID

Enter the unique ID of the incident.

Example:

t53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the IDs of the incident using the following action:

Get Incidents

Example Request

[
  {
    "unique_id": "t53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter	Type	Description
`{app_instance}`	JSON Object	This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved.
`app_instance.response`	JSON Object	Returns the response retrieved from the app action.
`app_instance.response.title`	String	Title of the incident.
`app_instance.response.unique_id`	String	Unique Identifier String of UUID-4 format of the incident.
`app_instance.response.readable_id`	String	Readable ID of the incident. For example, INC320.
`app_instance.response.incident_date`	String	Date and time of when the incident happened.
`app_instance.response.detection_date`	String	Date and time when the incident was detected as malicious.
`app_instance.response.status`	String	Status of the incident workflow. Possible values: active inactive
`app_instance.response.phase`	String	Current phase of the incident. The phase describes the UUID of the phase, part of the Incident Workflow.
`app_instance.response.machine_generated`	Boolean	Displays if the incident is machine-generated or not.
`app_instance.response.phase_data`	JSON Object	Details of the current phase of the incident.
`app_instance.response.level`	String	Severity level of the incident. For example, high.
`app_instance.response.level_data`	JSON Object	Details of the severity level of the incident.
`app_instance.response.created_by`	String	`user_id` of the user who created the incident.
`app_instance.response.is_protected`	Boolean	Shows if the incident is protected or not.
`app_instance.response.is_removed`	Boolean	Shows if the incident is in the deleted state or not.
`app_instance.response.created_by_data`	JSON Object	Details of the user who created the incident.
`app_instance.response.modified_by_data`	JSON Object	Details of the user who last modified the incident.
`app_instance.response.closed_by_data`	JSON Object	Details of the used who closed the incident.
`app_instance.response.created`	String	Incident creation date and time.
`app_instance.response.modified`	String	Last updated date and time of the incident.
`app_instance.response.Opened_on`	Timestamp	Date and time when the incident was opened.
`app_instance.response.closed_on`	Timestamp	Date and time when the incident was closed. If the incident is not closed, the value of this parameter is null.
`app_instance.response.ie_num_of_pii_exposed`	Integer	Number of PIRs that were exposed in the incident.
`app_instance.response.description`	String	Description of the Incident.
`app_instance.response.assigned_to`	String	`user_id` of the assigned user.
`app_instance.response.assigned_to_data`	Object	Details of the assigned user.
`app_instance.response.assigned_group`	String	`group_comm_id` of the assigned user group.
`app_instance.response.assigned_group_data`	Object	Details of the assigned user group.
`app_instance.response.assignment_sla`	String	Assignment SLA details of the incident. This includes the following two keys: `color`: Associated color code (according to SLA breach level). `data`: This includes two keys: `sla_duration`: SLA Breach time. `elapsed_time`: Time elapsed between incident opening and SLA completion.
`app_instance.response.ie_incident_type`	Strings	The type of incident. Example: hacking.
`app_instance.response.days_open`	Integer	Number of days the incident is open.
`app_instance.response.resolution_sla`	String	Resolution SLA details of the incident. This includes two keys: `color`: Associated color code(according to SLA breach level). `data`: This includes two keys: `sla_duration`: SLA Breach time. `elapsed_time`: Time elapsed between incident opening and SLA completion.
`app_instance.response.notification_sla`	String	Details of the Incident notifications (if enabled in admin).
`app_instance.response.total_cost`	Integer	Total cost incurred due to the incident.
`app_instance.response.is_bookmarked`	Boolean	Shows if the incident is bookmarked or not.
`app_instance.response.permanently_closed`	Boolean	Shows if the incident is permanently closed or not.
`app_instance.response.resolution_due_date`	String	Resolution SLA breach date of the incident.
`app_instance.response.can_update_instance`	Boolean	Shows whether the instance can be updated by the user who requested it or not.
`app_instance.response.is_paused`	Boolean	Shows if the incident is paused or not.
`app_instance.response.paused_by`	String	`user_id` of the user who paused the incident.
`app_instance.response.paused_by_data`	JSON Object	Details of the user who paused the incident.
`app_instance.response.schema`	String	Unique ID of the Incident Workflow that is being used by the incident.
`app_instance.response.schema_type`	String	Type of the incident Workflow. Allowed values: 'draft' or 'published'
`app_instance.response.schema_data`	JSON Object	Details of the Incident Workflow that is being used by the incident.
`app_instance.response.sources`	Array	List of the sources for the incident.
`app_instance.response.sources_data`	Array of JSON Objects	Details of the sources for the incident.
`app_instance.response.labels`	Array	List of the labels that are added to the incident.
`app_instance.response.labels_data`	Array of JSON Objects	Details of the labels that are added to the incident.
`app_instance.response.tactic_technique_pair`	Array	List of the tactics and techniques used by the incident.
`app_instance.response.tactic_technique_pair_data`	Array of JSON Objects	Details of the tactics and techniques used by the incident.
`app_instance.response.business_units_impacted_data`	Array of JSON Objects	List of business units that are impacted by the incident.
`app_instance.response.locations_impacted_data`	Array of JSON Objects	List of locations that are impacted by the incident.
`app_instance.response.incident_state`	String	Current state of the incident. Possible values: open closed merged
`app_instance.response.status_data`	JSON Object	Details of the status of the incident.
`app_instance.response.applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`app_instance.response.applications_data`	Array of JSON Objects	Details of the connected applications.
`app_instance.response.softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`app_instance.response.softwares_data`	Array of JSON Objects	Details of the connected software.
`app_instance.response.users`	Array of UUID Strings	List of `unique_id` of the connected users.
`app_instance.response.users_data`	Array of JSON Objects	Details of the connected users.
`app_instance.response.endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`app_instance.response.endpoints_data`	Array of JSON Objects	Details of the connected devices.
`app_instance.response.briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`app_instance.response.briefings_data`	Array of JSON Objects	Details of the connected threat briefings.
`app_instance.response.campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`app_instance.response.campaigns_data`	Array of JSON Objects	Details of the connected campaigns.
`app_instance.response.malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`app_instance.response.malwares_data`	Array of JSON Objects	Details of the connected malware.
`app_instance.response.threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`app_instance.response.threat_actors_data`	Array of JSON Objects	Details of the connected threat actors.
`app_instance.response.vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`app_instance.response.vulnerabilities_data`	Array of JSON Objects	Details of the connected vulnerabilities.
`app_instance.response.enhancements`	Array of UUID Strings	List of `unique_id` of the connected enhancements.
`app_instance.response.enhancements_data`	Array of JSON Objects	Details of the connected enhancements.
`app_instance.response.actions_data`	Array of JSON Objects	Details of the actions that are added to the incident.
`app_instance.response.attachments_data`	Array of JSON Objects	Details of the attachments uploaded to the incident.
`app_instance.status_code`	Integer	HTTP status code of the API request received from the instance.

Action: Get Incident Summary

This action retrieves the executive summary of the incident using the incident ID.

App Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Incident ID

Enter the incident ID to retrieve the summary.

Example:

INC103

Text

Required

Example Request

[
  {
    "incident_id": "INC103"
  }
]

Action Response Parameters

Parameter	Type	Description
app_instance	Object	Returns the root object containing the response and status code.
app_instance.response	Object	Displays the response data of the query.
app_instance.status_code	Integer	Returns the HTTP status code of the response.
app_instance.response.actions_data	Array	Returns an array of action objects.
app_instance.response.actions_data.readable_id	String	Returns the Readable ID of the action.
app_instance.response.actions_data.title	String	Return the title of the action in the incident.
app_instance.response.actions_data.title_display	String	Displays the title of the action linked to the incident.
app_instance.response.applicable_compliance	Array	Returns the list of applicable compliance standards to the incident.
app_instance.response.applicable_compliance_data	Array	Returns an array of compliance option objects.
app_instance.response.applicable_compliance_data[].option_name	String	Returns the name of the compliance option.
app_instance.response.applications_data	Array	Returns an array of application objects.
app_instance.response.attack_vector	Null	Returns attack vector linked to the incident.
app_instance.response.attack_vector_data	Null	Returns the details of the Attack vector linked to the incident.
app_instance.response.base_line_changes	Null	Returns the baseline changes.
app_instance.response.briefings_data	Array	Returns an array of briefing objects.
app_instance.response.business_impact	Array	Returns an array of business units impacted by the incident.
app_instance.response.business_impact_data	Array	Returns an array of business units impacted option objects.
app_instance.response.business_impact_data.option_name	String	Returns the name of the business units impact option.
app_instance.response.campaigns_data	String	Returns an array of campaign objects.
app_instance.response.closure_comments	String	Returns closure comments in the incident.
app_instance.response.containment_hash	String	Returns the value for containment hash
app_instance.response.containment_host	String	Returns Containment host
app_instance.response.containment_ip	String	Returns Containment IP
app_instance.response.containment_result	String	Returns Containment result
app_instance.response.containment_summary	String	Returns Containment summary
app_instance.response.containment_url	String	Containment URL
app_instance.response.description	String	Description of the incident
app_instance.response.destination_hostname	String	Destination host name
app_instance.response.destination_ip	String	Destination IP
app_instance.response.destination_port	String	Destination port
app_instance.response.endpoints_data	Array	An array of endpoint objects
app_instance.response.enhancements_data	Array	An array of enhancement objects
app_instance.false_positive	Array	False positive indicator
app_instance.response.false_positive_data	String	False positive data
app_instance.response.ie_customer_notification_required	Null	Customer notification indicator
app_instance.response.ie_customer_notification_required_data	String	Returns customer notification data
app_instance.response.ie_findings_summary	String	Returns findings summary
app_instance.response.ie_forensics_details	String	Returns forensics details
app_instance.response.ie_impact_on_intellectual_property	Null	Impact on intellectual property
app_instance.response.ie_incident_type	String	Returns the incident type.
app_instance.response.ie_incident_type_data	Object	Returns the incident type data.
app_instance.response.ie_incident_type_data.option_name	String	Returns the name of the incident type option.
app_instance.response.ie_invegtigation_eradication_exception	Null	Investigation eradication exception.
app_instance.response.ie_lessons_learned	Null	Returns lessons learned
app_instance.response.ie_log_analysis_summary	Null	Returns log analysis summary
app_instance.response.ie_malware_analysis_summary	Null	Malware analysis summary
app_instance.response.ie_motives	Array	An array of motive objects
app_instance.response.ie_motives_data	Array	An array of motive data objects
app_instance.response.ie_num_of_assets_impacted	Null	Number of assets impacted by the incident.
app_instance.response.ie_num_of_users_impacted	Null	Number of users impacted by the incident.
app_instance.response.ie_port_numbers_impacted	Null	Port numbers impacted
app_instance.response.ie_regulatory_notifications_required	Null	Regulatory notifications required
app_instance.response.ie_regulatory_notifications_required_data	Null	Regulatory notifications required data
app_instance.response.ie_regulatory_reporting	Array	An array of regulatory reporting objects.
app_instance.response.ie_regulatory_reporting_data	Array	An array of regulatory reporting data objects.
app_instance.response.ie_regulatory_reporting_date	Null	Regulatory reporting date.
app_instance.response.ie_root_cause	Null	Root cause of the incident.
app_instance.response.ie_root_cause_data	Null	Root cause data
app_instance.response.incident_analysis	Null	Incident analysis
app_instance.response.incident_identified	Array	An array of incident identified objects.
app_instance.response.incident_identified_data	Array	An array of incident identified data objects.
app_instance.response.incident_learning	Null	Incident learning
app_instance.response.ioc_MD5	Array	An array of MD5 Indicator of Compromise.
app_instance.response.ioc_MD5_data	Array	An array of MD5 IoC data objects.
app_instance.response.ioc_SHA1	Array	An array of SHA1 Indicator of Compromise.
app_instance.response.ioc_SHA1_data	Array	An array of SHA1 IoC data objects.
app_instance.response.ioc_SHA256	Array	An array of SHA256 Indicator of Compromise.
app_instance.response.ioc_SHA256_data	Array	An array of SHA256 IoC data objects.
app_instance.response.ioc_domain	Array	An array of IOC domain objects.
app_instance.response.ioc_domain_data	Array	An array of IOC domain data objects.
app_instance.response.ioc_email	Array	An array of IOC email objects.
app_instance.response.ioc_email_data	Array	An array of IOC email data objects.
app_instance.response.ioc_ip	Array	An array of IOC IP objects.
app_instance.response.ioc_ip_data.value	String	IP address value.
app_instance.response.ioc_url	Array	An array of IoC URL objects.
app_instance.response.ioc_url_data	Array	An array of IoC URL data objects.
app_instance.response.ip_reputation	Null	IP Reputation of the incident.
app_instance.response.kill_chain_phase	String	Current phase in the kill chain of the incident.
app_instance.response.kill_chain_phase_data	Object	Details of the current phase in the kill chain.
app_instance.response.kill_chain_phase_data.option_name	String	Phase name in the kill chain of the incident.
app_instance.response.knowledge_base_data	Array	An array of knowledge base objects.
app_instance.response.level	String	Incident level of the incident.
app_instance.response.level_data	Object	Details of the incident level.
app_instance.response.level_data.option_name	String	Incident level option name.
app_instance.response.malwares_data	Array	An array of malware objects.
app_instance.response.methods_monitor_recovery_actions	Null	Methods to monitor recovery actions.
app_instance.response.methods_validate_recovery_actions	Null	Methods to validate recovery actions.
app_instance.response.phase	String	The current phase of the incident.
app_instance.response.phase_data	Object	Details of the current phase.
app_instance.response.phase_data.option_name	String	Indicates the phase of the incident
app_instance.response.pirs_data	Array	An array of PIR (Priority Intelligence Requirements) objects.
app_instance.response.readable_id	String	Readable ID of the incident.
app_instance.response.recovery_details	Null	Details of the recovery in incident.
app_instance.response.related_incidents_data	Array	An array of related incident data objects.
app_instance.response.softwares_data	Array	An array of software data objects.
app_instance.response.source_hostname	Null	Source host name.
app_instance.response.source_ip	Null	Source IP address.
app_instance.response.source_port	Null	Source port
app_instance.response.sources_data	Object	An object containing source data.
app_instance.response.sources_data.created	String (datetime)	Creation timestamp of the source data.
app_instance.response.sources_data.modified	String (datetime)	Modification timestamp of the source data.
app_instance.response.sources_data.source_display_name	String	Display name of the source.
app_instance.response.sources_data.source_type	String	Type identifier of the source.
app_instance.response.sources_data.source_type_data	Object	Additional data about the source type.
app_instance.response.sources_data.source_type_data.created	String (datetime)	Creation timestamp of the source type data.
app_instance.response.sources_data.source_type_data.title	String	Title of the source type.
app_instance.response.sources_data.source_type_data.unique_id	String	Unique identifier of the source type data.
app_instance.response.sources_data.unique_id	String	Unique identifier of the source data.
app_instance.response.sources_data.value	String	Value of the source data.
app_instance.response.status	String	Status of the incident.
app_instance.response.status_data	Object	Additional data about the status.
app_instance.response.status_data.option_name	String	Indicates status option name.
app_instance.response.threat_actors_data	Array	An array of threat actor objects in the incident.
app_instance.response.time_to_resolve	Null	Time taken to resolve the incident.
app_instance.response.title	String	Title of the incident.
app_instance.response.url_reputation	Null	URL reputation in a phase
app_instance.response.users_data	Array	An array of user data objects.
app_instance.response.vulnerabilities_data	Array	An array of vulnerability data objects.

Action: Get Incident Workflow Details

This action retrieves the details of an incident workflow.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Workflow ID

Enter the unique ID of the incident workflow.

Example:

5ca19332-75e2-4e1b-953a-22f8b467ea1d

Text

Required

You can retrieve the list of workflows and their IDs using the following actions:

List Incident Workflows

Example Request

[
  {
    "unique_id": "t53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the Incident Workflow.
`description`	String	Description of the Incident Workflow.
`unique_id`	String	Unique ID of the Incident Workflow.
`schema_type`	String	Shows the state of Incident Workflow. Allowed values: - `draft` - `published`
`status`	String	Status of the Incident Workflow. Allowed values: - `active` - `inactive`
`is_default`	Boolean	Shows whether the Incident Workflow is the default workflow or not.
`object_identifier`	String	Shows the string name for Incident module.
`phase_flow`	String	Shows the phase flow of the Incident Workflow phases. Allowed values: - `linear` - `non-linear`
`created`	String	Creation date-time of the Incident Workflow.
`modified`	String	Latest modification date-time of the Incident Workflow.
`created_by`	String	`user_id` of the user who created the Incident Workflow.
`modified_by`	String	`user_id` of the user who last modified the Incident Workflow.
`created_by_data`	Object	Basic details of user who created the Incident Workflow.
`modified_by_data`	Object	Basic details of the user who last modified the Incident Workflow.
`is_removed`	Boolean	Shows whether the workflow is in deleted state or not.
`is_mapped`	Boolean	Shows whether the Incident Workflow has been mapped to parent parameters or not.
`num_of_phases`	Integer	Number of phases present in the Incident Workflow.
`closure_phase`	String	`unique_id` of phase after which incident can be closed.
`closure_phase_data`	Object	Details of the closure phase. Details include: `option_name`, `unique_id`, and so on.
`phase_key`	String	`unique_id` of the phases.
`preparation_key`	String	`unique_id` of the preparation tab.
`custom_tab_key`	String	`unique_id` of the custom tabs.
`closure_phase_options`	Array	`unique_id` of all the phases of the Incident Workflow which can be selected as the closure phase.
`tabs`	Array	`unique_id` of the tabs of the Incident Workflow.
`tabs.unique_id`	String	Unique ID of the Tab.
`tabs.tab_name`	String	Title of the tab.
`tabs.is_active`	Boolean	Shows if the tab is active or not.
`tabs.is_editable`	Boolean	Shows if the tab can be edited or not.
`tabs.is_removed`	Boolean	Shows whether the tab is in deleted state or not.
`tabs.object_identifier`	String	Shows the string name for Incident module
`tabs.tab_fields`	List of Objects	Details of the fields added in the tab. Note: The tab fields are further explained in the table below.
`tabs.tab_type`	String	The tab type. Examples of tab types are: `preparation`: Preparation tab is common across all workflows. `phase`: Phase `custom`: Custom Tab
`tabs.parent`	String	`unique_id` of the parent of the tab.
`tabs.children`	List	Details of children tabs.
`tabs.is_removable`	Boolean	Shows if tab can be removed or not.
`tabs.validation_expression`	String	Validation expression (if any) added. It is used for Threat Intel.
`tabs.schema`	List	List of `unique_id` of workflows in which the tab is added.
`tabs.order`	Integer	Order of the tab.
`tabs.help_text`	String	Help text of the tab
`tabs.tab_fields.unique_id`	String	Unique identifier string of UUID-4 format of the Field.
`tabs.tab_fields.field_name`	String	Title of the field.
`tabs.tab_fields.field_type`	String	The type of field. Allowed values: `select`: Single option can be selected for the field. `multiselect`: Multiple options can be selected for the field. `text`: Text field. `textarea`: Text Area field. `calendar`: date time field. `integer`: Integer Field.
`tabs.tab_fields.is_active`	Boolean	Shows whether field is active or not.
`tabs.tab_fields.is_removed`	Boolean	Shows whether the field is in deleted state or not.
`tabs.tab_fields.placeholder`	String	Placeholder of the field.
`tabs.tab_fields.help_text`	String	Help text of the field.
`tabs.tab_fields.field_options`	List of Objects	Details of the options.
`tabs.tab_fields.is_editable`	Boolean	Shows whether field can be edited or not.
`tabs.tab_fields.is_deletable`	Boolean	Shows whether field can be deleted or not.
`tabs.tab_fields.is_required`	Boolean	Shows whether the field is mandatory or not.
`tabs.tab_fields.field_readable_key`	String	Unique readable key for receiving field data from external sources.
`tabs.tab_fields.is_widget_field`	Boolean	Shows whether the widget can be created for this field or not. (Applicable only on select/multi-select fields)
`tabs.tab_fields.validation_expression`	String	Validation expression (if any) added. It is used for Threat Intel.
`tabs.tab_fields.is_read_only`	Boolean	Shows whether the field is one time entry field or not.
`tabs.tab_fields.enable_filter`	Boolean	Shows whether the filter option should be provided for this field or not. Applicable only for select/multi-select fields.
`tabs.tab_fields.is_restricted_user_group_write_access`	Boolean	Shows whether the field access is restricted by user group.
`tabs.tab_fields.user_groups_with_write_access`	List	List of `group_comm_id` of user groups that have write access to the field.
`tabs.tab_fields.is_restricted`	Boolean	Shows whether the current user has write access to the field or not.
`tabs.tab_fields.user_groups_with_write_access_data`	List of Objects	Basic details of user groups that have write access to the field.
`tabs.tab_fields.is_parent_param`	Boolean	Shows whether the field is selected as a parent parameter or not.
`tabs.tab_fields.order`	Integer	Order of the field. (Defines the position of the field in the form)
`tabs.tab_fields.column_no`	Integer	Column Number of the field. (Defines the column of the field in the form). Allowed values: `1`: Field will be present in left column `2`: Field will be present in right column.
`tabs.tab_fields.request_notes`	String	Reason for updating the field (Single select fields).

Action: Get Label Details

This action retrieves the details of a label.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Label ID

Enter the unique ID of the label.

Example:

53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of labels and their IDs using the following action:

Get Labels

Example Request

{
    "unique_id": "53ff8942-612d-4bc1-b54f-d8195c002404"
}

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the label in UUID-4 format.
`title`	String	The title of the label.
`description`	Text	Description of the label.
`color_code`	String	Hex value of the label color.
`created`	String	Creation date and time of the label in ISO format.
`modified`	String	Last modified date and time of the label in ISO format.
`component_identifier`	String	Unique ID of the associated component.
`component_identifier_data`	Object	Details of the `component_identifier`. Note: The parameters of the `component_identifier_data` are described in the table below.
`component_identifier_data.component_name`	String	The name of the component.
`component_identifier_data.component_identifier`	String	Unique ID of the associated component.

Action: Get Labels

This action retrieves a list of labels from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of labels in CFTR application according to the filters applied.
`results`	List of Objects	Details of the labels. Each object provides details of one label.
`unique_id`	String	Unique ID of the label in UUID-4 format.
`title`	String	The title of the label.
`description`	Text	Description of the label.
`color_code`	String	Hex value of the label color.
`created`	Creation date and time of the label in ISO format.
`modified`	String	Last modified date and time of the label in ISO format.
`component_identifier`	String	Unique ID of the associated component.
`component_identifier_data`	Object	Details of the `component_identifier`. Note: The parameters of the `component_identifier_data` are described in the table below.
`component_name`	String	The name of the component.
`component_identifier`	String	Unique ID of the associated component.

Action: Get List of Threat Intel Types

This action retrieves a list of threat intel types from the application.

Action Input Parameters

There are no input parameters required for this action.

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of Threat Intel types in CFTR application.
`results`	List	Details of the Threat Intel types. Each object provides details of one Threat Intel type.
`title`	String	Title of the Threat Intel type. This key is used to refer to Threat Intel type by other APIs.
`unique_id`	String	Unique ID of the Threat Intel type.
`created`	String	Creation date and time of the Threat Intel type.
`modified`	String	Last updated date and time of the Threat Intel type.
`display_name`	String	Name of the Threat Intel type.

Action: Get Location Details

This action retrieves the details of a location using the location ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Location ID

Enter the unique ID of a location.

Example:

67ef9042-612d-4bc1-b54f-d8195c002907

Text

Required

You can retrieve the list of locations and their IDs using the following action:

Get Locations

Example Request

{
    "unique_id": "67ef9042-612d-4bc1-b54f-d8195c002907"
}

Action Response Parameters

Parameter	Type	Description
`title`	String	The title of the location.
`unique_id`	String	Unique ID of the location in UUID-4 format.
`country`	String	Unique ID of the corresponding country in UUID-4 format.
`country_data`	Object	Details of the corresponding country.
`country_data.title`	String	The name of the Country.
`country_data.unique_id`	String	Unique ID of the corresponding country in UUID-4 format.
`state`	String	Unique ID of the corresponding state in UUID-4 format.
`state_data`	Object	Details of the corresponding state.
`state_data.title`	String	The name of the State.
`state_data.unique_id`	String	Unique ID of the corresponding state in UUID-4 format.
`city`	String	Name of the city.
`site`	String	Name of the site.
`pincode`	String	PIN code of the site.
`created`	String	Creation date and time of the location in ISO format.
`modified`	String	Last modified date and time of the location in ISO format.
`is_active`	Boolean	Shows if the location is active or not.
`Longitude`	String	Unique ID of the longitude of the location.
`Latitude`	String	Unique ID of the lantitude of the location.

Action: Get Malware Details

This action retrieves the details of malware using the malware ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Malware ID

Enter the unique ID of the malware.

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of malware and their IDs using the following action:

List Malware

Example Request

[
  {
    "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404" 
  }
]

Action Response Parameters

Parameters	Type	Description
`type`	Object	Type of the malware.
`ioc_email`	Object	Unique IDs of the email IOC type.
`platform`	Object	List of affected platforms.
`ioc_ip`	Object	Unique IDs of the IP IOC type.
`ioc_md5`	Object	Unique IDs of the MD5 Hash IOC type.
`file_type`	Object	File types of the malware. For example, dll, exe, docx, zip.
`ioc_domain`	Object	Unique IDs of the domain IOC type.
`ioc_sha1`	Object	Unique IDs of the SHA1 IOC type.
`ioc_sha256`	Object	Unique IDs of the SHA256 IOC type.
`ioc_url`	Object	Unique IDs of the URL IOC type.
`unique_id`	String	Unique ID of the malware.
`readable_id`	String	Readable ID of the malware.
`created`	String	Created date of the malware in EPOCH time format.
`modified`	String	Last modified date of the malware in EPOCH time format.
`title`	String	Title of the malware.
`description`	String	Description of the malware.
`incidents`	Object	Unique ID of the linked incidents.
`status`	String	Status of the malware.
`briefings`	Object	Unique ID of the linked threat briefings.
`briefings_data`	Object	Details of the linked threat briefings.
`incidents_data`	Object	Details of the linked incidents.
`is_bookmarked`	Boolean	Shows if the malware is bookmarked or not.
`actions_data`	Object	Details of the linked actions.
`campaigns`	Object	Unique ID of the linked campaigns.
`campaigns_data`	Object	Details of the linked campaigns.
`vulnerabilities`	Object	Unique ID of the linked vulnerabilities.
`vulnerabilities_data`	Object	Details of the linked vulnerabilities.
`threat_actors`	Object	Unique ID of the linked threat actors.
`threat_actors_data`	Object	Details of the linked threat actors.
`pirs_data`	Object	Details of the linked PIRs.
`attachments_data`	Object	Details of the attachments.
`created_by_data`	Object	Details of the user who created the malware. Details include: username, email, first name, last name, and so on.
`labels`	Object	Unique ID of the linked labels.
`labels_data`	Object	Details of the linked labels.
`tactic_technique_pair_data`	Object	Details of the linked tactic technique pairs.
`first_seen`	String	Date on which malware is seen for the first time.
`last_modified`	Object	Last modified date of the malware.
`applications`	Object	Unique ID of the linked applications.
`applications_data`	Object	Details of the linked applications.
`asset_softwares`	Object	Unique ID of the linked software.
`asset_softwares_data`	Object	Details of the Linked Asset Softwares.
`endpoints`	Object	Unique ID of the linked devices.
`endpoints_data`	Object	Details of the linked devices.
`enhancements`	Object	Unique ID of the linked enhancements.
`enhancements_data`	Object	Details of the linked enhancements.
`type_data`	Object	Details of the malware type.
`file_type_data`	Object	Details of the malware file type.
`platform_data`	Object	Details of the affected platforms.

Action: Get Manufacturer Details

This action retrieves the details of a manufacturer.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Manufacturer ID

Enter the unique ID of a manufacturer.

Example:

53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of manufacturers and their IDs using the following action:

Get Manufacturers

Example Request

{
    "unique_id": "53ff8942-612d-4bc1-b54f-d8195c002404"
}

Action Response Parameters

Parameter	Type	Description
`title`	String	The title of the manufacturer.
`unique_id`	String	Unique ID of the manufacturer in UUID-4 format.
`readable_id`	String	Unique readable ID of the manufacturer. It starts with MFR followed by a unique number. Example: "MFR101"
`description`	Text	Description of the manufacturer.
`created`	String	Creation date and time of the manufacturer in ISO format.
`modified`	String	Last modified date and time of the manufacturer in ISO format.

Action: Get OS Type Details

This action retrieves the details of an OS type.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Operating system (OS) ID

Enter the unique ID of the OS type.

Example:

2fd4996d-f21b-4d43-8000-31769f3ed3ae

Text

Required

You can retrieve the list of OS types and their IDs using the following action:

Get OS Types

Example Request

{
    "unique_id": "2fd4996d-f21b-4d43-8000-31769f3ed3ae"
}

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the OS type.
`unique_id`	String	Unique Identifier String of UUID-4 format of the OS type.
`readable_id`	String	Unique readable ID of the OS type. It starts with OST followed by a unique number. Example: "OST101"
`description`	Text	Description of the OS type.
`created`	String	Creation date and time of the OS type in ISO format.
`modified`	String	Last modified date and time of the OS type in ISO format.

Action: Get PIR Details

This action can be used to retrieve the details of a PIR (Priority Intel Requirement) using the ID of the PIR.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Priority Intel Requirement (PIR) ID

Enter the unique ID of the Priority Intel Requirement (PIR).

Example:

42505945-ea78-4c69-8d34-92cdd20026d8

Text

Required

You can retrieve the list of PIRs and their IDs using the following action:

Get PIRs

Example Request

[
  {
    "unique_id": "42505945-ea78-4c69-8d34-92cdd20026d8"
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the PIR.
`unique_id`	String	Unique ID of the PIR in UUID-4 format.
`readable_id`	String	Readable ID of the PIR.
`description`	Text	Description of the PIR.
`created`	String	Creation date and time of the PIR in ISO format.
`modified`	String	Last updated date and time of the PIR in ISO format.
`status`	String	Current status of the PIR. Allowed values: `open` `closed`
`created_by_data`	Object	Details of user who created the PIR.
`closed_by`	String	`user_id` of the user who closed the PIR.
`closed_by_data`	Object	Details of user who closed the PIR.
`closed_on`	String	Closing date and time of the PIR in ISO format.
`is_bookmarked`	Boolean	Shows whether the PIR is bookmarked or not.
`labels`	List of String	List of `unique_id` of the attached labels.
`labels_data`	List of Objects	Details of the attached labels.
`priority`	String	Priority level of the PIR. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority_data`	Object	Details of the priority of the PIR.
`assigned_to`	List of Stings	List of Unique IDs of the assigned users in UUID-4 format.
`assigned_to_data`	List of Objects	Details on the list of assigned users of the PIR. Details include: `username`, `email`, `first_name`, `last_name`, and so on.
`assigned_group`	String	Unique ID of the assigned user group in UUID-4 format.
`assigned_group_data`	Object	Details of the assigned user group. Details include: `group name` and `group ID`
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.

Action: Get Recommended Users for an Incident

This action retrieves the list of users that are automatically recommended for assigning to a specific incident based on their roster and the history of incidents handled.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Incident ID

Enter the unique ID of the incident.

Text

Required

You can retrieve the list of incidents and their IDs using the following action:

Get Incidents

Allocation Datetime

Enter the allocation time in EPOCH format

Text

Optional

Example Request

[
  {
    "unique_id": "1cc818a1-2676-4746-ac2e-6610832c4d65"
  }
]

Action Response Parameters

Parameter	Type	Description
results	Array of Objects	List of recommended users.
username	String	The username of the recommended user.
first_name	String	The first name of the recommended user.
last_name	String	The last name of the recommended user.
profile_background_color	String	The profile background color of the recommended user.
user_id	String	The user ID of the recommended user.
display_pic	String (nullable)	The display picture of the recommended user. Can be null.
email	String	The email of the recommended user.
score	Number	The recommendation score of the user.

Action: Get Roster

This action retrieves a list of rosters from the application.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Page No	Enter the page number to retrieve the list of rosters. Example: 1	Integer	Optional	Default: 1
Page Size	Enter the page size to retrieve the list of rosters. Example: 10	Integer	Optional	Default: 10
All Data	Select true to retrieve all the data.	Boolean	Optional	Rosters are returned as per the values defined in the Page No and Page Size parameters. If you enter false, then the rosters list is returned in a paginated manner. Default value: true
Search Query	Enter the search query to filter the data. Example: indicator	Text	Optional

Example Request

{
    "page_no": 1,
    "page_size": 10,
    "all_data": false,
    "search_query": "analyst"
}

Action Response Parameters

Parameter	Type	Description
link	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` key shows the API endpoint to the next page.
count	Integer	The total number of rosters returned as per the entered query parameters.
results	List of Objects	Details of the rosters. Each object provides the details of one roster.
unique_id	String	Unique ID of the roster.
is_removed	Boolean	Indicates if the roster is removed.
title	String	Title of the roster.
created_by_data	Object	Details of the user who created the roster.
modified_by_data	Object	Details of the user who modified the roster.
start	String	Start date and time of the roster (ISO 8601 format).
end	String	End date and time of the roster (ISO 8601 format).
shift_model	String	ID of the shift model associated with the roster.
shift_model_data	Object	Details of the shift model associated with the roster.
created	String	Creation date and time of the roster (ISO 8601 format).
modified	String	Last modified date and time of the roster (ISO 8601 format).
is_draft	Boolean	Indicates if the roster is in draft status.
exceptions	Array	List of exceptions for the roster.
users_data	Array	Details of the users associated with the roster.

Action: Get Source Details

This action retrieves the details of a source.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Source ID

Enter the unique ID of the source.

Example:

53ff8942-612d-4bc1-b54f-d8195c002907

Text

Required

You can retrieve the list of sources and their IDs using the following action:

Get Sources

Example Request

{
    "unique_id": "53ff8942-612d-4bc1-b54f-d8195c002907"
}

Action Response Parameters

Parameter	Type	Description
`value`	String	The name of the source.
`source_type`	String	Unique ID of the source type in UUID-4 format.
`source_display_name`	String	Display name of the source.
`unique_id`	String	Unique ID of the source in UUID-4 format.
`created`	String	Creation date and time of the source in ISO format.
`modified`	String	Last modified date and time of the source in ISO format.
`source_type_data`	Object	Details of the source type.
`source_type_data.unique_id`	String	Unique ID of the source type in UUID-4 format .
`source_type_data.created`	String	Creation date and time of the source type in ISO format.
`source_type_data.title`	String	The title of the source type.

Action: Get Templates

This action retrieves the list of templates from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page Number

Enter the page number to retrieve the list of templates.

Example:

Integer

Optional

Default value:

Page Size

Enter the page size to retrieve the list of templates.

Example:

Integer

Optional

Default value:

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action: Get Threat Actor Details

This action retrieves the details of a threat actor using the ID of the threat actor.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Actor ID

Enter the unique ID of the threat actor.

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of IDs of threat actors using the following action:

Get Threat Actors

Example Request

[
  {
    "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the threat actor.
`unique_id`	String	Unique ID of the threat actor.
`readable_id`	String	Readable ID of the threat actor.
`description`	Text	Description of the threat actor.
`created`	String	Creation time of the threat actor in ISO format.
`modified`	String	Last Updated time of the threat actor in ISO format.
`status`	String	Current status of the threat actor. Allowed values: `open` `closed`
`risk`	String	Risk associated with the threat actor. Allowed Values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority`	String	Priority of the threat actor. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`created_by_data`	Object	Details of user who created the threat actor.
`closed_by`	String	`user_id` of the user who closed the threat actor.
`closed_by_data`	Object	Details of user who closed the threat actor.
`closed_on`	String	Closing date of the threat actor in ISO format.
`is_bookmarked`	Boolean	Shows whether the threat actor is bookmarked or not.
`attachments_data`	Array of Objects	Details of each attachment of the threat actor.
`actions_data`	Array of Objects	Details of the actions that are added for the threat actor.
`enhancements`	Array of UUID Strings	List of the enhancements that are added for the threat actor.
`enhancements_data`	Array of Objects	Details of the enhancements that are added for the threat actor.
`pirs_data`	Array of Objects	Details of the PIRs that are added for the threat actor.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`users`	Array of UUID Strings	List of `unique_id` of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`ioc_SHA1`	Array of UUID Strings	List of `unique_id` of the connected SHA1 Threat Intels.
`ioc_SHA1_data`	Array of Objects	Details of the connected SHA1 Threat Intels.
`ioc_MD5`	Array of UUID Strings	List of `unique_id` of the connected MD5 Threat Intels.
`ioc_MD5_data`	Array of Objects	Details of the connected MD5 Threat Intels.
`ioc_SHA256`	Array of UUID Strings	List of `unique_id` of the connected SHA256 Threat Intels.
`ioc_SHA256_data`	Array of Objects	Details of the connected SHA256 Threat Intels.
`ioc_ip`	Array of UUID Strings	List of `unique_id` of the connected IP Threat Intels.
`ioc_ip_data`	Array of Objects	Details of the connected IP Threat Intels.
`ioc_url`	Array of UUID Strings	List of `unique_id` of the connected URL Threat Intels.
`ioc_url_data`	Array of Objects	Details of the connected URL Threat Intels.
`ioc_domain`	Array of UUID Strings	List of `unique_id` of the connected domain Threat Intels.
`ioc_domain_data`	Array of Objects	Details of the connected domain Threat Intels.
`ioc_email`	Array of UUID Strings	List of `unique_id` of the connected email Threat Intels.
`ioc_email_data`	Array of Objects	Details of the connected email Threat Intels.

Action: Get Threat Briefing Details

This action retrieves the details of a threat briefing.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Briefing ID

Enter the unique ID of the threat briefing.

Example:

y53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of threat briefings and their IDs using the following action:

Get Threat Briefings

Example Request

[
  {
    "unique_id": "y53ff8942-612d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the Threat Briefing.
`readable_id`	String	Readable ID of the Threat Briefing.
`title`	String	Title of the Threat Briefing.
`description`	Text	Description of the threat briefing.
`status`	String	Current status of the Threat Briefing. Allowed values: - ACTIVE - INACTIVE
`created`	String	Created date and time of the Threat Briefing.
`modified`	String	Last updated date and time of the Threat Briefing.
`title_display`	String	Title of the Threat Briefing.
`is_bookmarked`	Boolean	Shows whether the Threat Briefing is bookmarked or not.
`labels`	List	List of `unique_id` of the attached labels.
`labels_data`	List of Objects	Details of the attached labels.
`locations_data`	List of Objects	Details of the locations linked to the Threat Briefing.
`business_units_data`	List of Objects	Details of the business units linked to the Threat Briefing.
`created_by`	String	Unique ID of the user who created the Threat Briefing.
`created_by_data`	Object	Details of the user who created the Threat Briefing.
`attachments_data`	Array of Objects	Details of each attachment of the Threat Briefing.
`actions_data`	Array of Objects	Details of the actions that are added for the Threat Briefing.
`enhancements`	Array of UUID Strings	List of the enhancements that are added for the Threat Briefing.
`enhancements_data`	Array of Objects	Details of the enhancements that are added for the Threat Briefing.
`pirs_data`	Array of Objects	Details of the PIRs that are added for the Threat Briefing.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`users`	Array of UUID Strings	List of `unique_id` of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.

Action: Get Threat Intel (IOC) Details

This action retrieves the details of a threat intel (IOC).

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Intel (IOC) ID

Enter the unique ID of the threat intel.

Example:

f53ff8979-615d-4bc1-b54f-d8195c002404

Text

Required

Use the following action to retrieve the list of threat intel (IOC) and their IDs:

Get List of Threat Intel (IOC)

Example Request

[
  {
    "unique_id": "f53ff8979-615d-4bc1-b54f-d8195c002404" 
  }
]

Action Response Parameters

Parameter	Type	Description
`value`	String	Value of the Threat Intel.
`unique_id`	String	Unique ID of the Threat Intel in UUID-4 format.
`created`	String	Creation date and time of the Threat Intel.
`modified`	String	Last Updated date and time of the Threat Intel.
`geo_details`	List of Objects	Details of the location of threat intel.
`tlp`	String	TLP associated with the threat intel. Allowed values: `RED` `AMBER` `GREEN` `WHITE`
`incidents_data`	List of Objects	Details of Incidents associated with the Threat Intel. Details include: `unique_id`, `readable_id`, and `title`.
`created_by`	String	`user_id` of the user who created the Threat Intel
`status`	String	Current status of the Threat Intel. Allowed values: `cleaned` `blocked` `malicious` `false_positive` `whitelisted` `none`
`labels`	List	List of `unique_id` of labels added to the Threat Intel.
`labels_data`	List of Objects	Details of labels added to the Threat Intel. Details include `title`, `color_code`, `unique_id`, `created`, and `modified`.
`malwares_data`	List of Objects	Details of Malware associated with the Threat Intel. Details include: `unique_id`, `readable_id,` and `title`.
`threat_actors_data`	List of Objects	Details of Threat Actors associated with the Threat Intel.
`vulnerabilities_data`	List of Objects	Details of Vulnerabilities associated with the Threat Intel. Details include: `unique_id`, `readable_id`, and `title`.
`actions_count`	Integer	Number of Actions added to the Threat Intel.
`notes_count`	Integer	Number of comments added to the Threat Intel.
`ioc_type`	String	`unique_id` of the Indicator Type.
`ioc_type_data`	Object	Details of the Indicator Type.

Action: Get Threat Intel Form Structure

This action retrieves the form field structure of the Threat Intel component.

Action Input Parameters

There are no input parameters required for this action.

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the Tab.
`tab_name`	String	Title of the tab.
`is_active`	Boolean	Shows if the tab is active or not.
`is_editable`	Boolean	Shows if the tab can be edited or not.
`is_removed`	Boolean	Shows whether the tab is in deleted state or not.
`object_identifier`	String	Shows the string name for Threat Intel module.
`tab_fields`	List of Objects	Details of the fields added in the tab. Note: The tab fields are further explained in the table below.
`tab_type`	String	The tab type. Examples of tab types are: `preparation`: Preparation tab is common across all workflows. `custom`: Custom Tab
`parent`	String	`unique_id` of the parent of the tab.
`children`	List	Details of children tabs.
`is_removable`	Boolean	Shows if tab can be removed or not.
`validation_expression`	String	Validation expression (if any) added. It is used for Threat Intel.
`order`	Integer	Order of the tab.
`tab_fields.unique_id`	String	Unique Identifier String of UUID-4 format of the Field.
`tab_fields.field_name`	String	Title of the field.
`tab_fields.field_type`	String	The type of field. Allowed values: `select`: Single option can be selected for the field. `multiselect`: Multiple options can be selected for the field. `text`: Text field. `textarea`: Text Area field. `calendar`: date time field. `integer`: Integer Field.
`tab_fields.is_active`	Boolean	Shows whether field is active or not.
`tab_fields.is_removed`	Boolean	Shows whether the field is in deleted state or not.
`tab_fields.placeholder`	String	Placeholder of the field.
`tab_fields.help_text`	String	Help text o.f the field
`tab_fields.field_options`	List of Objects	Details of the options.
`tab_fields.is_editable`	Boolean	Shows whether field can be edited or not.
`tab_fields.is_deletable`	Boolean	Shows whether field can be deleted or not.
`tab_fields.is_required`	Boolean	Shows whether the field is mandatory or not.
`tab_fields.field_readable_key`	String	Unique readable key for receiving field data from external sources.
`tab_fields.is_widget_field`	Boolean	Shows whether the widget can be created for this field or not. (Applicable only on select/multi-select fields)
`tab_fields.validation_expression`	String	Validation expression (if any) added. It is used for Threat Intel.
`tab_fields.is_read_only`	Boolean	Shows whether the field is one time entry field or not.
`tab_fields.enable_filter`	Boolean	Shows whether the filter option should be provided for this field or not. (Applicable only on select/multi-select fields)
`tab_fields.is_restricted_user_group_write_access`	Boolean	Shows whether the field access is restricted by user group.
`tab_fields.user_groups_with_write_access`	List	List of `group_comm_id` of user groups that have write access to the field.
`tab_fields.is_restricted`	Boolean	Shows whether the current user has write access to the field or not.
`tab_fields.user_groups_with_write_access_data`	List of Objects	Basic details of user groups that have write access to the field.
`tab_fields.is_parent_param`	Boolean	Shows whether the field is selected as a parent parameter or not.
`tab_fields.order`	Integer	Order of the field. (Defines the position of the field in the form)
`tab_fields.column_no`	Integer	Column number of the field. (Defines the column of the field in the form). Allowed values: `1`: Field will be present in left column `2`: Field will be present in right column.

Action: Get User Group Details

This action retrieves the details of a user group.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

User Group ID

Enter the unique ID of a user group.

Example:

4e046ee1-5bc9-4320-965f-3bf24dbb9256

Text

Required

You can retrieve the list of user groups and their IDs using the following action:

Get User Groups

Example Request

{
    "unique_id": "4e046ee1-5bc9-4320-965f-3bf24dbb9256"
}

Action Response Parameters

Parameter	Type	Description
`group_comm_id`	String	Unique ID of the user group in UUID-4 format.
`group_name`	String	Name of the user group.
`description`	Text	Description of the user group.
`permissions`	List of Objects	List of permission objects of the user group. Each object includes the details of one permission.
`created_by`	Object	Unique ID of the user who created the user group.
`user_count`	Positive Integer	Number of users assigned to the user group.
`permission_count`	Positive Integer	Count of the number of `permissions`configured for the user group.
`is_active`	Boolean	Shows whether the user group is currently active or not.
`is_editable`	Boolean	Shows whether the user group is editable or not.
`created`	Integer	Creation date and time of the user group in EPOCH time format.
`ciims_user_set`	List of Strings	List of unique IDs of the users assigned to the user group in UUID-4 format.
`ciims_user_set_data`	List of Objects	Details of the users assigned to the user group. Each object includes the details of one user.
`group_cost`	Float	Analyst cost associated with the users of the user group. The default cost is configured as per the daily rate.
`playbook_tags`	List of Strings	List of unique IDs of the Cyware Orchestrate Playbook tags added to the User Group in UUID-4 format.
`playbook_tags_data`	List of Objects	Details of the Playbook tags. Each object includes the details of one Playbook tag.
`is_readonly_group`	Boolean	Shows whether the group is read only or not.
`saml_associated_groups`	String	Shows the associated SAML groups with the user group.
`permissions.permission_comm_id`	String	Unique ID of the permission in UUID-4 format.
`permissions.display_name`	String	Display name of the permission.
`permissions.code_name`	String	Unique string of the permission.
`permissions.grant`	String	Level of grant associated with each permission in CFTR. Allowed values: -`ALLOWED:` Permissions that are provided by default. -`DISALLOWED:` Permissions that cannot be provided while creating a group. -`SELECTABLE:` Permission that can be configured while creating a group.
`permissions.verbose_name`	String	Verbose name given to the permission.
`username`	String	Username of the user.
`ciims_user_set_data.first_name`	String	First name of the user.
`ciims_user_set_data.last_name`	String	Last name of the user.
`ciims_user_set_data.profile_background_color`	String	Hex value of the user profile background color.
`ciims_user_set_data.user_id`	String	Unique ID of the user in UUID-4 format.
`ciims_user_set_data.display_pic`	String	Link to the display picture of the user.
`ciims_user_set_data.is_active`	Boolean	Shows whether the user is an active user or not.
`ciims_user_set_data.email`	String	Email ID of the user.
`ciims_user_set_data.full_name`	String	Full name of the user.
`playbook_tags_data.unique_id`	String	Unique ID of the Playbook in UUID-4 format.
`playbook_tags_data.title`	String	Title of the Playbook.
`playbook_tags_data.description`	Text	Description of the Playbook.

Action: Get Vulnerability Details

This action retrieves the details of a vulnerability.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Vulnerability ID

Enter the unique ID of the vulnerability.

Example:

e53ff8972-618d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of vulnerabilities and their IDs using the following action:

Get Vulnerabilities

Example Request

[
  {
    "unique_id": "e53ff8972-618d-4bc1-b54f-d8195c002404"
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the vulnerability.
`unique_id`	String	Unique ID of the vulnerability.
`readable_id`	String	Readable ID of the vulnerability.
`description`	Text	Description of the vulnerability.
`created`	String	Creation time of the vulnerability in ISO format.
`modified`	String	Last Updated time of the vulnerability in ISO format.
`status`	String	Current status of the vulnerability. Allowed values: `open` `closed`
`risk`	String	Risk associated with the vulnerability. Allowed Values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority`	String	Priority of the vulnerability. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`created_by_data`	Object	Details of user who created the vulnerability.
`closed_by`	String	`user_id` of the user who closed the vulnerability.
`closed_by_data`	Object	Details of user who closed the vulnerability.
`closed_on`	String	Closing date of the vulnerability in ISO format.
`is_bookmarked`	Boolean	Shows whether the vulnerability is bookmarked or not.
`attachments_data`	Array of Objects	Details of each attachment of the vulnerability.
`actions_data`	Array of Objects	Details of the actions that are added for the vulnerability.
`enhancements`	Array of UUID Strings	List of the enhancements that are added for the vulnerability.
`enhancements_data`	Array of Objects	Details of the enhancements that are added for the vulnerability.
`pirs_data`	Array of Objects	Details of the PIRs that are added for the vulnerability.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`users`	Array of UUID Strings	List of `unique_id` of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`ioc_SHA1`	Array of UUID Strings	List of `unique_id` of the connected SHA1 Threat Intels.
`ioc_SHA1_data`	Array of Objects	Details of the connected SHA1 Threat Intels.
`ioc_MD5`	Array of UUID Strings	List of `unique_id` of the connected MD5 Threat Intels.
`ioc_MD5_data`	Array of Objects	Details of the connected MD5 Threat Intels.
`ioc_SHA256`	Array of UUID Strings	List of `unique_id` of the connected SHA256 Threat Intels.
`ioc_SHA256_data`	Array of Objects	Details of the connected SHA256 Threat Intels.
`ioc_ip`	Array of UUID Strings	List of `unique_id` of the connected IP Threat Intels.
`ioc_ip_data`	Array of Objects	Details of the connected IP Threat Intels.
`ioc_url`	Array of UUID Strings	List of `unique_id` of the connected URL Threat Intels.
`ioc_url_data`	Array of Objects	Details of the connected URL Threat Intels.
`ioc_domain`	Array of UUID Strings	List of `unique_id` of the connected domain Threat Intels.
`ioc_domain_data`	Array of Objects	Details of the connected domain Threat Intels.
`ioc_email`	Array of UUID Strings	List of `unique_id` of the connected email Threat Intels.
`ioc_email_data`	Array of Objects	Details of the connected email Threat Intels.

Action: List Actions

This action retrieves a list of actions using query string and query parameters.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in the form of key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): by default, the value is 1
page_size (int): by default, the value is 10

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of Actions in CFTR application as per the query parameters.
`results`	List of Objects	Details of the Actions. Each object provides details of one Action.
`title`	String	The title of the action.
`unique_id`	String	Unique ID of the action.
`created`	String	Created date of the action in EPOCH time format.
`modified`	String	Last modified date of the action in EPOCH time format.
`description`	String	Description the an action.
`assigned_to`	String	`User_id` of the assigned user.
`assigned_to_data`	Object	Details of the assigned user.
`assigned_group`	String	`Group_comm_id` of the assigned user group.
`assigned_group_data`	Object	Details of the assigned user group. Details include: group_comm_id and group_name of the user group.
`status`	String	Status of the action. For example, open.
`readable_id`	String	Readable ID of the action. For example, ACT379.
`created_by_data`	Object	Details of the user who created the action. Details include: username, email ,first name, last name, and so on.
`can_update_instance`	Boolean	Shows whether the instance can be updated by the user who requested it or not.
`is_bookmarked`	Boolean	True: Action is bookmarked. False: Action is not bookmarked.
`closed_by_data`	Object	Details of the user who closed the action. Details include: username, email ,first name, last name, and so on.
`closed_on`	String	Closure date of the action in EPOCH time format.
`resolved_on`	String	Resolved date of the action in EPOCH time format.
`assignment_sla`	String	Details of assignment SLA details of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion.
`resolution_sla`	String	Details of resolution SLA of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion.
`resolution_due_date`	String	Resolution due date of the action.
`sla_stopped_on`	String	Date and time at which the SLA stopped for the action.
`type`	String	Type of the action. For example, Recovery.
`priority`	String	Priority level of the action
`type_data`	Object	Details of the type of the action. Details include: unique_id, option_name, is_active, and so on.
`priority_data`	Object	Details of the priority level of the action.
`labels`	List of Strings	Unique IDs of the list of labels added to the action.
`labels_data`	Object	Details of the labels added to the action. Details include: unique_id, title, color code, and so on.
`created_from_template`	Boolean	Displays if the action is created using a template or not.

Action: List Asset Applications

This action retrieves a list of asset applications from the Applications module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10
business_units
created_date__gte
created_date__lte
labels
modified_date__gte
modified_date__lte
locations
production_date__gte
production_date__gte
status

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the applications to the previous page. `next` key shows the API endpoint to the next page.
`count`	Integer	The total number of applications returned as per the entered query parameters.
`results`	List of Objects	Details of the applications. Each object provides the details of one application.
`unique_id`	String	Unique ID of the application.
`created`	String	Created date and time of the application.
`modified`	String	Last updated date and time of the application.
`title`	String	Title of the application.
`production_date`	String	Production date of application.
`readable_id`	String	Readable ID of the application.
`labels`	List	List of the labels associated with the application.
`labels_data`	List of Objects	Details of labels added to the application. The details include: `title`, `unique_id`, `color_code`, and so on.
`status`	String	Status of the application.

Action: List Asset Software

This action retrieves a list of asset software from the Software module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10
business_units
created_date__gte
created_date__lte
labels
modified_date__gte
modified_date__lte
locations
software_status

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` key shows the API endpoint to the next page.
`count`	Integer	The total number of software returned as per the entered query parameters.
`results`	List of Objects	Details of the softwares. Each object provides the details of one software.
`unique_id`	String	Unique ID of the software.
`created`	String	Created date and time of the software.
`modified`	String	Last updated date and time of the software.
`title`	String	Name of the software.
`readable_id`	String	Readable ID of the software.
`labels`	List	List of the labels that are added to the software.
`labels_data`	List of Objects	Details of labels added to the software. The details include: `title`, `unique_id`, `color_code`, and so on.
`software_status`	String	Status of the sofware. For example, active.

Action: List Asset Users

This action retrieves a list of asset users from the Users module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` key shows the API endpoint to the next page.
`count`	Integer	The total number of users returned as per the entered query parameters.
`results`	List of Objects	Details of the users. Each object provides the details of one user.
`unique_id`	String	Unique ID of the user.
`created`	String	Created date and time of the user.
`modified`	String	Last updated date and time of the user.
`employee_name`	String	Name of the user.
`email`	String	Email ID of the user.
`display_name`	String	Name of the user.
`readable_id`	String	Readable ID of the user.
`labels`	List	List of labels that are added to the user.
`labels_data`	List of Objects	Details of labels added to the user. The details include: `title`, `unique_id`, `color_code`, and so on.
`user_status`	String	Status of the user.
`threat_score`	Float	Risk score of the user.

Action: List Attachments

This action retrieves the attachments from a component.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Component Identifier	Enter the identifier of a component.	Text	Required	Allowed values: action comment enhancement incident malware PIR vulnerability
Unique ID	Enter the unique ID of the component entry to which you want to add an attachment.	Text	Required	If the component identifier is Incident, then the unique ID must be a specific Incident ID.

Example Request

[
  {
    "component_name": "incident",
    "unique_id": "Example Unique ID",
  }
]

Action Response Parameters

Parameter	Type	Description
link	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` key shows the API endpoint to the next page.
count	Integer	The total number of attachments returned as per the entered query parameters.
results	List of Objects	Details of the attachments. Each object provides the details of one attachment.
title	Text	Name of the file.
uploaded_file	URL	URL of the file from where it can be downloaded.
unique_id	String	Unique ID for the file.
created_by_data	Object	Details of the user who uploaded the file.
created	Datetime	File upload time.
modified	Datetime	File modified time.
readable_id	String	Unique readable ID of the file.
file_hash	String	Hash of the file.
file_type	String	Type of the file. I Allowed values: `artifact`: Artifact `evidence`: Evidence `miscellaneous`: Miscellaneous
file_size	Integer	Size of the file.
parent_readable_id	String	`readable_id` of the incident in which file is uploaded.
parent_component	String	Component name in which file is uploaded. Example: `incident`, `action`, and so on.
parent_unique_id	String	`unique_id` of the incident in which file is uploaded

Action: List Business Units

This action retrieves a list of business units from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page_size (int): default value is 10
page (int): default value is 1

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of Business Units in CFTR application according to the filters applied.
`results`	List of Objects	Details of the Business Unit. Each object provides details of one Business Unit.
`title`	String	The title of the Business Unit.
`description`	Text	Description of the Business Unit.
`unique_id`	String	Unique ID of the Business Unit in UUID-4 format.
`created`	String	Creation date and time of the Business Unit in ISO format.
`modified`	String	Last modified date and time of the Business Unit in ISO format.
`readable_id`	String	Unique readable ID of the Business Unit. It starts with BU followed by a unique number. Example: "BU102"
`email_list`	String	Emails of the recepients to whom the notifications are sent.

Action: List Campaigns

This action retrieves a list of campaigns.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in the form of key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): by default, the value is 1
page_size (int): by default, the value is 10
status (str): inactive, active
bookmarked (bool)
mentioned (bool)
created_by (ID)
created_date__gte (epochtime)
created_date__lte (epochtime)
locations (ID)
labels (ID)
modified_date__gte (epochtime)
modified_date__lte (epochtime)

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10,
      "status": "ACTIVE"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
link	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
count	Integer	Total number of campaigns in CFTR application according to the filters applied.
results	List of Objects	Details of the campaigns. Each object provides details of one campaign.
unique_id	String	Unique ID of the campaign in UUID-4 format.
readable_id	String	Unique readable ID of the campaign. It starts with `CMP` followed by a unique number. Example: CMP101
created	String	Campaign creation date and time.
description	Text	Description of the campaign.
modified	String	Last updated date and time of the campaign.
title	String	Title of the campaign.
title_display	String	Title of the campaign.
status	String	Current status of the campaign. Allowed values: `ACTIVE` `INACTIVE`
is_bookmarked	Boolean	Shows if the campaign is bookmarked or not.
created_by_data	Object	Details of user who created the campaign. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
labels	List of Strings	Unique ID of the labels associated with the campaign in UUID-4 format.
labels_data	List of Objects	Details of labels added to the campaign. Details include: `title`, `unique_id`, `color_code`, and so on.

Action: List CFTR Users

This action retrieves a list of users from the User Management module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10
is_active
is_bot
group_comm_id

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of users in CFTR application according to the filters applied.
`results`	List of Objects	Details of the users. Each object provides details of one user.
`user_id`	String	Unique ID of the users in UUID-4 format.
`first_name`	String	First name of the user.
`last_name`	String	Last name of the user.
`email`	String	Email ID of the user.
`display_pic`	String	The link to the display picture of the user.
`username`	String	Username of the user.
`profile_background_color`	String	Hex key of the background color of the user profile.
`is_active`	Boolean	Shows whether a user is an active user or not.
`full_name`	String	Full name of the user.

Action: List Comments

This action retrieves the comments of an entry.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier

Enter the identifier of a component.

Example:

incident

Text

Required

Allowed values:

action
application
software
campaign
device
enhancement
incident
threat intel
malware
PIR
threat-briefing
vulnerability

Unique ID

Enter the unique ID of the component entry to which you want to add comments.

Example:

1cc818a1-2676-4746-ac2e-6610832c4d65

Text

Required

If component identifier is Incident, then unique ID must be specific Incident.

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10
user_group
type
created_by

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
    "component_name": "incident",
    "unique_id": "Example Unique ID"
  }
]

Action Response Parameters

Parameter	Type	Description
count	Integer	Number of comments added in a module object.
unique_id	String	Unique ID of the comment.
description	Text	Content of the comment.
created_by	Object	Details of the user who added the comment.
modified_by	Object	Details of the user who last updated the comment.
mentioned_users	List of UUID	List of `user_id` of users mentioned in the comment.
mentioned_users_data	List of Objects	Details of the users mentioned in the comment.
created	Datetime	Comment creation time in EPOCH time format.
modified	Datetime	Comment last updated time in EPOCH time format.
comment_type	String	Type of Comment. Examples: `discussion`: Notes added in an incident. `handoff`: Handoff notes added while updating the assignee or assigned group. `closure`: Closure Notes added while closing an incident.
content_object	String	Component in which the comment is added. Example: `incident`, `action`, `ioc`, and so on.
content_object_readable_id	String	`readable_id` of the incident in which comment is added
content_object_unique_id	String	`unique_id` of the incident in which comment is added
description_with_img_src	Text	Content of the content with the image URLs (if any image is added in the comment).
Pinned	Boolean	Shows if the comment is pinned or not.

Action: List Countries

This action retrieves a list of countries from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page_size (int): default value is 10
page (int): default value is 1

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action: List Custom Module Entries

This action retrieves all the entries of a custom module with their details.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier

Enter the component identifier of the module.

Example:

module21

Text

Required

You can retrieve the list of components and their component identifiers using the following action:

List Custom Modules

Example Request

[
  {
    "component_identifier": "module21" 
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of entries of the custom module in CFTR application as per the filters applied.
`results`	List of Objects	Details of the entries of the custom module. Each object provides details of one entry.
`unique_id`	String	Unique ID of the entry in UUID-4 format.
`readable_id`	String	Unique readable ID of the entry. It starts with the configured Module Identifier followed by a unique number.
`created`	String	Creation date and time of the entry.
`modified`	String	Last updated date and time of the entry.
`labels`	List	List of labels added to the entry.
`modified_by_user_id`	String	UUID of the user who last modified the custom module entry.
`created_by_user_id`	String	UUID of the user who created the custom module entry.
`title`	Text	Title of the entry.
`description`	Text	Description of the entry.
`status`	String	Current status of the entry.
`status_data`	Object	Details of the status of the entry. Details include: `unique_id`, `option_name`, `is_active`, and so on.
`is_bookmarked`	Boolean	Shows if the entry is bookmarked or not.
`modified_by_data`	Object	Details of the user who last updated the entry. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
`created_by_data`	Object	Details of the user who created the entry. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
`labels_data`	List of Objects	Details of labels added to the entry. Details include: `title`, `unique_id`, `color_code`, and so on.
`is_bookmarked`	Boolean	Displays whether the entry is bookmarked or not.
`is_removed`	Boolean	Displays whether the custom module entry is in the deleted state or not.
`readable_id_counter`	Integer	Unique number of the entry.

Action: List Custom Modules

This action retrieves the list of custom modules.

Action Input Parameters

There are no input parameters required for this action.

Action Response Parameters

Parameter	Type	Description
link	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
count	Integer	Total number of custom modules in CFTR application according to the filters applied.
results	List of Objects	Details of the custom modules. Each object provides details of one incident.
`component_identifier`	String	Component identifier of a custom module. Example, MOD.
`module_name`	String	Name of the custom module.
`icon`	String	The icon identifier that is being used for the custom module.
`unique_id`	String	Unique ID of the custom module.
`is_removable`	Boolean	Shows whether the custom module can be deleted or not. `- true` indicates that there is no entry created for the module and the module can be deleted. `- false` indicates that entries for the custom module are already created and the module cannot be deleted.

Action: List Devices

This action retrieves a list of devices from the Devices module.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10
business_units
created_date__gte
created_date__lte
labels
modified_date__gte
modified_date__lte
locations
endpoint_status

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action: List Enhancements

This action retrieves a list of enhancements.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10
status
created_date__gte
created_date__lte
labels
modified_date__gte
modified_date__lte
incidents
campaigns
created_by

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
link	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
count	Integer	Total number of enhancements in the CFTR application as per the filters applied.
results	List of Objects	Details of the enhancements. Each object provides details of one enhancement.
unique_id	String	Unique ID of the enhancement in UUID-4 format.
readable_id	String	Unique readable ID of the enhancement. It starts with `ENH`followed by a unique number. Example: ENH101
created	String	Enhancement creation date and time.
description	Text	Description of the enhancement.
modified	String	Last updated date and time of the enhancement.
title	Text	Title of the enhancement.
status	String	Current status of the enhancement. Allowed values: - `open` - `closed`
priority	String	Priority level of the enhancement.
priority_data	Object	Details of the priority assigned. Details include: `unique_id`, `option_name`, and so on.
is_bookmarked	Boolean	Shows if the enhancement is bookmarked or not.
modified_by_data	Object	Details of the user who last updated the enhancement. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
assigned_group	String	Unique ID of the assigned user group of the enhancement in UUID-4 format.
assigned_group_data	Object	Details of the assigned user group. Details include: `group name` and `group ID`.
created_by_data	Object	Details of user who created the enhancement. Details include `username`, `email` ,`first_name`, `last_name`, and so on.
assigned_to	String	Unique ID of the assigned user of the enhancement in UUID-4 format.
assigned_to_data	Object	Details of the assigned user. Details include `username`, `email` ,`first_name`, `last_name`, and so on.
labels	List of Strings	List of Unique IDs of the labels associated with the enhancement in UUID-4 format.
labels_data	List of Objects	Details of labels added to the enhancement. Details include `title`, `unique_id`, `color_code`, and so on.
enhancement_type	List of Strings	Option name of the enhancement types associated with the enhancement.
enhancement_type_data	List of Objects	Details of the enhancement types associated with the enhancement.

Action: List Incidents

This action retrieves a list of incidents from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in the form of key-value pairs to filter the results.

Key Value

Optional

Allowed values:

q (str), page (int): by default, the value is 1, page_size (int): by default, the value is 10, status (str): open, closed, untriaged, merged, participant (bool), self_assigned_groups (bool), self_assigned (bool), bookmarked (bool), mentioned (bool), assigned_to (bool), is_protected (bool), is_paused (bool), attack_techniques (id), attack_tactics (id), phase (str), business_units (id), created_by (id), detection_date__gte (epochtime), detection_date__lte (epochtime), incident_date__gte (epochtime), incident_date__lte (epochtime), modified_date__gte (epochtime), modified_date__lte (epochtime), created_date__gte (epochtime), created_date__lte (epochtime), locations (id), level (str): type of severity, kill_chain_phase (id), labels (id), created_date__n_months (int): 3, 6, created_date__n_days (int): 7, 30, 90, resolution_overdue (bool), assignment_overdue (bool)

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10,
      "status": "open"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	JSON Object	This parameter may include the following keys: `previous` key shows the API endpoint to the previous page of the response. `next` key shows the API endpoint to the next page of the response.
`count`	Integer	Total number of incidents in CFTR application according to the filters applied.
`results`	Array of JSON Objects	List of incident details. Each object provides details of one incident.
`results[x].unique_id`	String	Unique ID of the Incident in UUID-4 format.
`results[x].readable_id`	String	Unique readable ID of the incident. It starts with INC followed by a unique number.
`results[x].created`	String	Incident creation date and time in Epoch format.
`results[x].description`	String	Description of the Incident.
`results[x].modified`	String	Last updated date and time of the incident.
`results[x].title`	String	Title of the incident.
`results[x].machine_generated`	Boolean	True: Incident is considered machine generated when it is generated using the CFTR OpenAPI. False: Incident created manually.
`results[x].status`	String	Current status of the incident. Possible values: open, closed, untriaged, merged
`results[x].closed_on`	String	Date and time when the incident was closed. If incident is not closed, value of this param will be null.
`results[x].title_display`	String	Title of the incident.
`results[x].is_protected`	Boolean	Returns true if the incident is marked as protected.
`results[x].level`	String	Severity level of the incident.
`results[x].phase`	String	Current phase of the incident.
`results[x].is_paused`	Boolean	Returns true if the incident is paused.
`results[x].opened_on`	String	Date and time when the incident was opened. If incident is not opened yet, value of this param will be null.
`results[x].assignment_sla`	JSON Object	Assignment SLA details of the incident. It has two keys: 1. `color`: Associated color code(according to SLA breach level). 2. `data`: It has two keys: - `sla_duration`: SLA Breach time. - `elapsed_time`: Time elapsed between incident opening and SLA completion.
`results[x].resolution_sla`	JSON Object	Resolution SLA details of the incident. It has two keys: 1. `color`: Associated color code(according to SLA breach level). 2. `data`: It has two keys: - `sla_duration`: SLA Breach time. - `elapsed_time`: Time elapsed between incident opening and SLA completion.
`results[x].is_bookmarked`	Boolean	Shows if the incident is bookmarked or not.
`results[x].resolution_due_date`	Timestamp	Resolution SLA breach date of the incident.
`results[x].opened_by_data`	JSON Object	Details of the user who opened the incident. Details include: `username`, `email` ,`first_name`, `last_name`, and `user_id`.
`results[x].parent_data`	JSON Object	Details of the parent incident if the incident is merged. Details include: `title`, `unique_id`, and `readable_id`.
`results[x].modified_by_data`	JSON Object	Details of the user who last updated the Incident. Details include: `username`, `email` ,`first_name`, `last_name`, and `user_id`.
`results[x].assigned_group_data`	JSON Object	Details of the assigned user group. Details include: group name and group ID.
`results[x].created_by_data`	JSON Object	Details of the user who created the incident. Details include: `username`, `email` ,`first_name`, `last_name`, and `user_id`.
`results[x].assigned_to_data`	JSON Object	Details of the assigned user. Details include: `username`, `email` ,`first_name`, `last_name`, and `user_id`.
`results[x].labels_data`	Array of JSON Objects	Details of labels added to the incident. Details include: `title`, `unique_id`, `color_code`, and more.
`results[x].business_units_impacted_data`	JSON Object	Details of business unit impacted by the incident. Details include: `title` and `unique_id` of the business unit.
`results[x].locations_impacted_data`	Array of JSON Objects	Details of locations impacted by the incident. Details include: `title` and `unique_id`.
`results[x].phase_data`	JSON Object	Details of the current phase of the incident. Details include: `option_name`: The name of the phase `unique_id`: Unique ID of the phase
`results[x].ie_incident_type_data`	JSON Object	Details of the incident type associated with the incident. Details include: `option_name`, `unique_id,` and more.
`results[x].ie_incident_type`	String	Incident type associated with the incident.
`results[x].level_data`	JSON Object	Details of the severity level of the incident. Details include: `option_name`, `unique_id`, and more.
`results[x].kill_chain_phase`	String	Current kill chain phase of the incident.
`results[x].kill_chain_phase_data`	JSON Object	Details of the kill chain phase of the incident. Details include: `unique_id`, `option_name`, and more.
`results[x].ie_motives_data`	Array of JSON Objects	Details of the motivations of the incident. Details include: `unique_id`, `option_name`, and more.
`results[x].ie_motives`	Array	List of motivations of the incident.
`results[x].applicable_compliance_data`	Array of JSON Objects	Details of the compliance standards that are applicable to the incident. Details include: `unique_id`, `option_name`, and more.
`results[x].applicable_compliance`	Array	List of compliance standards that are applicable to the incident.
`results[x].ie_root_cause_data`	JSON Objects	Details of the root cause of the incident.
`results[x].ie_root_cause`	String	Root cause of the incident.

Action: List Incident Workflows

This action retrieves a list of all the incident workflows with the details from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in the form of key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int)
page_size (int)
schema_type(text)

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the Incident Workflow.
`description`	String	Description of the Incident Workflow.
`unique_id`	String	Unique Identifier String of UUID-4 format of the Incident Worflow.
`schema_type`	String	Defines the state of Incident Workflow as `draft` OR `published`.
`status`	String	Describes the state of Incident Workflow as `active` or `inactive`.
`is_default`	Boolean	Determines whether the Incident Workflow is the default one or not.
`object_identifier`	String	Determines the string name for Incident Module.
`phase_flow`	String	Determines the selected flow of Workflow phases as `linear` or `non-linear`.
`created`	String	Timestamp String in ISO Format describing the date-time of creation of the Incident Workflow.
`modified`	String	Timestamp String in ISO Format describing the date-time of latest modification of the Incident Workflow.
`created_by`	String	`user_id` in UUID-4 format of the user who created the Incident Workflow.
`modified_by`	String	`user_id` in UUID-4 format of the User who lastly modified the Incident Workflow.
`created_by_data`	Object	Basic details of the user who created the Incident Workflow.
`modified_by_data`	Object	Basic details of the user who lastly modified the Incident Workflow.
`is_removed`	Boolean	Determines whether the Workflow is in deleted state or not.
`is_mapped`	Boolean	Determines whether the Incident Workflow has been mapped to parent parameters or not.
`num_of_phases`	Integer	Determines the number of phases present in the Incident Workflow.
`is_imported`	Boolean	Determines if the Workflow is imported or not.

Action: List Locations

This action retrieves a list of locations from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of locations in CFTR application according to the filters applied.
`results`	List of Objects	Details of the location. Each object provides details of one location.
`title`	String	The title of the location.
`unique_id`	String	Unique ID of the location in UUID-4 format.
`country`	String	Unique ID of the corresponding country in UUID-4 format.
`country_data`	Object	Details of the corresponding country.
`country_data.title`	String	The name of the Country.
`country_data.unique_id`	String	Unique ID of the corresponding country in UUID-4 format.
`state`	String	Unique ID of the corresponding state in UUID-4 format.
`state_data`	Object	Details of the corresponding state.
`state_data.title`	String	The name of the State.
`state_data.unique_id`	String	Unique ID of the corresponding state in UUID-4 format.
`city`	String	Name of the city.
`site`	String	Name of the site.
`pincode`	String	PIN code of the site.
`created`	String	Creation date and time of the location in ISO format.
`modified`	String	Last modified date and time of the location in ISO format.
`is_active`	Boolean	Shows if the location is active or not.
`Longitude`	String	Unique ID of the longitude of the location.
`Latitude`	String	Unique ID of the lantitude of the location.

Action: List Malware

This action retrieves a list of malware.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Query Parameters	Enter the query parameters in key-value pairs to filter the results.	Key Value	Optional	Allowed values: q (str) page (int): default value is 1 page_size (int): default value is 10 created_date__gte file_type first_seen__gte first_seen__gte first_seen__lte created_date__lte labels modified_date__gte modified_date__lte status platform type

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of malware for activity logs of a component in CFTR.
`results`	List of Objects	Details of the malware for activity logs. Each object provides details of one malware.
`unique_id`	String	Unique ID of the malware.
`readable_id`	String	Readable ID of the malware.
`created`	String	Created date of the malware in EPOCH time format.
`modified`	String	Last modified date of the malware in EPOCH time format.
`title`	String	Title of the malware.
`status`	String	Status of the malware.
`is_bookmarked`	Boolean	Shows if the malware is bookmarked or not.
`created_by_data`	Object	Details of the user who created the malware. Details include: username, email, first name, last name, and so on.
`title_display`	String	Title of the malware.
`labels`	Object	Unique IDs of the associated labels.
`labels_data`	Object	Details of the associated labels, such as unique_id, title, color_code, and so on.
`type_data`	Object	Details of the type of malware.
`type`	Object	Type of the malware.
`file_type_data`	Object	Details of malware file type.
`file_type`	Object	Malware file type. For example, exe, bat, dll, zip, and so on_._
`platform_data`	Object	Details of platform affected by the malware.
`platform`	Object	Lists platforms affected by malware. For example, Windows, Windows XP, and so on.

Action: List Manufacturers

This action retrieves a list of manufacturers from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of manufacturers in the CFTR application according to the filters applied.
`results`	List of Objects	Details of the manufacturers. Each object provides details of one manufacturer.
`title`	String	The title of the manufacturer.
`unique_id`	String	Unique ID of the manufacturer in UUID-4 format.
`readable_id`	String	Unique readable ID of the manufacturer. It starts with MFR followed by a unique number. Example: "MFR101"
`description`	Text	Description of the manufacturer.
`created`	String	Creation date and time of the manufacturer in ISO format.
`modified`	String	Last modified date and time of the manufacturer in ISO format.

Action: List OS Types

This action retrieves a list of operating system (OS) types from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action: List PIRs

This action retrieves a list of PIRs (Priority Intel Requirement) using the ID of the PIR.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10
created_date__gte
created_date__lte
labels
modified_date__gte
modified_date__lte
locations
status
priority
incidents

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` key shows the API endpoint to the next page.
`count`	Integer	The total number of PIRs returned as per the entered query parameters.
`results`	List of Objects	Details of the PIRs. Each object provides the details of one PIR.
`title`	String	Title of the PIR.
`unique_id`	String	Unique ID of the PIR in UUID-4 format.
`readable_id`	String	Readable ID of the PIR.
`description`	Text	Description of the PIR.
`created`	String	Creation date and time of the PIR in ISO format.
`modified`	String	Last updated date and time of the PIR in ISO format.
`status`	String	Current status of the PIR. Allowed values: `open` `closed`
`created_by_data`	Object	Details of user who created the PIR.
`closed_by`	String	`user_id` of the user who closed the PIR.
`closed_by_data`	Object	Details of user who closed the PIR.
`closed_on`	String	Closing date and time of the PIR in ISO format.
`is_bookmarked`	Boolean	Shows whether the PIR is bookmarked or not.
`labels`	List of String	List of `unique_id` of the attached labels.
`labels_data`	List of Objects	Details of the attached labels.
`priority`	String	Priority level of the PIR. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority_data`	Object	Details of the priority of the PIR.
`assigned_to`	List of Stings	List of Unique IDs of the assigned users in UUID-4 format.
`assigned_to_data`	List of Objects	Details on the list of assigned users of the PIR. Details include: `username`, `email`, `first_name`, `last_name`, and so on.
`assigned_group`	String	Unique ID of the assigned user group in UUID-4 format.
`assigned_group_data`	Object	Details of the assigned user group. Details include: `group name` and `group ID`

Action: List Sources

This action retrieves a list of sources from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

Page: 10

Key Value

Optional

Allowed values:

q (string)
page (integer): By default, the value is 1
page_size (integer): By default, the value is 10

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of sources in CFTR application according to the filters applied.
`results`	List of Objects	Details of the source. Each object provides details of one source.
`value`	String	The name of the source.
`source_type`	String	Unique ID of the source type in UUID-4 format.
`source_display_name`	String	Display name of the source.
`unique_id`	String	Unique ID of the source in UUID-4 format.
`created`	String	Creation date and time of the source in ISO format.
`modified`	String	Last modified date and time of the source in ISO format.
`source_type_data`	Object	Details of the source type.
`source_type_data.unique_id`	String	Unique ID of the source type in UUID-4 format .
`source_type_data.created`	String	Creation date and time of the source type in ISO format.
`source_type_data.title`	String	The title of the source type.

Action: List Threat Actors

This action retrieves a list of threat actors.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Query Parameters	Enter the query parameters in the form of key-value pairs to filter the results.	Key Value	Optional	Allowed values: q (str) page (int): by default, the value is 1 page_size (int): by default, the value is 10

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of Business Units in CFTR application according to the filters applied.
`results`	List of Objects	Details of the Business Unit. Each object provides details of one Business Unit.
`title`	String	Title of the threat actor.
`unique_id`	String	Unique ID of the threat actor.
`readable_id`	String	Readable ID of the threat actor.
`description`	Text	Description of the threat actor.
`created`	String	Creation time of the threat actor in ISO format.
`modified`	String	Last Updated time of the threat actor in ISO format.
`status`	String	Current status of the threat actor. Allowed values: `open` `closed`
`risk`	String	Risk associated with the threat actor. Allowed Values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority`	String	Priority of the threat actor. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`created_by_data`	Object	Details of user who created the threat actor.
`closed_by`	String	`user_id` of the user who closed the threat actor.
`closed_by_data`	Object	Details of user who closed the threat actor.
`closed_on`	String	Closing date of the threat actor in ISO format.
`is_bookmarked`	Boolean	Shows whether the threat actor is bookmarked or not.

Action: List Threat Briefings

This action retrieves a list of threat briefings.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in the form of key-value pairs to filter results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): by default, the value is 1
page_size (int): by default, the value is 10,
status (str): inactive, active
bookmarked (bool)
mentioned (bool)
business_units (id)
created_by (id)
created_date__gte (epochtime)
created_date__lte (epochtime)
locations (id)
labels (id)
briefing_frequency (str)

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10,
      "status": "ACTIVE"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` key shows the API endpoint to the next page.
`count`	Integer	The total number of Threat Briefings returned as per the entered query parameters.
`results`	List of Objects	Details of the Threat Briefings. Each object provides the details of one Threat Briefing.
`unique_id`	String	Unique ID of the Threat Briefing.
`readable_id`	String	Readable ID of the Threat Briefing.
`title`	String	Title of the Threat Briefing.
`description`	Text	Description of the threat briefing.
`status`	String	Current status of the Threat Briefing. Allowed values: - ACTIVE - INACTIVE
`created`	String	Created date and time of the Threat Briefing.
`modified`	String	Last updated date and time of the Threat Briefing.
`title_display`	String	Title of the Threat Briefing.
`is_bookmarked`	Boolean	Shows whether the Threat Briefing is bookmarked or not.
`labels`	List	List of `unique_id` of the attached labels.
`labels_data`	List of Objects	Details of the attached labels.
`locations_data`	List of Objects	Details of the locations linked to the Threat Briefing.
`business_units_data`	List of Objects	Details of the business units linked to the Threat Briefing.
`created_by`	String	Unique ID of the user who created the Threat Briefing.
`created_by_data`	Object	Details of the user who created the Threat Briefing.

Action: List Threat Intel (IOCs)

This action retrieves a list of threat intel (IOCs).

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in the form of key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
type (str): ioc_ip, ioc_url, ioc_domain, ioc_md5, ioc_sha1, ioc_sha256, ioc_email,
modified_date__gte (epoch)
created_date__gte (epoch)
created_date__lte (epoch)
only_count (bool)
labels (ID)
tlp (str): red, amber, green, white
status (str): cleaned, blocked, malicious, false_positive, whitelisted, none
page (int): by default, the value is 1
page_size (int): by default, the value is 10

Example Request

[
  {
    "query_params":
    {
      "type": "ioc_domain",
      "tlp": "RED",
      "status": "cleaned",
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of Threat Intels in CFTR application.
`results`	List	Details of the Threat Intels. Each object provides details of one Threat Intel.
`value`	String	Value of the Threat Intel.
`unique_id`	String	Unique ID of the Threat Intel in UUID-4 format.
`created`	String	Creation date and time of the Threat Intel.
`modified`	String	Last updated date and time of the Threat Intel.
`tlp`	String	TLP associated with the Threat Intel. Allowed values: `RED` `AMBER` `GREEN` `WHITE`
`incidents_data`	List of Objects	Details of Incidents associated with the Threat Intel. Details include: `unique_id`, `readable_id`, and `title`.
`status`	String	Current status of the Threat Intel. Allowed values: `cleaned` `blocked` `malicious` `false_positive` `whitelisted` `none`
`labels_data`	List of Objects	Details of labels added to the Threat Intel. Details include `title`, `color_code`, `unique_id`, `created`, and `modified`.
`malwares_data`	List of Objects	Details of the Malware associated with the Threat Intel. Details include: `unique_id`, `readable_id`, and `title`.
`threat_actors_data`	List of Objects	Details of Threat Actors associated with the Threat Intel.
`vulnerabilities_data`	List of Objects	Details of Vulnerabilities associated with the Threat Intel. Details include: `unique_id`, `readable_id`, and `title`.
`actions_count`	Integer	Number of Actions added to the Threat Intel.
`notes_count`	Integer	Number of comments added to the Threat Intel.
`ioc_type`	String	`unique_id` of the Indicator type.
`ioc_type_data`	Object	Details of the Indicator type.

Action: List User Groups

This action retrieves a list of user groups from the application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10
permission_comm_id
permission_code

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` shows the API endpoint to the next page.
`count`	Integer	Total number of User Groups in CFTR application as per the query parameters.
`results`	List of Objects	Details of the User Groups. Each object provides details of one User Group.
`group_comm_id`	String	Unique ID of the User Group in UUID-4 format.
`group_name`	String	Name of the User Group.
`description`	Text	Description of the User Group.
`permissions`	List of Objects	List of permission objects of the usser group. Each object includes the details of one permission.
`created_by`	Object	Unique ID of the user who created the user group.
`user_count`	Positive Integer	Number of users assigned to the user group.
`permission_count`	Positive Integer	Count of the number of `permissions`configured for the user group.
`is_active`	Boolean	Shows whether the user group is currently active or not.
`is_editable`	Boolean	Shows whether the user group is editable or not.
`created`	Integer	Creation date and time of the user group in EPOCH time format.
`ciims_user_set`	List of Strings	List of unique IDs of the users assigned to the user group in UUID-4 format.
`ciims_user_set_data`	List of Objects	Details of the users assigned to the user group. Each object includes the details of one user.
`group_cost`	Float	Analyst cost associated with the users of the user group. The default cost is configured as per the daily rate.
`playbook_tags`	List of Strings	List of unique IDs of the Cyware Orchestrate Playbook tags added to the user group in UUID-4 format.
`playbook_tags_data`	List of Objects	Details of the Playbook tags. Each object includes the details of one Playbook tag.
`is_readonly_group`	Boolean	Shows whether the group is read-only or not.
`saml_associated_groups`	String	SAML groups associated with the user group
`permissions.permission_comm_id`	String	Unique ID of the permission in UUID-4 format.
`permissions.display_name`	String	Display name of the permission.
`permissions.code_name`	String	Unique string of the permission.
`permissions.grant`	String	Level of grant associated with each permission in CFTR. Allowed values: -`ALLOWED:` Permissions that are provided by default. -`DISALLOWED:` Permissions that cannot be provided while creating a group. -`SELECTABLE:` Permission that can be configured while creating a group.
`permissions.verbose_name`	String	Verbose name given to the permission.
`playbook_tags_data.unique_id`	String	Unique ID of the Playbook in UUID-4 format.
`playbook_tags_data.title`	String	Title of the Playbook.
`playbook_tags_data.description`	Text	Description of the Playbook.

Action: List Vulnerabilities

This action retrieves a list of vulnerabilities.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query Parameters

Enter the query parameters in key-value pairs to filter the results.

Example:

page: 10

Key Value

Optional

Allowed values:

q (str)
page (int): default value is 1
page_size (int): default value is 10
created_date__gte
created_date__lte
labels
modified_date__gte
modified_date__lte
status
priority
type

Example Request

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`link`	Object	This parameter has two keys: `previous` and `next`. `previous` key shows the API endpoint to the previous page. `next` key shows the API endpoint to the next page.
`count`	Integer	Total number of vulnerabilities returned as per the entered query parameters.
`results`	List of Objects	Details of the vulnerabilities. Each object provides the details of one vulnerability.
`unique_id`	String	Unique ID of the vulnerability.
`readable_id`	String	Readable ID of the vulnerability. For example, VUL115.
`title`	String	Title of the vulnerability.
`status`	String	Current status of the vulnerability. Allowed values: - `open` - `closed`
`created`	String	Created date of the vulnerability.
`modified`	String	Last updated date of the vulnerability.
`title_display`	String	Title of the vulnerability.
`is_bookmarked`	Boolean	Shows whether the vulnerability is bookmarked or not.
`labels`	List	List of `unique_id` of the attached labels.
`labels_data`	List of Objects	Details of the attached labels.
`risk_data`	Object	Details of risk associated with the vulnerability.
`risk`	String	Risk level associated with the vulnerability. Allowed Values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`risk_data`	Object	Details of the risk associated with the vulnerability.
`priority_data`	Object	Details of the priority of the vulnerability.
`priority`	String	Priority level of the vulnerability. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`

Action: Merge Incidents

This action merges incidents with a parent incident.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Parent Incident ID

Enter the unique ID of the parent incident.

Example:

af043f9f-27d9-4f0d-8f38-9c4788a7e35b

Text

Required

You can retrieve the list of incidents and their IDs using the following action:

Get Incidents

Child Incidents

Enter the unique ID of the child incidents to be merged with the parent incident.

Example:

af043f9f-27d9-4f0d-8f38-9c4788a7e35f

List

Required

Template ID

Enter the template ID of the child incidents to merge with the parent incident.

Example:

af043f9f-27d9-4f0d-8f38-9c4788a7e35e

Text

Required

You can retrieve the list of templates and their IDs using the following action:

Get Templates

Action Response Parameters

Parameter	Type	Description
response	Integer	Status code 200 for a successful merging of incidents.

Action: Update Action Details

This action updates the details of an action using the ID of the action.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Action ID

Enter the unique ID of the action.

Example:

f0900171-be25-490e-bddc-fa8bf29d6453

Text

Required

You can retrieve the list of actions and their IDs from the application using the following action:

Get Actions

Additional Information

Enter the additional information in the form of key-value pairs.

Example:

status: open

Key Value

Optional

Readable Type

Select true to enter the readable type values. This allows you to update actions using the values of assigned groups, labels, and the email IDs of assigned users.

Boolean

Optional

Default value:

false

Example Request

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "open"
    }
  }
]

Action Response Parameters

Parameters	Type	Description
`title`	String	The title of the action.
`unique_id`	String	Unique ID of the action.
`created`	String	Created date of the action in EPOCH time format.
`modified`	String	Last modified date of the action in EPOCH time format.
`description`	String	Description of the action.
`assigned_to`	String	`User_id` of the assigned user.
`assigned_to_data`	Object	Details of the assigned user.
`assigned_group`	String	`Group_comm_id` of the assigned user group.
`assigned_group_data`	Object	Details of the assigned user group. Details include: group_comm_id, group_name.
`status`	String	Status of the action.
`readable_id`	String	Readable ID of the action. For example, ACT379.
`created_by_data`	Object	Details of the user who created the action. Details include: username, email ,first name, last name, and so on.
`can_update_instance`	Boolean	Shows whether the instance can be updated by the user who requested it or not.
`is_bookmarked`	Boolean	True: Action is bookmarked. False: Action is not bookmarked.
`closed_by_data`	Object	Details of the user who closed the action. Details include: username, email ,first name, last name, and so on.
`closed_on`	String	Closure date of the action in EPOCH time format.
`resolved_on`	String	Resolved date of the action in EPOCH time format.
`assignment_sla`	String	Details of assignment SLA details of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion.
`resolution_sla`	String	Details of resolution SLA of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion.
`resolution_due_date`	String	Resolution due date of the action.
`sla_stopped_on`	String	Date and time at which the SLA stopped for the action.
`type`	String	Type of the action.
`priority`	String	Priority level of the action
`type_data`	Object	Details of the type of the action.
`priority_data`	Object	Details of the priority level of the action.
`created_from_template`	Boolean	Shows if the action is created using a template or not.
`users`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`softwares`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`applications`	Array of UUID-4 Strings	Array of UUID-4 strings containing unique IDs of connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`incidents_data`	Object	Details of the connected incidents.
`malwares_data`	Array of Objects	Details of the connected malware.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.

Action: Update Asset Application Details

This action updates the details of an application using the ID of the application and additional fields.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Application ID

Enter the unique ID of the application.

Example:

a8007b20-bf76-4ce8-a761-45a453512479

Text

Required

You can retrieve the list of applications and their IDs using the following action:

Get Asset Applications

Additional Information

Enter the details in key-value pairs to be updated in the asset application.

Example:

status: active

Key Value

Optional

Readable Type

Select true to enter the readable type values. This allows you to update applications using the values of locations, business units, and labels.

Boolean

Optional

Default value:

false

Example Request

[
  {
    "unique_id": "Example Unique ID",
    {
        "extra_fields":
        {
          "title": "VirusTotal",
          "created": "2021-07-23T11:36:59.803613Z",
          "modified": "2021-07-23T11:36:59.803613Z",
          "status": "active"
        }  
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the application.
`created`	String	Application creation date and time.
`modified`	String	Application last updated date and time.
`title`	String	Title of the application.
`version`	Float	Version of the application.
`title_display`	String	Title of the application.
`readable_id`	String	Readable ID of the application.
`status`	String	Current status of the the application.
`application_type`	String	Type of the application. For example, Security.
`application_status`	String	Status of the application. For example, Live.
`production_date`	String	Production date of the application.
`created_by`	String	`user_id` of the user who created the application.
`created_by_data`	Object	Details of user who created the application.
`labels`	List	List of `unique_id` labels that are added to the application.
`labels_data`	List of Objects	Details of the labels that are added to the application.
`business_units_data`	List of Objects	Details of business units that are impacted by the application
`locations_data`	List of Objects	Details of locations that are impacted by the application.
`application_url`	URL	URL of the application.
`owner_data`	Object	Details of the owner of the application.
`owner`	String	UUID of the application owner.
`manager_data`	Object	Details of the manager of the application.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.

Action: Update Asset Software Details

This action modifies the details of an asset software.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Asset Software ID

Enter the unique ID of the asset software.

Example:

b251f6a2-a5b8-41d6-aaf6-8f59ad72d6e3

Text

Required

You can retrieve the list of assets and their IDs using the following action:

Get Asset Software List

Additional Information

Enter the details in key-value pairs to be updated in the asset software.

Example:

status: open

Key Value

Optional

Example Request

[
  {
    "unique_id": "b251f6a2-a5b8-41d6-aaf6-8f59ad72d6e3",
    {
        "extra_fields":
        {
          "title": "Desktop Computer",
          "created": "2021-07-23T11:36:59.803613Z",
          "modified": "2021-07-23T11:36:59.803613Z",
          "software_status": "active"
        }  
      }
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the software.
`created`	String	Software creation date and time.
`modified`	String	Software last updated date and time.
`title`	String	Name of the software.
`software_id`	String	ID of the software.
`software_type`	List	Type of the software. For example, Development Software.
`title_display`	String	Name of software.
`readable_id`	String	Readable ID of software. For example, SFT115.
`software_status`	String	Current status of the software.
`purchase_date`	String	Purchase date of the software.
`created_by`	String	`user_id` of the user who created the software.
`created_by_data`	Object	Details of user who added the software.
`labels`	List	List of `unique_id` labels that are added to the software.
`labels_data`	List of Objects	Details of the labels that are added to the software.
`business_units_data`	List of Objects	Details of business units that are impacted by the software
`locations_data`	List of Objects	Details of locations that are impacted by the software.
`software_type_data`	Object	Details of the software type.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities .
`malwares`	Array of UUID Strings	List of `unique_id` of the connected connected malwares.
`malwares_data`	Array of Objects	Details of the connected malwares .
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected connected devices.
`endpoint_data`	Array of Objects	Details of the connected devices.

Action: Update Asset User Details

This action updates the details of an asset user.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Asset User ID

Enter the unique ID of the asset user.

Example:

b3184a17-e59f-46cb-82c3-d8aabbefff7e

Text

Required

You can retrieve the list of asset users and their IDs using the following action:

Get Asset Users

Additional Information

Enter the details in key-value pairs to update the asset user.

Example:

location: New York

Key Value

Optional

Readable Type

Select true to enter the readable type values. This allows you to create assets using the values of labels, and business units.

Boolean

Optional

Default value:

false

Example Request

[
  {
    "unique_id": "b3184a17-e59f-46cb-82c3-d8aabbefff7e",
    {
        "extra_fields":
        {
          "full_name": "John Doe"
        }  
      }
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the user.
`created`	String	User creation date and time.
`modified`	String	User last updated date and time.
`employee_name`	String	Name of the user.
`email`	String	Email ID of the user.
`display_name`	String	Name of the user.
`readable_id`	String	Readable ID of the user.
`user_status`	String	Current Status of the user.
`hire_date`	String	Hiring date of the user.
`created_by`	String	`user_id` of the CFTR user who created the asset user.
`created_by_data`	Object	Details of the CFTR user who created the asset user.
`labels`	List	List of `unique_id` of labels that are added to the user.
`labels_data`	List of Objects	Details of the labels that are added to the user.
`business_units_data`	List of Objects	Details of business units of the user.
`owned_applications`	Array of UUID Strings	List of `unique_id` of the applications owned by the user.
`owned_applications_data`	Array of Objects	Details of the applications owned by the user.
`managed_applications`	Array of UUID Strings	List of `unique_id` of the applications managed by the user.
`managed_applications_data`	Array of Objects	Details of the managed applications.
`managed_endpoints`	Array of UUID Strings	List of `unique_id` of the devices managed by the user.
`managed_endpoints_data`	Array of Objects	Details of the managed devices.
`owned_endpoints`	Array of UUID Strings	List of `unique_id` of the devices owned by the user.
`owned_endpoints_data`	Array of Objects	Details of the managed devices.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.

Action: Update Campaign Details

This action updates the details of a campaign.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Campaign ID

Enter the unique ID of the campaign.

Example:

k53ff8942-612d-4bc1-b54f-d8195c002404.

Text

Required

You can retrieve the list of campaigns and their IDs using the following action:

Get Campaigns

Readable Type

Select true to enter the readable type values. This allows you to update campaigns using the values of labels.

Boolean

Optional

Default:

false

Additional Information

Enter the additional details of the campaign in the form of key-value pairs.

Example:

description: new campaign found

Key Value

Optional

Example Request

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
    }
  }
]

Action Response Parameters

Parameter	Type	Description
unique_id	String	Unique ID of the campaign in UUID-4 format.
readable_id	String	Unique readable ID of the campaign. It starts with `CMP` followed by a unique number. Example: CMP101
created	String	Campaign creation date and time.
description	Text	Description of the campaign.
modified	String	Last updated date and time of the campaign.
title	String	Title of the campaign.
title_display	String	Title of the campaign.
status	String	Current status of the campaign. Allowed values: `ACTIVE` `INACTIVE`
is_bookmarked	Boolean	Shows if the campaign is bookmarked or not.
created_by_data	Object	Details of the user who created the campaign. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
labels	List of Strings	Unique ID of the labels associated with the campaign in UUID-4 format.
labels_data	List of Objects	Details of labels added to the campaign. Details include: `title`, `unique_id`, `color_code`, and so on.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`incidents`	Array UID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`malwares`	Array UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`actions_data`	Array of Objects	Details of the actions that are added to the campaign.
`pirs_data`	Array of Objects	Details of the PIRs that are added to the campaign.
`enhancements_data`	Array of Objects	Details of the enhancements that are added to the campaign.

Action: Update Custom Module Entry

This action updates a custom module entry.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Component Identifier

Enter the component identifier of the module.

Example:

module21

Text

Required

You can retrieve the list of custom modules and their component identifier using the following action:

List Custom Modules

Instance Unique ID

Enter the unique ID of the entry.

Example:

822c2781-8ea0-4122-8176-8995a4c81dca

Text

Required

You can retrieve the list of custom module entries and their IDs using the following action:

List Custom Module Entries

Payload

Enter the additional information to be added in the custom module entry in key-value pairs. Use the field_readable_key of the custom fields as keys.

Key Value

Required

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the entry.
`unique_id`	String	Unique ID of the entry.
`status`	String	Current status of the entry.
`description`	Text	Description of the entry.
`created_by_user_id`	String	`user_id` of the user who created the entry.
`modified_by_user_id`	String	`user_id` of the user who last modified the entry.
`created_by_data`	Object	Details of the user who created the entry.
`modified_by_data`	Object	Details of the user who last modified the entry.
`created`	String	Creation date and time of the entry.
`modified`	String	Last updated date and time of the entry.
`is_bookmarked`	Boolean	Shows if the entry is bookmarked or not.
`can_update_instance`	Boolean	Shows whether the entry can be updated by the user who requested it or not.
`labels`	Array	List of the labels that are added to the entry.
`labels_data`	Array of Objects	Details of the labels that are added to the entry.
`is_removed`	Boolean	Displays if the entry is in deleted state or not.
`status_data`	Array of Objects	Displays the details of the status of the entry.
`attachments_data`	Array of Objects	Details of each attachment of the entry.

Action: Update Device Details

This action updates the details of a device using the ID of the device.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Device ID

Enter the unique ID of the device.

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

Additional Information

Enter the details in key-value pairs to be updated in the device.

Example:

hostname: updated security device

Key Value

Optional

Readable Type

Select true to enter the readable type values. This allows you to update devices using the values of locations, business units, manufacturers, labels, and operation system types.

Boolean

Optional

Default:

false

Example Request

[
  {
    "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404",
    {
        "extra_fields":
        {
          "created": "2021-07-23T11:36:59.803613Z",
          "modified": "2021-07-23T11:36:59.803613Z",
          "hostname": "EC2AMAZ-8V2J535",
          "endpoint_status": "clean"
        }  
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the device.
`created`	String	Device creation time in EPOCH time format.
`modified`	String	Device Last Updated Time in EPOCH time format.
`serial_number`	String	Serial number of the device.
`hostname`	String	Hostname of the device.
`readable_id`	String	Readable ID of the device. For example, DVC116.
`endpoint_status`	String	Current status of the device.
`owner`	String	Owner of the device.
`physical_location`	String	Physical location of the device.
`title_display`	String	Hostname of the device
`ip_address`	Float	IP address of the device.
`created_by`	String	`user_id` of the user who created the device.
`created_by_data`	Object	Details of user who created the device. Details include: `username`, `first_name`, `last_name, user_id` and more.
`status`	String	Status of the device.
`labels`	List	List of `unique_id` labels that are added to the device.
`labels_data`	List of Objects	Details of the labels that are added to the device.
`business_units_data`	List of Objects	Details of business units that are impacted by the device.
`locations_data`	List of Objects	Details of locations that are impacted by the device.
`risk`	String	Risk level of the device.
`risk_data`	Object	Details of the risk of the device.
`priority`	String	Priority of the device.
`endpoint_type`	String	Type of the endpoint. For example, Desktop.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`owner_data`	Object	Details of the owner of device.
`manager_data`	Object	Details of the manager of device.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`actions_data`	Array of Objects	Details of the actions that are added to the device.

Action: Update Enhancement Details

This action updates the details of an enhancement using the ID of the enhancement.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Enhancement ID

Enter the unique ID of the enhancement.

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404

Text

Required

You can retrieve the list of enhancements using the following action:

Get Enhancements

Additional Information

Enter the enhancement details in the form of key-value pairs.

Example:

description: this is an important enhancement

Key Value

Optional

Readable Type

Select true to enter the readable type values. This allows you to create enhancements using the values of assigned groups, labels, and the email IDs of assigned users.

Boolean

Optional

Default value:

false

Example Request

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "closed"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
unique_id	String	Unique ID of the enhancement in UUID-4 format.
readable_id	String	Unique readable ID of the enhancement. It starts with `ENH`followed by a unique number. Example: ENH101
created	Datetime	Enhancement creation date and time.
description	Text	Description of the enhancement.
modified	Datetime	Last updated date and time of the enhancement.
title	Text	Title of the enhancement.
status	String	Current status of the enhancement. Allowed values: - `open` - `closed`
priority	String	Priority level of the enhancement.
priority_data	Object	Details of the priority assigned. Details include: `unique_id`, `option_name`, and so on.
priority_data.unique_id	String	Unique ID of the priority in UUID-4 format.
priority_data.option_name	String	Display Name of the priority
priority_data.color_code	String	Hex value of the priority display color.
is_bookmarked	Boolean	Shows if the enhancement is bookmarked or not.
modified_by_data	Object	Details of the user who last updated the enhancement. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
assigned_group	String	Unique ID of the user group the enhancement belongs to in UUID-4 format.
assigned_group_data	Object	Details of the assigned user group. Details include group name and group ID.
created_by_data	Object	Details of the user who created the enhancement. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
assigned_to	String	Unique ID of the assigned user of the enhancement in UUID-4 format.
assigned_to_data	Object	Details of the assigned user. Details include: `username`, `email` ,`first_name`, `last_name`, and so on.
labels	List of Strings	List of Unique IDs of the labels attached to the enhancement in UUID-4 format.
labels_data	List of Objects	Details of labels added to the enhancement. Details include: `title`, `unique_id`, `color_code`, and so on.
labels_data.unique_id	String	Unique ID of the label in UUID-4 format.
labels_data.option_name	String	Display name of the label
labels_data.color_code	String	Hex value of the label display color.
enhancement_type	List of Strings	Option name of the enhancement types associated with the enhancement.
enhancement_type_data	List of Objects	Details of the enhancement types associated with the enhancement.
enhancement_type_data.unique_id	String	Unique ID of the enhancement in UUID-4 format.
enhancement_type_data.option_name	String	Display Name of the enhancement type
enhancement_type_data.color_code	String	Hex value of the enhancement type display color.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
attachments_data	Array of Objects	Details of each attachment of the enhancement.

Action: Update Incident Details

This action updates the details of an incident.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Incident ID	Enter the unique ID of an incident. Example: p53ff8942-612d-4bc1-b54f-d8195c002404	Text	Required	You can retrieve the list of incidents and their IDs using the following action: Get Incidents
Incident Status	Enter the status of the incident. Example: merged	Text	Optional	Allowed values: untriaged open closed merged
Incident Phase	Enter the phase of the incident. Example: recovery	Text	Optional	Allowed values: detection analysis containment investigation and eradication recovery closure
Additional Information	Enter other incident details in the form of key-value pairs to update. Example: labels: Important	Key Value	Optional
Readable Type	Select true to enter the readable type values. This allows you to update incidents using the values of locations, business units, sources, assigned groups, and the email IDs of assigned users.	Boolean	Optional	Default value: false

Example Request

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "status": "untriaged",
    "phase": "Containment",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`{app_instance}`	JSON Object	This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved.
`app_instance.response`	JSON Object	Returns the response retrieved from the app action.
`app_instance.response.modified_by_data`	JSON Object	Details of the user who last modified the incident.
`app_instance.response.modified`	String	Last updated date and time of the incident.
`app_instance.response.update_index`	Integer	Update index of the incident.
`app_instance.status_code`	Integer	HTTP status code of the API request received from the instance.

Action: Update Malware Details

This action updates the details of a malware record using the malware ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Malware ID

Enter the unique ID of the malware.

Example:

h53ff8942-612d-4bc1-b54f-d8195c002404.

Text

Required

You can retrieve the list of malware and their IDs using the following action:

List Malware

Additional Information

Enter the additional information in the form of key-value pairs.

Example:

description: new malware found

Key Value

Optional

Example Request

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "active"
    }
  }
]

Action Response Parameters

Parameters	Type	Description
`type`	Object	Type of the malware.
`ioc_email`	Object	Unique IDs of the email IOC type.
`platform`	Object	List of affected platforms.
`ioc_ip`	Object	Unique IDs of the IP IOC type.
`ioc_md5`	Object	Unique IDs of the MD5 Hash IOC type.
`file_type`	Object	File types of the malware. For example, dll, exe, docx, zip.
`ioc_domain`	Object	Unique IDs of the domain IOC type.
`ioc_sha1`	Object	Unique IDs of the SHA1 IOC type.
`ioc_sha256`	Object	Unique IDs of the SHA256 IOC type.
`ioc_url`	Object	Unique IDs of the URL IOC type.
`unique_id`	String	Unique ID of the malware.
`readable_id`	String	Readable ID of the malware.
`created`	String	Created date of the malware in EPOCH time format.
`modified`	String	Last modified date of the malware in EPOCH time format.
`title`	String	Title of the malware.
`description`	String	Description of the malware.
`incidents`	Object	Unique ID of the linked incidents.
`status`	String	Status of the malware.
`briefings`	Object	Unique ID of the linked threat briefings.
`briefings_data`	Object	Details of the linked threat briefings.
`incidents_data`	Object	Details of the linked incidents.
`is_bookmarked`	Boolean	Shows if the malware is bookmarked or not.
`actions_data`	Object	Details of the linked actions.
`campaigns`	Object	Unique ID of the linked campaigns.
`campaigns_data`	Object	Details of the linked campaigns.
`vulnerabilities`	Object	Unique ID of the linked vulnerabilities.
`vulnerabilities_data`	Object	Details of the linked vulnerabilities.
`threat_actors`	Object	Unique ID of the linked threat actors.
`threat_actors_data`	Object	Details of the linked threat actors.
`pirs_data`	Object	Details of the linked PIRs.
`attachments_data`	Object	Details of the attachments.
`created_by_data`	Object	Details of the user who created the malware. Details include: username, email, first name, last name, and so on.
`labels`	Object	Unique ID of the linked labels.
`labels_data`	Object	Details of the linked labels.
`tactic_technique_pair_data`	Object	Details of the linked tactic technique pairs.
`first_seen`	String	Date on which malware is seen for the first time.
`last_modified`	Object	Last modified date of the malware.
`applications`	Object	Unique ID of the linked applications.
`applications_data`	Object	Details of the linked applications.
`asset_softwares`	Object	Unique ID of the linked software.
`asset_softwares_data`	Object	Details of the Linked Asset Softwares.
`endpoints`	Object	Unique ID of the linked devices.
`endpoints_data`	Object	Details of the linked devices.
`enhancements`	Object	Unique ID of the linked enhancements.
`enhancements_data`	Object	Details of the linked enhancements.
`type_data`	Object	Details of the malware type.
`file_type_data`	Object	Details of the malware file type.
`platform_data`	Object	Details of the affected platforms.

Action: Update PIR Details

This action updates a PIR (Priority Intel Requirement) record using the ID of the PIR.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

PIR (Priority Intel Requirement) ID

Enter the unique ID of the PIR.

Example:

06863326-10f4-472a-9d8e-f45f4cd2dbcd

Text

Required

You can retrieve the list of PIRs and their IDs using the following action:

Get PIRs

Additional Information

Enter the details in the form of key-value pairs.

Example:

status: open

Key Value

Optional

Readable Type

Select true to enter the readable type values. This allows you to update a PIR using the values of assigned groups, labels, and the email IDs of assigned users.

Boolean

Optional

Default:

false

Example Request

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the PIR.
`unique_id`	String	Unique ID of the PIR in UUID-4 format.
`readable_id`	String	Readable ID of the PIR.
`description`	Text	Description of the PIR.
`created`	String	Creation date and time of the PIR in ISO format.
`modified`	String	Last updated date and time of the PIR in ISO format.
`status`	String	Current status of the PIR. Allowed values: `open` `closed`
`created_by_data`	Object	Details of user who created the PIR.
`closed_by`	String	`user_id` of the user who closed the PIR.
`closed_by_data`	Object	Details of user who closed the PIR.
`closed_on`	String	Closing date and time of the PIR in ISO format.
`is_bookmarked`	Boolean	Shows whether the PIR is bookmarked or not.
`labels`	List of String	List of `unique_id` of the attached labels.
`labels_data`	List of Objects	Details of the attached labels.
`priority`	String	Priority level of the PIR. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority_data`	Object	Details of the priority of the PIR.
`assigned_to`	List of Stings	List of Unique IDs of the assigned users in UUID-4 format.
`assigned_to_data`	List of Objects	Details on the list of assigned users of the PIR. Details include: `username`, `email`, `first_name`, `last_name`, and so on.
`assigned_group`	String	Unique ID of the assigned user group in UUID-4 format.
`assigned_group_data`	Object	Details of the assigned user group. Details include: `group name` and `group ID`
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.

Action: Update Threat Actor Details

This action updates the details of a threat actor.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Actor ID

Enter the unique ID of the threat actor.

Example:

497b2aa0-11f3-44f0-9d21-2a67453d8c94

Text

Required

You can retrieve the list of threat actors using the following action:

Get Threat Actors

Additional Information

Enter the additional information in the form of key-value pairs.

Example:

description: A new threat actor found

Key Value

Optional

Example Request

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "type": "Hacktivist"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the threat actor.
`unique_id`	String	Unique ID of the threat actor.
`readable_id`	String	Readable ID of the threat actor.
`description`	Text	Description of the threat actor.
`created`	String	Creation time of the threat actor in ISO format.
`modified`	String	Last Updated time of the threat actor in ISO format.
`status`	String	Current status of the threat actor. Allowed values: `open` `closed`
`risk`	String	Risk associated with the threat actor. Allowed Values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority`	String	Priority of the threat actor. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`created_by_data`	Object	Details of user who created the threat actor.
`closed_by`	String	`user_id` of the user who closed the threat actor.
`closed_by_data`	Object	Details of user who closed the threat actor.
`closed_on`	String	Closing date of the threat actor in ISO format.
`is_bookmarked`	Boolean	Shows whether the threat actor is bookmarked or not.
`attachments_data`	Array of Objects	Details of each attachment of the threat actor.
`actions_data`	Array of Objects	Details of the actions that are added for the threat actor.
`enhancements`	Array of UUID Strings	List of the enhancements that are added for the threat actor.
`enhancements_data`	Array of Objects	Details of the enhancements that are added for the threat actor.
`pirs_data`	Array of Objects	Details of the PIRs that are added for the threat actor.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`users`	Array of UUID Strings	List of `unique_id` of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`ioc_SHA1`	Array of UUID Strings	List of `unique_id` of the connected SHA1 Threat Intels.
`ioc_SHA1_data`	Array of Objects	Details of the connected SHA1 Threat Intels.
`ioc_MD5`	Array of UUID Strings	List of `unique_id` of the connected MD5 Threat Intels.
`ioc_MD5_data`	Array of Objects	Details of the connected MD5 Threat Intels.
`ioc_SHA256`	Array of UUID Strings	List of `unique_id` of the connected SHA256 Threat Intels.
`ioc_SHA256_data`	Array of Objects	Details of the connected SHA256 Threat Intels.
`ioc_ip`	Array of UUID Strings	List of `unique_id` of the connected IP Threat Intels.
`ioc_ip_data`	Array of Objects	Details of the connected IP Threat Intels.
`ioc_url`	Array of UUID Strings	List of `unique_id` of the connected URL Threat Intels.
`ioc_url_data`	Array of Objects	Details of the connected URL Threat Intels.
`ioc_domain`	Array of UUID Strings	List of `unique_id` of the connected domain Threat Intels.
`ioc_domain_data`	Array of Objects	Details of the connected domain Threat Intels.
`ioc_email`	Array of UUID Strings	List of `unique_id` of the connected email Threat Intels.
`ioc_email_data`	Array of Objects	Details of the connected email Threat Intels.

Action: Update Threat Briefing Details

This action updates the details of a threat briefing.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Briefing ID

Enter the unique ID of the threat briefing.

Example:

w53ff8942-612d-4bc1-b54f-d8195c002404.

Text

Required

You can retrieve the list of threat briefings and their IDs using the following action:

Get Threat Briefings

Additional Information

Enter additional information in the threat briefing in the form of key-value pairs.

Example:

labels: important

Key Value

Optional

Readable Type

Select true to enter the readable type values. This allows you to update threat briefings using the values of locations, business units, and labels.

Boolean

Optional

Default value:

false

Example Request

[
  {
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "status": "Active"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`unique_id`	String	Unique ID of the Threat Briefing.
`readable_id`	String	Readable ID of the Threat Briefing.
`title`	String	Title of the Threat Briefing.
`description`	Text	Description of the threat briefing.
`status`	String	Current status of the Threat Briefing. Allowed values: - ACTIVE - INACTIVE
`created`	String	Created date and time of the Threat Briefing.
`modified`	String	Last updated date and time of the Threat Briefing.
`title_display`	String	Title of the Threat Briefing.
`is_bookmarked`	Boolean	Shows whether the Threat Briefing is bookmarked or not.
`labels`	List	List of `unique_id` of the attached labels.
`labels_data`	List of Objects	Details of the attached labels.
`locations_data`	List of Objects	Details of the locations linked to the Threat Briefing.
`business_units_data`	List of Objects	Details of the business units linked to the Threat Briefing.
`created_by`	String	Unique ID of the user who created the Threat Briefing.
`created_by_data`	Object	Details of the user who created the Threat Briefing.
`attachments_data`	Array of Objects	Details of each attachment of the Threat Briefing.
`actions_data`	Array of Objects	Details of the actions that are added for the Threat Briefing.
`enhancements`	Array of UUID Strings	List of the enhancements that are added for the Threat Briefing.
`enhancements_data`	Array of Objects	Details of the enhancements that are added for the Threat Briefing.
`pirs_data`	Array of Objects	Details of the PIRs that are added for the Threat Briefing.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`users`	Array of UUID Strings	List of `unique_id` of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`vulnerabilities`	Array of UUID Strings	List of `unique_id` of the connected vulnerabilities.
`vulnerabilities_data`	Array of Objects	Details of the connected vulnerabilities.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.

Action: Update Threat Intel (IOC)

This action updates threat intel (IOC) using the threat intel ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Intel (IOC) ID

Enter the unique ID of the threat intel (IOC)

Example:

f0900171-be25-490e-bddc-fa8bf29d6453

Text

Required

You can retrieve the list of threat intel using the following action:

Get List of Threat Intel (IOC)

Additional Information

Enter the additional information to be updated in key-value pairs.

Example:

status: cleaned

Key Value

Optional

Example Request

[
  {
    "tlp": "WHITE",
    "value": "5075f76fb61ce1a56d9b7758f97c7903796933b0b0737a274bf8d347b5fa4473",
    "status": "none",
    "created": "2021-07-30T07:35:58.756888Z",
    "ioc_type": "371b43d3-e28d-42f8-80c3-f32039d38954",
    "modified": "2021-07-30T07:35:58.756888Z",
    "unique_id": "b7392170-ea74-467c-9665-0103020cd926"
  }
]

Action Response Parameters

Parameter	Type	Description
`value`	String	Value of the Threat Intel.
`unique_id`	String	Unique ID of the Threat Intel in UUID-4 format.
`created`	String	Creation date and time of the Threat Intel.
`modified`	String	Last Updated date and time of the Threat Intel.
`geo_details`	List of Objects	Details of the location of threat intel.
`tlp`	String	TLP associated with the threat intel. Allowed values: `RED` `AMBER` `GREEN` `WHITE`
`incidents_data`	List of Objects	Details of Incidents associated with the Threat Intel. Details include: `unique_id`, `readable_id`, and `title`.
`created_by`	String	`user_id` of the user who created the Threat Intel
`status`	String	Current status of the Threat Intel. Allowed values: `cleaned` `blocked` `malicious` `false_positive` `whitelisted` `none`
`labels`	List	List of `unique_id` of labels added to the Threat Intel.
`labels_data`	List of Objects	Details of labels added to the Threat Intel. Details include `title`, `color_code`, `unique_id`, `created`, and `modified`.
`malwares_data`	List of Objects	Details of Malware associated with the Threat Intel. Details include: `unique_id`, `readable_id,` and `title`.
`threat_actors_data`	List of Objects	Details of Threat Actors associated with the Threat Intel.
`vulnerabilities_data`	List of Objects	Details of Vulnerabilities associated with the Threat Intel. Details include: `unique_id`, `readable_id`, and `title`.
`actions_count`	Integer	Number of Actions added to the Threat Intel.
`notes_count`	Integer	Number of comments added to the Threat Intel.
`ioc_type`	String	`unique_id` of the Indicator Type.
`ioc_type_data`	Object	Details of the Indicator Type.

Action: Update Vulnerability Details

This action updates the details of a vulnerability.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Vulnerability ID

Enter the unique ID of the vulnerability.

Example:

e53ff8972-618d-4bc1-b54f-d8195c002404.

Text

Required

You can retrieve the list of vulnerabilities and their IDs using the following action:

Get Vulnerabilties

Additional information

Enter the details to be updated in key-value pairs.

Example:

status: closed

Key Value

Optional

Example Request

[
  {
    "risk": "Very Low",
    "title": "Critical VUL1243",
    "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b",
    "extra_fields":
    {
      "created": "2021-07-23T11:36:59.803613Z",
      "modified": "2021-07-23T11:36:59.803613Z",
      "cvss_score":8
    }
  }
]

Action Response Parameters

Parameter	Type	Description
`title`	String	Title of the vulnerability.
`unique_id`	String	Unique ID of the vulnerability.
`readable_id`	String	Readable ID of the vulnerability.
`description`	Text	Description of the vulnerability.
`created`	String	Creation time of the vulnerability in ISO format.
`modified`	String	Last Updated time of the vulnerability in ISO format.
`status`	String	Current status of the vulnerability. Allowed values: `open` `closed`
`risk`	String	Risk associated with the vulnerability. Allowed Values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`priority`	String	Priority of the vulnerability. Allowed values: - `Very Low` - `Low` - `Medium` - `High` - `Very High`
`created_by_data`	Object	Details of user who created the vulnerability.
`closed_by`	String	`user_id` of the user who closed the vulnerability.
`closed_by_data`	Object	Details of user who closed the vulnerability.
`closed_on`	String	Closing date of the vulnerability in ISO format.
`is_bookmarked`	Boolean	Shows whether the vulnerability is bookmarked or not.
`attachments_data`	Array of Objects	Details of each attachment of the vulnerability.
`actions_data`	Array of Objects	Details of the actions that are added for the vulnerability.
`enhancements`	Array of UUID Strings	List of the enhancements that are added for the vulnerability.
`enhancements_data`	Array of Objects	Details of the enhancements that are added for the vulnerability.
`pirs_data`	Array of Objects	Details of the PIRs that are added for the vulnerability.
`applications`	Array of UUID Strings	List of `unique_id` of the connected applications.
`applications_data`	Array of Objects	Details of the connected applications.
`softwares`	Array of UUID Strings	List of `unique_id` of the connected software.
`softwares_data`	Array of Objects	Details of the connected software.
`users`	Array of UUID Strings	List of `unique_id` of the connected users.
`users_data`	Array of Objects	Details of the connected users.
`endpoints`	Array of UUID Strings	List of `unique_id` of the connected devices.
`endpoints_data`	Array of Objects	Details of the connected devices.
`briefings`	Array of UUID Strings	List of `unique_id` of the connected threat briefings.
`briefings_data`	Array of Objects	Details of the connected threat briefings.
`campaigns`	Array of UUID Strings	List of `unique_id` of the connected campaigns.
`campaigns_data`	Array of Objects	Details of the connected campaigns.
`malwares`	Array of UUID Strings	List of `unique_id` of the connected malware.
`malwares_data`	Array of Objects	Details of the connected malware.
`threat_actors`	Array of UUID Strings	List of `unique_id` of the connected threat actors.
`threat_actors_data`	Array of Objects	Details of the connected threat actors.
`incidents`	Array of UUID Strings	List of `unique_id` of the connected incidents.
`incidents_data`	Array of Objects	Details of the connected incidents.
`ioc_SHA1`	Array of UUID Strings	List of `unique_id` of the connected SHA1 Threat Intels.
`ioc_SHA1_data`	Array of Objects	Details of the connected SHA1 Threat Intels.
`ioc_MD5`	Array of UUID Strings	List of `unique_id` of the connected MD5 Threat Intels.
`ioc_MD5_data`	Array of Objects	Details of the connected MD5 Threat Intels.
`ioc_SHA256`	Array of UUID Strings	List of `unique_id` of the connected SHA256 Threat Intels.
`ioc_SHA256_data`	Array of Objects	Details of the connected SHA256 Threat Intels.
`ioc_ip`	Array of UUID Strings	List of `unique_id` of the connected IP Threat Intels.
`ioc_ip_data`	Array of Objects	Details of the connected IP Threat Intels.
`ioc_url`	Array of UUID Strings	List of `unique_id` of the connected URL Threat Intels.
`ioc_url_data`	Array of Objects	Details of the connected URL Threat Intels.
`ioc_domain`	Array of UUID Strings	List of `unique_id` of the connected domain Threat Intels.
`ioc_domain_data`	Array of Objects	Details of the connected domain Threat Intels.
`ioc_email`	Array of UUID Strings	List of `unique_id` of the connected email Threat Intels.
`ioc_email_data`	Array of Objects	Details of the connected email Threat Intels.

Action: Upload Attachment

This action uploads an attachment to a component

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Object Identifier	Enter the object identifier of the component to which you want to add an attachment. Example: incident, action	Text	Required	Allowed values: incident action vulnerabilities enhancements PIRs malware
Object Unique ID	Enter the unique ID of the object. Example: df0ce907-baca-4d21-96ae-15e63f527191	Text	Required
File Path	Enter the file path. Example: /Users/JohnDoe/Documents/security-details.txt	Text	Required
File Type	Enter the file type. Example: evidence	Text	Optional	Allowed values: artifact evidence miscellaneous Default value: artifact

Example Request

{
    "object_unique_id": "df0xxxx7-baca-4d21-96ae-15xxx7191",
    "object_identifier": "incident",
    "file_path": "/tmp/d70dd6a1-71f3-412a-9f1d-6c5d74b544fc/local_file.txt"
}

Action Response Parameters

Parameter	Type	Description
title	Text	Name of the file.
uploaded_file	URL	URL of the file from where it can be downloaded.
unique_id	String	Unique ID for the file.
created_by_data	Object	Details of the user who uploaded the file.
created	Datetime	File upload time.
modified	Datetime	File modified time.
readable_id	String	Unique readable ID of the file.
file_hash	String	Hash of the file.
file_type	String	Type of the file. I Allowed values: `artifact`: Artifact `evidence`: Evidence `miscellaneous`: Miscellaneous
file_size	Integer	Size of the file.
parent_readable_id	String	`readable_id` of the incident in which file is uploaded.
parent_component	String	Component name in which file is uploaded. Example: `incident`, `action`, and so on.
parent_unique_id	String	`unique_id` of the incident in which file is uploaded

Action: Generic Action

This is a generic action to perform any additional use case in the application.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional
Endpoint	Enter the endpoint to make the API request. Example: /cftrapi/openapi/v1/comments/	Text	Required
HTTP Method	Enter the HTTP method to make the API request. Example: GET, POST	Text	Required
Query Params	Enter query parameters to filter the results.	Key value	Optional
Payload JSON	Enter the JSON payload to pass to the API. Example: $JSON[{'data': {'type': type,'id': id}}]	Any	Optional
Payload Data	Enter the payload to pass to the API.	Any	Optional

Was this helpful?

Would you like to provide feedback? Just click here to suggest edits.

Cyware Orchestrate

Respond (CFTR)

About App

Note

Note

Configuration Parameters

Action: Add Asset Software

Action: Add Asset User

Action: Add Comment

Action: Add Comment in Custom Module (Deprecated)

Note

Action: Add Device

Action: Advanced Search for Modules

Action: Bulk Create Threat Intel (IOCs)

Action: Connect Modules

Action: Create Action

Action: Create a Malware

Action: Create a PIR

Action: Create Asset Application

Action: Create a Threat Briefing

Action: Create ATT&CK Tactic-Technique Pair

Action: Create Campaign

Action: Create Custom Module Entry

Action: Create Enhancement

Action: Create Incident

Action: Create Threat Actor

Action: Create Vulnerability

Action: Fetch Health Console Status

Action: Get Action Details

Action: Get Asset Application Details

Action: Get Assets Impacted by Vulnerability

Action: Get Asset Software Details

Action: Get Asset User Details

Action: Get ATT&CK Tactic Details

Action: Get ATT&CK Tactics

Action: Get ATT&CK Technique Details

Action: Get ATT&CK Techniques

Action: Get Business Unit Details

Action: Get Campaign Details

Action: Get CFTR User Details

Action: Get Custom Module Entry Detail

Action: Get Device Details

Action: Get Enhancement Details

Action: Get Incident Details

Action: Get Incident Summary

Action: Get Incident Workflow Details

Action: Get Label Details

Action: Get Labels

Action: Get List of Threat Intel Types

Action: Get Location Details

Action: Get Malware Details

Action: Get Manufacturer Details

Action: Get OS Type Details

Action: Get PIR Details

Action: Get Recommended Users for an Incident

Action: Get Roster

Action: Get Source Details

Action: Get Templates

Action: Get Threat Actor Details

Action: Get Threat Briefing Details

Action: Get Threat Intel (IOC) Details

Action: Get Threat Intel Form Structure

Action: Get User Group Details

Action: Get Vulnerability Details

Action: List Actions

Action: List Asset Applications

Action: List Asset Software

Action: List Asset Users

Action: List Attachments

Action: List Business Units

Action: List Campaigns

Action: List CFTR Users

Action: List Comments

Action: List Countries

Action: List Custom Module Entries

Action: List Custom Modules

Action: List Devices

Action: List Enhancements

Action: List Incidents

Action: List Incident Workflows