Respond (CFTR)
App Vendor: Cyware
App Category: Cyware Product
Connector Version: 4.0.5
API Version: CFTR v3
About App
The Respond connector app allows security teams to integrate with the Respond application, a threat response automation platform. The connector app enables analysts to perform actions related to incident response and management, threat actor management, vulnerability management, malware management, triage management, and more that help you automate threat response.
Note
Respond (v4.0.0) includes major updates that may not be compatible with previous versions. Major updates include adding new actions, deprecating a few actions, and more. We recommend you review all the playbooks and actions before upgrading.
The Respond app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Asset Software | This action adds an asset software in the Software module. |
Add Asset User | This action adds an asset user to the Users module. |
Add Comment | This action adds comments in a specific component. |
Add Comment in Custom Module (Deprecated) | This action adds a comment in the custom module. |
Add Device | This action adds a device to the Devices module. |
Advanced Search for Modules | This action retrieves a list of module entries based on the specified payload and query parameters. |
Bulk Create Threat Intel (IOCs) | This action creates multiple IOCs in the Threat Intel module. |
Connect Modules | This action connects modules to reflect in the Connect the Dots of each module. |
Create Action | This action creates an action in the application. |
Create a Malware | This action created malware in the application. |
Create a PIR | This action creates a PIR (Priority Intel Requirement). |
Create Asset Application | This action creates an asset application in the Applications module. |
Create a Threat Briefing | This action adds a new threat briefing record to the application. |
Create Attack Tactic-Technique Pair | This action creates an attack tactic and technique pair. |
Create Campaign | This action creates a new campaign in the application. |
Create Custom Module Entry | This action creates a new custom module entry. |
Create Enhancement | This action creates an enhancement. |
Create Incident | This action creates an incident. |
Create Threat Actor | This action adds a threat actor. |
Create Vulnerability | This action adds a new vulnerability. |
Fetch Health Console Status | This action retrieves the console status. |
Get Action Details | This action retrieves the details of an action using the ID of the action. |
Get Asset Application Details | This action retrieves the details of an application using the ID of the application. |
Get Assets Impacted by Vulnerability | This action retrieves the details of the assets impacted by a vulnerability. |
Get Asset Software Details | This action retrieves details of the asset software using the ID. |
Get Asset User Details | This action retrieves the details of an asset user. |
Get ATT&CK Tactic Details | This action retrieves the details of an ATT&CK tactic. |
Get ATT&CK Tactics | This action retrieves a list of ATT&CK tactics from the ATT&CK Navigator module. |
Get ATT&CK Technique Details | This action retrieves the details of an ATT&CK technique. |
Get ATT&CK Techniques | This action retrieves a list of ATT&CK techniques from the ATT&CK Navigator module. |
Get Business Unit Details | This action retrieves the details of a business unit. |
Get Campaign Details | This action retrieves the details of a campaign. |
List Actions | This action retrieves a list of actions based on the query parameters. |
List Asset Applications | This action retrieves a list of asset applications from the Applications module. |
List Asset Software | This action retrieves a list of asset software from the Software module. |
List Asset Users | This action retrieves a list of asset users from the Users module. |
List Attachments | This action retrieves the attachments of an entry. |
List Business Units | This action retrieves a list of business units. |
List Campaigns | This action retrieves a list of campaigns. |
Get CFTR User Details | This action retrieves the details of a user. |
List CFTR Users | This action retrieves a list of users from the User Management module. |
List Comments | This action retrieves the comments for an entry. |
List Countries | This action retrieves a list of countries from the application. |
Get Custom Module Entry Detail | This action retrieves the details of a custom module entry. |
Get Device Details | This action retrieves the details of a device using the ID of a device. |
List Devices | This action retrieves a list of devices from the devices module. |
Get Enhancement Details | This action retrieves the enhancement details using the ID of the enhancement. |
List Enhancements | This action retrieves a list of enhancement records using query string and query parameters. |
Get Incident Details | This action retrieves the details of an incident. |
List Incidents | This action retrieves a list of incidents from the application. |
Get Incident Workflow Details | This action retrieves the details of an incident workflow. |
Get Label Details | This action retrieves the details of a label. |
Get Labels | This action retrieves a list of labels from the application. |
List Threat Intel (IOCs) | This action is used to retrieve a list of threat intel (IOCs). |
Get List of Threat Intel Types | This action retrieves a list of threat intel types from the application. |
Get Location Details | This action retrieves the details of a location using the ID of the location. |
List Locations | This action retrieves a list of locations from the application. |
Get Malware Details | This action retrieves the details of malware using malware ID. |
Get Manufacturer Details | This action is used to retrieve the details of a manufacturer. |
List Manufacturers | This action is used to retrieve a list of manufacturers from the application. |
Get OS Type Details | This action retrieves the details of an OS type. |
List OS Types | This action retrieves a list of operating system (OS) types from the application. |
Get PIR Details | This action retrieves the details of a PIR (Priority Intel Requirement) using the ID of the PIR. |
List PIRs | This action retrieves a list of PIR (Priority Intel Requirement) using query string and query parameters. |
Get Recommended Users for an Incident | This action retrieves a list of users who are automatically recommended by Respond for assigning to a specific incident based on their roster and the history of incidents handled. |
Get Roster | This action retrieves the list of rosters from the application. |
Get Source Details | This action retrieves the details of a source. |
List Sources | This action retrieves a list of sources from the application. |
Get Templates | This action retrieves the list of templates from the application. |
Get Threat Actor Details | This action retrieves the details of a threat actor using the ID of the threat actor. |
List Threat Actors | This action retrieves a list of threat actors. |
Get Threat Briefing Details | This action retrieves the details of a threat briefing. |
List Threat Briefings | This action retrieves a list of threat briefings. |
Get Threat Intel Form Structure | This action retrieves the form field structure of the threat intel component. |
Get Threat Intel (IOC) Details | This action retrieves the details of an IOC. |
Get User Group Details | This action retrieves the details of a user group. |
List User Groups | This action retrieves a list of user groups from the application. |
List Vulnerabilities | This action retrieves a list of vulnerabilities. |
Get Vulnerability Details | This action retrieves the details of a vulnerability. |
List Custom Module Entries | This action retrieves all the entries of a custom module with their details. |
List Custom Modules | This action retrieves the list of custom modules. |
List Incident Workflows | This action retrieves a list of all the incident workflows with details from the application. |
List Malware | This action retrieves a list of malware. |
Merge Incidents | This action merges incidents with a parent incident. |
Update Action Details | This action updates the details of an action using the ID of an action. |
Update Asset Application Details | This action updates the details of an application using the ID and additional fields. |
Update Asset Software Details | This action updates the details of asset software. |
Update Asset User Details | This action updates the details of an asset user. |
Update Campaign Details | This action updates the details of a campaign. |
Update Custom Module Entry | This action updates a custom module entry. |
Update Device Details | This action updates the details of a device using the ID of the device. |
Update Enhancement Details | This action updates the details of an enhancement using the ID of the enhancement. |
Update Incident Details | This action updates the details of an incident. |
Update Malware Details | This action updates the details of a malware record using a malware ID. |
Update PIR Details | This action updates a PIR (Priority Intel Requirement) record using the ID of the PIR. |
Update Threat Actor Details | This action updates the details of a threat actor. |
Update Threat Briefing Details | This action updates the details of a threat briefing. |
Update Threat Intel (IOC) | This action updates threat intel (IOC) using its ID. |
Update Vulnerability Details | This action updates the details of a vulnerability. |
Upload Attachment | This action uploads an attachment to a component. |
Get Incident Summary | This action retrieves the executive summary of the incident using its ID. |
Generic Action | This is a generic action to perform any additional use case in the application. |
Note
The actions Get a list of vendors and Get vendor are deprecated. Additionally, the action Create a Threat Intel (IOC) is no longer supported, you can instead use the action Bulk Create Threat Intel (IOC).
Configuration Parameters
The following configuration parameters are required for the Respond app to communicate with the Respond enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access the Respond application using the open API. | Text | Required | |
Access ID | Enter the access ID to access the Respond application using the open API. | Text | Required | |
Secret Key | Enter the secret key to access the Respond application using the open API. | Password | Required | |
TLS verification | Choose your preference to verify TLS while making requests. We recommend you set this option to yes. If no is passed, it may result in an incorrect connection establishment, resulting in a broken connection | Boolean | Optional | Default value: true Allowed values:
|
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with the Respond application. It is recommended to set the value between 60 and 70 seconds. | Integer | Optional | Available range: 15-120 seconds Default value: 15 seconds |
Action: Add Asset Software
This action adds an asset software in the Software module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Readable Type | Enter true to add an application using the values of locations, business units, and labels. | Boolean | Optional | Default value: false |
Asset Software Name | Enter the name of the asset software. Example: Cyware Orchestrate | Text | Required | |
Software Publisher ID | Enter the ID of the software publisher. Example: v53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | |
Software Type | Enter the software type as a list of comma-separated strings. Example: [system security, financial software] | List | Required | |
Software ID | Enter the software ID. Example: w83ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | |
Additional Information | Enter the details in key-value pairs to be added to the asset software. Example: purpose : security | Key Value | Optional |
Example Request
[ { "title": "VirusTotal", "software_publisher": "VirusTotal", "software_id": "w83ff8942-612d-4bc1-b54f-d8195c002404", "software_type": ["system security","financial software"], "extra_fields": { “BU_name": "Business Unit 1" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the software. |
| String | Software creation date and time. |
| String | Software last updated date and time. |
| String | Name of the software. |
| String | ID of the software. |
| List | Type of the software. For example, Development Software. |
| String | Name of software. |
| String | Readable ID of software. For example, SFT115. |
| String | Current status of the software. |
| String | Purchase date of the software. |
| String |
|
| Object | Details of user who added the software. |
| List | List of |
| List of Objects | Details of the labels that are added to the software. |
| List of Objects | Details of business units that are impacted by the software |
| List of Objects | Details of locations that are impacted by the software. |
| Object | Details of the software type. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities . |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malwares . |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
Action: Add Asset User
This action adds an asset user to the Users module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Employee Name | Enter the name of the asset user. Example: John Doe | Text | Required | |
Employee Code | Enter the employee code of the asset user. Example: EMP_111 | Text | Required | |
Email Address | Enter the email address of the asset user. Example: john.doe@cyware.com | Text | Required | |
Business Unit (BU) | Enter the IDs of business units in a comma-separated list. Example: [728277db-83be-4108-a8d7-e52c5deefc2c, 928277db-83be-4108-a8d7-e52c5deefc2n] | List | Required | |
Additional Information | Enter the details in key-value pairs to be added to the asset user. Example: full_name: John Doe | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to create an asset user using the values of labels and business units. | Boolean | Optional | Default value: false |
Example Request
[ { "employee_name": "John Dan", "employee_code": "EMP_111", "email": "john.dan@example.com", "business_units": "Business Unit", { "extra_fields": { "full_name": "John Dan" } } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the user. |
| String | User creation date and time. |
| String | User last updated date and time. |
| String | Name of the user. |
| String | Email ID of the user. |
| String | Name of the user. |
| String | Readable ID of the user. |
| String | Current Status of the user. |
| String | Hiring date of the user. |
| String |
|
| Object | Details of the CFTR user who created the asset user. |
| List | List of |
| List of Objects | Details of the labels that are added to the user. |
| List of Objects | Details of business units of the user. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the applications owned by the user. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the managed applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the managed devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the managed devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
Action: Add Comment
This action adds a comment to a specific component.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Name | Enter the name of a component. Example: incident | Text | Required | Allowed values: action, application, asset software, campaign, device, enhancement, incident, IOC, malware, PIR, threat-briefing, vulnerability |
Unique ID | Enter the unique ID of the component entry to which you want to add comments. Example: f0900171-be25-490e-bddc-fa8bf29d6453 | Text | Required | If the component name is incident, the unique ID must be specific to the incident. |
Comment | Enter the comment to be added. Example: IP address blocked | Text | Required | |
Mentioned Users | Enter the list of usernames of users mentioned in the comment. Example: [a1c03ad2-8147-4834-a575-f1710be628b0, b3184a17-e59f-46cb-82c3-d8aabbefff7e] | List | Optional |
Example Request
[ { "component_name": "incident", "unique_id": "f0900171-be25-490e-bddc-fa8bf29d6453", "comment": "IP address blocked", } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
unique_id | String | Unique ID of the comment. |
description | Text | Content of the comment. |
created_by | Object | Details of the user who added the comment. |
modified_by | Object | Details of the user who last updated the comment. |
mentioned_users | List of UUID | List of |
mentioned_users_data | List of Objects | Details of the users mentioned in the comment. |
created | String | Comment creation time. |
modified | String | Comment last updated time. |
comment_type | String | Type of Comment. Examples:
|
content_object | String | Component in which the comment is added. Example: |
content_object_readable_id | String |
|
content_object_unique_id | String |
|
description_with_img_src | Text | Content of the content with the image URLs (if any image is added in the comment). |
Action: Add Comment in Custom Module (Deprecated)
This action adds a comment in the custom module.
Note
This action is deprecated and it is recommended to use the action Add Comment.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the component identifier of the module. Example: module21 | Text | Required | You can retrieve the list of components and their IDs using the following action: List Custom Modules |
Instance Unique ID | Enter the unique ID of the entry to which you want to add a comment. Example: 822c2781-8ea0-4122-8176-8995a4c81dca | Text | Required | |
Description | Enter the content for the comment. Example: note for custom module | Text | Required | |
Mentioned Users Usernames | Enter the list of usernames of the users to be added in the comment. Example: [a1c03ad2-8147-4834-a575-f1710be628b0, b3184a17-e59f-46cb-82c3-d8aabbefff7e] | List | Optional |
Example Request
[ { "component_identifier": "module21", "unique_id": "822c2781-8ea0-4122-8176-8995a4c81dca", "comment": "note for custom module" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
unique_id | String | Unique ID of the comment. |
description | Text | Content of the comment. |
created_by | Object | Details of the user who added the comment. |
modified_by | Object | Details of the user who last updated the comment. |
mentioned_users | List of UUIDs | List of |
mentioned_users_data | List of Objects | Details of the users mentioned in the comment. |
created | String | Comment creation time. |
modified | String | Comment last updated time. |
comment_type | String | Type of Comment. Examples:
|
content_object | String | Custom module in which the comment is added. Example: |
content_object_readable_id | String |
|
content_object_unique_id | String |
|
description_with_img_src | Text | Content of the comment with the image URLs (if any image is added in the comment). |
pinned | Boolean | Displays if the comment is pinned or not. |
Action: Add Device
This action adds a device to the Devices module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hostname | Enter the name of the device. Example: information security | Text | Required | |
IP Address | Enter the IP address of the device. Example: 11.1.1.11 | Text | Required | |
Additional Information | Enter the additional information in the form of key-value pairs. Example: endpoint_type: desktop | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to add devices using the values of locations, business units, manufacturers, labels, and operation system types. | Boolean | Optional | Default: false |
Example Request
[ { "hostname": "EC2AMAZ-8V2J535", "ip_address": "1.1.1.1", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "endpoint_status": "clean" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the device. |
| String | Device creation time in EPOCH time format. |
| String | Device Last Updated Time in EPOCH time format. |
| String | Serial number of the device. |
| String | Hostname of the device. |
| String | Readable ID of the device. For example, DVC116. |
| String | Current status of the device. |
| String | Owner of the device. |
| String | Physical location of the device. |
| String | Hostname of the device |
| Float | IP address of the device. |
| String |
|
| Object | Details of user who created the device. Details include:
|
| String | Status of the device. |
| List | List of |
| List of Objects | Details of the labels that are added to the device. |
| List of Objects | Details of business units that are impacted by the device. |
| List of Objects | Details of locations that are impacted by the device. |
| String | Risk level of the device. |
| Object | Details of the risk of the device. |
| String | Priority of the device. |
| String | Type of the endpoint. For example, Desktop. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Object | Details of the owner of device. |
| Object | Details of the manager of device. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of Objects | Details of the actions that are added to the device. |
Action: Advanced Search for Modules
This action retrieves a list of module entries based on the specified payload and query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
Component Identifier | Enter the identifier of a component. | Text | Required | Allowed values: incident, action, vulnerability, threat-actor, campaign, threat-briefing, malware, enhancement, pir, general-user, device, application, asset-software |
Advanced Search Payload | Enter the readable key of parameters and the respective values in key-value pairs to search entries. Include the operator to apply to the parameters. Example: {'assigned_group': '3bf12078-4f1d-4fb7-b2ba-3239137ea9e1,'ip_reputation': 'Malicious','operator': 'OR' } | Key value | Required | Allowed values: OR and AND Default value: AND |
Query Parameter | Enter the query parameter and the respective value to filter results. Example: {'status':'open'} | Key value | Optional |
Example Request
[ { "query": {}, "component_identifier": "incident", "advanced_search_payload": { "operator": "OR", "assigned_group": "a1a18016-9df5-4521-a0b7-ec4064fa5c1e", "incident_state": "Untriaged" } } ]
Action Response Parameters
Parameter | Type | Description |
link | Object | This parameter includes two keys:
|
count | Integer | Returns the total number of module entries in the application based on the parameters passed in the query and payload. |
results | List of Objects | Returns a list of module entries with details. |
Action: Bulk Create Threat Intel (IOCs)
This action creates multiple IOCs in the threat intel module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOCs | Enter the IOC type and the respective values in key-value pairs. Examples:
| Key Value | Required |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | Key-value pairs of Threat Intel type and the corresponding Threat Intel |
| Object | Key-value pairs of Threat Intel type and the corresponding Threat Intel data. Threat Intel data includes the following details: |
Action: Connect Modules
This action is used to connect modules displayed in Connect the Dots of each module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data | Enter the IDs of the modules that you want to connect. Example: { "incident": ["1d9509c9-501b-4261-ba85-a9690acc5100", "49b46c68-b10d-41fd-82e7-1681fd8b7787"], "vulnerability": ["b4afd23b-a13f-4a4a-bacb-99e6aa465d42","eda602cc-4118-48b7-9394-e2bf954c7135"] } | Key Value | Optional |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Returns status code 200 for a successful execution. |
Action: Create Action
This action creates an action in the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action Title | Enter a title for the action. Example: block the IP address | Text | Required | |
Assigned Group ID | Enter the unique ID of the assigned group. Example: h53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | Retrieve the list of user groups and their IDs using the following action: Get User Groups |
Additional Information | Enter the additional information in the form of key-value pairs. Example: status: open | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to create actions using the values of assigned groups, labels, and the email IDs of assigned users. | Boolean | Optional | Default value: false |
Example Request
[ { "title": "New Action", "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "open" } } ]
Action Response Parameters
Parameters | Type | Description |
---|---|---|
| String | The title of the action. |
| String | Unique ID of the action. |
| String | Created date of the action in EPOCH time format. |
| String | Last modified date of the action in EPOCH time format. |
| String | Description of the action. |
| String |
|
| Object | Details of the assigned user. |
| String |
|
| Object | Details of the assigned user group. |
| String | Status of the action. |
| String | Readable ID of the action. For example, ACT381 |
| Object | Details of the user who created the action. Details include: username, email ,first name, last name, and so on. |
| Boolean | Shows whether the instance can be updated by the user who requested it or not. |
| Boolean | True: Action is bookmarked. False: Action is not bookmarked. |
| Object | Details of the user who closed the action. Details include: username, email ,first name, last name, and so on. |
| String | Closure date of the action in EPOCH time format. |
| String | Resolved date of the action in EPOCH time format. |
| String | Details of assignment SLA details of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion. |
| String | Details of resolution SLA of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion. |
| String | Resolution due date of the action. |
| String | Date and time at which the SLA stopped for the action. |
| String | Type of the action. |
| String | Priority level of the action |
| Object | Details of the type of the action. |
| Object | Details of the priority level of the action. |
| Boolean | Shows if the action is created using a template or not. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of the connected users. |
| Array of Objects | Details of the connected users. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of connected devices. |
| Array of Objects | Details of the connected devices. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of connected software. |
| Array of Objects | Details of the connected software. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of connected applications. |
| Array of Objects | Details of the connected applications. |
| Array of Objects | Details of the connected threat briefings. |
| Array of Objects | Details of the connected campaigns. |
| Object | Details of the connected incidents. |
| Array of Objects | Details of the connected malware. |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of Objects | Details of the connected threat actors. |
Action: Create a Malware
This action adds malware to the Malware module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Readable Type | Enter true to add a malware using the values of labels. | Boolean | Optional | Default: false |
Malware Name | Enter the name of the malware. Example: ransomware | Text | Required | |
Malware Type | Enter the malware types in a comma-separated list. Example: [ "Destructive", "Ransomware", "Trojan", "Worm" ] | List | Required | |
Affected Platforms | Enter the platforms affected by the malware in a comma-separated list. Example: [ "Windows Server 2012", "Windows XP", "Linux", “Mac” ] | List | Required | |
Status | Enter the status of the malware. Example: active | Text | Optional | Allowed values:
Default value: ACTIVE |
Additional Information | Enter the additional information in the form of key-value pairs. Example: is_bookmarked: false | Key Value | Optional |
Example Request
[ { "title": "New Malware", "malware_type": "Ransomware", "platform": "Windows Server 2k12", "status": "active" "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "file_type": "dll" } } ]
Action Response Parameters
Parameters | Type | Description |
---|---|---|
| Object | Type of the malware. |
| Object | Unique IDs of the email IOC type. |
| Object | List of affected platforms. |
| Object | Unique IDs of the IP IOC type. |
| Object | Unique IDs of the MD5 Hash IOC type. |
| Object | File types of the malware. For example, dll, exe, docx, zip. |
| Object | Unique IDs of the domain IOC type. |
| Object | Unique IDs of the SHA1 IOC type. |
| Object | Unique IDs of the SHA256 IOC type. |
| Object | Unique IDs of the URL IOC type. |
| String | Unique ID of the malware. |
| String | Readable ID of the malware. |
| String | Created date of the malware in EPOCH time format. |
| String | Last modified date of the malware in EPOCH time format. |
| String | Title of the malware. |
| String | Description of the malware. |
| Object | Unique ID of the linked incidents. |
| String | Status of the malware. |
| Object | Unique ID of the linked threat briefings. |
| Object | Details of the linked threat briefings. |
| Object | Details of the linked incidents. |
| Boolean | Shows if the malware is bookmarked or not. |
| Object | Details of the linked actions. |
| Object | Unique ID of the linked campaigns. |
| Object | Details of the linked campaigns. |
| Object | Unique ID of the linked vulnerabilities. |
| Object | Details of the linked vulnerabilities. |
| Object | Unique ID of the linked threat actors. |
| Object | Details of the linked threat actors. |
| Object | Details of the linked PIRs. |
| Object | Details of the attachments. |
| Object | Details of the user who created the malware. Details include: username, email, first name, last name, and so on. |
| Object | Unique ID of the linked labels. |
| Object | Details of the linked labels. |
| Object | Details of the linked tactic technique pairs. |
| String | Date on which malware is seen for the first time. |
| Object | Last modified date of the malware. |
| Object | Unique ID of the linked applications. |
| Object | Details of the linked applications. |
| Object | Unique ID of the linked software. |
| Object | Details of the Linked Asset Softwares. |
| Object | Unique ID of the linked devices. |
| Object | Details of the linked devices. |
| Object | Unique ID of the linked enhancements. |
| Object | Details of the linked enhancements. |
| Object | Details of the malware type. |
| Object | Details of the malware file type. |
| Object | Details of the affected platforms. |
Action: Create a PIR
This action creates a PIR (Priority Intel Requirement).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
PIR Title | Enter the PIR title. Example: Requesting credentials to access the app | Text | Required | |
Assigned Group ID | Enter the unique ID of the assigned group. Example: h53ff8942-612d-4bc1-b54f-d8195c002404. | Text | Required | Retrieve the list of user groups and their IDs using the following action: Get User Groups |
PIR Priority | Enter the priority level of the PIR. Example:
| Text | Optional | |
PIR Description | Enter a short description for the PIR. Example: Request to provide credentials to access an application for data. | Text | Optional | |
Additional Information | Enter additional information in the form of key-value pairs. Example: status: open | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to create a PIR using the values of assigned groups, labels, and the email IDs of assigned users. | Boolean | Optional | Default value: false |
Example Request
[ { "title": "Security Strategy", "assigned_group": "3b3b1351-1cdf-46b7-bf90-8526720608a3", "priority": "low", "description": "Strategizing threats prevention", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the PIR. |
| String | Unique ID of the PIR in UUID-4 format. |
| String | Readable ID of the PIR. |
| Text | Description of the PIR. |
| String | Creation date and time of the PIR in ISO format. |
| String | Last updated date and time of the PIR in ISO format. |
| String | Current status of the PIR. Allowed values:
|
| Object | Details of user who created the PIR. |
| String |
|
| Object | Details of user who closed the PIR. |
| String | Closing date and time of the PIR in ISO format. |
| Boolean | Shows whether the PIR is bookmarked or not. |
| List of String | List of |
| List of Objects | Details of the attached labels. |
| String | Priority level of the PIR. Allowed values: - - - - - |
| Object | Details of the priority of the PIR. |
| List of Stings | List of Unique IDs of the assigned users in UUID-4 format. |
| List of Objects | Details on the list of assigned users of the PIR. Details include:
|
| String | Unique ID of the assigned user group in UUID-4 format. |
| Object | Details of the assigned user group. Details include:
|
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
Action: Create Asset Application
This action creates an asset application in the Applications module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Application Name | Enter the name of the asset application. Example: google chrome | Text | Required | |
Business Units (BU) | Enter the comma-separated list of Business Units that are affected by the application. Example: [9750d6df-2d7f-4899-b20d-bfbba0a9084d, 7950d6fd-2d7f-4899-b20d-bfbba0a0849a] | List | Required | You can retrieve the list of business units and their IDs using the following action: Get Business Units |
Application Status | Enter the status of the asset application. | Text | Required | Allowed values:
|
Locations | Enter the impacted locations by the application in a comma-separated list. Example: [671961e6-0119-460c-8d55-9b697f6e2d6e, 719661e6-0119-460c-8d55-9b697f6e2d6e] | List | Required | |
Application URL | Enter the URL of the application if the application is internet-hosted. | Text | Optional | |
Additional Information | Enter the details in key-value pairs to be added to the asset application. Example: application_type: Security | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to create applications using the values of locations, business units, and labels. | Boolean | Optional | Default value: false |
Example Request
[ { "app_name": "Google Chrome", "business_units": ["a8007b20-bf76-4ce8-a761-45a453512479", "a8007b20-bf76-4ce8-a761-45a453512470"], "app_status": "Live", "locations": ["a8007b20-bf76-4ce8-a761-45a453512471", "a8007b20-bf76-4ce8-a761-45a453512472"], "app_url": "www.google.com", "extra_fields": { "version": "1.0.0" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the application. |
| String | Application creation date and time. |
| String | Application last updated date and time. |
| String | Title of the application. |
| Float | Version of the application. |
| String | Title of the application. |
| String | Readable ID of the application. |
| String | Current status of the the application. |
| String | Type of the application. For example, Security. |
| String | Status of the application. For example, Live. |
| String | Production date of the application. |
| String |
|
| Object | Details of user who created the application. |
| List | List of |
| List of Objects | Details of the labels that are added to the application. |
| List of Objects | Details of business units that are impacted by the application |
| List of Objects | Details of locations that are impacted by the application. |
| URL | URL of the application. |
| Object | Details of the owner of the application. |
| String | UUID of the application owner. |
| Object | Details of the manager of the application. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
Action: Create a Threat Briefing
This action adds a new threat briefing record to the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Briefing Title | Enter a title for the threat briefing. Example: new threat briefing | Text | Required | |
Business Units (BU) | Enter the business unit IDs in a comma-separated list. Example: $LIST[w53ff8942-612d-4bc1-b54f-d8195c002404, t73ff8942-612d-4bc1-b54f-d8195c002404] | List | Required | You can retrieve the list of business units and their IDs using the following action: Get Business Units |
Locations | Enter the location IDs in a comma-separated list. Example: [4882e471-e997-43ec-a317-e244d8286690, 4882e471-e997-43ec-a317-e244d8286560]. | List | Required | You can retrieve the list of available locations and their titles using the following action: Get Locations |
Description | Enter a short description related to the threat briefing. Example: New threat briefing added | Text | Optional | |
Additional Information | Enter the additional information related to the threat briefing in the form of key-value pairs. Example: labels: important | Key Value | Optional | |
Readable Type | Select true to create threat briefings using the values of locations, business units, and labels. | Boolean | Optional | Default value: false |
Example Request
[ { "title": "New Threat Briefing", "description": "new threat briefing added", "business_units": ["941563df-d8be-4c0e-9d3c-ac6906107300"], "locations": ["941563df-d8be-4c0e-9d3c-ac6906107399"], "extra_fields": { "state": "62044014-dc5f-4e6d-8a07-c9cab089dccd", "modified": "2019-12-19T09:48:06.402132Z" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the Threat Briefing. |
| String | Readable ID of the Threat Briefing. |
| String | Title of the Threat Briefing. |
| Text | Description of the threat briefing. |
| String | Current status of the Threat Briefing. Allowed values: - ACTIVE - INACTIVE |
| String | Created date and time of the Threat Briefing. |
| String | Last updated date and time of the Threat Briefing. |
| String | Title of the Threat Briefing. |
| Boolean | Shows whether the Threat Briefing is bookmarked or not. |
| List | List of |
| List of Objects | Details of the attached labels. |
| List of Objects | Details of the locations linked to the Threat Briefing. |
| List of Objects | Details of the business units linked to the Threat Briefing. |
| String | Unique ID of the user who created the Threat Briefing. |
| Object | Details of the user who created the Threat Briefing. |
| Array of Objects | Details of each attachment of the Threat Briefing. |
| Array of Objects | Details of the actions that are added for the Threat Briefing. |
| Array of UUID Strings | List of the enhancements that are added for the Threat Briefing. |
| Array of Objects | Details of the enhancements that are added for the Threat Briefing. |
| Array of Objects | Details of the PIRs that are added for the Threat Briefing. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
Action: Create ATT&CK Tactic-Technique Pair
This action creates an ATT&CK tactic and technique pair.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ATT&CK Technique ID | Enter the ID of the attack technique. Example: 4882e471-e997-43ec-a317-e244d5686690 | Text | Required | You can retrieve the list of attack techniques and their IDs using the following action: Get ATT&CK Techniques |
ATT&CK Tactic ID | Enter the attack tactic ID. Example: 5662e471-e997-43ec-a317-e244d5686690 | Text | Required | You can retrieve the list of attack tactics and their IDs using the following action: Get ATT&CK Tactics |
Example Request
[ { "technique_uid": "Example Unique ID", "tactic_uid": "Example Unique ID" } ]
Action: Create Campaign
This action creates a new campaign in the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Campaign Name | Enter a name for the campaign. Example: analytics campaign | Text | Required | |
Campaign Description | Enter a description for the campaign. Example: This is an important campaign | Text | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to create campaigns using the values of labels. | Boolean | Optional | Default: false |
Additional Information | Enter additional information about the campaign in the form of key-value pairs. Example: label: important | Key Value | Optional |
Example Request
[ { "title": "Spearphishing Campaign", "description": "New campaign created", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
unique_id | String | Unique ID of the campaign in UUID-4 format. |
readable_id | String | Unique readable ID of the campaign. It starts with Example: CMP101 |
created | String | Campaign creation date and time. |
description | Text | Description of the campaign. |
modified | String | Last updated date and time of the campaign. |
title | String | Title of the campaign. |
title_display | String | Title of the campaign. |
status | String | Current status of the campaign. Allowed values:
|
is_bookmarked | Boolean | Shows if the campaign is bookmarked or not. |
created_by_data | Object | Details of the user who created the campaign. Details include:
|
labels | List of Strings | Unique ID of the labels associated with the campaign in UUID-4 format. |
labels_data | List of Objects | Details of labels added to the campaign. Details include:
|
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array UID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of Objects | Details of the actions that are added to the campaign. |
| Array of Objects | Details of the PIRs that are added to the campaign. |
| Array of Objects | Details of the enhancements that are added to the campaign. |
Action: Create Custom Module Entry
This action creates a new custom module entry.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the component identifier of the module. Example: module21 | Text | Required | You can retrieve the list of custom modules and their identifiers using the following action: List Custom Modules |
Title | Enter a title for the entry. Example: Impacted users | Text | Required | |
Description | Enter a description of the entry. Example: Users impacted by the incident | Text | Required | |
Additional Parameters | Enter the additional information to be added in the custom module entry in key-value pairs. Use the field_readable_key of the custom fields as keys. | Key value | Optional |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the entry. |
| String | Unique ID of the entry. |
| String | Current status of the entry. |
| Text | Description of the entry. |
| String |
|
| String |
|
| Object | Details of the user who created the entry. |
| Object | Details of the user who last modified the entry. |
| String | Creation date and time of the entry. |
| String | Last updated date and time of the entry. |
| Boolean | Shows if the entry is bookmarked or not. |
| Boolean | Shows whether the entry can be updated by the user who requested it or not. |
| Array | List of the labels that are added to the entry. |
| Array of Objects | Details of the labels that are added to the entry. |
| Boolean | Displays if the entry is in deleted state or not. |
| Array of Objects | Displays the details of the status of the entry. |
| Array of Objects | Details of each attachment of the entry. |
Action: Create Enhancement
This action creates an enhancement.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Enhancement Title | Enter the title of the enhancement. Example: security update | Text | Required | |
Assigned Group | Enter the unique ID of the assigned group. Example: j53ff8942-612d-4bc1-b54f-d8195c002404. | Text | Required | |
Enhancement Priority | Enter the priority of the enhancement. Examples:
| Text | Required | |
Additional Information | Enter the additional information related to the enhancement in the form of key-value pairs. Example: description: added a new enhancement | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to create enhancements using the values of assigned groups, labels, and the email IDs of assigned users. | Boolean | Optional | Default value: false |
Example Request
[ { "title": "New Enhancement", "assigned_group": "3b3b1351-1cdf-46b7-bf90-8526720608a3", "priority": "high", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "open" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
unique_id | String | Unique ID of the enhancement in UUID-4 format. |
readable_id | String | Unique readable ID of the enhancement. It starts with Example: ENH101 |
created | Datetime | Enhancement creation date and time. |
description | Text | Description of the enhancement. |
modified | Datetime | Last updated date and time of the enhancement. |
title | Text | Title of the enhancement. |
status | String | Current status of the enhancement. Allowed values: - - |
priority | String | Priority level of the enhancement. |
priority_data | Object | Details of the priority assigned. Details include:
|
priority_data.unique_id | String | Unique ID of the priority in UUID-4 format. |
priority_data.option_name | String | Display Name of the priority |
priority_data.color_code | String | Hex value of the priority display color. |
is_bookmarked | Boolean | Shows if the enhancement is bookmarked or not. |
modified_by_data | Object | Details of the user who last updated the enhancement. Details include:
|
assigned_group | String | Unique ID of the user group the enhancement belongs to in UUID-4 format. |
assigned_group_data | Object | Details of the assigned user group. Details include group name and group ID. |
created_by_data | Object | Details of the user who created the enhancement. Details include:
|
assigned_to | String | Unique ID of the assigned user of the enhancement in UUID-4 format. |
assigned_to_data | Object | Details of the assigned user. Details include:
|
labels | List of Strings | List of Unique IDs of the labels attached to the enhancement in UUID-4 format. |
labels_data | List of Objects | Details of labels added to the enhancement. Details include:
|
labels_data.unique_id | String | Unique ID of the label in UUID-4 format. |
labels_data.option_name | String | Display name of the label |
labels_data.color_code | String | Hex value of the label display color. |
enhancement_type | List of Strings | Option name of the enhancement types associated with the enhancement. |
enhancement_type_data | List of Objects | Details of the enhancement types associated with the enhancement. |
enhancement_type_data.unique_id | String | Unique ID of the enhancement in UUID-4 format. |
enhancement_type_data.option_name | String | Display Name of the enhancement type |
enhancement_type_data.color_code | String | Hex value of the enhancement type display color. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of Objects | Details of each attachment of the enhancement. |
Action: Create Incident
This action creates an incident in the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter a title for the incident. Example: Found a Phishing Email | Text | Required | |
Description | Enter a description of the incident. Example: Incident detected | Text | Optional | |
Status | Enter the status of the incident. Example: untriaged | Text | Optional | Allowed values:
Default value: untriaged |
Incident Type | Enter the type of the incident. Example:
| Text | Optional | |
Business Unit Impacted | Enter the unique IDs of the impacted business units. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b] | List | Optional | You can retrieve the list of available Business Units and their IDs using the following action: Get Business Units |
Locations Impacted | Enter the unique IDs of the impacted locations. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b] | List | Optional | You can retrieve the list of available locations and their titles using the following action: Get Locations |
Source | Enter the unique IDs of the impacted sources. Example: 7c81cbda-11d8-4026-ae2f-287eaa643a9b | Text | Optional | You can retrieve the list of all available sources and their IDs using the following action: Get Sources |
Incident Date | Enter the date of when the incident occurred in ISO 8601-time format. Example: 2021-10-28t19:37:16.321856z | Text | Optional | |
Detection Date | Enter the date when the incident was detected as malicious in ISO 8601 time format. Example: 2021-10-28t19:37:16.321856z | Text | Optional | |
Level | Enter the severity level of the incident. Example
| Text | Optional | |
Assigned Group | Enter the group_comm_id of the group that needs to be assigned to the incident. Example: 4e046ee1-5bc9-4320-965f-3bf24dbb9256 | Text | Optional | You can retrieve the list of user groups and their IDs using the following action: Get User Groups |
Extra Fields | Enter the key-value pairs of additional information to add to this incident. | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to create incidents using the values of locations, business units, sources, assigned groups, labels, and the email IDs of assigned users. | Boolean | Optional | Default value: false |
Example Request
[ { "title": "New Incident", "description": "Incident Detected, "status": "Open", "ie_incident_type": "Malware", "business_unit_impacted": [7c81cbda-11d8-4026-ae2f-287eaa643a9b], "locations_impacted": [7c81cbda-11d8-4026-ae2f-287eaa643a9b], "source": [7c81cbda-11d8-4026-ae2f-287eaa643a9b], "incident_date": "2021-10-28T19:37:16.321856Z", "detection_date": "2021-10-28T19:37:16.321856Z", "level": "Critical", "assigned_group": "AssignmentID_12" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Returns the response retrieved from the app action. |
| String | Title of the incident. |
| String | Unique Identifier String of UUID-4 format of the incident. |
| String | Readable ID of the incident. For example, INC320. |
| String | Date and time of when the incident happened. |
| String | Date and time when the incident was detected as malicious. |
| String | Status of the incident workflow. Possible values:
|
| String | Current phase of the incident. The phase describes the UUID of the phase, part of the Incident Workflow. |
| Boolean | Displays if the incident is machine-generated or not. |
| JSON Object | Details of the current phase of the incident. |
| String | Severity level of the incident. For example, high. |
| JSON Object | Details of the severity level of the incident. |
| String |
|
| Boolean | Shows if the incident is protected or not. |
| Boolean | Shows if the incident is in the deleted state or not. |
| JSON Object | Details of the user who created the incident. |
| JSON Object | Details of the user who last modified the incident. |
| JSON Object | Details of the used who closed the incident. |
| String | Incident creation date and time. |
| String | Last updated date and time of the incident. |
| Timestamp | Date and time when the incident was opened. |
| Timestamp | Date and time when the incident was closed. If the incident is not closed, the value of this parameter is null. |
| Integer | Number of PIRs that were exposed in the incident. |
| String | Description of the Incident. |
| String |
|
| Object | Details of the assigned user. |
| String |
|
| Object | Details of the assigned user group. |
| String | Assignment SLA details of the incident. This includes the following two keys:
|
| Strings | The type of incident. Example: hacking. |
| Integer | Number of days the incident is open. |
| String | Resolution SLA details of the incident. This includes two keys:
|
| String | Details of the Incident notifications (if enabled in admin). |
| Integer | Total cost incurred due to the incident. |
| Boolean | Shows if the incident is bookmarked or not. |
| Boolean | Shows if the incident is permanently closed or not. |
| String | Resolution SLA breach date of the incident. |
| Boolean | Shows whether the instance can be updated by the user who requested it or not. |
| Boolean | Shows if the incident is paused or not. |
| String |
|
| JSON Object | Details of the user who paused the incident. |
| String | Unique ID of the Incident Workflow that is being used by the incident. |
| String | Type of the incident Workflow. Allowed values: 'draft' or 'published' |
| JSON Object | Details of the Incident Workflow that is being used by the incident. |
| Array | List of the sources for the incident. |
| Array of JSON Objects | Details of the sources for the incident. |
| Array | List of the labels that are added to the incident. |
| Array of JSON Objects | Details of the labels that are added to the incident. |
| Array | List of the tactics and techniques used by the incident. |
| Array of JSON Objects | Details of the tactics and techniques used by the incident. |
| Array of JSON Objects | List of business units that are impacted by the incident. |
| Array of JSON Objects | List of locations that are impacted by the incident. |
| String | Current state of the incident. Possible values:
|
| JSON Object | Details of the status of the incident. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected vulnerabilities. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected enhancements. |
| Array of JSON Objects | Details of the actions that are added to the incident. |
| Array of JSON Objects | Details of the attachments uploaded to the incident. |
| Integer | HTTP status code of the API request received from the instance. |
Action: Create Threat Actor
This action adds a threat actor to the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Actor Title | Enter the name of the threat actor. Example: Hacktivist Groups | Text | Required | |
Base Countries | Enter the IDs of countries in a comma-separated list. Example: [4882e471-e997-43ec-a317-e244d8286690, 8e2beaff-7aaf-4b72-bcc0-d61b25e822f3] | List | Required | Use the following action to retrieve the list of countries with their IDs: Get Countries |
Threat Actor Type | Enter the type of threat actor. Example: hacktivist | Text | Required | |
Additional Information | Enter the additional information in the form of key-value pairs. Example: description: A new threat actor found | Key Value | Optional |
Example Request
[ { "title": "NewThreatActor", "threat_actor_type": "Hacktivist", "countries_data": [4882e471-e997-43ec-a317-e244d8286690, 8e2beaff-7aaf-4b72-bcc0-d61b25e822f3] "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "active" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the threat actor. |
| String | Unique ID of the threat actor. |
| String | Readable ID of the threat actor. |
| Text | Description of the threat actor. |
| String | Creation time of the threat actor in ISO format. |
| String | Last Updated time of the threat actor in ISO format. |
| String | Current status of the threat actor. Allowed values:
|
| String | Risk associated with the threat actor. Allowed Values: - - - - - |
| String | Priority of the threat actor. Allowed values: - - - - - |
| Object | Details of user who created the threat actor. |
| String |
|
| Object | Details of user who closed the threat actor. |
| String | Closing date of the threat actor in ISO format. |
| Boolean | Shows whether the threat actor is bookmarked or not. |
| Array of Objects | Details of each attachment of the threat actor. |
| Array of Objects | Details of the actions that are added for the threat actor. |
| Array of UUID Strings | List of the enhancements that are added for the threat actor. |
| Array of Objects | Details of the enhancements that are added for the threat actor. |
| Array of Objects | Details of the PIRs that are added for the threat actor. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA1 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected MD5 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA256 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected IP Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected URL Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected domain Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected email Threat Intels. |
Action: Create Vulnerability
This action adds a new vulnerability.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Vulnerability Name | Enter the name of the vulnerability. Example: missing data encryption | Text | Required | |
Risk Level | Enter the risk level of the vulnerability. Example: very low | Text | Required | Allowed values:
|
Sources | Enter the sources of the vulnerability in a comma-separated list. Example: [anti virus, threat mailbox] | List | Required | You can retrieve the list of available sources using the following action: Get Sources |
Priority Level | Enter the priority level of the vulnerability. Example: low | Text | Required | Allowed values:
|
Additional Information | Enter the additional information to be added in key-value pairs. Example: is_bookmarked: false | Key Value | Optional |
Example Request
[ { "title": "New Vulnerability", "risk": "Low", "priority": "Low", "extra_fields": { "BU_name": "Business Unit 1" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the vulnerability. |
| String | Unique ID of the vulnerability. |
| String | Readable ID of the vulnerability. |
| Text | Description of the vulnerability. |
| String | Creation time of the vulnerability in ISO format. |
| String | Last Updated time of the vulnerability in ISO format. |
| String | Current status of the vulnerability. Allowed values:
|
| String | Risk associated with the vulnerability. Allowed Values: - - - - - |
| String | Priority of the vulnerability. Allowed values: - - - - - |
| Object | Details of user who created the vulnerability. |
| String |
|
| Object | Details of user who closed the vulnerability. |
| String | Closing date of the vulnerability in ISO format. |
| Boolean | Shows whether the vulnerability is bookmarked or not. |
| Array of Objects | Details of each attachment of the vulnerability. |
| Array of Objects | Details of the actions that are added for the vulnerability. |
| Array of UUID Strings | List of the enhancements that are added for the vulnerability. |
| Array of Objects | Details of the enhancements that are added for the vulnerability. |
| Array of Objects | Details of the PIRs that are added for the vulnerability. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA1 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected MD5 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA256 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected IP Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected URL Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected domain Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected email Threat Intels. |
Action: Fetch Health Console Status
This action retrieves the console status.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "created_date__gte": "1627835818", "created_date__lte": "1596299815" } } ]
Action: Get Action Details
This action retrieves the details of an action using the ID of the action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action ID | Enter the unique ID of the action. Example: k53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of actions and their IDs using the following action: Get Actions |
Example Request
[ { "unique_id": "k53ff8942-612d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameters | Type | Description |
---|---|---|
| String | The title of the action. |
| String | Unique ID of the action. |
| String | Created date of the action in EPOCH time format. |
| String | Last modified date of the action in EPOCH time format. |
| String | Description of the action. |
| String |
|
| Object | Details of the assigned user. |
| String |
|
| Object | Details of the assigned user group. Details include: group_comm_id and group_name of the user group. |
| String | Status of the action. |
| String | Readable ID of the action. For example, ACT379. |
| Object | Details of the user who created the action. Details include: username, email ,first name, last name, and so on. |
| Boolean | Shows whether the instance can be updated by the user who requested it or not. |
| Boolean | True: Action is bookmarked. False: Action is not bookmarked. |
| Object | Details of the user who closed the action. Details include: username, email ,first name, last name, and so on. |
| String | Closure date of the action in EPOCH time format. |
| String | Resolved date of the action in EPOCH time format. |
| String | Details of assignment SLA details of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion. |
| String | Details of resolution SLA of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion. |
| String | Resolution due date of the action. |
| String | Date and time at which the SLA stopped for the action. |
| String | Type of the action. |
| String | Priority level of the action |
| Object | Details of the type of the action. |
| Object | Details of the priority level of the action. |
| Boolean | Displays if the action is created using template or not. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of the connected users. |
| Array of Objects | Details of the connected users. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of connected devices. |
| Array of Objects | Details of the connected devices. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of connected software. |
| Array of Objects | Details of the connected software. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of connected applications. |
| Array of Objects | Details of the connected applications. |
| Array of Objects | Details of the connected threat briefings. |
| Array of Objects | Details of the connected campaigns. |
| Object | Details of the connected incidents. |
| Array of Objects | Details of the connected malware. |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of Objects | Details of the connected threat actors. |
Action: Get Asset Application Details
This action retrieves the details of an application using the ID of the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Application ID | Enter the unique ID of the application. Example: v53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of asset applications and their IDs using the following action: Get Asset Applications |
Example Request
[ { "unique_id": "v53ff8942-612d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the application. |
| String | Application creation date and time. |
| String | Application last updated date and time. |
| String | Title of the application. |
| Float | Version of the application. |
| String | Title of the application. |
| String | Readable ID of the application. |
| String | Current status of the the application. |
| String | Type of the application. For example, Security. |
| String | Status of the application. For example, Live. |
| String | Production date of the application. |
| String |
|
| Object | Details of user who created the application. |
| List | List of |
| List of Objects | Details of the labels that are added to the application. |
| List of Objects | Details of business units that are impacted by the application |
| List of Objects | Details of locations that are impacted by the application. |
| URL | URL of the application. |
| Object | Details of the owner of the application. |
| String | UUID of the application owner. |
| Object | Details of the manager of the application. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
Action: Get Assets Impacted by Vulnerability
This action retrieves the details of assets impacted by the vulnerability.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CVE ID | Enter the CVE ID of the vulnerability. Example: CVE-2024-4746 | Text | Required |
Example Request
[ { "cve_id": "CVE-2024-4746" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance_test | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | Object | This parameter indicates the response data of the query. |
app_instace.applications_data | Array | Displays an array of application objects. |
app_instance.description | String (HTML) | Displays the description of the vulnerability. |
app_instace.endpoints_data | Array | Displays an array of endpoint objects. |
app_instance.softwares_data | Array | Displays an array of software objects. |
app_instance.response.title | String | Displays the title of the issue Example: CVE-2024-4746 |
Action: Get Asset Software Details
This action retrieves asset software details using the ID of the software.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset Software ID | Enter the unique ID of the asset software. Example: fb487600-8a14-43df-8e96-5f759aa61cf0 | Text | Required | You can retrieve the list of asset software and their IDs using the following action: Get Asset Software List |
Example Request
[ { "unique_id": "fb487600-8a14-43df-8e96-5f759aa61cf0" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the software. |
| String | Software creation date and time. |
| String | Software last updated date and time. |
| String | Name of the software. |
| String | ID of the software. |
| List | Type of the software. For example, Development Software. |
| String | Name of software. |
| String | Readable ID of software. For example, SFT115. |
| String | Current status of the software. |
| String | Purchase date of the software. |
| String |
|
| Object | Details of user who added the software. |
| List | List of |
| List of Objects | Details of the labels that are added to the software. |
| List of Objects | Details of business units that are impacted by the software |
| List of Objects | Details of locations that are impacted by the software. |
| Object | Details of the software type. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities . |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malwares . |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
Action: Get Asset User Details
This action is used to retrieve the details of an asset user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
General User ID | Enter the unique ID of an asset user. Example: 226086de-dff4-44dd-8f48-dbd4e6569eb4 | Text | Required | You can retrieve the list of asset users and their IDs using the following action: Get Asset Users |
Example Request
[ { "unique_id": "226086de-dff4-44dd-8f48-dbd4e6569eb4" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the user. |
| String | User creation date and time. |
| String | User last updated date and time. |
| String | Name of the user. |
| String | Email ID of the user. |
| String | Name of the user. |
| String | Readable ID of the user. |
| String | Current Status of the user. |
| String | Hiring date of the user. |
| String |
|
| Object | Details of the CFTR user who created the asset user. |
| List | List of |
| List of Objects | Details of the labels that are added to the user. |
| List of Objects | Details of business units of the user. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the applications owned by the user. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the managed applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the managed devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the managed devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
Action: Get ATT&CK Tactic Details
This action retrieves the details of an ATT&CK tactic.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ATT&CK Tactic ID | Enter the ID of the ATT&CK tactic. Example: 37e5c89c-5a62-4236-b81e-f81202a0cde5 | Text | Required | You can retrieve the list of attack tactics and their IDs using the following action: Get Attack Tactics |
Example Request
[ { "unique_id": "37e5c89c-5a62-4236-b81e-f81202a0cde5" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
title | String | The title of the MITRE ATT&CK tactic. |
slug | String | Slug of the MITRE ATT&CK tactic, used for URLs and identifiers. |
domain | String | Domain to which the MITRE ATT&CK tactic belongs. |
phase | String | Phase of the MITRE ATT&CK tactic. |
url | String | URL to the detailed information about the MITRE ATT&CK tactic. |
unique_id | String | Unique identifier for the MITRE ATT&CK tactic. |
external_mitre_attack_id | String | External MITRE ATT&CK identifier. |
Action: Get ATT&CK Tactics
This action retrieves a list of attack tactics from the ATT&CK Navigator module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
link | Object | Contains related links for pagination and other resources. |
count | Integer | Total number of MITRE ATT&CK tactics available. |
results | Array of Objects | List of MITRE ATT&CK tactics. |
results.title | String | The title of the MITRE ATT&CK tactic. |
results.slug | String | Slug of the MITRE ATT&CK tactic, used for URLs and identifiers. |
results.domain | String | Domain to which the MITRE ATT&CK tactic belongs. |
results.phase | String | Phase of the MITRE ATT&CK tactic. |
results.url | String | URL to the detailed information about the MITRE ATT&CK tactic. |
results.unique_id | String | Unique identifier for the MITRE ATT&CK tactic. |
results.external_mitre_attack_id | String | External MITRE ATT&CK identifier. |
Action: Get ATT&CK Technique Details
This action retrieves the details of an ATT&CK technique.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ATT&CK Technique ID | Enter the unique ID of the ATT&CK technique. Example: 37e5c89c-5a62-4236-b81e-f81202a0cde5 | Text | Required | You can retrieve the list of attack techniques and their IDs using the following action: Get Attack Techniques |
Example Request
[ { "unique_id": "37e5c89c-5a62-4236-b81e-f81202a0cde5" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
title | String | Title of the ATT&CK technique. |
tactics | Array of Strings | Array of tactic IDs associated with the technique. |
type | String | The type of the action (e.g., attack-pattern). |
mitre_technique_id | String | MITRE unique ID of the ATT&CK technique. |
unique_id | String | System unique ID of the ATT&CK technique. |
external_mitre_attack_id | String | External ID of the MITRE ATT&CK technique (e.g., T1548). |
Action: Get ATT&CK Techniques
This action retrieves a list of ATT&CK techniques from the ATT&CK Navigator module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
link | Object | Contains related links for pagination and other resources. |
count | Integer | Total number of MITRE ATT&CK tactics available. |
results | Array of Objects | List of MITRE ATT&CK tactics. |
title | String | Title of the ATT&CK technique. |
tactics | Array of Strings | Array of tactic IDs associated with the technique. |
type | String | The type of the action (e.g., attack-pattern). |
mitre_technique_id | String | MITRE unique ID of the ATT&CK technique. |
unique_id | String | System unique ID of the ATT&CK technique. |
external_mitre_attack_id | String | External ID of the MITRE ATT&CK technique (e.g., T1548). |
Action: Get Business Unit Details
This action retrieves the details of a business unit.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Business Unit ID | Enter the unique ID of the business unit. Example: 67ff8942-612d-4bc1-b54f-d8195c002907 | Text | Required | You can retrieve the list of the Business Units and their IDs using the following action: Get Business Units |
Example Request
{ "unique_id": "67ff8942-612d-4bc1-b54f-d8195c002907" }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | The title of the Business Unit. |
| Text | Description of the Business Unit. |
| String | Unique ID of the Business Unit in UUID-4 format. |
| String | Creation date and time of the Business Unit in ISO format. |
| String | Last modified date and time of the Business Unit in ISO format. |
| String | Unique readable ID of the Business Unit. It starts with BU followed by a unique number. Example: "BU102" |
| String | Emails of the recepients to whom the notifications are sent. |
Action: Get Campaign Details
This action retrieves the details of a campaign.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Campaign ID | Enter the details of the campaign using the unique ID. For example: f0900171-be25-490e-bddc-fa8bf29d6453 | Text | Required | You can retrieve the list of campaigns and their IDs using the following action: Get Campaigns |
Example Request
[ { "unique_id": "f0900171-be25-490e-bddc-fa8bf29d6453" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
unique_id | String | Unique ID of the campaign in UUID-4 format. |
readable_id | String | Unique readable ID of the campaign. It starts with Example: CMP101 |
created | String | Campaign creation date and time. |
description | Text | Description of the campaign. |
modified | String | Last updated date and time of the campaign. |
title | String | Title of the campaign. |
title_display | String | Title of the campaign. |
status | String | Current status of the campaign. Allowed values:
|
is_bookmarked | Boolean | Shows if the campaign is bookmarked or not. |
created_by_data | Object | Details of the user who created the campaign. Details include:
|
labels | List of Strings | Unique ID of the labels associated with the campaign in UUID-4 format. |
labels_data | List of Objects | Details of labels added to the campaign. Details include:
|
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array UID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of Objects | Details of the actions that are added to the campaign. |
| Array of Objects | Details of the PIRs that are added to the campaign. |
| Array of Objects | Details of the enhancements that are added to the campaign. |
Action: Get CFTR User Details
This action retrieves the details of users.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the unique ID of a user. Example: 9ca5d44c-4f16-410c-ab6b-db26ce6f0b42 | Text | Required | You can retrieve the list of users and their IDs using the following action: Get CFTR Users |
Example Request
{ "unique_id": "9ca5d44c-4f16-410c-ab6b-db26ce6f0b42" }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the user in UUID-4 format. |
| List of String | The list of permissions configured for the user in the CFTR application. Note: The permissions depend on the user groups of the user. |
| String | Last log in date and time of the user in ISO Format. |
| String | First name of the user. |
| String | Last name of the user. |
| String | Email ID of the user. |
| String | Job title of the user. |
| String | The link to the display picture of the user. |
| List of String | List of unique IDs of |
| List of Objects | Details of the User Groups. Each object includes the details of one User Group such as |
| String | Unique ID of the User Group in UUID-4 format. |
| String | Name of the User Group. |
| Text | Description of the User Group. |
| String | Country code of the user. |
| String | Contact number of the user. |
| String | Username of the user. |
| String | Unique ID of the location of the user in UUID-4 format. |
| Object | Details of the user location. |
| List of Strings | List of unique IDs of the allowed locations of the user in UUID-4 format. |
| List of Objects | Details of the allowed locations of the user. Each object includes the details of one location. Details include: title, unique_id, and is_active. |
| String | Title of the location |
| String | Unique ID of the location in UUID-4 format. |
| Boolean | Shows if the location is active or not. |
| String | Unique ID of the Business Unit of the user in UUID-4 format. |
| Object | Details of the Business Unit of the user. |
| List of Strings | List of unique IDs of the allowed Business Units of the user in UUID-4 format. |
| List of Objects | Details of the allowed Business Units of the user. Each object includes the details of one Business Unit. Details include:
|
| String | Title of the Business Unit. |
| Text | Description of the Business Unit. |
| String | Unique ID of the Business Unit in UUID-4 format. |
| String | Creation date and time of the Business Unit in ISO format. |
| String | Last modified date and time of the Business Unit in ISO format. |
| String | Unique readable ID of the Business Unit. It starts with BU followed by a unique number Example: "BU101" |
| Boolean | Shows whether the user is an active user or not. |
| Datetime | Joining date and time of the user in ISO format. |
| Boolean | Shows whether the user has activated their account using the confirmation link or not. |
| String | Onboarding date and time of the user in ISO format. |
| Boolean | Shows whether the user is a bot user or not. |
| Boolean | Shows whether the user is an admin in the CFTR application or not. |
| Boolean | Shows whether the user has access to view related incidents in the Connect The Dots section or not. |
| Boolean | Shows if the user has access to view the related assets in Connect the Dots or not. |
| Boolean | Shows if the user has access to view briefings escalations. |
| String | Date and time of when the user was onboarded. |
| String | Unique ID of the landing component configured for the user in UUID-4 format. |
| Object | Details of the landing component configured for the user. |
| String | Unique ID of the component in UUID-4 format. |
| String | Name of the component. |
| String | Code name of the component. |
| String | Identification string of the component. |
| List of Objects | Details of the allowed components of the user. Each object includes the details of one component. Details include:
|
| String | Unique ID of the component in UUID-4 format. |
| String | Name of the component. |
| String | Code name of the component. |
| String | Identification string of the component. |
| String | Last active date and time of the user in ISO format. |
| String | Details of the last device used by the user. |
| String | Generic IP address of the device last used by the user. |
| String | Currency choice associated with the user. Allowed values: |
| String | Unique ID of the user who invited the current user. |
| String | Unique ID of LDAP associated with the user. |
| String | Full name of the user. |
| String | Last updated date and time of the password of the user in ISO format. |
| Float | Maximum value of analyst cost associated with each user group of the user. |
| Boolean | Shows whether the user is a system user or not. |
| String | Shows whether the user has accepted the invite or not. Allowed values: - - |
| Boolean | Displays if the user is a on prem client. |
| Boolean | If the user is has only ready-only access. |
| Integer | The number of incidents that can be created by the user. |
| Integer | Number of business units |
Action: Get Custom Module Entry Detail
This action retrieves the details of a custom module entry.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the component identifier of the module. Example: module21 | Text | Required | You can retrieve the list of custom modules and their component identifier using the following action: List Custom Modules |
Instance Unique ID | Enter the unique ID of a custom module entry. Example: 822c2781-8ea0-4122-8176-8995a4c81dca | Text | Required | You can retrieve the list of custom module entries and their IDs using the following action: List Custom Module Entries |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the entry. |
| String | Unique ID of the entry. |
| String | Current status of the entry. |
| Text | Description of the entry. |
| String |
|
| String |
|
| Object | Details of the user who created the entry. |
| Object | Details of the user who last modified the entry. |
| String | Creation date and time of the entry. |
| String | Last updated date and time of the entry. |
| Boolean | Shows if the entry is bookmarked or not. |
| Boolean | Shows whether the entry can be updated by the user who requested it or not. |
| Array | List of the labels that are added to the entry. |
| Array of Objects | Details of the labels that are added to the entry. |
| Boolean | Displays if the entry is in deleted state or not. |
| Array of Objects | Displays the details of the status of the entry. |
| Array of Objects | Details of each attachment of the entry. |
Action: Get Device Details
This action retrieves the details of a device using the ID of the device.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the unique ID of the device. Example: e53fe8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of devices and their IDs using the following action: Get Devices |
Example Request
[ { "unique_id": "e53fe8942-612d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the device. |
| String | Device creation time in EPOCH time format. |
| String | Device Last Updated Time in EPOCH time format. |
| String | Serial number of the device. |
| String | Hostname of the device. |
| String | Readable ID of the device. For example, DVC116. |
| String | Current status of the device. |
| String | Owner of the device. |
| String | Physical location of the device. |
| String | Hostname of the device |
| Float | IP address of the device. |
| String |
|
| Object | Details of user who created the device. Details include:
|
| String | Status of the device. |
| List | List of |
| List of Objects | Details of the labels that are added to the device. |
| List of Objects | Details of business units that are impacted by the device. |
| List of Objects | Details of locations that are impacted by the device. |
| String | Risk level of the device. |
| Object | Details of the risk of the device. |
| String | Priority of the device. |
| String | Type of the endpoint. For example, Desktop. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Object | Details of the owner of device. |
| Object | Details of the manager of device. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of Objects | Details of the actions that are added to the device. |
Action: Get Enhancement Details
This action retrieves the enhancement details using the ID of the enhancement.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Enhancement ID | Enter the unique ID of the enhancement. Example: h53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of enhancements and their IDs using the following action: Get Enhancements |
Example Request
[ { "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
unique_id | String | Unique ID of the enhancement in UUID-4 format. |
readable_id | String | Unique readable ID of the enhancement. It starts with Example: ENH101 |
created | Datetime | Enhancement creation date and time. |
description | Text | Description of the enhancement. |
modified | Datetime | Last updated date and time of the enhancement. |
title | Text | Title of the enhancement. |
status | String | Current status of the enhancement. Allowed values: - - |
priority | String | Priority level of the enhancement. |
priority_data | Object | Details of the priority assigned. Details include:
|
priority_data.unique_id | String | Unique ID of the priority in UUID-4 format. |
priority_data.option_name | String | Display Name of the priority |
priority_data.color_code | String | Hex value of the priority display color. |
is_bookmarked | Boolean | Shows if the enhancement is bookmarked or not. |
modified_by_data | Object | Details of the user who last updated the enhancement. Details include:
|
assigned_group | String | Unique ID of the user group the enhancement belongs to in UUID-4 format. |
assigned_group_data | Object | Details of the assigned user group. Details include group name and group ID. |
created_by_data | Object | Details of the user who created the enhancement. Details include:
|
assigned_to | String | Unique ID of the assigned user of the enhancement in UUID-4 format. |
assigned_to_data | Object | Details of the assigned user. Details include:
|
labels | List of Strings | List of Unique IDs of the labels attached to the enhancement in UUID-4 format. |
labels_data | List of Objects | Details of labels added to the enhancement. Details include:
|
labels_data.unique_id | String | Unique ID of the label in UUID-4 format. |
labels_data.option_name | String | Display name of the label |
labels_data.color_code | String | Hex value of the label display color. |
enhancement_type | List of Strings | Option name of the enhancement types associated with the enhancement. |
enhancement_type_data | List of Objects | Details of the enhancement types associated with the enhancement. |
enhancement_type_data.unique_id | String | Unique ID of the enhancement in UUID-4 format. |
enhancement_type_data.option_name | String | Display Name of the enhancement type |
enhancement_type_data.color_code | String | Hex value of the enhancement type display color. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
attachments_data | Array of Objects | Details of each attachment of the enhancement. |
Action: Get Incident Details
This action retrieves the details of an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the unique ID of the incident. Example: t53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the IDs of the incident using the following action: Get Incidents |
Example Request
[ { "unique_id": "t53ff8942-612d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Returns the response retrieved from the app action. |
| String | Title of the incident. |
| String | Unique Identifier String of UUID-4 format of the incident. |
| String | Readable ID of the incident. For example, INC320. |
| String | Date and time of when the incident happened. |
| String | Date and time when the incident was detected as malicious. |
| String | Status of the incident workflow. Possible values:
|
| String | Current phase of the incident. The phase describes the UUID of the phase, part of the Incident Workflow. |
| Boolean | Displays if the incident is machine-generated or not. |
| JSON Object | Details of the current phase of the incident. |
| String | Severity level of the incident. For example, high. |
| JSON Object | Details of the severity level of the incident. |
| String |
|
| Boolean | Shows if the incident is protected or not. |
| Boolean | Shows if the incident is in the deleted state or not. |
| JSON Object | Details of the user who created the incident. |
| JSON Object | Details of the user who last modified the incident. |
| JSON Object | Details of the used who closed the incident. |
| String | Incident creation date and time. |
| String | Last updated date and time of the incident. |
| Timestamp | Date and time when the incident was opened. |
| Timestamp | Date and time when the incident was closed. If the incident is not closed, the value of this parameter is null. |
| Integer | Number of PIRs that were exposed in the incident. |
| String | Description of the Incident. |
| String |
|
| Object | Details of the assigned user. |
| String |
|
| Object | Details of the assigned user group. |
| String | Assignment SLA details of the incident. This includes the following two keys:
|
| Strings | The type of incident. Example: hacking. |
| Integer | Number of days the incident is open. |
| String | Resolution SLA details of the incident. This includes two keys:
|
| String | Details of the Incident notifications (if enabled in admin). |
| Integer | Total cost incurred due to the incident. |
| Boolean | Shows if the incident is bookmarked or not. |
| Boolean | Shows if the incident is permanently closed or not. |
| String | Resolution SLA breach date of the incident. |
| Boolean | Shows whether the instance can be updated by the user who requested it or not. |
| Boolean | Shows if the incident is paused or not. |
| String |
|
| JSON Object | Details of the user who paused the incident. |
| String | Unique ID of the Incident Workflow that is being used by the incident. |
| String | Type of the incident Workflow. Allowed values: 'draft' or 'published' |
| JSON Object | Details of the Incident Workflow that is being used by the incident. |
| Array | List of the sources for the incident. |
| Array of JSON Objects | Details of the sources for the incident. |
| Array | List of the labels that are added to the incident. |
| Array of JSON Objects | Details of the labels that are added to the incident. |
| Array | List of the tactics and techniques used by the incident. |
| Array of JSON Objects | Details of the tactics and techniques used by the incident. |
| Array of JSON Objects | List of business units that are impacted by the incident. |
| Array of JSON Objects | List of locations that are impacted by the incident. |
| String | Current state of the incident. Possible values:
|
| JSON Object | Details of the status of the incident. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected vulnerabilities. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected enhancements. |
| Array of JSON Objects | Details of the actions that are added to the incident. |
| Array of JSON Objects | Details of the attachments uploaded to the incident. |
| Integer | HTTP status code of the API request received from the instance. |
Action: Get Incident Summary
This action retrieves the executive summary of the incident using the incident ID.
App Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID to retrieve the summary. Example: INC103 | Text | Required |
Example Request
[ { "incident_id": "INC103" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance | Object | Returns the root object containing the response and status code. |
app_instance.response | Object | Displays the response data of the query. |
app_instance.status_code | Integer | Returns the HTTP status code of the response. |
app_instance.response.actions_data | Array | Returns an array of action objects. |
app_instance.response.actions_data.readable_id | String | Returns the Readable ID of the action. |
app_instance.response.actions_data.title | String | Return the title of the action in the incident. |
app_instance.response.actions_data.title_display | String | Displays the title of the action linked to the incident. |
app_instance.response.applicable_compliance | Array | Returns the list of applicable compliance standards to the incident. |
app_instance.response.applicable_compliance_data | Array | Returns an array of compliance option objects. |
app_instance.response.applicable_compliance_data[].option_name | String | Returns the name of the compliance option. |
app_instance.response.applications_data | Array | Returns an array of application objects. |
app_instance.response.attack_vector | Null | Returns attack vector linked to the incident. |
app_instance.response.attack_vector_data | Null | Returns the details of the Attack vector linked to the incident. |
app_instance.response.base_line_changes | Null | Returns the baseline changes. |
app_instance.response.briefings_data | Array | Returns an array of briefing objects. |
app_instance.response.business_impact | Array | Returns an array of business units impacted by the incident. |
app_instance.response.business_impact_data | Array | Returns an array of business units impacted option objects. |
app_instance.response.business_impact_data.option_name | String | Returns the name of the business units impact option. |
app_instance.response.campaigns_data | String | Returns an array of campaign objects. |
app_instance.response.closure_comments | String | Returns closure comments in the incident. |
app_instance.response.containment_hash | String | Returns the value for containment hash |
app_instance.response.containment_host | String | Returns Containment host |
app_instance.response.containment_ip | String | Returns Containment IP |
app_instance.response.containment_result | String | Returns Containment result |
app_instance.response.containment_summary | String | Returns Containment summary |
app_instance.response.containment_url | String | Containment URL |
app_instance.response.description | String | Description of the incident |
app_instance.response.destination_hostname | String | Destination host name |
app_instance.response.destination_ip | String | Destination IP |
app_instance.response.destination_port | String | Destination port |
app_instance.response.endpoints_data | Array | An array of endpoint objects |
app_instance.response.enhancements_data | Array | An array of enhancement objects |
app_instance.false_positive | Array | False positive indicator |
app_instance.response.false_positive_data | String | False positive data |
app_instance.response.ie_customer_notification_required | Null | Customer notification indicator |
app_instance.response.ie_customer_notification_required_data | String | Returns customer notification data |
app_instance.response.ie_findings_summary | String | Returns findings summary |
app_instance.response.ie_forensics_details | String | Returns forensics details |
app_instance.response.ie_impact_on_intellectual_property | Null | Impact on intellectual property |
app_instance.response.ie_incident_type | String | Returns the incident type. |
app_instance.response.ie_incident_type_data | Object | Returns the incident type data. |
app_instance.response.ie_incident_type_data.option_name | String | Returns the name of the incident type option. |
app_instance.response.ie_invegtigation_eradication_exception | Null | Investigation eradication exception. |
app_instance.response.ie_lessons_learned | Null | Returns lessons learned |
app_instance.response.ie_log_analysis_summary | Null | Returns log analysis summary |
app_instance.response.ie_malware_analysis_summary | Null | Malware analysis summary |
app_instance.response.ie_motives | Array | An array of motive objects |
app_instance.response.ie_motives_data | Array | An array of motive data objects |
app_instance.response.ie_num_of_assets_impacted | Null | Number of assets impacted by the incident. |
app_instance.response.ie_num_of_users_impacted | Null | Number of users impacted by the incident. |
app_instance.response.ie_port_numbers_impacted | Null | Port numbers impacted |
app_instance.response.ie_regulatory_notifications_required | Null | Regulatory notifications required |
app_instance.response.ie_regulatory_notifications_required_data | Null | Regulatory notifications required data |
app_instance.response.ie_regulatory_reporting | Array | An array of regulatory reporting objects. |
app_instance.response.ie_regulatory_reporting_data | Array | An array of regulatory reporting data objects. |
app_instance.response.ie_regulatory_reporting_date | Null | Regulatory reporting date. |
app_instance.response.ie_root_cause | Null | Root cause of the incident. |
app_instance.response.ie_root_cause_data | Null | Root cause data |
app_instance.response.incident_analysis | Null | Incident analysis |
app_instance.response.incident_identified | Array | An array of incident identified objects. |
app_instance.response.incident_identified_data | Array | An array of incident identified data objects. |
app_instance.response.incident_learning | Null | Incident learning |
app_instance.response.ioc_MD5 | Array | An array of MD5 Indicator of Compromise. |
app_instance.response.ioc_MD5_data | Array | An array of MD5 IoC data objects. |
app_instance.response.ioc_SHA1 | Array | An array of SHA1 Indicator of Compromise. |
app_instance.response.ioc_SHA1_data | Array | An array of SHA1 IoC data objects. |
app_instance.response.ioc_SHA256 | Array | An array of SHA256 Indicator of Compromise. |
app_instance.response.ioc_SHA256_data | Array | An array of SHA256 IoC data objects. |
app_instance.response.ioc_domain | Array | An array of IOC domain objects. |
app_instance.response.ioc_domain_data | Array | An array of IOC domain data objects. |
app_instance.response.ioc_email | Array | An array of IOC email objects. |
app_instance.response.ioc_email_data | Array | An array of IOC email data objects. |
app_instance.response.ioc_ip | Array | An array of IOC IP objects. |
app_instance.response.ioc_ip_data.value | String | IP address value. |
app_instance.response.ioc_url | Array | An array of IoC URL objects. |
app_instance.response.ioc_url_data | Array | An array of IoC URL data objects. |
app_instance.response.ip_reputation | Null | IP Reputation of the incident. |
app_instance.response.kill_chain_phase | String | Current phase in the kill chain of the incident. |
app_instance.response.kill_chain_phase_data | Object | Details of the current phase in the kill chain. |
app_instance.response.kill_chain_phase_data.option_name | String | Phase name in the kill chain of the incident. |
app_instance.response.knowledge_base_data | Array | An array of knowledge base objects. |
app_instance.response.level | String | Incident level of the incident. |
app_instance.response.level_data | Object | Details of the incident level. |
app_instance.response.level_data.option_name | String | Incident level option name. |
app_instance.response.malwares_data | Array | An array of malware objects. |
app_instance.response.methods_monitor_recovery_actions | Null | Methods to monitor recovery actions. |
app_instance.response.methods_validate_recovery_actions | Null | Methods to validate recovery actions. |
app_instance.response.phase | String | The current phase of the incident. |
app_instance.response.phase_data | Object | Details of the current phase. |
app_instance.response.phase_data.option_name | String | Indicates the phase of the incident |
app_instance.response.pirs_data | Array | An array of PIR (Priority Intelligence Requirements) objects. |
app_instance.response.readable_id | String | Readable ID of the incident. |
app_instance.response.recovery_details | Null | Details of the recovery in incident. |
app_instance.response.related_incidents_data | Array | An array of related incident data objects. |
app_instance.response.softwares_data | Array | An array of software data objects. |
app_instance.response.source_hostname | Null | Source host name. |
app_instance.response.source_ip | Null | Source IP address. |
app_instance.response.source_port | Null | Source port |
app_instance.response.sources_data | Object | An object containing source data. |
app_instance.response.sources_data.created | String (datetime) | Creation timestamp of the source data. |
app_instance.response.sources_data.modified | String (datetime) | Modification timestamp of the source data. |
app_instance.response.sources_data.source_display_name | String | Display name of the source. |
app_instance.response.sources_data.source_type | String | Type identifier of the source. |
app_instance.response.sources_data.source_type_data | Object | Additional data about the source type. |
app_instance.response.sources_data.source_type_data.created | String (datetime) | Creation timestamp of the source type data. |
app_instance.response.sources_data.source_type_data.title | String | Title of the source type. |
app_instance.response.sources_data.source_type_data.unique_id | String | Unique identifier of the source type data. |
app_instance.response.sources_data.unique_id | String | Unique identifier of the source data. |
app_instance.response.sources_data.value | String | Value of the source data. |
app_instance.response.status | String | Status of the incident. |
app_instance.response.status_data | Object | Additional data about the status. |
app_instance.response.status_data.option_name | String | Indicates status option name. |
app_instance.response.threat_actors_data | Array | An array of threat actor objects in the incident. |
app_instance.response.time_to_resolve | Null | Time taken to resolve the incident. |
app_instance.response.title | String | Title of the incident. |
app_instance.response.url_reputation | Null | URL reputation in a phase |
app_instance.response.users_data | Array | An array of user data objects. |
app_instance.response.vulnerabilities_data | Array | An array of vulnerability data objects. |
Action: Get Incident Workflow Details
This action retrieves the details of an incident workflow.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Workflow ID | Enter the unique ID of the incident workflow. Example: 5ca19332-75e2-4e1b-953a-22f8b467ea1d | Text | Required | You can retrieve the list of workflows and their IDs using the following actions: List Incident Workflows |
Example Request
[ { "unique_id": "t53ff8942-612d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the Incident Workflow. |
| String | Description of the Incident Workflow. |
| String | Unique ID of the Incident Workflow. |
| String | Shows the state of Incident Workflow. Allowed values: - - |
| String | Status of the Incident Workflow. Allowed values: - - |
| Boolean | Shows whether the Incident Workflow is the default workflow or not. |
| String | Shows the string name for Incident module. |
| String | Shows the phase flow of the Incident Workflow phases. Allowed values: - - |
| String | Creation date-time of the Incident Workflow. |
| String | Latest modification date-time of the Incident Workflow. |
| String |
|
| String |
|
| Object | Basic details of user who created the Incident Workflow. |
| Object | Basic details of the user who last modified the Incident Workflow. |
| Boolean | Shows whether the workflow is in deleted state or not. |
| Boolean | Shows whether the Incident Workflow has been mapped to parent parameters or not. |
| Integer | Number of phases present in the Incident Workflow. |
| String |
|
| Object | Details of the closure phase. Details include: |
| String |
|
| String |
|
| String |
|
| Array |
|
| Array |
|
| String | Unique ID of the Tab. |
| String | Title of the tab. |
| Boolean | Shows if the tab is active or not. |
| Boolean | Shows if the tab can be edited or not. |
| Boolean | Shows whether the tab is in deleted state or not. |
| String | Shows the string name for Incident module |
| List of Objects | Details of the fields added in the tab. Note: The tab fields are further explained in the table below. |
| String | The tab type. Examples of tab types are:
|
| String |
|
| List | Details of children tabs. |
| Boolean | Shows if tab can be removed or not. |
| String | Validation expression (if any) added. It is used for Threat Intel. |
| List | List of |
| Integer | Order of the tab. |
| String | Help text of the tab |
| String | Unique identifier string of UUID-4 format of the Field. |
| String | Title of the field. |
| String | The type of field. Allowed values:
|
| Boolean | Shows whether field is active or not. |
| Boolean | Shows whether the field is in deleted state or not. |
| String | Placeholder of the field. |
| String | Help text of the field. |
| List of Objects | Details of the options. |
| Boolean | Shows whether field can be edited or not. |
| Boolean | Shows whether field can be deleted or not. |
| Boolean | Shows whether the field is mandatory or not. |
| String | Unique readable key for receiving field data from external sources. |
| Boolean | Shows whether the widget can be created for this field or not. (Applicable only on select/multi-select fields) |
| String | Validation expression (if any) added. It is used for Threat Intel. |
| Boolean | Shows whether the field is one time entry field or not. |
| Boolean | Shows whether the filter option should be provided for this field or not. Applicable only for select/multi-select fields. |
| Boolean | Shows whether the field access is restricted by user group. |
| List | List of |
| Boolean | Shows whether the current user has write access to the field or not. |
| List of Objects | Basic details of user groups that have write access to the field. |
| Boolean | Shows whether the field is selected as a parent parameter or not. |
| Integer | Order of the field. (Defines the position of the field in the form) |
| Integer | Column Number of the field. (Defines the column of the field in the form). Allowed values:
|
| String | Reason for updating the field (Single select fields). |
Action: Get Label Details
This action retrieves the details of a label.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Label ID | Enter the unique ID of the label. Example: 53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of labels and their IDs using the following action: Get Labels |
Example Request
{ "unique_id": "53ff8942-612d-4bc1-b54f-d8195c002404" }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the label in UUID-4 format. |
| String | The title of the label. |
| Text | Description of the label. |
| String | Hex value of the label color. |
| String | Creation date and time of the label in ISO format. |
| String | Last modified date and time of the label in ISO format. |
| String | Unique ID of the associated component. |
| Object | Details of the Note: The parameters of the |
| String | The name of the component. |
| String | Unique ID of the associated component. |
Action: Get Labels
This action retrieves a list of labels from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of labels in CFTR application according to the filters applied. |
| List of Objects | Details of the labels. Each object provides details of one label. |
| String | Unique ID of the label in UUID-4 format. |
| String | The title of the label. |
| Text | Description of the label. |
| String | Hex value of the label color. |
| Creation date and time of the label in ISO format. | |
| String | Last modified date and time of the label in ISO format. |
| String | Unique ID of the associated component. |
| Object | Details of the Note: The parameters of the |
| String | The name of the component. |
| String | Unique ID of the associated component. |
Action: Get List of Threat Intel Types
This action retrieves a list of threat intel types from the application.
Action Input Parameters
There are no input parameters required for this action.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of Threat Intel types in CFTR application. |
| List | Details of the Threat Intel types. Each object provides details of one Threat Intel type. |
| String | Title of the Threat Intel type. This key is used to refer to Threat Intel type by other APIs. |
| String | Unique ID of the Threat Intel type. |
| String | Creation date and time of the Threat Intel type. |
| String | Last updated date and time of the Threat Intel type. |
| String | Name of the Threat Intel type. |
Action: Get Location Details
This action retrieves the details of a location using the location ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Location ID | Enter the unique ID of a location. Example: 67ef9042-612d-4bc1-b54f-d8195c002907 | Text | Required | You can retrieve the list of locations and their IDs using the following action: Get Locations |
Example Request
{ "unique_id": "67ef9042-612d-4bc1-b54f-d8195c002907" }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | The title of the location. |
| String | Unique ID of the location in UUID-4 format. |
| String | Unique ID of the corresponding country in UUID-4 format. |
| Object | Details of the corresponding country. |
| String | The name of the Country. |
| String | Unique ID of the corresponding country in UUID-4 format. |
| String | Unique ID of the corresponding state in UUID-4 format. |
| Object | Details of the corresponding state. |
| String | The name of the State. |
| String | Unique ID of the corresponding state in UUID-4 format. |
| String | Name of the city. |
| String | Name of the site. |
| String | PIN code of the site. |
| String | Creation date and time of the location in ISO format. |
| String | Last modified date and time of the location in ISO format. |
| Boolean | Shows if the location is active or not. |
| String | Unique ID of the longitude of the location. |
| String | Unique ID of the lantitude of the location. |
Action: Get Malware Details
This action retrieves the details of malware using the malware ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware ID | Enter the unique ID of the malware. Example: h53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of malware and their IDs using the following action: List Malware |
Example Request
[ { "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameters | Type | Description |
---|---|---|
| Object | Type of the malware. |
| Object | Unique IDs of the email IOC type. |
| Object | List of affected platforms. |
| Object | Unique IDs of the IP IOC type. |
| Object | Unique IDs of the MD5 Hash IOC type. |
| Object | File types of the malware. For example, dll, exe, docx, zip. |
| Object | Unique IDs of the domain IOC type. |
| Object | Unique IDs of the SHA1 IOC type. |
| Object | Unique IDs of the SHA256 IOC type. |
| Object | Unique IDs of the URL IOC type. |
| String | Unique ID of the malware. |
| String | Readable ID of the malware. |
| String | Created date of the malware in EPOCH time format. |
| String | Last modified date of the malware in EPOCH time format. |
| String | Title of the malware. |
| String | Description of the malware. |
| Object | Unique ID of the linked incidents. |
| String | Status of the malware. |
| Object | Unique ID of the linked threat briefings. |
| Object | Details of the linked threat briefings. |
| Object | Details of the linked incidents. |
| Boolean | Shows if the malware is bookmarked or not. |
| Object | Details of the linked actions. |
| Object | Unique ID of the linked campaigns. |
| Object | Details of the linked campaigns. |
| Object | Unique ID of the linked vulnerabilities. |
| Object | Details of the linked vulnerabilities. |
| Object | Unique ID of the linked threat actors. |
| Object | Details of the linked threat actors. |
| Object | Details of the linked PIRs. |
| Object | Details of the attachments. |
| Object | Details of the user who created the malware. Details include: username, email, first name, last name, and so on. |
| Object | Unique ID of the linked labels. |
| Object | Details of the linked labels. |
| Object | Details of the linked tactic technique pairs. |
| String | Date on which malware is seen for the first time. |
| Object | Last modified date of the malware. |
| Object | Unique ID of the linked applications. |
| Object | Details of the linked applications. |
| Object | Unique ID of the linked software. |
| Object | Details of the Linked Asset Softwares. |
| Object | Unique ID of the linked devices. |
| Object | Details of the linked devices. |
| Object | Unique ID of the linked enhancements. |
| Object | Details of the linked enhancements. |
| Object | Details of the malware type. |
| Object | Details of the malware file type. |
| Object | Details of the affected platforms. |
Action: Get Manufacturer Details
This action retrieves the details of a manufacturer.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Manufacturer ID | Enter the unique ID of a manufacturer. Example: 53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of manufacturers and their IDs using the following action: Get Manufacturers |
Example Request
{ "unique_id": "53ff8942-612d-4bc1-b54f-d8195c002404" }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | The title of the manufacturer. |
| String | Unique ID of the manufacturer in UUID-4 format. |
| String | Unique readable ID of the manufacturer. It starts with MFR followed by a unique number. Example: "MFR101" |
| Text | Description of the manufacturer. |
| String | Creation date and time of the manufacturer in ISO format. |
| String | Last modified date and time of the manufacturer in ISO format. |
Action: Get OS Type Details
This action retrieves the details of an OS type.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Operating system (OS) ID | Enter the unique ID of the OS type. Example: 2fd4996d-f21b-4d43-8000-31769f3ed3ae | Text | Required | You can retrieve the list of OS types and their IDs using the following action: Get OS Types |
Example Request
{ "unique_id": "2fd4996d-f21b-4d43-8000-31769f3ed3ae" }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the OS type. |
| String | Unique Identifier String of UUID-4 format of the OS type. |
| String | Unique readable ID of the OS type. It starts with OST followed by a unique number. Example: "OST101" |
| Text | Description of the OS type. |
| String | Creation date and time of the OS type in ISO format. |
| String | Last modified date and time of the OS type in ISO format. |
Action: Get PIR Details
This action can be used to retrieve the details of a PIR (Priority Intel Requirement) using the ID of the PIR.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Priority Intel Requirement (PIR) ID | Enter the unique ID of the Priority Intel Requirement (PIR). Example: 42505945-ea78-4c69-8d34-92cdd20026d8 | Text | Required | You can retrieve the list of PIRs and their IDs using the following action: Get PIRs |
Example Request
[ { "unique_id": "42505945-ea78-4c69-8d34-92cdd20026d8" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the PIR. |
| String | Unique ID of the PIR in UUID-4 format. |
| String | Readable ID of the PIR. |
| Text | Description of the PIR. |
| String | Creation date and time of the PIR in ISO format. |
| String | Last updated date and time of the PIR in ISO format. |
| String | Current status of the PIR. Allowed values:
|
| Object | Details of user who created the PIR. |
| String |
|
| Object | Details of user who closed the PIR. |
| String | Closing date and time of the PIR in ISO format. |
| Boolean | Shows whether the PIR is bookmarked or not. |
| List of String | List of |
| List of Objects | Details of the attached labels. |
| String | Priority level of the PIR. Allowed values: - - - - - |
| Object | Details of the priority of the PIR. |
| List of Stings | List of Unique IDs of the assigned users in UUID-4 format. |
| List of Objects | Details on the list of assigned users of the PIR. Details include:
|
| String | Unique ID of the assigned user group in UUID-4 format. |
| Object | Details of the assigned user group. Details include:
|
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
Action: Get Recommended Users for an Incident
This action retrieves the list of users that are automatically recommended for assigning to a specific incident based on their roster and the history of incidents handled.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the unique ID of the incident. | Text | Required | You can retrieve the list of incidents and their IDs using the following action: Get Incidents |
Allocation Datetime | Enter the allocation time in EPOCH format | Text | Optional |
Example Request
[ { "unique_id": "1cc818a1-2676-4746-ac2e-6610832c4d65" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
results | Array of Objects | List of recommended users. |
username | String | The username of the recommended user. |
first_name | String | The first name of the recommended user. |
last_name | String | The last name of the recommended user. |
profile_background_color | String | The profile background color of the recommended user. |
user_id | String | The user ID of the recommended user. |
display_pic | String (nullable) | The display picture of the recommended user. Can be null. |
String | The email of the recommended user. | |
score | Number | The recommendation score of the user. |
Action: Get Roster
This action retrieves a list of rosters from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page No | Enter the page number to retrieve the list of rosters. Example: 1 | Integer | Optional | Default: 1 |
Page Size | Enter the page size to retrieve the list of rosters. Example: 10 | Integer | Optional | Default: 10 |
All Data | Select true to retrieve all the data. | Boolean | Optional | Rosters are returned as per the values defined in the Page No and Page Size parameters. If you enter false, then the rosters list is returned in a paginated manner. Default value: true |
Search Query | Enter the search query to filter the data. Example: indicator | Text | Optional |
Example Request
{ "page_no": 1, "page_size": 10, "all_data": false, "search_query": "analyst" }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
link | Object | This parameter has two keys:
|
count | Integer | The total number of rosters returned as per the entered query parameters. |
results | List of Objects | Details of the rosters. Each object provides the details of one roster. |
unique_id | String | Unique ID of the roster. |
is_removed | Boolean | Indicates if the roster is removed. |
title | String | Title of the roster. |
created_by_data | Object | Details of the user who created the roster. |
modified_by_data | Object | Details of the user who modified the roster. |
start | String | Start date and time of the roster (ISO 8601 format). |
end | String | End date and time of the roster (ISO 8601 format). |
shift_model | String | ID of the shift model associated with the roster. |
shift_model_data | Object | Details of the shift model associated with the roster. |
created | String | Creation date and time of the roster (ISO 8601 format). |
modified | String | Last modified date and time of the roster (ISO 8601 format). |
is_draft | Boolean | Indicates if the roster is in draft status. |
exceptions | Array | List of exceptions for the roster. |
users_data | Array | Details of the users associated with the roster. |
Action: Get Source Details
This action retrieves the details of a source.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source ID | Enter the unique ID of the source. Example: 53ff8942-612d-4bc1-b54f-d8195c002907 | Text | Required | You can retrieve the list of sources and their IDs using the following action: Get Sources |
Example Request
{ "unique_id": "53ff8942-612d-4bc1-b54f-d8195c002907" }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | The name of the source. |
| String | Unique ID of the source type in UUID-4 format. |
| String | Display name of the source. |
| String | Unique ID of the source in UUID-4 format. |
| String | Creation date and time of the source in ISO format. |
| String | Last modified date and time of the source in ISO format. |
| Object | Details of the source type. |
| String | Unique ID of the source type in UUID-4 format . |
| String | Creation date and time of the source type in ISO format. |
| String | The title of the source type. |
Action: Get Templates
This action retrieves the list of templates from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to retrieve the list of templates. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the page size to retrieve the list of templates. Example: 10 | Integer | Optional | Default value: 10 |
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get Threat Actor Details
This action retrieves the details of a threat actor using the ID of the threat actor.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Actor ID | Enter the unique ID of the threat actor. Example: h53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of IDs of threat actors using the following action: Get Threat Actors |
Example Request
[ { "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the threat actor. |
| String | Unique ID of the threat actor. |
| String | Readable ID of the threat actor. |
| Text | Description of the threat actor. |
| String | Creation time of the threat actor in ISO format. |
| String | Last Updated time of the threat actor in ISO format. |
| String | Current status of the threat actor. Allowed values:
|
| String | Risk associated with the threat actor. Allowed Values: - - - - - |
| String | Priority of the threat actor. Allowed values: - - - - - |
| Object | Details of user who created the threat actor. |
| String |
|
| Object | Details of user who closed the threat actor. |
| String | Closing date of the threat actor in ISO format. |
| Boolean | Shows whether the threat actor is bookmarked or not. |
| Array of Objects | Details of each attachment of the threat actor. |
| Array of Objects | Details of the actions that are added for the threat actor. |
| Array of UUID Strings | List of the enhancements that are added for the threat actor. |
| Array of Objects | Details of the enhancements that are added for the threat actor. |
| Array of Objects | Details of the PIRs that are added for the threat actor. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA1 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected MD5 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA256 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected IP Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected URL Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected domain Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected email Threat Intels. |
Action: Get Threat Briefing Details
This action retrieves the details of a threat briefing.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Briefing ID | Enter the unique ID of the threat briefing. Example: y53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of threat briefings and their IDs using the following action: Get Threat Briefings |
Example Request
[ { "unique_id": "y53ff8942-612d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the Threat Briefing. |
| String | Readable ID of the Threat Briefing. |
| String | Title of the Threat Briefing. |
| Text | Description of the threat briefing. |
| String | Current status of the Threat Briefing. Allowed values: - ACTIVE - INACTIVE |
| String | Created date and time of the Threat Briefing. |
| String | Last updated date and time of the Threat Briefing. |
| String | Title of the Threat Briefing. |
| Boolean | Shows whether the Threat Briefing is bookmarked or not. |
| List | List of |
| List of Objects | Details of the attached labels. |
| List of Objects | Details of the locations linked to the Threat Briefing. |
| List of Objects | Details of the business units linked to the Threat Briefing. |
| String | Unique ID of the user who created the Threat Briefing. |
| Object | Details of the user who created the Threat Briefing. |
| Array of Objects | Details of each attachment of the Threat Briefing. |
| Array of Objects | Details of the actions that are added for the Threat Briefing. |
| Array of UUID Strings | List of the enhancements that are added for the Threat Briefing. |
| Array of Objects | Details of the enhancements that are added for the Threat Briefing. |
| Array of Objects | Details of the PIRs that are added for the Threat Briefing. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
Action: Get Threat Intel (IOC) Details
This action retrieves the details of a threat intel (IOC).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Intel (IOC) ID | Enter the unique ID of the threat intel. Example: f53ff8979-615d-4bc1-b54f-d8195c002404 | Text | Required | Use the following action to retrieve the list of threat intel (IOC) and their IDs: Get List of Threat Intel (IOC) |
Example Request
[ { "unique_id": "f53ff8979-615d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Value of the Threat Intel. |
| String | Unique ID of the Threat Intel in UUID-4 format. |
| String | Creation date and time of the Threat Intel. |
| String | Last Updated date and time of the Threat Intel. |
| List of Objects | Details of the location of threat intel. |
| String | TLP associated with the threat intel. Allowed values:
|
| List of Objects | Details of Incidents associated with the Threat Intel. Details include: |
| String |
|
| String | Current status of the Threat Intel. Allowed values:
|
| List | List of |
| List of Objects | Details of labels added to the Threat Intel. Details include |
| List of Objects | Details of Malware associated with the Threat Intel. Details include: |
| List of Objects | Details of Threat Actors associated with the Threat Intel. |
| List of Objects | Details of Vulnerabilities associated with the Threat Intel. Details include: |
| Integer | Number of Actions added to the Threat Intel. |
| Integer | Number of comments added to the Threat Intel. |
| String |
|
| Object | Details of the Indicator Type. |
Action: Get Threat Intel Form Structure
This action retrieves the form field structure of the Threat Intel component.
Action Input Parameters
There are no input parameters required for this action.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the Tab. |
| String | Title of the tab. |
| Boolean | Shows if the tab is active or not. |
| Boolean | Shows if the tab can be edited or not. |
| Boolean | Shows whether the tab is in deleted state or not. |
| String | Shows the string name for Threat Intel module. |
| List of Objects | Details of the fields added in the tab. Note: The tab fields are further explained in the table below. |
| String | The tab type. Examples of tab types are:
|
| String |
|
| List | Details of children tabs. |
| Boolean | Shows if tab can be removed or not. |
| String | Validation expression (if any) added. It is used for Threat Intel. |
| Integer | Order of the tab. |
| String | Unique Identifier String of UUID-4 format of the Field. |
| String | Title of the field. |
| String | The type of field. Allowed values:
|
| Boolean | Shows whether field is active or not. |
| Boolean | Shows whether the field is in deleted state or not. |
| String | Placeholder of the field. |
| String | Help text o.f the field |
| List of Objects | Details of the options. |
| Boolean | Shows whether field can be edited or not. |
| Boolean | Shows whether field can be deleted or not. |
| Boolean | Shows whether the field is mandatory or not. |
| String | Unique readable key for receiving field data from external sources. |
| Boolean | Shows whether the widget can be created for this field or not. (Applicable only on select/multi-select fields) |
| String | Validation expression (if any) added. It is used for Threat Intel. |
| Boolean | Shows whether the field is one time entry field or not. |
| Boolean | Shows whether the filter option should be provided for this field or not. (Applicable only on select/multi-select fields) |
| Boolean | Shows whether the field access is restricted by user group. |
| List | List of |
| Boolean | Shows whether the current user has write access to the field or not. |
| List of Objects | Basic details of user groups that have write access to the field. |
| Boolean | Shows whether the field is selected as a parent parameter or not. |
| Integer | Order of the field. (Defines the position of the field in the form) |
| Integer | Column number of the field. (Defines the column of the field in the form). Allowed values:
|
Action: Get User Group Details
This action retrieves the details of a user group.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User Group ID | Enter the unique ID of a user group. Example: 4e046ee1-5bc9-4320-965f-3bf24dbb9256 | Text | Required | You can retrieve the list of user groups and their IDs using the following action: Get User Groups |
Example Request
{ "unique_id": "4e046ee1-5bc9-4320-965f-3bf24dbb9256" }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the user group in UUID-4 format. |
| String | Name of the user group. |
| Text | Description of the user group. |
| List of Objects | List of permission objects of the user group. Each object includes the details of one permission. |
| Object | Unique ID of the user who created the user group. |
| Positive Integer | Number of users assigned to the user group. |
| Positive Integer | Count of the number of |
| Boolean | Shows whether the user group is currently active or not. |
| Boolean | Shows whether the user group is editable or not. |
| Integer | Creation date and time of the user group in EPOCH time format. |
| List of Strings | List of unique IDs of the users assigned to the user group in UUID-4 format. |
| List of Objects | Details of the users assigned to the user group. Each object includes the details of one user. |
| Float | Analyst cost associated with the users of the user group. The default cost is configured as per the daily rate. |
| List of Strings | List of unique IDs of the Cyware Orchestrate Playbook tags added to the User Group in UUID-4 format. |
| List of Objects | Details of the Playbook tags. Each object includes the details of one Playbook tag. |
| Boolean | Shows whether the group is read only or not. |
| String | Shows the associated SAML groups with the user group. |
| String | Unique ID of the permission in UUID-4 format. |
| String | Display name of the permission. |
| String | Unique string of the permission. |
| String | Level of grant associated with each permission in CFTR. Allowed values: - - - |
| String | Verbose name given to the permission. |
| String | Username of the user. |
| String | First name of the user. |
| String | Last name of the user. |
| String | Hex value of the user profile background color. |
| String | Unique ID of the user in UUID-4 format. |
| String | Link to the display picture of the user. |
| Boolean | Shows whether the user is an active user or not. |
| String | Email ID of the user. |
| String | Full name of the user. |
| String | Unique ID of the Playbook in UUID-4 format. |
| String | Title of the Playbook. |
| Text | Description of the Playbook. |
Action: Get Vulnerability Details
This action retrieves the details of a vulnerability.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Vulnerability ID | Enter the unique ID of the vulnerability. Example: e53ff8972-618d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of vulnerabilities and their IDs using the following action: Get Vulnerabilities |
Example Request
[ { "unique_id": "e53ff8972-618d-4bc1-b54f-d8195c002404" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the vulnerability. |
| String | Unique ID of the vulnerability. |
| String | Readable ID of the vulnerability. |
| Text | Description of the vulnerability. |
| String | Creation time of the vulnerability in ISO format. |
| String | Last Updated time of the vulnerability in ISO format. |
| String | Current status of the vulnerability. Allowed values:
|
| String | Risk associated with the vulnerability. Allowed Values: - - - - - |
| String | Priority of the vulnerability. Allowed values: - - - - - |
| Object | Details of user who created the vulnerability. |
| String |
|
| Object | Details of user who closed the vulnerability. |
| String | Closing date of the vulnerability in ISO format. |
| Boolean | Shows whether the vulnerability is bookmarked or not. |
| Array of Objects | Details of each attachment of the vulnerability. |
| Array of Objects | Details of the actions that are added for the vulnerability. |
| Array of UUID Strings | List of the enhancements that are added for the vulnerability. |
| Array of Objects | Details of the enhancements that are added for the vulnerability. |
| Array of Objects | Details of the PIRs that are added for the vulnerability. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA1 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected MD5 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA256 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected IP Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected URL Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected domain Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected email Threat Intels. |
Action: List Actions
This action retrieves a list of actions using query string and query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of Actions in CFTR application as per the query parameters. |
| List of Objects | Details of the Actions. Each object provides details of one Action. |
| String | The title of the action. |
| String | Unique ID of the action. |
| String | Created date of the action in EPOCH time format. |
| String | Last modified date of the action in EPOCH time format. |
| String | Description the an action. |
| String |
|
| Object | Details of the assigned user. |
| String |
|
| Object | Details of the assigned user group. Details include: group_comm_id and group_name of the user group. |
| String | Status of the action. For example, open. |
| String | Readable ID of the action. For example, ACT379. |
| Object | Details of the user who created the action. Details include: username, email ,first name, last name, and so on. |
| Boolean | Shows whether the instance can be updated by the user who requested it or not. |
| Boolean | True: Action is bookmarked. False: Action is not bookmarked. |
| Object | Details of the user who closed the action. Details include: username, email ,first name, last name, and so on. |
| String | Closure date of the action in EPOCH time format. |
| String | Resolved date of the action in EPOCH time format. |
| String | Details of assignment SLA details of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion. |
| String | Details of resolution SLA of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion. |
| String | Resolution due date of the action. |
| String | Date and time at which the SLA stopped for the action. |
| String | Type of the action. For example, Recovery. |
| String | Priority level of the action |
| Object | Details of the type of the action. Details include: unique_id, option_name, is_active, and so on. |
| Object | Details of the priority level of the action. |
| List of Strings | Unique IDs of the list of labels added to the action. |
| Object | Details of the labels added to the action. Details include: unique_id, title, color code, and so on. |
| Boolean | Displays if the action is created using a template or not. |
Action: List Asset Applications
This action retrieves a list of asset applications from the Applications module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | The total number of applications returned as per the entered query parameters. |
| List of Objects | Details of the applications. Each object provides the details of one application. |
| String | Unique ID of the application. |
| String | Created date and time of the application. |
| String | Last updated date and time of the application. |
| String | Title of the application. |
| String | Production date of application. |
| String | Readable ID of the application. |
| List | List of the labels associated with the application. |
| List of Objects | Details of labels added to the application. The details include:
|
| String | Status of the application. |
Action: List Asset Software
This action retrieves a list of asset software from the Software module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | The total number of software returned as per the entered query parameters. |
| List of Objects | Details of the softwares. Each object provides the details of one software. |
| String | Unique ID of the software. |
| String | Created date and time of the software. |
| String | Last updated date and time of the software. |
| String | Name of the software. |
| String | Readable ID of the software. |
| List | List of the labels that are added to the software. |
| List of Objects | Details of labels added to the software. The details include:
|
| String | Status of the sofware. For example, active. |
Action: List Asset Users
This action retrieves a list of asset users from the Users module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | The total number of users returned as per the entered query parameters. |
| List of Objects | Details of the users. Each object provides the details of one user. |
| String | Unique ID of the user. |
| String | Created date and time of the user. |
| String | Last updated date and time of the user. |
| String | Name of the user. |
| String | Email ID of the user. |
| String | Name of the user. |
| String | Readable ID of the user. |
| List | List of labels that are added to the user. |
| List of Objects | Details of labels added to the user. The details include:
|
| String | Status of the user. |
| Float | Risk score of the user. |
Action: List Attachments
This action retrieves the attachments from a component.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the identifier of a component. | Text | Required | Allowed values:
|
Unique ID | Enter the unique ID of the component entry to which you want to add an attachment. | Text | Required | If the component identifier is Incident, then the unique ID must be a specific Incident ID. |
Example Request
[ { "component_name": "incident", "unique_id": "Example Unique ID", } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
link | Object | This parameter has two keys:
|
count | Integer | The total number of attachments returned as per the entered query parameters. |
results | List of Objects | Details of the attachments. Each object provides the details of one attachment. |
title | Text | Name of the file. |
uploaded_file | URL | URL of the file from where it can be downloaded. |
unique_id | String | Unique ID for the file. |
created_by_data | Object | Details of the user who uploaded the file. |
created | Datetime | File upload time. |
modified | Datetime | File modified time. |
readable_id | String | Unique readable ID of the file. |
file_hash | String | Hash of the file. |
file_type | String | Type of the file. I Allowed values:
|
file_size | Integer | Size of the file. |
parent_readable_id | String |
|
parent_component | String | Component name in which file is uploaded. Example: |
parent_unique_id | String |
|
Action: List Business Units
This action retrieves a list of business units from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of Business Units in CFTR application according to the filters applied. |
| List of Objects | Details of the Business Unit. Each object provides details of one Business Unit. |
| String | The title of the Business Unit. |
| Text | Description of the Business Unit. |
| String | Unique ID of the Business Unit in UUID-4 format. |
| String | Creation date and time of the Business Unit in ISO format. |
| String | Last modified date and time of the Business Unit in ISO format. |
| String | Unique readable ID of the Business Unit. It starts with BU followed by a unique number. Example: "BU102" |
| String | Emails of the recepients to whom the notifications are sent. |
Action: List Campaigns
This action retrieves a list of campaigns.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10, "status": "ACTIVE" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
link | Object | This parameter has two keys:
|
count | Integer | Total number of campaigns in CFTR application according to the filters applied. |
results | List of Objects | Details of the campaigns. Each object provides details of one campaign. |
unique_id | String | Unique ID of the campaign in UUID-4 format. |
readable_id | String | Unique readable ID of the campaign. It starts with Example: CMP101 |
created | String | Campaign creation date and time. |
description | Text | Description of the campaign. |
modified | String | Last updated date and time of the campaign. |
title | String | Title of the campaign. |
title_display | String | Title of the campaign. |
status | String | Current status of the campaign. Allowed values:
|
is_bookmarked | Boolean | Shows if the campaign is bookmarked or not. |
created_by_data | Object | Details of user who created the campaign. Details include:
|
labels | List of Strings | Unique ID of the labels associated with the campaign in UUID-4 format. |
labels_data | List of Objects | Details of labels added to the campaign. Details include:
|
Action: List CFTR Users
This action retrieves a list of users from the User Management module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of users in CFTR application according to the filters applied. |
| List of Objects | Details of the users. Each object provides details of one user. |
| String | Unique ID of the users in UUID-4 format. |
| String | First name of the user. |
| String | Last name of the user. |
| String | Email ID of the user. |
| String | The link to the display picture of the user. |
| String | Username of the user. |
| String | Hex key of the background color of the user profile. |
| Boolean | Shows whether a user is an active user or not. |
| String | Full name of the user. |
Action: List Comments
This action retrieves the comments of an entry.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the identifier of a component. Example: incident | Text | Required | Allowed values:
|
Unique ID | Enter the unique ID of the component entry to which you want to add comments. Example: 1cc818a1-2676-4746-ac2e-6610832c4d65 | Text | Required | If component identifier is Incident, then unique ID must be specific Incident. |
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } "component_name": "incident", "unique_id": "Example Unique ID" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
count | Integer | Number of comments added in a module object. |
unique_id | String | Unique ID of the comment. |
description | Text | Content of the comment. |
created_by | Object | Details of the user who added the comment. |
modified_by | Object | Details of the user who last updated the comment. |
mentioned_users | List of UUID | List of |
mentioned_users_data | List of Objects | Details of the users mentioned in the comment. |
created | Datetime | Comment creation time in EPOCH time format. |
modified | Datetime | Comment last updated time in EPOCH time format. |
comment_type | String | Type of Comment. Examples:
|
content_object | String | Component in which the comment is added. Example: |
content_object_readable_id | String |
|
content_object_unique_id | String |
|
description_with_img_src | Text | Content of the content with the image URLs (if any image is added in the comment). |
Pinned | Boolean | Shows if the comment is pinned or not. |
Action: List Countries
This action retrieves a list of countries from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: List Custom Module Entries
This action retrieves all the entries of a custom module with their details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the component identifier of the module. Example: module21 | Text | Required | You can retrieve the list of components and their component identifiers using the following action: List Custom Modules |
Example Request
[ { "component_identifier": "module21" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of entries of the custom module in CFTR application as per the filters applied. |
| List of Objects | Details of the entries of the custom module. Each object provides details of one entry. |
| String | Unique ID of the entry in UUID-4 format. |
| String | Unique readable ID of the entry. It starts with the configured Module Identifier followed by a unique number. |
| String | Creation date and time of the entry. |
| String | Last updated date and time of the entry. |
| List | List of labels added to the entry. |
| String | UUID of the user who last modified the custom module entry. |
| String | UUID of the user who created the custom module entry. |
| Text | Title of the entry. |
| Text | Description of the entry. |
| String | Current status of the entry. |
| Object | Details of the status of the entry. Details include:
|
| Boolean | Shows if the entry is bookmarked or not. |
| Object | Details of the user who last updated the entry. Details include:
|
| Object | Details of the user who created the entry. Details include:
|
| List of Objects | Details of labels added to the entry. Details include:
|
| Boolean | Displays whether the entry is bookmarked or not. |
| Boolean | Displays whether the custom module entry is in the deleted state or not. |
| Integer | Unique number of the entry. |
Action: List Custom Modules
This action retrieves the list of custom modules.
Action Input Parameters
There are no input parameters required for this action.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
link | Object | This parameter has two keys:
|
count | Integer | Total number of custom modules in CFTR application according to the filters applied. |
results | List of Objects | Details of the custom modules. Each object provides details of one incident. |
| String | Component identifier of a custom module. Example, MOD. |
| String | Name of the custom module. |
| String | The icon identifier that is being used for the custom module. |
| String | Unique ID of the custom module. |
| Boolean | Shows whether the custom module can be deleted or not.
|
Action: List Devices
This action retrieves a list of devices from the Devices module.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: List Enhancements
This action retrieves a list of enhancements.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
link | Object | This parameter has two keys:
|
count | Integer | Total number of enhancements in the CFTR application as per the filters applied. |
results | List of Objects | Details of the enhancements. Each object provides details of one enhancement. |
unique_id | String | Unique ID of the enhancement in UUID-4 format. |
readable_id | String | Unique readable ID of the enhancement. It starts with Example: ENH101 |
created | String | Enhancement creation date and time. |
description | Text | Description of the enhancement. |
modified | String | Last updated date and time of the enhancement. |
title | Text | Title of the enhancement. |
status | String | Current status of the enhancement. Allowed values: - - |
priority | String | Priority level of the enhancement. |
priority_data | Object | Details of the priority assigned. Details include:
|
is_bookmarked | Boolean | Shows if the enhancement is bookmarked or not. |
modified_by_data | Object | Details of the user who last updated the enhancement. Details include:
|
assigned_group | String | Unique ID of the assigned user group of the enhancement in UUID-4 format. |
assigned_group_data | Object | Details of the assigned user group. Details include: |
created_by_data | Object | Details of user who created the enhancement. Details include
|
assigned_to | String | Unique ID of the assigned user of the enhancement in UUID-4 format. |
assigned_to_data | Object | Details of the assigned user. Details include
|
labels | List of Strings | List of Unique IDs of the labels associated with the enhancement in UUID-4 format. |
labels_data | List of Objects | Details of labels added to the enhancement. Details include
|
enhancement_type | List of Strings | Option name of the enhancement types associated with the enhancement. |
enhancement_type_data | List of Objects | Details of the enhancement types associated with the enhancement. |
Action: List Incidents
This action retrieves a list of incidents from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key Value | Optional | Allowed values: q (str), page (int): by default, the value is 1, page_size (int): by default, the value is 10, status (str): open, closed, untriaged, merged, participant (bool), self_assigned_groups (bool), self_assigned (bool), bookmarked (bool), mentioned (bool), assigned_to (bool), is_protected (bool), is_paused (bool), attack_techniques (id), attack_tactics (id), phase (str), business_units (id), created_by (id), detection_date__gte (epochtime), detection_date__lte (epochtime), incident_date__gte (epochtime), incident_date__lte (epochtime), modified_date__gte (epochtime), modified_date__lte (epochtime), created_date__gte (epochtime), created_date__lte (epochtime), locations (id), level (str): type of severity, kill_chain_phase (id), labels (id), created_date__n_months (int): 3, 6, created_date__n_days (int): 7, 30, 90, resolution_overdue (bool), assignment_overdue (bool) |
Example Request
[ { "query_params": { "page": 1, "page_size": 10, "status": "open" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter may include the following keys:
|
| Integer | Total number of incidents in CFTR application according to the filters applied. |
| Array of JSON Objects | List of incident details. Each object provides details of one incident. |
| String | Unique ID of the Incident in UUID-4 format. |
| String | Unique readable ID of the incident. It starts with INC followed by a unique number. |
| String | Incident creation date and time in Epoch format. |
| String | Description of the Incident. |
| String | Last updated date and time of the incident. |
| String | Title of the incident. |
| Boolean | True: Incident is considered machine generated when it is generated using the CFTR OpenAPI. False: Incident created manually. |
| String | Current status of the incident. Possible values: open, closed, untriaged, merged |
| String | Date and time when the incident was closed. If incident is not closed, value of this param will be null. |
| String | Title of the incident. |
| Boolean | Returns true if the incident is marked as protected. |
| String | Severity level of the incident. |
| String | Current phase of the incident. |
| Boolean | Returns true if the incident is paused. |
| String | Date and time when the incident was opened. If incident is not opened yet, value of this param will be null. |
| JSON Object | Assignment SLA details of the incident. It has two keys: 1. |
| JSON Object | Resolution SLA details of the incident. It has two keys: 1. |
| Boolean | Shows if the incident is bookmarked or not. |
| Timestamp | Resolution SLA breach date of the incident. |
| JSON Object | Details of the user who opened the incident. Details include: |
| JSON Object | Details of the parent incident if the incident is merged. Details include: |
| JSON Object | Details of the user who last updated the Incident. Details include: |
| JSON Object | Details of the assigned user group. Details include: group name and group ID. |
| JSON Object | Details of the user who created the incident. Details include: |
| JSON Object | Details of the assigned user. Details include: |
| Array of JSON Objects | Details of labels added to the incident. Details include: |
| JSON Object | Details of business unit impacted by the incident. Details include: |
| Array of JSON Objects | Details of locations impacted by the incident. Details include: |
| JSON Object | Details of the current phase of the incident. Details include:
|
| JSON Object | Details of the incident type associated with the incident. Details include: |
| String | Incident type associated with the incident. |
| JSON Object | Details of the severity level of the incident. Details include: |
| String | Current kill chain phase of the incident. |
| JSON Object | Details of the kill chain phase of the incident. Details include: |
| Array of JSON Objects | Details of the motivations of the incident. Details include: |
| Array | List of motivations of the incident. |
| Array of JSON Objects | Details of the compliance standards that are applicable to the incident. Details include: |
| Array | List of compliance standards that are applicable to the incident. |
| JSON Objects | Details of the root cause of the incident. |
| String | Root cause of the incident. |
Action: List Incident Workflows
This action retrieves a list of all the incident workflows with the details from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the Incident Workflow. |
| String | Description of the Incident Workflow. |
| String | Unique Identifier String of UUID-4 format of the Incident Worflow. |
| String | Defines the state of Incident Workflow as `draft` OR `published`. |
| String | Describes the state of Incident Workflow as `active` or `inactive`. |
| Boolean | Determines whether the Incident Workflow is the default one or not. |
| String | Determines the string name for Incident Module. |
| String | Determines the selected flow of Workflow phases as `linear` or `non-linear`. |
| String | Timestamp String in ISO Format describing the date-time of creation of the Incident Workflow. |
| String | Timestamp String in ISO Format describing the date-time of latest modification of the Incident Workflow. |
| String |
|
| String |
|
| Object | Basic details of the user who created the Incident Workflow. |
| Object | Basic details of the user who lastly modified the Incident Workflow. |
| Boolean | Determines whether the Workflow is in deleted state or not. |
| Boolean | Determines whether the Incident Workflow has been mapped to parent parameters or not. |
| Integer | Determines the number of phases present in the Incident Workflow. |
| Boolean | Determines if the Workflow is imported or not. |
Action: List Locations
This action retrieves a list of locations from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of locations in CFTR application according to the filters applied. |
| List of Objects | Details of the location. Each object provides details of one location. |
| String | The title of the location. |
| String | Unique ID of the location in UUID-4 format. |
| String | Unique ID of the corresponding country in UUID-4 format. |
| Object | Details of the corresponding country. |
| String | The name of the Country. |
| String | Unique ID of the corresponding country in UUID-4 format. |
| String | Unique ID of the corresponding state in UUID-4 format. |
| Object | Details of the corresponding state. |
| String | The name of the State. |
| String | Unique ID of the corresponding state in UUID-4 format. |
| String | Name of the city. |
| String | Name of the site. |
| String | PIN code of the site. |
| String | Creation date and time of the location in ISO format. |
| String | Last modified date and time of the location in ISO format. |
| Boolean | Shows if the location is active or not. |
| String | Unique ID of the longitude of the location. |
| String | Unique ID of the lantitude of the location. |
Action: List Malware
This action retrieves a list of malware.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of malware for activity logs of a component in CFTR. |
| List of Objects | Details of the malware for activity logs. Each object provides details of one malware. |
| String | Unique ID of the malware. |
| String | Readable ID of the malware. |
| String | Created date of the malware in EPOCH time format. |
| String | Last modified date of the malware in EPOCH time format. |
| String | Title of the malware. |
| String | Status of the malware. |
| Boolean | Shows if the malware is bookmarked or not. |
| Object | Details of the user who created the malware. Details include: username, email, first name, last name, and so on. |
| String | Title of the malware. |
| Object | Unique IDs of the associated labels. |
| Object | Details of the associated labels, such as unique_id, title, color_code, and so on. |
| Object | Details of the type of malware. |
| Object | Type of the malware. |
| Object | Details of malware file type. |
| Object | Malware file type. For example, exe, bat, dll, zip, and so on_._ |
| Object | Details of platform affected by the malware. |
| Object | Lists platforms affected by malware. For example, Windows, Windows XP, and so on. |
Action: List Manufacturers
This action retrieves a list of manufacturers from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of manufacturers in the CFTR application according to the filters applied. |
| List of Objects | Details of the manufacturers. Each object provides details of one manufacturer. |
| String | The title of the manufacturer. |
| String | Unique ID of the manufacturer in UUID-4 format. |
| String | Unique readable ID of the manufacturer. It starts with MFR followed by a unique number. Example: "MFR101" |
| Text | Description of the manufacturer. |
| String | Creation date and time of the manufacturer in ISO format. |
| String | Last modified date and time of the manufacturer in ISO format. |
Action: List OS Types
This action retrieves a list of operating system (OS) types from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: List PIRs
This action retrieves a list of PIRs (Priority Intel Requirement) using the ID of the PIR.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | The total number of PIRs returned as per the entered query parameters. |
| List of Objects | Details of the PIRs. Each object provides the details of one PIR. |
| String | Title of the PIR. |
| String | Unique ID of the PIR in UUID-4 format. |
| String | Readable ID of the PIR. |
| Text | Description of the PIR. |
| String | Creation date and time of the PIR in ISO format. |
| String | Last updated date and time of the PIR in ISO format. |
| String | Current status of the PIR. Allowed values:
|
| Object | Details of user who created the PIR. |
| String |
|
| Object | Details of user who closed the PIR. |
| String | Closing date and time of the PIR in ISO format. |
| Boolean | Shows whether the PIR is bookmarked or not. |
| List of String | List of |
| List of Objects | Details of the attached labels. |
| String | Priority level of the PIR. Allowed values: - - - - - |
| Object | Details of the priority of the PIR. |
| List of Stings | List of Unique IDs of the assigned users in UUID-4 format. |
| List of Objects | Details on the list of assigned users of the PIR. Details include:
|
| String | Unique ID of the assigned user group in UUID-4 format. |
| Object | Details of the assigned user group. Details include:
|
Action: List Sources
This action retrieves a list of sources from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: Page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of sources in CFTR application according to the filters applied. |
| List of Objects | Details of the source. Each object provides details of one source. |
| String | The name of the source. |
| String | Unique ID of the source type in UUID-4 format. |
| String | Display name of the source. |
| String | Unique ID of the source in UUID-4 format. |
| String | Creation date and time of the source in ISO format. |
| String | Last modified date and time of the source in ISO format. |
| Object | Details of the source type. |
| String | Unique ID of the source type in UUID-4 format . |
| String | Creation date and time of the source type in ISO format. |
| String | The title of the source type. |
Action: List Threat Actors
This action retrieves a list of threat actors.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of Business Units in CFTR application according to the filters applied. |
| List of Objects | Details of the Business Unit. Each object provides details of one Business Unit. |
| String | Title of the threat actor. |
| String | Unique ID of the threat actor. |
| String | Readable ID of the threat actor. |
| Text | Description of the threat actor. |
| String | Creation time of the threat actor in ISO format. |
| String | Last Updated time of the threat actor in ISO format. |
| String | Current status of the threat actor. Allowed values:
|
| String | Risk associated with the threat actor. Allowed Values: - - - - - |
| String | Priority of the threat actor. Allowed values: - - - - - |
| Object | Details of user who created the threat actor. |
| String |
|
| Object | Details of user who closed the threat actor. |
| String | Closing date of the threat actor in ISO format. |
| Boolean | Shows whether the threat actor is bookmarked or not. |
Action: List Threat Briefings
This action retrieves a list of threat briefings.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10, "status": "ACTIVE" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | The total number of Threat Briefings returned as per the entered query parameters. |
| List of Objects | Details of the Threat Briefings. Each object provides the details of one Threat Briefing. |
| String | Unique ID of the Threat Briefing. |
| String | Readable ID of the Threat Briefing. |
| String | Title of the Threat Briefing. |
| Text | Description of the threat briefing. |
| String | Current status of the Threat Briefing. Allowed values: - ACTIVE - INACTIVE |
| String | Created date and time of the Threat Briefing. |
| String | Last updated date and time of the Threat Briefing. |
| String | Title of the Threat Briefing. |
| Boolean | Shows whether the Threat Briefing is bookmarked or not. |
| List | List of |
| List of Objects | Details of the attached labels. |
| List of Objects | Details of the locations linked to the Threat Briefing. |
| List of Objects | Details of the business units linked to the Threat Briefing. |
| String | Unique ID of the user who created the Threat Briefing. |
| Object | Details of the user who created the Threat Briefing. |
Action: List Threat Intel (IOCs)
This action retrieves a list of threat intel (IOCs).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "type": "ioc_domain", "tlp": "RED", "status": "cleaned", "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of Threat Intels in CFTR application. |
| List | Details of the Threat Intels. Each object provides details of one Threat Intel. |
| String | Value of the Threat Intel. |
| String | Unique ID of the Threat Intel in UUID-4 format. |
| String | Creation date and time of the Threat Intel. |
| String | Last updated date and time of the Threat Intel. |
| String | TLP associated with the Threat Intel. Allowed values:
|
| List of Objects | Details of Incidents associated with the Threat Intel. Details include: |
| String | Current status of the Threat Intel. Allowed values:
|
| List of Objects | Details of labels added to the Threat Intel. Details include |
| List of Objects | Details of the Malware associated with the Threat Intel. Details include: |
| List of Objects | Details of Threat Actors associated with the Threat Intel. |
| List of Objects | Details of Vulnerabilities associated with the Threat Intel. Details include: |
| Integer | Number of Actions added to the Threat Intel. |
| Integer | Number of comments added to the Threat Intel. |
| String |
|
| Object | Details of the Indicator type. |
Action: List User Groups
This action retrieves a list of user groups from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of User Groups in CFTR application as per the query parameters. |
| List of Objects | Details of the User Groups. Each object provides details of one User Group. |
| String | Unique ID of the User Group in UUID-4 format. |
| String | Name of the User Group. |
| Text | Description of the User Group. |
| List of Objects | List of permission objects of the usser group. Each object includes the details of one permission. |
| Object | Unique ID of the user who created the user group. |
| Positive Integer | Number of users assigned to the user group. |
| Positive Integer | Count of the number of |
| Boolean | Shows whether the user group is currently active or not. |
| Boolean | Shows whether the user group is editable or not. |
| Integer | Creation date and time of the user group in EPOCH time format. |
| List of Strings | List of unique IDs of the users assigned to the user group in UUID-4 format. |
| List of Objects | Details of the users assigned to the user group. Each object includes the details of one user. |
| Float | Analyst cost associated with the users of the user group. The default cost is configured as per the daily rate. |
| List of Strings | List of unique IDs of the Cyware Orchestrate Playbook tags added to the user group in UUID-4 format. |
| List of Objects | Details of the Playbook tags. Each object includes the details of one Playbook tag. |
| Boolean | Shows whether the group is read-only or not. |
| String | SAML groups associated with the user group |
| String | Unique ID of the permission in UUID-4 format. |
| String | Display name of the permission. |
| String | Unique string of the permission. |
| String | Level of grant associated with each permission in CFTR. Allowed values: - - - |
| String | Verbose name given to the permission. |
| String | Unique ID of the Playbook in UUID-4 format. |
| String | Title of the Playbook. |
| Text | Description of the Playbook. |
Action: List Vulnerabilities
This action retrieves a list of vulnerabilities.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value pairs to filter the results. Example: page: 10 | Key Value | Optional | Allowed values:
|
Example Request
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter has two keys:
|
| Integer | Total number of vulnerabilities returned as per the entered query parameters. |
| List of Objects | Details of the vulnerabilities. Each object provides the details of one vulnerability. |
| String | Unique ID of the vulnerability. |
| String | Readable ID of the vulnerability. For example, VUL115. |
| String | Title of the vulnerability. |
| String | Current status of the vulnerability. Allowed values: - - |
| String | Created date of the vulnerability. |
| String | Last updated date of the vulnerability. |
| String | Title of the vulnerability. |
| Boolean | Shows whether the vulnerability is bookmarked or not. |
| List | List of |
| List of Objects | Details of the attached labels. |
| Object | Details of risk associated with the vulnerability. |
| String | Risk level associated with the vulnerability. Allowed Values: - - - - - |
| Object | Details of the risk associated with the vulnerability. |
| Object | Details of the priority of the vulnerability. |
| String | Priority level of the vulnerability. Allowed values: - - - - - |
Action: Merge Incidents
This action merges incidents with a parent incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Parent Incident ID | Enter the unique ID of the parent incident. Example: af043f9f-27d9-4f0d-8f38-9c4788a7e35b | Text | Required | You can retrieve the list of incidents and their IDs using the following action: Get Incidents |
Child Incidents | Enter the unique ID of the child incidents to be merged with the parent incident. Example: af043f9f-27d9-4f0d-8f38-9c4788a7e35f | List | Required | |
Template ID | Enter the template ID of the child incidents to merge with the parent incident. Example: af043f9f-27d9-4f0d-8f38-9c4788a7e35e | Text | Required | You can retrieve the list of templates and their IDs using the following action: Get Templates |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
response | Integer | Status code 200 for a successful merging of incidents. |
Action: Update Action Details
This action updates the details of an action using the ID of the action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action ID | Enter the unique ID of the action. Example: f0900171-be25-490e-bddc-fa8bf29d6453 | Text | Required | You can retrieve the list of actions and their IDs from the application using the following action: Get Actions |
Additional Information | Enter the additional information in the form of key-value pairs. Example: status: open | Key Value | Optional |
|
Readable Type | Select true to enter the readable type values. This allows you to update actions using the values of assigned groups, labels, and the email IDs of assigned users. | Boolean | Optional | Default value: false |
Example Request
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "open" } } ]
Action Response Parameters
Parameters | Type | Description |
---|---|---|
| String | The title of the action. |
| String | Unique ID of the action. |
| String | Created date of the action in EPOCH time format. |
| String | Last modified date of the action in EPOCH time format. |
| String | Description of the action. |
| String |
|
| Object | Details of the assigned user. |
| String |
|
| Object | Details of the assigned user group. Details include: group_comm_id, group_name. |
| String | Status of the action. |
| String | Readable ID of the action. For example, ACT379. |
| Object | Details of the user who created the action. Details include: username, email ,first name, last name, and so on. |
| Boolean | Shows whether the instance can be updated by the user who requested it or not. |
| Boolean | True: Action is bookmarked. False: Action is not bookmarked. |
| Object | Details of the user who closed the action. Details include: username, email ,first name, last name, and so on. |
| String | Closure date of the action in EPOCH time format. |
| String | Resolved date of the action in EPOCH time format. |
| String | Details of assignment SLA details of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion. |
| String | Details of resolution SLA of the action. This parameter has two keys: 1. color: Associated color code (according to SLA breach level). 2. data: It has two keys: - sla_duration: SLA Breach time. - elapsed_time: time elapsed between action opening and SLA completion. |
| String | Resolution due date of the action. |
| String | Date and time at which the SLA stopped for the action. |
| String | Type of the action. |
| String | Priority level of the action |
| Object | Details of the type of the action. |
| Object | Details of the priority level of the action. |
| Boolean | Shows if the action is created using a template or not. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of the connected users. |
| Array of Objects | Details of the connected users. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of connected devices. |
| Array of Objects | Details of the connected devices. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of connected software. |
| Array of Objects | Details of the connected software. |
| Array of UUID-4 Strings | Array of UUID-4 strings containing unique IDs of connected applications. |
| Array of Objects | Details of the connected applications. |
| Array of Objects | Details of the connected threat briefings. |
| Array of Objects | Details of the connected campaigns. |
| Object | Details of the connected incidents. |
| Array of Objects | Details of the connected malware. |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of Objects | Details of the connected threat actors. |
Action: Update Asset Application Details
This action updates the details of an application using the ID of the application and additional fields.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Application ID | Enter the unique ID of the application. Example: a8007b20-bf76-4ce8-a761-45a453512479 | Text | Required | You can retrieve the list of applications and their IDs using the following action: Get Asset Applications |
Additional Information | Enter the details in key-value pairs to be updated in the asset application. Example: status: active | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to update applications using the values of locations, business units, and labels. | Boolean | Optional | Default value: false |
Example Request
[ { "unique_id": "Example Unique ID", { "extra_fields": { "title": "VirusTotal", "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "active" } } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the application. |
| String | Application creation date and time. |
| String | Application last updated date and time. |
| String | Title of the application. |
| Float | Version of the application. |
| String | Title of the application. |
| String | Readable ID of the application. |
| String | Current status of the the application. |
| String | Type of the application. For example, Security. |
| String | Status of the application. For example, Live. |
| String | Production date of the application. |
| String |
|
| Object | Details of user who created the application. |
| List | List of |
| List of Objects | Details of the labels that are added to the application. |
| List of Objects | Details of business units that are impacted by the application |
| List of Objects | Details of locations that are impacted by the application. |
| URL | URL of the application. |
| Object | Details of the owner of the application. |
| String | UUID of the application owner. |
| Object | Details of the manager of the application. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
Action: Update Asset Software Details
This action modifies the details of an asset software.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset Software ID | Enter the unique ID of the asset software. Example: b251f6a2-a5b8-41d6-aaf6-8f59ad72d6e3 | Text | Required | You can retrieve the list of assets and their IDs using the following action: Get Asset Software List |
Additional Information | Enter the details in key-value pairs to be updated in the asset software. Example: status: open | Key Value | Optional |
Example Request
[ { "unique_id": "b251f6a2-a5b8-41d6-aaf6-8f59ad72d6e3", { "extra_fields": { "title": "Desktop Computer", "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "software_status": "active" } } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the software. |
| String | Software creation date and time. |
| String | Software last updated date and time. |
| String | Name of the software. |
| String | ID of the software. |
| List | Type of the software. For example, Development Software. |
| String | Name of software. |
| String | Readable ID of software. For example, SFT115. |
| String | Current status of the software. |
| String | Purchase date of the software. |
| String |
|
| Object | Details of user who added the software. |
| List | List of |
| List of Objects | Details of the labels that are added to the software. |
| List of Objects | Details of business units that are impacted by the software |
| List of Objects | Details of locations that are impacted by the software. |
| Object | Details of the software type. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities . |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malwares . |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
Action: Update Asset User Details
This action updates the details of an asset user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset User ID | Enter the unique ID of the asset user. Example: b3184a17-e59f-46cb-82c3-d8aabbefff7e | Text | Required | You can retrieve the list of asset users and their IDs using the following action: Get Asset Users |
Additional Information | Enter the details in key-value pairs to update the asset user. Example: location: New York | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to create assets using the values of labels, and business units. | Boolean | Optional | Default value: false |
Example Request
[ { "unique_id": "b3184a17-e59f-46cb-82c3-d8aabbefff7e", { "extra_fields": { "full_name": "John Doe" } } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the user. |
| String | User creation date and time. |
| String | User last updated date and time. |
| String | Name of the user. |
| String | Email ID of the user. |
| String | Name of the user. |
| String | Readable ID of the user. |
| String | Current Status of the user. |
| String | Hiring date of the user. |
| String |
|
| Object | Details of the CFTR user who created the asset user. |
| List | List of |
| List of Objects | Details of the labels that are added to the user. |
| List of Objects | Details of business units of the user. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the applications owned by the user. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the managed applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the managed devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the managed devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
Action: Update Campaign Details
This action updates the details of a campaign.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Campaign ID | Enter the unique ID of the campaign. Example: k53ff8942-612d-4bc1-b54f-d8195c002404. | Text | Required | You can retrieve the list of campaigns and their IDs using the following action: Get Campaigns |
Readable Type | Select true to enter the readable type values. This allows you to update campaigns using the values of labels. | Boolean | Optional | Default: false |
Additional Information | Enter the additional details of the campaign in the form of key-value pairs. Example: description: new campaign found | Key Value | Optional |
Example Request
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
unique_id | String | Unique ID of the campaign in UUID-4 format. |
readable_id | String | Unique readable ID of the campaign. It starts with Example: CMP101 |
created | String | Campaign creation date and time. |
description | Text | Description of the campaign. |
modified | String | Last updated date and time of the campaign. |
title | String | Title of the campaign. |
title_display | String | Title of the campaign. |
status | String | Current status of the campaign. Allowed values:
|
is_bookmarked | Boolean | Shows if the campaign is bookmarked or not. |
created_by_data | Object | Details of the user who created the campaign. Details include:
|
labels | List of Strings | Unique ID of the labels associated with the campaign in UUID-4 format. |
labels_data | List of Objects | Details of labels added to the campaign. Details include:
|
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array UID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of Objects | Details of the actions that are added to the campaign. |
| Array of Objects | Details of the PIRs that are added to the campaign. |
| Array of Objects | Details of the enhancements that are added to the campaign. |
Action: Update Custom Module Entry
This action updates a custom module entry.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the component identifier of the module. Example: module21 | Text | Required | You can retrieve the list of custom modules and their component identifier using the following action: List Custom Modules |
Instance Unique ID | Enter the unique ID of the entry. Example: 822c2781-8ea0-4122-8176-8995a4c81dca | Text | Required | You can retrieve the list of custom module entries and their IDs using the following action: List Custom Module Entries |
Payload | Enter the additional information to be added in the custom module entry in key-value pairs. Use the field_readable_key of the custom fields as keys. | Key Value | Required |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the entry. |
| String | Unique ID of the entry. |
| String | Current status of the entry. |
| Text | Description of the entry. |
| String |
|
| String |
|
| Object | Details of the user who created the entry. |
| Object | Details of the user who last modified the entry. |
| String | Creation date and time of the entry. |
| String | Last updated date and time of the entry. |
| Boolean | Shows if the entry is bookmarked or not. |
| Boolean | Shows whether the entry can be updated by the user who requested it or not. |
| Array | List of the labels that are added to the entry. |
| Array of Objects | Details of the labels that are added to the entry. |
| Boolean | Displays if the entry is in deleted state or not. |
| Array of Objects | Displays the details of the status of the entry. |
| Array of Objects | Details of each attachment of the entry. |
Action: Update Device Details
This action updates the details of a device using the ID of the device.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the unique ID of the device. Example: h53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | |
Additional Information | Enter the details in key-value pairs to be updated in the device. Example: hostname: updated security device | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to update devices using the values of locations, business units, manufacturers, labels, and operation system types. | Boolean | Optional | Default: false |
Example Request
[ { "unique_id": "h53ff8942-612d-4bc1-b54f-d8195c002404", { "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "hostname": "EC2AMAZ-8V2J535", "endpoint_status": "clean" } } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the device. |
| String | Device creation time in EPOCH time format. |
| String | Device Last Updated Time in EPOCH time format. |
| String | Serial number of the device. |
| String | Hostname of the device. |
| String | Readable ID of the device. For example, DVC116. |
| String | Current status of the device. |
| String | Owner of the device. |
| String | Physical location of the device. |
| String | Hostname of the device |
| Float | IP address of the device. |
| String |
|
| Object | Details of user who created the device. Details include:
|
| String | Status of the device. |
| List | List of |
| List of Objects | Details of the labels that are added to the device. |
| List of Objects | Details of business units that are impacted by the device. |
| List of Objects | Details of locations that are impacted by the device. |
| String | Risk level of the device. |
| Object | Details of the risk of the device. |
| String | Priority of the device. |
| String | Type of the endpoint. For example, Desktop. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Object | Details of the owner of device. |
| Object | Details of the manager of device. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of Objects | Details of the actions that are added to the device. |
Action: Update Enhancement Details
This action updates the details of an enhancement using the ID of the enhancement.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Enhancement ID | Enter the unique ID of the enhancement. Example: h53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of enhancements using the following action: Get Enhancements |
Additional Information | Enter the enhancement details in the form of key-value pairs. Example: description: this is an important enhancement | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to create enhancements using the values of assigned groups, labels, and the email IDs of assigned users. | Boolean | Optional | Default value: false |
Example Request
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "closed" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
unique_id | String | Unique ID of the enhancement in UUID-4 format. |
readable_id | String | Unique readable ID of the enhancement. It starts with Example: ENH101 |
created | Datetime | Enhancement creation date and time. |
description | Text | Description of the enhancement. |
modified | Datetime | Last updated date and time of the enhancement. |
title | Text | Title of the enhancement. |
status | String | Current status of the enhancement. Allowed values: - - |
priority | String | Priority level of the enhancement. |
priority_data | Object | Details of the priority assigned. Details include:
|
priority_data.unique_id | String | Unique ID of the priority in UUID-4 format. |
priority_data.option_name | String | Display Name of the priority |
priority_data.color_code | String | Hex value of the priority display color. |
is_bookmarked | Boolean | Shows if the enhancement is bookmarked or not. |
modified_by_data | Object | Details of the user who last updated the enhancement. Details include:
|
assigned_group | String | Unique ID of the user group the enhancement belongs to in UUID-4 format. |
assigned_group_data | Object | Details of the assigned user group. Details include group name and group ID. |
created_by_data | Object | Details of the user who created the enhancement. Details include:
|
assigned_to | String | Unique ID of the assigned user of the enhancement in UUID-4 format. |
assigned_to_data | Object | Details of the assigned user. Details include:
|
labels | List of Strings | List of Unique IDs of the labels attached to the enhancement in UUID-4 format. |
labels_data | List of Objects | Details of labels added to the enhancement. Details include:
|
labels_data.unique_id | String | Unique ID of the label in UUID-4 format. |
labels_data.option_name | String | Display name of the label |
labels_data.color_code | String | Hex value of the label display color. |
enhancement_type | List of Strings | Option name of the enhancement types associated with the enhancement. |
enhancement_type_data | List of Objects | Details of the enhancement types associated with the enhancement. |
enhancement_type_data.unique_id | String | Unique ID of the enhancement in UUID-4 format. |
enhancement_type_data.option_name | String | Display Name of the enhancement type |
enhancement_type_data.color_code | String | Hex value of the enhancement type display color. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
attachments_data | Array of Objects | Details of each attachment of the enhancement. |
Action: Update Incident Details
This action updates the details of an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the unique ID of an incident. Example: p53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Required | You can retrieve the list of incidents and their IDs using the following action: Get Incidents |
Incident Status | Enter the status of the incident. Example: merged | Text | Optional | Allowed values:
|
Incident Phase | Enter the phase of the incident. Example: recovery | Text | Optional | Allowed values:
|
Readable Type | Select true to enter the readable type values. This allows you to update incidents using the values of locations, business units, sources, assigned groups, and the email IDs of assigned users. | Boolean | Optional | Default value: false |
Additional Information | Enter other incident details in the form of key-value pairs to update. Example: labels: Important | Key Value | Optional |
Example Request
[ { "phase": "Detection Analysis", "title": "Sample Title", "status": "open", "unique_id": "a341fbb0-6046-4fb3-8b2c-29652af3584e", "description": "This is a sample description.", "extra_fields": {}, "handoff_note": { "description": "updating assignee", "comment_type": "handoff" }, "readable_type": false, "assigned_group": "cde925f0-a6a4-464d-b6a1-9727178d10ee", "locations_impacted": [ "e02447d4-9b47-44de-ae4f-d810dfe72770", "fc6c98ae-6995-4cc3-80b8-21ebdec648d9" ], "business_units_impacted": "c24ab8cd-df74-4192-bd16-b135353486dd" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Returns the response retrieved from the app action. |
| JSON Object | Details of the user who last modified the incident. |
| String | Last updated date and time of the incident. |
| Integer | Update index of the incident. |
| Integer | HTTP status code of the API request received from the instance. |
Action: Update Malware Details
This action updates the details of a malware record using the malware ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware ID | Enter the unique ID of the malware. Example: h53ff8942-612d-4bc1-b54f-d8195c002404. | Text | Required | You can retrieve the list of malware and their IDs using the following action: List Malware |
Additional Information | Enter the additional information in the form of key-value pairs. Example: description: new malware found | Key Value | Optional |
Example Request
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "active" } } ]
Action Response Parameters
Parameters | Type | Description |
---|---|---|
| Object | Type of the malware. |
| Object | Unique IDs of the email IOC type. |
| Object | List of affected platforms. |
| Object | Unique IDs of the IP IOC type. |
| Object | Unique IDs of the MD5 Hash IOC type. |
| Object | File types of the malware. For example, dll, exe, docx, zip. |
| Object | Unique IDs of the domain IOC type. |
| Object | Unique IDs of the SHA1 IOC type. |
| Object | Unique IDs of the SHA256 IOC type. |
| Object | Unique IDs of the URL IOC type. |
| String | Unique ID of the malware. |
| String | Readable ID of the malware. |
| String | Created date of the malware in EPOCH time format. |
| String | Last modified date of the malware in EPOCH time format. |
| String | Title of the malware. |
| String | Description of the malware. |
| Object | Unique ID of the linked incidents. |
| String | Status of the malware. |
| Object | Unique ID of the linked threat briefings. |
| Object | Details of the linked threat briefings. |
| Object | Details of the linked incidents. |
| Boolean | Shows if the malware is bookmarked or not. |
| Object | Details of the linked actions. |
| Object | Unique ID of the linked campaigns. |
| Object | Details of the linked campaigns. |
| Object | Unique ID of the linked vulnerabilities. |
| Object | Details of the linked vulnerabilities. |
| Object | Unique ID of the linked threat actors. |
| Object | Details of the linked threat actors. |
| Object | Details of the linked PIRs. |
| Object | Details of the attachments. |
| Object | Details of the user who created the malware. Details include: username, email, first name, last name, and so on. |
| Object | Unique ID of the linked labels. |
| Object | Details of the linked labels. |
| Object | Details of the linked tactic technique pairs. |
| String | Date on which malware is seen for the first time. |
| Object | Last modified date of the malware. |
| Object | Unique ID of the linked applications. |
| Object | Details of the linked applications. |
| Object | Unique ID of the linked software. |
| Object | Details of the Linked Asset Softwares. |
| Object | Unique ID of the linked devices. |
| Object | Details of the linked devices. |
| Object | Unique ID of the linked enhancements. |
| Object | Details of the linked enhancements. |
| Object | Details of the malware type. |
| Object | Details of the malware file type. |
| Object | Details of the affected platforms. |
Action: Update PIR Details
This action updates a PIR (Priority Intel Requirement) record using the ID of the PIR.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
PIR (Priority Intel Requirement) ID | Enter the unique ID of the PIR. Example: 06863326-10f4-472a-9d8e-f45f4cd2dbcd | Text | Required | You can retrieve the list of PIRs and their IDs using the following action: Get PIRs |
Additional Information | Enter the details in the form of key-value pairs. Example: status: open | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to update a PIR using the values of assigned groups, labels, and the email IDs of assigned users. | Boolean | Optional | Default: false |
Example Request
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the PIR. |
| String | Unique ID of the PIR in UUID-4 format. |
| String | Readable ID of the PIR. |
| Text | Description of the PIR. |
| String | Creation date and time of the PIR in ISO format. |
| String | Last updated date and time of the PIR in ISO format. |
| String | Current status of the PIR. Allowed values:
|
| Object | Details of user who created the PIR. |
| String |
|
| Object | Details of user who closed the PIR. |
| String | Closing date and time of the PIR in ISO format. |
| Boolean | Shows whether the PIR is bookmarked or not. |
| List of String | List of |
| List of Objects | Details of the attached labels. |
| String | Priority level of the PIR. Allowed values: - - - - - |
| Object | Details of the priority of the PIR. |
| List of Stings | List of Unique IDs of the assigned users in UUID-4 format. |
| List of Objects | Details on the list of assigned users of the PIR. Details include:
|
| String | Unique ID of the assigned user group in UUID-4 format. |
| Object | Details of the assigned user group. Details include:
|
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
Action: Update Threat Actor Details
This action updates the details of a threat actor.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Actor ID | Enter the unique ID of the threat actor. Example: 497b2aa0-11f3-44f0-9d21-2a67453d8c94 | Text | Required | You can retrieve the list of threat actors using the following action: Get Threat Actors |
Additional Information | Enter the additional information in the form of key-value pairs. Example: description: A new threat actor found | Key Value | Optional |
Example Request
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "type": "Hacktivist" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the threat actor. |
| String | Unique ID of the threat actor. |
| String | Readable ID of the threat actor. |
| Text | Description of the threat actor. |
| String | Creation time of the threat actor in ISO format. |
| String | Last Updated time of the threat actor in ISO format. |
| String | Current status of the threat actor. Allowed values:
|
| String | Risk associated with the threat actor. Allowed Values: - - - - - |
| String | Priority of the threat actor. Allowed values: - - - - - |
| Object | Details of user who created the threat actor. |
| String |
|
| Object | Details of user who closed the threat actor. |
| String | Closing date of the threat actor in ISO format. |
| Boolean | Shows whether the threat actor is bookmarked or not. |
| Array of Objects | Details of each attachment of the threat actor. |
| Array of Objects | Details of the actions that are added for the threat actor. |
| Array of UUID Strings | List of the enhancements that are added for the threat actor. |
| Array of Objects | Details of the enhancements that are added for the threat actor. |
| Array of Objects | Details of the PIRs that are added for the threat actor. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA1 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected MD5 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA256 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected IP Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected URL Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected domain Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected email Threat Intels. |
Action: Update Threat Briefing Details
This action updates the details of a threat briefing.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Briefing ID | Enter the unique ID of the threat briefing. Example: w53ff8942-612d-4bc1-b54f-d8195c002404. | Text | Required | You can retrieve the list of threat briefings and their IDs using the following action: Get Threat Briefings |
Additional Information | Enter additional information in the threat briefing in the form of key-value pairs. Example: labels: important | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to update threat briefings using the values of locations, business units, and labels. | Boolean | Optional | Default value: false |
Example Request
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "Active" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Unique ID of the Threat Briefing. |
| String | Readable ID of the Threat Briefing. |
| String | Title of the Threat Briefing. |
| Text | Description of the threat briefing. |
| String | Current status of the Threat Briefing. Allowed values: - ACTIVE - INACTIVE |
| String | Created date and time of the Threat Briefing. |
| String | Last updated date and time of the Threat Briefing. |
| String | Title of the Threat Briefing. |
| Boolean | Shows whether the Threat Briefing is bookmarked or not. |
| List | List of |
| List of Objects | Details of the attached labels. |
| List of Objects | Details of the locations linked to the Threat Briefing. |
| List of Objects | Details of the business units linked to the Threat Briefing. |
| String | Unique ID of the user who created the Threat Briefing. |
| Object | Details of the user who created the Threat Briefing. |
| Array of Objects | Details of each attachment of the Threat Briefing. |
| Array of Objects | Details of the actions that are added for the Threat Briefing. |
| Array of UUID Strings | List of the enhancements that are added for the Threat Briefing. |
| Array of Objects | Details of the enhancements that are added for the Threat Briefing. |
| Array of Objects | Details of the PIRs that are added for the Threat Briefing. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected vulnerabilities. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
Action: Update Threat Intel (IOC)
This action updates threat intel (IOC) using the threat intel ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Intel (IOC) ID | Enter the unique ID of the threat intel (IOC) Example: f0900171-be25-490e-bddc-fa8bf29d6453 | Text | Required | You can retrieve the list of threat intel using the following action: Get List of Threat Intel (IOC) |
Additional Information | Enter the additional information to be updated in key-value pairs. Example: status: cleaned | Key Value | Optional |
Example Request
[ { "tlp": "WHITE", "value": "5075f76fb61ce1a56d9b7758f97c7903796933b0b0737a274bf8d347b5fa4473", "status": "none", "created": "2021-07-30T07:35:58.756888Z", "ioc_type": "371b43d3-e28d-42f8-80c3-f32039d38954", "modified": "2021-07-30T07:35:58.756888Z", "unique_id": "b7392170-ea74-467c-9665-0103020cd926" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Value of the Threat Intel. |
| String | Unique ID of the Threat Intel in UUID-4 format. |
| String | Creation date and time of the Threat Intel. |
| String | Last Updated date and time of the Threat Intel. |
| List of Objects | Details of the location of threat intel. |
| String | TLP associated with the threat intel. Allowed values:
|
| List of Objects | Details of Incidents associated with the Threat Intel. Details include: |
| String |
|
| String | Current status of the Threat Intel. Allowed values:
|
| List | List of |
| List of Objects | Details of labels added to the Threat Intel. Details include |
| List of Objects | Details of Malware associated with the Threat Intel. Details include: |
| List of Objects | Details of Threat Actors associated with the Threat Intel. |
| List of Objects | Details of Vulnerabilities associated with the Threat Intel. Details include: |
| Integer | Number of Actions added to the Threat Intel. |
| Integer | Number of comments added to the Threat Intel. |
| String |
|
| Object | Details of the Indicator Type. |
Action: Update Vulnerability Details
This action updates the details of a vulnerability.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Vulnerability ID | Enter the unique ID of the vulnerability. Example: e53ff8972-618d-4bc1-b54f-d8195c002404. | Text | Required | You can retrieve the list of vulnerabilities and their IDs using the following action: Get Vulnerabilties |
Additional information | Enter the details to be updated in key-value pairs. Example: status: closed | Key Value | Optional |
Example Request
[ { "risk": "Very Low", "title": "Critical VUL1243", "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "cvss_score":8 } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| String | Title of the vulnerability. |
| String | Unique ID of the vulnerability. |
| String | Readable ID of the vulnerability. |
| Text | Description of the vulnerability. |
| String | Creation time of the vulnerability in ISO format. |
| String | Last Updated time of the vulnerability in ISO format. |
| String | Current status of the vulnerability. Allowed values:
|
| String | Risk associated with the vulnerability. Allowed Values: - - - - - |
| String | Priority of the vulnerability. Allowed values: - - - - - |
| Object | Details of user who created the vulnerability. |
| String |
|
| Object | Details of user who closed the vulnerability. |
| String | Closing date of the vulnerability in ISO format. |
| Boolean | Shows whether the vulnerability is bookmarked or not. |
| Array of Objects | Details of each attachment of the vulnerability. |
| Array of Objects | Details of the actions that are added for the vulnerability. |
| Array of UUID Strings | List of the enhancements that are added for the vulnerability. |
| Array of Objects | Details of the enhancements that are added for the vulnerability. |
| Array of Objects | Details of the PIRs that are added for the vulnerability. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected incidents. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA1 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected MD5 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected SHA256 Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected IP Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected URL Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected domain Threat Intels. |
| Array of UUID Strings | List of |
| Array of Objects | Details of the connected email Threat Intels. |
Action: Upload Attachment
This action uploads an attachment to a component
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Identifier | Enter the object identifier of the component to which you want to add an attachment. Example: incident, action | Text | Required | Allowed values:
|
Object Unique ID | Enter the unique ID of the object. Example: df0ce907-baca-4d21-96ae-15e63f527191 | Text | Required | |
File Path | Enter the file path. Example: /Users/JohnDoe/Documents/security-details.txt | Text | Required | |
File Type | Enter the file type. Example: evidence | Text | Optional | Allowed values:
Default value: artifact |
Example Request
{ "object_unique_id": "df0xxxx7-baca-4d21-96ae-15xxx7191", "object_identifier": "incident", "file_path": "/tmp/d70dd6a1-71f3-412a-9f1d-6c5d74b544fc/local_file.txt" }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
title | Text | Name of the file. |
uploaded_file | URL | URL of the file from where it can be downloaded. |
unique_id | String | Unique ID for the file. |
created_by_data | Object | Details of the user who uploaded the file. |
created | Datetime | File upload time. |
modified | Datetime | File modified time. |
readable_id | String | Unique readable ID of the file. |
file_hash | String | Hash of the file. |
file_type | String | Type of the file. I Allowed values:
|
file_size | Integer | Size of the file. |
parent_readable_id | String |
|
parent_component | String | Component name in which file is uploaded. Example: |
parent_unique_id | String |
|
Action: Generic Action
This is a generic action to perform any additional use case in the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint | Enter the endpoint to make the API request. Example: /cftrapi/openapi/v1/comments/ | Text | Required | |
HTTP Method | Enter the HTTP method to make the API request. Example: GET, POST | Text | Required | |
Query Params | Enter query parameters to filter the results. | Key value | Optional | |
Payload JSON | Enter the JSON payload to pass to the API. Example: $JSON[{'data': {'type': type,'id': id}}] | Any | Optional | |
Payload Data | Enter the payload to pass to the API. | Any | Optional |