Respond (CFTR)
The Respond (CFTR) Connector App allows security teams to integrate with the Cyber Fusion and Threat Response (CFTR) application, a threat response automation platform. The Connector App enables analysts to perform actions related to Incident Response and Management, Threat Actor Management, Vulnerability Management, Malware Management, Triage Management, and more that help you automate threat response.
Supported Actions and Example Prompts
The following table lists the supported actions and prompt examples for an action:
Action Name | Description | Prompt Examples |
---|---|---|
Create Incident | This action creates an incident. For more information, see Action: Create Incident. | Create an incident with the title Phishing Email Found in Respond. |
Get Incident Summary | This action retrieves the executive summary of the incident using its ID. For more information, see Action: Get Incident Summary. | Get the summary of the incident INC103 using Respond. |
List Incidents | This action retrieves a list of incidents from Respond. For more information, see Action: List Incidents. | List all incidents from Respond |
Update Incident Details | This action updates the details of an incident. For more information, see Action: Update Incident Details. | Update the status to Open of the incident INC103 using Respond. |
Install and Configure the App
Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.
Before you Start
Ensure that you have the API token to authenticate with the Respond (CFTR) app.
Steps:
To install and configure an app, follow these steps:
In the application, go to the left pane and select Quarterback AI.
In Apps, select Respond (CFTR) and click Install.
After the app is installed, click Configure and enter the following details to create an instance:
Instance Name: Enter a name for the instance.
Instance Description: Enter a description for the instance.
Expiry: Select an expiry date for the instance.
Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.
Base URL: Enter the base URL to access the Respond application.
Access ID: Enter the access ID to access the Respond application.
Secret Key: Enter the secret key to access the Respond application.
TLS verification: Select this option to verify the server's TLS (SSL) certificate while making requests. It is recommended to select this option to ensure a secure connection. By default, this option is not selected.
Timeout: Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Respond. You can enter values between 15 and 120 seconds. By default, 15 seconds is set.
Click Done.
The instance is created, and you can view it in Instances. To create another instance, click Add Instance.
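The following added example (not part of the product or its documentation) audits an instance configuration against the settings described above, in particular the TLS verification option that is off by default. The dictionary keys, the sample values and the https check on the base URL are assumptions; the page does not show how an instance is stored or exported.

```python
from datetime import date
from urllib.parse import urlparse


# Hypothetical key names standing in for the form fields listed above.
def audit_instance(cfg, today):
    """Return (field, message) findings for one instance configuration."""
    findings = []

    # The page states that TLS verification is not selected by default.
    if cfg.get("tls_verification", False) is not True:
        findings.append((
            "tls_verification",
            "certificate verification is off; the Access ID and Secret Key are "
            "sent to a peer whose identity is not checked",
        ))

    # Documented range is 15 to 120 seconds, default 15.
    timeout = cfg.get("timeout", 15)
    if isinstance(timeout, bool) or not isinstance(timeout, int) \
            or not 15 <= timeout <= 120:
        findings.append(("timeout", f"{timeout!r} is outside the 15-120 s range"))

    # Assumption (not stated on the page): the base URL should use https.
    url = urlparse(cfg.get("base_url", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append(("base_url", "expected an https:// URL with a host"))

    for key in ("access_id", "secret_key"):
        if not cfg.get(key):
            findings.append((key, "credential is empty"))

    # Expiry is represented as an ISO date string in this sketch.
    expiry = cfg.get("expiry")
    if expiry and date.fromisoformat(expiry) < today:
        findings.append(("expiry", f"instance expired on {expiry}"))

    return findings


# Constructed sample data: an instance left at its defaults, and a reviewed one.
AS_INSTALLED = {
    "instance_name": "respond-default",
    "base_url": "http://respond.example.internal",
    "access_id": "EXAMPLE-ACCESS-ID",
    "secret_key": "EXAMPLE-SECRET-KEY",
    "timeout": 15,
    "expiry": "2024-01-31",
}
REVIEWED = {
    "instance_name": "respond-prod",
    "base_url": "https://respond.example.internal",
    "access_id": "EXAMPLE-ACCESS-ID",
    "secret_key": "EXAMPLE-SECRET-KEY",
    "tls_verification": True,
    "timeout": 30,
    "expiry": "2026-01-31",
}

if __name__ == "__main__":
    for cfg in (AS_INSTALLED, REVIEWED):
        print(cfg["instance_name"])
        for field, message in audit_instance(cfg, date(2025, 1, 1)):
            print(f"  {field}: {message}")
```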
Action: Create Incident
This action creates an incident in the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter a title for the incident. Example: Found a Phishing Email | Text | Required | |
Description | Enter a description of the incident. Example: Incident detected | Text | Optional | |
Status | Enter the status of the incident. Example: untriaged | Text | Optional | Allowed values:
Default value: untriaged |
Incident Type | Enter the type of the incident. Example:
| Text | Optional | |
Business Unit Impacted | Enter the unique IDs of the impacted business units. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b] | List | Optional | |
Locations Impacted | Enter the unique IDs of the impacted locations. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b] | List | Optional | |
Source | Enter the unique IDs of the impacted sources. Example: 7c81cbda-11d8-4026-ae2f-287eaa643a9b | Text | Optional | |
Incident Date | Enter the date when the incident occurred in ISO 8601 time format. Example: 2021-10-28t19:37:16.321856z | Text | Optional | |
Detection Date | Enter the date when the incident was detected as malicious in ISO 8601 time format. Example: 2021-10-28t19:37:16.321856z | Text | Optional | |
Level | Enter the severity level of the incident. Example
| Text | Optional | |
Assigned Group | Enter the group_comm_id of the group that needs to be assigned to the incident. Example: 4e046ee1-5bc9-4320-965f-3bf24dbb9256 | Text | Optional | |
Extra Fields | Enter the key-value pairs of additional information to add to this incident. | Key Value | Optional | |
Readable Type | Select true to enter the readable type values. This allows you to create incidents using the values of locations, business units, sources, assigned groups, labels, and the email IDs of assigned users. | Boolean | Optional | Default value: false |
Example Request
[ { "title": "New Incident", "description": "Incident Detected", "status": "Open", "ie_incident_type": "Malware", "business_unit_impacted": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"], "locations_impacted": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"], "source": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"], "incident_date": "2021-10-28T19:37:16.321856Z", "detection_date": "2021-10-28T19:37:16.321856Z", "level": "Critical", "assigned_group": "AssignmentID_12" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Returns the response retrieved from the app action. |
| String | Title of the incident. |
| String | Unique Identifier String of UUID-4 format of the incident. |
| String | Readable ID of the incident. For example, INC320. |
| String | Date and time of when the incident happened. |
| String | Date and time when the incident was detected as malicious. |
| String | Status of the incident workflow. Possible values:
|
| String | Current phase of the incident. The phase describes the UUID of the phase, part of the Incident Workflow. |
| Boolean | Displays if the incident is machine-generated or not. |
| JSON Object | Details of the current phase of the incident. |
| String | Severity level of the incident. For example, high. |
| JSON Object | Details of the severity level of the incident. |
| String |
|
| Boolean | Shows if the incident is protected or not. |
| Boolean | Shows if the incident is in the deleted state or not. |
| JSON Object | Details of the user who created the incident. |
| JSON Object | Details of the user who last modified the incident. |
| JSON Object | Details of the user who closed the incident. |
| String | Incident creation date and time. |
| String | Last updated date and time of the incident. |
| Timestamp | Date and time when the incident was opened. |
| Timestamp | Date and time when the incident was closed. If the incident is not closed, the value of this parameter is null. |
| Integer | Number of PIRs that were exposed in the incident. |
| String | Description of the Incident. |
| String |
|
| Object | Details of the assigned user. |
| String |
|
| Object | Details of the assigned user group. |
| String | Assignment SLA details of the incident. This includes the following two keys:
|
| Strings | The type of incident. Example: hacking. |
| Integer | Number of days the incident is open. |
| String | Resolution SLA details of the incident. This includes two keys:
|
| String | Details of the Incident notifications (if enabled in admin). |
| Integer | Total cost incurred due to the incident. |
| Boolean | Shows if the incident is bookmarked or not. |
| Boolean | Shows if the incident is permanently closed or not. |
| String | Resolution SLA breach date of the incident. |
| Boolean | Shows whether the instance can be updated by the user who requested it or not. |
| Boolean | Shows if the incident is paused or not. |
| String |
|
| JSON Object | Details of the user who paused the incident. |
| String | Unique ID of the Incident Workflow that is being used by the incident. |
| String | Type of the incident Workflow. Allowed values: 'draft' or 'published' |
| JSON Object | Details of the Incident Workflow that is being used by the incident. |
| Array | List of the sources for the incident. |
| Array of JSON Objects | Details of the sources for the incident. |
| Array | List of the labels that are added to the incident. |
| Array of JSON Objects | Details of the labels that are added to the incident. |
| Array | List of the tactics and techniques used by the incident. |
| Array of JSON Objects | Details of the tactics and techniques used by the incident. |
| Array of JSON Objects | List of business units that are impacted by the incident. |
| Array of JSON Objects | List of locations that are impacted by the incident. |
| String | Current state of the incident. Possible values:
|
| JSON Object | Details of the status of the incident. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected applications. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected software. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected users. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected devices. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected threat briefings. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected campaigns. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected malware. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected threat actors. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected vulnerabilities. |
| Array of UUID Strings | List of |
| Array of JSON Objects | Details of the connected enhancements. |
| Array of JSON Objects | Details of the actions that are added to the incident. |
| Array of JSON Objects | Details of the attachments uploaded to the incident. |
| Integer | HTTP status code of the API request received from the instance. |
Action: Get Incident Summary
This action retrieves the executive summary of the incident using the incident ID.
App Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID to retrieve the summary. Example: INC103 | Text | Required |
Example Request
[ { "incident_id": "INC103" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance | Object | Returns the root object containing the response and status code. |
app_instance.response | Object | Displays the response data of the query. |
app_instance.status_code | Integer | Returns the HTTP status code of the response. |
app_instance.response.actions_data | Array | Returns an array of action objects. |
app_instance.response.actions_data.readable_id | String | Returns the Readable ID of the action. |
app_instance.response.actions_data.title | String | Returns the title of the action in the incident. |
app_instance.response.actions_data.title_display | String | Displays the title of the action linked to the incident. |
app_instance.response.applicable_compliance | Array | Returns the list of applicable compliance standards to the incident. |
app_instance.response.applicable_compliance_data | Array | Returns an array of compliance option objects. |
app_instance.response.applicable_compliance_data[].option_name | String | Returns the name of the compliance option. |
app_instance.response.applications_data | Array | Returns an array of application objects. |
app_instance.response.attack_vector | Null | Returns attack vector linked to the incident. |
app_instance.response.attack_vector_data | Null | Returns the details of the Attack vector linked to the incident. |
app_instance.response.base_line_changes | Null | Returns the baseline changes. |
app_instance.response.briefings_data | Array | Returns an array of briefing objects. |
app_instance.response.business_impact | Array | Returns an array of business units impacted by the incident. |
app_instance.response.business_impact_data | Array | Returns an array of business units impacted option objects. |
app_instance.response.business_impact_data.option_name | String | Returns the name of the business units impact option. |
app_instance.response.campaigns_data | String | Returns an array of campaign objects. |
app_instance.response.closure_comments | String | Returns closure comments in the incident. |
app_instance.response.containment_hash | String | Returns the value for containment hash |
app_instance.response.containment_host | String | Returns Containment host |
app_instance.response.containment_ip | String | Returns Containment IP |
app_instance.response.containment_result | String | Returns Containment result |
app_instance.response.containment_summary | String | Returns Containment summary |
app_instance.response.containment_url | String | Containment URL |
app_instance.response.description | String | Description of the incident |
app_instance.response.destination_hostname | String | Destination host name |
app_instance.response.destination_ip | String | Destination IP |
app_instance.response.destination_port | String | Destination port |
app_instance.response.endpoints_data | Array | An array of endpoint objects |
app_instance.response.enhancements_data | Array | An array of enhancement objects |
app_instance.false_positive | Array | False positive indicator |
app_instance.response.false_positive_data | String | False positive data |
app_instance.response.ie_customer_notification_required | Null | Customer notification indicator |
app_instance.response.ie_customer_notification_required_data | String | Returns customer notification data |
app_instance.response.ie_findings_summary | String | Returns findings summary |
app_instance.response.ie_forensics_details | String | Returns forensics details |
app_instance.response.ie_impact_on_intellectual_property | Null | Impact on intellectual property |
app_instance.response.ie_incident_type | String | Returns the incident type. |
app_instance.response.ie_incident_type_data | Object | Returns the incident type data. |
app_instance.response.ie_incident_type_data.option_name | String | Returns the name of the incident type option. |
app_instance.response.ie_invegtigation_eradication_exception | Null | Investigation eradication exception. |
app_instance.response.ie_lessons_learned | Null | Returns lessons learned |
app_instance.response.ie_log_analysis_summary | Null | Returns log analysis summary |
app_instance.response.ie_malware_analysis_summary | Null | Malware analysis summary |
app_instance.response.ie_motives | Array | An array of motive objects |
app_instance.response.ie_motives_data | Array | An array of motive data objects |
app_instance.response.ie_num_of_assets_impacted | Null | Number of assets impacted by the incident. |
app_instance.response.ie_num_of_users_impacted | Null | Number of users impacted by the incident. |
app_instance.response.ie_port_numbers_impacted | Null | Port numbers impacted |
app_instance.response.ie_regulatory_notifications_required | Null | Regulatory notifications required |
app_instance.response.ie_regulatory_notifications_required_data | Null | Regulatory notifications required data |
app_instance.response.ie_regulatory_reporting | Array | An array of regulatory reporting objects. |
app_instance.response.ie_regulatory_reporting_data | Array | An array of regulatory reporting data objects. |
app_instance.response.ie_regulatory_reporting_date | Null | Regulatory reporting date. |
app_instance.response.ie_root_cause | Null | Root cause of the incident. |
app_instance.response.ie_root_cause_data | Null | Root cause data |
app_instance.response.incident_analysis | Null | Incident analysis |
app_instance.response.incident_identified | Array | An array of incident identified objects. |
app_instance.response.incident_identified_data | Array | An array of incident identified data objects. |
app_instance.response.incident_learning | Null | Incident learning |
app_instance.response.ioc_MD5 | Array | An array of MD5 Indicator of Compromise. |
app_instance.response.ioc_MD5_data | Array | An array of MD5 IoC data objects. |
app_instance.response.ioc_SHA1 | Array | An array of SHA1 Indicator of Compromise. |
app_instance.response.ioc_SHA1_data | Array | An array of SHA1 IoC data objects. |
app_instance.response.ioc_SHA256 | Array | An array of SHA256 Indicator of Compromise. |
app_instance.response.ioc_SHA256_data | Array | An array of SHA256 IoC data objects. |
app_instance.response.ioc_domain | Array | An array of IOC domain objects. |
app_instance.response.ioc_domain_data | Array | An array of IOC domain data objects. |
app_instance.response.ioc_email | Array | An array of IOC email objects. |
app_instance.response.ioc_email_data | Array | An array of IOC email data objects. |
app_instance.response.ioc_ip | Array | An array of IOC IP objects. |
app_instance.response.ioc_ip_data.value | String | IP address value. |
app_instance.response.ioc_url | Array | An array of IoC URL objects. |
app_instance.response.ioc_url_data | Array | An array of IoC URL data objects. |
app_instance.response.ip_reputation | Null | IP Reputation of the incident. |
app_instance.response.kill_chain_phase | String | Current phase in the kill chain of the incident. |
app_instance.response.kill_chain_phase_data | Object | Details of the current phase in the kill chain. |
app_instance.response.kill_chain_phase_data.option_name | String | Phase name in the kill chain of the incident. |
app_instance.response.knowledge_base_data | Array | An array of knowledge base objects. |
app_instance.response.level | String | Incident level of the incident. |
app_instance.response.level_data | Object | Details of the incident level. |
app_instance.response.level_data.option_name | String | Incident level option name. |
app_instance.response.malwares_data | Array | An array of malware objects. |
app_instance.response.methods_monitor_recovery_actions | Null | Methods to monitor recovery actions. |
app_instance.response.methods_validate_recovery_actions | Null | Methods to validate recovery actions. |
app_instance.response.phase | String | The current phase of the incident. |
app_instance.response.phase_data | Object | Details of the current phase. |
app_instance.response.phase_data.option_name | String | Indicates the phase of the incident |
app_instance.response.pirs_data | Array | An array of PIR (Priority Intelligence Requirements) objects. |
app_instance.response.readable_id | String | Readable ID of the incident. |
app_instance.response.recovery_details | Null | Details of the recovery in incident. |
app_instance.response.related_incidents_data | Array | An array of related incident data objects. |
app_instance.response.softwares_data | Array | An array of software data objects. |
app_instance.response.source_hostname | Null | Source host name. |
app_instance.response.source_ip | Null | Source IP address. |
app_instance.response.source_port | Null | Source port |
app_instance.response.sources_data | Object | An object containing source data. |
app_instance.response.sources_data.created | String (datetime) | Creation timestamp of the source data. |
app_instance.response.sources_data.modified | String (datetime) | Modification timestamp of the source data. |
app_instance.response.sources_data.source_display_name | String | Display name of the source. |
app_instance.response.sources_data.source_type | String | Type identifier of the source. |
app_instance.response.sources_data.source_type_data | Object | Additional data about the source type. |
app_instance.response.sources_data.source_type_data.created | String (datetime) | Creation timestamp of the source type data. |
app_instance.response.sources_data.source_type_data.title | String | Title of the source type. |
app_instance.response.sources_data.source_type_data.unique_id | String | Unique identifier of the source type data. |
app_instance.response.sources_data.unique_id | String | Unique identifier of the source data. |
app_instance.response.sources_data.value | String | Value of the source data. |
app_instance.response.status | String | Status of the incident. |
app_instance.response.status_data | Object | Additional data about the status. |
app_instance.response.status_data.option_name | String | Indicates status option name. |
app_instance.response.threat_actors_data | Array | An array of threat actor objects in the incident. |
app_instance.response.time_to_resolve | Null | Time taken to resolve the incident. |
app_instance.response.title | String | Title of the incident. |
app_instance.response.url_reputation | Null | URL reputation in a phase |
app_instance.response.users_data | Array | An array of user data objects. |
app_instance.response.vulnerabilities_data | Array | An array of vulnerability data objects. |
Action: List Incidents
This action retrieves a list of incidents from the application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key Value | Optional | Allowed values: q (str), page (int): by default, the value is 1, page_size (int): by default, the value is 10, status (str): open, closed, untriaged, merged, participant (bool), self_assigned_groups (bool), self_assigned (bool), bookmarked (bool), mentioned (bool), assigned_to (bool), is_protected (bool), is_paused (bool), attack_techniques (id), attack_tactics (id), phase (str), business_units (id), created_by (id), detection_date__gte (epochtime), detection_date__lte (epochtime), incident_date__gte (epochtime), incident_date__lte (epochtime), modified_date__gte (epochtime), modified_date__lte (epochtime), created_date__gte (epochtime), created_date__lte (epochtime), locations (id), level (str): type of severity, kill_chain_phase (id), labels (id), created_date__n_months (int): 3, 6, created_date__n_days (int): 7, 30, 90, resolution_overdue (bool), assignment_overdue (bool) |
Example Request
[ { "query_params": { "page": 1, "page_size": 10, "status": "open" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter may include the following keys:
|
| Integer | Total number of incidents in CFTR application according to the filters applied. |
| Array of JSON Objects | List of incident details. Each object provides details of one incident. |
| String | Unique ID of the Incident in UUID-4 format. |
| String | Unique readable ID of the incident. It starts with INC followed by a unique number. |
| String | Incident creation date and time in Epoch format. |
| String | Description of the Incident. |
| String | Last updated date and time of the incident. |
| String | Title of the incident. |
| Boolean | True: Incident is considered machine generated when it is generated using the CFTR OpenAPI. False: Incident created manually. |
| String | Current status of the incident. Possible values: open, closed, untriaged, merged |
| String | Date and time when the incident was closed. If incident is not closed, value of this param will be null. |
| String | Title of the incident. |
| Boolean | Returns true if the incident is marked as protected. |
| String | Severity level of the incident. |
| String | Current phase of the incident. |
| Boolean | Returns true if the incident is paused. |
| String | Date and time when the incident was opened. If incident is not opened yet, value of this param will be null. |
| JSON Object | Assignment SLA details of the incident. It has two keys: 1. |
| JSON Object | Resolution SLA details of the incident. It has two keys: 1. |
| Boolean | Shows if the incident is bookmarked or not. |
| Timestamp | Resolution SLA breach date of the incident. |
| JSON Object | Details of the user who opened the incident. Details include: |
| JSON Object | Details of the parent incident if the incident is merged. Details include: |
| JSON Object | Details of the user who last updated the Incident. Details include: |
| JSON Object | Details of the assigned user group. Details include: group name and group ID. |
| JSON Object | Details of the user who created the incident. Details include: |
| JSON Object | Details of the assigned user. Details include: |
| Array of JSON Objects | Details of labels added to the incident. Details include: |
| JSON Object | Details of business unit impacted by the incident. Details include: |
| Array of JSON Objects | Details of locations impacted by the incident. Details include: |
| JSON Object | Details of the current phase of the incident. Details include:
|
| JSON Object | Details of the incident type associated with the incident. Details include: |
| String | Incident type associated with the incident. |
| JSON Object | Details of the severity level of the incident. Details include: |
| String | Current kill chain phase of the incident. |
| JSON Object | Details of the kill chain phase of the incident. Details include: |
| Array of JSON Objects | Details of the motivations of the incident. Details include: |
| Array | List of motivations of the incident. |
| Array of JSON Objects | Details of the compliance standards that are applicable to the incident. Details include: |
| Array | List of compliance standards that are applicable to the incident. |
| JSON Objects | Details of the root cause of the incident. |
| String | Root cause of the incident. |
Action: Update Incident Details
This action updates the details of an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the unique ID of an incident. Example: p53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Optional | You can retrieve the list of incidents and their IDs using the action List Incidents. Note: If you enter both Incident ID and Readable Incident ID, Readable Incident ID takes precedence. |
Readable Incident ID | Enter the ID of the incident in a readable format. Example: INC140 | Text | Optional | You can retrieve the list of incidents and their readable IDs using the action List Incidents. Note: If you enter both Incident ID and Readable Incident ID, Readable Incident ID takes precedence. |
Incident Status | Enter the status of the incident. Example: merged | Text | Optional | Allowed values:
|
Incident Phase | Enter the phase of the incident. Example: recovery | Text | Optional | Allowed values:
|
Readable Type | Select true to enter the readable type values. This allows you to update incidents using the values of locations, business units, sources, assigned groups, and the email IDs of assigned users. | Boolean | Optional | Default value: false |
Title | Enter a title for the incident. | Text | Optional | |
Business Units Impacted | Enter the unique ID of the impacted business unit. Example: 728277db-83be-4108-a8d7-e52c5deefc2c | Text | Optional | |
Locations Impacted | Enter one or more unique IDs of the impacted locations. Example: $LIST[fc6c98ae-6995-4cc3-80b8-21ebdec648d9,671961e6-0119-460c-8d55-9b697f6e2d6e] | List | Optional | |
Assigned Group | Enter the unique ID of the user group to assign the incident. Example: h53ff8942-612d-4bc1-b54f-d8195c002404 | Text | Optional | Note: If you update Assigned Group, you must also enter the Handoff Description and Handoff Comment Type parameters. |
Description | Enter a description that best describes the key details of the incident. Example: Sample Description | Text | Optional | |
Handoff Description | Enter the handoff description while updating Assigned Group or Assigned Users for an incident. If you provide a handoff description, you must also specify the handoff comment type, and vice versa. Example: updating assignee | Text | Optional | |
Handoff Comment Type | Enter the type of comment while updating Assigned Group or Assigned Users for an incident. If you provide a comment type, you must also specify the handoff description, and vice versa. Example: handoff | Text | Optional | |
Additional Information | Enter other incident details in the form of key-value pairs to update. Example: labels: Important | Key Value | Optional |
Example Request
[ { "phase": "Detection Analysis", "title": "Sample Incident Title", "status": "open", "unique_id": "5e0fef7a-5460-4d56-a008-7f24673d713c", "incident_id": "INC140", "description": "This is a sample description", "comment_type": "handoff", "extra_fields": {}, "readable_type": false, "assigned_group": "cde925f0-a6a4-464d-b6a1-9727178d10ee", "locations_impacted": [ "e02447d4-9b47-44de-ae4f-d810dfe72770", "fc6c98ae-6995-4cc3-80b8-21ebdec648d9" ], "handoff_description": "updating assignee", "business_units_impacted": [ "c24ab8cd-df74-4192-bd16-b135353486dd" ] } ]
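The following added example (not the connector's own code) is a pre-flight check for an Update Incident request object. It applies the cross-field rules from the parameter table above: Readable Incident ID takes precedence over Incident ID, the handoff description and comment type must be given together, and a change of Assigned Group needs both. Key names are taken from the example request; the rule that at least one identifier must be present is an assumption, since the table marks both as optional.

```python
def _present(req, key):
    """A field counts as supplied only if it is neither missing nor empty."""
    value = req.get(key)
    return value is not None and value != ""


def validate_update_request(req):
    """Return (target, errors, warnings) for one Update Incident request.

    target is the (key, value) pair that will identify the incident.
    """
    errors, warnings = [], []

    # Precedence rule from the table: the readable ID wins when both are given.
    has_readable = _present(req, "incident_id")
    has_uuid = _present(req, "unique_id")
    if has_readable:
        target = ("incident_id", req["incident_id"])
        if has_uuid:
            warnings.append(
                "both identifiers supplied; unique_id is ignored in favour of "
                f"incident_id {req['incident_id']}, so confirm they match"
            )
    elif has_uuid:
        target = ("unique_id", req["unique_id"])
    else:
        target = None
        # Assumption: the page marks both IDs optional, but one is needed.
        errors.append("no incident identifier (incident_id or unique_id)")

    # Handoff description and comment type are documented as a pair.
    has_desc = _present(req, "handoff_description")
    has_type = _present(req, "comment_type")
    if has_desc != has_type:
        missing = "comment_type" if has_desc else "handoff_description"
        errors.append(f"{missing} is required when its counterpart is set")

    # Updating the assigned group requires both handoff fields.
    if _present(req, "assigned_group") and not (has_desc and has_type):
        errors.append(
            "assigned_group needs handoff_description and comment_type"
        )

    return target, errors, warnings


# Subset of the example request shown on this page.
PAGE_EXAMPLE = {
    "status": "open",
    "unique_id": "5e0fef7a-5460-4d56-a008-7f24673d713c",
    "incident_id": "INC140",
    "comment_type": "handoff",
    "assigned_group": "cde925f0-a6a4-464d-b6a1-9727178d10ee",
    "handoff_description": "updating assignee",
}

# Constructed request that reassigns a group without any handoff fields.
REASSIGN_WITHOUT_HANDOFF = {
    "unique_id": "5e0fef7a-5460-4d56-a008-7f24673d713c",
    "assigned_group": "cde925f0-a6a4-464d-b6a1-9727178d10ee",
}

if __name__ == "__main__":
    for name, req in (("page example", PAGE_EXAMPLE),
                      ("reassign without handoff", REASSIGN_WITHOUT_HANDOFF)):
        target, errors, warnings = validate_update_request(req)
        print(name, "->", target)
        for line in errors:
            print("  error:", line)
        for line in warnings:
            print("  warning:", line)
```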
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Returns the response retrieved from the app action. |
| JSON Object | Details of the user who last modified the incident. |
| String | Last updated date and time of the incident. |
| Integer | Update index of the incident. |
| Integer | HTTP status code of the API request received from the instance. |