Quarterback AI

Respond (CFTR)

The Respond (CFTR) Connector App allows security teams to integrate with the Cyber Fusion and Threat Response (CFTR) application, a threat response automation platform. The Connector App enables analysts to perform actions related to Incident Response and Management, Threat Actor Management, Vulnerability Management, Malware Management, Triage Management, and more that help you automate threat response.

Supported Actions and Example Prompts

The following list gives the supported actions and an example prompt for each action:

Create Incident
  • Description: This action creates an incident. For more information, see Action: Create Incident.
  • Prompt example: Create an incident with the title Phishing Email Found in Respond.

Get Incident Summary
  • Description: This action retrieves the executive summary of an incident using its ID. For more information, see Action: Get Incident Summary.
  • Prompt example: Get the summary of the incident INC103 using Respond.

List Incidents
  • Description: This action retrieves a list of incidents from Respond. For more information, see Action: List Incidents.
  • Prompt example: List all incidents from Respond.

Update Incident Details
  • Description: This action updates the details of an incident. For more information, see Action: Update Incident Details.
  • Prompt example: Update the status to Open of the incident INC103 using Respond.

Install and Configure the App

Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.

Before you Start

Ensure that you have the API token (the access ID and secret key) required to authenticate with the Respond (CFTR) application.

Steps:

To install and configure the app, follow these steps:

  1. In the application, select Quarterback AI in the left pane.

  2. In Apps, select Respond (CFTR) and click Install.

  3. After the app is installed, click Configure and enter the following details to create an instance:

    • Instance Name: Enter a name for the instance.

    • Instance Description: Enter a description for the instance.

    • Expiry: Select an expiry date for the instance.

    • Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.

    • Base URL: Enter the base URL to access the Respond application.

    • Access ID: Enter the access ID to access the Respond application.

    • Secret Key: Enter the secret key to access the Respond application.

    • TLS verification: Select this option to verify the server's TLS certificate when making requests. Selecting it is recommended to ensure a secure connection. By default, this option is not selected.

    • Timeout: Enter the timeout value in seconds. This is the number of seconds a request waits to establish a connection with Respond. You can enter values between 15 and 120 seconds. The default is 15 seconds.

  4. Click Done.

The instance is created, and you can view it in Instances. To create another instance, click Add Instance.

Action: Create Incident

This action creates an incident in the application.

Action Input Parameters

Each parameter is listed with its field type and whether it is required or optional.

Title (Text, Required)
  • Enter a title for the incident. Example: Found a Phishing Email

Description (Text, Optional)
  • Enter a description of the incident. Example: Incident detected

Status (Text, Optional)
  • Enter the status of the incident. Example: untriaged
  • Allowed values: open, closed, untriaged, merged
  • Default value: untriaged

Incident Type (Text, Optional)
  • Enter the type of the incident. Examples: malware, phishing, Ransomware

Business Unit Impacted (List, Optional)
  • Enter the unique IDs of the impacted business units. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b]

Locations Impacted (List, Optional)
  • Enter the unique IDs of the impacted locations. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b]

Source (Text, Optional)
  • Enter the unique IDs of the impacted sources. Example: 7c81cbda-11d8-4026-ae2f-287eaa643a9b

Incident Date (Text, Optional)
  • Enter the date when the incident occurred, in ISO 8601 time format. Example: 2021-10-28t19:37:16.321856z

Detection Date (Text, Optional)
  • Enter the date when the incident was detected as malicious, in ISO 8601 time format. Example: 2021-10-28t19:37:16.321856z

Level (Text, Optional)
  • Enter the severity level of the incident. Examples: critical, high, low

Assigned Group (Text, Optional)
  • Enter the group_comm_id of the group to assign to the incident. Example: 4e046ee1-5bc9-4320-965f-3bf24dbb9256

Extra Fields (Key Value, Optional)
  • Enter key-value pairs of additional information to add to this incident.

Readable Type (Boolean, Optional)
  • Select true to enter readable type values. This allows you to create incidents using the values of locations, business units, sources, assigned groups, and labels, and the email IDs of assigned users.
  • Default value: false

Example Request 

[
  {
    "title": "New Incident",
    "description": "Incident Detected",
    "status": "Open",
    "ie_incident_type": "Malware",
    "business_unit_impacted": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"],
    "locations_impacted": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"],
    "source": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"],
    "incident_date": "2021-10-28T19:37:16.321856Z",
    "detection_date": "2021-10-28T19:37:16.321856Z",
    "level": "Critical",
    "assigned_group": "AssignmentID_12"
  }
]
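The following is an added example, not code from the connector or from Cyware, of building a Create Incident body that satisfies the parameter table before anything is sent: the status allowed values and default, UUID-4 checks on the ID fields (skipped when Readable Type is true), and normalisation of the lowercase ISO 8601 form shown in the table to the uppercase UTC form of the Example Request. The helper names, the UUID-4 requirement and the timestamp handling are this example's assumptions; the field names and sample UUIDs come from the page.

```python
"""Build and validate a Create Incident request body for the Respond (CFTR) connector.

Added example, not the connector's own code. Field names, allowed status values and
the sample UUIDs come from the parameter table and Example Request; the helper names,
the UUID-4 check and the timestamp normalisation are this example's assumptions.
"""
import uuid
from datetime import datetime, timezone

# Allowed values and default for the Status parameter, as listed in the table.
ALLOWED_STATUS = {"open", "closed", "untriaged", "merged"}
DEFAULT_STATUS = "untriaged"


class PayloadError(ValueError):
    """A field value the app would reject, caught before any request is sent."""


def _check_uuid4(field, value):
    """Accept only UUID-4 strings, the format the response's unique_id uses."""
    try:
        parsed = uuid.UUID(str(value))
    except ValueError:
        raise PayloadError(f"{field}: {value!r} is not a UUID") from None
    if parsed.version != 4:
        raise PayloadError(f"{field}: {value!r} is not a UUID-4")
    return str(parsed)


def _iso8601_utc(field, value):
    """Accept the lowercase form in the table (...t19:37:16.321856z) and emit the
    uppercase UTC form used in the Example Request (...T19:37:16.321856Z)."""
    text = str(value).strip().upper()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"  # fromisoformat() accepts this on all versions
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        raise PayloadError(f"{field}: {value!r} is not an ISO 8601 timestamp") from None
    if parsed.tzinfo is None:
        raise PayloadError(f"{field}: {value!r} has no timezone offset")
    return parsed.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def build_create_incident(title, description=None, status=None, incident_type=None,
                          business_units=(), locations=(), sources=(),
                          incident_date=None, detection_date=None, level=None,
                          assigned_group=None, extra_fields=None, readable_type=False):
    """Return the request body in the shape of the Example Request: a one-element list."""
    if not title or not str(title).strip():
        raise PayloadError("title is required")
    status = str(status or DEFAULT_STATUS).lower()
    if status not in ALLOWED_STATUS:
        raise PayloadError(f"status must be one of {sorted(ALLOWED_STATUS)}")
    body = {"title": str(title).strip(), "status": status,
            "readable_type": bool(readable_type)}
    if description:
        body["description"] = description
    if incident_type:
        body["ie_incident_type"] = incident_type
    if level:
        body["level"] = level
    # With Readable Type set to true the app takes names instead of IDs, so the
    # UUID shape is only enforced when IDs are expected.
    check = (lambda field, v: str(v)) if readable_type else _check_uuid4
    for field, values in (("business_unit_impacted", business_units),
                          ("locations_impacted", locations),
                          ("source", sources)):  # sent as a list, as in the Example Request
        if values:
            body[field] = [check(field, v) for v in values]
    if assigned_group:
        body["assigned_group"] = check("assigned_group", assigned_group)
    if incident_date:
        body["incident_date"] = _iso8601_utc("incident_date", incident_date)
    if detection_date:
        body["detection_date"] = _iso8601_utc("detection_date", detection_date)
    if extra_fields:
        body["extra_fields"] = dict(extra_fields)
    return [body]


def create_payload_error(**kwargs):
    """Return the validation message for the given fields, or "" when they are valid."""
    try:
        build_create_incident(**kwargs)
    except PayloadError as err:
        return str(err)
    return ""
```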

Action Response Parameters

Each parameter is listed with its type and a description.

{app_instance} (JSON Object): This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved.

app_instance.response (JSON Object): Returns the response retrieved from the app action.

app_instance.response.title (String): Title of the incident.

app_instance.response.unique_id (String): Unique identifier of the incident, in UUID-4 format.

app_instance.response.readable_id (String): Readable ID of the incident. For example, INC320.

app_instance.response.incident_date (String): Date and time when the incident happened.

app_instance.response.detection_date (String): Date and time when the incident was detected as malicious.

app_instance.response.status (String): Status of the incident workflow. Possible values: active, inactive.

app_instance.response.phase (String): Current phase of the incident, given as the UUID of the phase in the Incident Workflow.

app_instance.response.machine_generated (Boolean): Shows whether the incident is machine-generated.

app_instance.response.phase_data (JSON Object): Details of the current phase of the incident.

app_instance.response.level (String): Severity level of the incident. For example, high.

app_instance.response.level_data (JSON Object): Details of the severity level of the incident.

app_instance.response.created_by (String): user_id of the user who created the incident.

app_instance.response.is_protected (Boolean): Shows whether the incident is protected.

app_instance.response.is_removed (Boolean): Shows whether the incident is in the deleted state.

app_instance.response.created_by_data (JSON Object): Details of the user who created the incident.

app_instance.response.modified_by_data (JSON Object): Details of the user who last modified the incident.

app_instance.response.closed_by_data (JSON Object): Details of the user who closed the incident.

app_instance.response.created (String): Incident creation date and time.

app_instance.response.modified (String): Date and time when the incident was last updated.

app_instance.response.opened_on (Timestamp): Date and time when the incident was opened.

app_instance.response.closed_on (Timestamp): Date and time when the incident was closed. If the incident is not closed, the value of this parameter is null.

app_instance.response.ie_num_of_pii_exposed (Integer): Number of PII items that were exposed in the incident.

app_instance.response.description (String): Description of the incident.

app_instance.response.assigned_to (String): user_id of the assigned user.

app_instance.response.assigned_to_data (Object): Details of the assigned user.

app_instance.response.assigned_group (String): group_comm_id of the assigned user group.

app_instance.response.assigned_group_data (Object): Details of the assigned user group.

app_instance.response.assignment_sla (String): Assignment SLA details of the incident. This includes the following two keys:
  • color: Associated color code (according to SLA breach level).
  • data: This includes two keys:
    • sla_duration: SLA breach time.
    • elapsed_time: Time elapsed between incident opening and SLA completion.

app_instance.response.ie_incident_type (String): The type of incident. Example: hacking.

app_instance.response.days_open (Integer): Number of days the incident has been open.

app_instance.response.resolution_sla (String): Resolution SLA details of the incident. This includes two keys:
  • color: Associated color code (according to SLA breach level).
  • data: This includes two keys:
    • sla_duration: SLA breach time.
    • elapsed_time: Time elapsed between incident opening and SLA completion.

app_instance.response.notification_sla (String): Details of the incident notifications (if enabled in admin settings).

app_instance.response.total_cost (Integer): Total cost incurred due to the incident.

app_instance.response.is_bookmarked (Boolean): Shows whether the incident is bookmarked.

app_instance.response.permanently_closed (Boolean): Shows whether the incident is permanently closed.

app_instance.response.resolution_due_date (String): Resolution SLA breach date of the incident.

app_instance.response.can_update_instance (Boolean): Shows whether the user who made the request can update the instance.

app_instance.response.is_paused (Boolean): Shows whether the incident is paused.

app_instance.response.paused_by (String): user_id of the user who paused the incident.

app_instance.response.paused_by_data (JSON Object): Details of the user who paused the incident.

app_instance.response.schema (String): Unique ID of the Incident Workflow used by the incident.

app_instance.response.schema_type (String): Type of the Incident Workflow. Allowed values: draft, published.

app_instance.response.schema_data (JSON Object): Details of the Incident Workflow used by the incident.

app_instance.response.sources (Array): List of the sources for the incident.

app_instance.response.sources_data (Array of JSON Objects): Details of the sources for the incident.

app_instance.response.labels (Array): List of the labels added to the incident.

app_instance.response.labels_data (Array of JSON Objects): Details of the labels added to the incident.

app_instance.response.tactic_technique_pair (Array): List of the tactics and techniques used in the incident.

app_instance.response.tactic_technique_pair_data (Array of JSON Objects): Details of the tactics and techniques used in the incident.

app_instance.response.business_units_impacted_data (Array of JSON Objects): List of business units impacted by the incident.

app_instance.response.locations_impacted_data (Array of JSON Objects): List of locations impacted by the incident.

app_instance.response.incident_state (String): Current state of the incident. Possible values: open, closed, merged.

app_instance.response.status_data (JSON Object): Details of the status of the incident.

app_instance.response.applications (Array of UUID Strings): List of unique_id values of the connected applications.

app_instance.response.applications_data (Array of JSON Objects): Details of the connected applications.

app_instance.response.softwares (Array of UUID Strings): List of unique_id values of the connected software.

app_instance.response.softwares_data (Array of JSON Objects): Details of the connected software.

app_instance.response.users (Array of UUID Strings): List of unique_id values of the connected users.

app_instance.response.users_data (Array of JSON Objects): Details of the connected users.

app_instance.response.endpoints (Array of UUID Strings): List of unique_id values of the connected devices.

app_instance.response.endpoints_data (Array of JSON Objects): Details of the connected devices.

app_instance.response.briefings (Array of UUID Strings): List of unique_id values of the connected threat briefings.

app_instance.response.briefings_data (Array of JSON Objects): Details of the connected threat briefings.

app_instance.response.campaigns (Array of UUID Strings): List of unique_id values of the connected campaigns.

app_instance.response.campaigns_data (Array of JSON Objects): Details of the connected campaigns.

app_instance.response.malwares (Array of UUID Strings): List of unique_id values of the connected malware.

app_instance.response.malwares_data (Array of JSON Objects): Details of the connected malware.

app_instance.response.threat_actors (Array of UUID Strings): List of unique_id values of the connected threat actors.

app_instance.response.threat_actors_data (Array of JSON Objects): Details of the connected threat actors.

app_instance.response.vulnerabilities (Array of UUID Strings): List of unique_id values of the connected vulnerabilities.

app_instance.response.vulnerabilities_data (Array of JSON Objects): Details of the connected vulnerabilities.

app_instance.response.enhancements (Array of UUID Strings): List of unique_id values of the connected enhancements.

app_instance.response.enhancements_data (Array of JSON Objects): Details of the connected enhancements.

app_instance.response.actions_data (Array of JSON Objects): Details of the actions added to the incident.

app_instance.response.attachments_data (Array of JSON Objects): Details of the attachments uploaded to the incident.

app_instance.status_code (Integer): HTTP status code of the API request received from the instance.

Action: Get Incident Summary

This action retrieves the executive summary of the incident using the incident ID.

Action Input Parameters

Incident ID (Text, Required)
  • Enter the incident ID to retrieve the summary. Example: INC103

Example Request 

[
  {
    "incident_id": "INC103"
  }
]

Action Response Parameters

Each parameter is listed with its type and a description.

app_instance (Object): Returns the root object containing the response and status code.

app_instance.response (Object): Displays the response data of the query.

app_instance.status_code (Integer): Returns the HTTP status code of the response.

app_instance.response.actions_data (Array): Returns an array of action objects.

app_instance.response.actions_data.readable_id (String): Returns the readable ID of the action.

app_instance.response.actions_data.title (String): Returns the title of the action in the incident.

app_instance.response.actions_data.title_display (String): Displays the title of the action linked to the incident.

app_instance.response.applicable_compliance (Array): Returns the list of compliance standards applicable to the incident.

app_instance.response.applicable_compliance_data (Array): Returns an array of compliance option objects.

app_instance.response.applicable_compliance_data[].option_name (String): Returns the name of the compliance option.

app_instance.response.applications_data (Array): Returns an array of application objects.

app_instance.response.attack_vector (Null): Returns the attack vector linked to the incident.

app_instance.response.attack_vector_data (Null): Returns the details of the attack vector linked to the incident.

app_instance.response.base_line_changes (Null): Returns the baseline changes.

app_instance.response.briefings_data (Array): Returns an array of briefing objects.

app_instance.response.business_impact (Array): Returns an array of business units impacted by the incident.

app_instance.response.business_impact_data (Array): Returns an array of business impact option objects.

app_instance.response.business_impact_data.option_name (String): Returns the name of the business impact option.

app_instance.response.campaigns_data (String): Returns an array of campaign objects.

app_instance.response.closure_comments (String): Returns the closure comments of the incident.

app_instance.response.containment_hash (String): Returns the containment hash.

app_instance.response.containment_host (String): Returns the containment host.

app_instance.response.containment_ip (String): Returns the containment IP.

app_instance.response.containment_result (String): Returns the containment result.

app_instance.response.containment_summary (String): Returns the containment summary.

app_instance.response.containment_url (String): Containment URL.

app_instance.response.description (String): Description of the incident.

app_instance.response.destination_hostname (String): Destination host name.

app_instance.response.destination_ip (String): Destination IP.

app_instance.response.destination_port (String): Destination port.

app_instance.response.endpoints_data (Array): An array of endpoint objects.

app_instance.response.enhancements_data (Array): An array of enhancement objects.

app_instance.response.false_positive (Array): False positive indicator.

app_instance.response.false_positive_data (String): False positive data.

app_instance.response.ie_customer_notification_required (Null): Customer notification indicator.

app_instance.response.ie_customer_notification_required_data (String): Returns the customer notification data.

app_instance.response.ie_findings_summary (String): Returns the findings summary.

app_instance.response.ie_forensics_details (String): Returns the forensics details.

app_instance.response.ie_impact_on_intellectual_property (Null): Impact on intellectual property.

app_instance.response.ie_incident_type (String): Returns the incident type.

app_instance.response.ie_incident_type_data (Object): Returns the incident type data.

app_instance.response.ie_incident_type_data.option_name (String): Returns the name of the incident type option.

app_instance.response.ie_invegtigation_eradication_exception (Null): Investigation and eradication exception.

app_instance.response.ie_lessons_learned (Null): Returns the lessons learned.

app_instance.response.ie_log_analysis_summary (Null): Returns the log analysis summary.

app_instance.response.ie_malware_analysis_summary (Null): Malware analysis summary.

app_instance.response.ie_motives (Array): An array of motive objects.

app_instance.response.ie_motives_data (Array): An array of motive data objects.

app_instance.response.ie_num_of_assets_impacted (Null): Number of assets impacted by the incident.

app_instance.response.ie_num_of_users_impacted (Null): Number of users impacted by the incident.

app_instance.response.ie_port_numbers_impacted (Null): Port numbers impacted.

app_instance.response.ie_regulatory_notifications_required (Null): Regulatory notifications required.

app_instance.response.ie_regulatory_notifications_required_data (Null): Regulatory notifications required data.

app_instance.response.ie_regulatory_reporting (Array): An array of regulatory reporting objects.

app_instance.response.ie_regulatory_reporting_data (Array): An array of regulatory reporting data objects.

app_instance.response.ie_regulatory_reporting_date (Null): Regulatory reporting date.

app_instance.response.ie_root_cause (Null): Root cause of the incident.

app_instance.response.ie_root_cause_data (Null): Root cause data.

app_instance.response.incident_analysis (Null): Incident analysis.

app_instance.response.incident_identified (Array): An array of incident identified objects.

app_instance.response.incident_identified_data (Array): An array of incident identified data objects.

app_instance.response.incident_learning (Null): Incident learning.

app_instance.response.ioc_MD5 (Array): An array of MD5 indicators of compromise.

app_instance.response.ioc_MD5_data (Array): An array of MD5 IoC data objects.

app_instance.response.ioc_SHA1 (Array): An array of SHA1 indicators of compromise.

app_instance.response.ioc_SHA1_data (Array): An array of SHA1 IoC data objects.

app_instance.response.ioc_SHA256 (Array): An array of SHA256 indicators of compromise.

app_instance.response.ioc_SHA256_data (Array): An array of SHA256 IoC data objects.

app_instance.response.ioc_domain (Array): An array of IoC domain objects.

app_instance.response.ioc_domain_data (Array): An array of IoC domain data objects.

app_instance.response.ioc_email (Array): An array of IoC email objects.

app_instance.response.ioc_email_data (Array): An array of IoC email data objects.

app_instance.response.ioc_ip (Array): An array of IoC IP objects.

app_instance.response.ioc_ip_data.value (String): IP address value.

app_instance.response.ioc_url (Array): An array of IoC URL objects.

app_instance.response.ioc_url_data (Array): An array of IoC URL data objects.

app_instance.response.ip_reputation (Null): IP reputation of the incident.

app_instance.response.kill_chain_phase (String): Current phase in the kill chain of the incident.

app_instance.response.kill_chain_phase_data (Object): Details of the current phase in the kill chain.

app_instance.response.kill_chain_phase_data.option_name (String): Phase name in the kill chain of the incident.

app_instance.response.knowledge_base_data (Array): An array of knowledge base objects.

app_instance.response.level (String): Level of the incident.

app_instance.response.level_data (Object): Details of the incident level.

app_instance.response.level_data.option_name (String): Incident level option name.

app_instance.response.malwares_data (Array): An array of malware objects.

app_instance.response.methods_monitor_recovery_actions (Null): Methods to monitor recovery actions.

app_instance.response.methods_validate_recovery_actions (Null): Methods to validate recovery actions.

app_instance.response.phase (String): The current phase of the incident.

app_instance.response.phase_data (Object): Details of the current phase.

app_instance.response.phase_data.option_name (String): Indicates the phase of the incident.

app_instance.response.pirs_data (Array): An array of PIR (Priority Intelligence Requirements) objects.

app_instance.response.readable_id (String): Readable ID of the incident.

app_instance.response.recovery_details (Null): Details of the recovery in the incident.

app_instance.response.related_incidents_data (Array): An array of related incident data objects.

app_instance.response.softwares_data (Array): An array of software data objects.

app_instance.response.source_hostname (Null): Source host name.

app_instance.response.source_ip (Null): Source IP address.

app_instance.response.source_port (Null): Source port.

app_instance.response.sources_data (Object): An object containing source data.

app_instance.response.sources_data.created (String (datetime)): Creation timestamp of the source data.

app_instance.response.sources_data.modified (String (datetime)): Modification timestamp of the source data.

app_instance.response.sources_data.source_display_name (String): Display name of the source.

app_instance.response.sources_data.source_type (String): Type identifier of the source.

app_instance.response.sources_data.source_type_data (Object): Additional data about the source type.

app_instance.response.sources_data.source_type_data.created (String (datetime)): Creation timestamp of the source type data.

app_instance.response.sources_data.source_type_data.title (String): Title of the source type.

app_instance.response.sources_data.source_type_data.unique_id (String): Unique identifier of the source type data.

app_instance.response.sources_data.unique_id (String): Unique identifier of the source data.

app_instance.response.sources_data.value (String): Value of the source data.

app_instance.response.status (String): Status of the incident.

app_instance.response.status_data (Object): Additional data about the status.

app_instance.response.status_data.option_name (String): Indicates the status option name.

app_instance.response.threat_actors_data (Array): An array of threat actor objects in the incident.

app_instance.response.time_to_resolve (Null): Time taken to resolve the incident.

app_instance.response.title (String): Title of the incident.

app_instance.response.url_reputation (Null): URL reputation in a phase.

app_instance.response.users_data (Array): An array of user data objects.

app_instance.response.vulnerabilities_data (Array): An array of vulnerability data objects.

Action: List Incidents

This action retrieves a list of incidents from the application.

Action Input Parameters

Query Parameters (Key Value, Optional)
  • Enter the query parameters as key-value pairs to filter the results.
  • Allowed keys, with the expected value type:
    • q (str)
    • page (int): by default, the value is 1
    • page_size (int): by default, the value is 10
    • status (str): open, closed, untriaged, merged
    • participant, self_assigned_groups, self_assigned, bookmarked, mentioned, assigned_to, is_protected, is_paused, resolution_overdue, assignment_overdue (bool)
    • attack_techniques, attack_tactics, business_units, created_by, locations, kill_chain_phase, labels (id)
    • phase (str)
    • level (str): type of severity
    • detection_date__gte, detection_date__lte, incident_date__gte, incident_date__lte, modified_date__gte, modified_date__lte, created_date__gte, created_date__lte (epochtime)
    • created_date__n_months (int): 3, 6
    • created_date__n_days (int): 7, 30, 90

Example Request 

[
  {
    "query_params": 
    {
      "page": 1,
      "page_size": 10,
      "status": "open"
    }
  }
]
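The following is an added example, not code from the connector or from Cyware, that checks a set of List Incidents query parameters against the allowed keys and value types listed above and then walks the paginated results by following the link.next endpoint described in the response table. The range checks (page and page_size at least 1), the fetch callback shape, the sample pages and the host name respond.example are this example's assumptions.

```python
"""Validate List Incidents query parameters and walk the paginated results.

Added example, not the connector's own code. Parameter names, value types and defaults
come from the Allowed values list and response table; the range checks, the fetch
callback, the sample pages and the host respond.example are this example's assumptions.
"""
import uuid
from urllib.parse import parse_qs, urlparse

# Key -> value type as listed in the table: str, int, bool, id (UUID) or epochtime.
QUERY_PARAM_TYPES = {
    "q": "str", "page": "int", "page_size": "int", "status": "str", "phase": "str",
    "level": "str", "created_date__n_months": "int", "created_date__n_days": "int",
    "participant": "bool", "self_assigned_groups": "bool", "self_assigned": "bool",
    "bookmarked": "bool", "mentioned": "bool", "assigned_to": "bool",
    "is_protected": "bool", "is_paused": "bool", "resolution_overdue": "bool",
    "assignment_overdue": "bool", "attack_techniques": "id", "attack_tactics": "id",
    "business_units": "id", "created_by": "id", "locations": "id",
    "kill_chain_phase": "id", "labels": "id",
    "detection_date__gte": "epochtime", "detection_date__lte": "epochtime",
    "incident_date__gte": "epochtime", "incident_date__lte": "epochtime",
    "modified_date__gte": "epochtime", "modified_date__lte": "epochtime",
    "created_date__gte": "epochtime", "created_date__lte": "epochtime",
}
# Values the table enumerates for particular keys.
ENUM_VALUES = {"status": {"open", "closed", "untriaged", "merged"},
               "created_date__n_months": {3, 6}, "created_date__n_days": {7, 30, 90}}


class QueryError(ValueError):
    """A filter the app would not understand, caught before the request is sent."""


def _coerce(key, kind, value):
    if kind == "str":
        return str(value).lower() if key in ENUM_VALUES else str(value)
    if kind == "bool":
        if isinstance(value, bool):
            return value
        if str(value).lower() in ("true", "false"):
            return str(value).lower() == "true"
        raise QueryError(f"{key}: expected true or false, got {value!r}")
    if kind == "id":
        try:
            return str(uuid.UUID(str(value)))
        except ValueError:
            raise QueryError(f"{key}: {value!r} is not a UUID") from None
    # int and epochtime: non-negative integers; page and page_size start at 1
    if isinstance(value, bool) or not str(value).isdigit():
        raise QueryError(f"{key}: expected a non-negative integer, got {value!r}")
    number = int(value)
    if key in ("page", "page_size") and number < 1:
        raise QueryError(f"{key}: must be at least 1")
    return number


def validate_query_params(params):
    """Return a cleaned copy of params with the table's defaults page=1, page_size=10."""
    cleaned = {"page": 1, "page_size": 10}
    for key, value in params.items():
        kind = QUERY_PARAM_TYPES.get(key)
        if kind is None:
            raise QueryError(f"unknown query parameter {key!r}")
        coerced = _coerce(key, kind, value)
        if key in ENUM_VALUES and coerced not in ENUM_VALUES[key]:
            raise QueryError(f"{key}: {coerced!r} is not one of {sorted(ENUM_VALUES[key])}")
        cleaned[key] = coerced
    return cleaned


def query_param_error(params):
    """Return the validation message for params, or "" when they are valid."""
    try:
        validate_query_params(params)
    except QueryError as err:
        return str(err)
    return ""


def iter_incidents(fetch, params, max_pages=100):
    """Yield every incident object, following link.next until it is null.

    fetch(query_params) must return one response object (link, count, results). The
    next page number is read from the link.next URL; a link that does not move
    forward ends the walk, and max_pages bounds it regardless.
    """
    current = validate_query_params(params)
    for _ in range(max_pages):
        page = fetch(current)
        yield from page.get("results", [])
        next_url = (page.get("link") or {}).get("next")
        next_page = parse_qs(urlparse(next_url or "").query).get("page", [""])[0]
        if not next_page.isdigit() or int(next_page) <= current["page"]:
            return
        current = dict(current, page=int(next_page))


# Constructed sample responses (two pages) in the shape of the response table below.
SAMPLE_PAGES = {
    1: {"link": {"previous": None,
                 "next": "https://respond.example/api/incidents/?page=2&page_size=2"},
        "count": 3, "results": [{"readable_id": "INC101"}, {"readable_id": "INC102"}]},
    2: {"link": {"previous": "https://respond.example/api/incidents/?page=1&page_size=2",
                 "next": None},
        "count": 3, "results": [{"readable_id": "INC103"}]},
}


def sample_fetch(query_params):
    """Stand-in for the HTTP call, serving the constructed pages by page number."""
    return SAMPLE_PAGES[query_params["page"]]
```

Running `list(iter_incidents(sample_fetch, {"status": "open", "page_size": 2}))` walks both constructed pages and returns the three incidents in order.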

Action Response Parameters

Each parameter is listed with its type and a description.

link (JSON Object): This parameter may include the following keys:
  • previous: The API endpoint of the previous page of the response.
  • next: The API endpoint of the next page of the response.

count (Integer): Total number of incidents in the CFTR application that match the applied filters.

results (Array of JSON Objects): List of incident details. Each object provides the details of one incident.

results[x].unique_id (String): Unique ID of the incident in UUID-4 format.

results[x].readable_id (String): Unique readable ID of the incident. It starts with INC followed by a unique number.

results[x].created (String): Incident creation date and time in epoch format.

results[x].description (String): Description of the incident.

results[x].modified (String): Date and time when the incident was last updated.

results[x].title (String): Title of the incident.

results[x].machine_generated (Boolean): true when the incident was generated using the CFTR OpenAPI (machine generated); false when the incident was created manually.

results[x].status (String): Current status of the incident. Possible values: open, closed, untriaged, merged.

results[x].closed_on (String): Date and time when the incident was closed. If the incident is not closed, the value of this parameter is null.

results[x].title_display (String): Title of the incident.

results[x].is_protected (Boolean): Returns true if the incident is marked as protected.

results[x].level (String): Severity level of the incident.

results[x].phase (String): Current phase of the incident.

results[x].is_paused (Boolean): Returns true if the incident is paused.

results[x].opened_on (String): Date and time when the incident was opened. If the incident is not opened yet, the value of this parameter is null.

results[x].assignment_sla (JSON Object): Assignment SLA details of the incident. It has two keys:
  • color: Associated color code (according to SLA breach level).
  • data: It has two keys:
    • sla_duration: SLA breach time.
    • elapsed_time: Time elapsed between incident opening and SLA completion.

results[x].resolution_sla (JSON Object): Resolution SLA details of the incident. It has two keys:
  • color: Associated color code (according to SLA breach level).
  • data: It has two keys:
    • sla_duration: SLA breach time.
    • elapsed_time: Time elapsed between incident opening and SLA completion.

results[x].is_bookmarked (Boolean): Shows whether the incident is bookmarked.

results[x].resolution_due_date (Timestamp): Resolution SLA breach date of the incident.

results[x].opened_by_data (JSON Object): Details of the user who opened the incident: username, email, first_name, last_name, and user_id.

results[x].parent_data (JSON Object): Details of the parent incident if the incident is merged: title, unique_id, and readable_id.

results[x].modified_by_data (JSON Object): Details of the user who last updated the incident: username, email, first_name, last_name, and user_id.

results[x].assigned_group_data (JSON Object): Details of the assigned user group: group name and group ID.

results[x].created_by_data (JSON Object): Details of the user who created the incident: username, email, first_name, last_name, and user_id.

results[x].assigned_to_data (JSON Object): Details of the assigned user: username, email, first_name, last_name, and user_id.

results[x].labels_data (Array of JSON Objects): Details of the labels added to the incident: title, unique_id, color_code, and more.

results[x].business_units_impacted_data (JSON Object): Details of the business unit impacted by the incident: title and unique_id of the business unit.

results[x].locations_impacted_data (Array of JSON Objects): Details of the locations impacted by the incident: title and unique_id.

results[x].phase_data (JSON Object): Details of the current phase of the incident:
  • option_name: The name of the phase.
  • unique_id: Unique ID of the phase.

results[x].ie_incident_type_data (JSON Object): Details of the incident type associated with the incident: option_name, unique_id, and more.

results[x].ie_incident_type (String): Incident type associated with the incident.

results[x].level_data (JSON Object): Details of the severity level of the incident: option_name, unique_id, and more.

results[x].kill_chain_phase (String): Current kill chain phase of the incident.

results[x].kill_chain_phase_data (JSON Object): Details of the kill chain phase of the incident: unique_id, option_name, and more.

results[x].ie_motives_data (Array of JSON Objects): Details of the motivations of the incident: unique_id, option_name, and more.

results[x].ie_motives (Array): List of motivations of the incident.

results[x].applicable_compliance_data (Array of JSON Objects): Details of the compliance standards applicable to the incident: unique_id, option_name, and more.

results[x].applicable_compliance (Array): List of compliance standards applicable to the incident.

results[x].ie_root_cause_data (JSON Object): Details of the root cause of the incident.

results[x].ie_root_cause (String): Root cause of the incident.

Action: Update Incident Details

This action updates the details of an incident.

Action Input Parameters

Each parameter is listed with its field type and whether it is required or optional.

Incident ID (Text, Optional)
  • Enter the unique ID of an incident. Example: p53ff8942-612d-4bc1-b54f-d8195c002404
  • You can retrieve the list of incidents and their IDs using the action List Incidents.
  • Note: If you enter both Incident ID and Readable Incident ID, Readable Incident ID takes precedence.

Readable Incident ID (Text, Optional)
  • Enter the ID of the incident in readable format. Example: INC140
  • You can retrieve the list of incidents and their readable IDs using the action List Incidents.
  • Note: If you enter both Incident ID and Readable Incident ID, Readable Incident ID takes precedence.

Incident Status (Text, Optional)
  • Enter the status of the incident. Example: merged
  • Allowed values: untriaged, open, closed, merged

Incident Phase (Text, Optional)
  • Enter the phase of the incident. Example: recovery
  • Allowed values: detection analysis, containment, investigation and eradication, recovery, closure

Readable Type (Boolean, Optional)
  • Select true to enter readable type values. This allows you to update incidents using the values of locations, business units, sources, and assigned groups, and the email IDs of assigned users.
  • Default value: false

Title (Text, Optional)
  • Enter a title for the incident.

Business Units Impacted (Text, Optional)
  • Enter the unique ID of the impacted business unit. Example: 728277db-83be-4108-a8d7-e52c5deefc2c

Locations Impacted (List, Optional)
  • Enter one or more unique IDs of the impacted locations. Example: $LIST[fc6c98ae-6995-4cc3-80b8-21ebdec648d9,671961e6-0119-460c-8d55-9b697f6e2d6e]

Assigned Group (Text, Optional)
  • Enter the unique ID of the user group to which the incident is assigned. Example: h53ff8942-612d-4bc1-b54f-d8195c002404
  • Note: If you update Assigned Group, you must also enter the Handoff Description and Handoff Comment Type parameters.

Description (Text, Optional)
  • Enter a description that best describes the key details of the incident. Example: Sample Description

Handoff Description (Text, Optional)
  • Enter the handoff description when updating Assigned Group or Assigned Users for an incident. If you provide a handoff description, you must also specify the handoff comment type, and vice versa. Example: updating assignee

Handoff Comment Type (Text, Optional)
  • Enter the type of comment when updating Assigned Group or Assigned Users for an incident. If you provide a comment type, you must also specify the handoff description, and vice versa. Example: handoff

Additional Information (Key Value, Optional)
  • Enter other incident details to update, as key-value pairs. Example: labels: Important

Example Request 

[
  {
    "phase": "Detection Analysis",
    "title": "Sample Incident Title",
    "status": "open",
    "unique_id": "5e0fef7a-5460-4d56-a008-7f24673d713c",
    "incident_id": "INC140",
    "description": "This is a sample description",
    "comment_type": "handoff",
    "extra_fields": {},
    "readable_type": false,
    "assigned_group": "cde925f0-a6a4-464d-b6a1-9727178d10ee",
    "locations_impacted": [
      "e02447d4-9b47-44de-ae4f-d810dfe72770",
      "fc6c98ae-6995-4cc3-80b8-21ebdec648d9"
    ],
    "handoff_description": "updating assignee",
    "business_units_impacted": [
      "c24ab8cd-df74-4192-bd16-b135353486dd"
    ]
  }
]
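The following is an added example, not code from the connector or from Cyware, of building an Update Incident Details body that enforces the rules stated in the parameter table: at least one of the two incident IDs, the allowed status and phase values, the handoff description and comment type travelling together, and both being present whenever the assigned group changes. The helper names and the INC<number> pattern check are this example's assumptions; field names and sample IDs come from the page.

```python
"""Build and check an Update Incident Details request body for the Respond (CFTR) connector.

Added example, not the connector's own code. Field names, allowed values and the rules
about IDs and handoff fields come from the parameter table; the helper names and the
INC<number> pattern check are this example's assumptions.
"""
import re

ALLOWED_STATUS = {"untriaged", "open", "closed", "merged"}
ALLOWED_PHASES = {"detection analysis", "containment",
                  "investigation and eradication", "recovery", "closure"}
READABLE_ID = re.compile(r"^INC\d+$")  # readable IDs look like INC140


class UpdateError(ValueError):
    """A request the table's constraints would reject, caught before it is sent."""


def build_update_incident(unique_id=None, incident_id=None, status=None, phase=None,
                          title=None, description=None, assigned_group=None,
                          business_units=(), locations=(), handoff_description=None,
                          comment_type=None, extra_fields=None, readable_type=False):
    """Return the request body in the shape of the Example Request: a one-element list."""
    if not unique_id and not incident_id:
        raise UpdateError("either unique_id or incident_id (the readable ID) is required")
    body = {"readable_type": bool(readable_type), "extra_fields": dict(extra_fields or {})}
    if incident_id:
        if not READABLE_ID.match(str(incident_id)):
            raise UpdateError(f"incident_id {incident_id!r} is not of the form INC<number>")
        body["incident_id"] = incident_id  # takes precedence over unique_id when both are sent
    if unique_id:
        body["unique_id"] = unique_id
    if status is not None:
        if str(status).lower() not in ALLOWED_STATUS:
            raise UpdateError(f"status must be one of {sorted(ALLOWED_STATUS)}")
        body["status"] = str(status).lower()
    if phase is not None:
        # The Example Request sends "Detection Analysis", so compare case-insensitively.
        if str(phase).lower() not in ALLOWED_PHASES:
            raise UpdateError(f"phase must be one of {sorted(ALLOWED_PHASES)}")
        body["phase"] = phase
    # Handoff fields travel together, and reassigning the group requires both of them.
    if bool(handoff_description) != bool(comment_type):
        raise UpdateError("handoff_description and comment_type must be given together")
    if assigned_group and not handoff_description:
        raise UpdateError("updating assigned_group requires handoff_description and comment_type")
    for field, value in (("title", title), ("description", description),
                         ("assigned_group", assigned_group),
                         ("handoff_description", handoff_description),
                         ("comment_type", comment_type)):
        if value:
            body[field] = value
    if business_units:
        body["business_units_impacted"] = list(business_units)
    if locations:
        body["locations_impacted"] = list(locations)
    return [body]


def update_error(**kwargs):
    """Return the validation message for the given fields, or "" when they are valid."""
    try:
        build_update_incident(**kwargs)
    except UpdateError as err:
        return str(err)
    return ""
```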

Action Response Parameters

Each parameter is listed with its type and a description.

{app_instance} (JSON Object): This parameter indicates the ID of the instance configured in Orchestrate from which the response is retrieved.

app_instance.response (JSON Object): Returns the response retrieved from the app action.

app_instance.response.modified_by_data (JSON Object): Details of the user who last modified the incident.

app_instance.response.modified (String): Date and time when the incident was last updated.

app_instance.response.update_index (Integer): Update index of the incident.

app_instance.status_code (Integer): HTTP status code of the API request received from the instance.