List available actions for an observable - Cisco XDR APIs

{"type":"api","title":"List available actions for an observable","meta":{"id":"/apps/pubhub/media/cisco-xdr-api-docs/fa9197522b1e6452b6dbfc472555dcc7ceeb71bd/e9fbb387-4438-3b4b-b9f2-c8cb296686dc","info":{"title":"IROH-INT Response","description":"Manage Response from modules","contact":{"name":"Cisco Security Business Group -- Advanced Threat","email":"cisco-intel-api-support@cisco.com"},"license":{"name":"All Rights Reserved","url":"https://www.cisco.com"},"version":"1.0.107"},"security":[{"oAuth2":["integration:read","private-intel:read","profile:read","inspect:read","users:read","invite:read","enrich:read","oauth:read","response:read","global-intel:read","ao:read","playbook:read"]}],"tags":[{"name":"Response","description":"IROH Response"}],"x-parser-conf":{"serverConfig":"select","overview":{"markdownPath":"reference/response/overview.md","uri":"response-api-guide"},"disableAuthEditing":true,"exampleAsDefault":true,"oAuth2":{"clientId":"client-546e34fc-c6bf-4951-ac69-f6d7987a7814","clientSecret":"MYw4_E_tBdFwUwrX6WFYKVD5LQrG2k7XrJ5J046wWE0s1gAKCxJ8VA","proxyEnabled":false},"meta":{"useProxy":true}},"openapi":"3.0.1","servers":[{"url":"https://visibility.amp.cisco.com"}],"securitySchemes":{"oAuth2":{"type":"oauth2","flows":{"clientCredentials":{"tokenUrl":"https://visibility.amp.cisco.com/iroh/oauth2/token","scopes":{"telemetry":"Collect application data for analytics","integration:read":"Manage your modules","private-intel:read":"Access Private Intelligence","admin":"Provide admin privileges","cognitive":"Cognitive Integration","profile:read":"Get your profile information","inspect:read":"Extract Observables and data from text","asset":"Access and modify your assets","event":"Read IROH Events","feedback":"Submit Customer Feedback","sse":"SSE Integration. Manage your Devices.","registry":"Manage registry entries","users:read":"Manage users of your organization","investigation":"Perform threat analysis investigation","invite:read":"Invite users into your organization","casebook":"Access and modify your casebooks","playbook":"Access and modify your playbooks","orbital":"Orbital Integration.","enrich:read":"Query your configured modules for threat intelligence","oauth:read":"Manage OAuth2 Clients","vault":"Grants access to Module Vaults","response:read":"List and execute response actions using configured modules","notification":"Receive notifications from integrations","global-intel:read":"Access AMP Global Intelligence","webhook":"Manage your Webhooks","ao:read":"AO Integration."}}}}}},"spec":{"tags":["Response"],"summary":"List available actions for an observable","description":"[required scopes](/iroh/doc/iroh-auth/#scopes): `response/observables:read`\n\n","parameters":[{"name":"params","in":"query","allowEmptyValue":true,"schema":{"type":"string"}}],"requestBody":{"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.","content":{"application/json":{"schema":{"type":"array","description":"a list of observables","items":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable"}}},"application/x-yaml":{"schema":{"type":"array","description":"a list of observables","items":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable"}}},"application/edn":{"schema":{"type":"array","description":"a list of observables","items":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable"}}},"application/transit+json":{"schema":{"type":"array","description":"a list of observables","items":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable"}}},"application/transit+msgpack":{"schema":{"type":"array","description":"a list of observables","items":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable"}}}},"required":true},"responses":{"200":{"description":"","content":{"application/json":{"schema":{"type":"object","properties":{"data":{"type":"array","items":{"required":["description","id","module","module_instance_id","module_type_id","title","url"],"type":"object","properties":{"description":{"type":"string"},"module_instance_state":{"type":"string"},"module_type_id":{"type":"string"},"title":{"type":"string"},"module":{"type":"string"},"categories":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"id":{"type":"string"},"url":{"type":"string"},"module_instance_id":{"type":"string"}},"additionalProperties":false,"$$ref":"#/components/schemas/Action"}},"errors":{"type":"array","items":{"required":["code","message","module_instance_id","module_type_id","type"],"type":"object","properties":{"module_instance_id":{"type":"string"},"module_type_id":{"type":"string"},"module_instance_state":{"type":"string"},"code":{"type":"string"},"message":{"type":"string"},"type":{"type":"string","enum":["fatal","warning","error"]},"module":{"type":"string"}},"additionalProperties":false,"$$ref":"#/components/schemas/ErrorMessage"}}},"additionalProperties":false,"$$ref":"#/components/schemas/EnvelopedActions"}},"application/x-yaml":{"schema":{"type":"object","properties":{"data":{"type":"array","items":{"required":["description","id","module","module_instance_id","module_type_id","title","url"],"type":"object","properties":{"description":{"type":"string"},"module_instance_state":{"type":"string"},"module_type_id":{"type":"string"},"title":{"type":"string"},"module":{"type":"string"},"categories":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"id":{"type":"string"},"url":{"type":"string"},"module_instance_id":{"type":"string"}},"additionalProperties":false,"$$ref":"#/components/schemas/Action"}},"errors":{"type":"array","items":{"required":["code","message","module_instance_id","module_type_id","type"],"type":"object","properties":{"module_instance_id":{"type":"string"},"module_type_id":{"type":"string"},"module_instance_state":{"type":"string"},"code":{"type":"string"},"message":{"type":"string"},"type":{"type":"string","enum":["fatal","warning","error"]},"module":{"type":"string"}},"additionalProperties":false,"$$ref":"#/components/schemas/ErrorMessage"}}},"additionalProperties":false,"$$ref":"#/components/schemas/EnvelopedActions"}},"application/edn":{"schema":{"type":"object","properties":{"data":{"type":"array","items":{"required":["description","id","module","module_instance_id","module_type_id","title","url"],"type":"object","properties":{"description":{"type":"string"},"module_instance_state":{"type":"string"},"module_type_id":{"type":"string"},"title":{"type":"string"},"module":{"type":"string"},"categories":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"id":{"type":"string"},"url":{"type":"string"},"module_instance_id":{"type":"string"}},"additionalProperties":false,"$$ref":"#/components/schemas/Action"}},"errors":{"type":"array","items":{"required":["code","message","module_instance_id","module_type_id","type"],"type":"object","properties":{"module_instance_id":{"type":"string"},"module_type_id":{"type":"string"},"module_instance_state":{"type":"string"},"code":{"type":"string"},"message":{"type":"string"},"type":{"type":"string","enum":["fatal","warning","error"]},"module":{"type":"string"}},"additionalProperties":false,"$$ref":"#/components/schemas/ErrorMessage"}}},"additionalProperties":false,"$$ref":"#/components/schemas/EnvelopedActions"}},"application/transit+json":{"schema":{"type":"object","properties":{"data":{"type":"array","items":{"required":["description","id","module","module_instance_id","module_type_id","title","url"],"type":"object","properties":{"description":{"type":"string"},"module_instance_state":{"type":"string"},"module_type_id":{"type":"string"},"title":{"type":"string"},"module":{"type":"string"},"categories":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"id":{"type":"string"},"url":{"type":"string"},"module_instance_id":{"type":"string"}},"additionalProperties":false,"$$ref":"#/components/schemas/Action"}},"errors":{"type":"array","items":{"required":["code","message","module_instance_id","module_type_id","type"],"type":"object","properties":{"module_instance_id":{"type":"string"},"module_type_id":{"type":"string"},"module_instance_state":{"type":"string"},"code":{"type":"string"},"message":{"type":"string"},"type":{"type":"string","enum":["fatal","warning","error"]},"module":{"type":"string"}},"additionalProperties":false,"$$ref":"#/components/schemas/ErrorMessage"}}},"additionalProperties":false,"$$ref":"#/components/schemas/EnvelopedActions"}},"application/transit+msgpack":{"schema":{"type":"object","properties":{"data":{"type":"array","items":{"required":["description","id","module","module_instance_id","module_type_id","title","url"],"type":"object","properties":{"description":{"type":"string"},"module_instance_state":{"type":"string"},"module_type_id":{"type":"string"},"title":{"type":"string"},"module":{"type":"string"},"categories":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"id":{"type":"string"},"url":{"type":"string"},"module_instance_id":{"type":"string"}},"additionalProperties":false,"$$ref":"#/components/schemas/Action"}},"errors":{"type":"array","items":{"required":["code","message","module_instance_id","module_type_id","type"],"type":"object","properties":{"module_instance_id":{"type":"string"},"module_type_id":{"type":"string"},"module_instance_state":{"type":"string"},"code":{"type":"string"},"message":{"type":"string"},"type":{"type":"string","enum":["fatal","warning","error"]},"module":{"type":"string"}},"additionalProperties":false,"$$ref":"#/components/schemas/ErrorMessage"}}},"additionalProperties":false,"$$ref":"#/components/schemas/EnvelopedActions"}}}}},"x-no-doc":false,"x-codegen-request-body-name":"Observable","security":[{"oAuth2":["integration:read","private-intel:read","profile:read","inspect:read","users:read","invite:read","enrich:read","oauth:read","response:read","global-intel:read","ao:read","playbook:read"]}],"method":"post","path":"/iroh/iroh-response/respond/observables"}}