Recommend actions for an incident - Cisco XDR APIs

{"type":"api","title":"Recommend actions for an incident","meta":{"id":"/apps/pubhub/media/cisco-xdr-api-docs/f4e065ff5977829c89df289df08411f83205f526/f4d118ae-a2d7-3c4b-98c4-c1e55e1f5e68","info":{"title":"Conure v2","description":"Cisco XDR Incidents and Investigation API","contact":{"name":"Cisco Security Business Group -- Advanced Threat","email":"cisco-intel-api-support@cisco.com"},"license":{"name":"All Rights Reserved","url":"https://www.cisco.com"},"version":"51-1-6bee0d16"},"security":[{"oAuth2":["integration:read","private-intel:read","profile:read","inspect:read","users:read","invite:read","enrich:read","oauth:read","response:read","global-intel:read","ao:read"]}],"x-parser-conf":{"serverConfig":"select","overview":{"markdownPath":"reference/conure/overview.md","uri":"incidents-and-investigations-api-guide"},"disableAuthEditing":true,"exampleAsDefault":true,"oAuth2":{"clientId":"client-546e34fc-c6bf-4951-ac69-f6d7987a7814","clientSecret":"MYw4_E_tBdFwUwrX6WFYKVD5LQrG2k7XrJ5J046wWE0s1gAKCxJ8VA","proxyEnabled":false},"meta":{"useProxy":true}},"openapi":"3.0.1","servers":[{"url":"https://conure.us.security.cisco.com/{basePath}","variables":{"basePath":{"default":""}}}],"securitySchemes":{"oAuth2":{"type":"oauth2","flows":{"clientCredentials":{"tokenUrl":"https://visibility.amp.cisco.com/iroh/oauth2/token","scopes":{"telemetry":"Collect application data for analytics","integration:read":"Manage your modules","private-intel:read":"Access Private Intelligence","admin":"Provide admin privileges","cognitive":"Cognitive Integration","profile:read":"Get your profile information","inspect:read":"Extract Observables and data from text","asset":"Access and modify your assets","event":"Read IROH Events","feedback":"Submit Customer Feedback","sse":"SSE Integration. Manage your Devices.","registry":"Manage registry entries","users:read":"Manage users of your organization","investigation":"Perform threat analysis investigation","invite:read":"Invite users into your organization","casebook":"Access and modify your casebooks","orbital":"Orbital Integration.","enrich:read":"Query your configured modules for threat intelligence","oauth:read":"Manage OAuth2 Clients","vault":"Grants access to Module Vaults","response:read":"List and execute response actions using configured modules","notification":"Receive notifications from integrations","vglobal-intel:read":"Access AMP Global Intelligence","webhook":"Manage your Webhooks","ao:read":"AO Integration."}}}}}},"spec":{"tags":["Incident"],"summary":"Recommend actions for an incident.","parameters":[{"name":"incident-id","description":"The short-id for an incident, e.g. incident-64322795-2xx5-49bd-8d0b-106680ae434a.","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"","content":{"application/json":{"schema":{"required":["available_actions","completed_actions","errored_actions","incident","incident_id","running_actions"],"type":"object","properties":{"incident":{"required":["confidence","groups","id","incident_time","schema_version","status","type"],"type":"object","properties":{"assignees":{"type":"array","items":{"type":"string"}},"categories":{"type":"array","items":{"type":"string","enum":["Attrition","Denial of Service","Exercise","Exercise/Network Defense Testing","Explained Anomaly","Forensics","Improper Usage","Intelligence","Investigating","Investigation","Malicious Code","Malicious Logic","Non-Compliant","Reconnaissance","Root Level","Scans/Probes/Attempted Access","Unauthorized Access","Unsuccessful","User Level","eDiscovery"]}},"confidence":{"type":"string","enum":["High","Info","Low","Medium","None","Unknown"]},"discovery_method":{"type":"string","enum":["SecureX Threat Hunting","Agent Disclosure","Antivirus","Audit","Customer","External - Fraud Detection","Financial Audit","HIPS","IT Audit","Incident Response","Internal - Fraud Detection","Law Enforcement","Log Review","Monitoring Service","NIDS","Security Alarm","Unknown","Unrelated Party","User"]},"incident_time":{"required":["opened"],"type":"object","properties":{"opened":{"type":"string"},"closed":{"type":"string"},"discovered":{"type":"string"},"rejected":{"type":"string"},"remediated":{"type":"string"},"reported":{"type":"string"}}},"intended_effect":{"type":"string","enum":["Account Takeover","Advantage","Advantage - Economic","Advantage - Military","Advantage - Political","Brand Damage","Competitive Advantage","Degradation of Service","Denial and Deception","Destruction","Disruption","Embarrassment","Exposure","Extortion","Fraud","Harassment","ICS Control","Theft","Theft - Credential Theft","Theft - Identity Theft","Theft - Intellectual Property","Theft - Theft of Proprietary Information","Traffic Diversion","Unauthorized Access"]},"meta":{"type":"object","properties":{"ai_description":{"type":"boolean"}}},"promotion_method":{"type":"string","enum":["Automated","Manual"]},"scores":{"type":"object","properties":{"asset":{"maximum":10,"minimum":0,"type":"integer","format":"int64"},"global":{"maximum":1000,"minimum":0,"type":"integer","format":"int64"},"ttp":{"maximum":100,"minimum":0,"type":"integer","format":"int64"}}},"severity":{"type":"string","enum":["Critical","High","Info","Low","Medium","None","Unknown"]},"status":{"type":"string","enum":["Closed","Closed: Confirmed Threat","Closed: False Positive","Closed: Near-Miss","Closed: Other","Closed: Suspected","Closed: Under Review","Containment Achieved","Hold","Hold: External","Hold: Internal","Hold: Legal","Incident Reported","New","New: Presented","New: Processing","Open","Open: Contained","Open: Investigating","Open: Recovered","Open: Reported","Rejected","Restoration Achieved","Stalled"]},"tactics":{"type":"array","items":{"type":"string"}},"techniques":{"type":"array","items":{"type":"string"}},"description":{"type":"string"},"short_description":{"type":"string"},"source":{"type":"string"},"source_uri":{"type":"string"},"title":{"type":"string"},"language":{"type":"string"},"external_references":{"type":"array","items":{"required":["source_name"],"type":"object","properties":{"source_name":{"type":"string"},"hashes":{"type":"array","items":{"type":"string"}},"url":{"type":"string"},"description":{"type":"string"},"external_id":{"type":"string"}}}},"external_ids":{"type":"array","items":{"type":"string"}},"tlp":{"type":"string","enum":["amber","green","red","white"]},"id":{"type":"string"},"client_id":{"type":"string"},"modified":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]},"created":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]},"owner":{"type":"string","nullable":true,"x-anyOf":[{"type":"string"},{"type":"boolean"}]},"groups":{"type":"array","items":{"type":"string"}},"schema_version":{"type":"string"},"revision":{"minimum":0,"type":"integer","format":"int64"},"type":{"type":"string","enum":["incident"]},"timestamp":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]}}},"incident_id":{"type":"string","example":"incident-0a38949f-d192-4d30-91ae-e593c1f57c14"},"available_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"completed_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"running_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"errored_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}}}}},"application/transit+msgpack":{"schema":{"required":["available_actions","completed_actions","errored_actions","incident","incident_id","running_actions"],"type":"object","properties":{"incident":{"required":["confidence","groups","id","incident_time","schema_version","status","type"],"type":"object","properties":{"assignees":{"type":"array","items":{"type":"string"}},"categories":{"type":"array","items":{"type":"string","enum":["Attrition","Denial of Service","Exercise","Exercise/Network Defense Testing","Explained Anomaly","Forensics","Improper Usage","Intelligence","Investigating","Investigation","Malicious Code","Malicious Logic","Non-Compliant","Reconnaissance","Root Level","Scans/Probes/Attempted Access","Unauthorized Access","Unsuccessful","User Level","eDiscovery"]}},"confidence":{"type":"string","enum":["High","Info","Low","Medium","None","Unknown"]},"discovery_method":{"type":"string","enum":["SecureX Threat Hunting","Agent Disclosure","Antivirus","Audit","Customer","External - Fraud Detection","Financial Audit","HIPS","IT Audit","Incident Response","Internal - Fraud Detection","Law Enforcement","Log Review","Monitoring Service","NIDS","Security Alarm","Unknown","Unrelated Party","User"]},"incident_time":{"required":["opened"],"type":"object","properties":{"opened":{"type":"string"},"closed":{"type":"string"},"discovered":{"type":"string"},"rejected":{"type":"string"},"remediated":{"type":"string"},"reported":{"type":"string"}}},"intended_effect":{"type":"string","enum":["Account Takeover","Advantage","Advantage - Economic","Advantage - Military","Advantage - Political","Brand Damage","Competitive Advantage","Degradation of Service","Denial and Deception","Destruction","Disruption","Embarrassment","Exposure","Extortion","Fraud","Harassment","ICS Control","Theft","Theft - Credential Theft","Theft - Identity Theft","Theft - Intellectual Property","Theft - Theft of Proprietary Information","Traffic Diversion","Unauthorized Access"]},"meta":{"type":"object","properties":{"ai_description":{"type":"boolean"}}},"promotion_method":{"type":"string","enum":["Automated","Manual"]},"scores":{"type":"object","properties":{"asset":{"maximum":10,"minimum":0,"type":"integer","format":"int64"},"global":{"maximum":1000,"minimum":0,"type":"integer","format":"int64"},"ttp":{"maximum":100,"minimum":0,"type":"integer","format":"int64"}}},"severity":{"type":"string","enum":["Critical","High","Info","Low","Medium","None","Unknown"]},"status":{"type":"string","enum":["Closed","Closed: Confirmed Threat","Closed: False Positive","Closed: Near-Miss","Closed: Other","Closed: Suspected","Closed: Under Review","Containment Achieved","Hold","Hold: External","Hold: Internal","Hold: Legal","Incident Reported","New","New: Presented","New: Processing","Open","Open: Contained","Open: Investigating","Open: Recovered","Open: Reported","Rejected","Restoration Achieved","Stalled"]},"tactics":{"type":"array","items":{"type":"string"}},"techniques":{"type":"array","items":{"type":"string"}},"description":{"type":"string"},"short_description":{"type":"string"},"source":{"type":"string"},"source_uri":{"type":"string"},"title":{"type":"string"},"language":{"type":"string"},"external_references":{"type":"array","items":{"required":["source_name"],"type":"object","properties":{"source_name":{"type":"string"},"hashes":{"type":"array","items":{"type":"string"}},"url":{"type":"string"},"description":{"type":"string"},"external_id":{"type":"string"}}}},"external_ids":{"type":"array","items":{"type":"string"}},"tlp":{"type":"string","enum":["amber","green","red","white"]},"id":{"type":"string"},"client_id":{"type":"string"},"modified":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]},"created":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]},"owner":{"type":"string","nullable":true,"x-anyOf":[{"type":"string"},{"type":"boolean"}]},"groups":{"type":"array","items":{"type":"string"}},"schema_version":{"type":"string"},"revision":{"minimum":0,"type":"integer","format":"int64"},"type":{"type":"string","enum":["incident"]},"timestamp":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]}}},"incident_id":{"type":"string","example":"incident-0a38949f-d192-4d30-91ae-e593c1f57c14"},"available_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"completed_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"running_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"errored_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}}}}},"application/transit+json":{"schema":{"required":["available_actions","completed_actions","errored_actions","incident","incident_id","running_actions"],"type":"object","properties":{"incident":{"required":["confidence","groups","id","incident_time","schema_version","status","type"],"type":"object","properties":{"assignees":{"type":"array","items":{"type":"string"}},"categories":{"type":"array","items":{"type":"string","enum":["Attrition","Denial of Service","Exercise","Exercise/Network Defense Testing","Explained Anomaly","Forensics","Improper Usage","Intelligence","Investigating","Investigation","Malicious Code","Malicious Logic","Non-Compliant","Reconnaissance","Root Level","Scans/Probes/Attempted Access","Unauthorized Access","Unsuccessful","User Level","eDiscovery"]}},"confidence":{"type":"string","enum":["High","Info","Low","Medium","None","Unknown"]},"discovery_method":{"type":"string","enum":["SecureX Threat Hunting","Agent Disclosure","Antivirus","Audit","Customer","External - Fraud Detection","Financial Audit","HIPS","IT Audit","Incident Response","Internal - Fraud Detection","Law Enforcement","Log Review","Monitoring Service","NIDS","Security Alarm","Unknown","Unrelated Party","User"]},"incident_time":{"required":["opened"],"type":"object","properties":{"opened":{"type":"string"},"closed":{"type":"string"},"discovered":{"type":"string"},"rejected":{"type":"string"},"remediated":{"type":"string"},"reported":{"type":"string"}}},"intended_effect":{"type":"string","enum":["Account Takeover","Advantage","Advantage - Economic","Advantage - Military","Advantage - Political","Brand Damage","Competitive Advantage","Degradation of Service","Denial and Deception","Destruction","Disruption","Embarrassment","Exposure","Extortion","Fraud","Harassment","ICS Control","Theft","Theft - Credential Theft","Theft - Identity Theft","Theft - Intellectual Property","Theft - Theft of Proprietary Information","Traffic Diversion","Unauthorized Access"]},"meta":{"type":"object","properties":{"ai_description":{"type":"boolean"}}},"promotion_method":{"type":"string","enum":["Automated","Manual"]},"scores":{"type":"object","properties":{"asset":{"maximum":10,"minimum":0,"type":"integer","format":"int64"},"global":{"maximum":1000,"minimum":0,"type":"integer","format":"int64"},"ttp":{"maximum":100,"minimum":0,"type":"integer","format":"int64"}}},"severity":{"type":"string","enum":["Critical","High","Info","Low","Medium","None","Unknown"]},"status":{"type":"string","enum":["Closed","Closed: Confirmed Threat","Closed: False Positive","Closed: Near-Miss","Closed: Other","Closed: Suspected","Closed: Under Review","Containment Achieved","Hold","Hold: External","Hold: Internal","Hold: Legal","Incident Reported","New","New: Presented","New: Processing","Open","Open: Contained","Open: Investigating","Open: Recovered","Open: Reported","Rejected","Restoration Achieved","Stalled"]},"tactics":{"type":"array","items":{"type":"string"}},"techniques":{"type":"array","items":{"type":"string"}},"description":{"type":"string"},"short_description":{"type":"string"},"source":{"type":"string"},"source_uri":{"type":"string"},"title":{"type":"string"},"language":{"type":"string"},"external_references":{"type":"array","items":{"required":["source_name"],"type":"object","properties":{"source_name":{"type":"string"},"hashes":{"type":"array","items":{"type":"string"}},"url":{"type":"string"},"description":{"type":"string"},"external_id":{"type":"string"}}}},"external_ids":{"type":"array","items":{"type":"string"}},"tlp":{"type":"string","enum":["amber","green","red","white"]},"id":{"type":"string"},"client_id":{"type":"string"},"modified":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]},"created":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]},"owner":{"type":"string","nullable":true,"x-anyOf":[{"type":"string"},{"type":"boolean"}]},"groups":{"type":"array","items":{"type":"string"}},"schema_version":{"type":"string"},"revision":{"minimum":0,"type":"integer","format":"int64"},"type":{"type":"string","enum":["incident"]},"timestamp":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]}}},"incident_id":{"type":"string","example":"incident-0a38949f-d192-4d30-91ae-e593c1f57c14"},"available_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"completed_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"running_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"errored_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}}}}},"application/edn":{"schema":{"required":["available_actions","completed_actions","errored_actions","incident","incident_id","running_actions"],"type":"object","properties":{"incident":{"required":["confidence","groups","id","incident_time","schema_version","status","type"],"type":"object","properties":{"assignees":{"type":"array","items":{"type":"string"}},"categories":{"type":"array","items":{"type":"string","enum":["Attrition","Denial of Service","Exercise","Exercise/Network Defense Testing","Explained Anomaly","Forensics","Improper Usage","Intelligence","Investigating","Investigation","Malicious Code","Malicious Logic","Non-Compliant","Reconnaissance","Root Level","Scans/Probes/Attempted Access","Unauthorized Access","Unsuccessful","User Level","eDiscovery"]}},"confidence":{"type":"string","enum":["High","Info","Low","Medium","None","Unknown"]},"discovery_method":{"type":"string","enum":["SecureX Threat Hunting","Agent Disclosure","Antivirus","Audit","Customer","External - Fraud Detection","Financial Audit","HIPS","IT Audit","Incident Response","Internal - Fraud Detection","Law Enforcement","Log Review","Monitoring Service","NIDS","Security Alarm","Unknown","Unrelated Party","User"]},"incident_time":{"required":["opened"],"type":"object","properties":{"opened":{"type":"string"},"closed":{"type":"string"},"discovered":{"type":"string"},"rejected":{"type":"string"},"remediated":{"type":"string"},"reported":{"type":"string"}}},"intended_effect":{"type":"string","enum":["Account Takeover","Advantage","Advantage - Economic","Advantage - Military","Advantage - Political","Brand Damage","Competitive Advantage","Degradation of Service","Denial and Deception","Destruction","Disruption","Embarrassment","Exposure","Extortion","Fraud","Harassment","ICS Control","Theft","Theft - Credential Theft","Theft - Identity Theft","Theft - Intellectual Property","Theft - Theft of Proprietary Information","Traffic Diversion","Unauthorized Access"]},"meta":{"type":"object","properties":{"ai_description":{"type":"boolean"}}},"promotion_method":{"type":"string","enum":["Automated","Manual"]},"scores":{"type":"object","properties":{"asset":{"maximum":10,"minimum":0,"type":"integer","format":"int64"},"global":{"maximum":1000,"minimum":0,"type":"integer","format":"int64"},"ttp":{"maximum":100,"minimum":0,"type":"integer","format":"int64"}}},"severity":{"type":"string","enum":["Critical","High","Info","Low","Medium","None","Unknown"]},"status":{"type":"string","enum":["Closed","Closed: Confirmed Threat","Closed: False Positive","Closed: Near-Miss","Closed: Other","Closed: Suspected","Closed: Under Review","Containment Achieved","Hold","Hold: External","Hold: Internal","Hold: Legal","Incident Reported","New","New: Presented","New: Processing","Open","Open: Contained","Open: Investigating","Open: Recovered","Open: Reported","Rejected","Restoration Achieved","Stalled"]},"tactics":{"type":"array","items":{"type":"string"}},"techniques":{"type":"array","items":{"type":"string"}},"description":{"type":"string"},"short_description":{"type":"string"},"source":{"type":"string"},"source_uri":{"type":"string"},"title":{"type":"string"},"language":{"type":"string"},"external_references":{"type":"array","items":{"required":["source_name"],"type":"object","properties":{"source_name":{"type":"string"},"hashes":{"type":"array","items":{"type":"string"}},"url":{"type":"string"},"description":{"type":"string"},"external_id":{"type":"string"}}}},"external_ids":{"type":"array","items":{"type":"string"}},"tlp":{"type":"string","enum":["amber","green","red","white"]},"id":{"type":"string"},"client_id":{"type":"string"},"modified":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]},"created":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]},"owner":{"type":"string","nullable":true,"x-anyOf":[{"type":"string"},{"type":"boolean"}]},"groups":{"type":"array","items":{"type":"string"}},"schema_version":{"type":"string"},"revision":{"minimum":0,"type":"integer","format":"int64"},"type":{"type":"string","enum":["incident"]},"timestamp":{"type":"string","format":"date-time","x-anyOf":[{"type":"string","format":"date-time"},{"type":"string"}]}}},"incident_id":{"type":"string","example":"incident-0a38949f-d192-4d30-91ae-e593c1f57c14"},"available_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"completed_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"running_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}},"errored_actions":{"type":"array","items":{"required":["action","description","id","title","type"],"type":"object","properties":{"type":{"type":"string","enum":["task","ui","continue"]},"action":{"type":"string","enum":["execute","ui_select","continue","redirect"]},"id":{"type":"string"},"is_global":{"type":"boolean"},"task_id":{"type":"string"},"phase_id":{"type":"string"},"phase_title":{"type":"string","description":"Title of the phase.","example":"Identification"},"description":{"type":"string","description":"Description of the action, if this is type `task` it will map to the underlying task description.","example":"Upon analysis, change the incident status to match one of the following definitions:\n- Open - The incident is suspicious, escalated, or requires additional investigation or data for disposition.\n- Rejected - The incident is a false positive and considered an authorized exception.\n- Incident Reported - The incident is confirmed as being malicious, improper usage, or unauthorized activity that violates company policy.\n- Stalled - Data has been requested or the investigation cannot continue due to missing data or lack of clarity.\n\nAfter documenting and notifying, you should move to the containment phase."},"title":{"type":"string","description":"Title of the action.","example":"Confirm Incident"},"select":{"type":"array","description":"The selectable target types to display.","example":["amp_computer_guid"],"items":{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"],"x-anyOf":[{"type":"string","enum":["amp_computer_guid","certificate_common_name","certificate_issuer","certificate_serial","cisco_cm_id","cisco_mid","cisco_uc_id","cortex_agent_id","crowdstrike_id","cybereason_id","device","domain","email","email_messageid","email_subject","file_name","file_path","hostname","imei","imsi","ip","ipv6","mac_address","md5","ms_machine_id","mutex","ngfw_id","ngfw_name","odns_identity","odns_identity_label","orbital_node_id","pki_serial","process_args","process_hash","process_name","process_path","process_username","processor_id","registry_key","registry_name","registry_path","s1_agent_id","serial_number","sha1","sha256","swc_device_id","trend_micro_id","url","user","user_agent"]},{"type":"string"}]}},"url":{"type":"string"}}}}}}}}},"400":{"description":"","content":{"application/json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"object"}}}},"application/transit+msgpack":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"object"}}}},"application/transit+json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"object"}}}},"application/edn":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"object"}}}}}},"401":{"description":"","content":{"application/json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Unauthorized"]}}}},"application/transit+msgpack":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Unauthorized"]}}}},"application/transit+json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Unauthorized"]}}}},"application/edn":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Unauthorized"]}}}}}},"403":{"description":"","content":{"application/json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Forbidden"]}}}},"application/transit+msgpack":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Forbidden"]}}}},"application/transit+json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Forbidden"]}}}},"application/edn":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Forbidden"]}}}}}},"404":{"description":"","content":{"application/json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Not Found"]}}}},"application/transit+msgpack":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Not Found"]}}}},"application/transit+json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Not Found"]}}}},"application/edn":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Not Found"]}}}}}},"405":{"description":"","content":{"application/json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Method Not Allowed"]}}}},"application/transit+msgpack":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Method Not Allowed"]}}}},"application/transit+json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Method Not Allowed"]}}}},"application/edn":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Method Not Allowed"]}}}}}},"406":{"description":"","content":{"application/json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Not Acceptable"]}}}},"application/transit+msgpack":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Not Acceptable"]}}}},"application/transit+json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Not Acceptable"]}}}},"application/edn":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Not Acceptable"]}}}}}},"429":{"description":"","content":{"application/json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Too many requests"]}}}},"application/transit+msgpack":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Too many requests"]}}}},"application/transit+json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Too many requests"]}}}},"application/edn":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["Too many requests"]}}}}}},"500":{"description":"","content":{"application/json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["exception","default exception","sql exception","JSON too large","schema","external_request"]},"exception":{"type":"string","example":"SqlException"},"data":{"type":"object","description":"Any specific error information passed by custom errors.","example":""},"uri":{"type":"string","description":"The URI the error was seen at","example":"/global/v1/incident/?/incident-summary"}}}},"application/transit+msgpack":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["exception","default exception","sql exception","JSON too large","schema","external_request"]},"exception":{"type":"string","example":"SqlException"},"data":{"type":"object","description":"Any specific error information passed by custom errors.","example":""},"uri":{"type":"string","description":"The URI the error was seen at","example":"/global/v1/incident/?/incident-summary"}}}},"application/transit+json":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["exception","default exception","sql exception","JSON too large","schema","external_request"]},"exception":{"type":"string","example":"SqlException"},"data":{"type":"object","description":"Any specific error information passed by custom errors.","example":""},"uri":{"type":"string","description":"The URI the error was seen at","example":"/global/v1/incident/?/incident-summary"}}}},"application/edn":{"schema":{"required":["message"],"type":"object","properties":{"message":{"type":"string","enum":["exception","default exception","sql exception","JSON too large","schema","external_request"]},"exception":{"type":"string","example":"SqlException"},"data":{"type":"object","description":"Any specific error information passed by custom errors.","example":""},"uri":{"type":"string","description":"The URI the error was seen at","example":"/global/v1/incident/?/incident-summary"}}}}}}},"security":[{"JWT-Bearer":[]},{"oauth2":[]}],"method":"get","path":"/v2/incident/{incident-id}/recommend"}}