createResponseAction

You can use this method to take response actions on user nodes generated in GravityZone XDR incidents or in your own SOC-generated incidents. You can make the request based on an XDR incident ID, or based on the user data specified in the node.

Parameters

username
  Description: The username involved in the event.
  Included in request: Mandatory if actionType is 1, 2, 3, 4, or 5. If actionType is 6, the username is required only if the incident ID is not provided.
  Type: String
  Values: No additional requirements.

emailId
  Description: The email ID associated with the user node.
  Included in request: Mandatory if actionType is 6.
  Type: String
  Values: No additional requirements.

actionType
  Description: Use this parameter to determine the action you want to take and the type of environment you want to take it on.
  Included in request: Mandatory
  Type: Integer
  Values: Possible values:
    • 1 - Reset credentials for an Office 365 user.
    • 2 - Reset credentials for an Active Directory user.
    • 3 - Disable an Active Directory user.
    • 4 - Disable an Office 365 user.
    • 5 - Mark an Office 365 user as compromised.
    • 6 - Delete an email account from an Office 365 user.

incidentId
  Description: The ID of the incident to which the user nodes belong.
  Included in request: Either incidentId or integrationIdentifiers must be included in the request.
  Type: String
  Values: No additional requirements.

integrationIdentifiers
  Description: The information required to identify the integration used for importing the user.
  Included in request: Either incidentId or integrationIdentifiers must be included in the request.
  Type: Object
  Values: Refer to integrationIdentifiers

Objects

integrationIdentifiers

Return value

result
  Type: String
  Description: The ID of the response action created.

Examples

Request

Creating a response action based on an incident ID:

{
    "params": {
        "username": "username",
        "actionType": 3,
        "incidentId": "5b680f6fb1a43d860a7b23c0"
    },
    "jsonrpc": "2.0",
    "method": "createResponseAction",
    "id": "7d2864e9-c67b-48a2-9ba3-0a11d47e83c8"
}

Creating a response action based on integration identifiers (company ID and Office 365 tenant identifier):

{
  "params": {
    "emailId": "AAMkAGRlNjg4ZjM4LTNjNWMtNDdiOS04OWE5LTMzYT=",
    "username": "[email protected]",
    "actionType": 6,
    "integrationIdentifiers": {
      "companyId": "66b08ace2f15a991ca079343",
      "officeTenantId": "123e4567-e89b-12d3-a456-426614174000"
    }
  },
  "jsonrpc": "2.0",
  "method": "createResponseAction",
  "id": "7d2864e9-c67b-48a2-9ba3-0a11d47e83c8"
}

Creating a response action based on integration identifiers (company ID and Active Directory user identifier):

{
  "params": {
      "username": "domain\\user",
      "actionType": 4,
      "integrationIdentifiers": {
          "companyId": "5b680f6fb1a43d860a7b23c8",
          "adUserSid": "S-1-5-21-3623811015-3361044348-30300820-1013"
      }
  },
  "jsonrpc": "2.0",
  "method": "createResponseAction",
  "id": "7d2864e9-c67b-48a2-9ba3-0a11d47e83c8"
}

Response

{
    "id": "7d2864e9-c67b-48a2-9ba3-0a11d47e83c8",
    "jsonrpc": "2.0",
    "result": "6560a95884f89d6eca0b61b1"
}
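The following Python helper is an added example, not part of the GravityZone API documentation: it enforces the "Included in request" rules from the parameter table before building the JSON-RPC envelope shown in the examples, and extracts the response action ID from the reply. It assumes the JSON-RPC 2.0 "error" member convention for failed calls (this page shows only a successful reply) and leaves out transport details such as the endpoint URL and authentication.

```python
import json
import uuid

# actionType values from the parameter table on this page
ACTION_TYPES = {
    1: "Reset credentials for an Office 365 user",
    2: "Reset credentials for an Active Directory user",
    3: "Disable an Active Directory user",
    4: "Disable an Office 365 user",
    5: "Mark an Office 365 user as compromised",
    6: "Delete an email account from an Office 365 user",
}

def validate_params(params):
    """Raise ValueError if params violate the page's 'Included in request' rules."""
    action = params.get("actionType")
    if action not in ACTION_TYPES:
        raise ValueError(f"actionType must be one of {sorted(ACTION_TYPES)}")
    has_incident = bool(params.get("incidentId"))
    if not (has_incident or params.get("integrationIdentifiers")):
        raise ValueError("either incidentId or integrationIdentifiers is required")
    if action in (1, 2, 3, 4, 5) and not params.get("username"):
        raise ValueError("username is mandatory for actionType 1-5")
    if action == 6:
        if not params.get("emailId"):
            raise ValueError("emailId is mandatory for actionType 6")
        if not has_incident and not params.get("username"):
            raise ValueError("username is required for actionType 6 without incidentId")
    return params

def build_request(params, request_id=None):
    """Return the JSON-RPC 2.0 envelope (as a dict) after validating params."""
    validate_params(params)
    return {
        "params": params,
        "jsonrpc": "2.0",
        "method": "createResponseAction",
        "id": request_id or str(uuid.uuid4()),
    }

def parse_response(body):
    """Return the response action ID from the reply's "result" member."""
    reply = json.loads(body)
    # "error" member: JSON-RPC 2.0 convention, assumed (not shown on this page)
    if "error" in reply:
        raise RuntimeError(f"createResponseAction failed: {reply['error']}")
    return reply["result"]
```

Logging the returned action ID next to the originating incident ID gives the SOC an audit trail for each automated containment step.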