createResponseAction

You can use this method to take response actions on user nodes generated in GravityZone XDR incidents or your own SOC generated incidents. You can make the request based on an XDR incident ID, or based on user data specified in the node.

Parameters

Parameter	Description	Included in request	Type	Values
`username`	The username involved in the event.	Mandatory if `actiontype` is `1`, `2`, `3`, `4`, `5`, `8` or `9`. If `actionType` is `6`, the username is reqired only if the incident ID is not provided.	String	No additional requirements. Example "username": "user@bitdefender.com"
`emailId`	The email ID associated to the user node.	Mandatory if `actionType` is `6`.	String	No additional requirements. Example "username": "user@bitdefender.com"
`actionType`	Use this parameter to determine the action you want to take and the type of environment you want to take it on.	Mandatory	Integer	Possible value: `1` - Reset credentials for an Office 365 user. `2` - Reset credentials for an Active Directory user. `3` - Disable an Office 365 user. `4` - Disable an Active Directory user. `5` - Mark an Office 365 user as compromised. `6` - Delete an email from the account of an Office 365 user. `8` - Disable a Google user. `9` - Reset credentials for a Google user. `10` - Delete an Office 365 OneDrive or SharePoint file. `12` - Disable an AWS user. Example "actionType": 4
`incidentId`	The ID of the incident to which the user nodes belong.	Either `incidentId` or `integrationIdentifiers` must be included in the request.	String	No additional requirements. Example "incidentId": "5b680f6fb1a43d860a7b23c0"
`integrationIdentifiers`	The information required to identify the integration used for importing the user.		Object	Refer to `integrationIdentifiers` Example "integrationIdentifiers": { "companyId": "66b08ace2f15a991ca079343", "officeTenantId": "123e4567-e89b-12d3-a456-426614174000" }

Objects

`integrationIdentifiers`

Parameter	Description	Included in request	Type	Values
`companyId`	The ID of the company where the integration was performed.	Mandatory	String	No additional requirements.
`adUserSid`	The Security Identifier (SID) of the target user.	Mandatory	String	No additional requirements.

Parameter	Description	Included in request	Type	Values
`companyId`	The ID of the company where the integration was performed.	Mandatory	String	No additional requirements.
`officeTenantId`	The Office 365 identifier used when creating the integrations.	Mandatory	String	No additional requirements.

Parameter	Description	Included in request	Type	Values
`companyId`	The ID of the company where the integration was performed.	Mandatory	String	No additional requirements.
`sensorIdentifier`	The Google client email used when the integration was created.	Mandatory	String	No additional requirements.

For deactivating an AWS user

Parameter

Description

Included in request

Type

Values

companyId

The ID of the company where the integration was performed.

Mandatory

String

No additional requirements.

accessKeyId

The AWS Access Key ID used when configuring the AWS integration.

It identifies the specific AWS account through which the deactivation request will be executed. This ensures that the “Deactivate AWS user” action is applied in the correct AWS environment.

Mandatory

String

No additional requirements.

Return value

Attribute	Type	Description
`result`	String	The ID of the response action created.

Examples

Request

Creating a response action based on an incident ID:

Create request based on the company ID and integration identifiers:

Response

{
    "id": "7d2864e9-c67b-48a2-9ba3-0a11d47e83c8",
    "jsonrpc": "2.0",
    "result": "6560a95884f89d6eca0b61b1"
}

In this section: