createResponseAction

Parameters

Parameter	Description	Included in request	Type	Values
`username`	The username involved in the event.	Mandatory if `actiontype` is `1`, `2`, `3`, `4`, `5`, `8`, `9`, or `12`. If `actionType` is `6`, the username is required only if the incident ID is not provided.	String	No additional requirements. Example "username": "user@bitdefender.com"
`emailId`	The email ID associated with the user node. For `actionType` `11`, this is the ID of the reference email used to identify similar emails.	Mandatory if `actionType` is `6`. Mandatory if `actionType` is `11` and `incidentId` is used.	String	No additional requirements. Example "emailId": "AAMkADNiNWU0YTljLTRiYmEtNGFlMi1iNzRhLWI5NDk4Y2QwOWM1NQBGAAAAAAD3LHfFVxR-TIchBqXPMdrxBwAlFp_8PvdsSKRtFCjiDPaqAAAAAAEMAAAlFp_8PvdsSKRtFCjiDPaqAAAQLe0eAAA=""username": "user@bitdefender.com"
`actionType`	The type of action to be taken and the type of environment it will be applied to.	Mandatory	Integer	Possible values: `1` - Reset credentials for a Microsoft 365 (Office 365) or Entra ID (Azure AD) user. `2` - Reset credentials for an Active Directory user. `3` - Disable a Microsoft 365 (Office 365) or Entra ID (Azure AD) user. `4` - Disable an on-premises Active Directory user. `5` - Mark a Microsoft 365 (Office 365) or Entra ID (Azure AD) user as compromised. `6` - Delete an email from the account of a Microsoft 365 (Office 365) user. `8` - Disable a Google user. `9` - Reset credentials for a Google user. `10` - Delete a Microsoft 365 (Office 365) OneDrive or SharePoint file. `11` - Delete emails similar to a reference email from a Microsoft 365 (Office 365) user. `12` - Disable an AWS user. Example "actionType": 4
`incidentId`	The ID of the incident to which the user nodes belong.	Either `incidentId` or `integrationIdentifiers` must be included in the request.	String	No additional requirements. Example "incidentId": "5b680f6fb1a43d860a7b23c0"
`integrationIdentifiers`	The information required to identify the integration used for importing the user.		Object	Refer to `integrationIdentifiers` Example "integrationIdentifiers": { "companyId": "66b08ace2f15a991ca079343", "officeTenantId": "123e4567-e89b-12d3-a456-426614174000" }
`targets`	Supported exclusively for `actionType` `11`. Indicates which similar Microsoft 365 (Office 365) emails should be deleted. Each email can be identified by user and email ID or by a similarity hash.	Mandatory when using `integrationIdentifiers`. Not applicable when `incidentId` is used.	Object or Array of Objects	When it is an Array of Objects, each object contains `userId` and `mailIds`. When it is an Object, it contains only the `similarityHash`. Refer to `targets`. Example Delete all emails with the same similarity hash "targets": { "similarityHash": "a1b2c3d4e5f6" } Delete the listed emails identified by user and email ID "targets": [ { "userId": "d0c55688-45c4-4bfc-a033-c49caa3b3b9d", "mailIds": [ "AAMkADhkNTIyNjYzLTQ1ZmYtNDZlNi1iMjExLWVmZjhlYWRjYzIxNABGAAAAAAB7fiYJE372QbIC-lf_MXEHBwAJPJXoGMjpRYZoFcE4nZMWAAAAAAEPAAAJPJXoGMjpRYZoFcE4nZMWAAPF9SdxAAA=" ] } ]

General parameters

These are common parameters, available across all public API methods:

Parameter	Description	Included in request	Type	Values
`id`	This parameter adds an identifier to the request, linking it to its corresponding response. The target replies with the same value in the response, allowing easy call tracking.	Mandatory	String	No additional requirements. Example "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb"
`method`	The name of the method you are using to send the request.	Mandatory	String	Must be a valid method name. Example "method": "methodName"
`jsonrpc`	The version of JSON-RPC used by the request and the response.	Mandatory	Integer	Possible values: `2.0` Example "jsonrpc": "2.0"
`params`	An object containing the configuration of the request.	Mandatory	Object	No additional requirements. Example "params": {...}

Objects

`integrationIdentifiers`

Name	Description	Included in request	Type
`companyId`	The ID of the company where the integration was performed.	Mandatory	String
`adUserSid`	The Security Identifier (SID) of the target user.	Mandatory	String

Name	Description	Included in request	Type
`companyId`	The ID of the company where the integration was performed.	Mandatory	String
`officeTenantId`	The Microsoft 365 (Office 365) identifier used when creating the integration.	Mandatory	String

Name	Description	Included in request	Type
`companyId`	The ID of the company where the integration was performed.	Mandatory	String
`sensorIdentifier`	The Google client email used when the integration was created.	Mandatory	String

For deactivating an AWS user

Parameter

Description

Included in request

Type

companyId

The ID of the company where the integration was performed.

Mandatory

String

accessKeyId

The AWS Access Key ID used when configuring the AWS integration.

It identifies the specific AWS account through which the deactivation request will be executed. This ensures that the Deactivate AWS user action is applied in the correct AWS environment.

Mandatory

String

`targets`

Name	Description	Included in request	Type
`similarityHash`	The similarity hash used to identify similar emails.	Optional	String
`userId`	The external ID of the user who received or sent the emails to be deleted.	Required when used with `mailIds`. Not applicable when `similarityHash` is specified.	String
`mailIds`	The IDs of the emails to be deleted that belong to the user identified by `userId`.	Required when used with `userId`. Not applicable when `similarityHash` is specified.	Array of Strings

Return value

Attribute	Type	Description
`result`	String	The ID of the response action created.

Examples

Request

Create a response action based on an incident ID:

Create a request based on the company ID and integration identifiers:

11 - Delete the listed similar emails (identified by user and email ID) from a Microsoft 365 (Office 365) user

{
    "params": {
        "actionType": 11,
        "integrationIdentifiers": {
            "companyId": "5b680f6fb1a43d860a7b23c8",
            "officeTenantId": "3b8624b5-06e7-45fc-8b56-4e24a9909bc0"
        },
        "targets": [
            {
                "userId": "d0c55688-45c4-4bfc-a033-c49caa3b3b9d",
                "mailIds": [
                    "AAMkADhkNTIyNjYzLTQ1ZmYtNDZlNi1iMjExLWVmZjhlYWRjYzIxNABGAAAAAAB7fiYJE372QbIC-lf_MXEHBwAJPJXoGMjpRYZoFcE4nZMWAAAAAAEPAAAJPJXoGMjpRYZoFcE4nZMWAAPF9SdxAAA="
                ]
            }
        ]
    },
    "jsonrpc": "2.0",
    "method": "createResponseAction",
    "id": "7d2864e9-c67b-48a2-9ba3-0a11d47e83c8"
}

Response

{
    "id": "7d2864e9-c67b-48a2-9ba3-0a11d47e83c8",
    "jsonrpc": "2.0",
    "result": "6560a95884f89d6eca0b61b1"
}