The Splunk Mission Control Automation API allows your team to automate their response to Mission Control incidents using Splunk SOAR playbooks. This API documentation corresponds to the actions available in the Mission Control block in the Splunk SOAR Visual Playbook Editor (VPE). To learn more about the Mission Control block, see Use Splunk Mission Control data in Splunk SOAR (Cloud) playbooks in Investigate and Respond to Threats in Splunk Mission Control. The following APIs are not applicable for use cases outside of the Mission Control/SOAR integration. Any other use of these or other Mission Control APIs is not supported.
Add an attachment to the KV Store.
id required | string The |
file_name required | string The name of the uploaded file. Include the file extension. |
data required | string The file data. This data is base64 encoded. |
source_type required | string Enum: "Note" "Incident" The source type of the file. |
{
  "file_name": "Test_File.txt",
  "data": "aGkgdGhpcyBpcyBhIHRlc3QgZmlsZQ==",
  "source_type": "Incident"
}
{
  "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
  "file_name": "splunk-logo-dark.svg",
  "incident_type": "threat investigation",
  "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "response_plan_info": {
    "response_plan": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Plan - 1"
    },
    "response_phase": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Phase - 1"
    },
    "response_task": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Task - 1"
    }
  },
  "reference_list": [
    "1982c0a4-b710-4827-856d-0a9c4f77e70b"
  ],
  "size": 5829,
  "source_type": "Task",
  "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "source_user": "admin",
  "created_on": 1676494088.786956,
  "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
  "_user": ""
}
Add the note to the incident.
id required | string The |
title required | string The title of the response plan note. |
content required | string The data stored within the note. |
files | Array of strings An array of file IDs to add to a note. |
{
  "title": "Create ticket - Task Note - 1",
  "content": "Note for task Create Ticket",
  "files": [
    "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46"
  ]
}
{
  "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
  "title": "Create ticket - Task Note - 1",
  "author": {
    "username": "admin"
  },
  "last_edited_by": "bob@splunk.com",
  "response_plan_info": {
    "response_plan": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Plan - 1"
    },
    "response_phase": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Phase - 1"
    },
    "response_task": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Task - 1"
    }
  },
  "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "source_type": "Task",
  "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "content": "Note for task Create Ticket",
  "files": [
    "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
  ],
  "create_time": 1676494561.553658,
  "update_time": 1676494561.553894
}
Apply a response template to an incident.
id required | string The |
response_template_id required | string The ID of the response template to be applied. |
{
  "response_template_id": "142ba3eb-1fd9-4cb3-a040-e139aac107ff"
}
{
  "id": "5c674507-50c2-4a94-b458-fdcb5eec333d",
  "version": 1,
  "is_default": true,
  "source_template_id": "142ba3eb-1fd9-4cb3-a040-e139aac107ff",
  "create_time": 1676492834.50028,
  "update_time": 1676492834.500499,
  "name": "Suspicious Email",
  "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods.",
  "template_status": "published",
  "creator": "Splunk",
  "updated_by": "Splunk",
  "phases": [
    {
      "id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40",
      "name": "Ingestion",
      "order": 1,
      "create_time": 1676492834.50028,
      "update_time": 1676492834.500499,
      "tasks": [
        {
          "id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd",
          "name": "Create ticket",
          "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
          "status": "Started",
          "order": 1,
          "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
          "owner": "admin",
          "is_note_required": false,
          "start_time": 1676493726.238174,
          "end_time": 1676493727.238301,
          "suggestions": {
            "actions": [
              {
                "id": "876ab1de-d825-43c0-8b6c-e30c959d9044",
                "name": "geolocate ip - MaxMind",
                "description": "This action validates the configuration of an asset.",
                "type": "geolocate ip",
                "last_job_id": 0,
                "action": 1394,
                "app_id": 169,
                "asset": 1,
                "parameters": [
                  {
                    "ip": "1.1.1.1"
                  }
                ],
                "update_time": 1676495407.1743503,
                "create_time": 1676495280.719768
              }
            ],
            "playbooks": [
              {
                "id": "f18a9b47-9e34-435b-8f72-c13b82609ee6",
                "last_job_id": 0,
                "playbook_id": "community/suspicious_email_domain_enrichment",
                "name": "suspicious_email_domain_enrichment",
                "description": "This playbook geolocates an address.",
                "scope": "all",
                "update_time": 1676495407.17426,
                "create_time": 1676495280.719677
              }
            ],
            "searches": [
              {
                "id": "f03af0f8-2e9d-463f-a50b-790dbdd44d5d",
                "name": "Access - Access Over Time By App",
                "spl": "%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app",
                "description": "Use Splunk searches to list the stats for app accessing",
                "update_time": 1676496024.7015831,
                "create_time": 1676495280.719843
              }
            ]
          },
          "notes": [
            {
              "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
              "title": "Create ticket - Task Note - 1",
              "author": {
                "username": "admin"
              },
              "last_edited_by": "bob@splunk.com",
              "response_plan_info": {
                "response_plan": {
                  "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "name": "Response Plan - 1"
                },
                "response_phase": {
                  "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "name": "Response Phase - 1"
                },
                "response_task": {
                  "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "name": "Response Task - 1"
                }
              },
              "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
              "source_type": "Task",
              "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
              "content": "Note for task Create Ticket",
              "files": [
                "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
              ],
              "create_time": 1676494561.553658,
              "update_time": 1676494561.553894
            }
          ],
          "files": [
            {
              "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
              "file_name": "splunk-logo-dark.svg",
              "incident_type": "threat investigation",
              "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
              "response_plan_info": {
                "response_plan": {
                  "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "name": "Response Plan - 1"
                },
                "response_phase": {
                  "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "name": "Response Phase - 1"
                },
                "response_task": {
                  "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "name": "Response Task - 1"
                }
              },
              "reference_list": [
                "1982c0a4-b710-4827-856d-0a9c4f77e70b"
              ],
              "size": 5829,
              "source_type": "Task",
              "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
              "source_user": "admin",
              "created_on": 1676494088.786956,
              "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
              "_user": ""
            }
          ],
          "create_time": 1689110850.869705,
          "update_time": 1689110850.869705,
          "total_time_taken": 2
        }
      ]
    }
  ]
}
Add a task to the response plan phase you are currently working on.
id required | string The |
Response task object
name required | string The name of the task. |
order required | integer The order of the task in respect to all tasks in the phase. |
description | string The description of the task. |
owner | string The owner of the task. |
is_note_required | boolean Determines whether a note is required to be created in order to complete or end the task. |
{
  "name": "Create ticket",
  "order": 1,
  "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
  "owner": "admin",
  "is_note_required": false
}
{
  "code": "MC_0100",
  "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  "message": "Oops...something went wrong."
}
Add an attachment to a task.
id required | string The |
response_plan_id required | string The ID of the response plan. |
phase_id required | string The ID of the phase from the response plan. |
task_id required | string The ID of the task from the response plan. |
file_name required | string The name of the file to be uploaded. Be sure to include the file extension. |
data required | string The file data. This data is base64 encoded. |
{
  "file_name": "splunk-logo-dark.svg",
  "data": "SGksIHRoaXMgaXMgYW4gZXhhbXBsZSBvZiBhIGZpbGUncyBkYXRhIGVuY29kZWQgaW4gYmFzZTY0Lg=="
}
{
  "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
  "file_name": "splunk-logo-dark.svg",
  "incident_type": "threat investigation",
  "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "response_plan_info": {
    "response_plan": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Plan - 1"
    },
    "response_phase": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Phase - 1"
    },
    "response_task": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Task - 1"
    }
  },
  "reference_list": [
    "1982c0a4-b710-4827-856d-0a9c4f77e70b"
  ],
  "size": 5829,
  "source_type": "Task",
  "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "source_user": "admin",
  "created_on": 1676494088.786956,
  "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
  "_user": ""
}
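The following Python is an added example, not part of Splunk's documentation: it builds the request body for the two attachment operations described above (the KV Store attachment, which takes source_type, and the task attachment, which does not) from raw bytes and checks it against the listed parameters before anything is sent. The function names and the MAX_BYTES limit are assumptions made for this example; no endpoint URL appears because this page does not give one.

```python
import base64
import binascii
import os

# Enum values listed for source_type in the KV Store attachment parameters.
SOURCE_TYPES = ("Note", "Incident")
# Local guard rail chosen for this example; the page states no size limit.
MAX_BYTES = 5 * 1024 * 1024


def build_attachment_payload(file_name, raw, source_type=None):
    """Return the JSON body for an attachment upload.

    Pass source_type for the KV Store variant and leave it out for the
    task variant, matching the two parameter lists on this page.
    """
    # Reject path components so a playbook cannot forward "../" style names.
    base = os.path.basename(file_name.replace("\\", "/"))
    if base != file_name or base in ("", ".", ".."):
        raise ValueError("file_name must be a bare name without path components")
    # The parameter description asks for the file extension to be included.
    stem, ext = os.path.splitext(base)
    if not stem or len(ext) < 2:
        raise ValueError("file_name must include a file extension")
    if not isinstance(raw, (bytes, bytearray)):
        raise TypeError("raw must be bytes; encode text explicitly first")
    if len(raw) == 0 or len(raw) > MAX_BYTES:
        raise ValueError("attachment is empty or exceeds the local size limit")

    payload = {
        "file_name": base,
        "data": base64.b64encode(bytes(raw)).decode("ascii"),
    }
    if source_type is not None:
        if source_type not in SOURCE_TYPES:
            raise ValueError(f"source_type must be one of {SOURCE_TYPES}")
        payload["source_type"] = source_type
    return payload


def decode_attachment_data(payload):
    """Strictly decode the data field, rejecting anything that is not clean base64."""
    try:
        return base64.b64decode(payload["data"], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("data is not valid base64") from exc


if __name__ == "__main__":
    # Constructed input that reproduces the KV Store request sample on this page.
    body = build_attachment_payload(
        "Test_File.txt", b"hi this is a test file", "Incident"
    )
    print(body)
    print(decode_attachment_data(body))
```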
Add a note to a task. The author and update time are populated automatically.
id required | string The |
response_plan_id required | string The ID of the response plan. |
phase_id required | string The ID of the phase from the response plan. |
task_id required | string The ID of the task from the response plan. |
title required | string The title of the response plan note. |
content required | string The data stored within the note. |
files | Array of strings An array of file IDs to add to a note. |
{
  "title": "Create ticket - Task Note - 1",
  "content": "Note for task Create Ticket",
  "files": [
    "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46"
  ]
}
{
  "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
  "title": "Create ticket - Task Note - 1",
  "author": {
    "username": "admin"
  },
  "last_edited_by": "bob@splunk.com",
  "response_plan_info": {
    "response_plan": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Plan - 1"
    },
    "response_phase": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Phase - 1"
    },
    "response_task": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Task - 1"
    }
  },
  "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "source_type": "Task",
  "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "content": "Note for task Create Ticket",
  "files": [
    "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
  ],
  "create_time": 1676494561.553658,
  "update_time": 1676494561.553894
}
Create events in Splunk Mission Control.
incident_id required | string The |
required | Array of objects A list of fields that describe the event. |
{
  "incident_id": "1982c0a4-b710-4827-856d-0a9c4f77e70b",
  "pairs": [
    {
      "name": "src_ip",
      "value": "United Kingdom"
    }
  ]
}
{
  "id": "189c4f74-ede9-4e71-a435-829a5e91e377"
}
Create an incident in Splunk Mission Control.
Request payload for a single incident.
name required | string The name of the incident. |
incident_origin | string Where the incident came from. For example, Splunk Enterprise Security, a risk-based alerting notable, or a Splunk Mission Control incident. |
description | string The description of the incident. |
incident_type required | string The incident type of the incident. Incident types are used to categorize related incidents by use case or source. |
disposition | string The classification of the incident. For example, “True Positive - Suspicious Activity” or “False Positive - Incorrect Analytic Logic”. |
status | string The status of the incident. For example, “New” or “In Progress”. |
assignee | string The person or group assigned to the incident. |
urgency | string Enum: "informational" "low" "medium" "high" "critical" The urgency of the incident. Valid choices are informational, low, medium, high, or critical. |
sensitivity | string Enum: "White" "Green" "Amber" "Red" "Unassigned" The sensitivity of the incident. Valid choices are White, Green, Amber, Red, or Unassigned. |
{
  "name": "Sample Threat Activity Detection",
  "incident_origin": "ES Notable Event",
  "description": "Sample Incident for Mission Control",
  "incident_type": "threat investigation",
  "disposition": "True Positive - Suspicious Activity",
  "status": "New",
  "assignee": "admin",
  "urgency": "informational",
  "sensitivity": "Red"
}
{
  "id": "1982c0a4-b710-4827-856d-0a9c4f77e70b"
}
Delete an event that is part of an incident.
id required | string The |
event_id required | string The ID of the event to be deleted. |
{
  "id": "e3490048-4b7e-4e46-b01c-663f4ea725de"
}
Delete an incident file from the KV store.
id required | string Example: 74730fac-1d5c-4713-bef5-d30ed1c62188 The |
attachment_id required | string The attachment ID of the file to be deleted. |
{
  "code": "MC_0100",
  "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  "message": "Oops...something went wrong."
}
Delete a note in an incident.
id required | string The |
note_id required | string The ID of the note from the response plan task. |
{
  "code": "MC_0100",
  "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  "message": "Oops...something went wrong."
}
Delete the attachment from a task and from the collection, if applicable.
id required | string The |
response_plan_id required | string The ID of the response plan. |
phase_id required | string The ID of the phase from the response plan. |
task_id required | string The ID of the task from the response plan. |
file_id required | string The unique ID of the file. |
{
  "code": "MC_0100",
  "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  "message": "Oops...something went wrong."
}
Delete the note and attachments from a task.
id required | string The |
response_plan_id required | string The ID of the response plan. |
phase_id required | string The ID of the phase from the response plan. |
task_id required | string The ID of the task from the response plan. |
note_id required | string The ID of the note from the response plan task. |
{
  "code": "MC_0100",
  "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  "message": "Oops...something went wrong."
}
Download an attachment added within the incident.
id required | string The |
attachment_id required | string The ID of the file from the response plan. |
{
  "code": "MC_0100",
  "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  "message": "Oops...something went wrong."
}
Return all files from an incident.
id required | string The |
{
  "items": [
    {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
      "file_name": "splunk-logo-dark.svg",
      "incident_type": "threat investigation",
      "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "response_plan_info": {
        "response_plan": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Plan - 1"
        },
        "response_phase": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Phase - 1"
        },
        "response_task": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Task - 1"
        }
      },
      "reference_list": [
        "1982c0a4-b710-4827-856d-0a9c4f77e70b"
      ],
      "size": 5829,
      "source_type": "Task",
      "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "source_user": "admin",
      "created_on": 1676494088.786956,
      "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
      "_user": ""
    }
  ],
  "skip": 0,
  "limit": 0,
  "total": 0
}
Retrieve an incident by the incident GUID or display ID without running a search. The response matches the data available for dispatch to automation.
id required | string The |
include_parent_child | string Enum: "True" "true" "t" "1" "False" "false" "f" "0" Example: include_parent_child=true Optional flag to include the consolidated summary and a mapping of where these values have originated from. |
{
  "id": "00000000-0000-0000-0000-000000000000",
  "display_id": "MC-00001",
  "name": "Sample Threat Activity Detection",
  "create_time": 1676497520,
  "mc_create_time": 1676497763.861311,
  "update_time": 1676497800.160927,
  "incident_origin": "ES Notable Event",
  "source": "Threat - Mission Control - Sample ES Notables - Rule",
  "description": "Sample Incident for Mission Control",
  "incident_type": "threat investigation",
  "notable_id": "A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9",
  "disposition": "disposition:1",
  "disposition_name": "True Positive - Suspicious Activity",
  "response_plans": [
    {
      "id": "5c674507-50c2-4a94-b458-fdcb5eec333d",
      "version": 1,
      "is_default": true,
      "source_template_id": "142ba3eb-1fd9-4cb3-a040-e139aac107ff",
      "create_time": 1676492834.50028,
      "update_time": 1676492834.500499,
      "name": "Suspicious Email",
      "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods.",
      "template_status": "published",
      "creator": "Splunk",
      "updated_by": "Splunk",
      "phases": [
        {
          "id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40",
          "name": "Ingestion",
          "order": 1,
          "create_time": 1676492834.50028,
          "update_time": 1676492834.500499,
          "tasks": [
            {
              "id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd",
              "name": "Create ticket",
              "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
              "status": "Started",
              "order": 1,
              "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
              "owner": "admin",
              "is_note_required": false,
              "start_time": 1676493726.238174,
              "end_time": 1676493727.238301,
              "suggestions": {
                "actions": [
                  {
                    "id": null,
                    "name": null,
                    "description": null,
                    "type": null,
                    "last_job_id": null,
                    "action": null,
                    "app_id": null,
                    "asset": null,
                    "parameters": [],
                    "update_time": null,
                    "create_time": null
                  }
                ],
                "playbooks": [
                  {
                    "id": null,
                    "last_job_id": null,
                    "playbook_id": null,
                    "name": null,
                    "description": null,
                    "scope": null,
                    "update_time": null,
                    "create_time": null
                  }
                ],
                "searches": [
                  {
                    "id": null,
                    "name": null,
                    "spl": null,
                    "description": null,
                    "update_time": null,
                    "create_time": null
                  }
                ]
              },
              "notes": [
                {
                  "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
                  "title": "Create ticket - Task Note - 1",
                  "author": {
                    "username": "admin"
                  },
                  "last_edited_by": "bob@splunk.com",
                  "response_plan_info": {
                    "response_plan": {},
                    "response_phase": {},
                    "response_task": {}
                  },
                  "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "source_type": "Task",
                  "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "content": "Note for task Create Ticket",
                  "files": [
                    "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
                  ],
                  "create_time": 1676494561.553658,
                  "update_time": 1676494561.553894
                }
              ],
              "files": [
                {
                  "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
                  "file_name": "splunk-logo-dark.svg",
                  "incident_type": "threat investigation",
                  "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "response_plan_info": {
                    "response_plan": {},
                    "response_phase": {},
                    "response_task": {}
                  },
                  "reference_list": [
                    "1982c0a4-b710-4827-856d-0a9c4f77e70b"
                  ],
                  "size": 5829,
                  "source_type": "Task",
                  "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "source_user": "admin",
                  "created_on": 1676494088.786956,
                  "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
                  "_user": ""
                }
              ],
              "create_time": 1689110850.869705,
              "update_time": 1689110850.869705,
              "total_time_taken": 2
            }
          ]
        }
      ]
    }
  ],
  "status": 1,
  "status_name": "New",
  "assignee": "admin",
  "urgency": "informational",
  "sensitivity": "Red",
  "sla": {
    "sla_condition": "default_sla",
    "sla_total_time": 24,
    "sla_units": "h",
    "sla_id": "598905ab-9c58-4b5f-9925-a049ee1b3d6a",
    "sla": 1676584163.861112
  },
  "es_notable_fields": [
    "src",
    "dest"
  ],
  "attachments": [
    "c7f677fc-8767-4b48-a29d-c28c3f979752"
  ],
  "notes": [
    "c7f677fc-8767-4b48-a29d-c28c3f979752"
  ],
  "current_response_plan_phase": {
    "phase_id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40",
    "response_plan_id": "5c674507-50c2-4a94-b458-fdcb5eec333d"
  },
  "parent_incidents": [],
  "child_incidents": {
    "incident_ids": [
      "11111111-1111-1111-1111-111111111111",
      "11111111-1111-1111-1111-111111111112"
    ],
    "field_inheritors": [
      "11111111-1111-1111-1111-111111111111"
    ]
  },
  "summary": {
    "src": "10.39.210.66",
    "dest": "8.235.139.88"
  },
  "consolidated_summary": {
    "src": "10.39.210.66",
    "dest": "8.235.139.88",
    "app": "splunk"
  },
  "incident_summary_mapping": {
    "src_ip": {
      "10.39.210.66": [
        "00000000-0000-0000-0000-000000000000",
        "11111111-1111-1111-1111-111111111111"
      ]
    },
    "dest": {
      "8.235.139.88": [
        "00000000-0000-0000-0000-000000000000",
        "11111111-1111-1111-1111-111111111112"
      ]
    },
    "app": {
      "splunk": [
        "11111111-1111-1111-1111-111111111111",
        "11111111-1111-1111-1111-111111111112"
      ]
    }
  }
}
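The following Python is an added example, not part of Splunk's documentation: it takes an incident shaped like the response above (as returned with include_parent_child set) and reports which summary values were inherited from related incidents, which incident contributed each value, and what SPL the response plan's suggested searches contain once the percent-encoding shown in the samples on this page is removed. SAMPLE_INCIDENT is a constructed, trimmed copy of the page's sample data, and the function names are assumptions made for this example.

```python
from urllib.parse import unquote

# Constructed sample: trimmed from the incident response above, with the
# percent-encoded "spl" value taken from the response plan sample on this page.
SAMPLE_INCIDENT = {
    "id": "00000000-0000-0000-0000-000000000000",
    "response_plans": [{
        "name": "Suspicious Email",
        "phases": [{
            "name": "Ingestion",
            "tasks": [{
                "name": "Create ticket",
                "suggestions": {"searches": [
                    {"name": "Access - Access Over Time By App",
                     "spl": "%7C%20%60tstats%60%20count%20from%20datamodel%3D"
                            "Authentication.Authentication%20by%20_time%2C"
                            "Authentication.app%20span%3D10m%20%7C%20timechart%20"
                            "minspan%3D10m%20useother%3D%60useother%60%20count%20"
                            "by%20Authentication.app"},
                    # The incident sample above returns empty suggestions as nulls.
                    {"name": None, "spl": None},
                ]},
            }],
        }],
    }],
    "summary": {"src": "10.39.210.66", "dest": "8.235.139.88"},
    "consolidated_summary": {
        "src": "10.39.210.66", "dest": "8.235.139.88", "app": "splunk",
    },
    "incident_summary_mapping": {
        "src_ip": {"10.39.210.66": ["00000000-0000-0000-0000-000000000000",
                                    "11111111-1111-1111-1111-111111111111"]},
        "dest": {"8.235.139.88": ["00000000-0000-0000-0000-000000000000",
                                  "11111111-1111-1111-1111-111111111112"]},
        "app": {"splunk": ["11111111-1111-1111-1111-111111111111",
                           "11111111-1111-1111-1111-111111111112"]},
    },
}


def inherited_fields(incident):
    """Fields in consolidated_summary that the incident's own summary lacks or differs on."""
    own = incident.get("summary") or {}
    merged = incident.get("consolidated_summary") or {}
    return {k: v for k, v in merged.items() if own.get(k) != v}


def contributions_by_incident(incident):
    """Invert incident_summary_mapping into incident ID -> [(field, value), ...]."""
    out = {}
    mapping = incident.get("incident_summary_mapping") or {}
    for field, values in mapping.items():
        for value, incident_ids in values.items():
            for incident_id in incident_ids:
                out.setdefault(incident_id, []).append((field, value))
    return out


def suggested_searches(incident):
    """Return (task name, search name, decoded SPL) for every non-null suggestion."""
    found = []
    for plan in incident.get("response_plans") or []:
        for phase in plan.get("phases") or []:
            for task in phase.get("tasks") or []:
                searches = (task.get("suggestions") or {}).get("searches") or []
                for search in searches:
                    if search.get("spl"):
                        found.append(
                            (task.get("name"), search.get("name"), unquote(search["spl"]))
                        )
    return found


if __name__ == "__main__":
    print("inherited:", inherited_fields(SAMPLE_INCIDENT))
    for incident_id, pairs in contributions_by_incident(SAMPLE_INCIDENT).items():
        print(incident_id, pairs)
    for task, name, spl in suggested_searches(SAMPLE_INCIDENT):
        print(f"{task} / {name}: {spl}")
```

Reading the decoded SPL before a playbook dispatches it makes it possible to review what a response template will actually run against the search head.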
Get notes from the incident.
id required | string The |
search | string Keywords to be searched for in the title or content of notes. |
type | string Enum: "Task" "Incident" "All" The source type of a note. Only notes of this type will be returned. |
{
  "items": [
    {
      "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
      "title": "Create ticket - Task Note - 1",
      "author": {
        "username": "admin"
      },
      "last_edited_by": "bob@splunk.com",
      "response_plan_info": {
        "response_plan": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Plan - 1"
        },
        "response_phase": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Phase - 1"
        },
        "response_task": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Task - 1"
        }
      },
      "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "source_type": "Task",
      "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "content": "Note for task Create Ticket",
      "files": [
        "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
      ],
      "create_time": 1676494561.553658,
      "update_time": 1676494561.553894
    }
  ],
  "skip": 0,
  "limit": 0,
  "total": 0
}
Get current response plan phase of an incident.
id required | string The |
{
  "id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40",
  "name": "Ingestion",
  "order": 1,
  "create_time": 1676492834.50028,
  "update_time": 1676492834.500499,
  "tasks": [
    {
      "id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd",
      "name": "Create ticket",
      "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
      "status": "Started",
      "order": 1,
      "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
      "owner": "admin",
      "is_note_required": false,
      "start_time": 1676493726.238174,
      "end_time": 1676493727.238301,
      "suggestions": {
        "actions": [
          {
            "id": "876ab1de-d825-43c0-8b6c-e30c959d9044",
            "name": "geolocate ip - MaxMind",
            "description": "This action validates the configuration of an asset.",
            "type": "geolocate ip",
            "last_job_id": 0,
            "action": 1394,
            "app_id": 169,
            "asset": 1,
            "parameters": [
              {
                "ip": "1.1.1.1"
              }
            ],
            "update_time": 1676495407.1743503,
            "create_time": 1676495280.719768
          }
        ],
        "playbooks": [
          {
            "id": "f18a9b47-9e34-435b-8f72-c13b82609ee6",
            "last_job_id": 0,
            "playbook_id": "community/suspicious_email_domain_enrichment",
            "name": "suspicious_email_domain_enrichment",
            "description": "This playbook geolocates an address.",
            "scope": "all",
            "update_time": 1676495407.17426,
            "create_time": 1676495280.719677
          }
        ],
        "searches": [
          {
            "id": "f03af0f8-2e9d-463f-a50b-790dbdd44d5d",
            "name": "Access - Access Over Time By App",
            "spl": "%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app",
            "description": "Use Splunk searches to list the stats for app accessing",
            "update_time": 1676496024.7015831,
            "create_time": 1676495280.719843
          }
        ]
      },
      "notes": [
        {
          "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
          "title": "Create ticket - Task Note - 1",
          "author": {
            "username": "admin"
          },
          "last_edited_by": "bob@splunk.com",
          "response_plan_info": {
            "response_plan": {
              "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
              "name": "Response Plan - 1"
            },
            "response_phase": {
              "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
              "name": "Response Phase - 1"
            },
            "response_task": {
              "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
              "name": "Response Task - 1"
            }
          },
          "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "source_type": "Task",
          "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "content": "Note for task Create Ticket",
          "files": [
            "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
          ],
          "create_time": 1676494561.553658,
          "update_time": 1676494561.553894
        }
      ],
      "files": [
        {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
          "file_name": "splunk-logo-dark.svg",
          "incident_type": "threat investigation",
          "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "response_plan_info": {
            "response_plan": {
              "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
              "name": "Response Plan - 1"
            },
            "response_phase": {
              "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
              "name": "Response Phase - 1"
            },
            "response_task": {
              "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
              "name": "Response Task - 1"
            }
          },
          "reference_list": [
            "1982c0a4-b710-4827-856d-0a9c4f77e70b"
          ],
          "size": 5829,
          "source_type": "Task",
          "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "source_user": "admin",
          "created_on": 1676494088.786956,
          "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
          "_user": ""
        }
      ],
      "create_time": 1689110850.869705,
      "update_time": 1689110850.869705,
      "total_time_taken": 2
    }
  ]
}
Retrieve a phase ID by providing the incident ID, phase name, and response template name. The response matches the data available for dispatch to automation.
id required | string The |
response_template_name required | string The name of the response template. |
phase_name required | string The name of the phase you want to retrieve the phase ID from. |
{
  "phase_id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd"
}
Get all response templates within Splunk Mission Control.
skip | integer Used as part of pagination. Internal use only. |
limit | integer Used as part of pagination. Internal use only. |
{
  "items": [
    {
      "id": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
      "_key": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
      "version": 2,
      "is_default": false,
      "name": "Test Response Template",
      "description": "This is a response template created by a user",
      "template_status": "Published",
      "creator": "John Doe",
      "updated_by": "John Doe",
      "create_time": 1690743671.088105,
      "update_time": 1690743671.088105,
      "phases": [
        {
          "name": "Phase 1",
          "order": 1,
          "create_time": 1690743671.088105,
          "update_time": 1690743671.088105,
          "tasks": [
            {
              "name": "Create ticket",
              "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
              "order": 1,
              "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
              "owner": "admin",
              "is_note_required": false,
              "start_time": 1676493726.238174,
              "end_time": 1676493727.238301,
              "suggestions": {
                "actions": [
                  {
                    "id": null,
                    "name": null,
                    "description": null,
                    "type": null,
                    "last_job_id": null,
                    "action": null,
                    "app_id": null,
                    "asset": null,
                    "parameters": [],
                    "update_time": null,
                    "create_time": null
                  }
                ],
                "playbooks": [
                  {
                    "id": null,
                    "last_job_id": null,
                    "playbook_id": null,
                    "name": null,
                    "description": null,
                    "scope": null,
                    "update_time": null,
                    "create_time": null
                  }
                ],
                "searches": [
                  {
                    "id": null,
                    "name": null,
                    "spl": null,
                    "description": null,
                    "update_time": null,
                    "create_time": null
                  }
                ]
              },
              "notes": [
                {
                  "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
                  "title": "Create ticket - Task Note - 1",
                  "author": {
                    "username": "admin"
                  },
                  "last_edited_by": "bob@splunk.com",
                  "response_plan_info": {
                    "response_plan": {},
                    "response_phase": {},
                    "response_task": {}
                  },
                  "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "source_type": "Task",
                  "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "content": "Note for task Create Ticket",
                  "files": [
                    "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
                  ],
                  "create_time": 1676494561.553658,
                  "update_time": 1676494561.553894
                }
              ],
              "files": [
                {
                  "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
                  "file_name": "splunk-logo-dark.svg",
                  "incident_type": "threat investigation",
                  "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "response_plan_info": {
                    "response_plan": {},
                    "response_phase": {},
                    "response_task": {}
                  },
                  "reference_list": [
                    "1982c0a4-b710-4827-856d-0a9c4f77e70b"
                  ],
                  "size": 5829,
                  "source_type": "Task",
                  "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
                  "source_user": "admin",
                  "created_on": 1676494088.786956,
                  "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
                  "_user": ""
                }
              ]
            }
          ]
        }
      ]
    }
  ],
  "skip": 0,
  "limit": 0,
  "total": 0
}
Get a specific response plan task from the current response plan phase.
id required | string The |
task_id required | string The ID of the task from the response plan. |
{
  "id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd",
  "name": "Create ticket",
  "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
  "status": "Started",
  "order": 1,
  "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
  "owner": "admin",
  "is_note_required": false,
  "start_time": 1676493726.238174,
  "end_time": 1676493727.238301,
  "suggestions": {
    "actions": [
      {
        "id": "876ab1de-d825-43c0-8b6c-e30c959d9044",
        "name": "geolocate ip - MaxMind",
        "description": "This action validates the configuration of an asset.",
        "type": "geolocate ip",
        "last_job_id": 0,
        "action": 1394,
        "app_id": 169,
        "asset": 1,
        "parameters": [
          {
            "ip": "1.1.1.1"
          }
        ],
        "update_time": 1676495407.1743503,
        "create_time": 1676495280.719768
      }
    ],
    "playbooks": [
      {
        "id": "f18a9b47-9e34-435b-8f72-c13b82609ee6",
        "last_job_id": 0,
        "playbook_id": "community/suspicious_email_domain_enrichment",
        "name": "suspicious_email_domain_enrichment",
        "description": "This playbook geolocates an address.",
        "scope": "all",
        "update_time": 1676495407.17426,
        "create_time": 1676495280.719677
      }
    ],
    "searches": [
      {
        "id": "f03af0f8-2e9d-463f-a50b-790dbdd44d5d",
        "name": "Access - Access Over Time By App",
        "spl": "%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app",
        "description": "Use Splunk searches to list the stats for app accessing",
        "update_time": 1676496024.7015831,
        "create_time": 1676495280.719843
      }
    ]
  },
  "notes": [
    {
      "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
      "title": "Create ticket - Task Note - 1",
      "author": {
        "username": "admin"
      },
      "last_edited_by": "bob@splunk.com",
      "response_plan_info": {
        "response_plan": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Plan - 1"
        },
        "response_phase": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Phase - 1"
        },
        "response_task": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Task - 1"
        }
      },
      "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "source_type": "Task",
      "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "content": "Note for task Create Ticket",
      "files": [
        "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
      ],
      "create_time": 1676494561.553658,
      "update_time": 1676494561.553894
    }
  ],
  "files": [
    {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
      "file_name": "splunk-logo-dark.svg",
      "incident_type": "threat investigation",
      "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "response_plan_info": {
        "response_plan": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Plan - 1"
        },
        "response_phase": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Phase - 1"
        },
        "response_task": {
          "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
          "name": "Response Task - 1"
        }
      },
      "reference_list": [
        "1982c0a4-b710-4827-856d-0a9c4f77e70b"
      ],
      "size": 5829,
      "source_type": "Task",
      "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "source_user": "admin",
      "created_on": 1676494088.786956,
      "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
      "_user": ""
    }
  ],
  "create_time": 1689110850.869705,
  "update_time": 1689110850.869705,
  "total_time_taken": 2
}
Get the base64 file contents from an attachment in a task.
id required | string The |
response_plan_id required | string The ID of the response plan. |
phase_id required | string The ID of the phase from the response plan. |
task_id required | string The ID of the task from the response plan. |
file_id required | string The unique ID of the file. |
{
  "data": "SGksIHRoaXMgaXMgYW4gZXhhbXBsZSBvZiBhIGZpbGUncyBkYXRhIGVuY29kZWQgaW4gYmFzZTY0Lg"
}
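The sample `data` value above is base64 without trailing `=` padding, which a strict decoder rejects. The following Python sketch is an added example, not part of the Splunk documentation, showing one way to decode this response defensively; `decode_attachment`, `MAX_BYTES` and the optional `expected_size` comparison against a file record's `size` field are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import json

# Assumed local safety limit for decoded attachments; not an API limit.
MAX_BYTES = 10 * 1024 * 1024

# Response body copied from the sample above (note: no "=" padding).
SAMPLE_RESPONSE = (
    '{"data": "SGksIHRoaXMgaXMgYW4gZXhhbXBsZSBvZiBhIGZpbGUncyBkYXRh'
    'IGVuY29kZWQgaW4gYmFzZTY0Lg"}'
)


def decode_attachment(response_body, expected_size=None, max_bytes=MAX_BYTES):
    """Return (raw_bytes, sha256_hex) for a file-contents response body.

    expected_size is optional; passing the file record's "size" value
    assumes that field counts decoded bytes.
    """
    doc = json.loads(response_body)
    data = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(data, str):
        raise ValueError('response has no string "data" field')

    text = data.strip().rstrip("=")
    # Bound the decoded size before allocating (4 chars encode 3 bytes).
    if len(text) * 3 // 4 > max_bytes:
        raise ValueError("attachment exceeds local size limit")
    # A remainder of 1 can never be valid base64: the data was cut off.
    if len(text) % 4 == 1:
        raise ValueError("truncated base64 data")

    padded = text + "=" * (-len(text) % 4)
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError("data is not valid base64") from exc

    if expected_size is not None and len(raw) != expected_size:
        raise ValueError("decoded length does not match expected size")
    return raw, hashlib.sha256(raw).hexdigest()


if __name__ == "__main__":
    content, digest = decode_attachment(SAMPLE_RESPONSE)
    print(len(content), digest)
```

Recording the SHA-256 of the decoded bytes in the incident note gives later analysis a stable reference to the exact content that was retrieved.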
Retrieve a task ID by providing the incident ID, phase name, and response template name. The response matches the data available for dispatch to automation.
id required | string The |
response_template_name required | string The name of the response template. |
phase_name required | string The name of the phase you want to retrieve the phase ID from. |
task_name required | string The name of the task you want to retrieve the task ID from. |
{
  "task_id": "74730fac-1d5c-4713-bef5-d30ed1c62188"
}
Get all the notes from a response plan task.
id required | string The |
response_plan_id required | string The ID of the response plan. |
phase_id required | string The ID of the phase from the response plan. |
task_id required | string The ID of the task from the response plan. |
[
  {
    "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
    "title": "Create ticket - Task Note - 1",
    "author": {
      "username": "admin"
    },
    "last_edited_by": "bob@splunk.com",
    "response_plan_info": {
      "response_plan": {
        "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
        "name": "Response Plan - 1"
      },
      "response_phase": {
        "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
        "name": "Response Phase - 1"
      },
      "response_task": {
        "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
        "name": "Response Task - 1"
      }
    },
    "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
    "source_type": "Task",
    "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
    "content": "Note for task Create Ticket",
    "files": [
      "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
    ],
    "create_time": 1676494561.553658,
    "update_time": 1676494561.553894
  }
]
Get tasks of an incident in Splunk Mission Control.
id required | string The |
[
  {
    "id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd",
    "name": "Create ticket",
    "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
    "order": 1,
    "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
    "owner": "admin",
    "is_note_required": false,
    "start_time": 1676493726.238174,
    "end_time": 1676493727.238301,
    "suggestions": {
      "actions": [
        {
          "id": "876ab1de-d825-43c0-8b6c-e30c959d9044",
          "name": "geolocate ip - MaxMind",
          "description": "This action validates the configuration of an asset.",
          "type": "geolocate ip",
          "last_job_id": 0,
          "action": 1394,
          "app_id": 169,
          "asset": 1,
          "parameters": [
            {
              "ip": "1.1.1.1"
            }
          ],
          "update_time": 1676495407.1743503,
          "create_time": 1676495280.719768
        }
      ],
      "playbooks": [
        {
          "id": "f18a9b47-9e34-435b-8f72-c13b82609ee6",
          "last_job_id": 0,
          "playbook_id": "community/suspicious_email_domain_enrichment",
          "name": "suspicious_email_domain_enrichment",
          "description": "This playbook geolocates an address.",
          "scope": "all",
          "update_time": 1676495407.17426,
          "create_time": 1676495280.719677
        }
      ],
      "searches": [
        {
          "id": "f03af0f8-2e9d-463f-a50b-790dbdd44d5d",
          "name": "Access - Access Over Time By App",
          "spl": "%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app",
          "description": "Use Splunk searches to list the stats for app accessing",
          "update_time": 1676496024.7015831,
          "create_time": 1676495280.719843
        }
      ]
    },
    "notes": [
      {
        "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
        "title": "Create ticket - Task Note - 1",
        "author": {
          "username": "admin"
        },
        "last_edited_by": "bob@splunk.com",
        "response_plan_info": {
          "response_plan": {
            "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
            "name": "Response Plan - 1"
          },
          "response_phase": {
            "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
            "name": "Response Phase - 1"
          },
          "response_task": {
            "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
            "name": "Response Task - 1"
          }
        },
        "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
        "source_type": "Task",
        "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
        "content": "Note for task Create Ticket",
        "files": [
          "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
        ],
        "create_time": 1676494561.553658,
        "update_time": 1676494561.553894
      }
    ],
    "files": [
      {
        "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
        "file_name": "splunk-logo-dark.svg",
        "incident_type": "threat investigation",
        "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
        "response_plan_info": {
          "response_plan": {
            "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
            "name": "Response Plan - 1"
          },
          "response_phase": {
            "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
            "name": "Response Phase - 1"
          },
          "response_task": {
            "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
            "name": "Response Task - 1"
          }
        },
        "reference_list": [
          "1982c0a4-b710-4827-856d-0a9c4f77e70b"
        ],
        "size": 5829,
        "source_type": "Task",
        "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
        "source_user": "admin",
        "created_on": 1676494088.786956,
        "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
        "_user": ""
      }
    ],
    "response_plan_id": "5c674507-50c2-4a94-b458-fdcb5eec333d",
    "phase_id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40"
  }
]
Remove summary fields. If a specified field does not exist, this action has no effect.
incident_id required | string The |
field_names required | Array of strings The names of summary fields to remove from the incident. |
{
  "incident_id": "1982c0a4-b710-4827-856d-0a9c4f77e70b",
  "field_names": [
    "dest_country_name",
    "src_country_name"
  ]
}
{
  "id": "1982c0a4-b710-4827-856d-0a9c4f77e70b"
}
Set the current response plan phase of an incident.
id required | string The |
Dictionary of response plan ID and phase ID
response_plan_id required | string The ID of the response plan. |
phase_id required | string The ID of the response plan phase. |
{
  "response_plan_id": "c674507-50c2-4a94-b458-fdcb5eec333d",
  "phase_id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40"
}
{
  "message": "Current phase was set successfully"
}
Set summary fields on an incident. Fields that already exist will be updated. Fields that don’t exist yet will be created.
parameters
incident_id required | string The |
pairs required | Array of objects A list of fields to set on the incident. |
{
  "incident_id": "1982c0a4-b710-4827-856d-0a9c4f77e70b",
  "pairs": [
    {
      "name": "dest_country_name",
      "value": "United Kingdom"
    }
  ]
}
{
  "id": "1982c0a4-b710-4827-856d-0a9c4f77e70b"
}
Update events in Splunk Mission Control.
parameters
incident_id required | string The |
event_id required | string The ID of the event that will be updated. |
pairs required | Array of objects A list of fields that describe the event. |
{
  "incident_id": "1982c0a4-b710-4827-856d-0a9c4f77e70b",
  "event_id": "1982c0a4-b710-4827-856d-0a9c4f77e70b",
  "pairs": [
    {
      "name": "src_ip",
      "value": "8.8.8.8"
    }
  ]
}
{
  "id": "189c4f74-ede9-4e71-a435-829a5e91e377"
}
Update a Splunk Mission Control incident.
incident_id required | string The |
name | string The name of the incident. |
description | string The description of the incident. |
incident_type | string The incident type of the incident. Incident types are used to categorize related incidents by use case or source. |
disposition | string The classification of the incident. For example, “True Positive - Suspicious Activity” or “False Positive - Incorrect Analytic Logic”. |
status | string The status of the incident. For example, “New” or “In Progress”. |
assignee | string The person or group assigned to the incident. |
urgency | string Enum: "informational" "low" "medium" "high" "critical" The urgency of the incident. Valid choices are informational, low, medium, high, or critical. |
sensitivity | string Enum: "White" "Green" "Amber" "Red" "Unassigned" The sensitivity of the incident. Valid choices are White, Green, Amber, Red, or Unassigned. |
{
  "name": "Sample Threat Activity Detection",
  "description": "Sample Incident for Mission Control",
  "incident_type": "threat investigation",
  "disposition": "True Positive - Suspicious Activity",
  "status": "New",
  "assignee": "admin",
  "urgency": "informational",
  "sensitivity": "Red"
}
{
  "id": "1982c0a4-b710-4827-856d-0a9c4f77e70b"
}
Update a note in an incident.
id required | string The |
note_id required | string The ID of the note from the response plan task. |
title | string The title of the note. |
content | string The data stored within the note. |
files | Array of strings An array of file IDs to add to a note. |
{
  "title": "Create ticket - Task Note - 1",
  "content": "Note for task Create Ticket",
  "files": [
    "f0ea1f3cbabf013f3e7fc4c88077aabff50c7e0847c0112a8269fc2c9a6bb2bd",
    "f7ec3cdc1bb01ef3507d4e814568d325c69fed63232bdc04565c5cac627027c6"
  ]
}
{
  "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
  "title": "Create ticket - Task Note - 1",
  "author": {
    "username": "admin"
  },
  "last_edited_by": "bob@splunk.com",
  "response_plan_info": {
    "response_plan": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Plan - 1"
    },
    "response_phase": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Phase - 1"
    },
    "response_task": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Task - 1"
    }
  },
  "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "source_type": "Task",
  "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "content": "Note for task Create Ticket",
  "files": [
    "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
  ],
  "create_time": 1676494561.553658,
  "update_time": 1676494561.553894
}
Update a specific response plan task in current response plan phase.
id required | string The |
task_id required | string The ID of the task from a response plan. |
Response Task Object
name | string The name of the task. |
order | integer The order of the task in respect to all tasks in the phase. |
description | string The description of the task. |
status | string Enum: "Started" "Ended" "Reopened" "Pending" The status of the task. Available options are Started, Ended, or Reopened. |
owner | string The owner of the task. |
is_note_required | boolean Determines whether a note is required to be created in order to complete or end the task. |
{
  "name": "Create ticket",
  "order": 1,
  "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
  "status": "Started",
  "owner": "admin",
  "is_note_required": false
}
{
  "code": "MC_0100",
  "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  "message": "Oops...something went wrong."
}
Update a note in a task.
id required | string The |
response_plan_id required | string The ID of the response plan. |
phase_id required | string The ID of the phase from the response plan. |
task_id required | string The ID of the task from the response plan. |
note_id required | string The ID of the note from the response plan task. |
title | string The title of the note. |
content | string The data stored within the note. |
files | Array of strings An array of file IDs to add to a note. |
{
  "title": "Create ticket - Task Note - 1",
  "content": "Note for task Create Ticket",
  "files": [
    "f0ea1f3cbabf013f3e7fc4c88077aabff50c7e0847c0112a8269fc2c9a6bb2bd",
    "f7ec3cdc1bb01ef3507d4e814568d325c69fed63232bdc04565c5cac627027c6"
  ]
}
{
  "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
  "title": "Create ticket - Task Note - 1",
  "author": {
    "username": "admin"
  },
  "last_edited_by": "bob@splunk.com",
  "response_plan_info": {
    "response_plan": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Plan - 1"
    },
    "response_phase": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Phase - 1"
    },
    "response_task": {
      "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
      "name": "Response Task - 1"
    }
  },
  "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "source_type": "Task",
  "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  "content": "Note for task Create Ticket",
  "files": [
    "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
  ],
  "create_time": 1676494561.553658,
  "update_time": 1676494561.553894
}