API docs by Redocly

Splunk Mission Control Automation API Reference (3.1.0)

Download OpenAPI specification:Download

The Splunk Mission Control Automation API allows your team to automate their response to Mission Control incidents using Splunk SOAR playbooks. This API documentation corresponds to the actions available in the Mission Control block in the Splunk SOAR Visual Playbook Editor (VPE). To learn more about the Mission Control block, see Use Splunk Mission Control data in Splunk SOAR (Cloud) playbooks in Investigate and Respond to Threats in Splunk Mission Control. The following APIs are not applicable for use cases outside of the Mission Control/SOAR integration. Any other use of these or other Mission Control APIs is not supported.

Mission Control

add incident file

Add an attachment to the KV Store.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

Request Body schema: application/json
file_name
required
string

The name of the uploaded file. Include the file extension.

data
required
string

The file data. This data is base64 encoded.

source_type
required
string
Enum: "Note" "Incident"

The source type of the file.

Responses

Request samples

Content type
application/json
{
  • "file_name": "Test_File.txt",
  • "data": "aGkgdGhpcyBpcyBhIHRlc3QgZmlsZQ==",
  • "source_type": "Incident"
}

Response samples

Content type
application/json
{
  • "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
  • "file_name": "splunk-logo-dark.svg",
  • "incident_type": "threat investigation",
  • "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "response_plan_info": {
    },
  • "reference_list": [
    ],
  • "size": 5829,
  • "source_type": "Task",
  • "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "source_user": "admin",
  • "created_on": 1676494088.786956,
  • "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
  • "_user": ""
}

add incident note

Add the note to the incident.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident that the event is associated with.

Request Body schema: application/json
title
required
string

The title of the response plan note.

content
required
string

The data stored within the note.

files
Array of strings

An array of file IDs to add to a note.

Responses

Request samples

Content type
application/json
{
  • "title": "Create ticket - Task Note - 1",
  • "content": "Note for task Create Ticket",
  • "files": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
  • "title": "Create ticket - Task Note - 1",
  • "author": {
    },
  • "last_edited_by": "bob@splunk.com",
  • "response_plan_info": {
    },
  • "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "source_type": "Task",
  • "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "content": "Note for task Create Ticket",
  • "files": [
    ],
  • "create_time": 1676494561.553658,
  • "update_time": 1676494561.553894
}

add response plan

Apply a response template to an incident.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

Request Body schema: application/json
response_template_id
required
string

The ID of the response template to be applied.

Responses

Request samples

Content type
application/json
{
  • "response_template_id": "142ba3eb-1fd9-4cb3-a040-e139aac107ff"
}

Response samples

Content type
application/json
{
  • "id": "5c674507-50c2-4a94-b458-fdcb5eec333d",
  • "version": 1,
  • "is_default": true,
  • "source_template_id": "142ba3eb-1fd9-4cb3-a040-e139aac107ff",
  • "create_time": 1676492834.50028,
  • "update_time": 1676492834.500499,
  • "name": "Suspicious Email",
  • "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods.",
  • "template_status": "published",
  • "creator": "Splunk",
  • "updated_by": "Splunk",
  • "phases": [
    ]
}

add task

Add a task to the response plan phase you are currently working on.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

Request Body schema: application/json
required

Response task object

name
required
string

The name of the task.

order
required
integer

The order of the task in respect to all tasks in the phase.

description
string

The description of the task.

owner
string

The owner of the task.

is_note_required
boolean

Determines whether a note is required to be created in order to complete or end the task.

Responses

Request samples

Content type
application/json
{
  • "name": "Create ticket",
  • "order": 1,
  • "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
  • "owner": "admin",
  • "is_note_required": false
}

Response samples

Content type
application/json
{
  • "code": "MC_0100",
  • "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  • "message": "Oops...something went wrong."
}

add task file

Add an attachment to a task.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

response_plan_id
required
string

The ID of the response plan.

phase_id
required
string

The ID of the phase from the response plan.

task_id
required
string

The ID of the task from the response plan.

Request Body schema: application/json
file_name
required
string

The name of the file to be uploaded. Be sure to include the file extension.

data
required
string

The file data. This data is base64 encoded.

Responses

Request samples

Content type
application/json
{
  • "file_name": "splunk-logo-dark.svg",
  • "data": "SGksIHRoaXMgaXMgYW4gZXhhbXBsZSBvZiBhIGZpbGUncyBkYXRhIGVuY29kZWQgaW4gYmFzZTY0Lg=="
}

Response samples

Content type
application/json
{
  • "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
  • "file_name": "splunk-logo-dark.svg",
  • "incident_type": "threat investigation",
  • "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "response_plan_info": {
    },
  • "reference_list": [
    ],
  • "size": 5829,
  • "source_type": "Task",
  • "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "source_user": "admin",
  • "created_on": 1676494088.786956,
  • "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
  • "_user": ""
}

add task note

Add a note to a task. The author and update time are populated automatically.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

response_plan_id
required
string

The ID of the response plan.

phase_id
required
string

The ID of the phase from the response plan.

task_id
required
string

The ID of the task from the response plan.

Request Body schema: application/json
title
required
string

The title of the response plan note.

content
required
string

The data stored within the note.

files
Array of strings

An array of file IDs to add to a note.

Responses

Request samples

Content type
application/json
{
  • "title": "Create ticket - Task Note - 1",
  • "content": "Note for task Create Ticket",
  • "files": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
  • "title": "Create ticket - Task Note - 1",
  • "author": {
    },
  • "last_edited_by": "bob@splunk.com",
  • "response_plan_info": {
    },
  • "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "source_type": "Task",
  • "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "content": "Note for task Create Ticket",
  • "files": [
    ],
  • "create_time": 1676494561.553658,
  • "update_time": 1676494561.553894
}

create event

Create events in Splunk Mission Control.

Request Body schema: application/json
incident_id
required
string

The id (GUID) or the display_id of the incident.

required
Array of objects

A list of fields that describe the event.

Responses

Request samples

Content type
application/json
{
  • "incident_id": "1982c0a4-b710-4827-856d-0a9c4f77e70b",
  • "pairs": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "189c4f74-ede9-4e71-a435-829a5e91e377"
}

create incident

Create an incident in Splunk Mission Control.

Request Body schema: application/json
required

Request payload for a single incident.

name
required
string

The name of the incident.

incident_origin
string

Where the incident came from. For example, Splunk Enterprise Security, a risk-based alerting notable, or a Splunk Mission Control incident.

description
string

The description of the incident.

incident_type
required
string

The incident type of the incident. Incident types are used to categorize related incidents by use case or source.

disposition
string

The classification of the incident. For example, “True Positive - Suspicious Activity” or “False Positive - Incorrect Analytic Logic”.

status
string

The status of the incident. For example, “New” or “In Progress”.

assignee
string

The person or group assigned to the incident.

urgency
string
Enum: "informational" "low" "medium" "high" "critical"

The urgency of the incident. Valid choices are informational, low, medium, high, or critical.

sensitivity
string
Enum: "White" "Green" "Amber" "Red" "Unassigned"

The sensitivity of the incident. Valid choices are White, Green, Amber, Red, or Unassigned.

Responses

Request samples

Content type
application/json
{
  • "name": "Sample Threat Activity Detection",
  • "incident_origin": "ES Notable Event",
  • "description": "Sample Incident for Mission Control",
  • "incident_type": "threat investigation",
  • "disposition": "True Positive - Suspicious Activity",
  • "status": "New",
  • "assignee": "admin",
  • "urgency": "informational",
  • "sensitivity": "Red"
}

Response samples

Content type
application/json
{
  • "id": "1982c0a4-b710-4827-856d-0a9c4f77e70b"
}

delete event

Delete an event that is part of an incident.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident that the event is associated with.

event_id
required
string

The ID of the event to be deleted.

Responses

Response samples

Content type
application/json
{
  • "id": "e3490048-4b7e-4e46-b01c-663f4ea725de"
}

delete incident file

Delete an incident file from the KV store.

Authorizations:
BearerAuth
path Parameters
id
required
string
Example: 74730fac-1d5c-4713-bef5-d30ed1c62188

The id (GUID) or the display_id of the incident.

attachment_id
required
string

The attachment ID of the file to be deleted.

Responses

Response samples

Content type
application/json
{
  • "code": "MC_0100",
  • "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  • "message": "Oops...something went wrong."
}

delete incident note

Delete a note in an incident.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

note_id
required
string

The ID of the note from the response plan task.

Responses

Response samples

Content type
application/json
{
  • "code": "MC_0100",
  • "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  • "message": "Oops...something went wrong."
}

delete task file

Delete the attachment from a task and from the collection, if applicable.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

response_plan_id
required
string

The ID of the response plan.

phase_id
required
string

The ID of the phase from the response plan.

task_id
required
string

The ID of the task from the response plan.

file_id
required
string

The unique ID of the file.

Responses

Response samples

Content type
application/json
{
  • "code": "MC_0100",
  • "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  • "message": "Oops...something went wrong."
}

delete task note

Delete the note and attachments from a task.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

response_plan_id
required
string

The ID of the response plan.

phase_id
required
string

The ID of the phase from the response plan.

task_id
required
string

The ID of the task from the response plan.

note_id
required
string

The ID of the note from the response plan task.

Responses

Response samples

Content type
application/json
{
  • "code": "MC_0100",
  • "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  • "message": "Oops...something went wrong."
}

get file

Download an attachment added within the incident.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

attachment_id
required
string

The ID of the file from the response plan.

Responses

Response samples

Content type
application/json
{
  • "code": "MC_0100",
  • "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  • "message": "Oops...something went wrong."
}

get files in incident

Return all files from an incident.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

Responses

Response samples

Content type
application/json
{
  • "items": [
    ],
  • "skip": 0,
  • "limit": 0,
  • "total": 0
}

get incident

Retrieve an incident by the incident GUID or display ID without running a search. The response matches the data available for dispatch to automation.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

query Parameters
include_parent_child
string
Enum: "True" "true" "t" "1" "False" "false" "f" "0"
Example: include_parent_child=true

Optional flag to include the consolidated summary and a mapping of where these values have originated from.

Responses

Response samples

Content type
application/json
{
  • "id": "00000000-0000-0000-0000-000000000000",
  • "display_id": "MC-00001",
  • "name": "Sample Threat Activity Detection",
  • "create_time": 1676497520,
  • "mc_create_time": 1676497763.861311,
  • "update_time": 1676497800.160927,
  • "incident_origin": "ES Notable Event",
  • "source": "Threat - Mission Control - Sample ES Notables - Rule",
  • "description": "Sample Incident for Mission Control",
  • "incident_type": "threat investigation",
  • "notable_id": "A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9",
  • "disposition": "disposition:1",
  • "disposition_name": "True Positive - Suspicious Activity",
  • "response_plans": [
    ],
  • "status": 1,
  • "status_name": "New",
  • "assignee": "admin",
  • "urgency": "informational",
  • "sensitivity": "Red",
  • "sla": {
    },
  • "es_notable_fields": [
    ],
  • "attachments": [
    ],
  • "notes": [
    ],
  • "current_response_plan_phase": {
    },
  • "parent_incidents": [ ],
  • "child_incidents": {
    },
  • "summary": {
    },
  • "consolidated_summary": {
    },
  • "incident_summary_mapping": {
    }
}

get notes in incident

Get notes from the incident.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident that the event is associated with.

query Parameters
search
string

Keywords to be searched for in the title or content of notes.

type
string
Enum: "Task" "Incident" "All"

The source type of a note. Only notes of this type will be returned.

Responses

Response samples

Content type
application/json
{
  • "items": [
    ],
  • "skip": 0,
  • "limit": 0,
  • "total": 0
}

get phase

Get current response plan phase of an incident.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

Responses

Response samples

Content type
application/json
{
  • "id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40",
  • "name": "Ingestion",
  • "order": 1,
  • "create_time": 1676492834.50028,
  • "update_time": 1676492834.500499,
  • "tasks": [
    ]
}

get phase id

Retrieve a phase ID by providing the incident ID, phase name, and response template name. The response matches the data available for dispatch to automation.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

query Parameters
response_template_name
required
string

The name of the response template.

phase_name
required
string

The name of the phase you want to retrieve the phase ID from.

Responses

Response samples

Content type
application/json
{
  • "phase_id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd"
}

get response templates

Get all response templates within Splunk Mission Control.

Authorizations:
BearerAuth
query Parameters
skip
integer

Used as part of pagination. Internal use only.

limit
integer

Used as part of pagination. Internal use only.

Responses

Response samples

Content type
application/json
{
  • "items": [
    ],
  • "skip": 0,
  • "limit": 0,
  • "total": 0
}

get task

Get a specific response plan task from the current response plan phase.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

task_id
required
string

The ID of the task from the response plan.

Responses

Response samples

Content type
application/json
{
  • "id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd",
  • "name": "Create ticket",
  • "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
  • "status": "Started",
  • "order": 1,
  • "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
  • "owner": "admin",
  • "is_note_required": false,
  • "start_time": 1676493726.238174,
  • "end_time": 1676493727.238301,
  • "suggestions": {
    },
  • "notes": [
    ],
  • "files": [
    ],
  • "create_time": 1689110850.869705,
  • "update_time": 1689110850.869705,
  • "total_time_taken": 2
}

get task file

Get the base64 file contents from an attachment in a task.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

response_plan_id
required
string

The ID of the response plan.

phase_id
required
string

The ID of the phase from the response plan.

task_id
required
string

The ID of the task from the response plan.

file_id
required
string

The unique ID of the file.

Responses

Response samples

Content type
application/json
{
  • "data": "SGksIHRoaXMgaXMgYW4gZXhhbXBsZSBvZiBhIGZpbGUncyBkYXRhIGVuY29kZWQgaW4gYmFzZTY0Lg"
}

get task id

Retrieve a task ID by providing the incident ID, phase name, and response template name. The response matches the data available for dispatch to automation.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

query Parameters
response_template_name
required
string

The name of the response template.

phase_name
required
string

The name of the phase you want to retrieve the phase ID from.

task_name
required
string

The name of the task you want to retrieve the task ID from.

Responses

Response samples

Content type
application/json
{
  • "task_id": "74730fac-1d5c-4713-bef5-d30ed1c62188"
}

get task notes

Get all the notes from a response plan task.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

response_plan_id
required
string

The ID of the response plan.

phase_id
required
string

The ID of the phase from the response plan.

task_id
required
string

The ID of the task from the response plan.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

get tasks

Get tasks of an incident in Splunk Mission Control.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

remove summary fields

Remove summary fields. If a specified field does not exist, this action has no affect.

Request Body schema: application/json
required
incident_id
required
string

The id (GUID) or the display_id of the incident.

field_names
required
Array of strings

The names of summary fields to remove from the incident.

Responses

Request samples

Content type
application/json
{
  • "incident_id": "1982c0a4-b710-4827-856d-0a9c4f77e70b",
  • "field_names": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "1982c0a4-b710-4827-856d-0a9c4f77e70b"
}

set phase

Set the current response plan phase of an incident.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

Request Body schema: application/json
required

Dictionary of response plan ID and phase ID

response_plan_id
required
string

The ID of the response plan.

phase_id
required
string

The ID of the response plan phase.

Responses

Request samples

Content type
application/json
{
  • "response_plan_id": "c674507-50c2-4a94-b458-fdcb5eec333d",
  • "phase_id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40"
}

Response samples

Content type
application/json
{
  • "message": "Current phase was set successfully"
}

set summary fields

Set summary fields on an incident. Fields that already exist will be updated. Fields that don’t exist yet will be created.

Request Body schema: application/json
required

parameters

incident_id
required
string

The id (GUID) or the display_id of the incident.

required
Array of objects

A list of fields to set on the incident.

Responses

Request samples

Content type
application/json
{
  • "incident_id": "1982c0a4-b710-4827-856d-0a9c4f77e70b",
  • "pairs": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "1982c0a4-b710-4827-856d-0a9c4f77e70b"
}

update event

Update events in Splunk Mission Control.

Request Body schema: application/json
required

parameters

incident_id
required
string

The id (GUID) or the display_id of the incident.

event_id
required
string

The ID of the event that will be updated.

required
Array of objects

A list of fields that describe the event.

Responses

Request samples

Content type
application/json
{
  • "incident_id": "1982c0a4-b710-4827-856d-0a9c4f77e70b",
  • "event_id": "1982c0a4-b710-4827-856d-0a9c4f77e70b",
  • "pairs": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "189c4f74-ede9-4e71-a435-829a5e91e377"
}

update incident

Update a Splunk Mission Control incident.

path Parameters
incident_id
required
string

The id (GUID) or the display_id of the incident.

Request Body schema: application/json
required

Update a Splunk Mission Control incident.

name
string

The name of the incident.

description
string

The description of the incident.

incident_type
string

The incident type of the incident. Incident types are used to categorize related incidents by use case or source.

disposition
string

The classification of the incident. For example, “True Positive - Suspicious Activity” or “False Positive - Incorrect Analytic Logic”.

status
string

The status of the incident. For example, “New” or “In Progress”.

assignee
string

The person or group assigned to the incident.

urgency
string
Enum: "informational" "low" "medium" "high" "critical"

The urgency of the incident. Valid choices are informational, low, medium, high, or critical.

sensitivity
string
Enum: "White" "Green" "Amber" "Red" "Unassigned"

The sensitivity of the incident. Valid choices are White, Green, Amber, Red, or Unassigned.

Responses

Request samples

Content type
application/json
{
  • "name": "Sample Threat Activity Detection",
  • "description": "Sample Incident for Mission Control",
  • "incident_type": "threat investigation",
  • "disposition": "True Positive - Suspicious Activity",
  • "status": "New",
  • "assignee": "admin",
  • "urgency": "informational",
  • "sensitivity": "Red"
}

Response samples

Content type
application/json
{
  • "id": "1982c0a4-b710-4827-856d-0a9c4f77e70b"
}

update incident note

Update a note in an incident.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

note_id
required
string

The ID of the note from the response plan task.

Request Body schema: application/json
title
string

The title of the note.

content
string

The data stored within the note.

files
Array of strings

An array of file IDs to add to a note.

Responses

Request samples

Content type
application/json
{
  • "title": "Create ticket - Task Note - 1",
  • "content": "Note for task Create Ticket",
  • "files": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
  • "title": "Create ticket - Task Note - 1",
  • "author": {
    },
  • "last_edited_by": "bob@splunk.com",
  • "response_plan_info": {
    },
  • "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "source_type": "Task",
  • "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "content": "Note for task Create Ticket",
  • "files": [
    ],
  • "create_time": 1676494561.553658,
  • "update_time": 1676494561.553894
}

update task

Update a specific response plan task in current response plan phase.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

task_id
required
string

The ID of the task from a response plan.

Request Body schema: application/json
required

Response Task Object

name
string

The name of the task.

order
integer

The order of the task in respect to all tasks in the phase.

description
string

The description of the task.

status
string
Enum: "Started" "Ended" "Reopened" "Pending"

The status of the task. Available options are Started, Ended, or Reopened.

owner
string

The owner of the task.

is_note_required
boolean

Determines whether a note is required to be created in order to complete or end the task.

Responses

Request samples

Content type
application/json
{
  • "name": "Create ticket",
  • "order": 1,
  • "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
  • "status": "Started",
  • "owner": "admin",
  • "is_note_required": false
}

Response samples

Content type
application/json
{
  • "code": "MC_0100",
  • "requestId": "74730fac-1d5c-4713-bef5-d30ed1c62188",
  • "message": "Oops...something went wrong."
}

update task note

Update a note in a task.

Authorizations:
BearerAuth
path Parameters
id
required
string

The id (GUID) or the display_id of the incident.

response_plan_id
required
string

The ID of the response plan.

phase_id
required
string

The ID of the phase from the response plan.

task_id
required
string

The ID of the task from the response plan.

note_id
required
string

The ID of the note from the response plan task.

Request Body schema: application/json
title
string

The title of the note.

content
string

The data stored within the note.

files
Array of strings

An array of file IDs to add to a note.

Responses

Request samples

Content type
application/json
{
  • "title": "Create ticket - Task Note - 1",
  • "content": "Note for task Create Ticket",
  • "files": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
  • "title": "Create ticket - Task Note - 1",
  • "author": {
    },
  • "last_edited_by": "bob@splunk.com",
  • "response_plan_info": {
    },
  • "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "source_type": "Task",
  • "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
  • "content": "Note for task Create Ticket",
  • "files": [
    ],
  • "create_time": 1676494561.553658,
  • "update_time": 1676494561.553894
}