POST https://api.picussecurity.com/v1/threat-library/actions
Creates custom actions with given arguments
About
The Create Action endpoint creates a custom action with the specified parameters and processes. You create an action by giving it a name, defining its attack module and category, and listing its execution processes. Each action contains play processes, which define the execution steps, and optional rewind processes, which clean up after the action has run.
- At least one play process must be provided
- Attack module and category define the action's classification
- Process result and action result define the expected outcomes
Process IDs: use the Process List endpoint to look up the available processes and choose the ones the action should execute.
Once the action has been created, the response returns its id and a summary of the action; use the id to refer to the action in subsequent requests.
Example for Basic Action Creation
Create a simple action with a single play process.
curl --location 'https://api.picussecurity.com/v1/threat-library/actions' \
--header 'Authorization: Bearer access_token' \
--header 'Content-Type: application/json' \
--data '{
  "name": "Apidoc-Example-Action",
  "description": "description",
  "attack_module": "Endpoint Scenario",
  "category": "Attack Scenario",
  "affected_os": ["Windows"],
  "ukc_phase_id": 7,
  "use_case": "Sensitive Data Exposure",
  "sources": [],
  "affected_platform_ids": [1],
  "tags": ["APT 10"],
  "process_result": "P1",
  "action_result": "unblocked",
  "tactic_id": 6,
  "technique_id": 25,
  "is_privileged": false,
  "is_sensitive_content": false,
  "keyword": "(((\"path\" AND \"argument\") OR (\"cs-log\") OR (\"e612e63113f6600a44782d73df090e11\" OR \"663d34ee57fe906e5b17b1d86251c79f127b2f53\" OR \"4f58703573fb0aae3d6579030a78758f2f5f2fd4e8cc0cc686d0dfeda13b6360\")) AND NOT ((\"PICUS_REWIND\") OR (\"File created:\" AND (\"Scenarios\" OR \"Simulation\"))))",
  "play_processes": [
    {
      "cond_name": 1,
      "process_id": 1015385,
      "rank": 1,
      "is_blocked": "unblocked"
    }
  ],
  "rewind_processes": []
}'
Example response:
{
  "action": {
    "id": 1026424,
    "created_at": "2025-06-24T07:54:13.161602715Z",
    "name": "Apidoc-Example-Action",
    "description": "description",
    "tags": [
      "APT 10"
    ],
    "display_id": 1000013
  }
}
Fields
Field Name | Required | Type | Constraints | Default Value | Options/Examples | Description |
---|---|---|---|---|---|---|
name | ✅ Yes | String | Max 255 characters | - | - | The name of the custom action |
attack_module | ✅ Yes | String | Max 100 characters | - | "Endpoint Scenario", "Network Infiltration", "Web Application" | Defines the attack module category |
category | ✅ Yes | String | Max 100 characters | - | "Attack Scenario", "Post-Exploitation" | Defines the action category |
play_processes | ❌ No | Array | - | - | See process object sub-fields below | Defines the execution processes for the action |
play_processes.cond_name | ✅ Yes | String | Min: 1, Max: 100 | - | - | Condition name for the process |
play_processes.process_id | ✅ Yes | Integer | Min: 1000000 | - | - | Process ID for execution |
play_processes.is_blocked | ✅ Yes | Boolean | - | - | true (Blocked), false (Allowed) | Block status for the process |
play_processes.rank | ✅ Yes | Integer | Min: 1 | - | Execution order numbers | Execution order for the process |
description | ❌ No | String | Max 1000 characters | - | - | Detailed information about the action's purpose, behavior, or attack methodology |
title | ✅ Yes | String | Max 100 characters | - | "Download", "Execute" | Title for the action (used in UI) |
affected_os | ❌ No | Array | - | - | "Windows", "Linux", "macOS" | Operating systems where the action can be executed |
ukc_phase_id | ✅ Yes | Integer | - | - | Phase identifiers (1-8) | Unified Kill Chain phase identifier |
use_case | ❌ No | String | - | - | "Sensitive Data Exposure", "Privilege Escalation" | Describes the action's use case |
sources | ❌ No | Array | - | - | ["EDR"], ["Log files", "Endpoint monitoring"] | Detection sources for the action |
affected_platform_ids | ❌ No | Array | - | - | Array of platform identifiers | Platform identifiers where action applies |
tags | ❌ No | Array | - | - | ["APT 10"], ["MITRE ATT&CK", "Privilege Escalation"] | Tags for categorizing the action |
process_result | ❌ No | String | - | - | "P1", "Success" | Expected process execution result |
action_result | ❌ No | String | - | - | "unblocked", "Privileges escalated" | Expected action outcome |
tactic_id | ❌ No | Integer | - | - | MITRE ATT&CK tactic IDs | MITRE ATT&CK tactic identifier |
technique_id | ❌ No | Integer | - | - | MITRE ATT&CK technique IDs | MITRE ATT&CK technique identifier |
is_privileged | ❌ No | Boolean | - | false | true (Requires elevated privileges), false (No special privileges) | Whether the action requires elevated privileges |
is_sensitive_content | ❌ No | Boolean | - | false | true (Contains sensitive info), false (No sensitive content) | Whether the action contains sensitive information |
keyword | ❌ No | String | - | - | Detection keywords and logic | Detection keywords and logic for the action |
rewind_processes | ❌ No | Array | - | - | Same structure as play_processes | Optional cleanup processes to revert action effects |
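The following added example (not Picus's own client code) shows how a caller can check a Create Action body against the constraints in the Fields table above before sending it, so that a bad request is rejected locally rather than by the API, and then submit it with the bearer token and JSON content type shown in the curl example. The endpoint URL, field names, length limits, the 1-8 phase range and the "at least one play process" rule all come from this page; the PICUS_ACCESS_TOKEN environment variable, the helper names and the injectable `send` transport are assumptions. Note that the page's curl example sends cond_name as an integer and is_blocked as the string "unblocked", whereas the Fields table types them as a string and a boolean; the body built here follows the table.

```python
"""Validate a Create Action body against the documented constraints, then POST it.

Added example, not Picus's own client. Endpoint URL, field names and limits come
from the page; the PICUS_ACCESS_TOKEN variable name and helper names are assumed.
"""
import json
import os
import urllib.request

ENDPOINT = "https://api.picussecurity.com/v1/threat-library/actions"

# Length and range limits taken from the Fields table
STRING_LIMITS = {"name": 255, "attack_module": 100, "category": 100, "title": 100}
MAX_DESCRIPTION = 1000
MIN_PROCESS_ID = 1_000_000
UKC_PHASES = range(1, 9)


def _is_int(value):
    """True for real integers only (bool is a subclass of int in Python)."""
    return isinstance(value, int) and not isinstance(value, bool)


def validate_process(proc, where):
    """Check one play/rewind process object against the documented sub-field rules."""
    errors = []
    cond = proc.get("cond_name")
    if not isinstance(cond, str) or not 1 <= len(cond) <= 100:
        errors.append(f"{where}.cond_name must be a string of 1-100 characters")
    if not _is_int(proc.get("process_id")) or proc["process_id"] < MIN_PROCESS_ID:
        errors.append(f"{where}.process_id must be an integer >= {MIN_PROCESS_ID}")
    if not isinstance(proc.get("is_blocked"), bool):
        errors.append(f"{where}.is_blocked must be a boolean")
    if not _is_int(proc.get("rank")) or proc["rank"] < 1:
        errors.append(f"{where}.rank must be an integer >= 1")
    return errors


def validate_action(body):
    """Return the list of constraint violations; an empty list means the body is acceptable."""
    errors = []
    for field, limit in STRING_LIMITS.items():
        value = body.get(field)
        if not isinstance(value, str) or not value:
            errors.append(f"{field} is required and must be a non-empty string")
        elif len(value) > limit:
            errors.append(f"{field} exceeds {limit} characters")
    desc = body.get("description")
    if desc is not None and (not isinstance(desc, str) or len(desc) > MAX_DESCRIPTION):
        errors.append(f"description exceeds {MAX_DESCRIPTION} characters")
    if not _is_int(body.get("ukc_phase_id")) or body["ukc_phase_id"] not in UKC_PHASES:
        errors.append("ukc_phase_id is required and must be an integer in 1-8")
    plays = body.get("play_processes")
    if not isinstance(plays, list) or not plays:
        errors.append("at least one play process must be provided")
    else:
        for i, proc in enumerate(plays):
            errors.extend(validate_process(proc, f"play_processes[{i}]"))
    # rewind_processes is optional but, when present, has the same structure
    for i, proc in enumerate(body.get("rewind_processes") or []):
        errors.extend(validate_process(proc, f"rewind_processes[{i}]"))
    return errors


def _http_post(url, payload, headers):
    """Default transport: POST the JSON payload and return the raw response bytes."""
    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def create_action(body, token, send=_http_post):
    """Validate, POST, and return the 'action' object (id, display_id, ...) from the response."""
    problems = validate_action(body)
    if problems:
        raise ValueError("request body rejected locally: " + "; ".join(problems))
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    raw = send(ENDPOINT, json.dumps(body).encode("utf-8"), headers)
    return json.loads(raw)["action"]


def example_body():
    """Constructed body mirroring the page's curl example, typed as the Fields table says
    (cond_name as a string, is_blocked as a boolean, title supplied because it is required)."""
    return {
        "name": "Apidoc-Example-Action",
        "title": "Execute",
        "description": "description",
        "attack_module": "Endpoint Scenario",
        "category": "Attack Scenario",
        "affected_os": ["Windows"],
        "ukc_phase_id": 7,
        "use_case": "Sensitive Data Exposure",
        "affected_platform_ids": [1],
        "tags": ["APT 10"],
        "process_result": "P1",
        "action_result": "unblocked",
        "tactic_id": 6,
        "technique_id": 25,
        "is_privileged": False,
        "is_sensitive_content": False,
        "play_processes": [
            {"cond_name": "1", "process_id": 1015385, "rank": 1, "is_blocked": False},
        ],
        "rewind_processes": [],
    }


if __name__ == "__main__":
    token = os.environ.get("PICUS_ACCESS_TOKEN")  # assumed variable name
    if not token:
        raise SystemExit("set PICUS_ACCESS_TOKEN to a valid access token")
    action = create_action(example_body(), token)
    print(f"created action id={action['id']} display_id={action['display_id']}")
```

The `send` parameter exists so the request path can be exercised against a fake transport without network access; in production the default `urllib` transport is used and the token is read from the environment rather than embedded in the script.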