# CreateAction

Creates custom actions with given arguments

## About

The Create Action endpoint creates a custom action from the parameters and processes you supply. You create an action by giving it a name, defining its attack module and category, and listing its execution processes. Each action contains play processes, which define the execution steps, and optional rewind processes, which clean up after the play processes have run.

  • At least one play process must be provided
  • Attack module and category define the action's classification
  • Process result and action result define the expected outcomes

Process IDs: use the Process List endpoint to look up the processes available to you and pick the ones to include in `play_processes` and `rewind_processes`.

The response returns the new action's `id` together with a summary of the created action; use the `id` in subsequent requests that reference the action.

## Example for Basic Action Creation

Create a simple action with a single play process.

```bash
curl --location 'https://api.picussecurity.com/v1/threat-library/actions' \
--header 'Authorization: Bearer access_token' \
--header 'Content-Type: application/json' \
--data '{
    "name": "Apidoc-Example-Action",
    "description": "description",
    "attack_module": "Endpoint Scenario",
    "category": "Attack Scenario",
    "affected_os": ["Windows"],
    "ukc_phase_id": 7,
    "use_case": "Sensitive Data Exposure",
    "sources": [],
    "affected_platform_ids": [1],
    "tags": ["APT 10"],
    "process_result": "P1",
    "action_result": "unblocked",
    "tactic_id": 6,
    "technique_id": 25,
    "is_privileged": false,
    "is_sensitive_content": false,
    "keyword": "(((\"path\" AND \"argument\") OR (\"cs-log\") OR (\"e612e63113f6600a44782d73df090e11\" OR \"663d34ee57fe906e5b17b1d86251c79f127b2f53\" OR \"4f58703573fb0aae3d6579030a78758f2f5f2fd4e8cc0cc686d0dfeda13b6360\")) AND NOT ((\"PICUS_REWIND\") OR (\"File created:\" AND (\"Scenarios\" OR \"Simulation\"))))",
    "play_processes": [
        {
            "cond_name": 1,
            "process_id": 1015385,
            "rank": 1,
            "is_blocked": "unblocked"
        }
    ],
    "rewind_processes": []
}'
```

Example response:

```json
{
    "action": {
        "id": 1026424,
        "created_at": "2025-06-24T07:54:13.161602715Z",
        "name": "Apidoc-Example-Action",
        "description": "description",
        "tags": [
            "APT 10"
        ],
        "display_id": 1000013
    }
}
```

Note that this request sends `cond_name` as an integer and `is_blocked` as the string `"unblocked"`, whereas the Fields table documents them as String and Boolean, and it omits `title`, which the table marks as required. When building your own requests, follow the Fields table and confirm the accepted types against the API's validation responses.

## Fields

| Field Name | Required | Type | Constraints | Default Value | Options/Examples | Description |
|---|---|---|---|---|---|---|
| name | ✅ Yes | String | Max 255 characters | | | The name of the custom action |
| attack_module | ✅ Yes | String | Max 100 characters | | "Endpoint Scenario", "Network Infiltration", "Web Application" | Defines the attack module category |
| category | ✅ Yes | String | Max 100 characters | | "Attack Scenario", "Post-Exploitation" | Defines the action category |
| play_processes | ⚠️ Conditional | Array | Required if category is "Attack Scenario" | | See process object sub-fields below | Defines the execution processes for the action |
| play_processes.cond_name | ✅ Yes | String | Min 1, Max 100 characters | | | Condition name for the process |
| play_processes.process_id | ✅ Yes | Integer | Min 1000000 | | | Process ID for execution |
| play_processes.is_blocked | ✅ Yes | Boolean | | | true (Blocked), false (Allowed) | Block status for the process |
| play_processes.rank | ✅ Yes | Integer | Min 1 | | Execution order numbers | Execution order for the process |
| description | ❌ No | String | Max 1000 characters | | | Detailed information about the action's purpose, behavior, or attack methodology |
| title | ✅ Yes | String | Max 100 characters | | "Download", "Execute" | Title for the action (used in UI) |
| affected_os | ❌ No | Array | | | "Windows", "Linux", "macOS" | Operating systems where the action can be executed |
| ukc_phase_id | ✅ Yes | Integer | Phase identifiers 1-8 | | | Unified Kill Chain phase identifier |
| use_case | ❌ No | String | | | "Sensitive Data Exposure", "Privilege Escalation" | Describes the action's use case |
| sources | ❌ No | Array | | | ["EDR"], ["Log files", "Endpoint monitoring"] | Detection sources for the action |
| affected_platform_ids | ❌ No | Array | | | Array of platform identifiers | Platform identifiers where the action applies |
| tags | ❌ No | Array | | | ["APT 10"], ["MITRE ATT&CK", "Privilege Escalation"] | Tags for categorizing the action |
| process_result | ⚠️ Conditional | String | Required if category is "Attack Scenario" | | "P1", "Success" | Expected process execution result |
| action_result | ⚠️ Conditional | String | Required if category is "Attack Scenario" | | "unblocked", "Privileges escalated" | Expected action outcome |
| tactic_id | ❌ No | Integer | | | MITRE ATT&CK tactic IDs | MITRE ATT&CK tactic identifier |
| technique_id | ❌ No | Integer | | | MITRE ATT&CK technique IDs | MITRE ATT&CK technique identifier |
| is_privileged | ❌ No | Boolean | | false | true (Requires elevated privileges), false (No special privileges) | Whether the action requires elevated privileges |
| is_sensitive_content | ❌ No | Boolean | | false | true (Contains sensitive info), false (No sensitive content) | Whether the action contains sensitive information |
| keyword | ❌ No | String | | | Detection keywords and logic | Detection keywords and logic for the action |
| rewind_processes | ❌ No | Array | | | Same structure as play_processes | Optional cleanup processes to revert the action's effects |
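The constraints in the Fields table (conditional requirements, length limits, the 1000000 floor on `process_id`, the 1-8 range on `ukc_phase_id`) are easy to violate when assembling a payload programmatically. The following is an added example, not Picus's own SDK or code from this page: it checks a payload against those documented rules before any network call and only then POSTs it to the endpoint shown in the curl example. It assumes the Fields table is authoritative where it disagrees with the curl example (so `cond_name` is a string and `is_blocked` a boolean), reads the Bearer token from a `PICUS_API_TOKEN` environment variable rather than embedding it in source (the variable name is this example's choice), and uses a constructed sample payload whose `process_id` is a placeholder to be replaced with a real value from the Process List endpoint.

```python
"""Client-side validation and submission of a Picus CreateAction payload.

Added example; the field rules come from the Fields table on this page and
the URL and Bearer header from the page's curl example. Everything else
(token variable name, sample payload) is an assumption of this example.
"""
from __future__ import annotations

import json
import os
import urllib.request

API_URL = "https://api.picussecurity.com/v1/threat-library/actions"

REQUIRED_ALWAYS = ("name", "attack_module", "category", "title", "ukc_phase_id")
REQUIRED_FOR_ATTACK_SCENARIO = ("play_processes", "process_result", "action_result")
MAX_LEN = {"name": 255, "attack_module": 100, "category": 100, "title": 100, "description": 1000}
MIN_PROCESS_ID = 1_000_000


def _is_int(value) -> bool:
    # bool is a subclass of int in Python; exclude it so True/False fail integer checks.
    return isinstance(value, int) and not isinstance(value, bool)


def _validate_processes(list_name: str, processes: list) -> list[str]:
    """Check each process object against the play_processes.* rows of the table."""
    problems = []
    for i, proc in enumerate(processes):
        where = f"{list_name}[{i}]"
        cond = proc.get("cond_name")
        if not isinstance(cond, str) or not 1 <= len(cond) <= 100:
            problems.append(f"{where}.cond_name must be a string of 1-100 characters")
        if not _is_int(proc.get("process_id")) or proc["process_id"] < MIN_PROCESS_ID:
            problems.append(f"{where}.process_id must be an integer >= {MIN_PROCESS_ID}")
        if not isinstance(proc.get("is_blocked"), bool):
            problems.append(f"{where}.is_blocked must be a boolean")
        if not _is_int(proc.get("rank")) or proc["rank"] < 1:
            problems.append(f"{where}.rank must be an integer >= 1")
    return problems


def validate_action(action: dict) -> list[str]:
    """Return every documented-constraint violation; an empty list means the
    payload is consistent with the Fields table."""
    problems = [f"missing required field {k!r}" for k in REQUIRED_ALWAYS if k not in action]
    attack_scenario = action.get("category") == "Attack Scenario"
    if attack_scenario:
        problems += [f"{k!r} is required when category is 'Attack Scenario'"
                     for k in REQUIRED_FOR_ATTACK_SCENARIO if k not in action]
        if not action.get("play_processes"):
            problems.append("at least one play process is required")
    for key, limit in MAX_LEN.items():
        if isinstance(action.get(key), str) and len(action[key]) > limit:
            problems.append(f"{key!r} exceeds {limit} characters")
    phase = action.get("ukc_phase_id")
    if phase is not None and not (_is_int(phase) and 1 <= phase <= 8):
        problems.append("'ukc_phase_id' must be an integer in 1-8")
    for list_name in ("play_processes", "rewind_processes"):
        problems += _validate_processes(list_name, action.get(list_name, []))
    return problems


def create_action(action: dict, token: str | None = None) -> dict:
    """Validate, then POST. Raises ValueError before any network traffic if the
    payload breaks a documented rule. Token comes from PICUS_API_TOKEN (this
    example's variable name) unless passed explicitly, so it never sits in code."""
    problems = validate_action(action)
    if problems:
        raise ValueError("invalid action payload: " + "; ".join(problems))
    token = token or os.environ["PICUS_API_TOKEN"]
    req = urllib.request.Request(
        API_URL,
        data=json.dumps(action).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample payload following the Fields table. process_id is a
# placeholder copied from the page's example; take a real one from Process List.
SAMPLE_ACTION = {
    "name": "Apidoc-Example-Action",
    "title": "Execute",
    "description": "description",
    "attack_module": "Endpoint Scenario",
    "category": "Attack Scenario",
    "affected_os": ["Windows"],
    "ukc_phase_id": 7,
    "process_result": "P1",
    "action_result": "unblocked",
    "is_privileged": False,
    "is_sensitive_content": False,
    "play_processes": [{"cond_name": "1", "process_id": 1015385, "rank": 1, "is_blocked": False}],
    "rewind_processes": [],
}

if __name__ == "__main__":
    print(validate_action(SAMPLE_ACTION))
    print(validate_action(dict(SAMPLE_ACTION, play_processes=[])))
```

Running `validate_action` before `create_action` turns a rejected request into a local error message that names the offending field, and it keeps a malformed payload from being sent with a live token attached. Extend `MAX_LEN` and the process checks if the API documents further constraints; the checks here are limited to what the table states.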
