# CreateAction

Creates custom actions with given arguments

About

The Create Action endpoint creates a custom action with the specified parameters and processes. You create an action by giving it a name, defining its attack module and category, and listing its execution processes. Each action contains play processes that define the execution steps and optional rewind processes that perform cleanup afterwards.

  • At least one play process must be provided
  • Attack module and category define the action's classification
  • Process result and action result define the expected outcomes

Process IDs: use the Process List endpoint to look up the available processes and decide which ones the action should use.

After the action is created, the response contains the action id and a summary of the action that you can use in subsequent requests.

Example for Basic Action Creation

Create a simple action with a single play process.

```shell
curl --location 'https://api.picussecurity.com/v1/threat-library/actions' \
--header 'Authorization: Bearer access_token' \
--header 'Content-Type: application/json' \
--data '{
    "name": "Apidoc-Example-Action",
    "description": "description",
    "attack_module": "Endpoint Scenario",
    "category": "Attack Scenario",
    "affected_os": ["Windows"],
    "ukc_phase_id": 7,
    "use_case": "Sensitive Data Exposure",
    "sources": [],
    "affected_platform_ids": [1],
    "tags": ["APT 10"],
    "process_result": "P1",
    "action_result": "unblocked",
    "tactic_id": 6,
    "technique_id": 25,
    "is_privileged": false,
    "is_sensitive_content": false,
    "keyword": "(((\"path\" AND \"argument\") OR (\"cs-log\") OR (\"e612e63113f6600a44782d73df090e11\" OR \"663d34ee57fe906e5b17b1d86251c79f127b2f53\" OR \"4f58703573fb0aae3d6579030a78758f2f5f2fd4e8cc0cc686d0dfeda13b6360\")) AND NOT ((\"PICUS_REWIND\") OR (\"File created:\" AND (\"Scenarios\" OR \"Simulation\"))))",
    "play_processes": [
        {
            "cond_name": 1,
            "process_id": 1015385,
            "rank": 1,
            "is_blocked": "unblocked"
        }
    ],
    "rewind_processes": []
}'
```

Example response:

```json
{
    "action": {
        "id": 1026424,
        "created_at": "2025-06-24T07:54:13.161602715Z",
        "name": "Apidoc-Example-Action",
        "description": "description",
        "tags": [
            "APT 10"
        ],
        "display_id": 1000013
    }
}
```

Required Fields

Name

  • Required: No (validation rules not specified)
  • Type: String
  • Description: The name of the custom action

Attack Module

  • Required: No (validation rules not specified)
  • Type: String
  • Description: Defines the attack module category
  • Examples: "Endpoint Scenario", "Network Infiltration", "Web Application"

Category

  • Required: No (validation rules not specified)
  • Type: String
  • Description: Defines the action category
  • Examples: "Attack Scenario", "Post-Exploitation"

Play Processes

  • Required: No (validation rules not specified)
  • Type: Array of Process Objects
  • Description: Defines the execution processes for the action

Process Object Fields:

  • cond_name: Condition name (required, min: 1, max: 100)
  • process_id: Process ID (required, min: 1000000)
  • is_blocked: Block status (required)
  • rank: Execution order (required, min: 1)
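The following Python script is an added example, not Picus's own client or SDK. It assembles the request body from the fields documented on this page and checks the documented constraints (at least one play process; `cond_name` between 1 and 100; `process_id` at least 1000000; `rank` at least 1; `affected_os` limited to the listed options) before anything is sent, so a malformed action is rejected locally instead of by the API. The endpoint URL, field names, and the two boolean defaults are taken from this page; the `PICUS_TOKEN` environment variable, the `create_action` helper and the treatment of `cond_name` as either an integer value or a string length are assumptions.

```python
"""Build, validate and (optionally) send a Create Action request.

Added example, not Picus's own client code. Field names, constraints and the
endpoint URL come from the documentation page; everything else is assumed.
"""
from __future__ import annotations

import json
import os
import urllib.request
from typing import Any

ACTIONS_URL = "https://api.picussecurity.com/v1/threat-library/actions"
AFFECTED_OS_OPTIONS = {"Windows", "Linux", "macOS"}


def validate_process(proc: dict[str, Any], index: int) -> None:
    """Check one play/rewind process object against the documented rules."""
    for key in ("cond_name", "process_id", "is_blocked", "rank"):
        if key not in proc:
            raise ValueError(f"process[{index}]: missing required field '{key}'")
    cond = proc["cond_name"]
    # The page lists min 1 / max 100 for cond_name and its example sends the
    # integer 1; assumed here: an int in 1..100 or a string of 1..100 characters.
    size = cond if isinstance(cond, int) else len(str(cond))
    if not 1 <= size <= 100:
        raise ValueError(f"process[{index}]: cond_name must be within 1..100")
    if not isinstance(proc["process_id"], int) or proc["process_id"] < 1000000:
        raise ValueError(f"process[{index}]: process_id must be an integer >= 1000000")
    if not isinstance(proc["rank"], int) or proc["rank"] < 1:
        raise ValueError(f"process[{index}]: rank must be an integer >= 1")


def build_create_action_body(
    name: str,
    attack_module: str,
    category: str,
    play_processes: list[dict[str, Any]],
    rewind_processes: list[dict[str, Any]] | None = None,
    **optional: Any,
) -> dict[str, Any]:
    """Assemble the JSON body, applying the documented defaults and rules."""
    if not name.strip():
        raise ValueError("name must not be empty")
    if not play_processes:
        raise ValueError("at least one play process must be provided")
    for i, proc in enumerate(play_processes):
        validate_process(proc, i)
    rewind_processes = rewind_processes or []
    for i, proc in enumerate(rewind_processes):
        validate_process(proc, i)

    body: dict[str, Any] = {
        "name": name,
        "attack_module": attack_module,
        "category": category,
        "play_processes": play_processes,
        "rewind_processes": rewind_processes,
        # Documented defaults for the two boolean flags; callers may override.
        "is_privileged": False,
        "is_sensitive_content": False,
    }
    body.update(optional)  # description, tags, affected_os, tactic_id, ...

    unknown = set(body.get("affected_os", [])) - AFFECTED_OS_OPTIONS
    if unknown:
        raise ValueError(f"affected_os contains unsupported values: {sorted(unknown)}")
    return body


def create_action(body: dict[str, Any], token: str) -> dict[str, Any]:
    """POST the validated body. The bearer token is supplied by the caller,
    never embedded in source (assumed helper, not part of the page)."""
    req = urllib.request.Request(
        ACTIONS_URL,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_create_action_body(
        name="Apidoc-Example-Action",
        attack_module="Endpoint Scenario",
        category="Attack Scenario",
        play_processes=[{"cond_name": 1, "process_id": 1015385,
                         "rank": 1, "is_blocked": "unblocked"}],
        affected_os=["Windows"],
        tags=["APT 10"],
    )
    print(json.dumps(body, indent=2))
    token = os.environ.get("PICUS_TOKEN")  # assumed variable name
    if token:  # only talk to the API when a token was actually provided
        print(create_action(body, token)["action"]["id"])
```

Running the script without `PICUS_TOKEN` set only prints the validated body; the request is sent only when a token is present, which keeps the credential out of the source and out of shell history.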

Optional Fields

Description

The description field is optional and allows you to provide detailed information about the action's purpose, behavior, or attack methodology. Maximum length is not specified in validation rules.

Affected OS

  • Type: Array of Strings
  • Options: "Windows", "Linux", "macOS"
  • Description: Operating systems where the action can be executed

UKC Phase ID

  • Type: Integer
  • Description: Unified Kill Chain phase identifier

Use Case

  • Type: String
  • Description: Describes the action's use case
  • Examples: "Sensitive Data Exposure", "Privilege Escalation"

Sources

  • Type: Array of Strings
  • Description: Detection sources for the action
  • Examples: ["EDR"], ["Log files", "Endpoint monitoring"]

Affected Platform IDs

  • Type: Array of Integers
  • Description: Platform identifiers where action applies

Tags

  • Type: Array of Strings
  • Description: Tags for categorizing the action
  • Examples: ["APT 10"], ["MITRE ATT&CK", "Privilege Escalation"]

Process Result

  • Type: String
  • Description: Expected process execution result
  • Examples: "P1", "Success"

Action Result

  • Type: String
  • Description: Expected action outcome
  • Examples: "unblocked", "Privileges escalated"

Tactic ID

  • Type: Integer
  • Description: MITRE ATT&CK tactic identifier

Technique ID

  • Type: Integer
  • Description: MITRE ATT&CK technique identifier

Is Privileged

  • Type: Boolean
  • Description: Whether the action requires elevated privileges
  • Default: false

Is Sensitive Content

  • Type: Boolean
  • Description: Whether the action contains sensitive information
  • Default: false

Keyword

  • Type: String
  • Description: Detection keywords and logic for the action

Rewind Processes

  • Type: Array of Process Objects
  • Description: Optional cleanup processes to revert action effects