Creates custom actions with given arguments
About
The Create Action endpoint creates a custom action from the parameters and processes you specify. You create an action by giving it a name, defining its attack module and category, and listing its execution processes. Each action contains play processes, which define the execution steps, and optional rewind processes, which perform cleanup after execution.
- At least one play process must be provided
- Attack module and category define the action's classification
- Process result and action result define the expected outcomes
Process IDs: Use the Process List endpoint to look up the available processes and decide which ones to reference.
After the action is created, the response returns the action id and a summary of the action, which you can use in subsequent requests.
Example for Basic Action Creation
Create a simple action with a single play process.
curl --location 'https://api.picussecurity.com/v1/threat-library/actions' \
--header 'Authorization: Bearer access_token' \
--header 'Content-Type: application/json' \
--data '{
  "name": "Apidoc-Example-Action",
  "description": "description",
  "attack_module": "Endpoint Scenario",
  "category": "Attack Scenario",
  "affected_os": ["Windows"],
  "ukc_phase_id": 7,
  "use_case": "Sensitive Data Exposure",
  "sources": [],
  "affected_platform_ids": [1],
  "tags": ["APT 10"],
  "process_result": "P1",
  "action_result": "unblocked",
  "tactic_id": 6,
  "technique_id": 25,
  "is_privileged": false,
  "is_sensitive_content": false,
  "keyword": "(((\"path\" AND \"argument\") OR (\"cs-log\") OR (\"e612e63113f6600a44782d73df090e11\" OR \"663d34ee57fe906e5b17b1d86251c79f127b2f53\" OR \"4f58703573fb0aae3d6579030a78758f2f5f2fd4e8cc0cc686d0dfeda13b6360\")) AND NOT ((\"PICUS_REWIND\") OR (\"File created:\" AND (\"Scenarios\" OR \"Simulation\"))))",
  "play_processes": [
    {
      "cond_name": 1,
      "process_id": 1015385,
      "rank": 1,
      "is_blocked": "unblocked"
    }
  ],
  "rewind_processes": []
}'
Response
{
  "action": {
    "id": 1026424,
    "created_at": "2025-06-24T07:54:13.161602715Z",
    "name": "Apidoc-Example-Action",
    "description": "description",
    "tags": [
      "APT 10"
    ],
    "display_id": 1000013
  }
}
Required Fields
Name
- Required: No (validation rules not specified)
- Type: String
- Description: The name of the custom action
Attack Module
- Required: No (validation rules not specified)
- Type: String
- Description: Defines the attack module category
- Examples: "Endpoint Scenario", "Network Infiltration", "Web Application"
Category
- Required: No (validation rules not specified)
- Type: String
- Description: Defines the action category
- Examples: "Attack Scenario", "Post-Exploitation"
Play Processes
- Required: No (validation rules not specified)
- Type: Array of Process Objects
- Description: Defines the execution processes for the action
Process Object Fields:
- cond_name: Condition name (required, min: 1, max: 100)
- process_id: Process ID (required, min: 1000000)
- is_blocked: Block status (required)
- rank: Execution order (required, min: 1)
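The request flow described in the About section and the process-object limits listed above, as an added example (this is not Picus's own client code). The endpoint URL, field names and example values are taken from this page; the helper names, the placeholder token, the offline stand-in for the HTTP call and the constructed sample response are assumptions made for the example. Because the page does not say whether the cond_name min/max is a numeric range or a string length, the validator checks both readings, and it treats duplicate rank values as an error on the assumption that rank is the execution order.

```python
import io
import json
import urllib.request
from contextlib import contextmanager

# Endpoint URL as given on the page; the bearer token used later is a placeholder.
ACTIONS_URL = "https://api.picussecurity.com/v1/threat-library/actions"


def validate_process(proc, label):
    """Check one process object against the rules stated on the page:
    cond_name (min 1, max 100), process_id (min 1000000), rank (min 1) and
    is_blocked present. Assumption: cond_name is checked both as a numeric
    range and as a string length, since the page does not say which applies."""
    errors = []
    for key in ("cond_name", "process_id", "is_blocked", "rank"):
        if key not in proc:
            errors.append(f"{label}: missing required field '{key}'")
    cond = proc.get("cond_name")
    if isinstance(cond, int) and not 1 <= cond <= 100:
        errors.append(f"{label}: cond_name must be between 1 and 100")
    elif isinstance(cond, str) and not 1 <= len(cond) <= 100:
        errors.append(f"{label}: cond_name length must be between 1 and 100")
    pid = proc.get("process_id")
    if isinstance(pid, int) and pid < 1_000_000:
        errors.append(f"{label}: process_id must be >= 1000000")
    rank = proc.get("rank")
    if isinstance(rank, int) and rank < 1:
        errors.append(f"{label}: rank must be >= 1")
    return errors


def validate_action(payload):
    """Apply the action-level rule from the page (at least one play process)
    plus the per-process checks; returns a list of readable violations."""
    errors = []
    plays = payload.get("play_processes") or []
    if not plays:
        errors.append("play_processes: at least one play process must be provided")
    for i, proc in enumerate(plays):
        errors.extend(validate_process(proc, f"play_processes[{i}]"))
    for i, proc in enumerate(payload.get("rewind_processes") or []):
        errors.extend(validate_process(proc, f"rewind_processes[{i}]"))
    # Assumption: rank is the execution order, so duplicate ranks are ambiguous.
    ranks = [p.get("rank") for p in plays]
    if len(ranks) != len(set(ranks)):
        errors.append("play_processes: rank values must be unique")
    return errors


def build_action(name, play_processes, rewind_processes=(), **optional):
    """Assemble a request body using the field names from the page. Optional
    fields (affected_os, tags, keyword, ...) are passed through unchanged."""
    payload = {
        "name": name,
        "attack_module": optional.pop("attack_module", "Endpoint Scenario"),
        "category": optional.pop("category", "Attack Scenario"),
        "play_processes": list(play_processes),
        "rewind_processes": list(rewind_processes),
    }
    payload.update(optional)
    return payload


def parse_action_response(body):
    """Pull the identifiers out of the {"action": {...}} response shape on the page."""
    action = json.loads(body)["action"]
    return {"id": action["id"], "display_id": action.get("display_id"),
            "name": action["name"]}


def create_action(payload, token, opener=urllib.request.urlopen):
    """Validate locally, then POST. `opener` is injectable so the flow can be
    exercised without network access (see demo_opener below)."""
    errors = validate_action(payload)
    if errors:
        raise ValueError("; ".join(errors))
    req = urllib.request.Request(
        ACTIONS_URL,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return parse_action_response(resp.read())


# Constructed sample response, modelled on the one shown on the page.
SAMPLE_RESPONSE = {"action": {"id": 1026424, "created_at": "2025-06-24T07:54:13.161602715Z",
                              "name": "Apidoc-Example-Action", "description": "description",
                              "tags": ["APT 10"], "display_id": 1000013}}


@contextmanager
def demo_opener(req):
    """Offline stand-in for urlopen (constructed): checks the bearer header is
    set and returns the sample response. It does not talk to the real API."""
    if not (req.get_header("Authorization") or "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    yield io.BytesIO(json.dumps(SAMPLE_RESPONSE).encode("utf-8"))


if __name__ == "__main__":
    payload = build_action(
        "Apidoc-Example-Action",
        play_processes=[{"cond_name": 1, "process_id": 1015385, "rank": 1,
                         "is_blocked": "unblocked"}],
        affected_os=["Windows"], tags=["APT 10"],
        process_result="P1", action_result="unblocked",
    )
    print(validate_action(payload))
    print(create_action(payload, "access_token", opener=demo_opener))
    bad = build_action("broken", play_processes=[{"cond_name": 1, "process_id": 42, "rank": 0}])
    print(validate_action(bad))
```

Replacing `demo_opener` with the default `urllib.request.urlopen` and supplying a real token sends the request to the endpoint shown on the page; validating before the call surfaces the limits above as one readable error list instead of an API rejection.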
Optional Fields
Description
The description field is optional and allows you to provide detailed information about the action's purpose, behavior, or attack methodology. Maximum length is not specified in validation rules.
Affected OS
- Type: Array of Strings
- Options: "Windows", "Linux", "macOS"
- Description: Operating systems where the action can be executed
UKC Phase ID
- Type: Integer
- Description: Unified Kill Chain phase identifier
Use Case
- Type: String
- Description: Describes the action's use case
- Examples: "Sensitive Data Exposure", "Privilege Escalation"
Sources
- Type: Array of Strings
- Description: Detection sources for the action
- Examples: ["EDR"], ["Log files", "Endpoint monitoring"]
Affected Platform IDs
- Type: Array of Integers
- Description: Platform identifiers where action applies
Tags
- Type: Array of Strings
- Description: Tags for categorizing the action
- Examples: ["APT 10"], ["MITRE ATT&CK", "Privilege Escalation"]
Process Result
- Type: String
- Description: Expected process execution result
- Examples: "P1", "Success"
Action Result
- Type: String
- Description: Expected action outcome
- Examples: "unblocked", "Privileges escalated"
Tactic ID
- Type: Integer
- Description: MITRE ATT&CK tactic identifier
Technique ID
- Type: Integer
- Description: MITRE ATT&CK technique identifier
Is Privileged
- Type: Boolean
- Description: Whether the action requires elevated privileges
- Default: false
Is Sensitive Content
- Type: Boolean
- Description: Whether the action contains sensitive information
- Default: false
Keyword
- Type: String
- Description: Detection keywords and logic for the action
Rewind Processes
- Type: Array of Process Objects
- Description: Optional cleanup processes to revert action effects