# CreateAction

Creates a custom action with the given arguments.

## About

The Create Action endpoint creates a custom action from the specified parameters and processes. You create an action by giving it a name and defining its attack module, category, and execution processes. Each action contains play processes, which define the execution steps, and optional rewind processes, which clean up after the action has run.

  • At least one play process must be provided
  • Attack module and category define the action's classification
  • Process result and action result define the expected outcomes

Process IDs: use the Process List endpoint to browse the available processes and choose the ones to reference in `process_id`.

Once the action is created, the response returns its action id together with a summary of the action, which you can use in subsequent requests.

## Example for Basic Action Creation

Create a simple action with a single play process.

```bash
curl --location 'https://api.picussecurity.com/v1/threat-library/actions' \
--header 'Authorization: Bearer access_token' \
--header 'Content-Type: application/json' \
--data '{
    "name": "Apidoc-Example-Action",
    "description": "description",
    "attack_module": "Endpoint Scenario",
    "category": "Attack Scenario",
    "affected_os": ["Windows"],
    "ukc_phase_id": 7,
    "use_case": "Sensitive Data Exposure",
    "sources": [],
    "affected_platform_ids": [1],
    "tags": ["APT 10"],
    "process_result": "P1",
    "action_result": "unblocked",
    "tactic_id": 6,
    "technique_id": 25,
    "is_privileged": false,
    "is_sensitive_content": false,
    "keyword": "(((\"path\" AND \"argument\") OR (\"cs-log\") OR (\"e612e63113f6600a44782d73df090e11\" OR \"663d34ee57fe906e5b17b1d86251c79f127b2f53\" OR \"4f58703573fb0aae3d6579030a78758f2f5f2fd4e8cc0cc686d0dfeda13b6360\")) AND NOT ((\"PICUS_REWIND\") OR (\"File created:\" AND (\"Scenarios\" OR \"Simulation\"))))",
    "play_processes": [
        {
            "cond_name": 1,
            "process_id": 1015385,
            "rank": 1,
            "is_blocked": "unblocked"
        }
    ],
    "rewind_processes": []
}'
```

Response:

```json
{
    "action": {
        "id": 1026424,
        "created_at": "2025-06-24T07:54:13.161602715Z",
        "name": "Apidoc-Example-Action",
        "description": "description",
        "tags": [
            "APT 10"
        ],
        "display_id": 1000013
    }
}
```

## Fields

| Field Name | Required | Type | Constraints | Default Value | Options/Examples | Description |
|---|---|---|---|---|---|---|
| name | ✅ Yes | String | Max 255 characters | - | - | The name of the custom action |
| attack_module | ✅ Yes | String | Max 100 characters | - | "Endpoint Scenario", "Network Infiltration", "Web Application" | Defines the attack module category |
| category | ✅ Yes | String | Max 100 characters | - | "Attack Scenario", "Post-Exploitation" | Defines the action category |
| play_processes | ❌ No | Array | - | - | See process object sub-fields below | Defines the execution processes for the action |
| play_processes.cond_name | ✅ Yes | String | Min: 1, Max: 100 | - | - | Condition name for the process |
| play_processes.process_id | ✅ Yes | Integer | Min: 1000000 | - | - | Process ID for execution |
| play_processes.is_blocked | ✅ Yes | Boolean | - | - | true (Blocked), false (Allowed) | Block status for the process |
| play_processes.rank | ✅ Yes | Integer | Min: 1 | - | Execution order numbers | Execution order for the process |
| description | ❌ No | String | Max 1000 characters | - | - | Detailed information about the action's purpose, behavior, or attack methodology |
| title | ✅ Yes | String | Max 100 characters | - | "Download", "Execute" | Title for the action (used in UI) |
| affected_os | ❌ No | Array | - | - | "Windows", "Linux", "macOS" | Operating systems where the action can be executed |
| ukc_phase_id | ✅ Yes | Integer | - | - | Phase identifiers (1-8) | Unified Kill Chain phase identifier |
| use_case | ❌ No | String | - | - | "Sensitive Data Exposure", "Privilege Escalation" | Describes the action's use case |
| sources | ❌ No | Array | - | - | ["EDR"], ["Log files", "Endpoint monitoring"] | Detection sources for the action |
| affected_platform_ids | ❌ No | Array | - | - | Array of platform identifiers | Platform identifiers where the action applies |
| tags | ❌ No | Array | - | - | ["APT 10"], ["MITRE ATT&CK", "Privilege Escalation"] | Tags for categorizing the action |
| process_result | ❌ No | String | - | - | "P1", "Success" | Expected process execution result |
| action_result | ❌ No | String | - | - | "unblocked", "Privileges escalated" | Expected action outcome |
| tactic_id | ❌ No | Integer | - | - | MITRE ATT&CK tactic IDs | MITRE ATT&CK tactic identifier |
| technique_id | ❌ No | Integer | - | - | MITRE ATT&CK technique IDs | MITRE ATT&CK technique identifier |
| is_privileged | ❌ No | Boolean | - | false | true (Requires elevated privileges), false (No special privileges) | Whether the action requires elevated privileges |
| is_sensitive_content | ❌ No | Boolean | - | false | true (Contains sensitive info), false (No sensitive content) | Whether the action contains sensitive information |
| keyword | ❌ No | String | - | - | Detection keywords and logic | Detection keywords and logic for the action |
| rewind_processes | ❌ No | Array | - | - | Same structure as play_processes | Optional cleanup processes to revert the action's effects |
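As an added example that is not part of the Picus documentation, the following Python helper checks a request body against the constraints stated in the About section and the Fields table above, then builds the same POST that the curl example sends. The function names (`validate_action`, `build_request`, `example_body`) are my own, and the sample body is constructed from the page's example values.

```python
import json
import urllib.request

API_URL = "https://api.picussecurity.com/v1/threat-library/actions"  # from the page's curl example
PROCESS_ID_MIN = 1_000_000  # Fields table: play_processes.process_id, Min: 1000000
MAX_LEN = {"name": 255, "attack_module": 100, "category": 100, "description": 1000}
PROCESS_KEYS = ("cond_name", "process_id", "rank", "is_blocked")


def validate_action(body: dict) -> list[str]:
    """Return violations of the page's stated constraints (empty list = body passes).
    Pre-flight check only; the server may enforce rules the page does not list."""
    problems = []
    for field in ("name", "attack_module", "category", "ukc_phase_id"):
        if field not in body:
            problems.append(f"{field}: required")
    for field, limit in MAX_LEN.items():
        if field in body and len(str(body[field])) > limit:
            problems.append(f"{field}: longer than {limit} characters")
    if "ukc_phase_id" in body and not 1 <= body["ukc_phase_id"] <= 8:
        problems.append("ukc_phase_id: must be a Unified Kill Chain phase 1-8")
    if not body.get("play_processes"):
        problems.append("play_processes: at least one play process is required")
    # rewind_processes share the play_processes structure, so both get the same checks
    for kind in ("play_processes", "rewind_processes"):
        for i, proc in enumerate(body.get(kind) or []):
            where = f"{kind}[{i}]"
            problems += [f"{where}.{key}: required" for key in PROCESS_KEYS if key not in proc]
            if proc.get("process_id", PROCESS_ID_MIN) < PROCESS_ID_MIN:
                problems.append(f"{where}.process_id: must be >= {PROCESS_ID_MIN}")
            if proc.get("rank", 1) < 1:
                problems.append(f"{where}.rank: must be >= 1")
    return problems


def build_request(body: dict, token: str) -> urllib.request.Request:
    """Build the POST matching the curl example; refuses a body that fails validation."""
    problems = validate_action(body)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(API_URL, data=json.dumps(body).encode(), headers=headers, method="POST")


def example_body() -> dict:
    """Constructed sample mirroring the page's curl example (illustrative values)."""
    return {"name": "Apidoc-Example-Action", "attack_module": "Endpoint Scenario",
            "category": "Attack Scenario", "ukc_phase_id": 7, "rewind_processes": [],
            "play_processes": [{"cond_name": 1, "process_id": 1015385, "rank": 1, "is_blocked": "unblocked"}]}
```

Send the returned request with `urllib.request.urlopen(build_request(example_body(), token))` and parse the JSON body of the response for the `action.id` shown in the example above.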