Actions API

DRAFT — Internal Developer Use Only

This API reference is for internal development teams.

Overview

What it is: The actions API lets you manage automated actions that Discovery executes in response to triggers and workflows. Actions include sending emails, creating incidents, and custom operations.

Endpoints

Method	Path	Description	Auth required
`GET`	`/api/v1/actions`	List all actions	JWT + API token
`GET`	`/api/v1/actions/:actionID`	Get a specific action	JWT + API token
`PUT`	`/api/v1/actions/:actionID`	Update an action	JWT + API token
`DELETE`	`/api/v1/actions/:actionID`	Delete an action	JWT + API token
`POST`	`/api/v1/actions/:actionID/send-email`	Execute email action	JWT + API token
`POST`	`/api/v1/actions/:actionID/create-incident`	Execute incident creation	JWT + API token

GET /api/v1/actions

List all configured actions.

Request:

http

GET /api/v1/actions
Authorization: Bearer <token>

Response (200):

json

[
  {
    "actionID": "action-uuid-001",
    "name": "Notify Admin",
    "type": "email",
    "enabled": true,
    "config": {
      "recipients": ["admin@example.com"],
      "subject": "Alert: {{trigger.name}}"
    }
  },
  {
    "actionID": "action-uuid-002",
    "name": "Create ServiceNow Ticket",
    "type": "incident",
    "enabled": true,
    "config": {
      "provider": "servicenow",
      "priority": "high"
    }
  }
]

PUT /api/v1/actions/:actionID

Update an existing action configuration.

Request:

http

PUT /api/v1/actions/action-uuid-001
Authorization: Bearer <token>
Content-Type: application/json

{
  "name": "Notify Security Team",
  "enabled": true,
  "config": {
    "recipients": ["security@example.com"],
    "subject": "Security Alert: {{trigger.name}}"
  }
}

Response (200): Returns the updated action object.

POST /api/v1/actions/:actionID/send-email

Execute an email action immediately.

Request:

http

POST /api/v1/actions/action-uuid-001/send-email
Authorization: Bearer <token>
Content-Type: application/json

{
  "context": {
    "trigger": "manual",
    "entityId": "entity-uuid"
  }
}

Response (200):

json

{
  "status": "sent",
  "recipients": 1
}

POST /api/v1/actions/:actionID/create-incident

Execute an incident creation action (e.g., ServiceNow ticket).

Request:

http

POST /api/v1/actions/action-uuid-002/create-incident
Authorization: Bearer <token>
Content-Type: application/json

{
  "context": {
    "trigger": "threat-detection",
    "entityId": "entity-uuid",
    "severity": "high"
  }
}

Response (200):

json

{
  "status": "created",
  "incidentId": "INC0012345"
}

On-prem Deployment

Client Deployment

Global Search

Entity Details Pages

Search Library

Access

Discover

Data Sources

Universal Collector Overview

Identify

Threat Detection Rules

Automate

Tenants

OpenID Providers

Settings

Credentials

Assistant

Configuration Refererence

All Tenants - On-prem only

BeyondTrust

CyberArk

How to use the CyberArk Integration

Actions API

Overview

Endpoints

GET /api/v1/actions

PUT /api/v1/actions/:actionID

POST /api/v1/actions/:actionID/send-email

POST /api/v1/actions/:actionID/create-incident

Data Sources

Universal Collector Overview

Threat Detection Rules

OpenID Providers

Credentials

How to use the CyberArk Integration

Actions API ​

Overview ​

Endpoints ​

GET /api/v1/actions ​

PUT /api/v1/actions/:actionID ​

POST /api/v1/actions/:actionID/send-email ​

POST /api/v1/actions/:actionID/create-incident ​

Actions API

Overview

Endpoints

GET /api/v1/actions

PUT /api/v1/actions/:actionID

POST /api/v1/actions/:actionID/send-email

POST /api/v1/actions/:actionID/create-incident