{ "kom": { "komandVersion": "1.176.5-0-gfecde", "komFileVersion": "2.0.0", "exportedAt": "2024-01-12T14:07:01.831615905Z", "workflowVersions": [ { "name": "Superna Zero Trust Critical Data Protection Snapshot v3", "type": "runnable", "version": "", "description": "# Description\n\nThe Hello IDR Alert workflow is meant to introduce InsightIDR users to the InsightIDR User Behavior Analytics (UBA) Alert Trigger in InsightConnect and to help them run their first response workflow from an Investigation in InsightIDR.\n\nTo use this workflow, import and activate it in InsightConnect. Then, open an Investigation in InsightIDR and use the Take Action menu to find your Custom InsightConnect Workflow and run it!\n\n# Key Features\n\n* Learn how to run response workflows from an InsightIDR Investigation\n* Learn which trigger output variables are available for use in custom workflows\n* Experience using InsightConnect along with InsightIDR firsthand!\n\n# Requirements\n\n* InsightIDR License\n* InsightConnect License\n\n# Documentation\n\n## Setup\n\nSimply import and activate the workflow in InsightConnect! No additional setup is required for this workflow.\n\n### Usage\n\n1. Open an Investigation in InsightIDR\n2. Click the `Take Action` button in the Investigation to open the response panel\n3. Select `Custom InsightConnect Workflows` from the `Action Category` list\n4. Select the `Hello IDR Alert` workflow (Note: If you changed the name of the workflow during the import process, then you will see a different workflow name!)\n5. Select all Users, Assets, and/or Indicators (IPs, URLs, Domains, or Processes) available in the IDR Investigation\n6. Click `Take Action`!\n\nAn event will be automatically added to your Investigation Timeline in InsightIDR. 
Click on it to see the results of your workflow!\n\n## Technical Details\n\nPlugins utilized by workflow:\n\n|Plugin|Version|Count|\n|----|----|--------|\n\n## Troubleshooting\n\n_There is no troubleshooting information at this time_\n\n# Version History\n\n* 1.0.1 - Updated artifact\n* 1.0.0 - Initial workflow\n\n# Links\n\n## References\n", "graph": { "edges": { "4a847901-43f2-4d7a-a8ca-495fe8cac3e4": { "id": "4a847901-43f2-4d7a-a8ca-495fe8cac3e4", "name": "", "description": "", "parentNodeId": "", "fromNodeId": "1c857813-dc83-422e-84fc-46d619db4141", "toNodeId": "a77ed7cc-0a20-40a0-8875-bea7433b64ee" }, "b4f6d57a-e799-4a70-9e86-6b9923ad52ae": { "id": "b4f6d57a-e799-4a70-9e86-6b9923ad52ae", "name": "", "description": "", "parentNodeId": "", "fromNodeId": "da6c5160-f135-4e1b-a3a8-61f4b0ef86cb", "toNodeId": "" }, "be03afbd-e006-48eb-9bd7-ee15f639d1ce": { "id": "be03afbd-e006-48eb-9bd7-ee15f639d1ce", "name": "", "description": "", "parentNodeId": "", "fromNodeId": "a77ed7cc-0a20-40a0-8875-bea7433b64ee", "toNodeId": "da6c5160-f135-4e1b-a3a8-61f4b0ef86cb" } }, "nodes": { "1c857813-dc83-422e-84fc-46d619db4141": { "id": "1c857813-dc83-422e-84fc-46d619db4141", "parentNodeId": "" }, "a77ed7cc-0a20-40a0-8875-bea7433b64ee": { "id": "a77ed7cc-0a20-40a0-8875-bea7433b64ee", "parentNodeId": "" }, "da6c5160-f135-4e1b-a3a8-61f4b0ef86cb": { "id": "da6c5160-f135-4e1b-a3a8-61f4b0ef86cb", "parentNodeId": "" } } }, "steps": { "1c857813-dc83-422e-84fc-46d619db4141": { "nodeId": "1c857813-dc83-422e-84fc-46d619db4141", "name": "Superna Zero Trust Snapshot Protect", "description": "Use this workflow to protect critical data protected by Superna Security Edition", "type": "trigger", "continueOnFailure": false, "isDisabled": false, "triggerId": "0382c751-5f6d-4a6f-8f34-dce9eabe8d00", "defaultInputJSONSchema": { "definitions": { "actor": { "properties": { "assets": { "description": "The assets that are part of the investigation", "items": { "$ref": "#/definitions/asset" }, "order": 2, 
"title": "Assets", "type": "array" }, "users": { "description": "The users that are part of the investigation", "items": { "$ref": "#/definitions/user" }, "order": 1, "title": "Users", "type": "array" } }, "title": "Actor", "type": "object" }, "asset": { "properties": { "assetId": { "description": "the ID of the asset", "order": 1, "title": "AssetId", "type": "string" }, "fqdn": { "description": "The fully qualified domain name", "order": 3, "title": "Fqdn", "type": "string" }, "shortname": { "description": "shortname of the asset", "order": 2, "title": "Shortname", "type": "string" } }, "required": [ "shortname", "assetId" ], "title": "Asset", "type": "object" }, "content": { "properties": { "domains": { "description": "A list of domains to check", "items": { "type": "string" }, "order": 2, "title": "Domains", "type": "array" }, "ipAddresses": { "description": "A list of ip addresses to check", "items": { "$ref": "#/definitions/ipAddress" }, "order": 3, "title": "IpAddresses", "type": "array" }, "processes": { "description": "A list of processes to check", "items": { "$ref": "#/definitions/process" }, "order": 4, "title": "Processes", "type": "array" }, "urls": { "description": "A list of URLs to check", "items": { "type": "string" }, "order": 1, "title": "Urls", "type": "array" } }, "title": "Content", "type": "object" }, "hash": { "properties": { "hash": { "description": "The actual hash", "order": 1, "title": "Hash", "type": "string" }, "type": { "description": "The algorithm used to generate the hash", "order": 2, "title": "Type", "type": "string" } }, "required": [ "hash", "type" ], "title": "Hash", "type": "object" }, "ipAddress": { "properties": { "ip": { "description": "The raw IP", "order": 1, "title": "Ip", "type": "string" }, "type": { "description": "Denotes if an IP is internal or external", "order": 2, "title": "Type", "type": "string" } }, "required": [ "ip", "type" ], "title": "IpAddress", "type": "object" }, "process": { "properties": { "assetId": 
{ "description": "The asset id associated with the process", "order": 1, "title": "AssetId", "type": "string" }, "cmdLine": { "description": "The raw value of the command line call used to invoke the process", "order": 5, "title": "CmdLine", "type": "string" }, "hashes": { "description": "The list of hashes to check", "items": { "$ref": "#/definitions/hash" }, "order": 3, "title": "Hashes", "type": "array" }, "name": { "description": "The name of the process", "order": 4, "title": "Name", "type": "string" }, "processId": { "description": "The PID from the running process on the asset", "order": 2, "title": "ProcessId", "type": "integer" } }, "required": [ "assetId", "processId" ], "title": "Process", "type": "object" }, "user": { "properties": { "distinguishedName": { "description": "The Active Directory distinguished name of the user", "order": 2, "title": "DistinguishedName", "type": "string" }, "emails": { "description": "The email addresses associated with the user", "items": { "type": "string" }, "order": 3, "title": "Emails", "type": "array" }, "name": { "description": "The name of the user, as ' ' if available, or account name otherwise", "order": 1, "title": "Name", "type": "string" } }, "required": [ "name", "emails" ], "title": "User", "type": "object" } }, "properties": { "actors": { "$ref": "#/definitions/actor", "description": "The insightIDR actors that are part of the investigation", "order": 7, "title": "Actors" }, "contents": { "$ref": "#/definitions/content", "description": "The contents to enrich", "order": 8, "title": "Contents" }, "description": { "description": "The description of the alert", "order": 4, "title": "Description", "type": "string" }, "investigationId": { "description": "The investigation id", "order": 6, "title": "InvestigationId", "type": "string" }, "link": { "description": "The deep link to the investigation in insightIDR", "order": 5, "title": "Link", "type": "string" }, "name": { "description": "The human-readable name of 
the alert", "order": 3, "title": "Name", "type": "string" }, "timestamp": { "description": "The time the alert was triggered in ISO 8601 extended timestamp format", "order": 1, "title": "Timestamp", "type": "string" }, "type": { "description": "The type of alert", "order": 2, "title": "Type", "type": "string" } }, "required": [ "investigationId", "actors", "timestamp", "type", "name", "description", "link" ], "title": "Variables", "type": "object" }, "defaultOutputJSONSchema": { "definitions": { "actor": { "properties": { "assets": { "description": "The assets that are part of the investigation", "items": { "$ref": "#/definitions/asset" }, "order": 2, "title": "Assets", "type": "array" }, "users": { "description": "The users that are part of the investigation", "items": { "$ref": "#/definitions/user" }, "order": 1, "title": "Users", "type": "array" } }, "title": "Actor", "type": "object" }, "asset": { "properties": { "assetId": { "description": "the ID of the asset", "order": 1, "title": "AssetId", "type": "string" }, "fqdn": { "description": "The fully qualified domain name", "order": 3, "title": "Fqdn", "type": "string" }, "shortname": { "description": "shortname of the asset", "order": 2, "title": "Shortname", "type": "string" } }, "required": [ "shortname", "assetId" ], "title": "Asset", "type": "object" }, "content": { "properties": { "domains": { "description": "A list of domains to check", "items": { "type": "string" }, "order": 2, "title": "Domains", "type": "array" }, "ipAddresses": { "description": "A list of ip addresses to check", "items": { "$ref": "#/definitions/ipAddress" }, "order": 3, "title": "IpAddresses", "type": "array" }, "processes": { "description": "A list of processes to check", "items": { "$ref": "#/definitions/process" }, "order": 4, "title": "Processes", "type": "array" }, "urls": { "description": "A list of URLs to check", "items": { "type": "string" }, "order": 1, "title": "Urls", "type": "array" } }, "title": "Content", "type": 
"object" }, "hash": { "properties": { "hash": { "description": "The actual hash", "order": 1, "title": "Hash", "type": "string" }, "type": { "description": "The algorithm used to generate the hash", "order": 2, "title": "Type", "type": "string" } }, "required": [ "hash", "type" ], "title": "Hash", "type": "object" }, "ipAddress": { "properties": { "ip": { "description": "The raw IP", "order": 1, "title": "Ip", "type": "string" }, "type": { "description": "Denotes if an IP is internal or external", "order": 2, "title": "Type", "type": "string" } }, "required": [ "ip", "type" ], "title": "IpAddress", "type": "object" }, "process": { "properties": { "assetId": { "description": "The asset id associated with the process", "order": 1, "title": "AssetId", "type": "string" }, "cmdLine": { "description": "The raw value of the command line call used to invoke the process", "order": 5, "title": "CmdLine", "type": "string" }, "hashes": { "description": "The list of hashes to check", "items": { "$ref": "#/definitions/hash" }, "order": 3, "title": "Hashes", "type": "array" }, "name": { "description": "The name of the process", "order": 4, "title": "Name", "type": "string" }, "processId": { "description": "The PID from the running process on the asset", "order": 2, "title": "ProcessId", "type": "integer" } }, "required": [ "assetId", "processId" ], "title": "Process", "type": "object" }, "user": { "properties": { "distinguishedName": { "description": "The Active Directory distinguished name of the user", "order": 2, "title": "DistinguishedName", "type": "string" }, "emails": { "description": "The email addresses associated with the user", "items": { "type": "string" }, "order": 3, "title": "Emails", "type": "array" }, "name": { "description": "The name of the user, as ' ' if available, or account name otherwise", "order": 1, "title": "Name", "type": "string" } }, "required": [ "name", "emails" ], "title": "User", "type": "object" } }, "properties": { "actors": { "$ref": 
"#/definitions/actor", "description": "The insightIDR actors that are part of the investigation", "order": 7, "title": "Actors" }, "contents": { "$ref": "#/definitions/content", "description": "The contents to enrich", "order": 8, "title": "Contents" }, "description": { "description": "The description of the alert", "order": 4, "title": "Description", "type": "string" }, "investigationId": { "description": "The investigation id", "order": 6, "title": "InvestigationId", "type": "string" }, "link": { "description": "The deep link to the investigation in insightIDR", "order": 5, "title": "Link", "type": "string" }, "name": { "description": "The human-readable name of the alert", "order": 3, "title": "Name", "type": "string" }, "timestamp": { "description": "The time the alert was triggered in ISO 8601 extended timestamp format", "order": 1, "title": "Timestamp", "type": "string" }, "type": { "description": "The type of alert", "order": 2, "title": "Type", "type": "string" } }, "required": [ "investigationId", "actors", "timestamp", "type", "name", "description", "link" ], "title": "Variables", "type": "object" }, "outputJSONSchema": null, "defaultImageData": "https://ca.cdn-assets.connect.insight.rapid7.com/step-type-icons/trigger-api-idr.svg", "connectionType": "NONE", "caseManagementInputJsonSchema": null, "caseManagementOutputJsonSchema": null }, "a77ed7cc-0a20-40a0-8875-bea7433b64ee": { "nodeId": "a77ed7cc-0a20-40a0-8875-bea7433b64ee", "name": "Alert Artifact", "type": "artifact", "continueOnFailure": false, "isDisabled": false, "parameters": { "input": { "content": "You have run a critical data snapshot workflow for this incident where data security is at risk and an immutable snapshot is needed to protect critical data. The snapshot can be used to recover data and Cyber Storage analytics from Security Edition can detect malicious data activity and log file access. 
This is necessary to root cause what data was affected by a security incident.\n\nThe snapshots created will persist by default for 4 hours. You can run this workflow multiple times to generate more recovery points.\n\nStorage space consumed will be freed up after the 4-hour expiry on the snapshot." }, "type": "markdown" }, "defaultInputJSONSchema": null, "defaultOutputJSONSchema": null, "outputJSONSchema": null, "defaultImageData": "https://ca.cdn-assets.connect.insight.rapid7.com/step-type-icons/artifact.svg", "connectionType": "NONE", "caseManagementInputJsonSchema": null, "caseManagementOutputJsonSchema": null }, "da6c5160-f135-4e1b-a3a8-61f4b0ef86cb": { "nodeId": "da6c5160-f135-4e1b-a3a8-61f4b0ef86cb", "name": "Issue Zero Trust API to protect File Systems", "type": "action", "plugin": { "name": "HTTP Requests", "slugVendor": "rapid7", "slugName": "rest", "slugVersion": "6.0.4", "imageData": "https://ca.cdn-assets.connect.insight.rapid7.com/icons/rapid7/rest/6.0.4/icon.png" }, "identifier": "post", "continueOnFailure": false, "isDisabled": false, "isCloud": false, "parameters": { "input": { "body_any": "", "body_object": {}, "headers": {}, "route": "/" } }, "defaultInputJSONSchema": { "properties": { "body_any": { "description": "Payload (string) to submit to the server when making the HTTP Request call. This can be any type of input, such as an array or integers etc.. If a data object is to be sent, please use the 'Body Object' input", "order": 4, "title": "Body (Any)", "type": "string" }, "body_object": { "description": "Payload to submit to the server when making the HTTP Request call", "order": 3, "title": "Body (Object)", "type": "object" }, "headers": { "description": "Headers to use for the request. These will override any default headers", "order": 2, "title": "Headers", "type": "object" }, "route": { "description": "The route to append to the base URL e.g. 
/org/users", "order": 1, "title": "Route", "type": "string" } }, "required": [ "route" ], "title": "Variables", "type": "object" }, "defaultOutputJSONSchema": { "properties": { "body_object": { "description": "Response payload from the server as an object. Note, if the response has invalid object structure (list, string..) plugin will wrap it with object map", "order": 1, "title": "Body Object", "type": "object" }, "body_string": { "description": "Response payload from the server as a string", "order": 2, "title": "Body String", "type": "string" }, "headers": { "description": "Response headers from the server", "order": 4, "title": "Headers", "type": "object" }, "status": { "description": "Status code of the response from the server", "order": 3, "title": "Status", "type": "integer" } }, "title": "Variables", "type": "object" }, "outputJSONSchema": null, "defaultImageData": "", "connectionType": "CONNECTION", "caseManagementInputJsonSchema": null, "caseManagementOutputJsonSchema": null } }, "tags": [ "Alerting & Notifications", "Rapid7", "Utility" ], "humanCostSeconds": 60, "humanCostDisplayUnit": "minutes", "parameters": { "definitionSchema": null }, "summary": "This workflow issues a Superna Zero Trust API call to protect critical NAS storage devices by creating an immutable snapshot that allows data recovery using Superna Security Edition Cyber Recovery Manager. This workflow can be called multiple times to create more than one restore point. SecOps can use this if they suspect ransomware may have infiltrated the environment. 
" } ], "triggers": [ { "id": "0382c751-5f6d-4a6f-8f34-dce9eabe8d00", "name": "Superna Zero Trust Snapshot Protect", "description": "Use this workflow to protect critical data protected by Superna Security Edition", "input": null, "inputJsonSchema": { "definitions": { "actor": { "properties": { "assets": { "description": "The assets that are part of the investigation", "items": { "$ref": "#/definitions/asset" }, "order": 2, "title": "Assets", "type": "array" }, "users": { "description": "The users that are part of the investigation", "items": { "$ref": "#/definitions/user" }, "order": 1, "title": "Users", "type": "array" } }, "title": "Actor", "type": "object" }, "asset": { "properties": { "assetId": { "description": "the ID of the asset", "order": 1, "title": "AssetId", "type": "string" }, "fqdn": { "description": "The fully qualified domain name", "order": 3, "title": "Fqdn", "type": "string" }, "shortname": { "description": "shortname of the asset", "order": 2, "title": "Shortname", "type": "string" } }, "required": [ "shortname", "assetId" ], "title": "Asset", "type": "object" }, "content": { "properties": { "domains": { "description": "A list of domains to check", "items": { "type": "string" }, "order": 2, "title": "Domains", "type": "array" }, "ipAddresses": { "description": "A list of ip addresses to check", "items": { "$ref": "#/definitions/ipAddress" }, "order": 3, "title": "IpAddresses", "type": "array" }, "processes": { "description": "A list of processes to check", "items": { "$ref": "#/definitions/process" }, "order": 4, "title": "Processes", "type": "array" }, "urls": { "description": "A list of URLs to check", "items": { "type": "string" }, "order": 1, "title": "Urls", "type": "array" } }, "title": "Content", "type": "object" }, "hash": { "properties": { "hash": { "description": "The actual hash", "order": 1, "title": "Hash", "type": "string" }, "type": { "description": "The algorithm used to generate the hash", "order": 2, "title": "Type", "type": 
"string" } }, "required": [ "hash", "type" ], "title": "Hash", "type": "object" }, "ipAddress": { "properties": { "ip": { "description": "The raw IP", "order": 1, "title": "Ip", "type": "string" }, "type": { "description": "Denotes if an IP is internal or external", "order": 2, "title": "Type", "type": "string" } }, "required": [ "ip", "type" ], "title": "IpAddress", "type": "object" }, "process": { "properties": { "assetId": { "description": "The asset id associated with the process", "order": 1, "title": "AssetId", "type": "string" }, "cmdLine": { "description": "The raw value of the command line call used to invoke the process", "order": 5, "title": "CmdLine", "type": "string" }, "hashes": { "description": "The list of hashes to check", "items": { "$ref": "#/definitions/hash" }, "order": 3, "title": "Hashes", "type": "array" }, "name": { "description": "The name of the process", "order": 4, "title": "Name", "type": "string" }, "processId": { "description": "The PID from the running process on the asset", "order": 2, "title": "ProcessId", "type": "integer" } }, "required": [ "assetId", "processId" ], "title": "Process", "type": "object" }, "user": { "properties": { "distinguishedName": { "description": "The Active Directory distinguished name of the user", "order": 2, "title": "DistinguishedName", "type": "string" }, "emails": { "description": "The email addresses associated with the user", "items": { "type": "string" }, "order": 3, "title": "Emails", "type": "array" }, "name": { "description": "The name of the user, as ' ' if available, or account name otherwise", "order": 1, "title": "Name", "type": "string" } }, "required": [ "name", "emails" ], "title": "User", "type": "object" } }, "properties": { "actors": { "$ref": "#/definitions/actor", "description": "The insightIDR actors that are part of the investigation", "order": 7, "title": "Actors" }, "contents": { "$ref": "#/definitions/content", "description": "The contents to enrich", "order": 8, "title": 
"Contents" }, "description": { "description": "The description of the alert", "order": 4, "title": "Description", "type": "string" }, "investigationId": { "description": "The investigation id", "order": 6, "title": "InvestigationId", "type": "string" }, "link": { "description": "The deep link to the investigation in insightIDR", "order": 5, "title": "Link", "type": "string" }, "name": { "description": "The human-readable name of the alert", "order": 3, "title": "Name", "type": "string" }, "timestamp": { "description": "The time the alert was triggered in ISO 8601 extended timestamp format", "order": 1, "title": "Timestamp", "type": "string" }, "type": { "description": "The type of alert", "order": 2, "title": "Type", "type": "string" } }, "required": [ "investigationId", "actors", "timestamp", "type", "name", "description", "link" ], "title": "Variables", "type": "object" }, "outputJsonSchema": { "definitions": { "actor": { "properties": { "assets": { "description": "The assets that are part of the investigation", "items": { "$ref": "#/definitions/asset" }, "order": 2, "title": "Assets", "type": "array" }, "users": { "description": "The users that are part of the investigation", "items": { "$ref": "#/definitions/user" }, "order": 1, "title": "Users", "type": "array" } }, "title": "Actor", "type": "object" }, "asset": { "properties": { "assetId": { "description": "the ID of the asset", "order": 1, "title": "AssetId", "type": "string" }, "fqdn": { "description": "The fully qualified domain name", "order": 3, "title": "Fqdn", "type": "string" }, "shortname": { "description": "shortname of the asset", "order": 2, "title": "Shortname", "type": "string" } }, "required": [ "shortname", "assetId" ], "title": "Asset", "type": "object" }, "content": { "properties": { "domains": { "description": "A list of domains to check", "items": { "type": "string" }, "order": 2, "title": "Domains", "type": "array" }, "ipAddresses": { "description": "A list of ip addresses to check", 
"items": { "$ref": "#/definitions/ipAddress" }, "order": 3, "title": "IpAddresses", "type": "array" }, "processes": { "description": "A list of processes to check", "items": { "$ref": "#/definitions/process" }, "order": 4, "title": "Processes", "type": "array" }, "urls": { "description": "A list of URLs to check", "items": { "type": "string" }, "order": 1, "title": "Urls", "type": "array" } }, "title": "Content", "type": "object" }, "hash": { "properties": { "hash": { "description": "The actual hash", "order": 1, "title": "Hash", "type": "string" }, "type": { "description": "The algorithm used to generate the hash", "order": 2, "title": "Type", "type": "string" } }, "required": [ "hash", "type" ], "title": "Hash", "type": "object" }, "ipAddress": { "properties": { "ip": { "description": "The raw IP", "order": 1, "title": "Ip", "type": "string" }, "type": { "description": "Denotes if an IP is internal or external", "order": 2, "title": "Type", "type": "string" } }, "required": [ "ip", "type" ], "title": "IpAddress", "type": "object" }, "process": { "properties": { "assetId": { "description": "The asset id associated with the process", "order": 1, "title": "AssetId", "type": "string" }, "cmdLine": { "description": "The raw value of the command line call used to invoke the process", "order": 5, "title": "CmdLine", "type": "string" }, "hashes": { "description": "The list of hashes to check", "items": { "$ref": "#/definitions/hash" }, "order": 3, "title": "Hashes", "type": "array" }, "name": { "description": "The name of the process", "order": 4, "title": "Name", "type": "string" }, "processId": { "description": "The PID from the running process on the asset", "order": 2, "title": "ProcessId", "type": "integer" } }, "required": [ "assetId", "processId" ], "title": "Process", "type": "object" }, "user": { "properties": { "distinguishedName": { "description": "The Active Directory distinguished name of the user", "order": 2, "title": "DistinguishedName", "type": "string" 
}, "emails": { "description": "The email addresses associated with the user", "items": { "type": "string" }, "order": 3, "title": "Emails", "type": "array" }, "name": { "description": "The name of the user, as ' ' if available, or account name otherwise", "order": 1, "title": "Name", "type": "string" } }, "required": [ "name", "emails" ], "title": "User", "type": "object" } }, "properties": { "actors": { "$ref": "#/definitions/actor", "description": "The insightIDR actors that are part of the investigation", "order": 7, "title": "Actors" }, "contents": { "$ref": "#/definitions/content", "description": "The contents to enrich", "order": 8, "title": "Contents" }, "description": { "description": "The description of the alert", "order": 4, "title": "Description", "type": "string" }, "investigationId": { "description": "The investigation id", "order": 6, "title": "InvestigationId", "type": "string" }, "link": { "description": "The deep link to the investigation in insightIDR", "order": 5, "title": "Link", "type": "string" }, "name": { "description": "The human-readable name of the alert", "order": 3, "title": "Name", "type": "string" }, "timestamp": { "description": "The time the alert was triggered in ISO 8601 extended timestamp format", "order": 1, "title": "Timestamp", "type": "string" }, "type": { "description": "The type of alert", "order": 2, "title": "Type", "type": "string" } }, "required": [ "investigationId", "actors", "timestamp", "type", "name", "description", "link" ], "title": "Variables", "type": "object" }, "tags": [], "type": "trigger_api_idr" } ] } }