Response Action (Preview)


Note: This feature is in private preview. To request access please reach out to our support team.

Overview

Hunters Response Actions enable you to initiate automated workflows directly from Hunters alerts. You can trigger and track workflows from within the Hunters UI, for faster, automated response directly from a Lead. Only the actions relevant to that lead are shown.

Hunters provides some out-of-the-box (OOTB) response actions. To use them, you only need to create the relevant connector and connection if they are missing. Response actions are also fully customizable: either modify the OOTB recipes or create your own from scratch.

Setting Up Response Action

Folder Structure

To make Response Actions visible in Hunters leads and alerts, the following folder structure must exist in Workflow Manager; create it if it does not already exist. Recipes in these folders are used as candidates for response actions within a lead.

Response_Actions
├── Hunters_Actions     # Hunters-provided templates - DO NOT ACTIVATE*
└── Custom_Actions      # Your custom response actions

Note: Do not modify or activate recipes directly in Hunters_Actions. Instead, clone them to "Custom_Actions" first, modify them if needed, and activate them there.

Visibility Requirements

To appear in the Hunters UI, each recipe in the relevant folders must:

  • Include the visible tag

  • Be in a running state

Note: The user must have the “Workflow Builder” or “Workflow Viewer” role to see the action button.

Organize actions by categories

You can organize the actions in categories by adding a tag to the recipe:

  • Setting ‘category:communication’ tag will list the action under the Communication category

  • Actions without a category will be listed under the "uncategorized" group


Recipe Configurations

Each Response Action (aka Recipe) you create must have the following steps in this order.
After the first two steps, you can add whatever logic is needed.

  1. Webhook Trigger

    • Define the parameters that will be used by this recipe under Payload Schema

    • Include actionToken in the payload schema

    • You must give the webhook a name; it can be any name you like

  2. "Connect recipe to hunters" Action

    • Must be added immediately after the webhook trigger

    • Returns the job ID back to Hunters for tracking

To make this easier, you can clone any existing recipe from the supported folders and modify it as needed.




Input Field (aka payload schema)

Field types define how users interact with recipes from the Hunters UI.
They are defined in the webhook trigger's payload schema.

Read-Only Fields

  • Auto-filled from Hunters Lead attributes and sent from the Hunters lead to the recipe, to be used in any way needed.

  • Pattern: readonly_lead_<field>

  • Example: readonly_lead_uuid

  • Supported readonly_lead_<field>:

readonly_lead_uuid – Unique identifier of the lead.

readonly_lead_id – Detection ID or rule name that triggered the lead.

readonly_lead_created_at – Timestamp when the lead was created in Hunters.

readonly_lead_risk – Risk level assigned to the lead (e.g., 1–5).

readonly_lead_severity – Severity level of the detection (e.g., 1–5).

readonly_lead_confidence – Confidence in the detection’s accuracy.

readonly_lead_maliciousness_status – Maliciousness classification (e.g., malicious).

readonly_lead_lead_state – Internal state of the lead in Hunters.

readonly_lead_assignee – User ID of the assignee (if assigned).

readonly_lead_tenant_name – Name of the organization.

User Input Fields

These fields request input from the user when the user triggers the action; the values are used as defined in the recipe.

  • Free Text: Single-line input
    Pattern: freetext_<name>
    Example: freetext_subject

  • Text Area: Multi-line input
    Pattern: textarea_<name>
    Example: textarea_description

  • Assignee: Dropdown of all Hunters users
    Pattern: assignee_<name>
    Example: assignee_owner
    Used for assigning tasks in systems like Jira or ServiceNow

Note: You can set the “Label” field when adding such an input field; it is used in the Hunters UI to make the field easier to read.

Attribute Fields

  • Users are asked to choose one option from the matching values found in the lead. For example, using ‘email_user’ lists all the emails associated with this lead and presents them for the user to choose from.

  • No prefix (e.g., email, target_process_name, agent_id)

  • Pulled from matching Summary or Entity attributes

  • Recipes are only shown if all attribute fields have matches in the lead from which you are trying to initiate the response action.

  • How do I know what the names of the attribute fields are?

    • Hover over the lead attribute for 3 seconds to see a pop-up with a quick copy option; use the copied name in the payload schema setting

System Fields

  • actionToken: JWT token used for authentication
    Required in all recipes. Managed by Hunters.
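
A pre-activation check for the field naming rules above, as an added example (not Hunters code). The function names, the list-of-names input format, and the reading of any unrecognised prefix as an attribute field are assumptions made for illustration.

```python
# Added example: lints payload-schema field names against the conventions above.
# Assumption: the schema is available as a plain list of field names.
SUPPORTED_READONLY = {
    "uuid", "id", "created_at", "risk", "severity", "confidence",
    "maliciousness_status", "lead_state", "assignee", "tenant_name",
}
USER_INPUT_PREFIXES = {"freetext_": "free_text", "textarea_": "text_area",
                       "assignee_": "assignee"}
# Constructed sample: a schema with one misspelled prefix, and a lead's attribute names.
SAMPLE_SCHEMA = ["actionToken", "readonly_lead_uuid", "freetxt_subject", "email"]
SAMPLE_LEAD_ATTRIBUTES = {"email", "agent_id"}


def classify_field(name):
    """Return (kind, problem); problem is None when the name is valid."""
    if name == "actionToken":
        return "system", None
    if name.startswith("readonly_lead_"):
        suffix = name[len("readonly_lead_"):]
        if suffix in SUPPORTED_READONLY:
            return "readonly", None
        return "readonly", f"unsupported read-only field: {name}"
    for prefix, kind in USER_INPUT_PREFIXES.items():
        if name.startswith(prefix):
            if name == prefix:
                return kind, f"missing <name> after prefix: {name}"
            return kind, None
    # Assumption: a name with no recognised prefix is read as an attribute
    # field, so it must match a Summary or Entity attribute on the lead.
    return "attribute", None


def lint_schema(field_names, lead_attributes):
    """Check one schema; lead_attributes is the set of attribute names on a lead."""
    problems, attributes = [], []
    for name in field_names:
        kind, problem = classify_field(name)
        if problem:
            problems.append(problem)
        if kind == "attribute":
            attributes.append(name)
    if "actionToken" not in field_names:
        problems.append("actionToken missing from payload schema")
    unmatched = [a for a in attributes if a not in lead_attributes]
    return {"problems": problems, "attribute_fields": attributes,
            "unmatched_attributes": unmatched,
            "attributes_match_lead": not unmatched}
```

On the constructed sample, the misspelled freetxt_subject is read as an attribute field with no match in the lead, which under the visibility rule above would keep the recipe from being shown for that lead.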