# SecureWorks Taegis XDR
The SecureWorks Taegis XDR connector integrates Swimlane Turbine with Taegis XDR, enabling automated threat detection and response workflows.

SecureWorks Taegis XDR is a threat detection and response platform that provides visibility and analysis across an organization's digital environment. This connector lets Swimlane Turbine users automate security operations tasks in Taegis XDR such as aggregating and resolving alerts, managing assets, and conducting investigations. By integrating with Taegis XDR, users can streamline incident response, improve asset management, and accelerate investigations from within the Swimlane Turbine platform. The connector's actions are built for efficient security automation, so analysts can focus on decision-making and threat mitigation.

## Prerequisites

To use the SecureWorks Taegis XDR connector with Swimlane, you need OAuth 2.0 client credentials for authentication, with the following parameters:

- URL: endpoint URL for SecureWorks Taegis XDR API access
- Client ID: unique identifier for the application making the request
- Client Secret: a secret key provided by SecureWorks Taegis XDR to authenticate the application

### Asset Setup

To obtain the required asset parameters (host, client ID, client secret), see https://docs.ctpx.secureworks.com/apis/using_xdr_apis/. The client secret is a credential: keep it in the Swimlane asset rather than in task inputs or playbook variables, where it would be visible in run history.

### Tasks Setup

Each specific action takes the same variables as the matching Taegis GraphQL query or mutation. For the Run Generic Query action, the whole GraphQL query must be provided.

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| scope | Permission scopes for this action | array | optional |
| verify_ssl | Verify the SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

Leave verify_ssl enabled outside of lab testing: with certificate verification off, the bearer token sent with every request can be read by anyone able to sit between Swimlane and the API.

## Actions

### Aggregate Alerts

Compiles alerts matching a specified CQL query in SecureWorks Taegis XDR, for streamlined alert management.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| cql_query | string | required | Query used to filter alerts |
| limit | number | optional | Maximum number of alerts to retrieve |
| offset | number | optional | Offset to start retrieving alerts from |

Input example:

```json
{"cql_query": "string", "limit": 500, "offset": 123}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.alertsServiceSearch | object | Response data |
| data.alertsServiceSearch.alerts | object | Response data |
| data.alertsServiceSearch.alerts.group_by | array | Response data |
| data.alertsServiceSearch.alerts.group_by.key | string | Response data |
| data.alertsServiceSearch.alerts.group_by.value | number | Response data |
| data.alertsServiceSearch.alerts.total_results | number | Total number of matching alerts |
| data.alertsServiceSearch.reason | string | Reason returned by the alerts service |
| data.alertsServiceSearch.status | string | Status returned by the alerts service |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 18:27:19 GMT", "Content-Type": "application/json", "Content-Length": "443", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```

### Delete Assets

Removes the specified assets from SecureWorks Taegis XDR using a list of asset IDs provided by the user.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| asset_ids | array | required | List of IDs of the assets to be deleted |

Input example:

```json
{"asset_ids": ["string"]}
```

### Get Alerts
Fetches alerts from SecureWorks Taegis XDR using a specified CQL query filter, to streamline incident response.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| cql_query | string | required | Query used to filter alerts |
| limit | number | optional | Maximum number of alerts to retrieve |
| offset | number | optional | Offset to start retrieving alerts from |

Input example:

```json
{"cql_query": "string", "limit": 500, "offset": 123}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.alertsServiceSearch | object | Response data |
| data.alertsServiceSearch.alerts | object | Response data |
| data.alertsServiceSearch.alerts.list | array | Matching alerts |
| data.alertsServiceSearch.alerts.list.attack_technique_ids | array | Response data |
| data.alertsServiceSearch.alerts.list.entities | object | Response data |
| data.alertsServiceSearch.alerts.list.id | string | Response data |
| data.alertsServiceSearch.alerts.list.investigation_ids | array | Response data |
| data.alertsServiceSearch.alerts.list.metadata | object | Response data |
| data.alertsServiceSearch.alerts.list.resolution_reason | string | Response data |
| data.alertsServiceSearch.alerts.list.sensor_types | array | Response data |
| data.alertsServiceSearch.alerts.list.status | string | Response data |
| data.alertsServiceSearch.alerts.list.suppressed | boolean | Response data |
| data.alertsServiceSearch.alerts.list.suppression_rules | object | Response data |
| data.alertsServiceSearch.alerts.list.tenant_id | string | Response data |
| data.alertsServiceSearch.alerts.total_results | number | Total number of matching alerts |
| data.alertsServiceSearch.reason | string | Reason returned by the alerts service |
| data.alertsServiceSearch.status | string | Status returned by the alerts service |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 18:53:34 GMT", "Content-Type": "application/json", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```
### Get Assets

Retrieves a list of assets from SecureWorks Taegis XDR, optionally filtered by asset state and ordered by a chosen key.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| order_by | string | optional | Key to order by |
| filter_asset_state | string | optional | Asset state filter |
| limit | number | optional | Maximum number of assets to retrieve |
| offset | number | optional | Offset to start retrieving assets from |

Input example:

```json
{"order_by": "string", "filter_asset_state": "string", "limit": 500, "offset": 123}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.allAssets | object | Response data |
| data.allAssets.assets | array | Matching assets |
| data.allAssets.assets.endpointType | string | Response data |
| data.allAssets.assets.hostId | string | Response data |
| data.allAssets.assets.hostnames | array | Response data |
| data.allAssets.assets.hostnames.hostname | string | Response data |
| data.allAssets.assets.id | string | Response data |
| data.allAssets.assets.osVersion | string | Response data |
| data.allAssets.assets.sensorId | string | Response data |
| data.allAssets.assets.sensorTenant | string | Response data |
| data.allAssets.assets.sensorVersion | string | Response data |
| data.allAssets.totalResults | number | Total number of matching assets |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 18:50:36 GMT", "Content-Type": "application/json", "Content-Length": "650", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```

### Get Investigation Alerts
Retrieves the alerts associated with a specific investigation ID in SecureWorks Taegis XDR.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| investigation_id | string | required | Unique identifier of the investigation |
| page | number | optional | Page to retrieve |
| per_page | number | optional | How many records to retrieve per page |
| filter_query | string | optional | Query used to filter the alerts |
| order_by_field | string | optional | Field to order by |
| order_direction | string | optional | Direction to order |

Input example:

```json
{"investigation_id": "string", "page": 123, "per_page": 123, "filter_query": "string", "order_by_field": "string", "order_direction": "string"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.investigationAlerts | object | Response data |
| data.investigationAlerts.alerts | array | Response data |
| data.investigationAlerts.alerts.id | string | Response data |
| data.investigationAlerts.alerts2 | array | Response data |
| data.investigationAlerts.alerts2.id | string | Response data |
| data.investigationAlerts.totalCount | number | Total number of alerts in the investigation |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 20:03:46 GMT", "Content-Type": "application/json", "Content-Length": "164", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```

### Get Investigation Assets

Retrieves the assets associated with a specific investigation in SecureWorks Taegis XDR using the provided investigation ID.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| investigation_id | string | required | Unique identifier of the investigation |
| page | number | optional | Page to retrieve |
| per_page | number | optional | How many records to retrieve per page |

Input example:

```json
{"investigation_id": "string", "page": 123, "per_page": 123}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.investigationAssets | object | Response data |
| data.investigationAssets.assets | array | Response data |
| data.investigationAssets.assets.id | string | Response data |
| data.investigationAssets.totalCount | number | Total number of assets in the investigation |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 20:13:14 GMT", "Content-Type": "application/json", "Content-Length": "106", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```

### Get Investigation Events

Retrieves the event details associated with a specific investigation ID in SecureWorks Taegis XDR.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| investigation_id | string | required | Unique identifier of the investigation |
| page | number | optional | Page to retrieve |
| per_page | number | optional | How many records to retrieve per page |

Input example:

```json
{"investigation_id": "string", "page": 123, "per_page": 123}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.investigationEvents | object | Response data |
| data.investigationEvents.events | array | Response data |
| data.investigationEvents.events.file_name | string | Response data |
| data.investigationEvents.events.file | string | Response data |
| data.investigationEvents.totalCount | number | Total number of events in the investigation |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 20:10:35 GMT", "Content-Type": "application/json", "Content-Length": "61", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```
### Get Investigation Files

Retrieves all files associated with a given investigation ID in SecureWorks Taegis XDR.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| investigation_id | string | required | Unique identifier of the investigation |

Input example:

```json
{"investigation_id": "string"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.investigationFiles | array | Response data |
| data.investigationFiles.file_name | string | Response data |
| data.investigationFiles.file | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 20:18:24 GMT", "Content-Type": "application/json", "Content-Length": "34", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```

### Get Investigation Status Summary

Retrieves a summary of current investigation status within SecureWorks Taegis XDR.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| updated_after | string | optional | Timestamp filter (from) |
| updated_before | string | optional | Timestamp filter (to) |

Input example:

```json
{"updated_after": "string", "updated_before": "string"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.investigationStatusSummary | array | Response data |
| data.investigationStatusSummary.count | number | Number of investigations in this status on this date |
| data.investigationStatusSummary.date | string | Response data |
| data.investigationStatusSummary.status | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 19:51:49 GMT", "Content-Type": "application/json", "Content-Length": "89", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```

### Get Investigations

Fetches a list of current investigations from SecureWorks Taegis XDR for further analysis or tracking.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| cql_query | string | optional | Query used to filter investigations |
| page | number | optional | Page to retrieve |
| per_page | number | optional | How many records to retrieve per page |
| filter_text | string | optional | Text to use for free-text search |
| order_by_field | string | optional | Field to order by |
| order_direction | string | optional | Direction to order |

Input example:

```json
{"cql_query": "string", "page": 1, "per_page": 100, "filter_text": "string", "order_by_field": "string", "order_direction": "string"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.investigationsSearch | object | Response data |
| data.investigationsSearch.investigations | array | Matching investigations |
| data.investigationsSearch.investigations.alerts | array | Response data |
| data.investigationsSearch.investigations.alerts.file_name | string | Response data |
| data.investigationsSearch.investigations.alerts.file | string | Response data |
| data.investigationsSearch.investigations.assets | array | Response data |
| data.investigationsSearch.investigations.assets.file_name | string | Response data |
| data.investigationsSearch.investigations.assets.file | string | Response data |
| data.investigationsSearch.investigations.created_at | string | Response data |
| data.investigationsSearch.investigations.events | array | Response data |
| data.investigationsSearch.investigations.events.file_name | string | Response data |
| data.investigationsSearch.investigations.events.file | string | Response data |
| data.investigationsSearch.investigations.files_count | object | Response data |
| data.investigationsSearch.investigations.id | string | Response data |
| data.investigationsSearch.investigations.status | string | Response data |
| data.investigationsSearch.investigations.tags | array | Response data |
| data.investigationsSearch.investigations.tags.file_name | string | Response data |
| data.investigationsSearch.investigations.tags.file | string | Response data |
| data.investigationsSearch.investigations.tenant_id | string | Response data |
| data.investigationsSearch.investigations.updated_at | string | Response data |
| data.investigationsSearch.totalCount | number | Total number of matching investigations |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 20:19:57 GMT", "Content-Type": "application/json", "Content-Length": "522", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```

### Isolate Asset

Isolates a specified asset in SecureWorks Taegis XDR using the asset's ID and a provided reason for isolation. Isolation is a containment action that cuts the host off from the network; the reason is recorded with the action, so make it specific enough for an auditor to follow.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| asset_id | string | required | ID of the asset to isolate |
| reason | string | required | Reason the asset is being isolated |

Input example (both arguments are required, so the reason must be supplied):

```json
{"asset_id": "string", "reason": "string"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.isolateAsset | object | Response data |
| data.isolateAsset.id | string | ID of the isolated asset |
| data.isolateAsset.updatedAt | string | Time the asset record was updated |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 19:05:23 GMT", "Content-Type": "application/json", "Content-Length": "113", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```

### Resolve Alerts

Resolves the specified alerts in SecureWorks Taegis XDR by their unique identifiers.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| alert_ids | array | optional | List of IDs of the alerts to be resolved |
| reason | string | optional | Reason for the resolution |
| resolution_status | string | optional | Resolution status value to set |

Input example:

```json
{"alert_ids": ["string"], "resolution_status": "active"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.alertsServiceUpdateResolutionInfo | object | Response data |
| data.alertsServiceUpdateResolutionInfo.reason | string | Reason recorded with the resolution |
| data.alertsServiceUpdateResolutionInfo.resolution_status | string | Resolution status that was set |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 18:52:12 GMT", "Content-Type": "application/json", "Content-Length": "127", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```

### Run Generic Query
Executes a specified GraphQL query within SecureWorks Taegis XDR and returns the results. The whole query text is passed as a single string, so any values it carries must be written as GraphQL literals inside the query; escape them rather than concatenating raw input into the string.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | The complete GraphQL query to execute |

Input example:

```json
{"query": "string"}
```

### Update Investigation

Updates an existing investigation in SecureWorks Taegis XDR using the specified investigation ID and details.

- Endpoint URL: graphql
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| investigation_id | string | required | Unique identifier of the investigation |
| investigation | object | required | Investigation fields to update |
| investigation.tags | array | optional | Tags |
| investigation.genesis_alerts | array | optional | Genesis alerts |
| investigation.genesis_events | array | optional | Genesis events |
| investigation.alerts | array | optional | Alerts |
| investigation.events | array | optional | Events |
| investigation.assets | array | optional | Assets |
| investigation.auth_credentials | array | optional | Auth credentials |
| investigation.search_queries | array | optional | Search queries |
| investigation.contributors | array | optional | Contributors |
| investigation.key_findings | string | optional | Key findings |
| investigation.description | string | required | Description |
| investigation.notified_at | string | optional | Notified-at timestamp |
| investigation.created_by | string | optional | Created-by identifier |
| investigation.status | string | optional | Status value |
| investigation.service_desk_id | string | optional | Service desk identifier |
| investigation.service_desk_type | string | optional | Service desk type |
| investigation.assignee_id | string | optional | Assignee identifier |
| investigation.notes | string | optional | Notes |
| investigation.priority | number | optional | Priority |
| investigation.type | string | optional | Type of the investigation |
Input example:

```json
{
  "investigation_id": "string",
  "investigation": {
    "tags": ["string"],
    "genesis_alerts": ["string"],
    "genesis_events": ["string"],
    "alerts": ["string"],
    "events": ["string"],
    "assets": ["string"],
    "auth_credentials": ["string"],
    "search_queries": ["string"],
    "contributors": ["string"],
    "key_findings": "string",
    "description": "string",
    "notified_at": "string",
    "created_by": "string",
    "status": "active",
    "service_desk_id": "string",
    "service_desk_type": "string",
    "assignee_id": "string",
    "notes": "string",
    "priority": 123,
    "type": "string"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.updateInvestigation | object | Response data |
| data.updateInvestigation.alerts | array | Response data |
| data.updateInvestigation.alerts.id | string | Response data |
| data.updateInvestigation.assets | array | Response data |
| data.updateInvestigation.assets.file_name | string | Response data |
| data.updateInvestigation.assets.file | string | Response data |
| data.updateInvestigation.created_at | string | Response data |
| data.updateInvestigation.events | array | Response data |
| data.updateInvestigation.events.id | string | Response data |
| data.updateInvestigation.files_count | object | Response data |
| data.updateInvestigation.id | string | Response data |
| data.updateInvestigation.status | string | Response data |
| data.updateInvestigation.tags | array | Response data |
| data.updateInvestigation.tags.file_name | string | Response data |
| data.updateInvestigation.tags.file | string | Response data |
| data.updateInvestigation.tenant_id | string | Response data |
| data.updateInvestigation.updated_at | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 01 Dec 2022 20:51:11 GMT", "Content-Type": "application/json", "Content-Length": "401", "Connection": "keep-alive", "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com", ...}}
```
## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Access-Control-Allow-Credentials | HTTP response header Access-Control-Allow-Credentials | true |
| Access-Control-Allow-Headers | HTTP response header Access-Control-Allow-Headers | content-type, content-length, accept-encoding, x-csrf-token, x-tenant-context, content-type, authorization, accept, accept-language, origin, cache-control, x-requested-with, strict-transport-security, content-security-policy, x-content-type-options, x-frame-options, x-xss-protection, referrer-policy, x-id-token, access-control-allow-credentials, x-graphql-schema, apollographql-client-name, apollographql-client-version |
| Access-Control-Allow-Methods | HTTP response header Access-Control-Allow-Methods | "" |
| Access-Control-Allow-Origin | HTTP response header Access-Control-Allow-Origin | api.delta.taegis.secureworks.com |
| Access-Control-Expose-Headers | HTTP response header Access-Control-Expose-Headers | link |
| Access-Control-Request-Method | HTTP response header Access-Control-Request-Method | "" |
| Cache-Control | Directives for caching mechanisms | no-store |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 443 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Dec 2022 18:50:36 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Referrer-Policy | HTTP response header Referrer-Policy | same-origin |
| Set-Cookie | HTTP response header Set-Cookie | access_token=<redacted JWT>; path=/; expires=Thu, 01 Dec 2022 21:10:35 GMT |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Request-Id | A unique identifier for the request | Root=1-6388f82e-4e27546c423705412c1c2327 |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |

The Set-Cookie header returned by the API carries the tenant's access token. Redact it, along with any Authorization header, before writing raw response headers into a Swimlane record or log, since a captured token can be replayed against the API until it expires.
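Every action above is a POST to the same graphql endpoint; the actions differ only in the query text and the variables that travel with it, and Run Generic Query takes the whole query as one string. The Python below is an added example, not code from the Swimlane connector or from Secureworks. It builds the client-credentials token request, the alertsServiceSearch request with the Get Alerts inputs (cql_query, limit, offset), the Resolve Alerts mutation, and an inlined-literal form of the search query suitable for Run Generic Query, then pages through results by offset against a constructed offline stub. The token endpoint path, the GraphQL input type names (SearchRequestInput, UpdateResolutionRequestInput), the resolution status value and the sample CQL text are assumptions to confirm against the Taegis API documentation; the host and alert IDs are placeholders.

```python
"""Added example (not Swimlane or Secureworks code): request shapes behind the Taegis XDR
connector actions, plus offset paging over alertsServiceSearch, run offline against a stub."""
import base64
import json
from typing import Any, Callable, Dict, List

TOKEN_PATH = "/auth/api/v2/auth/token"  # assumed client-credentials token endpoint; confirm in Taegis docs
GRAPHQL_PATH = "/graphql"               # every connector action posts here

# Selection set mirrors the Get Alerts output (data.alertsServiceSearch.alerts.list...).
ALERT_FIELDS = """alerts {
      list { id status tenant_id attack_technique_ids investigation_ids }
      total_results
    }
    status
    reason"""

# Parameterised form: $in carries the same cql_query/limit/offset the action takes.
ALERTS_SEARCH_QUERY = f"""query alertsServiceSearch($in: SearchRequestInput!) {{
  alertsServiceSearch(in: $in) {{
    {ALERT_FIELDS}
  }}
}}"""

# Input type name is assumed; the field names are the Resolve Alerts action inputs.
RESOLVE_MUTATION = """mutation resolve($in: UpdateResolutionRequestInput!) {
  alertsServiceUpdateResolutionInfo(in: $in) { reason resolution_status }
}"""


def build_token_request(base_url: str, client_id: str, client_secret: str) -> Dict[str, Any]:
    """Client-credentials grant; the secret goes in the Basic header, never in the URL (logged)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"method": "POST", "url": base_url.rstrip("/") + TOKEN_PATH,
            "headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": "grant_type=client_credentials"}


def build_graphql_request(base_url: str, token: str, query: str, variables: Dict[str, Any]) -> Dict[str, Any]:
    """POST /graphql with a {query, variables} body and the bearer token."""
    return {"method": "POST", "url": base_url.rstrip("/") + GRAPHQL_PATH,
            "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            "json": {"query": query, "variables": variables}}


def search_variables(cql_query: str, limit: int = 500, offset: int = 0) -> Dict[str, Any]:
    """Validate the three Get Alerts / Aggregate Alerts inputs before anything is sent."""
    if not cql_query.strip():
        raise ValueError("cql_query must not be empty")
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset >= 0")
    return {"in": {"cql_query": cql_query, "limit": limit, "offset": offset}}


def inline_query(cql_query: str, limit: int = 500, offset: int = 0) -> str:
    """Run Generic Query accepts only a query string, so arguments are inlined as literals.
    json.dumps yields a correctly escaped GraphQL string literal, so quotes or backslashes
    in the CQL cannot break out of it the way plain concatenation would allow."""
    v = search_variables(cql_query, limit, offset)["in"]
    args = f'cql_query: {json.dumps(v["cql_query"])}, limit: {v["limit"]}, offset: {v["offset"]}'
    return f"query {{\n  alertsServiceSearch(in: {{{args}}}) {{\n    {ALERT_FIELDS}\n  }}\n}}"


def build_resolve_request(base_url: str, token: str, alert_ids: List[str],
                          resolution_status: str, reason: str) -> Dict[str, Any]:
    """Resolve Alerts mutation; an empty id list is refused rather than sent."""
    if not alert_ids:
        raise ValueError("alert_ids must not be empty")
    variables = {"in": {"alert_ids": list(alert_ids), "resolution_status": resolution_status,
                        "reason": reason}}
    return build_graphql_request(base_url, token, RESOLVE_MUTATION, variables)


def fetch_all_alerts(send: Callable[[Dict[str, Any]], Dict[str, Any]], base_url: str, token: str,
                     cql_query: str, page_size: int = 500) -> List[Dict[str, Any]]:
    """Page by offset until total_results is reached. GraphQL signals failure inside a
    200 response, so the errors key is checked instead of trusting the status code."""
    alerts: List[Dict[str, Any]] = []
    offset = 0
    while True:
        variables = search_variables(cql_query, page_size, offset)
        resp = send(build_graphql_request(base_url, token, ALERTS_SEARCH_QUERY, variables))
        if resp.get("errors"):
            raise RuntimeError(f"GraphQL error: {resp['errors']}")
        result = resp["data"]["alertsServiceSearch"]
        page = result["alerts"]["list"]
        alerts.extend(page)
        offset += len(page)
        if not page or offset >= result["alerts"]["total_results"]:
            return alerts


def constructed_send(request: Dict[str, Any]) -> Dict[str, Any]:
    """Offline stand-in for the API: five constructed alerts, served by limit/offset."""
    params = request["json"]["variables"]["in"]
    store = [{"id": f"alert-{n:04d}", "status": "OPEN", "tenant_id": "00000",
              "attack_technique_ids": ["T1059"], "investigation_ids": []} for n in range(1, 6)]
    page = store[params["offset"]:params["offset"] + params["limit"]]
    return {"data": {"alertsServiceSearch": {"alerts": {"list": page, "total_results": len(store)},
                                             "status": "OK", "reason": ""}}}
```

Call `fetch_all_alerts(constructed_send, "https://api.example.taegis.secureworks.com", "token", "FROM alert WHERE status = 'OPEN'", 2)` to watch the offset paging walk the five constructed alerts in three requests; to go live, replace `constructed_send` with a function that performs the described POST with your HTTP client and returns the decoded JSON body. The `errors` check matters in a playbook: a GraphQL failure comes back with HTTP 200, so a branch that only tests `status_code` would treat a rejected query as success. Checking the action's `data.alertsServiceSearch.status` output as well is cheap insurance.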