SecureWorks Taegis XDR
The SecureWorks Taegis XDR connector allows for seamless integration with Swimlane, enabling automated threat detection and response workflows.

SecureWorks Taegis XDR is an advanced threat detection and response platform that provides comprehensive visibility and analysis across an organization's digital environment. This connector enables Swimlane Turbine users to automate critical security operations tasks, such as aggregating and resolving alerts, managing assets, and conducting investigations within Taegis XDR. By integrating with SecureWorks Taegis XDR, users can streamline incident response, enhance asset management, and accelerate investigation processes, all from within the Swimlane Turbine platform. The connector's actions are designed to facilitate efficient security automation, allowing users to focus on strategic decision-making and threat mitigation.

## Prerequisites

To effectively utilize the SecureWorks Taegis XDR connector with Swimlane, ensure you have the following prerequisites:

- OAuth 2.0 Client Credentials for authentication, with the following parameters:
  - URL: Endpoint URL for SecureWorks Taegis XDR API access
  - Client ID: Unique identifier for the application making the request
  - Client Secret: A secret key provided by SecureWorks Taegis XDR to authenticate the application

## Asset Setup

To obtain the required asset parameters (host, client ID, client secret), see https://docs.ctpx.secureworks.com/apis/using_xdr_apis/.

## Task Setup

For all the specific actions, all that is needed are the same variables as the matching query/mutation. For the "Run Generic Query" action the whole GraphQL query needs to be provided.

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| scope | Permission scopes for this action | array | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Aggregate Alerts

Compiles alerts based on a specified CQL query in SecureWorks Taegis XDR, facilitating streamlined alert management.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| cql_query | string | required | Query used to filter alerts |
| limit | number | optional | Maximum number of alerts to retrieve |
| offset | number | optional | Offset to start retrieving alerts from |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| alertsServiceSearch | object | Output field alertsServiceSearch |
| alerts | object | Output field alerts |
| group_by | array | Output field group_by |
| key | string | Output field key |
| value | number | Value for the parameter |
| total_results | number | Result of the operation |
| reason | string | Response reason phrase |
| status | string | Status value |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 18:27:19 GMT",
      "Content-Type": "application/json",
      "Content-Length": "443",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Delete Assets

Removes specified assets from SecureWorks Taegis XDR using a list of asset IDs provided by the user.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| asset_ids | array | required | List of IDs of the assets to be deleted |

### Get Alerts

Fetches alerts from SecureWorks Taegis XDR using a specified CQL query filter to streamline incident response.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| cql_query | string | required | Query used to filter alerts |
| limit | number | optional | Maximum number of alerts to retrieve |
| offset | number | optional | Offset to start retrieving alerts from |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| alertsServiceSearch | object | Output field alertsServiceSearch |
| alerts | object | Output field alerts |
| list | array | Output field list |
| attack_technique_ids | array | Unique identifier |
| entities | object | Output field entities |
| id | string | Unique identifier |
| investigation_ids | array | Unique identifier |
| metadata | object | Response data |
| resolution_reason | string | Response reason phrase |
| sensor_types | array | Type of the resource |
| status | string | Status value |
| suppressed | boolean | Output field suppressed |
| suppression_rules | object | Output field suppression_rules |
| tenant_id | string | Unique identifier |
| total_results | number | Result of the operation |
| reason | string | Response reason phrase |
| status | string | Status value |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 18:53:34 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Content-Encoding": "gzip",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Get Assets

Retrieves a list of assets from SecureWorks Taegis XDR based on the provided CQL query.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| order_by | string | optional | Key to order by |
| filter_asset_state | string | optional | Asset state filter |
| limit | number | optional | Maximum number of alerts to retrieve |
| offset | number | optional | Offset to start retrieving alerts from |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| allAssets | object | Output field allAssets |
| assets | array | Output field assets |
| endpointType | string | Type of the resource |
| hostId | string | Unique identifier |
| hostnames | array | Name of the resource |
| hostname | string | Name of the resource |
| id | string | Unique identifier |
| osVersion | string | Output field osVersion |
| sensorId | string | Unique identifier |
| sensorTenant | string | Output field sensorTenant |
| sensorVersion | string | Output field sensorVersion |
| totalResults | number | Result of the operation |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 18:50:36 GMT",
      "Content-Type": "application/json",
      "Content-Length": "650",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Get Investigation Alerts

Retrieve alerts associated with a specific investigation ID in SecureWorks Taegis XDR.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| investigation_id | string | required | Unique identifier |
| page | number | optional | Parameter for Get Investigation Alerts |
| per_page | number | optional | Parameter for Get Investigation Alerts |
| filter_query | string | optional | Parameter for Get Investigation Alerts |
| order_by_field | string | optional | Parameter for Get Investigation Alerts |
| order_direction | string | optional | Parameter for Get Investigation Alerts |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| investigationAlerts | object | Output field investigationAlerts |
| alerts | array | Output field alerts |
| id | string | Unique identifier |
| alerts2 | array | Output field alerts2 |
| id | string | Unique identifier |
| totalCount | number | Count value |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 20:03:46 GMT",
      "Content-Type": "application/json",
      "Content-Length": "164",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Get Investigation Assets

Retrieve assets associated with a specific investigation in SecureWorks Taegis XDR using the provided investigation ID.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| investigation_id | string | required | Unique identifier |
| page | number | optional | Parameter for Get Investigation Assets |
| per_page | number | optional | Parameter for Get Investigation Assets |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| investigationAssets | object | Output field investigationAssets |
| assets | array | Output field assets |
| id | string | Unique identifier |
| totalCount | number | Count value |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 20:13:14 GMT",
      "Content-Type": "application/json",
      "Content-Length": "106",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Get Investigation Events

Retrieve event details associated with a specific investigation ID in SecureWorks Taegis XDR.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| investigation_id | string | required | Unique identifier |
| page | number | optional | Parameter for Get Investigation Events |
| per_page | number | optional | Parameter for Get Investigation Events |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| investigationEvents | object | Output field investigationEvents |
| events | array | Output field events |
| file_name | string | Name of the resource |
| file | string | Output field file |
| totalCount | number | Count value |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 20:10:35 GMT",
      "Content-Type": "application/json",
      "Content-Length": "61",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Get Investigation Files

Retrieve all files associated with a given investigation ID in SecureWorks Taegis XDR.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| investigation_id | string | required | Unique identifier |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| investigationFiles | array | Output field investigationFiles |
| file_name | string | Name of the resource |
| file | string | Output field file |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 20:18:24 GMT",
      "Content-Type": "application/json",
      "Content-Length": "34",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Get Investigation Status Summary

Retrieve a summary of the current investigation status within SecureWorks Taegis XDR.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| updated_after | string | optional | Timestamp filter from |
| updated_before | string | optional | Timestamp filter to |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| investigationStatusSummary | array | Status value |
| count | number | Count value |
| date | string | Date value |
| status | string | Status value |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 19:51:49 GMT",
      "Content-Type": "application/json",
      "Content-Length": "89",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Get Investigations

Fetches a list of current investigations from SecureWorks Taegis XDR for further analysis or tracking.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| cql_query | string | optional | Query used to filter alerts |
| page | number | optional | Page to retrieve |
| per_page | number | optional | How many records to retrieve per page |
| filter_text | string | optional | Text to use for free text search |
| order_by_field | string | optional | Field to order by |
| order_direction | string | optional | Direction to order |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| investigationsSearch | object | Output field investigationsSearch |
| investigations | array | Output field investigations |
| alerts | array | Output field alerts |
| file_name | string | Name of the resource |
| file | string | Output field file |
| assets | array | Output field assets |
| file_name | string | Name of the resource |
| file | string | Output field file |
| created_at | string | Output field created_at |
| events | array | Output field events |
| file_name | string | Name of the resource |
| file | string | Output field file |
| files_count | object | Count value |
| id | string | Unique identifier |
| status | string | Status value |
| tags | array | Output field tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| tenant_id | string | Unique identifier |
| updated_at | string | Output field updated_at |
| totalCount | number | Count value |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 20:19:57 GMT",
      "Content-Type": "application/json",
      "Content-Length": "522",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Content-Encoding": "gzip",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Isolate Asset

Isolates a specified asset in SecureWorks Taegis XDR using the asset's ID and a provided reason for isolation.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| asset_id | string | required | ID of the asset to isolate |
| reason | string | required | Reason for why the asset is being isolated |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| isolateAsset | object | Output field isolateAsset |
| id | string | Unique identifier |
| updatedAt | string | Output field updatedAt |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 19:05:23 GMT",
      "Content-Type": "application/json",
      "Content-Length": "113",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Resolve Alerts

Resolves specified alerts in SecureWorks Taegis XDR by their unique identifiers.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| alert_ids | array | optional | List of IDs of the alerts to be resolved |
| reason | string | optional | Response reason phrase |
| resolution_status | string | optional | Status value |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| alertsServiceUpdateResolutionInfo | object | Output field alertsServiceUpdateResolutionInfo |
| reason | string | Response reason phrase |
| resolution_status | string | Status value |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 18:52:12 GMT",
      "Content-Type": "application/json",
      "Content-Length": "127",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

### Run Generic Query

Executes a specified query within SecureWorks Taegis XDR and returns the results.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Parameter for Run Generic Query |

### Update Investigation

Updates an existing investigation in SecureWorks Taegis XDR using the specified investigation ID and details.

**Endpoint URL:** graphql
**Method:** POST

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| investigation_id | string | required | Unique identifier |
| investigation | object | required | Parameter for Update Investigation |
| tags | array | optional | Parameter for Update Investigation |
| genesis_alerts | array | optional | Parameter for Update Investigation |
| genesis_events | array | optional | Parameter for Update Investigation |
| alerts | array | optional | Parameter for Update Investigation |
| events | array | optional | Parameter for Update Investigation |
| assets | array | optional | Parameter for Update Investigation |
| auth_credentials | array | optional | Parameter for Update Investigation |
| search_queries | array | optional | Parameter for Update Investigation |
| contributors | array | optional | Parameter for Update Investigation |
| key_findings | string | optional | Parameter for Update Investigation |
| description | string | required | Parameter for Update Investigation |
| notified_at | string | optional | Parameter for Update Investigation |
| created_by | string | optional | Parameter for Update Investigation |
| status | string | optional | Status value |
| service_desk_id | string | optional | Unique identifier |
| service_desk_type | string | optional | Type of the resource |
| assignee_id | string | optional | Unique identifier |
| notes | string | optional | Parameter for Update Investigation |
| priority | number | optional | Parameter for Update Investigation |
| type | string | optional | Type of the resource |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| updateInvestigation | object | Output field updateInvestigation |
| alerts | array | Output field alerts |
| id | string | Unique identifier |
| assets | array | Output field assets |
| file_name | string | Name of the resource |
| file | string | Output field file |
| created_at | string | Output field created_at |
| events | array | Output field events |
| id | string | Unique identifier |
| files_count | object | Count value |
| id | string | Unique identifier |
| status | string | Status value |
| tags | array | Output field tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| tenant_id | string | Unique identifier |
| updated_at | string | Output field updated_at |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 01 Dec 2022 20:51:11 GMT",
      "Content-Type": "application/json",
      "Content-Length": "401",
      "Connection": "keep-alive",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, C",
      "Access-Control-Allow-Methods": "",
      "Access-Control-Allow-Origin": "api.delta.taegis.secureworks.com",
      "Access-Control-Expose-Headers": "Link",
      "Access-Control-Request-Method": "",
      "Cache-Control": "no-store",
      "Pragma": "no-cache",
      "Referrer-Policy": "same-origin",
      "Set-Cookie": "access_token=eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ikf3mhfpm2i2d1hjqjlzoex",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
    "reason": "OK",
    "json_body": { "data": {} }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Access-Control-Allow-Credentials | HTTP response header Access-Control-Allow-Credentials | true |
| Access-Control-Allow-Headers | HTTP response header Access-Control-Allow-Headers | Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, X-Tenant-Context, Content-Type, Authorization, Accept, Accept-Language, Origin, Cache-Control, X-Requested-With, Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, X-Id-Token, Access-Control-Allow-Credentials, X-GraphQL-Schema, apollographql-client-name, apollographql-client-version |
| Access-Control-Allow-Methods | HTTP response header Access-Control-Allow-Methods | |
| Access-Control-Allow-Origin | HTTP response header Access-Control-Allow-Origin | api.delta.taegis.secureworks.com |
| Access-Control-Expose-Headers | HTTP response header Access-Control-Expose-Headers | Link |
| Access-Control-Request-Method | HTTP response header Access-Control-Request-Method | |
| Cache-Control | Directives for caching mechanisms | no-store |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 401 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Dec 2022 19:05:23 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Referrer-Policy | HTTP response header Referrer-Policy | same-origin |
| Set-Cookie | HTTP response header Set-Cookie | access_token=[JWT value omitted]; path=/; expires=Thu, 01 Dec 2022 19:50:36 GMT |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Request-Id | A unique identifier for the request | Root=1-63890c10-1723f03867514b83562dac05 |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
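The Task Setup note above says every action is the same POST to the graphql endpoint with the variables of its matching query or mutation. The following is an added example, not Swimlane's or SecureWorks' code, showing that shape for the Get Alerts and Resolve Alerts actions together with the OAuth 2.0 client-credentials exchange and limit/offset paging; the token path, the `in:` argument wrapper in the GraphQL documents, and the sample alerts are assumptions and constructed data, so confirm the real schema against the Taegis API docs linked above.

```python
# Added example, not Swimlane's or SecureWorks' code: helpers for the Get Alerts and
# Resolve Alerts actions. Token path and GraphQL argument shapes are assumptions.
import base64
import json
import ssl
import urllib.parse
import urllib.request

TOKEN_PATH = "/auth/api/v2/auth/token"   # assumed; confirm in the Taegis API docs
GRAPHQL_PATH = "/graphql"                 # the "Endpoint URL: graphql" of every action

# Field names mirror the output fields listed above; the `in:` wrapper is assumed.
GET_ALERTS_QUERY = """
query GetAlerts($cql_query: String!, $limit: Int, $offset: Int) {
  alertsServiceSearch(in: {cql_query: $cql_query, limit: $limit, offset: $offset}) {
    alerts { list { id status tenant_id } total_results }
  }
}"""
RESOLVE_ALERTS_MUTATION = """
mutation ResolveAlerts($alert_ids: [String!]!, $reason: String, $resolution_status: String) {
  alertsServiceUpdateResolutionInfo(in: {alert_ids: $alert_ids, reason: $reason,
                                          resolution_status: $resolution_status}) {
    reason resolution_status
  }
}"""

def build_token_request(url, client_id, client_secret, scope=()):
    """Client-credentials grant: the secret goes in a Basic header, not the query string."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = " ".join(scope)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        url.rstrip("/") + TOKEN_PATH, data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"}, method="POST")

def build_graphql_request(url, token, query, variables=None):
    """Every action is the same POST to /graphql; only the query and variables differ."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return urllib.request.Request(
        url.rstrip("/") + GRAPHQL_PATH, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})

def post_json(request, verify_ssl=True):
    """verify_ssl=False is the connector's 'Verify SSL' switched off: no certificate check."""
    ctx = None if verify_ssl else ssl._create_unverified_context()
    with urllib.request.urlopen(request, context=ctx) as resp:
        return json.load(resp)

def collect_alerts(post, cql_query, page_size=100, max_pages=50):
    """Walk Get Alerts pages via limit/offset until total_results is reached.
    `post(query, variables)` returns the decoded body; injected so a fake transport works."""
    alerts, offset = [], 0
    for _ in range(max_pages):
        body = post(GET_ALERTS_QUERY,
                    {"cql_query": cql_query, "limit": page_size, "offset": offset})
        if body.get("errors"):  # GraphQL signals failure inside a 200 body, so check it
            raise RuntimeError(f"GraphQL errors: {body['errors']}")
        page = body["data"]["alertsServiceSearch"]["alerts"]
        alerts.extend(page["list"])
        offset += len(page["list"])
        if not page["list"] or offset >= page["total_results"]:
            break
    return alerts

def fake_post(query, variables):
    """Constructed stand-in for post_json: seven sample alerts served in limit/offset pages."""
    items = [{"id": f"alert-{i}", "status": "OPEN", "tenant_id": "t1"} for i in range(7)]
    start, stop = variables["offset"], variables["offset"] + variables["limit"]
    return {"data": {"alertsServiceSearch":
                     {"alerts": {"list": items[start:stop], "total_results": 7}}}}

if __name__ == "__main__":
    print(len(collect_alerts(fake_post, "status = 'OPEN'", page_size=3)))  # 7
```

To run against a live tenant, replace `fake_post` with `lambda q, v: post_json(build_graphql_request(url, token, q, v))` after obtaining `token` from the response to `build_token_request`.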