# Sekoia Defend (XDR)
The Sekoia Defend (XDR) connector enables automated interactions with the Sekoia Defend platform, facilitating advanced threat detection and response through Swimlane Turbine. Sekoia Defend (XDR) is a cutting-edge security platform that specializes in event search and asset management, providing a comprehensive view of an organization's security posture. This connector enables Swimlane Turbine users to automate the integration of Sekoia Defend's capabilities into their security workflows. By leveraging this connector, users can initiate event search jobs, retrieve detailed asset and community information, and manage alert workflows, enhancing their threat detection and response strategies.

The Sekoia Defend (XDR) connector is an extended detection and response platform that automates your SOC. It manages alerts produced by SIC engines.

## Prerequisites

Before integrating Sekoia Defend (XDR) with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Bearer Token authentication with the following parameters:
  - URL: endpoint URL for the Sekoia Defend (XDR) API
  - The API key: a valid API key for authenticating requests to Sekoia Defend (XDR)

## Capabilities

This connector provides the following capabilities:

- Create an Event Search Job
- Get a Community
- Get a Cyber Kill Chain Stage
- Get an Asset by UUID
- Get an Event Search Job
- Get the Events Found by an Event Search Job
- Get the Fields of the Events
- Get the Timeline of an Alert by its UUID
- List Alerts
- Search Assets
- Trigger an Action on the Alert Workflow
- Triggers a Status Update on a List of Alerts

## API Documentation Link

- https://docs.sekoia.io/xdr/develop/quickstart/
- https://docs.sekoia.io/xdr/develop/rest_api/alert/#tag/Alert

## Additional Notes

- If you are using the **Get a Cyber Kill Chain Stage** action, grant the permission listed below and follow https://docs.sekoia.io/xdr/develop/rest_api/alert/#tag/Cyber-Kill-Chain/operation/get_alert_kill_chain_resource. Required permission: "View alerts" (9ea2b8a3-593f-4bab-92f5-d0af9b563f6f).
- If you are using the **Trigger an Action on the Alert Workflow** action, grant the permission listed below and follow https://docs.sekoia.io/xdr/develop/rest_api/alert/#tag/Alert-status/operation/patch_alert_workflow_resource. Required permission: "Update alert status" (9f3df1b1-4db7-44bd-b615-af5873ad7f8a).
- If you are using the **Get the Timeline of an Alert by its UUID** action, grant the permission listed below and follow https://docs.sekoia.io/xdr/develop/rest_api/alert/#tag/Detection/operation/get_alert_timeline_resource. Required permission: "View alerts" (9ea2b8a3-593f-4bab-92f5-d0af9b563f6f).

The action UUID (also referred to as status UUID in this table) is the unique identifier (UUID) of an alert status. Available action UUIDs for status updates:

| Action | Description | Action UUID |
| --- | --- | --- |
| Pending | This alert needs to be addressed | 2efc4930-1442-4abb-acf2-58ba219a4fd0 |
| Acknowledge | Alert will be evaluated (true or false positive?) | 8f206505-af6d-433e-93f4-775d46dc7d0f |
| Ongoing | Alert might be a true positive, action must be taken | 1f2f88d5-ff5b-48bf-bbbc-00c2fff82d9f |
| Reject | It is a false positive or will not be addressed | 4f68da89-38e0-4703-a6ab-652f02bdf24e |
| Close | It was a true positive, and the alert has been addressed | 1738b1c1-767d-489e-bada-19176621a007 |

## Configurations

### Sekoia Defend (XDR) HTTP Bearer Authentication

Authenticates using a bearer token such as a JWT, etc.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | The API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Create an Event Search Job

Initiates a search job for events within Sekoia Defend (XDR) based on specified UTC time boundaries.

**Endpoint URL:** `/v1/sic/conf/events/search/jobs`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| term | string | optional | Event search term |
| term_lang | string | optional | Optional language of the event search term. If undefined and term is not a valid dork search, falls back to ES query string search mode |
| filters | array | optional | List of filters to apply |
| filters.field | string | optional | Field to filter |
| filters.value | object | optional | Value that the field should have |
| filters.operator | string | optional | Filter operator. Supported values: '=', 'startswith', 'endswith', 'contains', 'exists', '>', '>=', '<', '<=' |
| filters.excluded | boolean | optional | Should matches be excluded? |
| filters.disabled | boolean | optional | Is this filter disabled? |
| earliest_time | string | optional | Earliest time of the time range of the search |
| latest_time | string | optional | Latest time of the time range of the search |
| results_ttl | number | optional | The job time to live (allowed range is 10-86400), default is 1800 |
| view_uuid | string | optional | The identifier of the view to be used for searching events |
| visible | boolean | optional | Define if the job should be retrievable only |
| only_eternal | boolean | optional | Only search inside eternal events |
| community_uuids | array | optional | List of community UUIDs |
| max_last_events | number | optional | Maximum number of listed events |
| date_field | string | optional | Optional name of the field used for the event's date boundaries. '@timestamp' is used by default |
| storage | string | optional | Kind of storage to search. Supported values: 'hot', 'archives'. Default is 'hot' |

#### Input Example

```json
{"json_body": {"term": "term", "term_lang": "dork", "filters": [{"field": "field", "value": null, "operator": "=", "excluded": true, "disabled": true}], "earliest_time": "earliest_time", "latest_time": "latest_time", "results_ttl": 10, "view_uuid": "view_uuid", "visible": true, "only_eternal": true, "community_uuids": ["community_uuids"], "max_last_events": 0, "date_field": "@timestamp", "storage": "hot"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| status | number | Status value |
| total | number | Output field total |
| retrieved | number | Output field retrieved |
| term | string | Output field term |
| term_lang | string | Output field term_lang |
| filters | array | Output field filters |
| filters.field | string | Output field filters.field |
| filters.value | object | Value for the parameter |
| filters.operator | string | Output field filters.operator |
| filters.excluded | boolean | Output field filters.excluded |
| filters.disabled | boolean | Output field filters.disabled |
| created_by | string | Output field created_by |
| created_by_type | string | Type of the resource |
| created_at | string | Output field created_at |
| started_at | string | Output field started_at |
| canceled_by | string | Output field canceled_by |
| canceled_by_type | string | Type of the resource |
| canceled_at | string | Output field canceled_at |
| ended_at | string | Output field ended_at |
| earliest_time | string | Time value |
| latest_time | string | Time value |
| results_ttl | number | Result of the operation |

#### Output Example

```json
{"status_code": 200, "reason": "OK", "json_body": {"uuid": "ae0e6607-8c52-4243-a7a1-b3e8a10d3852", "status": 0, "total": 0, "retrieved": 0, "term": "term", "term_lang": "term_lang", "filters": [{}], "created_by": "created_by", "created_by_type": "created_by_type", "created_at": "2025-05-08T06:46:55.856Z", "started_at": "2025-05-08T06:46:55.856Z", "canceled_by": "canceled_by", "canceled_by_type": "canceled_by_type", "canceled_at": "2025-05-08T06:46:55.856Z", "ended_at": "2025-05-08T06:46:55.856Z"}}
```

### Get a Community

Retrieve detailed information about a specific community in Sekoia Defend (XDR) using the community UUID.

**Endpoint URL:** `/v1/communities/{{community_uuid}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.community_uuid | string | required | The unique identifier of the community |

#### Input Example

```json
{"path_parameters": {"community_uuid": "7ea88310-b725-4de6-9035-0f6739dfcf8a"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| licenses | array | Output field licenses |
| licenses.uuid | string | Unique identifier |
| licenses.license_type | string | Type of the resource |
| licenses.plan | object | Output field licenses.plan |
| licenses.plan.uuid | string | Unique identifier |
| licenses.plan.title | string | Output field licenses.plan.title |
| licenses.plan.required_properties | array | Output field licenses.plan.required_properties |
| licenses.plan.optional_properties | array | Output field licenses.plan.optional_properties |
| licenses.plan.limits | array | Output field licenses.plan.limits |
| licenses.plan.module | object | Output field licenses.plan.module |
| licenses.plan.module.uuid | string | Unique identifier |
| licenses.plan.module.name | string | Name of the resource |
| licenses.plan.module.description | string | Output field licenses.plan.module.description |
| licenses.properties | string | Output field licenses.properties |
| licenses.limits | string | Output field licenses.limits |
| licenses.start | string | Output field licenses.start |
| licenses.end | string | Output field licenses.end |
| licenses.duration | number | Output field licenses.duration |
| licenses.transaction_id | string | Unique identifier |
| licenses.management_community_uuid | string | Unique identifier |
| licenses.beneficiary_community_uuid | string | Unique identifier |
| licenses.created_at | string | Output field licenses.created_at |
| licenses.created_by | string | Output field licenses.created_by |

#### Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"licenses": [{}], "limits": "limits"}}
```

### Get a Cyber Kill Chain Stage

Retrieve a specific cyber kill chain stage definition from Sekoia Defend (XDR) using the provided UUID.

**Endpoint URL:** `/v1/sic/kill-chains/{{uuid}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.uuid | string | required | Unique identifier of the kill chain step |

#### Input Example

```json
{"path_parameters": {"uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| order_id | number | Unique identifier |
| uuid | string | Unique identifier |
| short_id | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |
| stix_name | string | Name of the resource |

#### Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"order_id": 0, "uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "short_id": "string", "name": "string", "description": "string", "stix_name": "string"}}
```

### Get an Asset by UUID

Retrieve detailed information for a specific asset in Sekoia Defend (XDR) using the unique UUID provided.

**Endpoint URL:** `/v2/asset-management/assets/{{uuid}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.uuid | string | required | Asset's UUID |
| parameters.with_telemetry | boolean | optional | Enrich returned assets with their telemetry statistics |
| cookies | object | optional | Parameter for Get an Asset by UUID |
| cookies.access_token_cookie | string | optional | Access token cookie |

#### Input Example

```json
{"parameters": {"with_telemetry": false}, "path_parameters": {"uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| entity_uuid | string | Unique identifier |
| community_uuid | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| category | string | Output field category |
| criticality | number | Output field criticality |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| created_by_type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| nb_events | number | Output field nb_events |
| nb_alerts | number | Output field nb_alerts |
| nb_atoms | number | Output field nb_atoms |
| atoms | object | Output field atoms |
| props | object | Output field props |
| tags | array | Output field tags |
| revoked | boolean | Output field revoked |
| revoked_at | string | Output field revoked_at |
| revoked_by | string | Output field revoked_by |
| reviewed | boolean | Output field reviewed |

#### Output Example

```json
{"status_code": 200, "response_headers": {"content-length": "140", "content-type": "application/json", "date": "Tue, 18 Mar 2025 20:37:23 GMT"}, "reason": "OK", "json_body": {"uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "entity_uuid": "ccd0bbaa-1979-4620-9054-a91c61d70e41", "community_uuid": "e391588b-4c35-45eb-a5af-211fba0cde08", "name": "string", "type": "string", "category": "string", "criticality": 0, "created_at": "2019-08-24T14:15:22Z", "created_by": "ee824cad-d7a6-4f48-87dc-e8461a9201c4", "created_by_type": "string"
```

### Get an Event Search Job

Retrieve details for a specific event search job in Sekoia Defend (XDR) by using the event search job UUID.

**Endpoint URL:** `/v1/sic/conf/events/search/jobs/{{event_search_job_uuid}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.event_search_job_uuid | string | required | UUID of the event search job. The UUID is a 36-character string consisting of hexadecimal digits and hyphens |

#### Input Example

```json
{"path_parameters": {"event_search_job_uuid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| status | number | Status value |
| total | number | Output field total |
| retrieved | number | Output field retrieved |
| term | string | Output field term |
| term_lang | string | Output field term_lang |
| filters | array | Output field filters |
| filters.field | string | Output field filters.field |
| filters.value | object | Value for the parameter |
| filters.operator | string | Output field filters.operator |
| filters.excluded | boolean | Output field filters.excluded |
| filters.disabled | boolean | Output field filters.disabled |
| created_by | string | Output field created_by |
| created_by_type | string | Type of the resource |
| created_at | string | Output field created_at |
| started_at | string | Output field started_at |
| canceled_by | string | Output field canceled_by |
| canceled_by_type | string | Type of the resource |
| canceled_at | string | Output field canceled_at |
| ended_at | string | Output field ended_at |
| earliest_time | string | Time value |
| latest_time | string | Time value |
| results_ttl | number | Result of the operation |

#### Output Example

```json
{"status_code": 200, "reason": "OK", "json_body": {"uuid": "d036c419-f1bc-4a42-9848-d411ab49ebb3", "status": 0, "total": 0, "retrieved": 0, "term": "term", "term_lang": "term_lang", "filters": [{}], "created_by": "created_by", "created_by_type": "created_by_type", "created_at": "2025-05-08T06:50:11.883Z", "started_at": "2025-05-08T06:50:11.883Z", "canceled_by": "canceled_by", "canceled_by_type": "canceled_by_type", "canceled_at": "2025-05-08T06:50:11.883Z", "ended_at": "2025-05-08T06:50:11.883Z"}}
```

### Get the Events Found by an Event Search Job

Retrieves events matched by a specific event search job using its UUID in Sekoia Defend (XDR); requires the path parameter 'event_search_job_uuid'.

**Endpoint URL:** `/v1/sic/conf/events/search/jobs/{{event_search_job_uuid}}/events`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | integer | optional | Limit a number of items (allowed range is 1-1000), default is 100 |
| parameters.offset | integer | optional | A number of items to skip, default is 0 |
| parameters.latest_time | string | optional | The latest (exclusive) time bound for the requested events, in UTC time (in seconds) |
| parameters.earliest_time | string | optional | The earliest (inclusive) time bound for the requested events, in UTC time (in seconds) |
| path_parameters.event_search_job_uuid | string | required | UUID of the event search job. The UUID is a 36-character string consisting of hexadecimal digits and hyphens |

#### Input Example

```json
{"parameters": {"limit": 100, "offset": 0, "latest_time": "2023-10-01T00:00:00Z", "earliest_time": "2023-09-01T00:00:00Z"}, "path_parameters": {"event_search_job_uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| total | number | Output field total |
| paging_token | string | Output field paging_token |

#### Output Example

```json
{"status_code": 200, "reason": "OK", "json_body": {"items": [{}], "total": 0, "paging_token": "paging_token"}}
```

### Get the Fields of the Events

Retrieve event field details from Sekoia Defend (XDR) using a specific event search job UUID; an HTTP 410 error indicates an expired job.

**Endpoint URL:** `/v1/sic/conf/events/search/jobs/{{event_search_job_uuid}}/fields`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Limit a number of items (allowed range is 1-1000), default is 100 |
| parameters.offset | number | optional | A number of items to skip, default is 0 |
| path_parameters.event_search_job_uuid | string | required | UUID of the event search job. The UUID is a 36-character string consisting of hexadecimal digits and hyphens |

#### Input Example

```json
{"parameters": {"limit": 100, "offset": 0}, "path_parameters": {"event_search_job_uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.name | string | Name of the resource |
| items.display_name | string | Name of the resource |
| items.description | string | Output field items.description |
| items.value_type | string | Type of the resource |
| items.most_common_values | array | Value for the parameter |
| items.most_common_values.name | string | Name of the resource |
| items.most_common_values.value | number | Value for the parameter |
| total | number | Output field total |
| retrieved | number | Output field retrieved |

#### Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"items": [{}], "total": 0, "retrieved": 0}}
```

### Get the Timeline of an Alert by its UUID

Retrieve a detailed timeline of a specific alert in Sekoia Defend (XDR) by using the alert's unique identifier (UUID).

**Endpoint URL:** `/v1/sic/alerts/{{alert_uuid}}/timeline`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.alert_uuid | string | required | The alert's UUID |
| parameters.type | string | optional | Type of timeline (supported values are '24h', '14d') |
| parameters.frame_length | number | optional | Size in observed data of the requested frame |

#### Input Example

```json
{"parameters": {"type": "24h", "frame_length": 2}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| timeline | array | Output field timeline |
| timeline.start | string | Output field timeline.start |
| timeline.end | string | Output field timeline.end |
| timeline.value | number | Value for the parameter |
| frame | object | Output field frame |
| frame.start | string | Output field frame.start |
| frame.end | string | Output field frame.end |

#### Output Example

```json
{"status_code": 200, "response_headers": {"content-type": "application/json", "vary": "Accept-Encoding", "access-control-allow-origin": "*", "x-sekoia-traceid": "c4e688b3ce225feb3c160449ddba33aa", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-encoding": "gzip", "content-length": "263", "expires": "Tue, 18 Mar 2025 09:58:05 GMT", "cache-control": "max-age=0, no-cache, no-store", "pragma": "no-cache", "date": "Tue, 1
```

### List Alerts

Retrieve a paginated list of alerts from Sekoia Defend (XDR), with optional filters for targeting specific incidents.

**Endpoint URL:** `/v1/sic/alerts`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.match[community_uuid] | string | optional | Match alerts by their community UUIDs |
| parameters.match[entity_name] | string | optional | Match alerts by their entity names (separated by commas) |
| parameters.match[entity_uuid] | string | optional | Match alerts by their entity UUIDs (separated by commas) |
| parameters.match[status_uuid] | string | optional | Match alerts by their status UUIDs (separated by commas) |
| parameters.match[status_name] | string | optional | Match alerts by their status names (separated by commas) |
| parameters.match[type_category] | string | optional | Match alerts by their type categories (separated by commas) |
| parameters.match[type_value] | string | optional | Match alerts by their type values (separated by commas) |
| parameters.match[source] | string | optional | Match alerts by their sources (separated by commas) |
| parameters.match[target] | string | optional | Match alerts by their targets (separated by commas) |
| parameters.match[node] | string | optional | Match alerts either by their sources or their targets (separated by commas) |
| parameters.match[stix_object] | string | optional | Match alerts that contain the requested STIX object IDs |
| parameters.match[rule_uuid] | string | optional | Match alerts by their rule UUIDs (separated by commas) |
| parameters.match[rule_name] | string | optional | Match alerts by their rule names (separated by commas) |
| parameters.match[short_id] | string | optional | Match alerts by their short IDs (separated by commas) |
| parameters.match[uuid] | string | optional | Match alerts by their UUIDs (separated by commas) |
| parameters.match[title] | string | optional | Match alerts by their titles (separated by commas) |
| parameters.match[asset_uuid] | string | optional | Match alerts for specific assets (separated by commas) |
| parameters.match[urgency_display] | string | optional | Match alerts for a specific urgency display (separated by commas) |
| parameters.date[created_at] | string | optional | Filter alerts by their creation dates |
| parameters.date[updated_at] | string | optional | Filter alerts by their update dates |
| parameters.range[urgency] | string | optional | Filter alerts by their urgencies |
| parameters.range[similar] | string | optional | Filter alerts by their number of similar occurrences |
| parameters.visible | boolean | optional | Filter alerts according to their visibility |
| parameters.similar_to | string | optional | Filter alerts similar to the provided alert short ID |
| parameters.nomatch[asset_uuid] | string | optional | Exclude alerts for specific assets (separated by commas) |

#### Input Example

```json
{"parameters": {"match[community_uuid]": "e391588b-4c35-45eb-a5af-211fba0cde08", "match[entity_name]": "entity_names", "match[entity_uuid]": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "match[status_uuid]": "e392588b-4c35-45eb-a5af-211fba0cde09", "match[status_name]": "status_name", "match[type_category]": "type_categories", "match[type_value]": "type_values", "match[source]": "sources", "match[target]": "targets", "match[node]": "string", "match[stix_object]": "stix_objects_ids", "match[rule_uuid]": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "match[rule_name]": "rule_names", "match[short_id]": "short_id", "match[uuid]": "085be615-a8ad-4c34-8e9c-c7612fbf6c8f", "match[title]": "title", "match[asset_uuid]": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "match[urgency_display]": "urgency_display", "date[created_at]": "null", "date[updated_at]": "null", "range[urgency]": "null", "range[similar]": "null", "visible": true, "similar_to": "null", "nomatch[asset_uuid]": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "nomatch[entity_uuid]": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "nomatch[rule_uuid]": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "nomatch[rule_name]": "rule_names", "nomatch[source]": "sources", "nomatch[target]": "targets", "nomatch[status_uuid]": "e392588b-4c35-45eb-a5af-211fba0cde09", "nomatch[stix_object]": "stix_objects_ids", "nomatch[type_value]": "type_values", "nomatch[urgency_display]": "urgency_display", "limit": 20, "offset": 0, "stix": false, "sort": "created_at", "direction": "asc", "with_count": true}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.uuid | string | Unique identifier |
| items.title | string | Output field items.title |
| items.created_at | number | Output field items.created_at |
| items.created_by | string | Output field items.created_by |
| items.created_by_type | string | Type of the resource |
| items.updated_at | number | Output field items.updated_at |
| items.updated_by | string | Output field items.updated_by |
| items.updated_by_type | string | Type of the resource |
| items.community_uuid | string | Unique identifier |
| items.short_id | string | Unique identifier |
| items.entity | object | Output field items.entity |
| items.entity.uuid | string | Unique identifier |
| items.entity.name | string | Name of the resource |
| items.urgency | object | Output field items.urgency |
| items.urgency.current_value | number | Value for the parameter |
| items.urgency.value | number | Value for the parameter |
| items.urgency.severity | number | Output field items.urgency.severity |
| items.urgency.criticity | number | Output field items.urgency.criticity |
| items.urgency.display | string | Output field items.urgency.display |
| items.alert_type | object | Type of the resource |
| items.alert_type.value | string | Type of the resource |
| items.alert_type.category | string | Type of the resource |

#### Output Example

```json
{"status_code": 200, "response_headers": {"content-length": "140", "content-type": "application/json", "date": "Mon, 11 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"items": [{}], "total": 0, "has_more": true}}
```

### Search Assets

Retrieve a paginated, sortable, and filterable list of assets from Sekoia Defend (XDR).

**Endpoint URL:** `/v2/asset-management/assets`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Limit a number of items (allowed range is 1-100), default is 20 |
| parameters.offset | number | optional | A number of items to skip, default is 0. Values must be greater than or equal to 0 |
| parameters.search | string | optional | Search assets by name |
| parameters.also_search_in_detection_properties | boolean | optional | Search by attached detection property too |
| parameters.also_search_in_tags | boolean | optional | Search by asset tags too |
| parameters.uuids | string | optional | Filter by comma-separated list of asset UUIDs |
| parameters.community_uuids | string | optional | Filter by comma-separated list of community UUIDs |
| parameters.type | string | optional | Filter by comma-separated list of asset types |
| parameters.category | string | optional | Filter by comma-separated list of asset categories |
| parameters.source | string | optional | Filter by comma-separated list of asset sources |
| parameters.tags | string | optional | Filter by comma-separated list of tags |
| parameters.reviewed | boolean | optional | Filter reviewed assets only |
| parameters.criticality | number | optional | Filter assets with higher criticality |
| parameters.sort | string | optional | Sort criterion |
| parameters.direction | string | optional | Sort order |
| parameters.with_telemetry | boolean | optional | Enrich returned assets with their telemetry statistics |
| parameters.incorporate_atoms | boolean | optional | Enrich returned assets with their detection properties |
| parameters.include_revoked | boolean | optional | Include revoked assets in the search results |
| parameters.rule_uuid | string | optional | Filter by comma-separated list of asset discovery rule UUIDs |
| parameters.rule_version | string | optional | Filter by comma-separated list of asset discovery rule versions |
| parameters.format | string | optional | Format: return assets using the legacy assets API v1.0 format |
| cookies | object | optional | Parameter for Search Assets |
| cookies.access_token_cookie | string | optional | Access token cookie |

#### Input Example

```json
{"parameters": {"limit": 20, "offset": 0, "search": "", "also_search_in_detection_properties": false, "also_search_in_tags": false, "uuids": "", "community_uuids": "", "type": "", "category": "", "source": "", "tags": "", "reviewed": true, "criticality": 1, "sort": "name", "direction": "desc", "with_telemetry": false, "incorporate_atoms": false, "include_revoked": false, "rule_uuid": "32fa9e3e-fc95-4447-9cd6-8b81210a70f6", "rule_version": "", "format": ""}, "cookies": {"access_token_cookie": ""}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| items | array | Output field items |
| items.uuid | string | Unique identifier |
| items.entity_uuid | string | Unique identifier |
| items.community_uuid | string | Unique identifier |
| items.name | string | Name of the resource |
| items.type | string | Type of the resource |
| items.category | string | Output field items.category |
| items.criticality | number | Output field items.criticality |
| items.created_at | string | Output field items.created_at |
| items.created_by | string | Output field items.created_by |
| items.created_by_type | string | Type of the resource |
| items.updated_at | string | Output field items.updated_at |
| items.first_seen | string | Output field items.first_seen |
| items.last_seen | string | Output field items.last_seen |
| items.nb_events | number | Output field items.nb_events |
| items.nb_alerts | number | Output field items.nb_alerts |
| items.nb_atoms | number | Output field items.nb_atoms |
| items.atoms | object | Output field items.atoms |
| items.props | object | Output field items.props |
| items.tags | array | Output field items.tags |
| items.revoked | boolean | Output field items.revoked |
| items.revoked_at | string | Output field items.revoked_at |

#### Output Example

```json
{"status_code": 200, "response_headers": {"content-length": "140", "content-type": "application/json", "date": "Tue, 18 Mar 2025 20:37:23 GMT"}, "reason": "OK", "json_body": {"total": 0, "items": [{}]}}
```

### Trigger an Action on the Alert Workflow

Executes a specified action on an alert in Sekoia Defend (XDR) using the alert's UUID to update its workflow status.

**Endpoint URL:** `/v1/sic/alerts/{{uuid}}/workflow`

**Method:** PATCH

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.uuid | string | required | The alert's UUID |
| action_uuid | string | optional | UUID of the action to trigger, or the status to set. For more details see the README |
| comment | string | optional | A comment to describe why the alert status has changed |

#### Input Example

```json
{"path_parameters": {"uuid": "9f3df1b1-4db7-44bd-b615-af5873ad7f8a"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| actions | array | Output field actions |
| actions.id | string | Unique identifier |
| actions.name | string | Name of the resource |
| actions.description | string | Output field actions.description |

#### Output Example

```json
{"status_code": 200, "response_headers": {"content-type": "application/json", "content-length": "3", "access-control-allow-origin": "*", "x-sekoia-traceid": "75a030b6ae2104d007ef0aab26e974ef", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "expires": "Tue, 18 Mar 2025 10:25:39 GMT", "cache-control": "max-age=0, no-cache, no-store", "pragma": "no-cache", "date": "Tue, 18 Mar 2025 10:25:39 GMT", "connection": "keep-alive"}, "
```

### Triggers a Status Update on a List of Alerts

Updates the status of selected Sekoia Defend (XDR) alerts using specific alert and action identifiers.

**Endpoint URL:** `/v1/sic/alerts/bulk/workflow`

**Method:** PATCH

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.match[uuid] | string | required | Match alerts by their identifier (UUID or short ID; separated by commas) |
| parameters.action_uuid | string | required | UUID of the action to trigger, or the status to set |
| parameters.comment | string | optional | A comment to describe why the alert status has changed |

#### Input Example

```json
{"parameters": {"match[uuid]": "9f3df1b1-4db7-44bd-b615-af5873ad7f8a", "action_uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "comment": "comment"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 204, "response_headers": {"content-length": "140", "content-type": "application/json", "date": "Mon, 11 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Access-Control-Allow-Origin | HTTP response header Access-Control-Allow-Origin | |
| Cache-Control | Directives for caching mechanisms | max-age=0, no-cache, no-store |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 263 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 18 Mar 2025 09:58:05 GMT |
| Expires | The date/time after which the response is considered stale | Tue, 18 Mar 2025 10:25:39 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
| Vary | HTTP response header Vary | Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-Sekoia-TraceId | HTTP response header X-Sekoia-TraceId | c4e688b3ce225feb3c160449ddba33aa |
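The configuration section above lists four parameters (url, token, verify_ssl, http_proxy) for the HTTP Bearer authentication. The following Python is an added example, not Swimlane's or Sekoia's code, showing how those parameters map onto a standard-library HTTP client: the Authorization header, a TLS context that verifies by default and only stops verifying when verify_ssl is explicitly false, an optional proxy handler, and a refusal of plain http:// base URLs so the API key is never sent in clear. The urllib wiring and the https-only check are this example's own choices.

```python
"""Wire the connector's configuration parameters into an HTTP client.

Added example, not Swimlane's or Sekoia's code. Parameter names (url, token,
verify_ssl, http_proxy) are the ones documented for the connector; the urllib
plumbing and the https-only rule are assumptions of this example.
"""
import ssl
import urllib.request
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


def auth_headers(token: str) -> Dict[str, str]:
    """Headers for HTTP Bearer authentication with the API key."""
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("token must be a non-empty string without whitespace")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def tls_context(verify_ssl: bool = True) -> ssl.SSLContext:
    """Server-certificate verification stays on unless verify_ssl is False.

    Turning it off disables both hostname and chain checks, so the bearer token
    could be read by anyone able to intercept the connection; reserve it for labs.
    """
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_certificates(ctx: ssl.SSLContext) -> bool:
    """True when the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def build_opener(url: str, token: str, verify_ssl: bool = True,
                 http_proxy: Optional[str] = None) -> Tuple[urllib.request.OpenerDirector, str]:
    """Return (opener, base_url) for the target host; plain http:// is rejected."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("url must be an https:// URL to the target host")
    handlers = [urllib.request.HTTPSHandler(context=tls_context(verify_ssl))]
    if http_proxy:
        handlers.append(urllib.request.ProxyHandler({"https": http_proxy, "http": http_proxy}))
    opener = urllib.request.build_opener(*handlers)
    opener.addheaders = list(auth_headers(token).items())
    return opener, url.rstrip("/")


def request_for(base_url: str, token: str, path: str, method: str = "GET") -> urllib.request.Request:
    """Prepared request for a connector endpoint path such as '/v1/sic/alerts'."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute, e.g. '/v1/sic/alerts'")
    return urllib.request.Request(base_url + path, headers=auth_headers(token), method=method)


if __name__ == "__main__":
    opener, base = build_opener("https://api.example.invalid", "PLACEHOLDER_TOKEN")  # constructed
    print(request_for(base, "PLACEHOLDER_TOKEN", "/v1/sic/alerts").full_url)
```

Sending a request is then `opener.open(request_for(base, token, "/v1/sic/alerts"))`; the opener carries the TLS context and proxy, the request carries the Authorization header, and a mistyped `http://` URL fails before any token leaves the host.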
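The four event-search actions above (Create an Event Search Job, Get an Event Search Job, Get the Events Found by an Event Search Job, Get the Fields of the Events) are steps of one procedure: create the job, poll it until it finishes, then page through its results before the results_ttl expires. The Python below is an added example, not Swimlane's or Sekoia's code, that runs the whole procedure offline against an in-memory stand-in for the API. The endpoint paths, parameter names, the 1-1000 limit range, the 10-86400 results_ttl range and the meaning of HTTP 410 come from this page; the fake transport, the use of ended_at as the completion marker and the sample events are this example's own assumptions.

```python
"""Event-search flow: create a job, wait for it, page through its events.

Added example, not Swimlane's or Sekoia's code. Paths, parameter names and the
documented ranges are from the connector documentation; the in-memory transport,
the ended_at completion check and the sample events are assumptions.
"""
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

SUPPORTED_OPERATORS = {"=", "startswith", "endswith", "contains", "exists", ">", ">=", "<", "<="}
TTL_RANGE = (10, 86400)         # results_ttl (documented default 1800)
EVENTS_LIMIT_RANGE = (1, 1000)  # limit on /events (documented default 100)
Send = Callable[[str, str, Optional[Dict[str, Any]], Optional[Dict[str, Any]]], Tuple[int, Any]]


def build_search_job(term: str, earliest_time: str, latest_time: str,
                     filters: Optional[List[Dict[str, Any]]] = None,
                     results_ttl: int = 1800, storage: str = "hot") -> Dict[str, Any]:
    """Check the documented ranges client-side, then build the POST body."""
    if not TTL_RANGE[0] <= results_ttl <= TTL_RANGE[1]:
        raise ValueError(f"results_ttl must be within {TTL_RANGE}")
    if storage not in ("hot", "archives"):
        raise ValueError("storage must be 'hot' or 'archives'")
    for flt in filters or []:
        if flt.get("operator", "=") not in SUPPORTED_OPERATORS:
            raise ValueError(f"unsupported filter operator {flt.get('operator')!r}")
    return {"term": term, "term_lang": "dork", "earliest_time": earliest_time,
            "latest_time": latest_time, "filters": list(filters or []),
            "results_ttl": results_ttl, "storage": storage}


class ExpiredSearchJob(Exception):
    """results_ttl elapsed: the API answers HTTP 410 on /events and /fields."""


class SekoiaSearch:
    """send(method, path, query_params, json_body) -> (status_code, json_body)."""
    JOBS = "/v1/sic/conf/events/search/jobs"

    def __init__(self, send: Send) -> None:
        self.send = send

    def create_job(self, body: Dict[str, Any]) -> str:
        status, data = self.send("POST", self.JOBS, None, body)
        if status != 200:
            raise RuntimeError(f"create job failed: HTTP {status}")
        return data["uuid"]

    def wait_for_job(self, job_uuid: str, max_polls: int = 20) -> Dict[str, Any]:
        """Poll GET /jobs/{uuid} until ended_at is set (assumed completion marker)."""
        for _ in range(max_polls):
            status, data = self.send("GET", f"{self.JOBS}/{job_uuid}", None, None)
            if status == 410:
                raise ExpiredSearchJob(job_uuid)
            if status == 200 and data.get("ended_at"):
                return data
        raise TimeoutError(f"job {job_uuid} still running after {max_polls} polls")

    def iter_events(self, job_uuid: str, limit: int = 100) -> Iterator[Dict[str, Any]]:
        """Page through /events with limit/offset; stop at total or an empty page."""
        if not EVENTS_LIMIT_RANGE[0] <= limit <= EVENTS_LIMIT_RANGE[1]:
            raise ValueError(f"limit must be within {EVENTS_LIMIT_RANGE}")
        offset = 0
        while True:
            status, data = self.send("GET", f"{self.JOBS}/{job_uuid}/events",
                                     {"limit": limit, "offset": offset}, None)
            if status == 410:
                raise ExpiredSearchJob(job_uuid)
            if status != 200:
                raise RuntimeError(f"events fetch failed: HTTP {status}")
            items = data["items"]
            yield from items
            offset += len(items)
            if not items or offset >= data["total"]:
                return


def make_fake_transport(events: List[Dict[str, Any]], expire_after_calls: int) -> Send:
    """Constructed stand-in for the API: one job that finishes on the second poll
    and answers 410 to everything once expire_after_calls requests have been made."""
    job_uuid = "00000000-0000-4000-8000-000000000001"  # constructed placeholder
    state = {"calls": 0, "polls": 0}

    def send(method, path, params, json):
        state["calls"] += 1
        if method == "POST" and path == SekoiaSearch.JOBS:
            return 200, {"uuid": job_uuid, "status": 0, "ended_at": None}
        if state["calls"] > expire_after_calls:
            return 410, {"detail": "job expired"}
        if path == f"{SekoiaSearch.JOBS}/{job_uuid}":
            state["polls"] += 1
            ended = "2025-05-08T06:46:55.856Z" if state["polls"] >= 2 else None
            return 200, {"uuid": job_uuid, "status": 0, "total": len(events), "ended_at": ended}
        if path.endswith("/events"):
            lo, hi = params["offset"], params["offset"] + params["limit"]
            return 200, {"items": events[lo:hi], "total": len(events)}
        return 404, {}
    return send


def run_search(total_events: int = 250, expire_after_calls: int = 100) -> int:
    """Create, wait, page; returns how many events were collected."""
    sample = [{"@timestamp": f"2025-05-08T06:46:{i % 60:02d}Z", "seq": i}  # constructed
              for i in range(total_events)]
    api = SekoiaSearch(make_fake_transport(sample, expire_after_calls))
    job = api.create_job(build_search_job(
        "destination.port:445", "2025-05-08T00:00:00Z", "2025-05-09T00:00:00Z",
        filters=[{"field": "source.ip", "value": "10.0.0.1", "operator": "="}]))
    api.wait_for_job(job)
    return sum(1 for _ in api.iter_events(job, limit=100))
```

With 250 sample events and a page size of 100 the flow makes six requests (one create, two polls, three pages). Lowering expire_after_calls so the job expires mid-pagination raises ExpiredSearchJob from the 410, which is the signal a playbook should treat as "re-create the job" rather than as an empty result; in production the stand-in transport is replaced by a real HTTP session carrying the connector's bearer token.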
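The List Alerts action, the single-alert workflow PATCH and the bulk status update together describe the triage loop: query alerts with match[...]/nomatch[...] filters, then move a chosen set to a new status using one of the action UUIDs from the table in Additional Notes. The Python below is an added example, not Swimlane's or Sekoia's code, that builds those requests and resolves status names to the tabulated UUIDs so a typo cannot silently send an unknown action_uuid. The action names and UUIDs, the match[uuid] / match[status_name] / nomatch[asset_uuid] keys and the comma separation come from this page; the sample alert listing and the urgency display values in it are constructed.

```python
"""Alert-workflow helpers for the List Alerts and alert workflow endpoints.

Added example, not Swimlane's or Sekoia's code. Action names and UUIDs are the
ones tabulated in the connector documentation; the sample listing is constructed.
"""
from typing import Any, Dict, Iterable, Optional

# Action (status) UUIDs from the documentation table.
ALERT_ACTIONS: Dict[str, str] = {
    "pending": "2efc4930-1442-4abb-acf2-58ba219a4fd0",
    "acknowledge": "8f206505-af6d-433e-93f4-775d46dc7d0f",
    "ongoing": "1f2f88d5-ff5b-48bf-bbbc-00c2fff82d9f",
    "reject": "4f68da89-38e0-4703-a6ab-652f02bdf24e",
    "close": "1738b1c1-767d-489e-bada-19176621a007",
}
ACTION_NAMES = {uuid: name for name, uuid in ALERT_ACTIONS.items()}


def resolve_action(action: str) -> str:
    """Accept a status name or one of its UUIDs; reject anything else."""
    key = action.strip().lower()
    if key in ALERT_ACTIONS:
        return ALERT_ACTIONS[key]
    if key in ACTION_NAMES:
        return key
    raise ValueError(f"unknown alert action {action!r}; expected one of {sorted(ALERT_ACTIONS)}")


def _csv(values: Iterable[str]) -> str:
    """Comma-join list parameters; a comma inside a value would silently split it."""
    items = [v.strip() for v in values if v and v.strip()]
    if any("," in v for v in items):
        raise ValueError("list values must not contain commas")
    return ",".join(items)


def build_list_alerts_params(community_uuids: Iterable[str] = (), status_names: Iterable[str] = (),
                             rule_names: Iterable[str] = (), exclude_asset_uuids: Iterable[str] = (),
                             limit: int = 20, offset: int = 0, sort: str = "created_at",
                             direction: str = "desc") -> Dict[str, Any]:
    """Query parameters for GET /v1/sic/alerts; only non-empty filters are emitted."""
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset >= 0")
    if direction not in ("asc", "desc"):
        raise ValueError("direction must be 'asc' or 'desc'")
    params: Dict[str, Any] = {"limit": limit, "offset": offset, "sort": sort, "direction": direction}
    for key, values in (("match[community_uuid]", community_uuids), ("match[status_name]", status_names),
                        ("match[rule_name]", rule_names), ("nomatch[asset_uuid]", exclude_asset_uuids)):
        joined = _csv(values)
        if joined:
            params[key] = joined
    return params


def build_workflow_patch(action: str, comment: Optional[str] = None) -> Dict[str, str]:
    """JSON body for PATCH /v1/sic/alerts/{uuid}/workflow."""
    body = {"action_uuid": resolve_action(action)}
    if comment:
        body["comment"] = comment
    return body


def build_bulk_workflow_params(alert_ids: Iterable[str], action: str,
                               comment: Optional[str] = None) -> Dict[str, str]:
    """Query parameters for PATCH /v1/sic/alerts/bulk/workflow (UUIDs or short IDs)."""
    ids = _csv(alert_ids)
    if not ids:
        raise ValueError("at least one alert identifier is required")
    params = {"match[uuid]": ids, "action_uuid": resolve_action(action)}
    if comment:
        params["comment"] = comment
    return params


# Constructed List Alerts page shaped like the documented output fields.
SAMPLE_LISTING: Dict[str, Any] = {
    "items": [
        {"uuid": "11111111-1111-4111-8111-111111111111", "short_id": "ALSAMPLE1", "title": "sample one",
         "urgency": {"display": "High", "current_value": 80}, "alert_type": {"category": "c", "value": "v"}},
        {"uuid": "22222222-2222-4222-8222-222222222222", "short_id": "ALSAMPLE2", "title": "sample two",
         "urgency": {"display": "Low", "current_value": 10}, "alert_type": {"category": "c", "value": "v"}},
        {"uuid": "33333333-3333-4333-8333-333333333333", "short_id": "ALSAMPLE3", "title": "sample three",
         "urgency": {"display": "High", "current_value": 75}, "alert_type": {"category": "c", "value": "v"}},
    ],
    "total": 3, "has_more": False,
}


def plan_bulk_update(listing: Dict[str, Any], urgency_displays: Iterable[str], action: str,
                     comment: Optional[str] = None) -> Optional[Dict[str, str]]:
    """Select alerts whose urgency.display is wanted and build one bulk call for them."""
    wanted = set(urgency_displays)
    chosen = [a["uuid"] for a in listing["items"] if a["urgency"]["display"] in wanted]
    return build_bulk_workflow_params(chosen, action, comment) if chosen else None
```

The comment field is worth populating on every status change: it is the only place in the workflow call to record why an analyst or playbook moved the alert, which is what an audit of automated triage will later ask for.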