Sekoia Defend (XDR)
## Description

The Sekoia Defend (XDR) connector enables automated interactions with the Sekoia Defend platform, facilitating advanced threat detection and response through Swimlane Turbine. Sekoia Defend (XDR) is a cutting-edge security platform that specializes in event search and asset management, providing a comprehensive view of an organization's security posture. This connector enables Swimlane Turbine users to automate the integration of Sekoia Defend's capabilities into their security workflows. By leveraging this connector, users can initiate event search jobs, retrieve detailed asset and community information, and manage alert workflows, enhancing their threat detection and response strategies.

Sekoia Defend (XDR) is an extended detection and response platform that automates your SOC. It manages alerts produced by SIC engines.

## Prerequisites

Before integrating Sekoia Defend (XDR) with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Bearer Token authentication with the following parameters:
  - URL: endpoint URL for the Sekoia Defend (XDR) API
  - The API key: a valid API key for authenticating requests to Sekoia Defend (XDR)

## Capabilities

This connector provides the following capabilities:

- Create an event search job
- Get a community
- Get a cyber kill chain stage
- Get an asset by UUID
- Get an event search job
- Get the events found by an event search job
- Get the fields of the events
- Get the timeline of an alert by its UUID
- List alerts
- Search assets
- Trigger an action on the alert workflow
- Triggers a status update on a list of alerts

## API Documentation Link

- API authentication documentation link: https://docs.sekoia.io/xdr/develop/quickstart/
- Sekoia Defend (XDR) API documentation link: https://docs.sekoia.io/xdr/develop/rest_api/alert/#tag/alert

## Additional Notes

- If you are using the **Get a cyber kill chain stage** action, please grant the following permission and follow this action's API documentation link: https://docs.sekoia.io/xdr/develop/rest_api/alert/#tag/cyber-kill-chain/operation/get-alert-kill-chain-resource
  - Permission: "View alerts" (9ea2b8a3-593f-4bab-92f5-d0af9b563f6f)
- If you are using the **Trigger an action on the alert workflow** action, please grant the following permission and follow this action's API documentation link: https://docs.sekoia.io/xdr/develop/rest_api/alert/#tag/alert-status/operation/patch-alert-workflow-resource
  - Permission: "Update alert status" (9f3df1b1-4db7-44bd-b615-af5873ad7f8a)
- If you are using the **Get the timeline of an alert by its UUID** action, please grant the following permission and follow this action's API documentation link: https://docs.sekoia.io/xdr/develop/rest_api/alert/#tag/detection/operation/get-alert-timeline-resource
  - Permission: "View alerts" (9ea2b8a3-593f-4bab-92f5-d0af9b563f6f)

The action UUID (also referred to as the status UUID in the table below) is the unique identifier (UUID) of each alert status.

### Available action UUIDs for status updates

| Action | Description | Action UUID |
|---|---|---|
| Pending | This alert needs to be addressed | 2efc4930-1442-4abb-acf2-58ba219a4fd0 |
| Acknowledge | Alert will be evaluated (true or false positive?) | 8f206505-af6d-433e-93f4-775d46dc7d0f |
| Ongoing | Alert might be a true positive, action must be taken | 1f2f88d5-ff5b-48bf-bbbc-00c2fff82d9f |
| Reject | It is a false positive or will not be addressed | 4f68da89-38e0-4703-a6ab-652f02bdf24e |
| Close | It was a true positive, and the alert has been addressed | 1738b1c1-767d-489e-bada-19176621a007 |

## Configurations

### Sekoia Defend (XDR) HTTP Bearer Authentication

Authenticates using a bearer token such as a JWT, etc.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token | The API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Create an event search job

Initiates a search job for events within Sekoia Defend (XDR) based on specified UTC time boundaries.

- Endpoint URL: `/v1/sic/conf/events/search/jobs`
- Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| term | string | optional | Event search term |
| term_lang | string | optional | Optional language of the event search term. If undefined and `term` is not a valid dork search, falls back to ES query string search mode |
| filters | array | optional | List of filters to apply |
| field | string | optional | Field to filter |
| value | object | optional | Value that the field should have |
| operator | string | optional | Filter operator. Supported values: '=', 'startswith', 'endswith', 'contains', 'exists', '>', '>=', '<', '<=' |
| excluded | boolean | optional | Should matches be excluded? |
| disabled | boolean | optional | Is this filter disabled? |
| earliest_time | string | optional | Earliest time of the time range of the search |
| latest_time | string | optional | Latest time of the time range of the search |
| results_ttl | number | optional | The job time to live (allowed range is 10-86400), default is 1800 |
| view_uuid | string | optional | The identifier of the view to be used for searching events |
| visible | boolean | optional | Define whether the job should be retrievable only |
| eternal | boolean | optional | Only search inside eternal events |
| community_uuids | array | optional | List of community UUIDs |
| max_last_events | number | optional | Maximum number of listed events |
| date_field | string | optional | Optional name of the field used for the event's date boundaries. '@timestamp' is used by default |
| storage | string | optional | Kind of storage to search. Supported values: 'hot', 'archives'. Default is 'hot' |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| status | number | Status value |
| total | number | Output field total |
| retrieved | number | Output field retrieved |
| term | string | Output field term |
| term_lang | string | Output field term_lang |
| filters | array | Output field filters |
| field | string | Output field field |
| value | object | Value for the parameter |
| operator | string | Output field operator |
| excluded | boolean | Output field excluded |
| disabled | boolean | Output field disabled |
| created_by | string | Output field created_by |
| created_by_type | string | Type of the resource |
| created_at | string | Output field created_at |
| started_at | string | Output field started_at |
| canceled_by | string | Output field canceled_by |
| canceled_by_type | string | Type of the resource |
| canceled_at | string | Output field canceled_at |
| ended_at | string | Output field ended_at |
| earliest_time | string | Time value |
| latest_time | string | Time value |
| results_ttl | number | Result of the operation |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "uuid": "ae0e6607-8c52-4243-a7a1-b3e8a10d3852",
      "status": 0,
      "total": 0,
      "retrieved": 0,
      "term": "term",
      "term_lang": "term_lang",
      "filters": [],
      "created_by": "created_by",
      "created_by_type": "created_by_type",
      "created_at": "2025-05-08T06:46:55.856Z",
      "started_at": "2025-05-08T06:46:55.856Z",
      "canceled_by": "canceled_by",
      "canceled_by_type": "canceled_by_type",
      "canceled_at": "2025-05-08T06:46:55.856Z",
      "ended_at": "2025-05-08T06:46:55.856Z"
    }
  }
]
```

### Get a community

Retrieve detailed information about a specific community in Sekoia Defend (XDR) using the community UUID.

- Endpoint URL: `/v1/communities/{{community_uuid}}`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| community_uuid | string | required | The unique identifier of the community |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| licenses | array | Output field licenses |
| uuid | string | Unique identifier |
| license_type | string | Type of the resource |
| plan | object | Output field plan |
| uuid | string | Unique identifier |
| title | string | Output field title |
| required_properties | array | Output field required_properties |
| optional_properties | array | Output field optional_properties |
| limits | array | Output field limits |
| module | object | Output field module |
| uuid | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |
| properties | string | Output field properties |
| limits | string | Output field limits |
| start | string | Output field start |
| end | string | Output field end |
| duration | number | Output field duration |
| transaction_id | string | Unique identifier |
| management_community_uuid | string | Unique identifier |
| beneficiary_community_uuid | string | Unique identifier |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "licenses": [],
      "limits": "limits"
    }
  }
]
```

### Get a cyber kill chain stage

Retrieve a specific cyber kill chain stage definition from Sekoia Defend (XDR) using the provided UUID.

- Endpoint URL: `/v1/sic/kill-chains/{{uuid}}`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| uuid | string | required | Unique identifier of the kill chain step |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| order_id | number | Unique identifier |
| uuid | string | Unique identifier |
| short_id | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |
| stix_name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "order_id": 0,
      "uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f",
      "short_id": "string",
      "name": "string",
      "description": "string",
      "stix_name": "string"
    }
  }
]
```

### Get an asset by UUID

Retrieve detailed information for a specific asset in Sekoia Defend (XDR) using the unique UUID provided.

- Endpoint URL: `/v2/asset-management/assets/{{uuid}}`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| uuid | string | required | Asset's UUID |
| with_telemetry | boolean | optional | Enrich returned assets with their telemetry statistics |
| cookies | object | optional | Parameter for Get an asset by UUID |
| access_token_cookie | string | optional | Access token cookie |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| entity_uuid | string | Unique identifier |
| community_uuid | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| category | string | Output field category |
| criticality | number | Output field criticality |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| created_by_type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| nb_events | number | Output field nb_events |
| nb_alerts | number | Output field nb_alerts |
| nb_atoms | number | Output field nb_atoms |
| atoms | object | Output field atoms |
| props | object | Output field props |
| tags | array | Output field tags |
| revoked | boolean | Output field revoked |
| revoked_at | string | Output field revoked_at |
| revoked_by | string | Output field revoked_by |
| reviewed | boolean | Output field reviewed |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 18 Mar 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f",
      "entity_uuid": "ccd0bbaa-1979-4620-9054-a91c61d70e41",
      "community_uuid": "e391588b-4c35-45eb-a5af-211fba0cde08",
      "name": "string",
      "type": "string",
      "category": "string",
      "criticality": 0,
      "created_at": "2019-08-24T14:15:22Z",
      "created_by": "ee824cad-d7a6-4f48-87dc-e8461a9201c4",
      "created_by_type": "string",
      "updated_at": "2019-08-24T14:15:22Z",
      "first_seen": "2019-08-24T14:15:22Z",
      "last_seen": "2019-08-24T14:15:22Z",
      "nb_events": 0,
      "nb_alerts": 0
    }
  }
]
```

### Get an event search job

Retrieve details for a specific event search job in Sekoia Defend (XDR) by using the event search job UUID.

- Endpoint URL: `/v1/sic/conf/events/search/jobs/{{event_search_job_uuid}}`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| event_search_job_uuid | string | required | UUID of the event search job. The UUID is a 36-character string consisting of hexadecimal digits and hyphens |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| status | number | Status value |
| total | number | Output field total |
| retrieved | number | Output field retrieved |
| term | string | Output field term |
| term_lang | string | Output field term_lang |
| filters | array | Output field filters |
| field | string | Output field field |
| value | object | Value for the parameter |
| operator | string | Output field operator |
| excluded | boolean | Output field excluded |
| disabled | boolean | Output field disabled |
| created_by | string | Output field created_by |
| created_by_type | string | Type of the resource |
| created_at | string | Output field created_at |
| started_at | string | Output field started_at |
| canceled_by | string | Output field canceled_by |
| canceled_by_type | string | Type of the resource |
| canceled_at | string | Output field canceled_at |
| ended_at | string | Output field ended_at |
| earliest_time | string | Time value |
| latest_time | string | Time value |
| results_ttl | number | Result of the operation |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "uuid": "d036c419-f1bc-4a42-9848-d411ab49ebb3",
      "status": 0,
      "total": 0,
      "retrieved": 0,
      "term": "term",
      "term_lang": "term_lang",
      "filters": [],
      "created_by": "created_by",
      "created_by_type": "created_by_type",
      "created_at": "2025-05-08T06:50:11.883Z",
      "started_at": "2025-05-08T06:50:11.883Z",
      "canceled_by": "canceled_by",
      "canceled_by_type": "canceled_by_type",
      "canceled_at": "2025-05-08T06:50:11.883Z",
      "ended_at": "2025-05-08T06:50:11.883Z"
    }
  }
]
```

### Get the events found by an event search job

Retrieves the events matched by a specific event search job in Sekoia Defend (XDR), identified by the path parameter `event_search_job_uuid`.

- Endpoint URL: `/v1/sic/conf/events/search/jobs/{{event_search_job_uuid}}/events`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| limit | integer | optional | Limit the number of items (allowed range is 1-1000), default is 100 |
| offset | integer | optional | Number of items to skip, default is 0 |
| latest_time | string | optional | The latest (exclusive) time bound for the requested events, in UTC time (in seconds) |
| earliest_time | string | optional | The earliest (inclusive) time bound for the requested events, in UTC time (in seconds) |
| event_search_job_uuid | string | required | UUID of the event search job. The UUID is a 36-character string consisting of hexadecimal digits and hyphens |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| total | number | Output field total |
| paging_token | string | Output field paging_token |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "items": [],
      "total": 0,
      "paging_token": "paging_token"
    }
  }
]
```

### Get the fields of the events

Retrieve event field details from Sekoia Defend (XDR) using a specific event search job UUID; an HTTP 410 error indicates an expired job.

- Endpoint URL: `/v1/sic/conf/events/search/jobs/{{event_search_job_uuid}}/fields`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| limit | number | optional | Limit the number of items (allowed range is 1-1000), default is 100 |
| offset | number | optional | Number of items to skip, default is 0 |
| event_search_job_uuid | string | required | UUID of the event search job. The UUID is a 36-character string consisting of hexadecimal digits and hyphens |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| name | string | Name of the resource |
| display_name | string | Name of the resource |
| description | string | Output field description |
| value_type | string | Type of the resource |
| most_common_values | array | Value for the parameter |
| name | string | Name of the resource |
| value | number | Value for the parameter |
| total | number | Output field total |
| retrieved | number | Output field retrieved |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "total": 0,
      "retrieved": 0
    }
  }
]
```

### Get the timeline of an alert by its UUID

Retrieve a detailed timeline of a specific alert in Sekoia Defend (XDR) by using the alert's unique identifier (UUID).

- Endpoint URL: `/v1/sic/alerts/{{alert_uuid}}/timeline`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| alert_uuid | string | required | The alert's UUID |
| type | string | optional | Type of timeline (supported values are '24h', '14d') |
| frame_length | number | optional | Size, in observed data, of the requested frame |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| timeline | array | Output field timeline |
| start | string | Output field start |
| end | string | Output field end |
| value | number | Value for the parameter |
| frame | object | Output field frame |
| start | string | Output field start |
| end | string | Output field end |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Vary": "Accept-Encoding",
      "Access-Control-Allow-Origin": "*",
      "X-Sekoia-Traceid": "c4e688b3ce225feb3c160449ddba33aa",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Content-Encoding": "gzip",
      "Content-Length": "263",
      "Expires": "Tue, 18 Mar 2025 09:58:05 GMT",
      "Cache-Control": "max-age=0, no-cache, no-store",
      "Pragma": "no-cache",
      "Date": "Tue, 18 Mar 2025 09:58:05 GMT",
      "Connection": "keep-alive"
    },
    "reason": "OK",
    "json_body": {
      "timeline": [],
      "frame": {}
    }
  }
]
```

### List alerts

Retrieve a paginated list of alerts from Sekoia Defend (XDR), with optional filters for targeting specific incidents.

- Endpoint URL: `/v1/sic/alerts`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| match[community_uuid] | string | optional | Match alerts by their community UUIDs |
| match[entity_name] | string | optional | Match alerts by their entity names (separated by commas) |
| match[entity_uuid] | string | optional | Match alerts by their entity UUIDs (separated by commas) |
| match[status_uuid] | string | optional | Match alerts by their status UUIDs (separated by commas) |
| match[status_name] | string | optional | Match alerts by their status names (separated by commas) |
| match[type_category] | string | optional | Match alerts by their type categories (separated by commas) |
| match[type_value] | string | optional | Match alerts by their type values (separated by commas) |
| match[source] | string | optional | Match alerts by their sources (separated by commas) |
| match[target] | string | optional | Match alerts by their targets (separated by commas) |
| match[node] | string | optional | Match alerts either by their sources or their targets (separated by commas) |
| match[stix_object] | string | optional | Match alerts that contain the requested STIX object IDs |
| match[rule_uuid] | string | optional | Match alerts by their rule UUIDs (separated by commas) |
| match[rule_name] | string | optional | Match alerts by their rule names (separated by commas) |
| match[short_id] | string | optional | Match alerts by their short IDs (separated by commas) |
| match[uuid] | string | optional | Match alerts by their UUIDs (separated by commas) |
| match[title] | string | optional | Match alerts by their titles (separated by commas) |
| match[asset_uuid] | string | optional | Match alerts for specific assets (separated by commas) |
| match[urgency_display] | string | optional | Match alerts for a specific urgency display (separated by commas) |
| date[created_at] | string | optional | Filter alerts by their creation dates |
| date[updated_at] | string | optional | Filter alerts by their update dates |
| range[urgency] | string | optional | Filter alerts by their urgencies |
| range[similar] | string | optional | Filter alerts by their number of similar occurrences |
| visible | boolean | optional | Filter alerts according to their visibility |
| similar_to | string | optional | Filter alerts similar to the provided alert short ID |
| nomatch[asset_uuid] | string | optional | Exclude alerts for specific assets (separated by commas) |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| uuid | string | Unique identifier |
| title | string | Output field title |
| created_at | number | Output field created_at |
| created_by | string | Output field created_by |
| created_by_type | string | Type of the resource |
| updated_at | number | Output field updated_at |
| updated_by | string | Output field updated_by |
| updated_by_type | string | Type of the resource |
| community_uuid | string | Unique identifier |
| short_id | string | Unique identifier |
| entity | object | Output field entity |
| uuid | string | Unique identifier |
| name | string | Name of the resource |
| urgency | object | Output field urgency |
| current_value | number | Value for the parameter |
| value | number | Value for the parameter |
| severity | number | Output field severity |
| criticity | number | Output field criticity |
| display | string | Output field display |
| alert_type | object | Type of the resource |
| value | string | Value for the parameter |
| category | string | Output field category |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Mon, 11 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "total": 0,
      "has_more": true
    }
  }
]
```

### Search assets

Retrieve a paginated, sortable, and filterable list of assets from Sekoia Defend (XDR).

- Endpoint URL: `/v2/asset-management/assets`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| limit | number | optional | Limit the number of items (allowed range is 1-100), default is 20 |
| offset | number | optional | Number of items to skip, default is 0. Values must be greater than or equal to 0 |
| search | string | optional | Search assets by name |
| also_search_in_detection_properties | boolean | optional | Search by attached detection property too |
| also_search_in_tags | boolean | optional | Search by asset tags too |
| uuids | string | optional | Filter by comma-separated list of asset UUIDs |
| community_uuids | string | optional | Filter by comma-separated list of community UUIDs |
| type | string | optional | Filter by comma-separated list of asset types |
| category | string | optional | Filter by comma-separated list of asset categories |
| source | string | optional | Filter by comma-separated list of asset sources |
| tags | string | optional | Filter by comma-separated list of tags |
| reviewed | boolean | optional | Filter reviewed assets only |
| criticality | number | optional | Filter assets with higher criticality |
| sort | string | optional | Sort criterion |
| direction | string | optional | Sort order |
| with_telemetry | boolean | optional | Enrich returned assets with their telemetry statistics |
| incorporate_atoms | boolean | optional | Enrich returned assets with their detection properties |
| include_revoked | boolean | optional | Include revoked assets in the search results |
| rule_uuid | string | optional | Filter by comma-separated list of asset discovery rule UUIDs |
| rule_version | string | optional | Filter by comma-separated list of asset discovery rule versions |
| format | string | optional | Format. Return assets using the legacy assets API v1.0 format |
| cookies | object | optional | Parameter for Search assets |
| access_token_cookie | string | optional | Access token cookie |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| items | array | Output field items |
| uuid | string | Unique identifier |
| entity_uuid | string | Unique identifier |
| community_uuid | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| category | string | Output field category |
| criticality | number | Output field criticality |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| created_by_type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| nb_events | number | Output field nb_events |
| nb_alerts | number | Output field nb_alerts |
| nb_atoms | number | Output field nb_atoms |
| atoms | object | Output field atoms |
| props | object | Output field props |
| tags | array | Output field tags |
| revoked | boolean | Output field revoked |
| revoked_at | string | Output field revoked_at |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 18 Mar 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "total": 0,
      "items": []
    }
  }
]
```

### Trigger an action on the alert workflow

Executes a specified action on an alert in Sekoia Defend (XDR), using the alert's UUID, to update its workflow status.

- Endpoint URL: `/v1/sic/alerts/{{uuid}}/workflow`
- Method: PATCH

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| uuid | string | required | The alert's UUID |
| action_uuid | string | required | UUID of the action to trigger, or the status to set. For more details see the README |
| comment | string | optional | A comment to describe why the alert status has changed |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| actions | array | Output field actions |
| id | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Content-Length": "3",
      "Access-Control-Allow-Origin": "*",
      "X-Sekoia-Traceid": "75a030b6ae2104d007ef0aab26e974ef",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Expires": "Tue, 18 Mar 2025 10:25:39 GMT",
      "Cache-Control": "max-age=0, no-cache, no-store",
      "Pragma": "no-cache",
      "Date": "Tue, 18 Mar 2025 10:25:39 GMT",
      "Connection": "keep-alive"
    },
    "reason": "OK",
    "json_body": {
      "actions": []
    }
  }
]
```

### Triggers a status update on a list of alerts

Updates the status of selected Sekoia Defend (XDR) alerts using specific alert and action identifiers.

- Endpoint URL: `/v1/sic/alerts/bulk/workflow`
- Method: PATCH

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| match[uuid] | string | required | Match alerts by their identifier (UUID or short ID; separated by commas) |
| action_uuid | string | required | UUID of the action to trigger, or the status to set |
| comment | string | optional | A comment to describe why the alert status has changed |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Mon, 11 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Access-Control-Allow-Origin | HTTP response header Access-Control-Allow-Origin | |
| Cache-Control | Directives for caching mechanisms | max-age=0, no-cache, no-store |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 263 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 11 Dec 2023 20:37:23 GMT |
| Expires | The date/time after which the response is considered stale | Tue, 18 Mar 2025 09:58:05 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
| Vary | HTTP response header Vary | Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-Sekoia-Traceid | HTTP response header X-Sekoia-Traceid | c4e688b3ce225feb3c160449ddba33aa |
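The three event search actions (create an event search job, get an event search job, get the events found by it) form one procedure: submit the job, poll it until it has finished, then page through its results with `limit`/`offset` inside the documented 1-1000 range, treating an HTTP 410 as an expired job. The Python client below is an added example and is not the connector's or Sekoia's own code. It assumes the request and response keys exactly as named in the tables (`term`, `earliest_time`, `latest_time`, `results_ttl`, `storage`, `filters`, `ended_at`, `canceled_at`, `items`, `total`), assumes that a finished job reports a non-null `ended_at`, and runs against a constructed in-memory stand-in (`FakeSekoia`) so it works offline; a real transport would send the configured API key as `Authorization: Bearer <token>` and return the same `(status_code, json_body)` pair.

```python
import time
from typing import Any, Callable, Iterator, Optional

# Filter operators and job endpoint documented for "Create an event search job".
SUPPORTED_OPERATORS = {"=", "startswith", "endswith", "contains", "exists", ">", ">=", "<", "<="}
JOBS = "/v1/sic/conf/events/search/jobs"
# transport(method, path, query, body) -> (status_code, json_body). A real one sends the
# connector's "Authorization: Bearer <api key>" header; FakeSekoia below answers offline.
Transport = Callable[[str, str, dict, Any], tuple]


class JobExpired(Exception):
    """HTTP 410: the job's results_ttl has elapsed and its results are no longer retrievable."""


def make_filter(field: str, value: Any, operator: str = "=", excluded: bool = False) -> dict:
    """One entry of the job's 'filters' array; operators outside the documented set are refused."""
    if operator not in SUPPORTED_OPERATORS:
        raise ValueError(f"unsupported filter operator {operator!r}")
    return {"field": field, "value": value, "operator": operator, "excluded": excluded, "disabled": False}


def build_search_job(term: str, earliest_time: str, latest_time: str, filters: Optional[list] = None,
                     results_ttl: int = 1800, storage: str = "hot") -> dict:
    """Body for POST /v1/sic/conf/events/search/jobs with the documented ranges enforced client-side."""
    if not 10 <= results_ttl <= 86400:
        raise ValueError("results_ttl must be within 10..86400 seconds")
    if storage not in ("hot", "archives"):
        raise ValueError("storage must be 'hot' or 'archives'")
    return {"term": term, "earliest_time": earliest_time, "latest_time": latest_time,
            "filters": list(filters or []), "results_ttl": results_ttl, "storage": storage}


class EventSearchClient:
    def __init__(self, transport: Transport):
        self._send = transport

    def _call(self, method: str, path: str, query: Optional[dict] = None, body: Any = None) -> Any:
        status, payload = self._send(method, path, query or {}, body)
        if status == 410:  # documented for the fields endpoint; treated the same for the job's other resources
            raise JobExpired(path)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return payload

    def create_job(self, job: dict) -> str:
        return self._call("POST", JOBS, body=job)["uuid"]

    def get_job(self, job_uuid: str) -> dict:
        return self._call("GET", f"{JOBS}/{job_uuid}")

    def get_fields(self, job_uuid: str, limit: int = 100) -> list:
        return self._call("GET", f"{JOBS}/{job_uuid}/fields", {"limit": limit}).get("items", [])

    def wait_for_job(self, job_uuid: str, poll_seconds: float = 2.0, timeout: float = 120.0,
                     sleep: Callable[[float], None] = time.sleep) -> dict:
        # Assumption: a finished job reports a non-null ended_at, a stopped one canceled_at.
        deadline = time.monotonic() + timeout
        while True:
            job = self.get_job(job_uuid)
            if job.get("ended_at") or job.get("canceled_at"):
                return job
            if time.monotonic() >= deadline:
                raise TimeoutError(f"job {job_uuid} still running after {timeout}s")
            sleep(poll_seconds)

    def iter_events(self, job_uuid: str, page_size: int = 100) -> Iterator[dict]:
        # Walk every matched event with limit/offset paging (limit allowed range is 1..1000).
        if not 1 <= page_size <= 1000:
            raise ValueError("page_size must be within 1..1000")
        offset = 0
        while True:
            page = self._call("GET", f"{JOBS}/{job_uuid}/events", {"limit": page_size, "offset": offset})
            items = page.get("items", [])
            yield from items
            offset += len(items)
            if not items or offset >= page.get("total", 0):
                return


class FakeSekoia:
    """Constructed stand-in: the job finishes on the second poll and its fields have already expired."""
    JOB_UUID = "ae0e6607-8c52-4243-a7a1-b3e8a10d3852"  # job uuid from the page's example response

    def __init__(self, events: list):
        self.events, self.polls = events, 0

    def __call__(self, method: str, path: str, query: dict, body: Any) -> tuple:
        if method == "POST" and path == JOBS:
            return 200, {"uuid": self.JOB_UUID, "ended_at": None}
        if path.endswith("/events"):
            lo = query["offset"]
            return 200, {"items": self.events[lo:lo + query["limit"]], "total": len(self.events)}
        if path.endswith("/fields"):
            return 410, {}
        if path == f"{JOBS}/{self.JOB_UUID}":
            self.polls += 1
            ended = "2025-05-08T06:46:55.856Z" if self.polls >= 2 else None
            return 200, {"uuid": self.JOB_UUID, "total": len(self.events), "ended_at": ended}
        return 404, {}


def run_search(transport: Optional[Transport] = None) -> list:
    # Create -> wait -> page. Without a transport it runs against five constructed sample events.
    sample = [{"@timestamp": f"2025-05-08T06:4{i}:00Z", "user.name": "alice", "seq": i} for i in range(5)]
    client = EventSearchClient(transport or FakeSekoia(sample))
    job = build_search_job("user.name:alice", "2025-05-08T00:00:00Z", "2025-05-09T00:00:00Z",
                           filters=[make_filter("event.action", "login")])
    job_uuid = client.create_job(job)
    client.wait_for_job(job_uuid, poll_seconds=0, sleep=lambda _s: None)
    return list(client.iter_events(job_uuid, page_size=2))
```

`run_search()` with no argument exercises the whole lifecycle against the stand-in; in a playbook you would pass a transport bound to the configured URL and API key, keep `results_ttl` long enough to cover the polling and paging, and catch `JobExpired` to re-create the job rather than retrying the same UUID.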
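The two workflow actions (trigger an action on one alert, and the bulk status update on a list of alerts) both take an `action_uuid` drawn from the "Available action UUIDs for status updates" table, plus an optional audit `comment`, and answer either with an `actions` list (200) or with an empty body (204). The Python helper below is an added example, not Swimlane's or Sekoia's code: it resolves a status name or UUID against that table before anything is sent, picks the per-alert or bulk endpoint by how many identifiers it receives, and normalises both response shapes. It assumes `match[uuid]` travels as a query parameter with `action_uuid` and `comment` in the JSON body, and it runs against a constructed stand-in (`FakeAlertApi`) that records the request and mirrors the page's example responses.

```python
from typing import Any, Callable, Optional

# Status-update action UUIDs from the connector's "Available action UUIDs for status updates" table.
ALERT_ACTIONS = {
    "pending": "2efc4930-1442-4abb-acf2-58ba219a4fd0",
    "acknowledge": "8f206505-af6d-433e-93f4-775d46dc7d0f",
    "ongoing": "1f2f88d5-ff5b-48bf-bbbc-00c2fff82d9f",
    "reject": "4f68da89-38e0-4703-a6ab-652f02bdf24e",
    "close": "1738b1c1-767d-489e-bada-19176621a007",
}
UUID_TO_NAME = {uuid: name for name, uuid in ALERT_ACTIONS.items()}
BULK_ENDPOINT = "/v1/sic/alerts/bulk/workflow"


def resolve_action(name_or_uuid: str) -> str:
    """Accept a status name ('close') or its UUID; anything else is refused before any request is made."""
    key = name_or_uuid.strip().lower()
    if key in ALERT_ACTIONS:
        return ALERT_ACTIONS[key]
    if key in UUID_TO_NAME:
        return key
    raise ValueError(f"unknown alert action {name_or_uuid!r}; expected one of {sorted(ALERT_ACTIONS)}")


def workflow_request(alert_ids: list, action: str, comment: Optional[str] = None) -> dict:
    """Describe the PATCH: one id -> /v1/sic/alerts/{uuid}/workflow, several -> the bulk endpoint.

    Assumption: match[uuid] is sent as a query parameter; action_uuid and comment go in the JSON body.
    """
    ids = [a.strip() for a in alert_ids if a and a.strip()]
    if not ids:
        raise ValueError("at least one alert uuid or short id is required")
    body: dict = {"action_uuid": resolve_action(action)}
    if comment:
        body["comment"] = comment
    if len(ids) == 1:
        return {"method": "PATCH", "path": f"/v1/sic/alerts/{ids[0]}/workflow", "query": {}, "body": body}
    return {"method": "PATCH", "path": BULK_ENDPOINT, "query": {"match[uuid]": ",".join(ids)}, "body": body}


def interpret_response(status_code: int, json_body: Any) -> dict:
    """Normalise the two documented shapes: 200 with an 'actions' list, 204 with an empty body."""
    if status_code == 204:
        return {"ok": True, "actions": []}
    if status_code == 200:
        actions = (json_body or {}).get("actions", [])
        return {"ok": True, "actions": [a.get("name") for a in actions]}
    return {"ok": False, "actions": [], "status_code": status_code}


class FakeAlertApi:
    """Constructed stand-in that records each request and mirrors the page's example responses."""

    def __init__(self) -> None:
        self.calls: list = []

    def __call__(self, req: dict) -> tuple:
        self.calls.append(req)
        if req["path"] == BULK_ENDPOINT:
            return 204, {}
        return 200, {"actions": [{"id": "a1", "name": "close", "description": "constructed"}]}


def close_alerts(alert_ids: list, comment: str, send: Optional[Callable[[dict], tuple]] = None) -> dict:
    """Close one or many alerts with an audit comment; returns the normalised outcome and the route used."""
    send = send or FakeAlertApi()
    req = workflow_request(alert_ids, "close", comment)
    status, body = send(req)
    return {"route": req["path"], "updated": len(alert_ids), **interpret_response(status, body)}
```

Because the bulk endpoint answers 204 with no body, a playbook cannot read back which alerts changed; record the identifiers and the comment you sent in your own audit trail, and confirm the new status afterwards with the list alerts action (for example `match[uuid]` together with `match[status_name]`).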