Query ⫘
The Taegis Alerts API is based on GraphQL, in which every operation is either a read (Query) or a write (Mutation). A query reads or fetches values; a mutation writes or posts values. Responses are returned in JSON format.
Field ⫘
alertsServiceRetrieveAlertsById Type: AlertsResponse ⫘
Provide a list of Alert IDs to retrieve each alert’s detail.
Arguments ⫘
in Type: GetByIDRequestInput ⫘
Field ⫘
alertsServiceRetrieveAlertsByHost Type: AlertsResponse ⫘
Provide a list of Host IDs to retrieve alert details about each alert that contains those hosts.
Arguments ⫘
in Type: GetByIDRequestInput ⫘
Field ⫘
alertsServiceRetrieveAlertsByEntity Type: AlertsResponse ⫘
Provide a list of entities to retrieve alert details about each alert that contains those entities.
Arguments ⫘
in Type: GetByIDRequestInput ⫘
Field ⫘
alertsServiceRetrieveAlertsByGroupKey Type: AlertsResponse ⫘
Provide a list of group keys to retrieve details of each alert that carries one of those group_key values. The group key is used by the service to aid in alert deduplication; this query would not commonly be used by a tenant of XDR.
Arguments ⫘
in Type: GetByIDRequestInput ⫘
Field ⫘
alertsServiceSearch Type: AlertsResponse ⫘
Search alerts using Query Language. This is the same query language provided in Advanced Search page in Taegis XDR.
Arguments ⫘
in Type: SearchRequestInput ⫘
Field ⫘
alertsServicePoll Type: AlertsResponse ⫘
Poll for results for a specific search_id.
Arguments ⫘
in Type: PollRequestInput ⫘
Field ⫘
alertsServiceAggregateAlertsBySeverity Type: AlertsAggregateResponse ⫘
Pull alert severity aggregates based on group_by parameters: domain, watchlist, hostname, detector, user.
Arguments ⫘
in Type: AggregateAlertsBySeverityInputInput ⫘
Field ⫘
alertsServiceAlertsDashboardTriage Type: TriageDashboardOutput ⫘
Arguments ⫘
in Type: TriageDashboardInputInput ⫘
Field ⫘
node Type: Node ⫘
Arguments ⫘
id Type: ID! ⫘
Mutation ⫘
Field ⫘
alertsServiceUpdateInvestigationInfo Type: UpdateInvestigationResponse ⫘
Arguments ⫘
in Type: UpdateInvestigationRequestInput ⫘
Field ⫘
alertsServiceUpdateResolutionInfo Type: UpdateResolutionResponse ⫘
Add a resolution, or modify an existing resolution, for a given list of alert IDs.
Arguments ⫘
in Type: UpdateResolutionRequestInput ⫘
Field ⫘
alertsServiceBulkInvestigationsProcessor Type: BulkInvestigationsResponse ⫘
Bulk add alerts to an existing investigation by providing either a query or list of alert IDs. If a query is provided, then all alerts matching the query will be added to the investigation.
Arguments ⫘
in Type: BulkInvestigationsRequestInput ⫘
Field ⫘
alertsServiceEvict Type: EvictResponse ⫘
Evict a search request by search ID.
Arguments ⫘
in Type: EvictRequestInput ⫘
Objects ⫘
AccountCompromiseDetectorDetail ⫘
Field ⫘
user_name Type: String ⫘
AggregationResponse ⫘
Field ⫘
key Type: String ⫘
Field ⫘
value Type: Float ⫘
Alert2 ⫘
Base schema for an alert.
Field ⫘
id Type: ID! ⫘
Alert resource name.
Field ⫘
group_key Type: [String!] ⫘
Alert group key
Field ⫘
metadata Type: AlertsMetadata ⫘
Alert metadata
Field ⫘
visibility Type: Visibility ⫘
Field ⫘
attack_technique_ids Type: [String!] ⫘
List of attack technique IDs
Field ⫘
tenant_id Type: String ⫘
Tenant ID associated with alert
Field ⫘
suppressed Type: Boolean ⫘
Whether this alert was suppressed (true or false).
Field ⫘
suppression_rules Type: [AlertRuleReference!] ⫘
Suppression rules associated with alert
Field ⫘
alerting_rules Type: [AlertRuleReference!] ⫘
Rules associated with alert
Field ⫘
status Type: ResolutionStatus ⫘
Alert resolution status
Field ⫘
resolution_reason Type: String ⫘
Alert resolution reason
Field ⫘
resolution_history Type: [ResolutionMetadata!] ⫘
Field ⫘
severity_history Type: [SeverityUpdate!] ⫘
Field ⫘
tags Type: [String!] ⫘
List of tags associated to alert
Field ⫘
sensor_types Type: [String!] ⫘
Sensor types associated with alert
Field ⫘
entities Type: EntityRelationships ⫘
All entities that are associated with an alert
Field ⫘
key_entities Type: [EntityMetadata!] ⫘
Field ⫘
event_ids Type: [AuxiliaryEvent!] ⫘
All event IDs that are associated with an alert
Field ⫘
observation_ids Type: [Observation!] ⫘
All observation IDs that are associated with an alert
Field ⫘
investigation_ids Type: [Investigation!] ⫘
All investigation IDs that are associated with an alert
Field ⫘
collection_ids Type: [Collection!] ⫘
Field ⫘
enrichment_details Type: [EnrichmentDetail!] ⫘
Specific detectors may provide additional context to explain why the alert triggered or information to help an analyst review the alert.
Field ⫘
third_party_details Type: [ThirdPartyDetail!] ⫘
Alert third party details
Field ⫘
reference_details Type: [ReferenceDetail!] ⫘
List of detailed alert references provided by detector or watchlist rule
Field ⫘
priority Type: AlertPriority ⫘
AlertPriority ⫘
Field ⫘
value Type: Float ⫘
Field ⫘
prioritizer Type: String ⫘
Field ⫘
version Type: String ⫘
Field ⫘
model_name Type: String ⫘
Field ⫘
model_version Type: String ⫘
Field ⫘
evidence Type: [String!] ⫘
Field ⫘
applied_time Type: Timestamp ⫘
AlertRuleReference ⫘
Field ⫘
id Type: String ⫘
Field ⫘
version Type: String ⫘
AlertsAggregateResponse ⫘
Field ⫘
aggregation Type: [AlertsAggregateResponse_AlertsAggregation!] ⫘
AlertsAggregateResponse_AlertsAggregation ⫘
Field ⫘
key Type: String ⫘
Field ⫘
count Type: Int ⫘
Field ⫘
severities Type: AlertsAggregateResponse_AlertsAggregation_Severity ⫘
AlertsAggregateResponse_AlertsAggregation_Severity ⫘
Field ⫘
info Type: Int ⫘
Field ⫘
low Type: Int ⫘
Field ⫘
medium Type: Int ⫘
Field ⫘
high Type: Int ⫘
Field ⫘
critical Type: Int ⫘
AlertsInvestigationInfo ⫘
Field ⫘
alert_resource_id Type: String ⫘
Field ⫘
initial_access_vector_info Type: [InitialAccessVectorInfo!] ⫘
AlertsList ⫘
List of alerts and associated request metadata.
Field ⫘
list Type: [Alert2!] ⫘
List of Alert types
Field ⫘
total_results Type: Int ⫘
Total results available for request
Field ⫘
next_offset Type: Int ⫘
Field ⫘
previous_offset Type: Int ⫘
Field ⫘
last_offset Type: Int ⫘
Field ⫘
first_offset Type: Int ⫘
Field ⫘
total_parts Type: Int ⫘
Total parts of the result set
Field ⫘
part Type: Int ⫘
Part number of returned result set
Field ⫘
group_by Type: [AggregationResponse!] ⫘
Aggregation response, if the initial request included an aggregation
AlertsMetadata ⫘
Alert metadata information
Field ⫘
creator Type: Creator ⫘
Alert creator
Field ⫘
engine Type: Engine ⫘
Alert engine
Field ⫘
severity Type: Float ⫘
Alert severity, a value from 0 to 1
Field ⫘
severity_updated_at Type: Timestamp ⫘
Field ⫘
confidence Type: Float ⫘
Alert confidence, a value from 0 to 1
Field ⫘
title Type: String ⫘
Alert title
Field ⫘
description Type: String ⫘
Alert description
Field ⫘
began_at Type: Timestamp ⫘
When the behavior associated with the alert began
Field ⫘
ended_at Type: Timestamp ⫘
When the behavior associated with the alert ended
Field ⫘
created_at Type: Timestamp ⫘
When the alert was created
Field ⫘
inserted_at Type: Timestamp ⫘
When the alert was inserted into the database; this should be very close in time to created_at
Field ⫘
updated_at Type: Timestamp ⫘
Last time the alert was updated, for example by feedback or investigation changes
Field ⫘
first_seen_at Type: Timestamp ⫘
When the events triggering the alert were first seen. This is set by specific ingests based on data provided by the data source.
Field ⫘
first_investigated_at Type: Timestamp ⫘
When the alert first had an investigation associated with it
Field ⫘
first_resolved_at Type: Timestamp ⫘
When the alert was first resolved
Field ⫘
origin Type: Origin ⫘
Who created the event which generated this alert
AlertsResponse ⫘
Field ⫘
status Type: RPCResponseStatus ⫘
Field ⫘
reason Type: String ⫘
Field ⫘
alerts Type: AlertsList ⫘
Field ⫘
search_id Type: String ⫘
The search ID is passed to alertsServicePoll to request the additional parts of a result set containing more than 10k results.
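The search, poll and evict cycle that alertsServiceSearch, alertsServicePoll, alertsServiceEvict and the search_id field describe, as an added example that is not part of the Taegis documentation or client libraries. The endpoint URL, authentication and the RPCResponseStatus values are not on this page, so HTTP is hidden behind a transport callable and a constructed in-memory fake stands in for the service; the query text, search ID and alert IDs are placeholders.

```python
import json
from typing import Any, Callable, Dict, List, Optional

# A transport takes a GraphQL document plus variables and returns the parsed
# JSON body ({"data": ..., "errors": ...}); real HTTP and auth live behind it.
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]

ALERT_FIELDS = "id status metadata { title severity }"

# Root fields, argument names and input fields below are the ones the
# reference page lists; the selection sets are a subset of Alert2/AlertsList.
SEARCH_DOC = f"""
query AlertsSearch($in: SearchRequestInput) {{
  alertsServiceSearch(in: $in) {{
    status reason search_id
    alerts {{ total_results total_parts part list {{ {ALERT_FIELDS} }} }}
  }}
}}"""

POLL_DOC = f"""
query AlertsPoll($in: PollRequestInput) {{
  alertsServicePoll(in: $in) {{
    status reason search_id
    alerts {{ total_parts part list {{ {ALERT_FIELDS} }} }}
  }}
}}"""

EVICT_DOC = """
mutation AlertsEvict($in: EvictRequestInput) {
  alertsServiceEvict(in: $in) { status }
}"""


def _call(transport: Transport, doc: str, variables: Dict[str, Any],
          field: str) -> Dict[str, Any]:
    """Send one document and return the payload of the selected root field."""
    body = transport(doc, variables)
    if body.get("errors"):
        raise RuntimeError("GraphQL errors: " + json.dumps(body["errors"]))
    return body["data"][field]


def collect_alerts(transport: Transport, cql_query: str) -> List[Dict[str, Any]]:
    """Run a search and gather every part of its result set.

    Result sets above 10k come back in parts: part 1 arrives with the search
    response, the rest are fetched with alertsServicePoll using the returned
    search_id. The search is evicted afterwards, even when a poll fails, so
    the service does not keep the result set alive longer than needed.
    """
    first = _call(transport, SEARCH_DOC, {"in": {"cql_query": cql_query}},
                  "alertsServiceSearch")
    if first.get("alerts") is None:
        raise RuntimeError(f"search failed: {first.get('reason')}")
    alerts: List[Dict[str, Any]] = list(first["alerts"].get("list") or [])
    total_parts = first["alerts"].get("total_parts") or 1
    search_id: Optional[str] = first.get("search_id")
    try:
        for part_id in range(2, total_parts + 1):
            if not search_id:
                raise RuntimeError("multi-part result set without a search_id")
            page = _call(transport, POLL_DOC,
                         {"in": {"search_id": search_id, "part_id": part_id}},
                         "alertsServicePoll")
            if page.get("alerts") is None:
                raise RuntimeError(f"poll of part {part_id} failed: {page.get('reason')}")
            alerts.extend(page["alerts"].get("list") or [])
    finally:
        if search_id:
            _call(transport, EVICT_DOC, {"in": {"search_id": search_id}},
                  "alertsServiceEvict")
    return alerts


def at_or_above(alerts: List[Dict[str, Any]], min_severity: float) -> List[Dict[str, Any]]:
    """Keep alerts whose metadata.severity (0 to 1 on this API) meets the threshold."""
    return [a for a in alerts
            if ((a.get("metadata") or {}).get("severity") or 0.0) >= min_severity]


class FakeAlertsService:
    """Constructed stand-in for the service: a three-part result set, one alert per part."""

    def __init__(self) -> None:
        self.calls: List[str] = []
        self.evicted: List[str] = []

    @staticmethod
    def _alert(n: int, severity: float) -> Dict[str, Any]:
        return {"id": f"constructed-alert-{n}", "status": None,
                "metadata": {"title": f"constructed alert {n}", "severity": severity}}

    def __call__(self, doc: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        args = variables["in"]
        if "alertsServiceSearch" in doc:
            self.calls.append("search")
            alerts = {"total_results": 3, "total_parts": 3, "part": 1,
                      "list": [self._alert(1, 0.9)]}
            return {"data": {"alertsServiceSearch": {
                "search_id": "search-id-PLACEHOLDER", "alerts": alerts}}}
        if "alertsServicePoll" in doc:
            part = args["part_id"]
            self.calls.append(f"poll:{part}")
            if args["search_id"] in self.evicted:  # polling an evicted search fails
                return {"data": {"alertsServicePoll": {"alerts": None, "reason": "search evicted"}}}
            alerts = {"total_parts": 3, "part": part,
                      "list": [self._alert(part, 0.2 if part == 2 else 0.8)]}
            return {"data": {"alertsServicePoll": {"search_id": args["search_id"], "alerts": alerts}}}
        if "alertsServiceEvict" in doc:
            self.calls.append("evict")
            self.evicted.append(args["search_id"])
            return {"data": {"alertsServiceEvict": {"status": None}}}
        raise AssertionError("unexpected GraphQL document")
```

Swap the fake for a function that POSTs the document and variables to the real endpoint with your credentials; the driver logic stays the same.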
AuthScanDetail ⫘
Field ⫘
total_attempts Type: Int ⫘
Total number of successful and failed login attempts.
Field ⫘
successful_logon_attempts Type: [AuthScanLogonAttempt!] ⫘
Field ⫘
failed_logon_attempts Type: [AuthScanLogonAttempt!] ⫘
AuthScanLogonAttempt ⫘
Field ⫘
target_user_name Type: String ⫘
User attempting login
Field ⫘
has_logon_success Type: Boolean ⫘
DEPRECATED. See the list in successful_logon_attempts.
Field ⫘
num_attempts Type: Int ⫘
Number of login attempts
AuxiliaryEvent ⫘
Field ⫘
id Type: ID! ⫘
ID of the Event
Field ⫘
event_data Type: Map ⫘
Use to retrieve the full event object. Note: this can slow the response if the query retrieves a large volume of alerts.
BruteForceAuth ⫘
Field ⫘
win_event_id Type: String ⫘
Field ⫘
action Type: String ⫘
Field ⫘
domain Type: String ⫘
Field ⫘
target_username Type: String ⫘
Field ⫘
event_timestamp Type: Int ⫘
Field ⫘
resource_record_identifier Type: String ⫘
BruteForceDetails ⫘
Field ⫘
num_auth_failures Type: Int ⫘
Field ⫘
num_auth_successes Type: Int ⫘
Field ⫘
last_successful_auth Type: BruteForceAuth ⫘
Field ⫘
most_recent_auths_failures Type: [BruteForceAuth!] ⫘
BulkInvestigationsResponse ⫘
Field ⫘
id Type: String ⫘
Field ⫘
reason Type: String ⫘
Field ⫘
status Type: ResponseStatus ⫘
Field ⫘
events Type: [String!] ⫘
Field ⫘
assets Type: [String!] ⫘
Field ⫘
access_vector_info Type: [AlertsInvestigationInfo!] ⫘
BulkResolutionResponse ⫘
Field ⫘
reason Type: String ⫘
Field ⫘
resolution_status Type: ResponseStatus ⫘
Field ⫘
total_hits Type: Int ⫘
Field ⫘
total_done Type: Int ⫘
Field ⫘
total_failed Type: Int ⫘
Field ⫘
is_complete Type: Boolean ⫘
BusinessEmailCompromiseDetail ⫘
Field ⫘
source_address Type: String ⫘
Field ⫘
source_address_geo_summary Type: GeoSummary ⫘
Field ⫘
user_name Type: String ⫘
Collection ⫘
Field ⫘
id Type: ID! ⫘
CreateAlertsResponse ⫘
Field ⫘
status Type: RPCResponseStatus ⫘
Field ⫘
iDs Type: [String!] ⫘
Field ⫘
reason Type: String ⫘
CreationRule ⫘
Field ⫘
rule_id Type: String ⫘
Field ⫘
version Type: String ⫘
Creator ⫘
The Detector that created the alert.
Field ⫘
detector Type: Detector ⫘
Field ⫘
rule Type: CreationRule ⫘
DDosIpAddressOccurrenceCount ⫘
Field ⫘
ip_address Type: String ⫘
Field ⫘
count Type: Int ⫘
DDosIpCount ⫘
Field ⫘
date Type: Timestamp ⫘
Field ⫘
count Type: Int ⫘
DDosSourceIpCountDetail ⫘
Field ⫘
hour_partition Type: String ⫘
The detector compares historical netflow data occurring within this hour.
Field ⫘
sensor_id Type: String ⫘
ID of Sensor providing netflow data.
Field ⫘
host_id Type: String ⫘
Endpoint Host ID
Field ⫘
event_observable_count Type: Int ⫘
The number of unique source IPs observed in the device’s network connections in the current hour.
Field ⫘
event_observable_count_std_dev Type: Float ⫘
The current count of unique source IPs expressed as the number of standard deviations above the baseline mean.
Field ⫘
baseline_observable_count_std_dev Type: Float ⫘
The variability, or spread, of the number of unique source IPs for this reporting device. A low standard deviation means the count of unique sources is consistent over time (a tall, narrow bell curve); a high standard deviation means the count varies greatly over time (a short, wide bell curve).
Field ⫘
baseline_observable_count_mean Type: Float ⫘
The average number of unique source IPs, counted on an hourly basis, observed in the historical data for this reporting device.
Field ⫘
baseline_observable_count_median Type: Int ⫘
The midpoint value for the range of unique source IPs counted in the historical data for this reporting device.
Field ⫘
baseline_num_days Type: Int ⫘
The number of historical days considered in this alert. Days in which the device did not report connections are not included.
Field ⫘
analytic_observable_std_dev_threshold Type: Float ⫘
The standard deviation threshold: the current hour's count must be at least this many standard deviations above the baseline mean (the Standard Deviation Above Mean) to trigger an alert.
Field ⫘
analytic_observable_min_count Type: Int ⫘
The minimum number of unique source IPs that must be observed in the current hour to trigger an alert; the source IP count reported in an alert is therefore always at least this number.
Field ⫘
analytic_time_threshold Type: Int ⫘
Threshold time limit for detector to observe netflow activity.
Field ⫘
historical_ip_counts Type: [DDosIpCount!] ⫘
Historical count of unique source IPs per hour window.
Field ⫘
top_destination_ips Type: [DDosIpAddressOccurrenceCount!] ⫘
Top Destination IPs by occurrence.
DeleteAlertsResponse ⫘
Internal Type
Field ⫘
status Type: RPCResponseStatus ⫘
Field ⫘
reason Type: String ⫘
Detector ⫘
Information about the Detector that is associated with alert.
Field ⫘
detector_id Type: String ⫘
Field ⫘
detector_name Type: String ⫘
Field ⫘
version Type: String ⫘
DnsExfilEnrichment ⫘
Field ⫘
num_queries Type: Int ⫘
Estimated number of DNS requests made by the host.
Engine ⫘
Alert engine
Field ⫘
name Type: String ⫘
Field ⫘
version Type: String ⫘
EnrichmentDetail ⫘
Specific detectors can provide additional context to help explain why the alert was generated, or information to help an analyst review the alert.
Field ⫘
geo_ip Type: GeographicIp ⫘
Geolocation for IP Addresses.
Field ⫘
whois Type: WhoisSimple ⫘
WHOIS info for domain.
Field ⫘
dns_exfil Type: DnsExfilEnrichment ⫘
Suspicious DNS Activity Detector
Field ⫘
ddos_source_ip Type: DDosSourceIpCountDetail ⫘
DDoS Source IP Count Detector
Field ⫘
login_failure Type: LoginFailureDetail ⫘
Login Failure Detector
Field ⫘
rare_program_rare_ip Type: RareProgramRareIpDetail ⫘
Rare Program to Rare IP Detector
Field ⫘
travel_features Type: StolenCredsTravelFeatures ⫘
Stolen Credentials Detector - travel features: speed of travel and distance travelled.
Field ⫘
trust_features Type: StolenCredsTrustFeatures ⫘
Stolen Credentials Detector - trust features: whether the ASN, IP address or country is unknown across all tenants or for this username.
Field ⫘
tactic_graph_detail Type: TacticGraphDetail ⫘
Tactic Graphs Detector
Field ⫘
mitre_attack_info Type: MitreAttackDetails ⫘
MITRE ATT&CK Technique Detail
Field ⫘
watchlist_matches Type: WatchlistMatches ⫘
IOC Watchlist Detectors - IP/Domain/Filehash
Field ⫘
kerberoasting Type: Kerberoasting ⫘
Kerberoasting Detector
Field ⫘
brute_force_detail Type: BruteForceDetails ⫘
Brute Force Details Detector
Field ⫘
password_spray_detail Type: PasswordSprayDetail ⫘
Password Spray Detector
Field ⫘
improbable_logon_detail Type: ImprobableLogonDetail ⫘
Account Compromise Detector - Improbable Logon based on Baseline
Field ⫘
auth_scan_detail Type: AuthScanDetail ⫘
Auth Scan Detector
Field ⫘
hands_on_keyboard_details Type: HandsOnKeyboardDetails ⫘
Hands On Keyboard Detector
Field ⫘
business_email_compromise Type: BusinessEmailCompromiseDetail ⫘
Business Email Compromise Detector
Field ⫘
account_compromise_detector_detail Type: AccountCompromiseDetectorDetail ⫘
Field ⫘
generic Type: GenericDetail ⫘
Generic Detail Objects. These can be provided by any detector, but are commonly used for data from external sources of alerts.
EntityMetadata ⫘
Field ⫘
entity Type: String ⫘
Field ⫘
label Type: String ⫘
EntityRelationships ⫘
List of Entity Relationships extracted from the alert’s associated events.
Field ⫘
entities Type: [String!] ⫘
List of entities. Entities are formatted as <type>:<value>.
Field ⫘
relationships Type: [Relationship!] ⫘
How entities are related based on events associated to the alert.
EvictResponse ⫘
Response from an alertsServiceEvict mutation.
Field ⫘
status Type: ResponseStatus ⫘
GenericDetail ⫘
Field ⫘
name Type: String ⫘
External source providing this data.
Field ⫘
generic Type: KeyValuePairsIndexed ⫘
Key value pairs that were indexed.
GeoSummary ⫘
Field ⫘
location Type: GeoSummary_Location ⫘
Field ⫘
city Type: GeoSummary_City ⫘
Field ⫘
continent Type: GeoSummary_Continent ⫘
Field ⫘
country Type: GeoSummary_Country ⫘
Field ⫘
asn Type: GeoSummary_ASN ⫘
GeoSummary_ASN ⫘
Field ⫘
autonomous_system_no Type: Int ⫘
Field ⫘
autonomous_system_org Type: String ⫘
GeoSummary_City ⫘
Field ⫘
geoname_id Type: Int ⫘
Field ⫘
locale_names Type: KeyValuePairsIndexed ⫘
Field ⫘
name Type: String ⫘
Field ⫘
confidence Type: Int ⫘
GeoSummary_Continent ⫘
Field ⫘
geoname_id Type: Int ⫘
Field ⫘
code Type: String ⫘
GeoSummary_Country ⫘
Field ⫘
geoname_id Type: Int ⫘
Field ⫘
iso_code Type: String ⫘
Field ⫘
code Type: String ⫘
Field ⫘
confidence Type: Int ⫘
GeoSummary_Location ⫘
Field ⫘
radius Type: Int ⫘
Field ⫘
latitude Type: Float ⫘
Field ⫘
longitude Type: Float ⫘
Field ⫘
us_metro_code Type: Int ⫘
Field ⫘
timezone Type: String ⫘
Field ⫘
gmt_offset Type: Int ⫘
Field ⫘
metro_code Type: Int ⫘
GeographicIp ⫘
IP Address Geolocation data. This is populated at time of alert generation.
Field ⫘
ip_address Type: String ⫘
Field ⫘
latitude Type: Float ⫘
Relative Geographic Latitude of IP Address.
Field ⫘
longitude Type: Float ⫘
Relative Geographic Longitude of IP Address.
Field ⫘
radius Type: Float ⫘
The geolocation is accurate to within this radius of the latitude/longitude.
Field ⫘
geohash Type: String ⫘
Geohash of the location (see https://en.wikipedia.org/wiki/Geohash).
Field ⫘
country_code_iso Type: String ⫘
Country ISO code of the Geolocation.
Field ⫘
asn Type: Int ⫘
Autonomous System Number of IP Address.
HandsOnKeyboardDetails ⫘
Field ⫘
matched_process Type: [HandsOnKeyboardDetails_MatchedProcess!] ⫘
Field ⫘
total_num_events Type: Int ⫘
Field ⫘
matched_num_events Type: Int ⫘
Field ⫘
num_admin_events Type: Int ⫘
Field ⫘
common_parent_image_path Type: String ⫘
Field ⫘
host_id Type: String ⫘
Field ⫘
username Type: String ⫘
HandsOnKeyboardDetails_Commandline ⫘
Field ⫘
commandline Type: String ⫘
Field ⫘
matched_features Type: [String!] ⫘
HandsOnKeyboardDetails_Image ⫘
Field ⫘
image_path Type: String ⫘
Field ⫘
matched_features Type: [String!] ⫘
HandsOnKeyboardDetails_MatchedProcess ⫘
Field ⫘
process_resource_id Type: String ⫘
Field ⫘
image Type: HandsOnKeyboardDetails_Image ⫘
Field ⫘
commandline Type: HandsOnKeyboardDetails_Commandline ⫘
Field ⫘
num_matched_features Type: Int ⫘
Field ⫘
event_time_sec Type: Int ⫘
Field ⫘
score Type: Float ⫘
Field ⫘
severity Type: String ⫘
ImprobableLogonDetail ⫘
Field ⫘
user Type: String ⫘
Field ⫘
source_address Type: String ⫘
Field ⫘
feature_name Type: ImprobableLogonDetail_FeatureName ⫘
Field ⫘
logon_anomaly Type: LogonAnomaly ⫘
Field ⫘
user_logon_baselines Type: [UserLogonBaseline!] ⫘
InitialAccessVectorInfo ⫘
Field ⫘
created_at Type: Timestamp ⫘
Field ⫘
updated_at Type: Timestamp ⫘
Field ⫘
investigation_ids Type: String ⫘
Field ⫘
tenant_id Type: String ⫘
Field ⫘
name Type: String ⫘
Investigation ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
GenesisAlertsFlag Type: String ⫘
Kerberoasting ⫘
Field ⫘
user Type: String ⫘
User perpetrating the kerberoasting attack, that is, the username performing the requests.
Field ⫘
user_baseline Type: Int ⫘
Number of days where the user made weakly encrypted (RC4, etc.) Ticket Granting Service (TGS) requests.
Field ⫘
user_avg_requests Type: Float ⫘
The average daily number of weakly encrypted Ticket Granting Service Requests this user generated in their baseline profile.
Field ⫘
user_max_requests Type: Int ⫘
The maximum daily number of weakly encrypted Ticket Granting Service Requests this user generated in their baseline profile.
Field ⫘
total_spns Type: Int ⫘
Total number of Service Principal Names found in the tenant’s historical data.
Field ⫘
suspicious_num_requests Type: Int ⫘
Count of weakly encrypted Ticket Granting Service Requests made by the user.
Field ⫘
percentage_accessed Type: Float ⫘
The percentage of the tenant’s total Service Principal Names that were accessed during the suspicious session.
Field ⫘
spns_accessed Type: [String!] ⫘
The list of exact names of the Service Principal Names that were accessed during the suspicious session.
Field ⫘
source_address Type: String ⫘
TGS service tickets requested by this IP Address.
Field ⫘
hostname Type: String ⫘
The Kerberos Key Distribution Center (KDC) that validated the user's authentication request (the Windows event ID 4769 call).
KeyAndValues ⫘
Field ⫘
key Type: String ⫘
Field ⫘
values Type: [String!] ⫘
KeyValuePairsIndexed ⫘
Field ⫘
record Type: [KeyValueRecordIndexed!] ⫘
KeyValueRecordIndexed ⫘
Field ⫘
key Type: String ⫘
Field ⫘
value Type: String ⫘
LoginFailureDetail ⫘
Field ⫘
host Type: String ⫘
Host causing authentication failures.
Field ⫘
user Type: String ⫘
User account against which the authentication failures are occurring.
Field ⫘
source_address Type: String ⫘
Source IP Address that authentication attempts are originating from.
Field ⫘
target_address Type: String ⫘
Destination IP Address that authentication attempts are being sent to.
Field ⫘
successful_auth_event Type: String ⫘
Reference ID to sample of successful authentication.
Field ⫘
failed_auth_event Type: String ⫘
Reference ID to sample of failed authentication.
LogonAnomaly ⫘
Field ⫘
feature_value Type: String ⫘
Field ⫘
feature_frequency_in_org Type: Float ⫘
Field ⫘
feature_frequency_in_user Type: Float ⫘
Field ⫘
approximate_count_in_user Type: Int ⫘
Field ⫘
min_allowed_user_percentage Type: Float ⫘
Field ⫘
min_allowed_org_percentage Type: Float ⫘
MatchDetails ⫘
Field ⫘
list_name Type: String ⫘
IOC List Name
Field ⫘
reason Type: String ⫘
Details about the IOC List.
Field ⫘
attacks Type: [String!] ⫘
MITRE ATT&CK Techniques associated with list.
MitreAttackDetails ⫘
Details for the Mitre ATT&CK technique associated with the alert.
Field ⫘
technique_id Type: String ⫘
Field ⫘
technique Type: String ⫘
Field ⫘
tactics Type: [String!] ⫘
Field ⫘
type Type: String ⫘
Field ⫘
description Type: String ⫘
Field ⫘
platform Type: [String!] ⫘
Field ⫘
system_requirements Type: [String!] ⫘
Field ⫘
url Type: String ⫘
Field ⫘
data_sources Type: [String!] ⫘
Field ⫘
defence_bypassed Type: [String!] ⫘
Field ⫘
contributors Type: [String!] ⫘
Field ⫘
version Type: String ⫘
NetworkConnection ⫘
Field ⫘
source_ip Type: String ⫘
Field ⫘
destination_ip Type: String ⫘
Observation ⫘
Field ⫘
id Type: ID! ⫘
PasswordSprayAffectedUser ⫘
Field ⫘
target_user_name Type: String ⫘
Field ⫘
target_domain_name Type: String ⫘
Field ⫘
user_had_auth_success Type: Boolean ⫘
PasswordSprayDetail ⫘
Field ⫘
source_address Type: String ⫘
IP Address performing authentication attempts.
Field ⫘
num_auth_failures Type: Int ⫘
Count of authentication failures observed.
Field ⫘
num_auth_successes Type: Int ⫘
Count of successful authentications observed.
Field ⫘
all_affected_users Type: [PasswordSprayAffectedUser!] ⫘
List of usernames with failed or successful logins.
RareProgramRareIpDetail ⫘
Field ⫘
host Type: String ⫘
Host executing observed programs and connections.
Field ⫘
programs Type: [String!] ⫘
List of rare programs.
Field ⫘
connections Type: [NetworkConnection!] ⫘
List of rare network connections. Note that network connections are not explicitly correlated to the rare program executed.
Reference ⫘
Field ⫘
type Type: String ⫘
Field ⫘
url Type: String ⫘
Field ⫘
description Type: String ⫘
ReferenceDetail ⫘
Field ⫘
reference Type: Reference ⫘
Relationship ⫘
Relationships between entities contained in the alert.
Field ⫘
from_entity Type: String ⫘
Field ⫘
to_entity Type: String ⫘
Field ⫘
relationship Type: String ⫘
Field ⫘
type Type: String ⫘
ResolutionMetadata ⫘
Field ⫘
id Type: String ⫘
Field ⫘
user_id Type: String ⫘
Field ⫘
timestamp Type: Timestamp ⫘
Field ⫘
status Type: ResolutionStatus ⫘
Field ⫘
reason Type: String ⫘
Field ⫘
num_alerts_affected Type: Int ⫘
SeverityUpdate ⫘
Field ⫘
id Type: String ⫘
Field ⫘
severity Type: Float ⫘
Field ⫘
changed_at Type: Timestamp ⫘
StolenCredsTravelFeatures ⫘
Travel features for Stolen Credentials Detector.
Field ⫘
accurate_geo Type: Boolean ⫘
Geolocation data is considered accurate.
Field ⫘
foreign_travel Type: Boolean ⫘
Did this travel cross international borders?
Field ⫘
long_distance_travel Type: Boolean ⫘
Did this travel occur over a long distance?
Field ⫘
travel_hours Type: Float ⫘
How many travel hours occurred between the two login locations.
Field ⫘
travel_km_min Type: Float ⫘
Minimum distance travelled between the two points; the accuracy radius of the geolocation data (GeographicIp.radius) is taken into account when calculating this distance.
Field ⫘
travel_km_h_min Type: Float ⫘
Travel speed in km/h. "Min" denotes the speed calculated from the minimum distance, which accounts for the accuracy radius of the geolocation data (GeographicIp.radius).
Field ⫘
travel_speed_impossible Type: Boolean ⫘
Is the travel speed impossible?
Field ⫘
username Type: String ⫘
The user who logged in from both locations.
Field ⫘
current_location Type: GeographicIp ⫘
Second location the user logged in from; the user travelled to this location.
Field ⫘
prior_location Type: GeographicIp ⫘
First location the user logged in from; the user travelled from this location.
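A worked reconstruction of the travel features above, as an added example that is not the Taegis detector's code. It assumes great-circle (haversine) distance, that GeographicIp.radius is in kilometres and is subtracted from the centre-to-centre distance to obtain travel_km_min, and that the speed, distance and accuracy thresholds are parameters (the defaults shown are constructed, not taken from the detector).

```python
import math
from dataclasses import dataclass
from typing import Any, Dict

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class GeographicIp:
    """Subset of the page's GeographicIp object; radius assumed to be in km."""
    ip_address: str
    latitude: float
    longitude: float
    radius: float
    country_code_iso: str


def haversine_km(a: GeographicIp, b: GeographicIp) -> float:
    """Great-circle distance between the two centre points (assumed method)."""
    lat1, lon1 = math.radians(a.latitude), math.radians(a.longitude)
    lat2, lon2 = math.radians(b.latitude), math.radians(b.longitude)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def travel_features(username: str,
                    prior: GeographicIp, prior_event_time_sec: int,
                    current: GeographicIp, current_event_time_sec: int,
                    impossible_kmh: float = 1000.0,
                    long_distance_km: float = 500.0,
                    accurate_radius_km: float = 100.0) -> Dict[str, Any]:
    """Build a StolenCredsTravelFeatures-shaped record from two logins.

    travel_km_min subtracts both accuracy radii from the centre distance, so
    it is a lower bound on how far the user must really have moved, and the
    speed derived from it is likewise a lower bound. Two IP locations whose
    accuracy circles overlap therefore yield zero distance and zero speed.
    """
    centre_km = haversine_km(prior, current)
    travel_km_min = max(0.0, centre_km - prior.radius - current.radius)
    travel_hours = max(0, current_event_time_sec - prior_event_time_sec) / 3600.0
    if travel_hours > 0:
        travel_km_h_min = travel_km_min / travel_hours
    else:  # simultaneous logins: any positive distance is an infinite speed
        travel_km_h_min = math.inf if travel_km_min > 0 else 0.0
    return {
        "accurate_geo": max(prior.radius, current.radius) <= accurate_radius_km,
        "foreign_travel": prior.country_code_iso != current.country_code_iso,
        "long_distance_travel": travel_km_min >= long_distance_km,
        "travel_hours": travel_hours,
        "travel_km_min": travel_km_min,
        "travel_km_h_min": travel_km_h_min,
        "travel_speed_impossible": travel_km_h_min > impossible_kmh,
        "username": username,
        "current_location": current,
        "prior_location": prior,
    }


# Constructed sample input: two logins two hours apart on opposite sides of
# the Atlantic (documentation IP ranges, approximate city-centre coordinates).
LONDON = GeographicIp("192.0.2.10", 51.5074, -0.1278, 20.0, "GB")
NEW_YORK = GeographicIp("198.51.100.7", 40.7128, -74.0060, 30.0, "US")
```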
StolenCredsTrustFeatures ⫘
Trust features for Stolen Credentials Detector. These are used to set priority of the alert.
Field ⫘
network_unknown_asn Type: Boolean ⫘
When true, the detector has not seen this ASN before across all tenants.
Field ⫘
network_unknown_ip Type: Boolean ⫘
When true, the detector has not seen this IP before across all tenants.
Field ⫘
user_unknown_ip Type: Boolean ⫘
When true, the detector has not seen this IP before for this username.
Field ⫘
user_unknown_asn Type: Boolean ⫘
When true, the detector has not seen this ASN before for this username.
Field ⫘
prior_event_time_sec Type: Int ⫘
Time of the first login, in seconds.
Field ⫘
current_event_time_sec Type: Int ⫘
Time of the second login, in seconds.
Field ⫘
prior_event_id Type: String ⫘
Reference ID of the first login.
Field ⫘
current_event_id Type: String ⫘
Reference ID of the second login.
Field ⫘
username Type: String ⫘
The user who logged in from both locations.
Field ⫘
location Type: GeographicIp ⫘
Geographic location of the second login.
Subscription ⫘
Field ⫘
alertsServiceBulkResolutionProcessor Type: BulkResolutionResponse ⫘
Add a resolution or modify an existing resolution for multiple alerts selected with a CQL query.
Arguments ⫘
in Type: BulkResolutionRequestInput ⫘
TacticGraphDetail ⫘
Field ⫘
graph_id Type: String ⫘
Field ⫘
events Type: [KeyAndValues!] ⫘
TenantAlertsToTriage ⫘
Field ⫘
tenantID Type: String ⫘
Field ⫘
tenantName Type: String ⫘
Field ⫘
claimedBy Type: [String!] ⫘
Field ⫘
oldestAlert Type: Timestamp ⫘
Field ⫘
critical Type: Int ⫘
Field ⫘
high Type: Int ⫘
Field ⫘
medium Type: Int ⫘
Field ⫘
low Type: Int ⫘
Field ⫘
info Type: Int ⫘
Field ⫘
endpointsAffected Type: Int ⫘
Field ⫘
endpointsTotal Type: Int ⫘
Field ⫘
openInvestigations Type: Int ⫘
Field ⫘
services Type: [String!] ⫘
ThirdPartyDetail ⫘
Available third party details of alert.
Field ⫘
generic Type: GenericDetail ⫘
Timestamp ⫘
Field ⫘
seconds Type: Int! ⫘
Field ⫘
nanos Type: Int! ⫘
TriageDashboardOutput ⫘
Field ⫘
tenantTriage Type: [TenantAlertsToTriage!] ⫘
Field ⫘
totalResults Type: Int ⫘
Field ⫘
nextOffset Type: Int ⫘
UpdateInvestigationResponse ⫘
Internal Type
Field ⫘
id Type: String ⫘
Field ⫘
reason Type: String ⫘
Field ⫘
status Type: ResponseStatus ⫘
Field ⫘
events Type: [String!] ⫘
Field ⫘
assets Type: [String!] ⫘
Field ⫘
access_vector_info Type: [AlertsInvestigationInfo!] ⫘
UpdateResolutionResponse ⫘
Response for an alertsServiceUpdateResolutionInfo mutation.
Field ⫘
reason Type: String ⫘
Field ⫘
resolution_status Type: ResponseStatus ⫘
UserLogonBaseline ⫘
Field ⫘
feature_value Type: String ⫘
Field ⫘
feature_frequency_in_org Type: Float ⫘
Field ⫘
feature_frequency_in_user Type: Float ⫘
Field ⫘
approximate_count_in_user Type: Int ⫘
Field ⫘
days_in_baseline Type: Int ⫘
Number of days over which the baseline was established
WatchlistMatches ⫘
Details about the watchlist that produced the alert.
Field ⫘
entity Type: String ⫘
Entity matching the Indicator of Compromise.
Field ⫘
details Type: [MatchDetails!] ⫘
IOC Watchlist details.
WhoisSimple ⫘
Domain WHOIS Information
Field ⫘
domainName Type: String ⫘
WHOIS information was fetched for this domain.
Field ⫘
registrarName Type: String ⫘
Field ⫘
contactEmail Type: String ⫘
Field ⫘
whoisServer Type: String ⫘
Field ⫘
nameServers Type: String ⫘
Field ⫘
createdDate Type: String ⫘
Field ⫘
updatedDate Type: String ⫘
Field ⫘
expiresDate Type: String ⫘
Field ⫘
standardRegCreatedDate Type: String ⫘
Field ⫘
standardRegUpdatedDate Type: String ⫘
Field ⫘
standardRegExpiresDate Type: String ⫘
Field ⫘
status Type: String ⫘
Field ⫘
audit_auditUpdatedDate Type: String ⫘
Field ⫘
registrant_email Type: String ⫘
Field ⫘
registrant_name Type: String ⫘
Field ⫘
registrant_organization Type: String ⫘
Field ⫘
registrant_street1 Type: String ⫘
Field ⫘
registrant_street2 Type: String ⫘
Field ⫘
registrant_street3 Type: String ⫘
Field ⫘
registrant_street4 Type: String ⫘
Field ⫘
registrant_city Type: String ⫘
Field ⫘
registrant_state Type: String ⫘
Field ⫘
registrant_postalCode Type: String ⫘
Field ⫘
registrant_country Type: String ⫘
Field ⫘
registrant_fax Type: String ⫘
Field ⫘
registrant_faxExt Type: String ⫘
Field ⫘
registrant_telephone Type: String ⫘
Field ⫘
registrant_telephoneExt Type: String ⫘
Field ⫘
administrativeContact_email Type: String ⫘
Field ⫘
administrativeContact_name Type: String ⫘
Field ⫘
administrativeContact_organization Type: String ⫘
Field ⫘
administrativeContact_street1 Type: String ⫘
Field ⫘
administrativeContact_street2 Type: String ⫘
Field ⫘
administrativeContact_street3 Type: String ⫘
Field ⫘
administrativeContact_street4 Type: String ⫘
Field ⫘
administrativeContact_city Type: String ⫘
Field ⫘
administrativeContact_state Type: String ⫘
Field ⫘
administrativeContact_postalCode Type: String ⫘
Field ⫘
administrativeContact_country Type: String ⫘
Field ⫘
administrativeContact_fax Type: String ⫘
Field ⫘
administrativeContact_faxExt Type: String ⫘
Field ⫘
administrativeContact_telephone Type: String ⫘
Field ⫘
administrativeContact_telephoneExt Type: String ⫘
Field ⫘
reg_created_date_usec Type: Int ⫘
Field ⫘
reg_updated_date_usec Type: Int ⫘
Field ⫘
reg_expires_date_usec Type: Int ⫘
Inputs ⫘
AccountCompromiseDetectorDetailInput ⫘
Field ⫘
user_name Type: String ⫘
AggregateAlertsBySeverityInputInput ⫘
Field ⫘
group_by Type: AggregateAlertsBySeverityInput_GroupBy ⫘
Field ⫘
limit Type: Int ⫘
Field ⫘
earliest Type: TimestampInput ⫘
Field ⫘
latest Type: TimestampInput ⫘
Field ⫘
excluded_severities Type: [AlertsSeverity!] ⫘
Field ⫘
filter_custom_alerts Type: Boolean ⫘
AlertPriorityInput ⫘
Field ⫘
value Type: Float ⫘
Field ⫘
prioritizer Type: String ⫘
Field ⫘
version Type: String ⫘
Field ⫘
model_name Type: String ⫘
Field ⫘
model_version Type: String ⫘
Field ⫘
evidence Type: [String!] ⫘
Field ⫘
applied_time Type: TimestampInput ⫘
AlertRuleReferenceInput ⫘
Field ⫘
id Type: String ⫘
Field ⫘
version Type: String ⫘
AuthScanDetailInput ⫘
Field ⫘
total_attempts Type: Int ⫘
Field ⫘
successful_logon_attempts Type: [AuthScanLogonAttemptInput!] ⫘
Field ⫘
failed_logon_attempts Type: [AuthScanLogonAttemptInput!] ⫘
AuthScanLogonAttemptInput ⫘
Field ⫘
target_user_name Type: String ⫘
Field ⫘
has_logon_success Type: Boolean ⫘
Field ⫘
num_attempts Type: Int ⫘
BruteForceAuthInput ⫘
Field ⫘
win_event_id Type: String ⫘
Field ⫘
action Type: String ⫘
Field ⫘
domain Type: String ⫘
Field ⫘
target_username Type: String ⫘
Field ⫘
event_timestamp Type: Int ⫘
Field ⫘
resource_record_identifier Type: String ⫘
BruteForceDetailsInput ⫘
Field ⫘
num_auth_failures Type: Int ⫘
Field ⫘
num_auth_successes Type: Int ⫘
Field ⫘
last_successful_auth Type: BruteForceAuthInput ⫘
Field ⫘
most_recent_auths_failures Type: [BruteForceAuthInput!] ⫘
BulkInvestigationsRequestInput ⫘
Field ⫘
query Type: String ⫘
Taegis XDR Query Language query
Field ⫘
investigation_id Type: String ⫘
Field ⫘
genesis_alerts Type: [String!] ⫘
DEPRECATED: Used to flag specific alerts as the genesis of the investigation.
Field ⫘
alerts Type: [String!] ⫘
List of Alert IDs
Field ⫘
tenant Type: String ⫘
BulkResolutionRequestInput ⫘
Field ⫘
query Type: String ⫘
Taegis XDR Query Language query
Field ⫘
resolution_status Type: ResolutionStatus ⫘
Field ⫘
reason Type: String ⫘
Field ⫘
caller Type: CallerInformation ⫘
Field ⫘
requested_at Type: TimestampInput ⫘
Field ⫘
user_id Type: String ⫘
Field ⫘
tenant Type: String ⫘
EntityMetadataInput ⫘
Field ⫘
entity Type: String ⫘
Field ⫘
label Type: String ⫘
EvictRequestInput ⫘
Field ⫘
search_id Type: String ⫘
GeoSummary_CountryInput ⫘
Field ⫘
geoname_id Type: Int ⫘
Field ⫘
iso_code Type: String ⫘
Field ⫘
code Type: String ⫘
Field ⫘
confidence Type: Int ⫘
GetByIDRequestInput ⫘
Field ⫘
iDs Type: [String!] ⫘
ImprobableLogonDetailInput ⫘
Field ⫘
user Type: String ⫘
Field ⫘
source_address Type: String ⫘
Field ⫘
feature_name Type: ImprobableLogonDetail_FeatureName ⫘
Field ⫘
logon_anomaly Type: LogonAnomalyInput ⫘
Field ⫘
user_logon_baselines Type: [UserLogonBaselineInput!] ⫘
KerberoastingInput ⫘
Field ⫘
user Type: String ⫘
Field ⫘
user_baseline Type: Int ⫘
Field ⫘
user_avg_requests Type: Float ⫘
Field ⫘
user_max_requests Type: Int ⫘
Field ⫘
total_spns Type: Int ⫘
Field ⫘
suspicious_num_requests Type: Int ⫘
Field ⫘
percentage_accessed Type: Float ⫘
Field ⫘
spns_accessed Type: [String!] ⫘
Field ⫘
source_address Type: String ⫘
Field ⫘
hostname Type: String ⫘
KeyAndValuesInput ⫘
Field ⫘
key Type: String ⫘
Field ⫘
values Type: [String!] ⫘
LogonAnomalyInput ⫘
Field ⫘
feature_value Type: String ⫘
Field ⫘
feature_frequency_in_org Type: Float ⫘
Field ⫘
feature_frequency_in_user Type: Float ⫘
Field ⫘
approximate_count_in_user Type: Int ⫘
Field ⫘
min_allowed_user_percentage Type: Float ⫘
Field ⫘
min_allowed_org_percentage Type: Float ⫘
MatchDetailsInput ⫘
Field ⫘
list_name Type: String ⫘
Field ⫘
reason Type: String ⫘
Field ⫘
attacks Type: [String!] ⫘
PasswordSprayAffectedUserInput ⫘
Field ⫘
target_user_name Type: String ⫘
Field ⫘
target_domain_name Type: String ⫘
Field ⫘
user_had_auth_success Type: Boolean ⫘
PasswordSprayDetailInput ⫘
Field ⫘
source_address Type: String ⫘
Field ⫘
num_auth_failures Type: Int ⫘
Field ⫘
num_auth_successes Type: Int ⫘
Field ⫘
all_affected_users Type: [PasswordSprayAffectedUserInput!] ⫘
PollRequestInput ⫘
Field ⫘
search_id Type: String ⫘
Field ⫘
part_id Type: Int ⫘
ResolutionMetadataInput ⫘
Field ⫘
id Type: String ⫘
Field ⫘
user_id Type: String ⫘
Field ⫘
timestamp Type: TimestampInput ⫘
Field ⫘
status Type: ResolutionStatus ⫘
Field ⫘
reason Type: String ⫘
Field ⫘
num_alerts_affected Type: Int ⫘
SearchRequestInput ⫘
Field ⫘
cql_query Type: String ⫘
Taegis XDR Query Language query
Field ⫘
offset Type: Int ⫘
Results are returned starting at this offset, up to the requested limit. If your query has 500 total_results and you want the last 100, use offset:400 limit:100.
Field ⫘
limit Type: Int ⫘
Result set limit. Note: limits larger than 10000 are broken into multiple parts. Additional parts can be fetched by search_id.
SeverityUpdateInput ⫘
Field ⫘
id Type: String ⫘
Field ⫘
severity Type: Float ⫘
Field ⫘
changed_at Type: TimestampInput ⫘
TacticGraphDetailInput ⫘
Details from Tactic Graphs Detector. This contains the tactic observed and the related events it was observed in.
Field ⫘
graph_id Type: String ⫘
Field ⫘
events Type: [KeyAndValuesInput!] ⫘
TimestampInput ⫘
Field ⫘
seconds Type: Int ⫘
Epoch time in seconds
Field ⫘
nanos Type: Int ⫘
Epoch time in nanoseconds
TriageDashboardInputInput ⫘
Field ⫘
key Type: String ⫘
Field ⫘
serviceFilters Type: [String!] ⫘
Field ⫘
showClaimed Type: Boolean ⫘
Field ⫘
offset Type: Int ⫘
Field ⫘
limit Type: Int ⫘
UpdateInvestigationRequestInput ⫘
Field ⫘
investigation_id Type: String ⫘
Field ⫘
genesis_alerts Type: [String!] ⫘
DEPRECATED: was used to flag specific alerts as the genesis of the investigation.
Field ⫘
alerts Type: [String!] ⫘
Field ⫘
tenant Type: String ⫘
Field ⫘
operation Type: InvestigationOperation ⫘
Field ⫘
caller Type: CallerInformation ⫘
Field ⫘
requested_at Type: TimestampInput ⫘
Field ⫘
user_id Type: String ⫘
UpdateResolutionRequestInput ⫘
Field ⫘
alert_ids Type: [String!] ⫘
Field ⫘
resolution_status Type: ResolutionStatus ⫘
Field ⫘
reason Type: String ⫘
Field ⫘
caller Type: CallerInformation ⫘
Field ⫘
requested_at Type: TimestampInput ⫘
Field ⫘
user_id Type: String ⫘
Field ⫘
tenant Type: String ⫘
UserLogonBaselineInput ⫘
Field ⫘
feature_value Type: String ⫘
Field ⫘
feature_frequency_in_org Type: Float ⫘
Field ⫘
feature_frequency_in_user Type: Float ⫘
Field ⫘
approximate_count_in_user Type: Int ⫘
Field ⫘
days_in_baseline Type: Int ⫘
WatchlistMatchesInput ⫘
Field ⫘
entity Type: String ⫘
Field ⫘
details Type: [MatchDetailsInput!] ⫘
Enums ⫘
AggregateAlertsBySeverityInput_GroupBy ⫘
Fields that can be grouped by in an AggregateAlertsBySeverity query.
DOMAIN
WATCHLIST
HOSTNAME
DETECTOR
USER
AlertsSeverity ⫘
Enum of alert severity levels.
INFO
LOW
MEDIUM
HIGH
CRITICAL
CallerInformation ⫘
Internal Type
UNKNOWN
ALERTS_V1
ALERTS_V2
ImprobableLogonDetail_FeatureName ⫘
UNKNOWN
COUNTRY
CITY
ASN
InvestigationOperation ⫘
Type of investigation operation; either update or delete.
UPDATE
DELETE
Origin ⫘
Alert origin
INTERNAL
CUSTOMER
EXTERNAL
RPCResponseStatus ⫘
Internal Type
OK
INVALID_REQUEST
TRANSACTION_ERROR
ResolutionStatus ⫘
Enum of alert resolution statuses.
OPEN
TRUE_POSITIVE_BENIGN
TRUE_POSITIVE_MALICIOUS
FALSE_POSITIVE
NOT_ACTIONABLE
OTHER
SUPPRESSED
ResponseStatus ⫘
Status of alerts operations.
SUCCESS
FAILED
Visibility ⫘
DEPLOYED
RESEARCH
Scalars ⫘
Boolean ⫘
The Boolean scalar type represents true or false.
Float ⫘
The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.
ID ⫘
The ID scalar type represents a unique identifier, often used to refetch an object or as a key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.
Int ⫘
The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
String ⫘
The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
Interfaces ⫘
Node ⫘
Field ⫘
id Type: ID! ⫘