Important
This version of the Investigations API is now deprecated; use the Investigations v2 GraphQL API instead.
Query ⫘
Taegis™ XDR uses GraphQL queries, which can either be a read (Query) or a write (Mutation) operation. A GraphQL query is used to read or fetch values; mutations write or post values. Responses are provided in a JSON format.
Field ⫘
node Type: Node ⫘
Arguments ⫘
id Type: ID! ⫘
Field ⫘
investigationSummary Type: InvestigationSummary! ⫘
Get summary of investigations (tag and counts for each tag).
Field ⫘
investigation Type: Investigation ⫘
Get an investigation by id.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
investigations Type: Investigation! ⫘
Get investigations for the list of ids.
Arguments ⫘
investigation_ids Type: ID! ⫘
Field ⫘
allInvestigations Type: Investigation! ⫘
DEPRECATED. Replaced by investigationsSearch.
Get all investigations. Max perPage value is 100. If requesting over 100, only the first 100 are returned.
Note: Use investigationsSearch for a better investigations query experience.
Arguments ⫘
status Type: String ⫘
page Type: Int ⫘
perPage Type: Int ⫘
createdAfter Type: String ⫘
createdBefore Type: String ⫘
updatedAfter Type: String ⫘
updatedBefore Type: String ⫘
orderByField Type: OrderFieldInput ⫘
orderDirection Type: OrderDirectionInput ⫘
isDeleted Type: Boolean ⫘
hideThreatHuntingInvestigations Type: Boolean ⫘
Field ⫘
investigationCountOverTime Type: Count! ⫘
Get the number of investigations created during a given time frame. Can optionally pass in a desired transition_status (handoff, acknowledge, resolution).
Arguments ⫘
transition_status Type: String ⫘
after Type: Time ⫘
before Type: Time ⫘
Field ⫘
meanTimeSummaryOverPeriod Type: TimeSummaryForGroup! ⫘
Get the average times it took to hand off, acknowledge, and resolve all investigations over the course of the period.
Arguments ⫘
after Type: Time ⫘
before Type: Time ⫘
includeThreatHuntTypes Type: Boolean ⫘
Field ⫘
investigationAssets Type: InvestigationAssetOutput! ⫘
Get investigation assets by investigation id.
Arguments ⫘
investigation_id Type: ID! ⫘
page Type: Int ⫘
perPage Type: Int ⫘
Field ⫘
investigationEvents Type: InvestigationEventOutput! ⫘
Get investigation events by investigation id.
Arguments ⫘
investigation_id Type: ID! ⫘
page Type: Int ⫘
perPage Type: Int ⫘
Field ⫘
investigationAlerts Type: InvestigationAlertOutput! ⫘
DEPRECATED. Use the Investigation query or the alerts2 search query (paginated) to get alerts by investigation id.
Get investigation alerts by investigation id.
Note: Use the Investigation query or the alerts2 search query (paginated) to get alerts by investigation id.
Arguments ⫘
investigation_id Type: ID! ⫘
page Type: Int ⫘
perPage Type: Int ⫘
filterQuery Type: String ⫘
orderByField Type: String ⫘
orderDirection Type: OrderDirection ⫘
Field ⫘
investigationGenesisEvents Type: Event! ⫘
Get investigation genesis events by investigation id.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
investigationGenesisAlerts Type: Alert! ⫘
Get investigation genesis alerts by investigation id.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
investigationAuthCredentials Type: String! ⫘
Get investigation auth credentials by investigation id.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
investigationSearchQueries Type: SearchQuery! ⫘
Get investigation search queries by investigation id.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
investigationsBulkEventsAlerts Type: InvestigationBulkResponse! ⫘
Get investigations by querying a string on events/alerts/genesis events/genesis alerts fields.
Arguments ⫘
queryStrings Type: String! ⫘
Field ⫘
investigationsBulkUpdateAlerts Type: String ⫘
Updates Investigation Alerts and Investigation information from Alerts; that is, across access vectors.
Field ⫘
investigationStatusSummary Type: SummaryGroup! ⫘
Get summary of investigations and status filtered by updated_at.
Arguments ⫘
updatedAfter Type: String ⫘
updatedBefore Type: String ⫘
Field ⫘
investigationsSearch Type: InvestigationsOutput! ⫘
Investigations Search.
Query fields accept a CQL string (non-aggregation). Use filterText for free-text search.
Max perPage value is 100. If requesting over 100, only the first 100 are returned.
Arguments ⫘
page Type: Int ⫘
perPage Type: Int ⫘
query Type: String ⫘
filterText Type: String ⫘
orderByField Type: OrderFieldInput ⫘
orderDirection Type: OrderDirectionInput ⫘
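As an added example (not code from the Taegis documentation or from Secureworks), the following Python builds the investigationsSearch request from the arguments listed above and pages through the results while clamping perPage to the documented maximum of 100. The clamp matters for correctness, not just politeness: if a client asks for 500 per page, the server silently returns 100, and a client that computes its next offset from 500 skips four fifths of the results. The endpoint URL, authentication and HTTP transport are not on this page, so the transport is injected and a constructed in-memory stand-in (which mimics the server-side cap) is used to run the example offline; 1-based page numbering is an assumption. The same perPage cap is documented for exportInvestigationsSearch, getHandoffInvestigations, and the deprecated allInvestigations and investigationsBySession queries, so the same clamping applies to them.

```python
"""Paginate the Taegis XDR (v1) investigationsSearch query with the perPage cap enforced client-side.

Example code, not part of the Taegis documentation. The transport (endpoint URL, auth)
is an assumption and is injected; the fake transport below is constructed for offline use.
"""
from typing import Callable, Dict, Iterator, List, Optional

MAX_PER_PAGE = 100  # documented cap: asking for more still returns only the first 100

# Query document using the field and argument names from the schema reference above.
INVESTIGATIONS_SEARCH = """
query InvestigationsSearch($page: Int, $perPage: Int, $query: String, $filterText: String,
                           $orderByField: OrderFieldInput, $orderDirection: OrderDirectionInput) {
  investigationsSearch(page: $page, perPage: $perPage, query: $query, filterText: $filterText,
                       orderByField: $orderByField, orderDirection: $orderDirection) {
    totalCount
    investigations { id shortId status priority created_at }
  }
}
"""

Transport = Callable[[Dict], Dict]  # takes {"query": ..., "variables": ...}, returns parsed JSON body


def clamp_per_page(requested: int) -> int:
    """Keep the client's page size equal to what the server will actually honour."""
    if requested < 1:
        raise ValueError("perPage must be at least 1")
    return min(requested, MAX_PER_PAGE)


def build_request(page: int, per_page: int, query: Optional[str] = None,
                  filter_text: Optional[str] = None, order_by_field: str = "created_at",
                  order_direction: str = "desc") -> Dict:
    """Assemble the GraphQL request body; enum values travel as plain strings in variables."""
    return {
        "query": INVESTIGATIONS_SEARCH,
        "variables": {
            "page": page,
            "perPage": clamp_per_page(per_page),
            "query": query,            # CQL string (non-aggregation), or None
            "filterText": filter_text,  # free-text search, or None
            "orderByField": order_by_field,
            "orderDirection": order_direction,
        },
    }


def iter_investigations(transport: Transport, query: Optional[str] = None,
                        filter_text: Optional[str] = None, per_page: int = MAX_PER_PAGE) -> Iterator[Dict]:
    """Yield every matching investigation, one page at a time, until totalCount is reached."""
    size = clamp_per_page(per_page)
    page = 1  # assumption: pages are 1-based
    seen = 0
    while True:
        response = transport(build_request(page, size, query, filter_text))
        if response.get("errors"):
            raise RuntimeError(f"GraphQL errors: {response['errors']}")
        payload = response["data"]["investigationsSearch"]
        batch = payload["investigations"]
        if not batch:
            return
        for investigation in batch:
            yield investigation
        seen += len(batch)
        total = payload.get("totalCount")
        if (total is not None and seen >= total) or len(batch) < size:
            return
        page += 1


def make_fake_transport(total: int) -> Transport:
    """Constructed stand-in for the real endpoint: serves `total` synthetic records and applies the 100 cap."""
    records = [{"id": f"inv-{i}", "shortId": f"INV{i:04d}", "status": "Open",
                "priority": 2, "created_at": "2024-01-01T00:00:00Z"} for i in range(total)]
    calls: List[Dict] = []

    def transport(request: Dict) -> Dict:
        variables = request["variables"]
        calls.append(variables)
        size = min(variables["perPage"], MAX_PER_PAGE)  # the server-side behaviour documented above
        start = (variables["page"] - 1) * size
        return {"data": {"investigationsSearch": {
            "totalCount": total, "investigations": records[start:start + size]}}}

    transport.calls = calls  # type: ignore[attr-defined]  # lets callers inspect what was requested
    return transport


def collect(transport: Transport, per_page: int = 500) -> List[Dict]:
    """Drain the paginator into a list; per_page=500 shows the clamp in action."""
    return list(iter_investigations(transport, filter_text="example", per_page=per_page))


if __name__ == "__main__":
    fake = make_fake_transport(250)
    rows = collect(fake)
    print(f"{len(rows)} investigations over {len(fake.calls)} requests; "
          f"perPage sent = {sorted({c['perPage'] for c in fake.calls})}")
```

Swapping the fake transport for a real one means a function that POSTs the request body as JSON to the Taegis GraphQL endpoint with the caller's credentials and returns the decoded body; nothing in the paginator changes.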
Field ⫘
investigationsAdvancedSearch Type: Map! ⫘
Investigations Advanced Search can perform aggregations/sorting/filtering on investigations using CQL.
Arguments ⫘
cql Type: String! ⫘
Field ⫘
investigationProcessingStatus Type: InvestigationProcessingResponse ⫘
Get investigation processing status by id.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
getFalsePositives Type: Map! ⫘
MDR - false positives widget.
Arguments ⫘
after Type: Time! ⫘
before Type: Time! ⫘
Field ⫘
investigationsCount Type: Int! ⫘
Get aggregated investigations counts based on CQL query.
Arguments ⫘
query Type: String ⫘
Field ⫘
investigationsStatusCount Type: InvestigationStatusCountResponse! ⫘
Get aggregated investigations status counts.
Field ⫘
exportInvestigationsSearch Type: InvestigationsExportOutput! ⫘
Export Investigations Search raw content.
Max perPage value is 100. If requesting over 100, only the first 100 are returned.
Arguments ⫘
page Type: Int ⫘
perPage Type: Int ⫘
query Type: String ⫘
filterText Type: String ⫘
orderByField Type: OrderFieldInput ⫘
orderDirection Type: OrderDirectionInput ⫘
Field ⫘
investigationFile Type: InvestigationFile! ⫘
Get investigation file details.
Arguments ⫘
file_id Type: ID! ⫘
Field ⫘
investigationFiles Type: InvestigationFile! ⫘
Get investigation files details.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
downloadInvestigationFile Type: String! ⫘
Presigned URL to Download investigation file.
Arguments ⫘
investigation_id Type: ID! ⫘
file_id Type: ID! ⫘
Field ⫘
investigationsBySession Type: [Investigation] ⫘
DEPRECATED. Use investigationsSearch instead.
Get investigations by multi-tenant session.
Max perPage value is 100. If requesting over 100, only the first 100 are returned.
Note: Use investigationsSearch instead.
Arguments ⫘
session_id Type: String! ⫘
page Type: Int ⫘
perPage Type: Int ⫘
Field ⫘
getHandoffInvestigations Type: InvestigationsOutput! ⫘
Return the list of investigations that were handed off at least once during the specified dates and status.
Max perPage value is 100. If requesting over 100, only the first 100 are returned.
Arguments ⫘
page Type: Int ⫘
perPage Type: Int ⫘
createdAfter Type: String ⫘
createdBefore Type: String ⫘
includeThreatHuntTypesOnly Type: Boolean ⫘
excludeThreatHuntTypes Type: Boolean ⫘
Field ⫘
investigationTypes Type: InvestigationKeyValuePair! ⫘
Return investigation types list based on user.
Field ⫘
investigationStatusList Type: InvestigationKeyValuePair! ⫘
Return investigation status static list.
Field ⫘
investigationPriorityList Type: InvestigationKeyValuePair! ⫘
Return investigation priority static list.
Field ⫘
investigationTimeline Type: InvestigationTimeline! ⫘
Return investigation timeline.
Arguments ⫘
arguments Type: InvestigationTimelineArguments! ⫘
Field ⫘
investigationEntities Type: InvestigationEntities! ⫘
Get an investigation by id.
Arguments ⫘
arguments Type: InvestigationEntitiesArguments! ⫘
Mutation ⫘
Mutations in GraphQL enable you to modify data. For the Taegis™ XDR Investigations GraphQL API, mutations allow you to create alerts and input information into alerts. For more information on GraphQL mutations see Mutation and Input Types.
Field ⫘
createInvestigation Type: Investigation ⫘
Create new investigation.
Arguments ⫘
investigation Type: InvestigationInput! ⫘
Field ⫘
updateInvestigation Type: Investigation ⫘
Update investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
investigation Type: UpdateInvestigationInput! ⫘
Field ⫘
archiveInvestigation Type: Investigation ⫘
Archive investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
bulkArchiveInvestigations Type: ID! ⫘
Bulk Archive Investigations.
Arguments ⫘
ids Type: ID! ⫘
Field ⫘
unArchiveInvestigation Type: Investigation ⫘
UnArchive Investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
bulkUnArchiveInvestigations Type: ID! ⫘
Bulk UnArchive Investigations.
Arguments ⫘
ids Type: ID! ⫘
Field ⫘
createActivityLogForInvestigation Type: ActivityLog ⫘
Create a new activity log for an investigation.
DEPRECATED. Not supported; use audit logs.
Arguments ⫘
investigation_id Type: ID! ⫘
activityLog Type: ActivityLogInput! ⫘
Field ⫘
addAssetsToInvestigation Type: Investigation ⫘
Add assets to investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
assets Type: String! ⫘
Field ⫘
addEventsToInvestigation Type: Investigation ⫘
Add events to investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
events Type: String! ⫘
Field ⫘
addAlertsToInvestigation Type: Investigation ⫘
Add alerts to investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
alerts Type: String! ⫘
Field ⫘
addGenesisEventsToInvestigation Type: Investigation ⫘
Add genesis events to investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
genesis_events Type: String! ⫘
Field ⫘
addGenesisAlertsToInvestigation Type: Investigation ⫘
Add genesis alerts to investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
genesis_alerts Type: String! ⫘
Field ⫘
addAuthCredentialsToInvestigation Type: Investigation ⫘
Add auth credentials to investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
auth_credentials Type: String! ⫘
Field ⫘
addSearchQueriesToInvestigation Type: Investigation ⫘
Add search queries to investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
search_queries Type: String! ⫘
Field ⫘
addAccessVector Type: AccessVector! ⫘
Access vectors.
Arguments ⫘
investigation_id Type: ID! ⫘
vectorName Type: String! ⫘
created_at Type: Time ⫘
updated_at Type: Time ⫘
Field ⫘
removeAccessVector Type: AccessVector! ⫘
Arguments ⫘
id Type: ID! ⫘
Field ⫘
removeAssetsFromInvestigation Type: Investigation ⫘
Remove assets from an investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
assets Type: String! ⫘
Field ⫘
removeEventsFromInvestigation Type: Investigation ⫘
Remove events from an investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
events Type: String! ⫘
Field ⫘
removeAlertsFromInvestigation Type: Investigation ⫘
Remove alerts from an investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
alerts Type: String! ⫘
Field ⫘
removeSearchQueriesFromInvestigation Type: Investigation ⫘
Remove search queries from an investigation.
Arguments ⫘
investigation_id Type: ID! ⫘
search_queries Type: String! ⫘
Field ⫘
addBulkAlertsToInvestigation Type: Investigation ⫘
Bulk add alerts to an investigation using a restdb search query.
Arguments ⫘
investigation_id Type: ID ⫘
new_investigation Type: InvestigationInput ⫘
search_query Type: String! ⫘
Field ⫘
addBulkAlerts2ToInvestigation Type: Investigation ⫘
Bulk add alerts2 to a new investigation using a CQL query.
Arguments ⫘
new_investigation Type: InvestigationInput! ⫘
cql Type: String! ⫘
Field ⫘
addBulkAlerts2ToExistingInvestigation Type: Investigation ⫘
Bulk add alerts2 to an existing investigation using a CQL query.
Arguments ⫘
investigation_id Type: ID! ⫘
cql Type: String! ⫘
Field ⫘
reProcessInvestigationBackgroundJob Type: InvestigationProcessingResponse ⫘
Reprocess investigation background job by id.
Arguments ⫘
investigation_id Type: ID! ⫘
process_only_events Type: Boolean ⫘
Field ⫘
deleteInvestigation Type: ID! ⫘
Hard delete an investigation. This is supported only in development environments.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
acknowledgeInvestigation Type: ID! ⫘
Updates the state_transitions table to acknowledged if the current state is handoff, without changing the investigation itself.
Arguments ⫘
investigation_id Type: ID! ⫘
Field ⫘
fileUpload Type: InvestigationFile! ⫘
Upload a file for an investigation.
Arguments ⫘
input Type: FileUploadInput! ⫘
Field ⫘
deleteFile Type: Boolean! ⫘
Delete investigation files from S3 bucket.
Arguments ⫘
investigation_id Type: ID! ⫘
file_id Type: ID! ⫘
Field ⫘
initFileUpload Type: FileUploadResponse! ⫘
Initialize file upload to get a presigned URL to upload a file.
Arguments ⫘
input Type: FileUploadRequest! ⫘
Field ⫘
updateFileStatus Type: InvestigationFile! ⫘
Update the investigation file status.
Arguments ⫘
investigation_id Type: ID! ⫘
file_id Type: ID! ⫘
status Type: String! ⫘
Objects ⫘
AccessVector ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
investigation_id Type: ID! ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
created_at Type: Time! ⫘
Field ⫘
updated_at Type: Time! ⫘
Field ⫘
mitre_info Type: MitreAttackInfo ⫘
ActivityLog ⫘
Stores details of an investigation activity (Create/Update, etc.).
DEPRECATED. Use audit logs.
Field ⫘
id Type: ID! ⫘
Field ⫘
created_at Type: Time ⫘
Field ⫘
updated_at Type: Time ⫘
Field ⫘
tenant_id Type: String! ⫘
Field ⫘
user_id Type: String! ⫘
Field ⫘
description Type: String! ⫘
Field ⫘
type Type: String! ⫘
Field ⫘
comment Type: String! ⫘
Field ⫘
target Type: String! ⫘
Field ⫘
investigation_id Type: ID! ⫘
Alert ⫘
Used by Nautilus to resolve the Red Cloak TDR alert model.
Field ⫘
id Type: ID! ⫘
Alert2 ⫘
Used by Nautilus to resolve the Red Cloak TDR alertv2 model.
Field ⫘
id Type: ID! ⫘
AlertEvidence ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
investigationId Type: ID! ⫘
Field ⫘
tenantId Type: String! ⫘
Field ⫘
createdAt Type: Time! ⫘
Field ⫘
createdBy Type: String ⫘
Field ⫘
alertId Type: String! ⫘
Field ⫘
isGenesis Type: Boolean! ⫘
Asset ⫘
Used by Nautilus to resolve the Red Cloak TDR asset model.
Field ⫘
id Type: ID! ⫘
AssetEvidence ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
investigationId Type: ID! ⫘
Field ⫘
tenantId Type: String! ⫘
Field ⫘
createdAt Type: Time! ⫘
Field ⫘
createdBy Type: String ⫘
Field ⫘
assetId Type: String! ⫘
Assignee ⫘
Describes the assignee of an investigation.
Field ⫘
id Type: ID! ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
roles Type: String! ⫘
Field ⫘
status Type: String! ⫘
Field ⫘
user_id Type: String ⫘
Field ⫘
email Type: String ⫘
Field ⫘
email_verified Type: Boolean ⫘
DEPRECATED. Do not use; it is never available or true.
Field ⫘
email_normalized Type: String ⫘
DEPRECATED. Do not use; it is not available.
Field ⫘
family_name Type: String ⫘
Field ⫘
given_name Type: String ⫘
Field ⫘
tenants Type: Tenant ⫘
Count ⫘
Represents an integer count of a given object.
Field ⫘
count Type: Int! ⫘
Event ⫘
Resolves the Red Cloak TDR event model.
Field ⫘
id Type: ID! ⫘
EventEvidence ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
investigationId Type: ID! ⫘
Field ⫘
tenantId Type: String! ⫘
Field ⫘
createdAt Type: Time! ⫘
Field ⫘
createdBy Type: String ⫘
Field ⫘
eventId Type: String! ⫘
Field ⫘
isGenesis Type: Boolean! ⫘
FileUploadResponse ⫘
Field ⫘
investigationFile Type: InvestigationFile! ⫘
Field ⫘
presignedUrl Type: String! ⫘
IndividualTimeSummary ⫘
Represents the amounts of time it took before an investigation transitioned into the handoff, acknowledge, and resolution states.
Field ⫘
time_to_handoff Type: Int ⫘
Field ⫘
time_to_acknowledge Type: Int ⫘
Field ⫘
time_to_resolution Type: Int ⫘
Field ⫘
is_closed Type: Boolean! ⫘
Field ⫘
investigation Type: Investigation! ⫘
Investigation ⫘
Describes a Red Cloak TDR investigation.
Field ⫘
id Type: ID! ⫘
Field ⫘
tenant_id Type: String! ⫘
Field ⫘
tags Type: String! ⫘
Field ⫘
genesis_alerts Type: Alert! ⫘
Field ⫘
genesis_alerts2 Type: Alert2! ⫘
Field ⫘
genesis_events Type: Event! ⫘
Field ⫘
alerts Type: Alert! ⫘
Field ⫘
alerts2 Type: Alert2! ⫘
Field ⫘
events Type: Event! ⫘
Field ⫘
assets Type: Asset! ⫘
Field ⫘
search_queries Type: SearchQuery! ⫘
Field ⫘
auth_credentials Type: String! ⫘
Field ⫘
key_findings Type: String! ⫘
Field ⫘
description Type: String! ⫘
Field ⫘
created_at Type: Time! ⫘
Field ⫘
updated_at Type: Time! ⫘
Field ⫘
notified_at Type: Time ⫘
Field ⫘
first_notified_at Type: Time ⫘
Field ⫘
first_notified_at_scwx Type: Time ⫘
Field ⫘
activity_logs Type: ActivityLog! ⫘
DEPRECATED. Not supported; use audit logs.
Field ⫘
created_by Type: String ⫘
Field ⫘
created_by_user Type: TDRUser ⫘
Retrieves the TDRUser object for the user that created the investigation.
Field ⫘
status Type: String! ⫘
Field ⫘
contributors Type: String! ⫘
Field ⫘
contributed_users Type: TDRUser! ⫘
Retrieves user data for users that have contributed to the investigation.
Field ⫘
service_desk_id Type: String ⫘
Field ⫘
service_desk_type Type: String ⫘
Field ⫘
assignee_id Type: String ⫘
Field ⫘
assignee_user Type: TDRUser ⫘
Retrieves the TDRUser object for the user that is assigned to the investigation.
Field ⫘
assignee Type: Assignee ⫘
DEPRECATED. No longer supported; use assignee_user instead.
Field ⫘
latest_activity Type: String! ⫘
Field ⫘
access_vectors Type: AccessVector! ⫘
Field ⫘
transition_state Type: TransitionState ⫘
Field ⫘
archived_at Type: Time ⫘
Field ⫘
deleted_at Type: Time ⫘
Field ⫘
created_by_scwx Type: Boolean! ⫘
Field ⫘
created_by_partner Type: Boolean! ⫘
Field ⫘
draft_promoted_at Type: Time ⫘
Field ⫘
investigationType Type: String ⫘
Field ⫘
processing_status Type: InvestigationProcessingResponse ⫘
Field ⫘
priority Type: Int ⫘
Field ⫘
type Type: String ⫘
Field ⫘
genesis_alerts_count Type: Int ⫘
Field ⫘
genesis_events_count Type: Int ⫘
Field ⫘
alerts_count Type: Int ⫘
Field ⫘
events_count Type: Int ⫘
Field ⫘
assets_count Type: Int ⫘
Field ⫘
files_count Type: Int ⫘
Field ⫘
comments_count Type: ParentCount ⫘
Field ⫘
rn Type: RN! ⫘
Field ⫘
shortId Type: String! ⫘
shortId is a shorter, more readable id. There is no guarantee that it will be sequential or unique, but the service does its best to achieve this.
Field ⫘
alertsEvidence Type: AlertEvidence! ⫘
Field ⫘
assetsEvidence Type: AssetEvidence! ⫘
Field ⫘
eventsEvidence Type: EventEvidence! ⫘
Field ⫘
closeReason Type: String ⫘
The reason provided by the user when closing an investigation. This field is only populated for investigations that have reached a Closed status.
InvestigationAlertOutput ⫘
Field ⫘
alerts Type: Alert! ⫘
Field ⫘
alerts2 Type: Alert2! ⫘
Field ⫘
totalCount Type: Int ⫘
InvestigationAssetOutput ⫘
Field ⫘
assets Type: Asset! ⫘
Field ⫘
totalCount Type: Int ⫘
InvestigationBulkResponse ⫘
Used to return an array of investigations for a specific query.
Field ⫘
query Type: String! ⫘
Field ⫘
investigations Type: Investigation! ⫘
InvestigationEntities ⫘
Field ⫘
entities Type: InvestigationEntity! ⫘
InvestigationEntity ⫘
Field ⫘
type Type: String! ⫘
Field ⫘
value Type: String! ⫘
Field ⫘
rn Type: RN! ⫘
InvestigationEventOutput ⫘
Field ⫘
events Type: Event! ⫘
Field ⫘
totalCount Type: Int ⫘
InvestigationFile ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
investigation_id Type: ID! ⫘
Field ⫘
tenant_id Type: String! ⫘
Field ⫘
created_at Type: Time! ⫘
Field ⫘
updated_at Type: Time! ⫘
Field ⫘
deleted_at Type: Time ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
path Type: String ⫘
Field ⫘
size Type: Int! ⫘
Field ⫘
status Type: String! ⫘
Field ⫘
uploaded_by Type: String! ⫘
Field ⫘
deleted_by Type: String ⫘
Field ⫘
additional_metadata Type: Map ⫘
InvestigationInfo ⫘
Describes a small subset of investigation information.
Field ⫘
id Type: String! ⫘
Field ⫘
genesis_alerts Type: String! ⫘
Field ⫘
alerts Type: String! ⫘
Field ⫘
tenant Type: String! ⫘
InvestigationKeyValuePair ⫘
Field ⫘
key Type: String! ⫘
Field ⫘
value Type: String! ⫘
Field ⫘
description Type: String! ⫘
InvestigationProcessingResponse ⫘
Field ⫘
assets Type: InvestigationProcessingState ⫘
Field ⫘
events Type: InvestigationProcessingState ⫘
Field ⫘
alerts Type: InvestigationProcessingState ⫘
InvestigationStatusCountResponse ⫘
Field ⫘
open Type: Int! ⫘
Field ⫘
closed Type: Int! ⫘
Field ⫘
active Type: Int! ⫘
Field ⫘
awaiting_action Type: Int! ⫘
Field ⫘
suspended Type: Int! ⫘
Field ⫘
total Type: Int! ⫘
InvestigationSummary ⫘
Provides a count of investigations per tag.
Field ⫘
tag Type: String! ⫘
Field ⫘
count Type: Int! ⫘
InvestigationTimeline ⫘
Field ⫘
entities Type: InvestigationTimelineEntity! ⫘
Field ⫘
totalEntities Type: Int ⫘
InvestigationTimelineEntity ⫘
Field ⫘
type Type: String! ⫘
Field ⫘
id Type: String! ⫘
Field ⫘
subtype Type: String! ⫘
Field ⫘
document Type: Map! ⫘
Field ⫘
creationTimestamp Type: Time! ⫘
Field ⫘
investigationId Type: ID! ⫘
Field ⫘
tenantId Type: String! ⫘
Investigations ⫘
An array of InvestigationInfo objects.
Field ⫘
investigations Type: InvestigationInfo! ⫘
InvestigationsExportOutput ⫘
Field ⫘
columnDef Type: String! ⫘
Field ⫘
rows Type: String! ⫘
Field ⫘
totalCount Type: Int ⫘
InvestigationsOutput ⫘
Field ⫘
investigations Type: Investigation! ⫘
Field ⫘
totalCount Type: Int ⫘
MitreAttackInfo ⫘
Describes fields related to MitreAttack information for an alert.
Field ⫘
technique_id Type: String! ⫘
Field ⫘
technique Type: String! ⫘
Field ⫘
tactics Type: String! ⫘
Field ⫘
type Type: String! ⫘
Field ⫘
description Type: String! ⫘
Field ⫘
platform Type: String! ⫘
Field ⫘
system_requirements Type: String! ⫘
Field ⫘
url Type: String! ⫘
Field ⫘
data_sources Type: String! ⫘
Field ⫘
defence_bypassed Type: String! ⫘
Field ⫘
contributors Type: String! ⫘
Field ⫘
version Type: String! ⫘
ParentCount ⫘
Represents total and unread comment counts for an investigation.
Field ⫘
parent_id Type: String! ⫘
Field ⫘
parent_type Type: String! ⫘
Field ⫘
total Type: Int! ⫘
Field ⫘
unread Type: Int! ⫘
SearchQuery ⫘
Represents a saved search query id.
Field ⫘
id Type: ID! ⫘
SummaryGroup ⫘
Describes the summary of investigations by status filtered by date.
Field ⫘
status Type: String! ⫘
Field ⫘
count Type: Int! ⫘
Field ⫘
date Type: String! ⫘
TDRUser ⫘
Used by Nautilus to resolve the Red Cloak TDR user model.
Field ⫘
id Type: ID! ⫘
Tenant ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
name Type: String ⫘
TimeSummaryForGroup ⫘
Used by MeanTimeSummaryOverPeriod query to represent the average times it took to hand off, acknowledge, and resolve all investigations over the course of the period.
Field ⫘
mean_time_to_handoff Type: Int! ⫘
Field ⫘
mean_time_to_acknowledge Type: Int! ⫘
Field ⫘
mean_time_to_resolution Type: Int! ⫘
Field ⫘
time_summaries Type: IndividualTimeSummary! ⫘
TransitionState ⫘
Represents both the initial transitions (if they exist) and the current state (handed off, acknowledged, resolved) of an investigation.
Field ⫘
handed_off_at_least_once Type: Boolean! ⫘
Field ⫘
initial_handoff_time Type: Time ⫘
Field ⫘
acknowledged_at_least_once Type: Boolean! ⫘
Field ⫘
initial_acknowledge_time Type: Time ⫘
Field ⫘
resolved_at_least_once Type: Boolean! ⫘
Field ⫘
initial_resolution_time Type: Time ⫘
Field ⫘
handed_off Type: Boolean! ⫘
Field ⫘
handoff_time Type: Time ⫘
Field ⫘
acknowledged Type: Boolean! ⫘
Field ⫘
acknowledge_time Type: Time ⫘
Field ⫘
resolved Type: Boolean! ⫘
Field ⫘
resolution_time Type: Time ⫘
TransitionSummary ⫘
Used by HandedOff/Acknowledged/ResolvedInvestigations query to represent an investigation's most recent transition time and time spent in each state.
Field ⫘
transition_time Type: Time! ⫘
Field ⫘
time_summary Type: IndividualTimeSummary! ⫘
Inputs ⫘
ActivityLogInput ⫘
Describes the fields available for creating a new Activity Log.
Field ⫘
description Type: String! ⫘
Field ⫘
type Type: String! ⫘
Field ⫘
comment Type: String! ⫘
Field ⫘
target Type: String! ⫘
FileUploadInput ⫘
Field ⫘
investigationId Type: ID! ⫘
Field ⫘
file Type: Upload! ⫘
FileUploadRequest ⫘
Field ⫘
investigationId Type: ID! ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
size Type: Int! ⫘
Field ⫘
contentType Type: String! ⫘
InvestigationEntitiesArguments ⫘
Field ⫘
investigationId Type: ID! ⫘
InvestigationInput ⫘
Describes the fields available for creating a new investigation.
Field ⫘
tags Type: String! ⫘
Field ⫘
genesis_alerts Type: String! ⫘
Field ⫘
genesis_events Type: String! ⫘
Field ⫘
alerts Type: String! ⫘
Field ⫘
events Type: String! ⫘
Field ⫘
assets Type: String! ⫘
Field ⫘
auth_credentials Type: String! ⫘
Field ⫘
search_queries Type: String! ⫘
Field ⫘
key_findings Type: String ⫘
Field ⫘
description Type: String! ⫘
Field ⫘
notified_at Type: Time ⫘
Field ⫘
created_by Type: String ⫘
Field ⫘
status Type: String ⫘
Field ⫘
contributors Type: String! ⫘
Field ⫘
service_desk_id Type: String ⫘
Field ⫘
service_desk_type Type: String ⫘
Field ⫘
assignee_id Type: String ⫘
Field ⫘
notes Type: String ⫘
Field ⫘
priority Type: Int ⫘
Field ⫘
type Type: String ⫘
InvestigationTimelineArguments ⫘
Field ⫘
investigationId Type: ID! ⫘
Field ⫘
page Type: Int ⫘
Field ⫘
perPage Type: Int ⫘
Field ⫘
createdAfter Type: String ⫘
Field ⫘
createdBefore Type: String ⫘
Field ⫘
orderBy Type: OrderDirectionInput ⫘
Field ⫘
entityFilters Type: InvestigationTimelineEntityFilters ⫘
InvestigationTimelineEntityFilters ⫘
Field ⫘
entities Type: InvestigationTimelineEntityType! ⫘
Field ⫘
entityTypes Type: String! ⫘
UpdateInvestigationInput ⫘
Describes the fields available for updating an investigation.
Field ⫘
tags Type: String ⫘
Field ⫘
genesis_alerts Type: String ⫘
Field ⫘
genesis_events Type: String ⫘
Field ⫘
alerts Type: String ⫘
Field ⫘
events Type: String ⫘
Field ⫘
assets Type: String ⫘
Field ⫘
auth_credentials Type: String ⫘
Field ⫘
search_queries Type: String ⫘
Field ⫘
key_findings Type: String ⫘
Field ⫘
description Type: String ⫘
Field ⫘
notified_at Type: Time ⫘
Field ⫘
created_by Type: String ⫘
Field ⫘
status Type: String ⫘
Field ⫘
contributors Type: String ⫘
Field ⫘
service_desk_id Type: String ⫘
Field ⫘
service_desk_type Type: String ⫘
Field ⫘
assignee_id Type: String ⫘
Field ⫘
notes Type: String ⫘
Field ⫘
acknowledgment Type: Boolean ⫘
Field ⫘
priority Type: Int ⫘
Field ⫘
type Type: String ⫘
Field ⫘
comment_event Type: Map ⫘
For internal use only.
Enums ⫘
InvestigationProcessingState ⫘
SUCCESS
FAILED
RUNNING
InvestigationTimelineEntityType ⫘
ALERT
EVENT
AUDIT
NOTE
OrderDirection ⫘
asc
desc
OrderDirectionInput ⫘
Describes the order direction available for the order field of the AllInvestigations query.
asc
desc
OrderFieldInput ⫘
Describes the enums available for the ordering of the AllInvestigations query.
id
tenant_id
tags
genesis_alerts
genesis_events
alerts
events
assets
auth_credentials
key_findings
description
created_at
updated_at
notified_at
created_by
status
contributors
service_desk_id
service_desk_type
all_alerts
all_events
short_id
priority
type
Scalars ⫘
Boolean ⫘
The Boolean scalar type represents true or false.
ID ⫘
The ID scalar type represents a unique identifier, often used to refetch an object or as a key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.
Int ⫘
The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
Map ⫘
The default Map implementation for this library.
RN ⫘
The default resource name implementation for this library.
String ⫘
The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
Time ⫘
The default Time implementation for this library.
Uint64 ⫘
Uint64 is a custom scalar type that represents an unsigned 64-bit integer.
Upload ⫘
The default Upload implementation for this library.
Interfaces ⫘
Node ⫘
Field ⫘
id Type: ID! ⫘