Getting Started with the Alerts GraphQL API



Important

Before proceeding, complete the API Authentication steps in order to obtain a working client_id and client_secret.

Regions

The URL to access XDR APIs may differ according to the region your environment is deployed in:

  • US1— https://api.ctpx.secureworks.com
  • US2— https://api.delta.taegis.secureworks.com
  • US3— https://api.foxtrot.taegis.secureworks.com
  • EU— https://api.echo.taegis.secureworks.com

The examples in this XDR API documentation use https://api.ctpx.secureworks.com throughout. If you are in a different region substitute appropriately.

The Alerts GraphQL API provides two capabilities: Query Language Search and Alert Aggregation.

Search Alerts

The following example searches alerts with the query language and returns a number of common fields of interest. The query selects High/Critical alerts (severity >= 0.6) whose status is still OPEN, meaning no resolution has been recorded for them yet, that were created inside the EARLIEST/LATEST window (here the last day, EARLIEST=-1d), and returns at most 10 of them (limit: 10).

Note

All timestamps used in this example are UTC.

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d", limit: 10})
{
    alertsServiceSearch(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}

Response

{
  "data": {
    "alertsServiceSearch": {
      "alerts": {
        "list": [
          {
            "attack_technique_ids": [
              "T1003",
              "T1096",
              "T1059",
              "T1202",
              "T1129",
              "T1086",
              "T1085"
            ],
            "entities": {
              "entities": [
                "computerName:OCTO-FILES",
                "fileName:powershell.exe",
                "fileName:rundll32.exe",
                "programMd5:c7645d43451c6d94d87f4d07bde59c89",
                "sensorHostId:YLdYO3s3ziBynTlgxrBb",
                "sensorId:YLdYO3s3ziBynTlgxrBb",
                "userName:lgiardino@embdtech.com"
              ],
              "relationships": [
                {
                  "from_entity": "fileName:rundll32.exe",
                  "relationship": "executedOn",
                  "to_entity": "sensorHostId:YLdYO3s3ziBynTlgxrBb"
                },
                {
                  "from_entity": "fileName:powershell.exe",
                  "relationship": "executes",
                  "to_entity": "fileName:rundll32.exe"
                },
                {
                  "from_entity": "computerName:OCTO-FILES",
                  "relationship": "is",
                  "to_entity": "sensorHostId:YLdYO3s3ziBynTlgxrBb"
                }
              ]
            },
            "id": "alert://priv:event-filter:11063:1630580463490:d30a7171-43a9-5d04-82bf-a25cc0948a8c",
            "investigation_ids": [],
            "metadata": {
              "confidence": 1,
              "created_at": {
                "seconds": 1630580464
              },
              "creator": {
                "detector": {
                  "detector_id": "app:event-filter",
                  "version": "v0.15.3"
                },
                "rule": {
                  "rule_id": "496ad330-7dc2-4009-b431-b792f7095ead",
                  "version": "sha1=18f594726b99b47b226a37a2e92ae1cff92d3166-1605731996"
                }
              },
              "description": "A process event associated with a dump file named after the Local Security Authority Subsystem Service (LSASS) process was identified. This activity may indicate that an adversary is attempting to obtain credentials stored within the memory of this process.\n\nExample:\n>COPY C:\\Users\\>username>\\Appdata\\Local\\Temp\\lsass.dmp C:\\Temp\\lsass.dmp\n\n\n",
              "engine": {
                "name": "app:event-filter"
              },
              "severity": 0.99,
              "title": "Memory Dump of the Local Security Authority Subsystem Service"
            },
            "resolution_reason": null,
            "sensor_types": [
              "ENDPOINT_CARBON_BLACK"
            ],
            "status": "OPEN",
            "suppressed": null,
            "suppression_rules": null,
            "tenant_id": "11063"
          }
          ],
        "total_results": 1
      },
      "reason": "success",
      "status": "OK"
    }
  }
}
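The response above carries far more than an analyst needs at first glance. The following Python is an added example, not code from the Taegis documentation: it validates the response envelope (status/reason), converts the created_at {seconds, nanos} value to an ISO 8601 UTC string (the API's timestamps are UTC), groups the kind:value entity strings, and renders the entity relationships as a process chain. SAMPLE_RESPONSE is a trimmed copy of the response shown on this page, embedded so the code runs offline; the row layout produced by summarize_alert is this example's own choice.

```python
"""Flatten alertsServiceSearch results into triage rows (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Trimmed copy of the page's sample response, embedded for offline use.
SAMPLE_RESPONSE = {
    "data": {"alertsServiceSearch": {
        "alerts": {"list": [{
            "attack_technique_ids": ["T1003", "T1059"],
            "entities": {
                "entities": ["computerName:OCTO-FILES", "fileName:powershell.exe",
                             "fileName:rundll32.exe", "sensorHostId:YLdYO3s3ziBynTlgxrBb"],
                "relationships": [
                    {"from_entity": "fileName:rundll32.exe", "relationship": "executedOn",
                     "to_entity": "sensorHostId:YLdYO3s3ziBynTlgxrBb"},
                    {"from_entity": "fileName:powershell.exe", "relationship": "executes",
                     "to_entity": "fileName:rundll32.exe"},
                ],
            },
            "id": "alert://priv:event-filter:11063:1630580463490:d30a7171-43a9-5d04-82bf-a25cc0948a8c",
            "investigation_ids": [],
            "metadata": {
                "confidence": 1,
                "created_at": {"seconds": 1630580464},
                "creator": {"detector": {"detector_id": "app:event-filter", "version": "v0.15.3"},
                            "rule": {"rule_id": "496ad330-7dc2-4009-b431-b792f7095ead"}},
                "severity": 0.99,
                "title": "Memory Dump of the Local Security Authority Subsystem Service",
            },
            "resolution_reason": None,
            "sensor_types": ["ENDPOINT_CARBON_BLACK"],
            "status": "OPEN",
            "tenant_id": "11063",
        }], "total_results": 1},
        "reason": "success",
        "status": "OK",
    }}
}


def proto_timestamp_to_iso(ts):
    """Render a {seconds, nanos} timestamp as ISO 8601 in UTC; None if absent."""
    if not ts or "seconds" not in ts:
        return None
    secs = int(ts["seconds"]) + ts.get("nanos", 0) / 1e9
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def group_entities(entities):
    """Split 'kind:value' entity strings into {kind: [values]}, preserving order."""
    grouped = defaultdict(list)
    for ent in entities or []:
        kind, _, value = ent.partition(":")
        grouped[kind].append(value)
    return dict(grouped)


def summarize_alert(alert):
    """Reduce one alert record to the fields an analyst looks at first."""
    meta = alert.get("metadata") or {}
    creator = meta.get("creator") or {}
    ents = alert.get("entities") or {}
    return {
        "id": alert["id"],
        "tenant_id": alert.get("tenant_id"),
        "title": meta.get("title"),
        "severity": meta.get("severity"),
        "confidence": meta.get("confidence"),
        "status": alert.get("status"),
        # OPEN with no resolution_reason: nobody has dispositioned this alert yet
        "open": alert.get("status") == "OPEN" and alert.get("resolution_reason") is None,
        "created_at": proto_timestamp_to_iso(meta.get("created_at")),
        "detector_id": (creator.get("detector") or {}).get("detector_id"),
        "rule_id": (creator.get("rule") or {}).get("rule_id"),
        "techniques": list(alert.get("attack_technique_ids") or []),
        "entities": group_entities(ents.get("entities")),
        "relationships": [f"{r['from_entity']} -{r['relationship']}-> {r['to_entity']}"
                          for r in ents.get("relationships") or []],
        "sensor_types": list(alert.get("sensor_types") or []),
        "in_investigation": bool(alert.get("investigation_ids")),
    }


def summarize_search(response):
    """Check the GraphQL and service envelopes, then summarize every alert on the page."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    body = response["data"]["alertsServiceSearch"]
    if body.get("status") != "OK":
        raise RuntimeError(f"search failed: status={body.get('status')} reason={body.get('reason')}")
    alerts = body.get("alerts") or {}
    return {"total_results": alerts.get("total_results", 0),
            "rows": [summarize_alert(a) for a in alerts.get("list") or []]}


if __name__ == "__main__":
    for row in summarize_search(SAMPLE_RESPONSE)["rows"]:
        print(row["created_at"], row["severity"], row["title"])
        print("  techniques:", ", ".join(row["techniques"]))
        for rel in row["relationships"]:
            print("  ", rel)
```

The envelope check matters in practice: a query-language mistake comes back as a 200 response with a non-OK status and a reason string, not as an HTTP error, so code that only looks at the alerts list would silently treat it as "no results".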

Retrieve Alerts by ID

The following query can be used to retrieve an alert by ID.

query alertsServiceRetrieveAlertsById($in: GetByIDRequestInput = {iDs: ["alert://priv:stolen-user-credentials:11063:1630602244467:79015c9a-8d22-5c4e-a199-58afc0599aa5"]})
{
    alertsServiceRetrieveAlertsById(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}

Response

{
  "data": {
    "alertsServiceRetrieveAlertsById": {
      "alerts": {
        "list": [
          {
            "id": "alert://priv:stolen-user-credentials:11063:1630602244467:79015c9a-8d22-5c4e-a199-58afc0599aa5",
            "investigation_ids": [],
            "metadata": {
              "confidence": 0.875,
              "created_at": {
                "seconds": 1630602247
              },
              "creator": {
                "detector": {
                  "detector_id": "app:detect:stolen-user-credentials",
                  "version": "1.2.21"
                },
                "rule": {
                  "rule_id": "db7a438b-56ed-5e84-b3de-02beb0e005fd",
                  "version": "sha1=fa8a2e8687319c0e68f4368adb078b35f6561ccf-1614872344"
                }
              },
              "description": "Time between the login events involved in this alert indicate an impossible amount of travel has occurred for user OctoAdmin",
              "engine": {
                "name": "app:detect:stolen-user-credentials"
              },
              "severity": 1,
              "title": "Detected suspected stolen user credential for user OctoAdmin"
            },
            "resolution_reason": null,
            "sensor_types": [],
            "status": "OPEN",
            "suppressed": null,
            "suppression_rules": null,
            "tenant_id": "11063"
          }
        ],
        "total_results": 1
      },
      "reason": "success",
      "status": "OK"
    }
  }
}

Resolve Alerts by ID

Use the following mutation to resolve a list of alerts by ID. The input takes one or more alert IDs, a free-text reason for resolving them, the resolution_status to label the alerts with, and a caller value (ALERTS_V2 in this example).

mutation alertsServiceUpdateResolutionInfo($in: UpdateResolutionRequestInput = {alert_ids:["alert://priv:event-filter-ql:10261:1698256999403:12bc3fa1-5aae-579d-8c2b-6d3b7790b85f"], reason:"This is an alert for informational use only.", resolution_status:TRUE_POSITIVE_BENIGN, caller:ALERTS_V2})
{
    alertsServiceUpdateResolutionInfo(in: $in)
    {
        reason resolution_status
    }
}

Response

{
  "data": {
    "alertsServiceUpdateResolutionInfo": {
      "reason": "success",
      "resolution_status": "SUCCESS"
    }
  }
}

Aggregate Alert Data

Use the following query to retrieve alert aggregate counts by severity.

Note

This is similar to the deprecated alertsBySeverity query.

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d | aggregate count by severity | head 10", limit: 1})
{
    alertsServiceSearch(in: $in)
    {
        status reason alerts { group_by { key value } total_results }
    }
}

Pagination

There are two primary methods of pagination. The first, offset-based paging with limit and offset, allows for retrieval of up to 10,000 alerts. The other, search_id-based paging, allows for retrieval of up to 1,000,000 alerts.

Under 10k Alerts

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d", limit: 500, offset: 0})
{
    alertsServiceSearch(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d", limit: 500, offset: 500})
{
    alertsServiceSearch(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}

Over 10k Alerts

First, run a search with a limit set to the total number of alerts you need, which in this case is more than 10k alerts. If more than 10k alerts match, the response includes a search_id. Then pass that search_id along with the original query, without specifying a limit or offset, to fetch each subsequent page. You have reached the end of the result set once a response no longer includes a search_id. After all pages have been fetched, the number of alerts returned should match the total_results count that every response carries.

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d", limit: 50000})
{
    alertsServiceSearch(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d", search_id: "xrmG+yFjdKUrUaspvvAyHFdgO5KARwAlmxqEC7Lvmrw="})
{
    alertsServiceSearch(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}
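The pagination loop described above, as an added example in Python (not code from the Taegis documentation): the transport is injected and a constructed fake server stands in for the API so it runs offline. The trimmed selection set, the fake's cursor strings and its OK status are assumptions, and the fake uses a small page size in place of the real 10k page.

```python
from typing import Callable, Dict, List, Optional

# Trimmed selection set; the page's full query requests many more fields.
QUERY = """query alertsServiceSearch($in: SearchRequestInput) {
  alertsServiceSearch(in: $in) { reason search_id status
    alerts { total_results list { id tenant_id metadata { title severity } } } } }"""

def fetch_all_alerts(post: Callable[[dict], dict], cql_query: str, limit: int) -> List[dict]:
    """Collect every alert for cql_query, following search_id page by page.
    `post` is the injected transport (GraphQL payload in, parsed JSON out); wire it
    to your region URL and bearer token in real use."""
    variables = {"in": {"cql_query": cql_query, "limit": limit}}  # first page: limit only
    collected: List[dict] = []
    expected_total: Optional[int] = None
    while True:
        result = post({"query": QUERY, "variables": variables})["data"]["alertsServiceSearch"]
        page = result["alerts"]
        if expected_total is None:
            expected_total = page["total_results"]
        elif page["total_results"] != expected_total:
            raise RuntimeError("total_results changed between pages; restart the search")
        collected.extend(page["list"])
        search_id = result.get("search_id")
        if not search_id:
            break  # no search_id in the response means this was the last page
        # Subsequent pages: the original query plus search_id, with no limit or offset.
        variables = {"in": {"cql_query": cql_query, "search_id": search_id}}
    if len(collected) != expected_total:
        raise RuntimeError(f"fetched {len(collected)} alerts but server reported {expected_total}")
    return collected

def make_fake_server(total: int, page_size: int) -> Callable[[dict], dict]:
    """Constructed offline stand-in for the API; page_size models the real 10k page."""
    alerts = [{"id": f"alert-{i}", "tenant_id": "tenant-1",
               "metadata": {"title": "constructed", "severity": 0.8}} for i in range(total)]
    cursors: Dict[str, int] = {}
    def post(payload: dict) -> dict:
        req = payload["variables"]["in"]
        if "search_id" in req and ("limit" in req or "offset" in req):
            raise ValueError("limit/offset must not accompany search_id")
        start = cursors.pop(req["search_id"]) if req.get("search_id") else 0
        end = min(start + page_size, total)
        resp = {"reason": "", "status": "OK", "search_id": None,
                "alerts": {"total_results": total, "list": alerts[start:end]}}
        if end < total:  # more to come: hand back a cursor the client must echo
            cursors[f"constructed-cursor-{end}"] = end
            resp["search_id"] = f"constructed-cursor-{end}"
        return {"data": {"alertsServiceSearch": resp}}
    return post
```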

Next Steps

For more information, see the Alerts GraphQL API Documentation.
