Getting Started with the Audits GraphQL API
Important
Before proceeding, complete the API Authentication steps in order to obtain a working client_id and client_secret.
Regions
The URL to access XDR APIs may differ according to the region your environment is deployed in:
- US1: https://api.ctpx.secureworks.com
- US2: https://api.delta.taegis.secureworks.com
- US3: https://api.foxtrot.taegis.secureworks.com
- EU: https://api.echo.taegis.secureworks.com
The examples in this XDR API documentation use https://api.ctpx.secureworks.com throughout. If you are in a different region, substitute appropriately.
Note
At this time, the Secureworks® Taegis™ XDR Audits API is read-only. There are currently no mutations available that allow you to send or push data.
You can use the audit API to query audit log entries that were created by the internal services. All available Audits API endpoints can be found in the Audits GraphQL API reference.
Query Audits
query allAudits($allAuditsInput: AllAuditsInput = {offset: 0, limit: 1}) {
  allAudits(allAuditsInput: $allAuditsInput) {
    totalResults relation offset limit
    audits {
      id logType application requestType username email token source
      targetRn action timestamp eventName eventDesc tenantId traceId metadata
      responseCode url headers requestParams beforeState afterState extras ccdpStatus
    }
  }
}
Search Audits
query searchAudits($auditSearchInput: AuditSearchInput! = {offset: 0, limit: 1, email: "name@your-domain.com", application: "alerts"}) {
  searchAudits(auditSearchInput: $auditSearchInput) {
    totalResults relation offset limit
    audits {
      id logType application requestType username email token source
      targetRn action timestamp eventName eventDesc tenantId traceId metadata
      responseCode url headers requestParams beforeState afterState extras ccdpStatus
    }
  }
}
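The following Python example is added here and is not part of the Secureworks documentation. It pages through searchAudits using the offset, limit and totalResults fields from the query above, passing filters as GraphQL variables rather than building the query string by hand. The /graphql path, the bearer-token header, and offset counting records rather than pages are assumptions; search_audits, http_post and the trimmed field selection are names chosen for this example.

```python
import json
import urllib.request

# Region base URLs listed on this page.
REGIONS = {
    "US1": "https://api.ctpx.secureworks.com",
    "US2": "https://api.delta.taegis.secureworks.com",
    "US3": "https://api.foxtrot.taegis.secureworks.com",
    "EU": "https://api.echo.taegis.secureworks.com",
}

# Trimmed field selection taken from the page's searchAudits query.
SEARCH_AUDITS = """
query searchAudits($auditSearchInput: AuditSearchInput!) {
  searchAudits(auditSearchInput: $auditSearchInput) {
    totalResults offset limit
    audits { id application username email action timestamp eventName responseCode url }
  }
}
"""

def http_post(url, token, payload):
    """Default transport: POST JSON with a bearer token (assumed auth scheme)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def search_audits(token, filters, region="US1", page_size=100, max_records=1000, post=http_post):
    """Page through searchAudits until totalResults or max_records is reached."""
    url = REGIONS[region] + "/graphql"  # assumed endpoint path
    audits, offset = [], 0
    while len(audits) < max_records:
        # Filters travel as variables, so values are never spliced into the query text.
        variables = {"auditSearchInput": {**filters, "offset": offset, "limit": page_size}}
        body = post(url, token, {"query": SEARCH_AUDITS, "variables": variables})
        if body.get("errors"):  # GraphQL can report errors in the body of an HTTP 200
            raise RuntimeError(body["errors"])
        page = body["data"]["searchAudits"]
        audits.extend(page["audits"])
        offset += page_size  # assumption: offset counts records, not pages
        if not page["audits"] or offset >= page["totalResults"]:
            break
    return audits[:max_records]
```

The max_records cap bounds how much is pulled in one run; the post parameter lets the paging logic be exercised without network access.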
Next Steps
For more information, see the Audits GraphQL API Documentation.