Getting Started with the Investigations GraphQL API

Important

Before proceeding, complete the API Authentication steps to obtain a working client_id and client_secret; every request below is sent with the access token those credentials yield.

Regions

The base URL for the XDR APIs depends on the region your environment is deployed in:

  • US1— https://api.ctpx.secureworks.com
  • US2— https://api.delta.taegis.secureworks.com
  • US3— https://api.foxtrot.taegis.secureworks.com
  • EU— https://api.echo.taegis.secureworks.com

The examples in this XDR API documentation use https://api.ctpx.secureworks.com throughout. If your environment is in a different region, substitute that region's base URL.

Query Investigations

query investigationsSearch($page: Int = 1, $perPage: Int = 3, $query: String = "type in ('Security Investigation')", $filterText: String, $orderByField: OrderFieldInput, $orderDirection: OrderDirectionInput)
{
    investigationsSearch(page: $page, perPage: $perPage, query: $query, filterText: $filterText, orderByField: $orderByField, orderDirection: $orderDirection)
    {
        totalCount
        investigations {
            search_queries { id }
            first_notified_at notified_at
            transition_state { handed_off acknowledge_time resolved_at_least_once handoff_time initial_handoff_time resolution_time initial_resolution_time acknowledged initial_acknowledge_time acknowledged_at_least_once resolved handed_off_at_least_once }
            tenant_id description contributors
            genesis_events { id }
            events_count
            alerts2 { id }
            assignee { id email family_name name tenants { id name } status email_normalized user_id given_name email_verified roles }
            service_desk_type updated_at investigationType assets_count genesis_events_count alerts_count assignee_id tags created_by_scwx created_at created_by_partner
            activity_logs { id target comment tenant_id investigation_id description user_id created_at type updated_at }
            auth_credentials type
            events { id }
            assignee_user { id }
            rn deleted_at
            alerts { id }
            processing_status { events alerts assets }
            first_notified_at_scwx archived_at service_desk_id status genesis_alerts_count files_count
            created_by_user { id }
            priority
            assets { id }
            contributed_users { id }
            id created_by
            genesis_alerts { id }
            access_vectors { id name investigation_id mitre_info { data_sources tactics technique description platform technique_id system_requirements defence_bypassed contributors url version type } created_at updated_at }
            comments_count { parent_id unread parent_type total }
            latest_activity
            genesis_alerts2 { id }
            shortId key_findings
        }
    }
}

Create an Investigation

mutation createInvestigation($investigation: InvestigationInput! = { description: "testing", status: "Open", contributors: [], key_findings: "", tags: [], genesis_alerts: [], genesis_events: [], alerts: [], events: [], auth_credentials: [] })
{
    createInvestigation(investigation: $investigation)
    {
        id tenant_id tags auth_credentials key_findings description
        created_at updated_at notified_at first_notified_at first_notified_at_scwx
        created_by status contributors service_desk_id service_desk_type assignee_id
        latest_activity archived_at deleted_at created_by_scwx created_by_partner
        investigationType priority type
        genesis_alerts_count genesis_events_count alerts_count events_count assets_count files_count
        rn shortId
        genesis_alerts { id }
        genesis_alerts2 { id }
        genesis_events { id }
        alerts { id }
        alerts2 { id }
        events { id }
        assets { id }
        search_queries { id }
        activity_logs { id target comment tenant_id investigation_id description user_id created_at type updated_at }
        created_by_user { id }
        contributed_users { id }
        assignee_user { id }
        assignee { id email family_name name tenants { id name } status email_normalized user_id given_name email_verified roles }
        access_vectors { id name investigation_id mitre_info { data_sources tactics technique description platform technique_id system_requirements defence_bypassed contributors url version type } created_at updated_at }
        transition_state { handed_off acknowledge_time resolved_at_least_once handoff_time initial_handoff_time resolution_time initial_resolution_time acknowledged initial_acknowledge_time acknowledged_at_least_once resolved handed_off_at_least_once }
        processing_status { events alerts assets }
        comments_count { parent_id unread parent_type total }
    }
}
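Worked example, added here and not part of the Secureworks documentation or any Secureworks SDK: a standard-library Python client that sends the investigationsSearch query and createInvestigation mutation above to the regional endpoint, passes caller-supplied values as GraphQL variables rather than splicing them into the query text, pages through results using totalCount, and checks the GraphQL errors array, which arrives with HTTP 200 and is easy to mistake for success. It assumes, because this page does not state them, the endpoint path /graphql under the regional base URL, that the access token obtained in the API Authentication steps is sent as a Bearer token, and that the token is read from an environment variable named TAEGIS_ACCESS_TOKEN. The selection sets are trimmed to a few fields and the sample response is constructed for offline use.

```python
"""Call the Investigations GraphQL API with only the Python standard library.

Added example, not Secureworks code. Assumed (not stated on this page): the
GraphQL endpoint is <regional base URL>/graphql, the access token is sent as a
Bearer token, and it is read from the TAEGIS_ACCESS_TOKEN environment variable.
"""
import json
import os
import urllib.request

# Regional base URLs from the Regions section.
REGION_URLS = {
    "US1": "https://api.ctpx.secureworks.com",
    "US2": "https://api.delta.taegis.secureworks.com",
    "US3": "https://api.foxtrot.taegis.secureworks.com",
    "EU": "https://api.echo.taegis.secureworks.com",
}

# Trimmed selection sets; the full field lists are in the operations above.
SEARCH_QUERY = """
query investigationsSearch($page: Int = 1, $perPage: Int = 3,
                           $query: String = "type in ('Security Investigation')") {
  investigationsSearch(page: $page, perPage: $perPage, query: $query) {
    totalCount
    investigations { id shortId status priority created_at assignee_id }
  }
}
"""

CREATE_MUTATION = """
mutation createInvestigation($investigation: InvestigationInput!) {
  createInvestigation(investigation: $investigation) { id shortId status created_at }
}
"""


def graphql_url(region):
    """Map a region name to its GraphQL endpoint (the /graphql path is assumed)."""
    try:
        return REGION_URLS[region.upper()] + "/graphql"
    except KeyError:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(REGION_URLS)}") from None


def search_payload(page=1, per_page=3, query="type in ('Security Investigation')"):
    """Request body for one page of investigationsSearch."""
    if page < 1 or per_page < 1:
        raise ValueError("page and perPage must be positive")
    return {"query": SEARCH_QUERY,
            "variables": {"page": page, "perPage": per_page, "query": query}}


def create_payload(description, status="Open", tags=(), genesis_alerts=()):
    """Request body for createInvestigation. The InvestigationInput travels as a
    variable, so free text such as the description is never spliced into the
    query document and cannot break out of its quoting."""
    investigation = {
        "description": description, "status": status, "contributors": [],
        "key_findings": "", "tags": list(tags), "genesis_alerts": list(genesis_alerts),
        "genesis_events": [], "alerts": [], "events": [], "auth_credentials": [],
    }
    return {"query": CREATE_MUTATION, "variables": {"investigation": investigation}}


def unwrap(body):
    """Return body['data'], or raise: GraphQL reports failures in 'errors' with HTTP 200."""
    if body.get("errors"):
        raise RuntimeError("; ".join(e.get("message", "?") for e in body["errors"]))
    return body["data"]


def next_page(total_count, page, per_page):
    """Page to request after `page`, or None once every item has been returned."""
    return page + 1 if page * per_page < total_count else None


def post_graphql(region, token, payload, timeout=30):
    """POST one operation with the Bearer token and return its data section."""
    req = urllib.request.Request(
        graphql_url(region), data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return unwrap(json.load(resp))


# Constructed sample response so unwrap()/summarize() can be exercised offline.
SAMPLE_SEARCH_RESPONSE = {"data": {"investigationsSearch": {
    "totalCount": 7,
    "investigations": [{"id": "00000000-0000-0000-0000-000000000001", "shortId": "INV-1",
                        "status": "Open", "priority": 3, "created_at": "2023-01-02T03:04:05Z",
                        "assignee_id": None}]}}}


def summarize(data):
    """(shortId, status) pairs from an investigationsSearch data section."""
    return [(i["shortId"], i["status"]) for i in data["investigationsSearch"]["investigations"]]


if __name__ == "__main__":
    token = os.environ.get("TAEGIS_ACCESS_TOKEN")
    if token:
        data = post_graphql("US1", token, search_payload(per_page=10))
        print(summarize(data), "of", data["investigationsSearch"]["totalCount"])
    else:
        print(summarize(unwrap(SAMPLE_SEARCH_RESPONSE)))
```

Run it with TAEGIS_ACCESS_TOKEN set to hit the US1 endpoint, or unset to see the constructed response parsed. To create an investigation, pass create_payload("…") to post_graphql the same way and read createInvestigation.id from the returned data.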

investigationsAdvancedSearch Query Examples

Each example below shows only the investigationsAdvancedSearch field with its cql argument; wrap it in a query operation and add a selection set for the fields you want returned.

investigationsAdvancedSearch(cql: "from investigations created_at > '2021-03-22T18:13:45.531Z' status='Open'")

investigationsAdvancedSearch(cql: "from investigations EARLIEST='2022-06-21' LATEST='2022-06-22' and archived_at is not null | aggregate count by 1440m, type")

investigationsAdvancedSearch(cql: "from investigations EARLIEST = '2021-03-22T18:13:45.531Z' LATEST = '2021-07-06T18:13:45.531Z' | aggregate count by type")

investigationsAdvancedSearch(cql: "from investigations EARLIEST = '2021-03-22T18:13:45.531Z' LATEST = '2021-07-06T18:13:45.531Z' | aggregate count by 1d")

investigationsAdvancedSearch(cql: "from investigations EARLIEST = '2021-03-22T18:13:45.531Z' LATEST = '2021-07-06T18:13:45.531Z' | aggregate count by 1d, type")
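Worked example, added here and not part of the Secureworks documentation: a small Python builder that assembles CQL strings of the shape shown above from a timezone-aware time window and a set of field filters, then hands the result to investigationsAdvancedSearch as a GraphQL variable so the query document itself stays constant. Because this page does not document CQL's escaping rules, filter values that could terminate the quoted literal early (a single quote or a control character) are rejected rather than escaped, which is the safer default when the filter comes from user input. The field signature investigationsAdvancedSearch(cql: String!), the default selection set, and the two example datetimes are assumptions.

```python
"""Build investigationsAdvancedSearch requests from typed inputs.

Added example, not Secureworks code. Assumed (not on this page): the field
signature investigationsAdvancedSearch(cql: String!) and DEFAULT_SELECTION.
"""
import re
from datetime import datetime, timezone

FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")          # e.g. status, archived_at
GROUP_RE = re.compile(r"\d+[mhd]|[A-Za-z_][A-Za-z0-9_]*")  # e.g. 1d, 1440m, type

# Constructed sample window matching the timestamps in the examples above.
EXAMPLE_EARLIEST = datetime(2021, 3, 22, 18, 13, 45, 531000, tzinfo=timezone.utc)
EXAMPLE_LATEST = datetime(2021, 7, 6, 18, 13, 45, 531000, tzinfo=timezone.utc)


def cql_timestamp(dt):
    """Render an aware datetime in the '2021-03-22T18:13:45.531Z' form CQL expects."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; a naive one is ambiguous")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def cql_literal(value):
    """Quote a value. CQL escaping is undocumented here, so anything that could end
    the literal early is rejected instead of escaped."""
    value = str(value)
    if "'" in value or any(ord(c) < 32 for c in value):
        raise ValueError(f"unsafe characters in CQL value {value!r}")
    return f"'{value}'"


def build_cql(earliest, latest, filters=None, aggregate=None):
    """from investigations EARLIEST = '..' LATEST = '..' field = 'v' ... | aggregate count by ..."""
    if latest <= earliest:
        raise ValueError("LATEST must be after EARLIEST")
    parts = ["from investigations",
             f"EARLIEST = {cql_literal(cql_timestamp(earliest))}",
             f"LATEST = {cql_literal(cql_timestamp(latest))}"]
    for field, value in (filters or {}).items():
        if not FIELD_RE.fullmatch(field):
            raise ValueError(f"bad field name {field!r}")
        parts.append(f"{field} = {cql_literal(value)}")
    cql = " ".join(parts)
    if aggregate:
        for group in aggregate:
            if not GROUP_RE.fullmatch(group):
                raise ValueError(f"bad aggregate key {group!r}")
        cql += " | aggregate count by " + ", ".join(aggregate)
    return cql


DEFAULT_SELECTION = "{ totalCount investigations { id shortId status created_at } }"  # assumed


def advanced_search_payload(cql, selection=DEFAULT_SELECTION):
    """Request body. The CQL rides in variables, not in the query text, so no
    GraphQL string escaping is needed and the operation document never changes."""
    query = ("query investigationsAdvancedSearch($cql: String!) "
             "{ investigationsAdvancedSearch(cql: $cql) " + selection + " }")
    return {"query": query, "variables": {"cql": cql}}


if __name__ == "__main__":
    print(build_cql(EXAMPLE_EARLIEST, EXAMPLE_LATEST, aggregate=["1d", "type"]))
    print(build_cql(EXAMPLE_EARLIEST, EXAMPLE_LATEST, filters={"status": "Open"}))
    print(advanced_search_payload(build_cql(EXAMPLE_EARLIEST, EXAMPLE_LATEST)))
```

The resulting payload can be posted exactly like the investigationsSearch request; only the operation text and the variables differ.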

Available Fields

CQL query fields available in investigationsSearch and investigationsAdvancedSearch include the following:

Next Steps

For more information, see the Investigations GraphQL API Documentation.
