Getting Started with the Investigations GraphQL API
Important
Before proceeding, complete the API Authentication steps to obtain a working client_id and client_secret.
Regions
The URL to access XDR APIs may differ according to the region your environment is deployed in:
- US1 — https://api.ctpx.secureworks.com
- US2 — https://api.delta.taegis.secureworks.com
- US3 — https://api.foxtrot.taegis.secureworks.com
- EU — https://api.echo.taegis.secureworks.com
The examples in this XDR API documentation use https://api.ctpx.secureworks.com throughout. If your environment is deployed in a different region, substitute that region's URL.
Query Investigations
query investigationsSearch($page: Int = 1, $perPage: Int = 3, $query: String = "type in ('Security Investigation')", $filterText: String, $orderByField: OrderFieldInput, $orderDirection: OrderDirectionInput)
{
  investigationsSearch(page: $page, perPage: $perPage, query: $query, filterText: $filterText, orderByField: $orderByField, orderDirection: $orderDirection)
  {
    totalCount
    investigations {
      search_queries { id } first_notified_at notified_at transition_state { handed_off acknowledge_time resolved_at_least_once handoff_time initial_handoff_time resolution_time initial_resolution_time acknowledged initial_acknowledge_time acknowledged_at_least_once resolved handed_off_at_least_once }
      tenant_id description contributors genesis_events { id } events_count alerts2 { id } assignee { id email family_name name tenants { id name } status email_normalized user_id given_name email_verified roles }
      service_desk_type updated_at investigationType assets_count genesis_events_count alerts_count assignee_id tags created_by_scwx created_at created_by_partner activity_logs { id target comment tenant_id investigation_id description user_id created_at type updated_at }
      auth_credentials type events { id } assignee_user { id } rn deleted_at alerts { id } processing_status { events alerts assets } first_notified_at_scwx archived_at service_desk_id status genesis_alerts_count files_count created_by_user { id } priority assets { id } contributed_users { id } id created_by genesis_alerts { id }
      access_vectors { id name investigation_id mitre_info { data_sources tactics technique description platform technique_id system_requirements defence_bypassed contributors url version type } created_at updated_at } comments_count { parent_id unread parent_type total } latest_activity genesis_alerts2 { id } shortId key_findings
    }
  }
}
Create an Investigation
mutation createInvestigation($investigation: InvestigationInput! = { description: "testing", status: "Open", contributors: [], key_findings: "", tags: [], genesis_alerts: [], genesis_events: [], alerts: [], events: [], auth_credentials: [] })
{
  createInvestigation(investigation: $investigation)
  {
    id tenant_id tags auth_credentials key_findings description created_at updated_at notified_at first_notified_at first_notified_at_scwx created_by status contributors service_desk_id service_desk_type assignee_id latest_activity archived_at deleted_at created_by_scwx created_by_partner
    investigationType priority type genesis_alerts_count genesis_events_count alerts_count events_count assets_count files_count rn shortId
    genesis_alerts { id } genesis_alerts2 { id } genesis_events { id } alerts { id } alerts2 { id } events { id } assets { id } search_queries { id }
    activity_logs { id target comment tenant_id investigation_id description user_id created_at type updated_at } created_by_user { id } contributed_users { id } assignee_user { id }
    assignee { id email family_name name tenants { id name } status email_normalized user_id given_name email_verified roles }
    access_vectors { id name investigation_id mitre_info { data_sources tactics technique description platform technique_id system_requirements defence_bypassed contributors url version type } created_at updated_at }
    transition_state { handed_off acknowledge_time resolved_at_least_once handoff_time initial_handoff_time resolution_time initial_resolution_time acknowledged initial_acknowledge_time acknowledged_at_least_once resolved handed_off_at_least_once }
    processing_status { events alerts assets } comments_count { parent_id unread parent_type total }
  }
}
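A small client that drives the two operations above, added here as an example and not taken from the Secureworks documentation or SDK: it pages through investigationsSearch using totalCount, and submits a createInvestigation with the InvestigationInput fields shown in the mutation. It assumes the GraphQL endpoint is the region URL plus /graphql and that the token obtained in the API Authentication steps is sent as a Bearer token; the selection sets are trimmed to fields that appear in the documented operations.

```python
# Added example, not Secureworks code; assumes <region URL>/graphql and a Bearer token.
import json
import urllib.request

REGION_URLS = {"US1": "https://api.ctpx.secureworks.com",
               "US2": "https://api.delta.taegis.secureworks.com",
               "US3": "https://api.foxtrot.taegis.secureworks.com",
               "EU": "https://api.echo.taegis.secureworks.com"}
DEFAULT_QUERY = "type in ('Security Investigation')"
# Trimmed selection sets; every field name appears in the documented operations.
SEARCH = """query ($page: Int!, $perPage: Int!, $query: String!) {
  investigationsSearch(page: $page, perPage: $perPage, query: $query) {
    totalCount investigations { id shortId status priority assignee_id created_at } } }"""
CREATE = """mutation ($investigation: InvestigationInput!) {
  createInvestigation(investigation: $investigation) { id shortId status } }"""

def make_poster(region, access_token):
    url = REGION_URLS[region] + "/graphql"  # the /graphql path is an assumption
    def post(payload):
        req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json",
                                              "Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        if body.get("errors"):  # GraphQL errors arrive in-band, often with HTTP 200
            raise RuntimeError(body["errors"])
        return body["data"]
    return post

def search_payload(page, per_page, query=DEFAULT_QUERY):
    # Values travel as JSON variables, so the query string needs no quote escaping.
    return {"query": SEARCH, "variables": {"page": page, "perPage": per_page, "query": query}}

def iter_investigations(post, per_page=50, query=DEFAULT_QUERY):
    """Yield every match; stop at totalCount or when a page comes back short."""
    page = seen = 0
    while True:
        page += 1
        result = post(search_payload(page, per_page, query))["investigationsSearch"]
        items = result["investigations"]
        yield from items
        seen += len(items)
        if not items or len(items) < per_page or seen >= result["totalCount"]:
            return

def create_investigation(post, description, alert_ids):
    """Open an investigation seeded with existing alert ids (InvestigationInput fields as documented)."""
    inv = {"description": description, "status": "Open", "alerts": alert_ids, "genesis_alerts": [],
           "contributors": [], "key_findings": "", "tags": [], "genesis_events": [], "events": [],
           "auth_credentials": []}
    return post({"query": CREATE, "variables": {"investigation": inv}})["createInvestigation"]
```

Call `make_poster("US1", token)` once and pass the returned function to `iter_investigations` or `create_investigation`; both accept any callable with that shape, which makes them easy to exercise against canned responses.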
investigationsAdvancedSearch Query Examples
investigationsAdvancedSearch(cql: "from investigations created_at > '2021-03-22T18:13:45.531Z' status='Open'")
investigationsAdvancedSearch(cql: "from investigations EARLIEST='2022-06-21' LATEST='2022-06-22' and archived_at is not null | aggregate count by 1440m, type")
investigationsAdvancedSearch(cql: "from investigations EARLIEST = '2021-03-22T18:13:45.531Z' LATEST = '2021-07-06T18:13:45.531Z' | aggregate count by type")
investigationsAdvancedSearch(cql: "from investigations EARLIEST = '2021-03-22T18:13:45.531Z' LATEST = '2021-07-06T18:13:45.531Z' | aggregate count by 1d")
investigationsAdvancedSearch(cql: "from investigations EARLIEST = '2021-03-22T18:13:45.531Z' LATEST = '2021-07-06T18:13:45.531Z' | aggregate count by 1d, type")
Available Fields
CQL query fields available in investigationsSearch and investigationsAdvancedSearch include the following:
- id — String
- tenant_id — String
- tags — String
- genesis_alerts — String
- genesis_events — String
- alerts — String
- events — String
- assets — String
- auth_credentials — String
- search_queries — String
- key_findings — String
- description — String
- created_at — TimestampSecs
- updated_at — TimestampSecs
- notified_at — TimestampSecs
- archived_at — String
- service_desk_id — String
- service_desk_type — String
- assignee_id — String
- status — String
- created_by — String
- contributors — String
- created_by_scwx — Boolean
- created_by_partner — Boolean
- type — String
- priority — Number
- closeReason — String
Next Steps
For more information, see the Investigations GraphQL API Documentation.