
Types Schema

ExternalURI

ExternalURI references an external resource for a given event. This may be the source of the event, research, or other information held outside of TDR.

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| uri | string | uri$ | Identifies the resource. This may be a web URL, UUID or other string that uniquely identifies a single event in another resource. |
| description | string | description$ | A short description of what uri references. |

FileHash

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| md5 | string | md5$ | MD5 hash of the file. |
| sha1 | string | sha1$ | SHA-1 hash of the file. |
| sha256 | string | sha256$ | SHA-256 hash of the file. |
| sha512 | string | sha512$ | SHA-512 hash of the file. |
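Before a FileHash value is matched against an indicator list it is worth checking that each populated field actually has the shape of the algorithm it claims: a truncated or mislabelled digest never matches anything and the event silently looks clean. The following is an added example, not code from the Taegis documentation or product; it assumes (the page does not say) that the hash fields carry hexadecimal strings, and the sample message and indicator list are constructed for the example (the digests are those of empty input, not of any real file).

```python
import re
from typing import Dict, Iterable, Set

# Expected hex-digit lengths for each FileHash field. Assumption: the fields
# hold hex-encoded digests (the page does not state the encoding).
HASH_HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def normalize_file_hash(file_hash: Dict[str, str]) -> Dict[str, str]:
    """Validate and lower-case the populated fields of a FileHash message.

    Empty fields (a parser emits "" for a hash it could not compute) are
    skipped. A present but malformed value raises ValueError instead of being
    dropped, so a broken hash is noticed rather than treated as "no match".
    """
    normalized = {}
    for field, expected_len in HASH_HEX_LENGTHS.items():
        value = file_hash.get(field)
        if not value:
            continue
        value = value.strip()
        if len(value) != expected_len or not _HEX_RE.match(value):
            raise ValueError(f"{field}: expected {expected_len} hex chars, got {value!r}")
        normalized[field] = value.lower()
    return normalized


def match_indicators(file_hash: Dict[str, str], indicators: Iterable[str]) -> Set[str]:
    """Return the FileHash fields whose value appears in an indicator list.

    Indicators of any supported algorithm may be mixed in one list; each is
    compared case-insensitively against the field of the same length.
    """
    by_len: Dict[int, Set[str]] = {}
    for ioc in indicators:
        by_len.setdefault(len(ioc), set()).add(ioc.lower())
    hits = set()
    for field, value in normalize_file_hash(file_hash).items():
        if value in by_len.get(len(value), ()):
            hits.add(field)
    return hits


# Constructed sample FileHash: MD5 in upper case, SHA-1 left empty by the
# parser, SHA-256 in lower case. Values are the digests of empty input.
SAMPLE_FILE_HASH = {
    "md5": "D41D8CD98F00B204E9800998ECF8427E",
    "sha1": "",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Constructed indicator list mixing algorithms and casing.
SAMPLE_IOCS = [
    "d41d8cd98f00b204e9800998ecf8427e",
    "DEADBEEF" * 8,  # a 64-char SHA-256-shaped value that does not match
]

if __name__ == "__main__":
    print(normalize_file_hash(SAMPLE_FILE_HASH))
    print(match_indicators(SAMPLE_FILE_HASH, SAMPLE_IOCS))
```

Matching is done per algorithm by length, so a list that mixes MD5 and SHA-256 indicators still compares each against the right field; if the product stores hashes in another encoding, only HASH_HEX_LENGTHS and the regex need to change.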

GeoSummary

GeoSummary provides a succinct summary of the geographical facts associated with a given point and accuracy radius.

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| location | GeoSummary.Location | location$ | |
| city | GeoSummary.City | city$ | |
| continent | GeoSummary.Continent | continent$ | |
| country | GeoSummary.Country | country$ | |
| asn | GeoSummary.ASN | asn$ | |

GeoSummary.ASN

For more information on autonomous systems see https://en.wikipedia.org/wiki/Autonomous_system_(Internet)

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| autonomous_system_no | uint32 | autonomousSystemNo$ | The autonomous system number associated with the IP address. |
| autonomous_system_org | string | autonomousSystemOrg$ | The organization associated with the registered autonomous system number for the IP address. |

GeoSummary.City

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| geoname_id | uint32 | geonameId$ | A unique identifier for the city as specified by GeoNames. |
| locale_names | KeyValuePairsIndexed | | A map from locale codes, such as "en", to the localized names for the feature. |
| name | string | name$ | The name of the city. |
| confidence | uint32 | confidence$ | Range from 0 to 99, with 0 representing least confidence in the data sources and 99 representing total confidence. |

GeoSummary.City.NamesEntry

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| key | string | key$ | |
| value | string | value$ | |

GeoSummary.Continent

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| geoname_id | uint32 | geonameId$ | A unique identifier for the continent as specified by GeoNames (http://www.geonames.org/). |
| code | string | code$ | A two-character code for the continent associated with the IP address. The possible codes are: AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania), SA (South America). |

GeoSummary.Country

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| geoname_id | uint32 | geonameId$ | A unique identifier for the country as specified by GeoNames. |
| iso_code | string | isoCode$ | The two-character ISO 3166-1 alpha-2 code for the country associated with the IP address. |
| code | string | code$ | The three-letter ISO 3166-1 alpha-3 code for the country (https://en.wikipedia.org/wiki/ISO_3166-1_alpha-3). |
| confidence | uint32 | confidence$ | Range from 0 to 99, with 0 representing least confidence in the data sources and 99 representing total confidence. |

GeoSummary.Location

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| radius | uint32 | radius$ | The approximate accuracy radius, in kilometers, around the latitude and longitude for the geographical entity (country, subdivision, city or postal code) associated with the IP address. |
| latitude | float | latitude$ | The approximate latitude of the postal code, city, subdivision or country associated with the IP address. |
| longitude | float | longitude$ | The approximate longitude of the postal code, city, subdivision or country associated with the IP address. |
| us_metro_code | uint32 | usMetroCode$ | The metro code associated with the IP address. These are only available for IP addresses in the US. |
| timezone | string | timezone$ | The time zone associated with the location, as specified by the IANA Time Zone Database, e.g. "America/New_York". |
| gmt_offset | sint32 | gmtOffset$ | The offset from GMT associated with timezone. |

KeyAndValues

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| key | string | key$ | |
| values | repeated string | values$ | |

KeyValuePairsIndexed

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| record | repeated KeyValueRecordIndexed | record$ | |

KeyValueRecordIndexed

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| key | string | key$ | Name of the object, such as 'filename'. |
| value | string | value$ | Value of the object, such as 'important.docx'. |

ProcessCorrelationID

ProcessCorrelationID identifies a unique process. The pid alone is not sufficient, because Windows reuses process IDs; a process is identified by the pair (pid, timewindow).

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| pid | string | | The ID of the process. |
| timewindow | string | | An opaque value that makes a process unique; it is needed because Windows can reuse process IDs. The value is constructed from the create_time of the process, but it should be treated as opaque: do not convert it to a time or infer any other meaning from it. You may rely on the fact that newer processes have higher timewindow values than older processes (e.g. you may sort by timewindow). |
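The practical consequence of PID reuse is that any grouping, join or timeline keyed on pid alone will merge the activity of a retired process with whatever process later received the same PID. The following added example (not code from the Taegis documentation or product) groups constructed process events on the full ProcessCorrelationID and contrasts it with the pid-only grouping; the timewindow strings are made up for the example, and the "newest process" helper relies only on the ordering property the page states, while assuming that plain string comparison of the (here fixed-width) values preserves that order.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample events. PID 4321 appears with two different timewindow
# values: Windows retired explorer.exe and later handed the same PID to
# update.exe. The timewindow strings are invented; the real field is opaque.
SAMPLE_EVENTS = [
    {"pid": "4321", "timewindow": "0001", "image": "C:\\Windows\\explorer.exe", "action": "create"},
    {"pid": "4321", "timewindow": "0001", "image": "C:\\Windows\\explorer.exe", "action": "file_write"},
    {"pid": "4321", "timewindow": "0007", "image": "C:\\Users\\Public\\update.exe", "action": "create"},
    {"pid": "4321", "timewindow": "0007", "image": "C:\\Users\\Public\\update.exe", "action": "network_connect"},
    {"pid": "8", "timewindow": "0003", "image": "C:\\Windows\\System32\\svchost.exe", "action": "create"},
]

ProcessKey = Tuple[str, str]


def process_key(event: Dict[str, str]) -> ProcessKey:
    """Return the event's ProcessCorrelationID as a hashable (pid, timewindow) key.

    Both fields are required; pid on its own cannot distinguish the two
    processes that shared PID 4321.
    """
    return (event["pid"], event["timewindow"])


def group_by_process(events: Iterable[Dict[str, str]]) -> Dict[ProcessKey, List[dict]]:
    """Correct grouping: one bucket per distinct process."""
    groups: Dict[ProcessKey, List[dict]] = defaultdict(list)
    for ev in events:
        groups[process_key(ev)].append(ev)
    return dict(groups)


def group_by_pid_only(events: Iterable[Dict[str, str]]) -> Dict[str, List[dict]]:
    """Incorrect grouping, shown for contrast: collapses reused PIDs, so the
    network connection from update.exe is attributed to the explorer.exe bucket."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        groups[ev["pid"]].append(ev)
    return dict(groups)


def newest_process_for_pid(events: Iterable[Dict[str, str]], pid: str) -> ProcessKey:
    """Pick the most recently created process that used `pid`.

    Uses only the property the page guarantees (newer processes have higher
    timewindow values). Assumption: comparing the strings directly preserves
    that order, which holds for the fixed-width values constructed here.
    """
    keys = {process_key(ev) for ev in events if ev["pid"] == pid}
    if not keys:
        raise KeyError(f"no events for pid {pid}")
    return max(keys, key=lambda k: k[1])


if __name__ == "__main__":
    for key, evs in group_by_process(SAMPLE_EVENTS).items():
        print(key, [e["action"] for e in evs])
    print("pid-only buckets:", len(group_by_pid_only(SAMPLE_EVENTS)))
    print("newest process with PID 4321:", newest_process_for_pid(SAMPLE_EVENTS, "4321"))
```

The same rule applies when joining process events to parent-process references: compare the parent's (pid, timewindow) pair, never the parent PID alone.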

TimeFidelity

| Name | Number | Description |
|---|---|---|
| UNDEFINED | 0 | Unused, but required for proto3. |
| SECOND | 1 | 1 second |
| MILLI | 2 | 10^-3 seconds |
| MICRO | 3 | 10^-6 seconds |
| NANO | 4 | 10^-9 seconds |
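A timestamp integer means nothing without its TimeFidelity, and guessing the unit from the magnitude of the number is how events end up hours or years out of place on a timeline. The following added example (not code from the Taegis documentation or product) mirrors the enum above, converts a value plus its fidelity into a UTC datetime, rejects UNDEFINED rather than guessing, and rescales mixed-fidelity values to a common unit so they can be ordered exactly; the sample timestamps are constructed for the example.

```python
from datetime import datetime, timezone
from enum import IntEnum


class TimeFidelity(IntEnum):
    """Mirror of the TimeFidelity enum (numbers as given in the schema)."""
    UNDEFINED = 0
    SECOND = 1
    MILLI = 2
    MICRO = 3
    NANO = 4


# Ticks per second for each defined fidelity.
_UNITS_PER_SECOND = {
    TimeFidelity.SECOND: 1,
    TimeFidelity.MILLI: 10**3,
    TimeFidelity.MICRO: 10**6,
    TimeFidelity.NANO: 10**9,
}


def _units(fidelity: TimeFidelity) -> int:
    if fidelity == TimeFidelity.UNDEFINED:
        raise ValueError("TimeFidelity.UNDEFINED: unit of timestamp is unknown")
    return _UNITS_PER_SECOND[TimeFidelity(fidelity)]


def to_datetime(value: int, fidelity: TimeFidelity) -> datetime:
    """Convert an integer timestamp plus its TimeFidelity to a UTC datetime.

    Sub-microsecond digits are truncated because datetime only stores
    microseconds; use to_nanos() when exact ordering matters.
    """
    units = _units(fidelity)
    seconds, remainder = divmod(value, units)
    microseconds = remainder * 10**6 // units
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=microseconds)


def to_nanos(value: int, fidelity: TimeFidelity) -> int:
    """Rescale a timestamp to nanoseconds so values of mixed fidelity can be
    compared and sorted without any loss of precision."""
    return value * (10**9 // _units(fidelity))


# Constructed sample: the instant 2024-01-02T03:04:05.123456789Z as reported
# by four sources at different fidelities.
EPOCH_SECONDS = 1704164645
SAMPLE_TIMESTAMPS = [
    (EPOCH_SECONDS, TimeFidelity.SECOND),
    (EPOCH_SECONDS * 10**3 + 123, TimeFidelity.MILLI),
    (EPOCH_SECONDS * 10**6 + 123456, TimeFidelity.MICRO),
    (EPOCH_SECONDS * 10**9 + 123456789, TimeFidelity.NANO),
]

if __name__ == "__main__":
    for value, fidelity in SAMPLE_TIMESTAMPS:
        print(fidelity.name, to_datetime(value, fidelity).isoformat(), to_nanos(value, fidelity))
```

When merging sources, sort on to_nanos() rather than on the converted datetime: two NANO-fidelity events 500 ns apart collapse to the same datetime but keep their order as integers.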

Enrichments

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| attack_technique_ids | repeated string | | List of MITRE ATT&CK technique IDs. |
| rule_id_to_techniques | repeated KeyAndValues | | If there is more than one state, it is to be assumed that the states are OR'ed together. |
