Alerts GraphQL API
Map
Float32
Node
Fields
Field
Type
Description
Arguments
id
ID
ID
Description : The ID scalar type represents a unique identifier, often used to refetch an object or as a key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.
Fields
Field
Type
Description
Arguments
geoname_id
Int
iso_code
String
code
String
confidence
Int
Int
Description : The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
String
Description : The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
Fields
Field
Type
Description
Arguments
key
String
values
String
Fields
Field
Type
Description
Arguments
group_by
AggregateAlertsBySeverityInput_GroupBy
limit
Int
earliest
TimestampInput
latest
TimestampInput
excluded_severities
AlertsSeverity
filter_custom_alerts
Boolean
tenant_service_filters
String
Filters alerts so that they only belong to the current tenant or child tenants with particular services associated with them
Boolean
Description : The Boolean scalar type represents true or false.
Fields
Field
Type
Description
Arguments
value
Float
prioritizer
String
version
String
model_name
String
model_version
String
evidence
String
applied_time
TimestampInput
Float
Description : The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.
Fields
Field
Type
Description
Arguments
id
String
version
String
Fields
Field
Type
Description
Arguments
query
String
Taegis XDR Query Language query
investigation_id
String
genesis_alerts
String
DEPRECATED: Used to flag specific alerts as the genesis of the investigation.
alerts
String
List of Alert IDs
tenant
String
Fields
Field
Type
Description
Arguments
query
String
Taegis XDR Query Language query
resolution_status
ResolutionStatus
reason
String
caller
CallerInformation
requested_at
TimestampInput
user_id
String
tenant
String
Fields
Field
Type
Description
Arguments
entity
String
label
String
Fields
Field
Type
Description
Arguments
search_id
String
Fields
Field
Type
Description
Arguments
iDs
String
Fields
Field
Type
Description
Arguments
search_id
String
part_id
Int
DEPRECATED: the part ID is advanced transparently with each call and does not need to be supplied.
Fields
Field
Type
Description
Arguments
id
String
user_id
String
Legacy user ID
timestamp
TimestampInput
status
ResolutionStatus
reason
String
num_alerts_affected
Int
uuid_user_id
String
Provider independent user ID
Fields
Field
Type
Description
Arguments
ql_query
String
Taegis Query Language (QL) query
tenant_service_filters
String
Filters alerts on tenants that have the specified services. The tenants scope comprises the one specified in the X-Tenant-Context header and its children.
Fields
Field
Type
Description
Arguments
cql_query
String
Taegis XDR Query Language query
offset
Int
Result set returned from this offset + limit requested. If your query has 500 total_results and you want the last 100, use offset:400 limit:100.
limit
Int
Result set limit. Note: limits larger than 10000 are broken into multiple parts. Additional parts can be fetched by search_id.
search_id
String
Next page reference returned with the last search response. If this is passed, offset and limit are ignored. Preferred way to paginate over large result sets as it is faster and more consistent.
metadata
Map
Allows the caller to include metadata that is stored with the received query.
tenant_service_filters
String
Filters alerts on tenants that have the specified services. The tenants scope comprises the one specified in the X-Tenant-Context header and its children.
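The search input above offers two ways to page: offset/limit, and the search_id returned with each response, which is the documented way to walk result sets that are split into parts. The following is an added example, not code from the Taegis documentation or SDK. It assumes a caller-supplied `execute(query, variables)` function that posts the GraphQL document and returns the operation result as a dict shaped like AlertsResponse/AlertsList; the operation name `alertsServiceSearch`, the selection set, the CQL string and the fake backend's status strings are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Iterator

# Assumed operation name and selection set. Only the input field names
# (cql_query, offset, limit, search_id) and the response field names
# (status, reason, search_id, alerts.list/total_results/total_parts/part)
# come from the documented types.
SEARCH_QUERY = """
query SearchAlerts($cql_query: String, $offset: Int, $limit: Int, $search_id: String) {
  alertsServiceSearch(in: {cql_query: $cql_query, offset: $offset,
                           limit: $limit, search_id: $search_id}) {
    status
    reason
    search_id
    alerts { total_results total_parts part list { id } }
  }
}
"""

# Anything that posts a GraphQL document plus variables and returns the
# operation's result object as a dict (a requests/httpx wrapper in practice).
Execute = Callable[[str, dict[str, Any]], dict[str, Any]]


def iter_alerts(execute: Execute, cql_query: str, limit: int) -> Iterator[dict[str, Any]]:
    """Yield every alert matching cql_query, part by part.

    Only the first request carries cql_query, offset and limit. Each later
    request sends just the search_id from the previous response, because the
    API ignores offset and limit once search_id is present."""
    variables: dict[str, Any] = {"cql_query": cql_query, "offset": 0, "limit": limit}
    seen_search_ids: set[str] = set()
    while True:
        resp = execute(SEARCH_QUERY, variables)
        alerts = resp.get("alerts")
        if alerts is None:
            raise RuntimeError(
                f"search failed: status={resp.get('status')!r} reason={resp.get('reason')!r}")
        yield from alerts.get("list") or []
        search_id = resp.get("search_id")
        if not search_id:
            return  # the server stops handing out a search_id after the last part
        if search_id in seen_search_ids:
            raise RuntimeError("same search_id returned twice; aborting to avoid a loop")
        seen_search_ids.add(search_id)
        variables = {"search_id": search_id}


def collect_alerts(execute: Execute, cql_query: str, limit: int = 10000) -> list[dict[str, Any]]:
    return list(iter_alerts(execute, cql_query, limit))


@dataclass
class FakeAlertsBackend:
    """Constructed stand-in for the API so the example runs offline. It serves
    `alerts` in parts of `part_size`, returns a search_id referencing the next
    part, and honours offset only on a request without search_id, as the
    documentation describes. The status strings are made up."""
    alerts: list[dict[str, Any]]
    part_size: int
    calls: list[dict[str, Any]] = field(default_factory=list)
    _cursors: dict[str, int] = field(default_factory=dict)

    def __call__(self, query: str, variables: dict[str, Any]) -> dict[str, Any]:
        self.calls.append(dict(variables))
        search_id = variables.get("search_id")
        if search_id:
            start = self._cursors.pop(search_id, None)  # a search_id is single use here
            if start is None:
                return {"status": "ERROR", "reason": "unknown or expired search_id", "alerts": None}
        else:
            start = int(variables.get("offset") or 0)
        chunk = self.alerts[start:start + self.part_size]
        total_parts = -(-len(self.alerts) // self.part_size)  # ceiling division
        resp: dict[str, Any] = {
            "status": "OK", "reason": "", "search_id": None,
            "alerts": {"list": chunk, "total_results": len(self.alerts),
                       "total_parts": total_parts, "part": start // self.part_size + 1},
        }
        nxt = start + self.part_size
        if nxt < len(self.alerts):
            resp["search_id"] = f"search-{nxt}"
            self._cursors[resp["search_id"]] = nxt
        return resp


if __name__ == "__main__":
    backend = FakeAlertsBackend([{"id": f"alert-{i}"} for i in range(25)], part_size=10)
    got = collect_alerts(backend, "FROM alert WHERE severity >= 0.6")  # illustrative query text
    print(len(got), "alerts fetched in", len(backend.calls), "requests")
```

Because a search_id is a server-side cursor, a client that re-sends offset and limit alongside it gets no benefit from them; sending the search_id alone, as `iter_alerts` does, makes the intent explicit and matches the documented behaviour.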
Fields
Field
Type
Description
Arguments
id
String
severity
Float32
changed_at
TimestampInput
Fields
Field
Type
Description
Arguments
seconds
Int
Epoch Time in seconds
nanos
Int
Epoch Time in nano-seconds
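TimestampInput carries whole epoch seconds plus a separate nanosecond remainder, which is easy to get subtly wrong (floating-point `timestamp()`, or a naive datetime that Python interprets in local time). This added example, not code from the Taegis documentation, encodes and decodes that shape with integer arithmetic and uses it to build the AggregateAlertsBySeverityInput shown earlier, then flattens an AlertsAggregateResponse. The `group_by` and `excluded_severities` enum values are passed through untouched because this page does not list them, and the list-valued inputs and the shape of `severities` as one object per key are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Iterable, Optional

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_timestamp_input(dt: datetime) -> dict[str, int]:
    """Encode a timezone-aware datetime as TimestampInput {seconds, nanos}.
    Integer arithmetic on the timedelta avoids the precision loss of
    dt.timestamp(); naive datetimes are rejected because Python would treat
    them as local time and silently shift the query window."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("TimestampInput needs a timezone-aware datetime")
    delta = dt - _EPOCH
    seconds = delta.days * 86400 + delta.seconds
    nanos = delta.microseconds * 1000  # datetime resolves to microseconds only
    return {"seconds": seconds, "nanos": nanos}


def from_timestamp_input(ts: dict[str, int]) -> datetime:
    """Decode {seconds, nanos} to a UTC datetime (nanos truncated to microseconds)."""
    nanos = int(ts.get("nanos") or 0)
    if not 0 <= nanos < 1_000_000_000:
        raise ValueError("nanos must be in [0, 1e9)")
    return _EPOCH + timedelta(seconds=int(ts["seconds"]), microseconds=nanos // 1000)


def aggregate_by_severity_input(earliest: datetime, latest: datetime, group_by: str,
                                limit: int = 100,
                                excluded_severities: Iterable[str] = (),
                                filter_custom_alerts: bool = False,
                                tenant_service_filters: Iterable[str] = ()) -> dict[str, Any]:
    """Build an AggregateAlertsBySeverityInput for the window [earliest, latest)."""
    if latest <= earliest:
        raise ValueError("latest must be after earliest")
    return {
        "group_by": group_by,
        "limit": limit,
        "earliest": to_timestamp_input(earliest),
        "latest": to_timestamp_input(latest),
        "excluded_severities": list(excluded_severities),
        "filter_custom_alerts": filter_custom_alerts,
        "tenant_service_filters": list(tenant_service_filters),
    }


SEVERITY_BUCKETS = ("info", "low", "medium", "high", "critical")


def summarize_aggregation(response: dict[str, Any], min_count: int = 1) -> list[dict[str, Any]]:
    """Flatten an AlertsAggregateResponse into rows, most severe keys first,
    dropping keys with fewer than min_count alerts."""
    rows = []
    for agg in response.get("aggregation") or []:
        sev = agg.get("severities") or {}
        row: dict[str, Any] = {"key": agg.get("key"), "count": int(agg.get("count") or 0)}
        row.update({b: int(sev.get(b) or 0) for b in SEVERITY_BUCKETS})
        if row["count"] >= min_count:
            rows.append(row)
    rows.sort(key=lambda r: (r["critical"], r["high"], r["medium"], r["count"]), reverse=True)
    return rows


if __name__ == "__main__":
    end = datetime.now(timezone.utc)
    print(aggregate_by_severity_input(end - timedelta(days=1), end, "GROUP_BY_VALUE"))
```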
Fields
Field
Type
Description
Arguments
investigation_id
String
genesis_alerts
String
DEPRECATED: was used to flag specific alerts as the genesis of the investigation.
alerts
String
tenant
String
operation
InvestigationOperation
caller
CallerInformation
requested_at
TimestampInput
user_id
String
Legacy user ID
uuid_user_id
String
Provider independent user ID
Fields
Field
Type
Description
Arguments
alert_ids
String
resolution_status
ResolutionStatus
reason
String
caller
CallerInformation
requested_at
TimestampInput
user_id
String
Legacy user ID
uuid_user_id
String
Provider independent user ID
tenant
String
UpdateThreatScoreEntry
Fields
Field
Type
Description
Arguments
alert_id
String
threat_score
Float32
Optional. Overrides the default threat_score for this one alert only.
Fields
Field
Type
Description
Arguments
alert_ids
UpdateThreatScoreEntry
threat_score
Float32
Default threat score to apply to the given alerts
Fields
Field
Type
Description
Arguments
user_name
String
Fields
Field
Type
Description
Arguments
total_attempts
Int
successful_logon_attempts
AuthScanLogonAttemptInput
failed_logon_attempts
AuthScanLogonAttemptInput
Fields
Field
Type
Description
Arguments
target_user_name
String
has_logon_success
Boolean
num_attempts
Int
Fields
Field
Type
Description
Arguments
win_event_id
String
action
String
domain
String
target_username
String
event_timestamp
Int
resource_record_identifier
String
Fields
Field
Type
Description
Arguments
num_auth_failures
Int
num_auth_successes
Int
last_successful_auth
BruteForceAuthInput
most_recent_auths_failures
BruteForceAuthInput
Fields
Field
Type
Description
Arguments
user
String
source_address
String
feature_name
ImprobableLogonDetail_FeatureName
logon_anomaly
LogonAnomalyInput
user_logon_baselines
UserLogonBaselineInput
Fields
Field
Type
Description
Arguments
user
String
user_baseline
Int
user_avg_requests
Float
user_max_requests
Int
total_spns
Int
suspicious_num_requests
Int
percentage_accessed
Float
spns_accessed
String
source_address
String
hostname
String
Fields
Field
Type
Description
Arguments
feature_value
String
feature_frequency_in_org
Float
feature_frequency_in_user
Float
approximate_count_in_user
Int
min_allowed_user_percentage
Float
min_allowed_org_percentage
Float
Fields
Field
Type
Description
Arguments
list_name
String
reason
String
attacks
String
Fields
Field
Type
Description
Arguments
target_user_name
String
target_domain_name
String
user_had_auth_success
Boolean
Fields
Field
Type
Description
Arguments
source_address
String
num_auth_failures
Int
num_auth_successes
Int
all_affected_users
PasswordSprayAffectedUserInput
Description : Details from Tactic Graphs Detector. This contains the tactic observed and the related events it was observed in.
Fields
Field
Type
Description
Arguments
graph_id
String
events
KeyAndValuesInput
Fields
Field
Type
Description
Arguments
feature_value
String
feature_frequency_in_org
Float
feature_frequency_in_user
Float
approximate_count_in_user
Int
days_in_baseline
Int
Fields
Field
Type
Description
Arguments
entity
String
details
MatchDetailsInput
GeoSummary
Fields
Field
Type
Description
Arguments
location
GeoSummary_Location
city
GeoSummary_City
continent
GeoSummary_Continent
country
GeoSummary_Country
asn
GeoSummary_ASN
GeoSummary_ASN
Fields
Field
Type
Description
Arguments
autonomous_system_no
Int
autonomous_system_org
String
GeoSummary_City
Fields
Field
Type
Description
Arguments
geoname_id
Int
locale_names
KeyValuePairsIndexed
name
String
confidence
Int
GeoSummary_Continent
Fields
Field
Type
Description
Arguments
geoname_id
Int
code
String
GeoSummary_Country
Fields
Field
Type
Description
Arguments
geoname_id
Int
iso_code
String
code
String
confidence
Int
GeoSummary_Location
Fields
Field
Type
Description
Arguments
radius
Int
latitude
Float
longitude
Float
us_metro_code
Int
timezone
String
gmt_offset
Int
metro_code
Int
KeyAndValues
Fields
Field
Type
Description
Arguments
key
String
values
String
KeyValuePairsIndexed
Fields
Field
Type
Description
Arguments
record
KeyValueRecordIndexed
KeyValueRecordIndexed
Fields
Field
Type
Description
Arguments
key
String
value
String
AggregationKeys
Fields
Field
Type
Description
Arguments
key
String
value
String
AggregationResponse
Fields
Field
Type
Description
Arguments
key
String
DEPRECATED. Use keys instead
value
Float
keys
AggregationKeys
TenantV4
Fields
Field
Type
Description
Arguments
id
ID
Alert2
Description : Base schema for an alert.
Fields
Field
Type
Description
Arguments
id
ID
group_key
String
Alert group key
metadata
AlertsMetadata
Alert metadata
visibility
Visibility
attack_technique_ids
String
List of attack technique IDs
tenant_id
String
Tenant ID associated with alert
tenant
TenantV4
Tenant associated with alert
parent_tenant_id
String
Parent Tenant ID of the tenant associated with this alert
suppressed
Boolean
Whether this alert was suppressed (true or false)
suppression_rules
AlertRuleReference
Suppression rules associated with alert
alerting_rules
AlertRuleReference
Rules associated with alert
status
ResolutionStatus
Alert resolution status
resolution_reason
String
Alert resolution reason
resolution_history
ResolutionMetadata
severity_history
SeverityUpdate
tuning_history
TuningUpdate
Tuning history will contain the rule id of the tuning rule, the field being tuned and the value it was tuned to. Tuning rules include suppression rules and can tune severity, origin, or suppress alerts.
tags
String
List of tags associated to alert
sensor_types
String
Sensor types associated with alert
entities
EntityRelationships
All entities that are associated with an alert
key_entities
EntityMetadata
source_entities
StructuredEntity
All source entities that are associated with an alert
target_entities
StructuredEntity
All target entities that are associated with an alert
event_ids
AuxiliaryEvent
All event IDs that are associated with an alert
observation_ids
Observation
All observation IDs that are associated with an alert
investigation_ids
Investigation
All investigation IDs that are associated with an alert
collection_ids
Collection
enrichment_details
EnrichmentDetail
Specific detectors may provide additional context to explain why the alert triggered or information to help an analyst review the alert.
third_party_details
ThirdPartyDetail
Alert third party details
reference_details
ReferenceDetail
List of detailed alert references provided by detector or watchlist rule
priority
AlertPriority
threat_score
Float32
events_metadata
AlertEventMetadata
AlertPriority
Fields
Field
Type
Description
Arguments
value
Float
prioritizer
String
version
String
model_name
String
model_version
String
evidence
String
applied_time
Timestamp
Description : AlertEventMetadata includes metadata about contributing events
Fields
Field
Type
Description
Arguments
updated_at
Timestamp
The timestamp of this alert events metadata update
began_at
Timestamp
The timestamp of the first event contributing to an alert; replaces metadata.began_at
ended_at
Timestamp
The timestamp of the latest event contributing to an alert; replaces metadata.ended_at
first_event_id
String
The first event_id contributing to an alert
last_event_id
String
The most recent event_id contributing to an alert
total_events
Int
The total number of events contributing to an alert
AlertRuleReference
Fields
Field
Type
Description
Arguments
id
String
version
String
AlertsAggregateResponse
Fields
Field
Type
Description
Arguments
aggregation
AlertsAggregateResponse_AlertsAggregation
AlertsAggregateResponse_AlertsAggregation
Fields
Field
Type
Description
Arguments
key
String
count
Int
severities
AlertsAggregateResponse_AlertsAggregation_Severity
AlertsAggregateResponse_AlertsAggregation_Severity
Fields
Field
Type
Description
Arguments
info
Int
low
Int
medium
Int
high
Int
critical
Int
AlertsInvestigationInfo
Fields
Field
Type
Description
Arguments
alert_resource_id
String
initial_access_vector_info
InitialAccessVectorInfo
AlertsList
Description : List of alerts and associated request metadata.
Fields
Field
Type
Description
Arguments
list
Alert2
List of Alert types
total_results
Int
Total results available for request
next_offset
Int
previous_offset
Int
last_offset
Int
first_offset
Int
total_parts
Int
Total parts of the result set
part
Int
Part number of returned result set
group_by
AggregationResponse
Aggregation response, if the initial request included an aggregation
Description : Alert metadata information
Fields
Field
Type
Description
Arguments
creator
Creator
Alert creator
engine
Engine
Alert engine
severity
Float32
Alert severity, in the range 0 to 1
severity_updated_at
Timestamp
confidence
Float32
Alert confidence, in the range 0 to 1
title
String
Alert title - limit of 1024 characters, may be automatically truncated
full_title
String
If the Alert title is truncated, the complete title. Otherwise empty.
description
String
Alert description
began_at
Timestamp
When the behavior associated with the alert began
ended_at
Timestamp
When the behavior associated with the alert ended
created_at
Timestamp
When the alert was created
inserted_at
Timestamp
When the alert was inserted into the database; this should be very close in time to created_at
updated_at
Timestamp
Last time the alert was updated (for example by feedback or investigation changes)
first_seen_at
Timestamp
When the events triggering the alert were first seen. This is set by specific ingests based on data provided by the data source.
first_investigated_at
Timestamp
When the alert first had an investigation associated with it
first_resolved_at
Timestamp
When the alert was first resolved
origin
Origin
Who created the event which generated this alert
read_only
Boolean
Whether the alert is read only or not
AlertsResponse
Fields
Field
Type
Description
Arguments
status
RPCResponseStatus
reason
String
alerts
AlertsList
search_id
String
Search ID can be used to request additional parts for search results containing more than 10k requested results
queryId
String
The unique identifier within the search system for the query that generated this response
AlertsCountByTenantResponseItem
Fields
Field
Type
Description
Arguments
count
Int
Number of alerts for this tenant
tenant
TenantV4
AlertsCountByTenantResponse
Fields
Field
Type
Description
Arguments
items
AlertsCountByTenantResponseItem
Every item represents a tenant and the number of alerts it has
BulkInvestigationsResponse
Fields
Field
Type
Description
Arguments
id
String
reason
String
status
ResponseStatus
events
String
assets
String
access_vector_info
AlertsInvestigationInfo
BulkResolutionResponse
Fields
Field
Type
Description
Arguments
reason
String
resolution_status
ResponseStatus
total_hits
Int
total_done
Int
total_failed
Int
is_complete
Boolean
CreateAlertsResponse
Fields
Field
Type
Description
Arguments
status
RPCResponseStatus
iDs
String
reason
String
DeleteAlertsResponse
Description : Internal Type
Fields
Field
Type
Description
Arguments
status
RPCResponseStatus
reason
String
Fields
Field
Type
Description
Arguments
entity
String
label
String
Properties
StructuredEntity
Fields
Field
Type
Description
Arguments
id
String
perspective
EntityPerspective
identifiers
String
properties
Properties
EntityAuthDomain
Fields
Field
Type
Description
Arguments
property_type
String
auth_domain
String
EntityCertificate
Fields
Field
Type
Description
Arguments
property_type
String
cert_issuer
String
cert_serial_number
String
cert_issuer_c
String
cert_issuer_cn
String
cert_issuer_e
String
cert_issuer_l
String
cert_issuer_o
String
cert_issuer_order
String
cert_issuer_ou
String
cert_issuer_s
String
cert_ja3
String
cert_ja3s
String
cert_subject
String
cert_subject_c
String
cert_subject_cn
String
cert_subject_e
String
cert_subject_l
String
cert_subject_o
String
cert_subject_order
String
cert_subject_ou
String
cert_subject_s
String
cert_valid_from
String
cert_valid_through
String
EntityCloudObject
Fields
Field
Type
Description
Arguments
property_type
String
cloud_object_bucket
String
cloud_object_key
String
cloud_object_prefix
String
EntityCloudResource
Fields
Field
Type
Description
Arguments
property_type
String
cloud_resource_account_id
String
cloud_resource_id
String
cloud_resource_type
String
EntityCloudUser
Fields
Field
Type
Description
Arguments
property_type
String
cloud_user_id
String
cloud_user_name
String
cloud_user_type
String
EntityDnsServer
Fields
Field
Type
Description
Arguments
property_type
String
host_id
String
ip_address
String
ip_address_type
String
ip_classification
String
EntityDomainName
Fields
Field
Type
Description
Arguments
property_type
String
domain_name
String
EntityEmail
Fields
Field
Type
Description
Arguments
property_type
String
email_message_id
String
email_message_size
Int
email_quarantine_reason
String
reply_to_email_address
String
vendor_alert_url
String
vendor_email_spam_score
Int
EntityEmailAddress
Fields
Field
Type
Description
Arguments
property_type
String
email_address
String
EntityFile
Fields
Field
Type
Description
Arguments
property_type
String
file_name
String
file_path
String
host_id
String
email_attachment_sandbox_status
String
file_create_time
Int
file_group_owner
String
file_modified_time
Int
file_owner
String
file_size
Int
file_type
String
file_type_detected
String
EntityFileHash
Fields
Field
Type
Description
Arguments
property_type
String
hash_type
String
hash_value
String
EntityFunction
Fields
Field
Type
Description
Arguments
property_type
String
function_name
String
host_id
String
EntityHost
Fields
Field
Type
Description
Arguments
property_type
String
computer_name
String
host_id
String
hostname
String
hostname_fqdn
String
mac_address
String
os
String
os_arch
String
vendor_agent_device_id
String
vendor_agent_device_score
Int
EntityIpAddress
Fields
Field
Type
Description
Arguments
property_type
String
host_id
String
ip_address
String
asn
Int
hostname
String
ip_address_type
String
ip_classification
String
is_nat_ip
Boolean
ip_geo_auto_system_org
String
ip_geo_city_name
String
ip_geo_continent_code
String
ip_geo_country_code
String
ip_geo_country_geoname_id
Int
ip_geo_latitude
Float
ip_geo_longitude
Float
EntityProcess
Fields
Field
Type
Description
Arguments
property_type
String
process_correlation_id
String
process_id
String
process_name
String
process_uuid
String
host_id
String
process_create_time
Int
process_image_path
String
process_is_admin
Boolean
EntityRegistryKey
Fields
Field
Type
Description
Arguments
property_type
String
host_id
String
registry_path
String
EntityScheduledTask
Fields
Field
Type
Description
Arguments
property_type
String
host_id
String
task_name
String
EntityScript
Fields
Field
Type
Description
Arguments
property_type
String
hash_value
String
host_id
String
script_name
String
interpreter
String
is_truncated
Boolean
EntityService
Fields
Field
Type
Description
Arguments
property_type
String
host_id
String
service_dll
String
service_main
String
service_name
String
service_start_type
Int
service_type
Int
EntityTaskAction
Fields
Field
Type
Description
Arguments
property_type
String
host_id
String
task_action_id
String
task_action_path
String
task_action_args
String
task_action_class_id
String
task_action_type
String
task_action_working_directory
String
EntityUser
Fields
Field
Type
Description
Arguments
property_type
String
auth_domain
String
computer_name
String
domain_name
String
group
String
host_id
String
user_id
String
user_name
String
cloud_user_type
String
original_user_name
String
user_is_admin
Boolean
EntityUrl
Fields
Field
Type
Description
Arguments
property_type
String
full_url
String
uri_scheme
String
uri_host
String
uri_path
String
uri_query
String
uri_fragment
String
uri_port
String
uri_userinfo
String
EvictResponse
Description : Response from an alertsServiceEvict mutation.
Fields
Field
Type
Description
Arguments
status
ResponseStatus
InitialAccessVectorInfo
Fields
Field
Type
Description
Arguments
created_at
Timestamp
updated_at
Timestamp
investigation_ids
String
tenant_id
String
name
String
Fields
Field
Type
Description
Arguments
id
String
user_id
String
Legacy user ID
timestamp
Timestamp
status
ResolutionStatus
reason
String
num_alerts_affected
Int
uuid_user_id
String
Provider independent user ID
SeverityUpdate
Fields
Field
Type
Description
Arguments
id
String
severity
Float32
changed_at
Timestamp
TuningUpdate
Fields
Field
Type
Description
Arguments
id
String
field_name
String
severity_value
Float32
origin_value
Origin
suppressed_value
Boolean
changed_at
Timestamp
Timestamp
Fields
Field
Type
Description
Arguments
seconds
Int
nanos
Int
UpdateInvestigationResponse
Description : Internal Type
Fields
Field
Type
Description
Arguments
id
String
reason
String
status
ResponseStatus
events
String
assets
String
access_vector_info
AlertsInvestigationInfo
UpdateResolutionResponse
Description : Response for an alertsServiceUpdateResolutionInfo mutation.
Fields
Field
Type
Description
Arguments
reason
String
resolution_status
ResponseStatus
UpdateThreatScoreResponse
Fields
Field
Type
Description
Arguments
status
ResponseStatus
AccountCompromiseDetectorDetail
Fields
Field
Type
Description
Arguments
user_name
String
FileAnalysisDetail
Fields
Field
Type
Description
Arguments
matched_yara_rule
MatchedYaraRule
MatchedYaraRule
Fields
Field
Type
Description
Arguments
rule_name
String
rule_description
String
classification
String
confidence
Float32
severity
Float32
rule_created_date
Timestamp
attack_technique_ids
String
vid
String
AuthScanDetail
Fields
Field
Type
Description
Arguments
total_attempts
Int
Total number of logon attempts, successful and failed
successful_logon_attempts
AuthScanLogonAttempt
failed_logon_attempts
AuthScanLogonAttempt
AuthScanLogonAttempt
Fields
Field
Type
Description
Arguments
target_user_name
String
User attempting login
has_logon_success
Boolean
DEPRECATED. See list in successful_logon_attempts
num_attempts
Int
Number of login attempts
BruteForceAuth
Fields
Field
Type
Description
Arguments
win_event_id
String
action
String
domain
String
target_username
String
event_timestamp
Int
resource_record_identifier
String
BruteForceDetails
Fields
Field
Type
Description
Arguments
num_auth_failures
Int
num_auth_successes
Int
last_successful_auth
BruteForceAuth
most_recent_auths_failures
BruteForceAuth
BusinessEmailCompromiseDetail
Fields
Field
Type
Description
Arguments
source_address
String
source_address_geo_summary
GeoSummary
user_name
String
CreationRule
Fields
Field
Type
Description
Arguments
rule_id
String
version
String
Creator
Description : The Detector that created the alert.
Fields
Field
Type
Description
Arguments
detector
Detector
rule
CreationRule
DDosIpAddressOccurrenceCount
Fields
Field
Type
Description
Arguments
ip_address
String
count
Int
DDosIpCount
Fields
Field
Type
Description
Arguments
date
Timestamp
count
Int
DDosSourceIpCountDetail
Fields
Field
Type
Description
Arguments
hour_partition
String
Detector compares historical netflow data occurring within this hour.
sensor_id
String
ID of Sensor providing netflow data.
host_id
String
Endpoint Host ID
event_observable_count
Int
The number of unique source IPs observed in the device’s network connections in the current hour.
event_observable_count_std_dev
Float
How many standard deviations the current hour's count of unique source IPs sits above the baseline mean.
baseline_observable_count_std_dev
Float
The variability, or spread, of the number of unique source IPs for this reporting device. A low standard deviation means the count of unique sources is consistent over time (a tall bell curve). A high standard deviation means the count varies greatly over time (a short bell curve).
baseline_observable_count_mean
Float
The average number of unique source IPs, counted on an hourly basis, observed in the historical data for this reporting device.
baseline_observable_count_median
Int
The midpoint value for the range of unique source IPs counted in the historical data for this reporting device.
baseline_num_days
Int
The number of historical days considered in this alert. Days in which the device did not report connections are not included.
analytic_observable_std_dev_threshold
Float
Standard deviation threshold: event_observable_count_std_dev must be at least this value in order to trigger an alert.
analytic_observable_min_count
Int
The minimum number of unique source IPs that must be observed in the current hour in order to trigger an alert; event_observable_count is always at least this number when an alert fires.
analytic_time_threshold
Int
Threshold time limit for detector to observe netflow activity.
historical_ip_counts
DDosIpCount
Historical count of unique source IPs per hour window.
top_destination_ips
DDosIpAddressOccurrenceCount
Top destination IPs by occurrence.
Detector
Description : Information about the Detector that is associated with alert.
Fields
Field
Type
Description
Arguments
detector_id
String
detector_name
String
version
String
DnsExfilEnrichment
Fields
Field
Type
Description
Arguments
num_queries
Int
Estimated count of the number of DNS requests made by the host.
Engine
Description : Alert engine
Fields
Field
Type
Description
Arguments
name
String
version
String
EnrichmentDetail
Description : Specific detectors can provide additional context to help explain why the alert was generated, or information to help an analyst review the alert.
Fields
Field
Type
Description
Arguments
geo_ip
GeographicIp
Geolocation for IP Addresses.
whois
WhoisSimple
WHOIS info for domain.
dns_exfil
DnsExfilEnrichment
Suspicious DNS Activity Detector
ddos_source_ip
DDosSourceIpCountDetail
DDoS Source IP Count Detector
login_failure
LoginFailureDetail
Login Failure Detector
rare_program_rare_ip
RareProgramRareIpDetail
Rare Program to Rare IP Detector
travel_features
StolenCredsTravelFeatures
Stolen Credentials Detector - Travel features; speed of travel, distance travelled.
trust_features
StolenCredsTrustFeatures
Stolen Credentials Detector - Trust features, unknown ASN, IP Address, Country across all tenants or username.
tactic_graph_detail
TacticGraphDetail
Tactic Graphs Detector
mitre_attack_info
MitreAttackDetails
MITRE ATT&CK Technique Detail
watchlist_matches
WatchlistMatches
IOC Watchlist Detectors - IP/Domain/Filehash
kerberoasting
Kerberoasting
Kerberoasting Detector
brute_force_detail
BruteForceDetails
Brute Force Details Detector
password_spray_detail
PasswordSprayDetail
Password Spray Detector
improbable_logon_detail
ImprobableLogonDetail
Account Compromise Detector - Improbable Logon based on Baseline
auth_scan_detail
AuthScanDetail
Auth Scan Detector
hands_on_keyboard_details
HandsOnKeyboardDetails
Hands On Keyboard Detector
business_email_compromise
BusinessEmailCompromiseDetail
Business Email Compromise Detector
account_compromise_detector_detail
AccountCompromiseDetectorDetail
file_analysis_detail
FileAnalysisDetail
File Analysis Pipeline
generic
GenericDetail
Generic Detail Objects. These can be provided by any detector, but are commonly used for data from external sources of alerts.
EntityRelationships
Description : List of Entity Relationships extracted from the alert’s associated events.
Fields
Field
Type
Description
Arguments
entities
String
List of entities. Entities are formatted as <type>:<value>.
relationships
Relationship
How entities are related based on events associated to the alert.
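Entities arrive as "<type>:<value>" strings and the relationships reference them by that same string, so an analyst tool needs to split on the first colon only (IPv6 addresses and URLs contain colons) and then walk the edges. The following is an added example, not code from the Taegis documentation; the entity type names, relationship labels and sample alert data are constructed for illustration.

```python
from collections import defaultdict, deque
from typing import Any, Optional


def split_entity(entity: str) -> tuple[str, str]:
    """Split "<type>:<value>" on the first colon only, so an IPv6 address
    or URL value keeps its own colons."""
    type_, sep, value = entity.partition(":")
    if not sep or not type_ or not value:
        raise ValueError(f"malformed entity {entity!r}")
    return type_, value


class EntityGraph:
    """Adjacency view over an EntityRelationships object: `entities` plus
    `relationships` with from_entity / to_entity / relationship / type."""

    def __init__(self, rel: dict[str, Any]):
        self.entities: dict[str, tuple[str, str]] = {}
        self.undeclared: set[str] = set()  # referenced by an edge but missing from `entities`
        self.out_edges: dict[str, list[dict[str, Any]]] = defaultdict(list)
        self.in_edges: dict[str, list[dict[str, Any]]] = defaultdict(list)
        for e in rel.get("entities") or []:
            self.entities[e] = split_entity(e)
        for r in rel.get("relationships") or []:
            for end in ("from_entity", "to_entity"):
                if r[end] not in self.entities:
                    self.entities[r[end]] = split_entity(r[end])
                    self.undeclared.add(r[end])
            self.out_edges[r["from_entity"]].append(r)
            self.in_edges[r["to_entity"]].append(r)

    def by_type(self, entity_type: str) -> list[str]:
        return sorted(v for t, v in self.entities.values() if t == entity_type)

    def neighbors(self, entity: str, relationship: Optional[str] = None,
                  direction: str = "both") -> list[str]:
        found = []
        if direction in ("out", "both"):
            found += [r["to_entity"] for r in self.out_edges.get(entity, [])
                      if relationship is None or r.get("relationship") == relationship]
        if direction in ("in", "both"):
            found += [r["from_entity"] for r in self.in_edges.get(entity, [])
                      if relationship is None or r.get("relationship") == relationship]
        return sorted(set(found))

    def reachable(self, start: str) -> set[str]:
        """Everything connected to `start` following edges in either
        direction: the blast radius an analyst pivots through."""
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in self.neighbors(cur):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen - {start}


# Constructed sample in the documented shape (types and labels are illustrative).
SAMPLE_RELATIONSHIPS: dict[str, Any] = {
    "entities": ["user:alice", "host:WS01", "process:powershell.exe",
                 "ipaddress:2001:db8::10", "domainname:update.example.net"],
    "relationships": [
        {"from_entity": "user:alice", "to_entity": "host:WS01",
         "relationship": "logged_on", "type": "auth"},
        {"from_entity": "host:WS01", "to_entity": "process:powershell.exe",
         "relationship": "executed", "type": "process"},
        {"from_entity": "process:powershell.exe", "to_entity": "ipaddress:2001:db8::10",
         "relationship": "connected_to", "type": "netflow"},
        {"from_entity": "domainname:update.example.net", "to_entity": "ipaddress:2001:db8::10",
         "relationship": "resolved_to", "type": "dns"},
    ],
}

if __name__ == "__main__":
    g = EntityGraph(SAMPLE_RELATIONSHIPS)
    print("hosts:", g.by_type("host"))
    print("reachable from user:alice:", sorted(g.reachable("user:alice")))
```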
GenericDetail
Fields
Field
Type
Description
Arguments
name
String
External source providing this data.
generic
KeyValuePairsIndexed
Key value pairs that were indexed.
GeographicIp
Description : IP Address Geolocation data. This is populated at time of alert generation.
Fields
Field
Type
Description
Arguments
ip_address
String
latitude
Float
Geographic latitude of the IP address.
longitude
Float
Geographic longitude of the IP address.
radius
Float
The IP address geolocation is accurate to within this radius of the latitude/longitude.
geohash
String
Geohash of the location (https://en.wikipedia.org/wiki/Geohash).
country_code_iso
String
Country ISO code of the Geolocation.
asn
Int
Autonomous System Number of IP Address.
HandsOnKeyboardDetails
Fields
Field
Type
Description
Arguments
matched_process
HandsOnKeyboardDetails_MatchedProcess
total_num_events
Int
matched_num_events
Int
num_admin_events
Int
common_parent_image_path
String
host_id
String
username
String
HandsOnKeyboardDetails_Commandline
Fields
Field
Type
Description
Arguments
commandline
String
matched_features
String
HandsOnKeyboardDetails_Image
Fields
Field
Type
Description
Arguments
image_path
String
matched_features
String
HandsOnKeyboardDetails_MatchedProcess
Fields
Field
Type
Description
Arguments
process_resource_id
String
image
HandsOnKeyboardDetails_Image
commandline
HandsOnKeyboardDetails_Commandline
num_matched_features
Int
event_time_sec
Int
score
Float
severity
String
ImprobableLogonDetail
Fields
Field
Type
Description
Arguments
user
String
source_address
String
feature_name
ImprobableLogonDetail_FeatureName
logon_anomaly
LogonAnomaly
user_logon_baselines
UserLogonBaseline
Kerberoasting
Fields
Field
Type
Description
Arguments
user
String
User perpetrating the kerberoasting attack. This is the username performing the requests.
user_baseline
Int
Number of days where the user made weakly encrypted (RC4, etc.) Ticket Granting Service (TGS) requests.
user_avg_requests
Float
The average daily number of weakly encrypted Ticket Granting Service Requests this user generated in their baseline profile.
user_max_requests
Int
The maximum daily number of weakly encrypted Ticket Granting Service Requests this user generated in their baseline profile.
total_spns
Int
Total number of Service Principal Names found in the tenant’s historical data.
suspicious_num_requests
Int
Count of weakly encrypted Ticket Granting Service Requests made by the user.
percentage_accessed
Float
The percentage of the tenant’s total Service Principal Names that were accessed during the suspicious session.
spns_accessed
String
The list of exact names of the Service Principal Names that were accessed during the suspicious session.
source_address
String
IP address from which the TGS service tickets were requested.
hostname
String
The Kerberos Key Distribution Center (KDC) that serviced the ticket request (Windows event ID 4769).
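The Kerberoasting fields above are all derivable from Windows 4769 (service ticket request) records: the baseline is the user's history of weakly encrypted TGS requests, and the session is the burst being judged against it. This added example, which is not the detector's implementation, recomputes those fields from constructed events. Encryption type codes follow RFC 3961 / MS-KILE (0x17 RC4-HMAC, 0x01 and 0x03 DES); the trigger rule used here (more requests than the user's historical daily maximum and at least 20% of the tenant's SPNs touched) and the added `suspicious` verdict are assumptions.

```python
from collections import defaultdict
from typing import Any, Iterable

# Kerberos etype codes (RFC 3961 / MS-KILE). RC4-HMAC and the DES types are the
# "weakly encrypted" tickets a kerberoaster requests so they can be cracked offline.
WEAK_ETYPES = {0x01, 0x03, 0x17}
MIN_PERCENT_ACCESSED = 20.0  # assumption: a session must sweep at least this share of SPNs


def kerberoasting_detail(events: Iterable[dict[str, Any]], user: str,
                         suspicious_day: str, source_address: str) -> dict[str, Any]:
    """events: dicts with user, day (YYYY-MM-DD), spn, etype, source, kdc,
    as would be projected from 4769 records. Returns a dict using the
    Kerberoasting field names plus an added `suspicious` verdict."""
    events = list(events)
    weak = [e for e in events if e["etype"] in WEAK_ETYPES]
    # total_spns: every SPN seen in the tenant's history, any etype
    total_spns = len({e["spn"] for e in events})

    # Baseline: the user's weak TGS requests per day, excluding the day under review.
    per_day: dict[str, int] = defaultdict(int)
    for e in weak:
        if e["user"] == user and e["day"] != suspicious_day:
            per_day[e["day"]] += 1
    user_baseline = len(per_day)
    user_avg = (sum(per_day.values()) / user_baseline) if user_baseline else 0.0
    user_max = max(per_day.values(), default=0)

    # The suspicious session: weak requests by this user, that day, from this IP.
    session = [e for e in weak if e["user"] == user and e["day"] == suspicious_day
               and e["source"] == source_address]
    spns_accessed = sorted({e["spn"] for e in session})
    pct = (100.0 * len(spns_accessed) / total_spns) if total_spns else 0.0
    kdcs = sorted({e["kdc"] for e in session if e.get("kdc")})

    return {
        "user": user,
        "user_baseline": user_baseline,
        "user_avg_requests": user_avg,
        "user_max_requests": user_max,
        "total_spns": total_spns,
        "suspicious_num_requests": len(session),
        "percentage_accessed": pct,
        "spns_accessed": spns_accessed,
        "source_address": source_address,
        "hostname": kdcs[0] if kdcs else None,
        "suspicious": len(session) > user_max and pct >= MIN_PERCENT_ACCESSED,  # added verdict
    }


def _ev(user: str, day: str, spn: str, etype: int = 0x17,
        source: str = "10.0.0.5", kdc: str = "DC01.corp.example") -> dict[str, Any]:
    return {"user": user, "day": day, "spn": spn, "etype": etype, "source": source, "kdc": kdc}


# Constructed sample: ten SPNs in the tenant, one service account that normally
# makes a handful of RC4 requests a day and then sweeps eight SPNs in one session,
# and a user who only ever requests AES tickets.
SPNS = [f"MSSQLSvc/db{i:02d}.corp.example:1433" for i in range(10)]
SAMPLE_EVENTS = (
    [_ev("svc_scan", "2024-03-01", SPNS[i]) for i in range(3)]
    + [_ev("svc_scan", "2024-03-02", SPNS[i % 4]) for i in range(5)]
    + [_ev("svc_scan", "2024-03-03", SPNS[i % 8]) for i in range(40)]
    + [_ev("bob", "2024-03-03", SPNS[i], etype=0x12) for i in (8, 9)]
)

if __name__ == "__main__":
    print(kerberoasting_detail(SAMPLE_EVENTS, "svc_scan", "2024-03-03", "10.0.0.5"))
```

Counting only weak etypes matters: a domain full of AES-only service accounts produces no baseline and no session, so a user who suddenly requests RC4 tickets for many SPNs stands out immediately rather than being diluted by ordinary AES traffic.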
LoginFailureDetail
Fields
Field
Type
Description
Arguments
host
String
Host causing authentication failures.
user
String
User that the authentication failures are occurring against.
source_address
String
Source IP Address that authentication attempts are originating from.
target_address
String
Destination IP Address that authentication attempts are being sent to.
successful_auth_event
String
Reference ID to sample of successful authentication.
failed_auth_event
String
Reference ID to sample of failed authentication.
LogonAnomaly
Fields
Field
Type
Description
Arguments
feature_value
String
feature_frequency_in_org
Float
feature_frequency_in_user
Float
approximate_count_in_user
Int
min_allowed_user_percentage
Float
min_allowed_org_percentage
Float
MatchDetails
Fields
Field
Type
Description
Arguments
list_name
String
IOC List Name
reason
String
Details about the IOC List.
attacks
String
MITRE ATT&CK Techniques associated with list.
MitreAttackDetails
Description : Details for the Mitre ATT&CK technique associated with the alert.
Fields
Field
Type
Description
Arguments
technique_id
String
technique
String
tactics
String
type
String
description
String
platform
String
system_requirements
String
url
String
data_sources
String
defence_bypassed
String
contributors
String
version
String
NetworkConnection
Fields
Field
Type
Description
Arguments
source_ip
String
destination_ip
String
PasswordSprayAffectedUser
Fields
Field
Type
Description
Arguments
target_user_name
String
target_domain_name
String
user_had_auth_success
Boolean
PasswordSprayDetail
Fields
Field
Type
Description
Arguments
source_address
String
IP Address performing authentication attempts.
num_auth_failures
Int
Count of authentication failures observed.
num_auth_successes
Int
Count of successful authentications observed.
all_affected_users
PasswordSprayAffectedUser
List of usernames with failed or successful logins.
RareProgramRareIpDetail
Fields:
  host (String): Host executing observed programs and connections.
  programs (String): List of rare programs.
  connections (NetworkConnection): List of rare network connections. Note that network connections are not explicitly correlated to the rare program executed.
Reference
Fields:
  type (String)
  url (String)
  description (String)
ReferenceDetail
Fields:
  reference (Reference)
Relationship
Description: Relationships between entities contained in the alert.
Fields:
  from_entity (String)
  to_entity (String)
  relationship (String)
  type (String)
StolenCredsTravelFeatures
Description: Travel features for the Stolen Credentials Detector.
Fields:
  accurate_geo (Boolean): Geolocation data is considered accurate.
  foreign_travel (Boolean): Did this travel cross international borders?
  long_distance_travel (Boolean): Did this travel occur over a long distance?
  travel_hours (Float): How many hours elapsed between the two logins.
  travel_km_min (Float): Minimum distance travelled between the two points; the radius of accuracy from geolocation data (GeographicIp.radius) is used to calculate this distance.
  travel_km_h_min (Float): Travel speed in km/h. "min" denotes the speed calculated from the minimum distance, which accounts for the radius of accuracy from geolocation data (GeographicIp.radius).
  travel_speed_impossible (Boolean): Is the travel speed impossible?
  username (String): The user who logged in from both locations.
  current_location (GeographicIp): Second location the user logged in from. The user travelled to this location.
  prior_location (GeographicIp): First location the user logged in from. The user travelled from this location.
StolenCredsTrustFeatures
Description: Trust features for the Stolen Credentials Detector. These are used to set the priority of the alert.
Fields:
  network_unknown_asn (Boolean): When true, the detector has not seen this ASN before across all tenants.
  network_unknown_ip (Boolean): When true, the detector has not seen this IP before across all tenants.
  user_unknown_ip (Boolean): When true, the detector has not seen this IP before for this username.
  user_unknown_asn (Boolean): When true, the detector has not seen this ASN before for this username.
  prior_event_time_sec (Int): Login time in seconds for the first login.
  current_event_time_sec (Int): Login time in seconds for the second login.
  prior_event_id (String): Reference ID of the first login.
  current_event_id (String): Reference ID of the second login.
  username (String): The user who logged in from both locations.
  location (GeographicIp): Geographic location of the second login.
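The travel features (StolenCredsTravelFeatures) are derived from two login locations and the two event times in seconds that the trust features (StolenCredsTrustFeatures) carry. The following is an added example, not the detector's code, showing how those fields fit together: the haversine great-circle distance, the subtraction of both accuracy radii (GeographicIp.radius) to get the minimum distance, the speed from that minimum, and the impossible-speed flag. The GeographicIp field set, the speed and distance thresholds, and the use of country ISO codes for the foreign-travel flag are assumptions; the documentation does not state the detector's actual values or method.

```python
"""Added example (not the detector's code): derive StolenCredsTravelFeatures
values for two logins from GeographicIp-like locations and the prior/current
event times in seconds. The haversine distance, the radius subtraction and the
thresholds are assumptions modelled on the field descriptions."""
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
# Assumed thresholds; the documentation does not state the detector's values.
IMPOSSIBLE_SPEED_KM_H = 1000.0   # above airliner cruise speed
LONG_DISTANCE_KM = 500.0


@dataclass
class GeographicIp:
    """Subset of a geolocation record (constructed, assumed field set)."""
    ip: str
    latitude: float
    longitude: float
    radius: float            # accuracy radius in km
    country_iso_code: str
    accurate: bool = True


@dataclass
class StolenCredsTravelFeatures:
    username: str
    accurate_geo: bool
    foreign_travel: bool
    long_distance_travel: bool
    travel_hours: float
    travel_km_min: float
    travel_km_h_min: float
    travel_speed_impossible: bool
    prior_location: GeographicIp
    current_location: GeographicIp


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in km."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def travel_features(username: str, prior: GeographicIp, current: GeographicIp,
                    prior_event_time_sec: int,
                    current_event_time_sec: int) -> StolenCredsTravelFeatures:
    """Compute the travel features for a (prior, current) login pair."""
    travel_hours = max(current_event_time_sec - prior_event_time_sec, 0) / 3600.0
    centre_km = haversine_km(prior.latitude, prior.longitude,
                             current.latitude, current.longitude)
    # Minimum distance: the two accuracy circles may overlap, so subtract both
    # radii and floor at zero. This is the most conservative distance the user
    # could have travelled, which keeps false positives down on coarse geodata.
    travel_km_min = max(0.0, centre_km - prior.radius - current.radius)
    if travel_hours > 0:
        travel_km_h_min = travel_km_min / travel_hours
    else:
        # Same timestamp: any non-zero distance is unreachable.
        travel_km_h_min = math.inf if travel_km_min > 0 else 0.0
    return StolenCredsTravelFeatures(
        username=username,
        accurate_geo=prior.accurate and current.accurate,
        foreign_travel=prior.country_iso_code != current.country_iso_code,
        long_distance_travel=travel_km_min >= LONG_DISTANCE_KM,
        travel_hours=travel_hours,
        travel_km_min=travel_km_min,
        travel_km_h_min=travel_km_h_min,
        travel_speed_impossible=travel_km_h_min > IMPOSSIBLE_SPEED_KM_H,
        prior_location=prior,
        current_location=current,
    )


if __name__ == "__main__":
    # Constructed sample: a London login followed one hour later by a New York login.
    london = GeographicIp("192.0.2.10", 51.5074, -0.1278, 20.0, "GB")
    new_york = GeographicIp("198.51.100.20", 40.7128, -74.0060, 20.0, "US")
    print(travel_features("alice", london, new_york, 1_700_000_000, 1_700_003_600))
```

Subtracting both radii is what makes `travel_km_min` and `travel_km_h_min` "minimum" values: two logins whose accuracy circles overlap yield a distance of zero and are never flagged, so a coarse city-level geolocation cannot by itself produce an impossible-travel alert.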
TacticGraphDetail
Fields:
  graph_id (String)
  events (KeyAndValues)
ThirdPartyDetail
Description: Available third-party details of the alert.
Fields:
  generic (GenericDetail)
UserLogonBaseline
Fields:
  feature_value (String)
  feature_frequency_in_org (Float)
  feature_frequency_in_user (Float)
  approximate_count_in_user (Int)
  days_in_baseline (Int): Number of days over which the baseline was established.
WatchlistMatches
Description: Details about the watchlist that produced the alert.
Fields:
  entity (String): Entity matching the Indicator of Compromise.
  details (MatchDetails): IOC watchlist details.
WhoisSimple
Description: Domain WHOIS information.
Fields:
  domainName (String): WHOIS information was fetched for this domain.
  registrarName (String)
  contactEmail (String)
  whoisServer (String)
  nameServers (String)
  createdDate (String)
  updatedDate (String)
  expiresDate (String)
  standardRegCreatedDate (String)
  standardRegUpdatedDate (String)
  standardRegExpiresDate (String)
  status (String)
  Audit_auditUpdatedDate (String)
  registrant_email (String)
  registrant_name (String)
  registrant_organization (String)
  registrant_street1 (String)
  registrant_street2 (String)
  registrant_street3 (String)
  registrant_street4 (String)
  registrant_city (String)
  registrant_state (String)
  registrant_postalCode (String)
  registrant_country (String)
  registrant_fax (String)
  registrant_faxExt (String)
  registrant_telephone (String)
  registrant_telephoneExt (String)
  administrativeContact_email (String)
  administrativeContact_name (String)
  administrativeContact_organization (String)
  administrativeContact_street1 (String)
  administrativeContact_street2 (String)
  administrativeContact_street3 (String)
  administrativeContact_street4 (String)
  administrativeContact_city (String)
  administrativeContact_state (String)
  administrativeContact_postalCode (String)
  administrativeContact_country (String)
  administrativeContact_fax (String)
  administrativeContact_faxExt (String)
  administrativeContact_telephone (String)
  administrativeContact_telephoneExt (String)
  reg_created_date_usec (Int)
  reg_updated_date_usec (Int)
  reg_expires_date_usec (Int)
Description: Fields that can be grouped by in an AggregateAlertsBySeverity query.
AlertsSeverity: Enum of alert severity levels.
Description: Internal Type
InvestigationOperation: Type of investigation operation; either update or delete.
ResolutionStatus: Enum of alert resolution statuses.
ResponseStatus: Status of alerts operations.
ImprobableLogonDetail_FeatureName
Origin: Alert origin.
EntityPerspective: Perspective of the entity.
RPCResponseStatus: Internal Type
Visibility
Mutation
Fields:
  alertsServiceUpdateInvestigationInfo(in: UpdateInvestigationRequestInput): UpdateInvestigationResponse
  alertsServiceUpdateResolutionInfo(in: UpdateResolutionRequestInput): UpdateResolutionResponse
    Add a resolution or modify an existing resolution for a given list of alert IDs.
  alertsServiceBulkInvestigationsProcessor(in: BulkInvestigationsRequestInput): BulkInvestigationsResponse
    Bulk add alerts to an existing investigation by providing either a query or a list of alert IDs. If a query is provided, all alerts matching the query are added to the investigation.
  alertsServiceEvict(in: EvictRequestInput): EvictResponse
    DEPRECATED: Does not do anything other than return OK. No replacement necessary.
  alertsServiceUpdateThreatScore(in: UpdateThreatScoreRequestInput): UpdateThreatScoreResponse
    Update the threat score for a given list of alert IDs.
Query
Description: The Taegis Alerts API is based on GraphQL, in which an operation is either a read (Query) or a write (Mutation). A GraphQL query reads or fetches values; a mutation writes or posts values. Responses are provided in JSON format.
Fields:
  alertsServiceRetrieveAlertsById(in: GetByIDRequestInput): AlertsResponse
    Provide a list of Alert IDs to retrieve each alert's details.
  alertsServiceRetrieveAlertsByHost(in: GetByIDRequestInput): AlertsResponse
    Provide a list of Host IDs to retrieve the details of each alert that contains those hosts.
  alertsServiceRetrieveAlertsByEntity(in: GetByIDRequestInput): AlertsResponse
    Provide a list of entities to retrieve the details of each alert that contains those entities.
  alertsServiceRetrieveAlertsByGroupKey(in: GetByIDRequestInput): AlertsResponse
    Provide a list of entities to retrieve the details of each alert that contains the group_key. This is used by the service to aid in alert deduplication and would not commonly be used by a tenant of XDR.
  alertsCountByTenant(in: AlertsCountByTenantInput): AlertsCountByTenantResponse
    Returns the count of alerts per tenant. Allows a CQL query, but any aggregation or pipe will be ignored.
  alertsServiceSearch(in: SearchRequestInput): AlertsResponse
    Search alerts using the Query Language. This is the same query language provided on the Advanced Search page in Taegis XDR.
  alertsServicePoll(in: PollRequestInput): AlertsResponse
    Poll for results for a specific search_id.
  alertsServiceAggregateAlertsBySeverity(in: AggregateAlertsBySeverityInputInput): AlertsAggregateResponse
    Pull alert severity aggregates based on group_by parameters: domain, watchlist, hostname, detector, user.
  node(id: ID): Node
Subscription
Fields:
  alertsServiceBulkResolutionProcessor(in: BulkResolutionRequestInput): BulkResolutionResponse
    Add a resolution or modify an existing resolution for multiple alerts selected with a CQL query.
AuxiliaryEvent
Description: Used by Nautilus to resolve the Red Cloak TDR asset model.
Fields:
  id (ID)
Investigation
Description: Used by Nautilus to resolve the Red Cloak TDR asset model.
Fields:
  id (ID)
  GenesisAlertsFlag (String)
Collection
Description: Used by Nautilus to resolve the Red Cloak TDR asset model.
Fields:
  id (ID)
Observation
Description: Used by Nautilus to resolve the Red Cloak TDR asset model.
Fields:
  id (ID)