BYOTI GraphQL API
Time
Description: Time is a timestamp in RFC3339 format (for example 2024-01-01T00:00:00Z)
Mutation
Description: Mutations for ingesting or modifying customer threat intelligence data
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| upsertSTIXDocuments | UpsertIndicatorsResponse | Mutation for adding or updating indicators supplied as STIX documents | input: STIXDocumentInput |
| upsertIndicators | UpsertIndicatorsResponse | Mutation for adding or updating indicators | input: IndicatorInput |
| deleteIndicators | DeleteIndicatorResponse | Mutation for deleting the indicators matched by a CQL query | query: String |
String
Description: The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
Query
Description: Queries to support searching for customer threat intelligence data
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| searchIndicators | SearchIndicatorsResponse | Query to support searching for indicators using Taegis QL | input: SearchIndicatorsInput |
| getIndicators | SearchIndicatorsResponse | Search for indicators matching the provided parameters. If no parameters are given, the query returns any indicators belonging to the caller, up to the default of 100 per page | input: GetIndicatorsInput |
| paginateIndicators | SearchIndicatorsResponse | Similar to getIndicators but uses cursor-based pagination instead of page numbers | input: PaginateIndicatorsInput |
SearchIndicatorsInput
Description: Input to the searchIndicators query
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| query | String | Taegis QL query used for searching indicators | |
| page | Int | Page number to fetch | |
| per_page | Int | Number of indicators per page | |
| with_partner_tenants | Boolean | Also include indicators from partner tenants belonging to the caller | |
Int
Description: The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
Boolean
Description: The Boolean scalar type represents true or false.
STIXDocumentInput
Description: Represents a STIX document used as input to the upsertSTIXDocuments mutation
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| type | String | STIX object type; currently only 'indicator' is supported | |
| spec_version | String | STIX specification version; currently only '2.1' is supported for STIX indicators | |
| id | ID | Unique identifier from the source, commonly the STIX object id | |
| created | Time | Ignored by the API | |
| modified | Time | Ignored by the API | |
| name | String | Name describing the indicator | |
| description | String | Description of the indicator | |
| pattern | String | The STIX-formatted indicator pattern | |
| pattern_type | String | Pattern language; currently only 'stix' is supported | |
| severity | Severity | One of INFO, LOW, MEDIUM, HIGH or CRITICAL | |
| source_name | String | Name of the source providing the indicator | |
| integration_id | Int | The ID of the integration that ingested the indicator | |
| reference_url | String | URL of a page describing the indicator | |
| valid_from | Time | Time from which the indicator takes effect | |
ID
Description: The ID scalar type represents a unique identifier, often used to refetch an object or as key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.
ObjectType
Description: ObjectType is the type of the indicator
Possible Values
- DOMAIN = "domain"
- HASH = "hash"
- IP = "ip"
- URL = "url"
ObjectSubtype
Description: Subtype of the indicator; the allowed values depend on the ObjectType
Possible Values
- If ObjectType is IP:
- IPV4 = "ipv4"
- IPV6 = "ipv6"
- If ObjectType is HASH:
- MD5 = "md5"
- SHA1 = "sha1"
- SHA256 = "sha256"
Severity
Description: Severity assigned to the alerts created when an indicator matches
Possible Values
- INFO = "INFO"
- LOW = "LOW"
- MEDIUM = "MEDIUM"
- HIGH = "HIGH"
- CRITICAL = "CRITICAL"
ByotiIndicator
Description: Representation of an indicator stored in the API
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | ID | Internal ID of the indicator | |
| object_type | ObjectType | The type of the indicator, as defined by the ObjectType enum | |
| object_subtype | ObjectSubtype | The subtype of the indicator, as defined by the ObjectSubtype enum | |
| name | String | A name describing the indicator | |
| description | String | Description of the indicator | |
| tenant_id | ID | ID of the tenant that owns the indicator record | |
| value | String | The raw indicator value | |
| reference_url | String | External URL describing the indicator | |
| severity | Severity | One of the values in the Severity enum | |
| source_name | String | The data source from which the indicator was retrieved | |
| integration_id | Int | The ID of the integration that ingested the indicator | |
| created_at | Time | Date/time when the indicator was created in the API | |
| updated_at | Time | Date/time when the indicator was last updated in the API | |
| deleted_at | Time | Date/time when the indicator was marked deleted in the API; deleted indicators are still returned by the queries unless exclude_deleted is set | |
ByotiRejectedIndicatorResponse
Description: A rejected indicator and the reason it was rejected
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | String | The raw indicator value | |
| reason | String | Reason the indicator was rejected | |
UpsertIndicatorsResponse
Description: Response type for the mutations that create or update indicators (upsertIndicators and upsertSTIXDocuments)
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| accepted_indicators | ByotiIndicator | Indicators accepted by the API, as stored | |
| rejected_indicators | ByotiRejectedIndicatorResponse | Indicators rejected by the API, each with a reason | |
SearchIndicatorsResponse
Description: Response type for the searchIndicators, getIndicators and paginateIndicators queries
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| indicators | ByotiIndicator | The indicators returned in response to the query | |
| page | Int | Page number returned | |
| per_page | Int | Maximum number of indicators per page in this search | |
| offset | Int | Internal offset | |
| total_pages | Int | Total number of result pages, given the per_page value specified | |
| current_entries_returned | Int | Number of entries returned in this page | |
| total_entries_size | Int | Total number of entries that match the search criteria | |
| cursor | String | Cursor to pass as PaginateIndicatorsInput.cursor in the next paginateIndicators request | |
GetIndicatorsInput
Description: Get indicators matching the fields provided
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| object_type | ObjectType | Filter indicators by object type | |
| updated_after | Time | Return only indicators with updated_at >= updated_after | |
| with_partner_tenants | Boolean | Also include indicators from partner tenants belonging to the caller | |
| reference_url | String | Filter by the reference URL describing the indicator | |
| source_name | String | Filter by the name of the source of the indicator | |
| integration_id | Int | Filter by the ID of the integration that ingested the indicator | |
| severity | Severity | Filter by severity: INFO, LOW, MEDIUM, HIGH or CRITICAL | |
| exclude_deleted | Boolean | Exclude deleted indicators | |
| page | Int | Page number to fetch | |
| per_page | Int | Number of indicators per page | |
PaginateIndicatorsInput
Description: Paginate indicators matching the fields provided
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| object_type | ObjectType | Filter indicators by object type | |
| updated_after | Time | Return only indicators with updated_at >= updated_after | |
| with_partner_tenants | Boolean | Also include indicators from partner tenants belonging to the caller | |
| reference_url | String | Filter by the reference URL describing the indicator | |
| source_name | String | Filter by the name of the source of the indicator | |
| integration_id | Int | Filter by the ID of the integration that ingested the indicator | |
| severity | Severity | Filter by severity: INFO, LOW, MEDIUM, HIGH or CRITICAL | |
| exclude_deleted | Boolean | Exclude deleted indicators | |
| per_page | Int | Number of indicators per page | |
| cursor | String | Cursor used to paginate through results. Leave empty on the first request; on every later request pass the cursor value returned in the previous response | |
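The cursor loop that PaginateIndicatorsInput describes, combined with the updated_after and exclude_deleted filters shared with GetIndicatorsInput, as an added Python example that is not code from the BYOTI API or its project. It runs an incremental pull: updated_after is set to the watermark kept from the previous run, the first request sends an empty cursor and each later request sends the cursor from the previous response, and results are keyed by id because the filter is inclusive (updated_at >= updated_after), so the record sitting exactly on the watermark is returned again. The GraphQL field names are taken from the schema above; the HTTP transport, authentication and the nullability of `$input` are assumptions, and `fake_execute` with its five records is a constructed stand-in for the server so the example runs offline (its base64 offset cursor is the stub's own encoding, the real cursor is opaque).

```python
"""Incremental pull of BYOTI indicators through paginateIndicators.

Added example, not code from the BYOTI API or its project. Field names
come from the schema reference; the transport, authentication, the
nullability of $input and the cursor encoding of the stand-in server
are assumptions or constructed for offline use.
"""
import base64
from datetime import datetime, timedelta, timezone

# GraphQL document sent for every page; $input nullability is assumed.
PAGINATE_QUERY = """
query PaginateIndicators($input: PaginateIndicatorsInput) {
  paginateIndicators(input: $input) {
    indicators { id object_type object_subtype value severity updated_at deleted_at }
    current_entries_returned
    cursor
  }
}
"""

CALL_LOG = []  # one entry per request the stand-in server receives


def ts_hours(hours):
    """RFC3339 timestamp `hours` after a fixed, constructed epoch."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return (base + timedelta(hours=hours)).isoformat()


# Constructed ByotiIndicator-shaped records; not real threat data.
STORE = [
    {"id": "1", "object_type": "domain", "object_subtype": None, "value": "bad.example",
     "severity": "HIGH", "updated_at": ts_hours(0), "deleted_at": None},
    {"id": "2", "object_type": "ip", "object_subtype": "ipv4", "value": "198.51.100.7",
     "severity": "MEDIUM", "updated_at": ts_hours(1), "deleted_at": None},
    {"id": "3", "object_type": "hash", "object_subtype": "sha256", "value": "a" * 64,
     "severity": "CRITICAL", "updated_at": ts_hours(2), "deleted_at": ts_hours(2)},
    {"id": "4", "object_type": "url", "object_subtype": None, "value": "http://bad.example/x",
     "severity": "LOW", "updated_at": ts_hours(3), "deleted_at": None},
    {"id": "5", "object_type": "ip", "object_subtype": "ipv6", "value": "2001:db8::1",
     "severity": "HIGH", "updated_at": ts_hours(4), "deleted_at": None},
]


def fake_execute(query, variables):
    """Stand-in for the HTTP GraphQL call. Applies updated_after (>=),
    exclude_deleted and per_page, and pages with a base64 offset cursor;
    that encoding is this stub's own, the real API's cursor is opaque."""
    inp = variables["input"]
    CALL_LOG.append(dict(inp))
    rows = sorted(STORE, key=lambda r: (r["updated_at"], r["id"]))
    if inp.get("updated_after"):
        rows = [r for r in rows if r["updated_at"] >= inp["updated_after"]]
    if inp.get("exclude_deleted"):
        rows = [r for r in rows if r["deleted_at"] is None]
    per_page = inp.get("per_page") or 100
    offset = int(base64.b64decode(inp["cursor"]).decode()) if inp.get("cursor") else 0
    page = rows[offset:offset + per_page]
    nxt = offset + len(page)
    cursor = base64.b64encode(str(nxt).encode()).decode() if nxt < len(rows) else ""
    return {"data": {"paginateIndicators": {
        "indicators": page, "current_entries_returned": len(page), "cursor": cursor}}}


def sync_indicators(execute, since=None, per_page=100, exclude_deleted=False):
    """Walk every page and return ({id: indicator}, new_watermark).

    `since` is the watermark kept from the previous run. The filter is
    updated_at >= updated_after, so the record on the boundary comes
    back again; keying by id makes that harmless."""
    seen, watermark, cursor = {}, since, ""  # cursor is empty on the first request
    while True:
        inp = {"per_page": per_page, "cursor": cursor, "exclude_deleted": exclude_deleted}
        if since:
            inp["updated_after"] = since
        resp = execute(PAGINATE_QUERY, {"input": inp})
        if resp.get("errors"):
            raise RuntimeError(f"GraphQL errors: {resp['errors']}")
        body = resp["data"]["paginateIndicators"]
        for ind in body["indicators"]:
            seen[ind["id"]] = ind
            if watermark is None or ind["updated_at"] > watermark:
                watermark = ind["updated_at"]
        cursor = body["cursor"]
        if not cursor or body["current_entries_returned"] == 0:
            break  # no cursor returned: last page reached
    return seen, watermark


def split_deleted(indicators):
    """Separate live records from soft-deleted ones (deleted_at set) so a
    downstream blocklist can retire entries rather than keep matching on them."""
    live = {k: v for k, v in indicators.items() if v["deleted_at"] is None}
    gone = {k: v for k, v in indicators.items() if v["deleted_at"] is not None}
    return live, gone


if __name__ == "__main__":
    full, mark = sync_indicators(fake_execute, per_page=2)
    live, gone = split_deleted(full)
    print(f"first run: {len(full)} records over {len(CALL_LOG)} requests, "
          f"{len(gone)} deleted, watermark {mark}")
    delta, _ = sync_indicators(fake_execute, since=mark, per_page=2)
    print(f"second run from watermark: ids {sorted(delta)} (boundary record returned again)")
```

Leaving exclude_deleted false on the incremental run is deliberate: a deletion bumps deleted_at, and a consumer that filters deleted records out at query time never learns that an indicator it already holds has been retired. Pull them, then act on deleted_at locally.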
IndicatorInput
Description: Used as input to the upsertIndicators mutation
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| object_type | ObjectType | Currently supported options: ip, hash, domain, url | |
| object_subtype | ObjectSubtype | Subtype of the indicator; the allowed values depend on object_type (ipv4 or ipv6 for ip; md5, sha1 or sha256 for hash) | |
| name | String | A friendly name for the threat indicator | |
| description | String | Description of the indicator | |
| value | String | The indicator's value | |
| reference_url | String | URL describing data about the indicator | |
| source_name | String | Name of the source of the indicator | |
| integration_id | Int | The ID of the integration that ingested the indicator | |
| severity | Severity | Severity of the indicator: INFO, LOW, MEDIUM, HIGH or CRITICAL | |
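Building IndicatorInput records for the upsertIndicators mutation and reading back an UpsertIndicatorsResponse, as an added Python example that is not the project's own client. The point it makes is that object_subtype must agree with object_type (ipv4/ipv6 only for ip, md5/sha1/sha256 only for hash), so the value is classified locally before anything is sent and unclassifiable rows are rejected on the client side rather than surfacing later under rejected_indicators. The classification rules (ipaddress parsing for ip, hex length for hash, http/https scheme for url, a conservative hostname pattern for domain) are this example's own. Whether `input` takes one IndicatorInput or a list is not shown on this page; a non-null list is assumed here. The enums are sent as the lowercase wire values listed under Possible Values (for example "ipv4"); confirm by introspection whether the live schema expects the enum names (IPV4) instead. SAMPLE_RESPONSE is constructed, including its rejection reason.

```python
"""Build IndicatorInput records for upsertIndicators and read the response.

Added example; not the project's own client. Classification rules are this
example's own, chosen to match the ObjectType/ObjectSubtype values in the
schema. The list type of $input, the enum wire values and SAMPLE_RESPONSE
are assumptions or constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

SEVERITIES = ("INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL")
HASH_SUBTYPE_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Conservative hostname check: letter/digit/hyphen labels, at least one dot, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# $input as a non-null list is an assumption; the page shows only the element type.
UPSERT_MUTATION = """
mutation UpsertIndicators($input: [IndicatorInput!]!) {
  upsertIndicators(input: $input) {
    accepted_indicators { id object_type object_subtype value severity source_name }
    rejected_indicators { value reason }
  }
}
"""


def classify(value):
    """Return (object_type, object_subtype) for a raw indicator string.

    Raises ValueError for anything that does not fit ip/hash/url/domain so the
    bad row is caught here instead of coming back under rejected_indicators."""
    v = value.strip()
    if not v:
        raise ValueError("empty indicator value")
    try:
        addr = ipaddress.ip_address(v)
        return "ip", "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_SUBTYPE_BY_LENGTH:
        return "hash", HASH_SUBTYPE_BY_LENGTH[len(v)]
    if "://" in v:
        parts = urlsplit(v)
        if parts.scheme in ("http", "https") and parts.netloc:
            return "url", None
        raise ValueError(f"unsupported URL: {value!r}")
    if DOMAIN_RE.match(v.lower()):
        return "domain", None
    raise ValueError(f"cannot classify indicator: {value!r}")


def build_indicator(value, name, severity, source_name, description=None,
                    reference_url=None, integration_id=None):
    """Return one IndicatorInput dict whose object_subtype matches its object_type."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
    object_type, object_subtype = classify(value)
    norm = value.strip()
    if object_type in ("hash", "domain"):
        norm = norm.lower()  # case-insensitive kinds; normalise so repeated upserts collapse
    item = {"object_type": object_type, "name": name, "value": norm,
            "severity": severity, "source_name": source_name}
    if object_subtype:
        item["object_subtype"] = object_subtype
    for key, val in (("description", description), ("reference_url", reference_url),
                     ("integration_id", integration_id)):
        if val is not None:
            item[key] = val
    return item


def prepare_upsert(values, **common):
    """Build the variables for UPSERT_MUTATION; return (variables, local_rejects)."""
    items, rejects = [], []
    for raw in values:
        try:
            items.append(build_indicator(raw, **common))
        except ValueError as exc:
            rejects.append((raw, str(exc)))
    return {"input": items}, rejects


def summarize_upsert(response):
    """Split an UpsertIndicatorsResponse into accepted (id, value) and rejected (value, reason)."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    body = response["data"]["upsertIndicators"]
    accepted = [(i["id"], i["value"]) for i in body.get("accepted_indicators") or []]
    rejected = [(r["value"], r["reason"]) for r in body.get("rejected_indicators") or []]
    return accepted, rejected


# Constructed response shaped like UpsertIndicatorsResponse; the reason text is invented.
SAMPLE_RESPONSE = {"data": {"upsertIndicators": {
    "accepted_indicators": [{"id": "101", "object_type": "ip", "object_subtype": "ipv4",
                             "value": "198.51.100.7", "severity": "HIGH", "source_name": "example-feed"}],
    "rejected_indicators": [{"value": "bad.example", "reason": "constructed sample rejection"}],
}}}


if __name__ == "__main__":
    variables, local_rejects = prepare_upsert(
        ["198.51.100.7", "Bad.Example", "D41D8CD98F00B204E9800998ECF8427E", "not an indicator"],
        name="example feed", severity="HIGH", source_name="example-feed")
    print(f"{len(variables['input'])} to send, rejected locally: {local_rejects}")
    print(summarize_upsert(SAMPLE_RESPONSE))
```

Treat rejected_indicators as a normal outcome to log and alert on, not an exception: a partially accepted batch is still a successful mutation, and silently dropping the rejects is how a feed drifts out of sync with the API.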
DeleteIndicatorResponse
Description: Response type for the deleteIndicators mutation
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| indicators | ByotiIndicator | List of indicators marked for deletion | |
| status | Boolean | Whether the delete request succeeded (true) or failed (false) | |