BYOTI GraphQL API
Time
Description: Time is a timestamp in RFC3339 format
Mutation
Description: Mutations for ingesting or modifying customer threat intelligence data
Fields
Field | Type | Description | Arguments |
---|---|---|---|
upsertSTIXDocuments | UpsertIndicatorsResponse | Mutation for adding or updating STIX documents as indicators | input: STIXDocumentInput |
upsertIndicators | UpsertIndicatorsResponse | Mutation for adding or updating indicators | input: IndicatorInput |
deleteIndicators | DeleteIndicatorResponse | Mutation for deleting indicators using CQL queries | query: String |
String
Description: The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
Query
Description: Queries to support searching for customer threat intelligence data
Fields
Field | Type | Description | Arguments |
---|---|---|---|
searchIndicators | SearchIndicatorsResponse | Query to support searching for indicators using Taegis QL | input: SearchIndicatorsInput |
getIndicators | SearchIndicatorsResponse | Query indicators using the API. getIndicators searches for and returns indicators based on the provided search parameters. If the parameters are empty, the query returns any indicators belonging to the caller, up to the default of 100 per page | input: GetIndicatorsInput |
paginateIndicators | SearchIndicatorsResponse | PaginateIndicators is similar to getIndicators but uses cursor-based pagination | input: PaginateIndicatorsInput |
SearchIndicatorsInput
Description: Input to the SearchIndicators query
Fields
Field | Type | Description | Arguments |
---|---|---|---|
query | String | Taegis QL query used for searching indicators | |
page | Int | Specify the page to fetch | |
per_page | Int | Specify the count of indicators per page | |
with_partner_tenants | Boolean | Include additional tenants belonging to the caller | |
Int
Description: The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
Boolean
Description: The Boolean scalar type represents true or false.
STIXDocumentInput
Description: Represents a STIX document that is being used as an input to mutations
Fields
Field | Type | Description | Arguments |
---|---|---|---|
type | String | The currently supported type is 'indicator' | |
spec_version | String | The currently supported version is '2.1' for STIX indicators | |
id | ID | Unique identifier from source, commonly the stix 'ID' | |
created | Time | Ignored | |
modified | Time | Ignored | |
name | String | Name describing the indicator | |
description | String | Description of the indicator | |
pattern | String | Pattern is the STIX formatted indicator pattern | |
pattern_type | String | The currently supported pattern_type is 'stix' | |
severity | Severity | Severity accepts INFO, LOW, MEDIUM, HIGH, or CRITICAL | |
source_name | String | Name of the source providing the indicator | |
integration_id | Int | The ID of the integration that ingested the indicator | |
reference_url | String | Reference URL points to a URL describing the indicator | |
valid_from | Time | Valid_from sets the time at which an indicator should take effect | |
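The STIXDocumentInput table above lists the fields but not how a plain indicator (an IP, a hash, a domain) becomes a document the upsertSTIXDocuments mutation will accept. The following is an added example, not code from the BYOTI documentation: it assembles a STIXDocumentInput dict and runs a pre-flight check against the constraints the table states (type 'indicator', spec_version '2.1', pattern_type 'stix', the Severity enum). The mapping from the page's ObjectType/ObjectSubtype values to STIX 2.1 object paths, and the quote-escaping rule, come from the STIX 2.1 patterning specification rather than from this page; the sample values are constructed.

```python
"""Build STIXDocumentInput objects for upsertSTIXDocuments (added example)."""
import uuid
from datetime import datetime, timezone

SUPPORTED_SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

# (ObjectType, ObjectSubtype) from the reference -> STIX 2.1 object path used on
# the left-hand side of a comparison expression. Taken from the STIX 2.1 spec.
STIX_PATH = {
    ("ip", "ipv4"): "ipv4-addr:value",
    ("ip", "ipv6"): "ipv6-addr:value",
    ("domain", None): "domain-name:value",
    ("url", None): "url:value",
    ("hash", "md5"): "file:hashes.MD5",
    ("hash", "sha1"): "file:hashes.'SHA-1'",
    ("hash", "sha256"): "file:hashes.'SHA-256'",
}


def stix_pattern(object_type, value, object_subtype=None):
    """Return a single-comparison STIX 2.1 pattern, e.g.
    [ipv4-addr:value = '198.51.100.7'], for the given indicator."""
    key = (object_type, object_subtype)
    if key not in STIX_PATH:
        raise ValueError(f"no STIX mapping for {object_type!r}/{object_subtype!r}")
    # STIX string literals escape backslashes and single quotes with a backslash.
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"[{STIX_PATH[key]} = '{escaped}']"


def rfc3339(dt):
    """Format a datetime as the RFC3339 UTC timestamp the Time scalar expects."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_stix_document(object_type, value, severity, source_name, *,
                        object_subtype=None, name=None, description=None,
                        reference_url=None, valid_from=None, stix_id=None):
    """Assemble one STIXDocumentInput dict ready to be sent as the mutation's
    `input` variable. stix_id lets a caller reuse the id from the source feed."""
    severity = severity.upper()
    if severity not in SUPPORTED_SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SUPPORTED_SEVERITIES)}")
    now = datetime.now(timezone.utc)
    doc = {
        "type": "indicator",          # the only supported type
        "spec_version": "2.1",        # the only supported version
        "id": stix_id or f"indicator--{uuid.uuid4()}",
        "created": rfc3339(now),      # accepted by the schema but ignored
        "modified": rfc3339(now),     # likewise ignored
        "name": name or f"{object_type} indicator {value}",
        "pattern": stix_pattern(object_type, value, object_subtype),
        "pattern_type": "stix",       # the only supported pattern_type
        "severity": severity,
        "source_name": source_name,
        "valid_from": rfc3339(valid_from or now),
    }
    if description:
        doc["description"] = description
    if reference_url:
        doc["reference_url"] = reference_url
    return doc


def check_stix_document(doc):
    """Pre-flight check against the constraints stated in the reference.
    Returns a list of problems; an empty list means the document looks sendable."""
    problems = []
    if doc.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if doc.get("spec_version") != "2.1":
        problems.append("spec_version must be '2.1'")
    if doc.get("pattern_type") != "stix":
        problems.append("pattern_type must be 'stix'")
    if doc.get("severity") not in SUPPORTED_SEVERITIES:
        problems.append("severity must be INFO, LOW, MEDIUM, HIGH or CRITICAL")
    pattern = str(doc.get("pattern", ""))
    if not (pattern.startswith("[") and pattern.endswith("]")):
        problems.append("pattern must be a bracketed STIX pattern expression")
    return problems


if __name__ == "__main__":
    # Constructed sample indicator (SHA-256 of the empty file), not real intelligence.
    doc = build_stix_document(
        "hash", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "high", "internal-hunt", object_subtype="sha256")
    print(check_stix_document(doc) or "ok")
    print(doc["pattern"])
```

Running the check before the mutation call is cheaper than parsing rejected_indicators afterwards, and keeping `created`/`modified` in the document does no harm even though the table marks them as ignored.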
ID
Description: The ID scalar type represents a unique identifier, often used to refetch an object or as key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.
ObjectType
Description: ObjectType is the type of the indicator
Possible Values
- DOMAIN = "domain"
- HASH = "hash"
- IP = "ip"
- URL = "url"
ObjectSubtype
Description: Subtype of the indicator
Possible Values
- If ObjectType is IP:
  - IPV4 = "ipv4"
  - IPV6 = "ipv6"
- If ObjectType is HASH:
  - MD5 = "md5"
  - SHA1 = "sha1"
  - SHA256 = "sha256"
Severity
Description: Defines values for indicating how severe an alert created by an indicator will be
Possible Values
- INFO = "INFO"
- LOW = "LOW"
- MEDIUM = "MEDIUM"
- HIGH = "HIGH"
- CRITICAL = "CRITICAL"
ByotiIndicator
Description: Representation of an indicator stored in the API
Fields
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | Internal ID of the indicator | |
object_type | ObjectType | The type of the indicator as defined in the object_type enum | |
object_subtype | ObjectSubtype | The subtype of the indicator as defined in the object_subtype enum | |
name | String | A name describing the indicator | |
description | String | Description of the indicator | |
tenant_id | ID | ID of the tenant controlling the indicator record | |
value | String | The raw indicator | |
reference_url | String | External URL describing the indicator | |
severity | Severity | One of the severity values in the severity enum | |
source_name | String | The data source from where the indicator was retrieved | |
integration_id | Int | The ID of the integration that ingested the indicator | |
created_at | Time | Date/time when the indicator was created in the API | |
updated_at | Time | Date/time when the indicator was updated in the API | |
deleted_at | Time | Date/time when the indicator was deleted in the API | |
ByotiRejectedIndicatorResponse
Description: Rejected indicator and reason for rejection
Fields
Field | Type | Description | Arguments |
---|---|---|---|
value | String | The raw indicator | |
reason | String | Reason the indicator was rejected | |
UpsertIndicatorsResponse
Description: Response type for mutations responsible for creating or updating indicators
Fields
Field | Type | Description | Arguments |
---|---|---|---|
accepted_indicators | ByotiIndicator | Indicators accepted by the API | |
rejected_indicators | ByotiRejectedIndicatorResponse | Indicators rejected by the API | |
SearchIndicatorsResponse
Description: Response type for the SearchIndicators query
Fields
Field | Type | Description | Arguments |
---|---|---|---|
indicators | ByotiIndicator | A list of indicators returned in response to a query | |
page | Int | Page number returned | |
per_page | Int | Maximum count of indicators per page in this search | |
offset | Int | Internal offset | |
total_pages | Int | Total count of pages of results given the per_page value specified | |
current_entries_returned | Int | Count of entries returned in this page | |
total_entries_size | Int | Total count of entries that match the search criteria | |
cursor | String | Cursor used to paginate results | |
GetIndicatorsInput
Description: Get indicators matching the fields provided
Fields
Field | Type | Description | Arguments |
---|---|---|---|
object_type | ObjectType | Filter indicators by object type | |
updated_after | Time | Provide a timestamp to filter indicators returned by updated_at >= updated_after | |
with_partner_tenants | Boolean | Include additional tenants belonging to the caller | |
reference_url | String | Reference_url is the URL describing data about the indicator | |
source_name | String | Source_name is the name of the source of the Indicator | |
integration_id | Int | The ID of the integration that ingested the indicator | |
severity | Severity | Severity of the Indicator in the form INFO, LOW, MEDIUM, HIGH, or CRITICAL | |
exclude_deleted | Boolean | Exclude deleted indicators | |
page | Int | Specify the page to fetch | |
per_page | Int | Specify the count of indicators per page | |
PaginateIndicatorsInput
Description: Paginate indicators matching the fields provided
Fields
Field | Type | Description | Arguments |
---|---|---|---|
object_type | ObjectType | Filter indicators by object type | |
updated_after | Time | Provide a timestamp to filter indicators returned by updated_at >= updated_after | |
with_partner_tenants | Boolean | Include additional tenants belonging to the caller | |
reference_url | String | Reference_url is the URL describing data about the indicator | |
source_name | String | Source_name is the name of the source of the Indicator | |
integration_id | Int | The ID of the integration that ingested the indicator | |
severity | Severity | Severity of the Indicator in the form INFO, LOW, MEDIUM, HIGH, or CRITICAL | |
exclude_deleted | Boolean | Exclude deleted indicators | |
per_page | Int | Specify the count of indicators per page | |
cursor | String | Cursor used to paginate through results. Should be empty on the first request, and populated with the value returned in the response from then on | |
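The cursor contract described in the row above (send an empty cursor first, then echo back whatever the response returns) is the whole of cursor-based pagination, and the failure modes worth handling are a server that never returns an empty cursor and a cursor that repeats. The following is an added example, not code from the BYOTI documentation, showing a retrieval loop over paginateIndicators with both guards. The transport is a constructed in-memory stand-in so the example runs offline; in practice `send` would POST the request body to the Taegis GraphQL endpoint with the caller's credentials. The nullability of the `$input` variable is an assumption to confirm against schema introspection.

```python
"""Walk a full result set with paginateIndicators (added example, offline stub)."""
from typing import Callable, Iterator

PAGINATE_QUERY = """
query PaginateIndicators($input: PaginateIndicatorsInput) {
  paginateIndicators(input: $input) {
    indicators { id object_type object_subtype value severity updated_at deleted_at }
    current_entries_returned
    total_entries_size
    cursor
  }
}
"""


def iter_indicators(send: Callable[[dict], dict], filters: dict,
                    per_page: int = 100, max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every ByotiIndicator matching `filters` (object_type, updated_after,
    exclude_deleted, ...), following the cursor until the API returns none."""
    cursor = ""                      # must be empty on the first request
    seen_cursors: set = set()
    for _ in range(max_pages):
        variables = {"input": {**filters, "per_page": per_page, "cursor": cursor}}
        resp = send({"query": PAGINATE_QUERY, "variables": variables})
        if resp.get("errors"):
            raise RuntimeError(f"GraphQL errors: {resp['errors']}")
        page = resp["data"]["paginateIndicators"]
        yield from page.get("indicators") or []
        cursor = page.get("cursor") or ""
        # An empty cursor or an empty page marks the end of the result set.
        if not cursor or not page.get("current_entries_returned"):
            return
        # Defensive: a repeated cursor would otherwise spin forever.
        if cursor in seen_cursors:
            raise RuntimeError(f"cursor {cursor!r} repeated; aborting")
        seen_cursors.add(cursor)
    raise RuntimeError(f"gave up after {max_pages} pages")


def make_fake_api(dataset: list) -> Callable[[dict], dict]:
    """Constructed stand-in for the API. Its cursor is just the offset into
    `dataset`; a real cursor is opaque and must simply be echoed back."""
    def send(body: dict) -> dict:
        inp = body["variables"]["input"]
        offset = int(inp["cursor"]) if inp["cursor"] else 0
        chunk = dataset[offset:offset + inp["per_page"]]
        nxt = offset + len(chunk)
        return {"data": {"paginateIndicators": {
            "indicators": chunk,
            "current_entries_returned": len(chunk),
            "total_entries_size": len(dataset),
            "cursor": str(nxt) if nxt < len(dataset) else "",
        }}}
    return send


# Constructed sample data, not real intelligence.
SAMPLE_DATASET = [
    {"id": str(i), "object_type": "domain", "value": f"host{i}.example", "severity": "LOW"}
    for i in range(7)
]


def fetch_all_ids(per_page: int = 3) -> list:
    """Run the loop against the fake API and return the indicator ids in order."""
    send = make_fake_api(SAMPLE_DATASET)
    filters = {"object_type": "domain", "exclude_deleted": False}
    return [ind["id"] for ind in iter_indicators(send, filters, per_page=per_page)]


if __name__ == "__main__":
    print(fetch_all_ids())   # three requests returning 3, 3 and 1 indicators
```

For an incremental sync, pass `updated_after` set to the high-water mark of the previous run and leave `exclude_deleted` false, so that records whose `deleted_at` has been set since the last run are returned and can be retired locally.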
IndicatorInput
Description: Used as input to the UpsertIndicators mutation
Fields
Field | Type | Description | Arguments |
---|---|---|---|
object_type | ObjectType | Currently supported options: ip, hash, domain, url | |
object_subtype | ObjectSubtype | Object_subtypes depend on the object_type | |
name | String | A friendly name for the threat indicator | |
description | String | Description of the indicator | |
value | String | The indicator's value | |
reference_url | String | Reference_url is the URL describing data about the indicator | |
source_name | String | source_name is the name of the source of the Indicator | |
integration_id | Int | The ID of the integration that ingested the indicator | |
severity | Severity | Severity of the Indicator in the form INFO, LOW, MEDIUM, HIGH, or CRITICAL | |
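The IndicatorInput table above fixes the enum values and says that object_subtype depends on object_type, but a feed of raw indicators rarely arrives in that shape, and every malformed record costs a round trip to learn its rejection reason. The following is an added example, not code from the BYOTI documentation: it normalizes records into IndicatorInput dicts, infers the subtype from the value (hash length, IP version), rejects records locally in the same value/reason form the API uses, and builds the upsertIndicators request body. The IP, hash, domain and URL checks are local heuristics added here; the list type on the `$input` variable is an assumption to confirm against schema introspection; the sample batch is constructed.

```python
"""Validate IndicatorInput records before calling upsertIndicators (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

OBJECT_TYPES = {"ip", "hash", "domain", "url"}
SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
HASH_SUBTYPE_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")

# Assumed list wrapper on the variable type; confirm with schema introspection.
UPSERT_INDICATORS_MUTATION = """
mutation UpsertIndicators($input: [IndicatorInput!]!) {
  upsertIndicators(input: $input) {
    accepted_indicators { id object_type object_subtype value severity }
    rejected_indicators { value reason }
  }
}
"""


def normalize_indicator(raw: dict) -> dict:
    """Return a normalized IndicatorInput dict, or raise ValueError carrying the
    reason, mirroring the value/reason pair of ByotiRejectedIndicatorResponse."""
    object_type = str(raw.get("object_type", "")).lower()
    if object_type not in OBJECT_TYPES:
        raise ValueError(f"unsupported object_type {raw.get('object_type')!r}")
    severity = str(raw.get("severity", "")).upper()
    if severity not in SEVERITIES:
        raise ValueError(f"unsupported severity {raw.get('severity')!r}")
    value = str(raw.get("value", "")).strip()
    if not value:
        raise ValueError("empty value")

    subtype = None
    if object_type == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            raise ValueError(f"{value!r} is not an IP address") from None
        subtype = "ipv4" if addr.version == 4 else "ipv6"
        value = str(addr)                      # canonical form (compressed IPv6)
    elif object_type == "hash":
        if not HEX_RE.match(value) or len(value) not in HASH_SUBTYPE_BY_LENGTH:
            raise ValueError(f"{value!r} is not an md5/sha1/sha256 hex digest")
        subtype = HASH_SUBTYPE_BY_LENGTH[len(value)]
        value = value.lower()
    elif object_type == "domain":
        value = value.rstrip(".").lower()      # drop trailing dot, case-fold
        if not DOMAIN_RE.match(value):
            raise ValueError(f"{value!r} is not a valid domain name")
    else:                                      # url
        parts = urlparse(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"{value!r} is not an http(s) URL")

    # A declared subtype must agree with what the value itself says.
    declared = raw.get("object_subtype")
    if declared and subtype and str(declared).lower() != subtype:
        raise ValueError(f"object_subtype {declared!r} does not match value ({subtype})")

    out = {"object_type": object_type, "value": value, "severity": severity}
    if subtype:
        out["object_subtype"] = subtype
    for key in ("name", "description", "reference_url", "source_name", "integration_id"):
        if raw.get(key) not in (None, ""):
            out[key] = raw[key]
    return out


def build_upsert_request(raw_indicators: list) -> tuple:
    """Split a batch into the GraphQL request body and the records rejected locally."""
    accepted, rejected = [], []
    for raw in raw_indicators:
        try:
            accepted.append(normalize_indicator(raw))
        except ValueError as exc:
            rejected.append({"value": raw.get("value"), "reason": str(exc)})
    body = {"query": UPSERT_INDICATORS_MUTATION, "variables": {"input": accepted}}
    return body, rejected


# Constructed sample batch, not real intelligence: three valid records, two bad.
SAMPLE_BATCH = [
    {"object_type": "IP", "value": "2001:db8:0:0:0:0:0:1", "severity": "high",
     "name": "lab-c2", "source_name": "internal-hunt"},
    {"object_type": "hash", "severity": "MEDIUM",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"object_type": "domain", "value": "Malicious.Example.", "severity": "LOW"},
    {"object_type": "hash", "value": "not-a-digest", "severity": "HIGH"},
    {"object_type": "url", "value": "ftp://files.example/evil", "severity": "URGENT"},
]

if __name__ == "__main__":
    body, rejected = build_upsert_request(SAMPLE_BATCH)
    print(len(body["variables"]["input"]), "accepted,", len(rejected), "rejected locally")
    for item in rejected:
        print(" -", item["value"], "->", item["reason"])
```

Canonicalizing values (lower-case hex, compressed IPv6, no trailing dot on domains) before the upsert also keeps the same indicator from being stored twice under cosmetically different spellings, which matters when the same feed is re-ingested.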
DeleteIndicatorResponse
Description: Response type for the DeleteIndicators mutation
Fields
Field | Type | Description | Arguments |
---|---|---|---|
indicators | ByotiIndicator | List of indicators marked for deletion | |
status | Boolean | Status true or false | |