Identity Findings GraphQL API
Query
Description: Public queries
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| findings | FindingsQueryResponse | Gets a list of findings based on the query parameters. Restricted to the current tenant context. | query: FindingsQuery, sorting: FindingsSorting, paging: FindingsPaging |
| findingFacets | FindingFacetsResponse | Gets aggregated counts per facet for the findings based on the query parameters. Restricted to the current tenant context. | query: FindingsQuery |
| finding | Finding | Gets a specific finding by its id. Restricted to the current tenant context. | id: ID |
| findingHistory | FindingHistoryResponse | Gets the history of a specific finding by its id. Restricted to the current tenant context. | id: ID |
| checkFindingsCount | CheckFindingsCountResponse | Gets a list of checks along with the count of their findings based on the query parameters. Restricted to the current tenant context. The checks are sorted by the cumulative severity of their findings. Checks that have no findings are not included. | query: ChecksQuery, paging: FindingsPaging |
| checks | ChecksQueryResponse | Gets a list of checks based on the query parameters. | query: ChecksQuery, sorting: ChecksSorting, paging: FindingsPaging |
| check | Check | Gets a specific check by its id. | id: ID |
| checkHistory | CheckHistoryResponse | Gets the history of a specific check by its id. | id: ID |
| findingOverallRisk | FindingOverallRisk | Gets an overall risk score for the current tenant for the given module and source. If source is null, the overall risk across all sources is returned. | module: CheckModule, source: FindingSourceInput |
| findingOverallRiskOverTime | FindingRiskOverTime | Gets an overall risk score over time for the current tenant for the given module and source. If source is null, the overall risk across all sources is returned. | module: CheckModule, timeRange: FindingRiskOverTimeInput, source: FindingSourceInput |
| findingsChanged | FindingsQueryResponse | Gets findings that have had a state change within the specified time range. | query: FindingsChangedInput, sorting: FindingsSorting, paging: FindingsPaging |
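The following is an added example and is not code from this API reference or from Secureworks. It shows how a client would call the `findings` query with a FindingsQuery filter and FindingsPaging, passing every caller-controlled value as a GraphQL variable (never spliced into the query text) and paging on `total` and the number of rows actually returned. Assumptions not stated on the page: the endpoint takes a JSON body `{"query": ..., "variables": ...}` and answers with `data` or `errors`; the status and severity values in the sample (`OPEN`, `HIGH`) are illustrative, since the page lists no enum values; the URL and bearer-token header in `http_executor` are placeholders. The `FakeTransport` is a constructed offline stand-in so the block runs without network access.

```python
"""Filter and page through the Taegis `findings` query (added example)."""
from __future__ import annotations

import json
from typing import Any, Callable, Iterator

Executor = Callable[[str, dict[str, Any]], dict[str, Any]]

# Selection set limited to what the consumer needs. All caller-controlled values
# travel in $variables; nothing is ever interpolated into this document string.
FINDINGS_QUERY = """
query Findings($query: FindingsQuery, $sorting: FindingsSorting, $paging: FindingsPaging) {
  findings(query: $query, sorting: $sorting, paging: $paging) {
    total
    findings {
      id
      severityLabel
      status
      lastSeen
      primaryReference { type id displayName }
      check { id title }
    }
  }
}
"""


def build_variables(
    *,
    statuses: list[str] | None = None,
    severity_labels: list[str] | None = None,
    check_ids: list[str] | None = None,
    last_seen_start: str | None = None,
    last_seen_end: str | None = None,
    limit: int = 100,
) -> dict[str, Any]:
    """Compose FindingsQuery + FindingsPaging variables. Sorting is omitted so the
    documented default (severity, descending) applies. Enum values are assumed."""
    if limit < 1:
        raise ValueError("limit must be positive")
    query: dict[str, Any] = {}
    if statuses:
        query["statuses"] = statuses
    if severity_labels:
        query["severityLabel"] = severity_labels
    if check_ids:
        query["checks"] = check_ids
    if last_seen_start or last_seen_end:
        # FindingTimeRange: start is inclusive, end is exclusive.
        query["lastSeenRange"] = {"start": last_seen_start, "end": last_seen_end}
    return {"query": query, "paging": {"limit": limit, "offset": 0}}


def iter_findings(execute: Executor, variables: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every matching finding. The offset advances by the rows actually
    received (not by `limit`) and iteration stops on an empty page or when
    offset >= total, so a server that silently caps `limit` neither makes the
    loop skip rows nor spin forever."""
    variables = json.loads(json.dumps(variables))  # private copy; the caller's dict is never mutated
    paging = variables["paging"]
    while True:
        resp = execute(FINDINGS_QUERY, variables)
        if resp.get("errors"):
            raise RuntimeError(f"GraphQL errors: {resp['errors']}")
        page = resp["data"]["findings"]
        rows = page["findings"]
        yield from rows
        paging["offset"] += len(rows)
        if not rows or paging["offset"] >= page["total"]:
            return


class FakeTransport:
    """Constructed stand-in for the HTTP transport so this runs offline: serves
    `n_total` synthetic findings, honouring limit/offset like the real server."""

    def __init__(self, n_total: int) -> None:
        self.rows = [
            {"id": f"finding-{i}", "severityLabel": "HIGH", "status": "OPEN",
             "lastSeen": "2024-05-01T00:00:00Z",
             "primaryReference": {"type": "Identity", "id": f"user-{i}", "displayName": None},
             "check": {"id": "check-1", "title": "Example check"}}
            for i in range(n_total)
        ]
        self.calls = 0

    def __call__(self, query: str, variables: dict[str, Any]) -> dict[str, Any]:
        self.calls += 1
        off, lim = variables["paging"]["offset"], variables["paging"]["limit"]
        return {"data": {"findings": {"total": len(self.rows), "findings": self.rows[off:off + lim]}}}


def http_executor(url: str, token: str) -> Executor:
    """Transport for a live endpoint (not exercised here). URL and header layout
    are placeholders; take the real values from the Taegis documentation."""
    import urllib.request

    def execute(query: str, variables: dict[str, Any]) -> dict[str, Any]:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Content-Type": "application/json", "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return execute


if __name__ == "__main__":
    transport = FakeTransport(250)
    variables = build_variables(statuses=["OPEN"], severity_labels=["HIGH"],
                                last_seen_start="2024-04-01T00:00:00Z", limit=100)
    found = list(iter_findings(transport, variables))
    print(f"{len(found)} findings in {transport.calls} requests")  # 250 findings in 3 requests
```

To run against a tenant, swap `FakeTransport(250)` for `http_executor(url, token)`; the paging loop and variable construction are unchanged.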
ID
Description: The ID scalar type represents a unique identifier, often used to refetch an object or as key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.
Mutation
Description: Public mutations
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| setFindingStatus | Finding | Sets the status of a finding by its id. Restricted to the current tenant context. | id: ID, status: FindingStatus, reason: String |
| ignoreCheck | Check | Marks a check as ignored for the current tenant context. Existing findings for the check are hidden and no new findings are generated. | id: ID |
| unignoreCheck | Check | Removes the ignored status from a check for the current tenant context. Existing findings are shown again and new findings are generated the next time the check runs. | id: ID |
String
Description: The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
CheckModule
Description: The Taegis Module a check belongs to, such as VDR, Identity, XDR, etc.
Time
Description: A timestamp type.
Map
Description: A map type.
Int64
Description: A scalar for 64-bit integers.
ChecksSort
Description: Available fields on checks for sorting.
FindingsSortOrder
Description: Sort order for findings and checks queries (used by both FindingsSorting and ChecksSorting).
ChecksSorting
Description: Parameters for sorting a checks query.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| sortBy | ChecksSort | What to sort results by. Default is by title. | |
| sortOrder | FindingsSortOrder | The order to sort results by. Default is ascending. | |
ChecksQuery
Description: Parameters for filtering checks.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| modules | CheckModule | Restrict to checks that belong to these modules. If empty, all modules are included. | |
| tags | String | Restrict to checks that have these tags. If empty, all tags are included. | |
| categories | String | Restrict to checks that have these categories. If empty, all categories are included. | |
| allowDisabled | Boolean | If true, include checks that are disabled. | |
| publishedRange | FindingTimeRange | If specified, only include checks that were published in this time range. | |
| modifiedRange | FindingTimeRange | If specified, only include checks that were last modified in this time range. | |
Boolean
Description: The Boolean scalar type represents true or false.
ChecksQueryResponse
Description: Response for a checks query.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| total | Int64 | The total number of checks that match the query | |
| checks | Check | The checks that match the query | |
FindingInternationalMessage
Description: A message in a specific language.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| language | String | The language of the message | |
| message | String | The template message in the specified language | |
InputCheck
Description: Creation input for a check.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | ID | Unique identifier for the check. Must be a UUID. | |
| module | CheckModule | The Taegis Module this check belongs to. | |
| titles | FindingInternationalMessage | Titles of the check for each supported language. At least one in en_US is required. | |
| descriptions | FindingInternationalMessage | Descriptions of the check for each supported language. At least one in en_US is required. | |
| details | FindingInternationalMessage | Details of the check for each supported language. Optional. | |
| risks | FindingInternationalMessage | Risks of the check for each supported language. Optional. | |
| remediations | FindingInternationalMessage | Remediation steps for the check in each supported language. At least one in en_US is required. | |
| defaultValue | String | If the check is a recommended value issue, this is the default value for that configuration. | |
| recommendedValue | String | If the check is a recommended value issue, this is the recommended value for that configuration. | |
| category | String | The category/type of the check. | |
| references | String | Any references to external documentation for the check. | |
| tags | String | Tags associated with the check. | |
| enabled | Boolean | If the check is enabled. | |
| autoResolutionDisabled | Boolean | If true, findings for this check are not automatically resolved when they are no longer detected in a scan. | |
| timeResolutionDays | Int64 | A time range, in days, after which findings are automatically resolved. This is checked separately from the autoResolutionDisabled flag. | |
| version | String | Version of the check implementation. Must be of the form v0.0.0 | |
Check
Description: A check that is performed against a tenant's environment to generate findings.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | ID | Unique identifier for the check. | |
| module | CheckModule | The Taegis Module this check belongs to. | |
| title | String | Title of the check. | |
| description | String | Description of the check. | |
| details | String | Details of the check, containing additional information such as technical details. Optional. | |
| risk | String | Risk explanation of the check. Optional. | |
| remediation | String | Remediation steps for the check. | |
| defaultValue | String | If the check is a recommended value issue, this is the default value for that configuration. | |
| recommendedValue | String | If the check is a recommended value issue, this is the recommended value for that configuration. | |
| category | String | The category/type of the check. | |
| references | String | Any references to external documentation for the check. | |
| tags | String | Tags associated with the check. | |
| enabled | Boolean | If the check is enabled. | |
| published | Time | When this check was first published to SecureWorks. | |
| lastModified | Time | When this check was last modified or updated with additional details. | |
| ignored | Boolean | Whether the check is ignored for the current tenant context. | |
| ignoredBy | TDRUser | Federated version of the user who ignored the check. | |
| ignoredAt | Time | When the check was ignored. | |
| autoResolutionDisabled | Boolean | If true, findings belonging to this check are not automatically resolved when they are no longer detected in a scan. This is useful for time- and window-based checks that may only detect a specific finding for a limited time; findings for these checks should be resolved manually. | |
| timeResolutionDays | Int64 | A time range, in days, after which findings are automatically resolved. This is only checked if autoResolutionDisabled is true. | |
| version | String | Version of the check implementation. | |
CheckHistory
Description: Tracks changes on a check.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | ID | Check ID | |
| version | String | Version of the check implementation | |
| firstRanAt | Time | When the check was first run | |
| lastRanAt | Time | When the check was last run | |
CheckHistoryResponse
Description: Response for a check history query.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| total | Int64 | The total number of changes in the check history | |
| history | CheckHistory | The history for the requested check | |
FindingsPaging
Description: Paging input for queries.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| limit | Int64 | The number of findings to return | |
| offset | Int64 | The offset to start returning findings from | |
FindingsSort
Description: Available fields on findings for sorting.
FindingsSorting
Description: Parameters for sorting a findings query.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| sortBy | FindingsSort | What to sort results by. Default is by severity. | |
| sortOrder | FindingsSortOrder | The order to sort results by. Default is descending. | |
FindingsQuery
Description: Parameters for filtering findings.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| categories | String | Filters to findings that belong to at least one of these check categories. If empty, all checks are included. | |
| severityRange | FindingsFloatRange | DO NOT USE; will be ignored. This input has been left in place so as not to break existing SDKs. | |
| severityLabel | FindingSeverityLabel | Filters to findings that have at least one of these severities. | |
| confidenceRange | FindingsFloatRange | Filters to findings that have a confidence within this range. | |
| firstSeenRange | FindingTimeRange | Filters to findings that were first detected in this time range. If null, all findings are included. | |
| lastSeenRange | FindingTimeRange | Filters to findings that were last detected in this time range. If null, all findings are included. | |
| lastModifiedRange | FindingTimeRange | Filters to findings that were last modified in this time range. If null, all findings are included. | |
| references | InputFindingsQueryReference | Filters to findings that have at least one of these references as their primary or other references. | |
| checks | ID | Filters to findings that belong to at least one of these check ids. If empty, all checks are included. | |
| statuses | FindingStatus | Filters to findings that are in at least one of these statuses. If empty, all statuses are included. | |
| primaryReferenceName | String | Filters to findings whose primary reference name matches. If empty, all findings are included. | |
| search | String | Filters to findings that match text in some fields. If empty, all findings are included. | |
| sources | FindingSourceInput | Filters the findings to those that have one of these sources. If empty, all sources are included. If an entry is null, it filters to findings with no source. | |
| derivedTypes | FindingReferenceDerivedType | Filters the findings to those that have at least one of these reference derived types. | |
| isNew | Boolean | Filters to findings that are new (true) or not new (false). If empty, all findings are included. | |
InputFindingsQueryReference
Description: Parameters to filter findings by reference.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | String | The id for the reference | |
| derivedType | FindingReferenceDerivedType | Derived type of the reference | |
FindingStringFacet
Description: An aggregation of counts for findings by some string value.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | String | The value of the facet | |
| count | Int64 | The count of findings that have this value | |
FindingBoolFacet
Description: An aggregation of counts for findings by a boolean value.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | Boolean | The boolean value | |
| count | Int64 | The count of findings with this value | |
FindingSourceFacet
Description: An aggregation of counts for findings by source.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | FindingSource | The value of the facet. If null, represents a null/empty source. | |
| count | Int64 | The count of findings that have this value. | |
FindingStatusFacet
Description: An aggregation of counts for findings by status.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | FindingStatus | The value of the facet | |
| count | Int64 | The count of findings that have this value | |
FindingFloatFacet
Description: An aggregation of counts for findings by some float value.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | Float | The value of the facet | |
| count | Int64 | The count of findings that have this value | |
Float
Description: The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.
FindingSeverityFacet
Description: An aggregation of counts for findings by severity.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | FindingSeverityLabel | The value of the facet | |
| count | Int64 | The count of findings that have this value | |
FindingCheckFacet
Description: An aggregation of counts for findings by check.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | Check | The check of the facet | |
| count | Int64 | The count of findings that have this value | |
FindingDerivedTypeFacet
Description: An aggregation of counts for findings by derived type.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | FindingReferenceDerivedType | The value of the facet | |
| count | Int64 | The count of findings that have this value | |
FindingFacetsResponse
Description: Aggregations of findings by different facets.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| categories | FindingStringFacet | Counts for categories. | |
| severityLabel | FindingSeverityFacet | Counts for severity labels. Each entry corresponds to a severity level. | |
| fullChecks | FindingCheckFacet | Counts for findings by check; the value is the full Check object. Use this instead of the deprecated checks field. | |
| checks | FindingStringFacet | DO NOT USE. Will always be empty. This has been deprecated and left here so as not to break old SDKs. | |
| statuses | FindingStatusFacet | Counts for statuses. | |
| sources | FindingSourceFacet | Counts for sources. | |
| derivedTypes | FindingDerivedTypeFacet | Counts for derived types. | |
| isNew | FindingBoolFacet | Counts for isNew. | |
FindingsQueryResponse
Description: Response for a findings query.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| total | Int64 | The total number of findings that match the query | |
| findings | Finding | The findings that match the query | |
FindingsFloatRange
Description: A range input for a float value.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| min | Float | Minimum value for the range, inclusive | |
| max | Float | Maximum value for the range, inclusive | |
FindingTimeRange
Description: A range input for a time value.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| start | Time | Start time for the range, inclusive | |
| end | Time | End time for the range, exclusive | |
InputFinding
Description: Creation input for a finding.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| primaryReference | InputFindingReference | Primary reference this finding relates to. | |
| otherReferences | InputFindingReference | Other references this finding relates to. | |
| result | String | Check results associated with the finding. | |
| confidenceScore | Float | Confidence that the finding is accurate. 0.0 is the lowest confidence, 1.0 is the highest confidence. | |
| severity | Float | Severity of the finding. 0.0 is the lowest severity, 1.0 is the highest severity. | |
| checkId | ID | The check that this finding belongs to. | |
| checkVersion | String | The version of the check that was used to produce this finding. | |
| source | FindingSourceInput | The source of the finding. | |
FindingReferenceLogicalType
Description: The logical type of a reference.
FindingReferenceDerivedType
Description: The derived type of a reference.
FindingReference
Description: A reference to an external object within a finding.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| type | String | The type of reference; e.g., Identity, Alert, Event, EntraConditionalAccessPolicy. | |
| id | String | The id for the type. | |
| logicalType | FindingReferenceLogicalType | The logical type of the reference. | |
| derivedType | FindingReferenceDerivedType | The derived type of the reference. | |
| displayName | String | Optional display name for the reference. This is only populated for certain types of references. | |
| externalLink | String | Optional link to the resource on an external system. This is only populated for certain types of references. | |
InputFindingReference
Description: A reference to an external object within a finding.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| type | String | The type of reference; e.g., Identity, Alert, Event, EntraConditionalAccessPolicy. | |
| id | String | The id for the type. | |
| derivedType | FindingReferenceDerivedType | Derived type of the reference. | |
| displayName | String | Optional display name for the reference. Changing this does not change the reference or its uniqueness. | |
FindingSeverityLabel
Description: Severity levels for findings.
Finding
Description: A finding within a tenant's environment that is associated with a check.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | ID | Unique ID for this finding, for direct lookups. This is a primary key; the combination of primaryReference, checkId and tenantId is a second, equivalent key for the same finding. | |
| primaryReference | FindingReference | Primary reference this finding relates to. | |
| otherReferences | FindingReference | Other references this finding relates to. | |
| tenantId | String | Tenant id the finding is associated with. | |
| result | String | Check results associated with the finding. | |
| confidenceScore | Float | Confidence that the finding is accurate. 0.0 is the lowest confidence, 1.0 is the highest confidence. | |
| severity | Float | Severity of the finding. 0.0 is the lowest severity, 1.0 is the highest severity. | |
| severityLabel | FindingSeverityLabel | The severity label for the finding. | |
| status | FindingStatus | Current status of the finding. | |
| statusComments | String | Comments about the status, if specified. Generally only available on DISMISSED findings when the dismisser provides them. | |
| statusCommentsUser | ID | If the status comments were provided by a user, this is their user id. | |
| user | TDRUser | Federated version of the status comments user. | |
| firstSeen | Time | When this finding was first detected in the environment. | |
| lastSeen | Time | When this finding was last detected in the environment. | |
| lastModified | Time | When this finding's state was last modified. | |
| closedAt | Time | When this finding was closed. | |
| check | Check | The check that this finding belongs to. | |
| source | FindingSource | If the finding is tagged with a source, this is the source. | |
| isNew | Boolean | If the finding is new. Valid for 7 days. False when the check is run for the first time. | |
| checkVersion | String | The version of the check that was used to produce the finding. | |
FindingHistory
Description: Tracks changes on a finding.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | Int64 | Unique identifier for a finding history entry. | |
| findingId | ID | Finding that the history entry is for. | |
| tenantId | String | Tenant id the finding is associated with. | |
| oldStatus | FindingStatus | Status before the change. Null for the first entry. | |
| newStatus | FindingStatus | Status after the change. | |
| diff | Map | Diff of the old and new rows; fields that did not change are omitted. | |
| updatedBy | TDRUser | User that triggered the change. Null when the change was made by the system. | |
| createdAt | Time | Timestamp when the history entry was created. | |
FindingHistoryResponse
Description: Response for a finding history query.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| total | Int64 | The total number of changes in the finding history | |
| history | FindingHistory | The history for the requested finding | |
CheckFindingsCountResponse
Description: Response for the checkFindingsCount query.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| checks | FindingsByCheck | Checks and the count of their findings | |
| total | Int64 | The total number of checks that match the query | |
FindingsByCheck
Description: A check and the count of its findings.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| check | Check | The check | |
| count | Int64 | The count of findings for the check | |
| severity | Float | The accumulated severity of all the findings for the check | |
| severityLabel | FindingSeverityLabel | The accumulated severity label of all the findings for the check | |
FindingStatus
Description: State of a finding.
FindingRiskLabel
Description: Label for a risk score category.
FindingTimeWindowUnit
Description: Unit for time window sizes.
FindingRiskOverTimeInput
Description: Input for the finding risk over time query.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| windowUnit | FindingTimeWindowUnit | Unit for the time window size. | |
| windowSize | Int64 | The number of windowUnit units covered by each entry; e.g., a windowUnit of DAILY and a windowSize of 7 produces weekly windows. | |
| timeRange | FindingTimeRange | The time range to query over. | |
FindingRiskOverTime
Description: Risk score entries over the given time window.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| entries | FindingRiskTimeEntry | Risk score entries over the given time window | |
| module | CheckModule | Which module this risk is for | |
FindingRiskTimeEntry
Description: A window of time and the risk score for that time window.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| intervalStart | Time | The start of the time window | |
| intervalEnd | Time | The end of the time window | |
| risk | Float | The average risk score for the time window | |
| label | FindingRiskLabel | The label for the risk score | |
| findingCount | Int64 | The maximum number of findings used to calculate the risk within the time window | |
FindingSourceType
Description: Different types of sources for findings.
FindingSource
Description: Source of a finding: the data source the finding is derived from, such as an identity provider in IDR.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| type | FindingSourceType | The type of the source. | |
| id | String | The id of the source. | |
| resolved | ResolvedFindingSource | If the source is resolvable in GraphQL, this is the resolved source, such as an identity provider for IDP sources. | |
ResolvedFindingSource
Description: Resolved source of a finding.
FindingSourceInput
Description: Input for a finding source.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| type | FindingSourceType | The type of the source | |
| id | String | The id of the source | |
FindingOverallRisk
Description: Representation of the overall risk of a tenant for a specific module.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| risk | Float | The overall risk score, from 0 to 1 | |
| module | CheckModule | Which module this risk is for | |
| label | FindingRiskLabel | Label for the overall risk | |
| findingCount | Int64 | Number of findings used to calculate the risk | |
| percentChange | Float | How much the risk score has changed over the past 7 risk score calculations | |
| calculatedAt | Time | When the risk score was calculated | |
FindingsChangedInput
Description: Input for querying findings that have changed over a specified time range.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| range | FindingTimeRange | The time range over which findings changed. | |
| sources | FindingSourceInput | Filters the findings to those that have one of these sources. If empty, all sources are included. If an entry is null, it filters to findings with no source. | |
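The following is an added example and is not code from this API reference or from Secureworks. It shows how a consumer (for instance a SIEM forwarder) would poll `findingsChanged` incrementally: each poll covers the half-open FindingTimeRange `[watermark, now)`, and because the exclusive `end` of one poll becomes the inclusive `start` of the next, a change stamped exactly on the boundary is delivered once, by the following poll. When `total` reports more changes than one page holds, the window is bisected instead of paged by offset, since a fixed end bound keeps each half stable. Assumptions not stated on the page: Time values are RFC 3339 strings in UTC, the transport answers with `data` or `errors`, the server honours FindingsPaging.limit, and the status values in the sample (`OPEN`, `DISMISSED`, `RESOLVED`) are illustrative. The `FakeTransport` and `sample_changes` are constructed so the block runs offline.

```python
"""Watermark polling of the Taegis `findingsChanged` query (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any, Callable

Executor = Callable[[str, dict[str, Any]], dict[str, Any]]
DEFAULT_LIMIT = 500  # request size per window; the page documents no server cap

FINDINGS_CHANGED_QUERY = """
query Changed($query: FindingsChangedInput, $paging: FindingsPaging) {
  findingsChanged(query: $query, paging: $paging) {
    total
    findings { id status lastModified check { id title } }
  }
}
"""


def rfc3339(t: datetime) -> str:
    return t.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def fetch_window(execute: Executor, start: datetime, end: datetime,
                 sources: list[dict[str, Any]] | None = None,
                 limit: int = DEFAULT_LIMIT) -> list[dict[str, Any]]:
    """All findings whose state changed in [start, end). If `total` exceeds one
    page, bisect the window: the halves partition it exactly because the range
    is half-open, so no change is counted twice or dropped."""
    variables: dict[str, Any] = {
        "query": {"range": {"start": rfc3339(start), "end": rfc3339(end)}},
        "paging": {"limit": limit, "offset": 0},
    }
    if sources:
        variables["query"]["sources"] = sources
    resp = execute(FINDINGS_CHANGED_QUERY, variables)
    if resp.get("errors"):
        raise RuntimeError(f"GraphQL errors: {resp['errors']}")
    page = resp["data"]["findingsChanged"]
    rows = page["findings"]
    if page["total"] <= len(rows):
        return rows
    if end - start <= timedelta(seconds=1):
        raise RuntimeError(f"{page['total']} changes within one second after {rfc3339(start)}; raise limit")
    mid = start + (end - start) / 2
    return fetch_window(execute, start, mid, sources, limit) + fetch_window(execute, mid, end, sources, limit)


class ChangePoller:
    """Holds the watermark. The exclusive end of one poll is the inclusive start
    of the next, so a change stamped exactly at `now` arrives with the next poll."""

    def __init__(self, execute: Executor, since: datetime, limit: int = DEFAULT_LIMIT) -> None:
        self.execute, self.watermark, self.limit = execute, since, limit

    def poll(self, now: datetime) -> list[dict[str, Any]]:
        if now <= self.watermark:
            return []
        rows = fetch_window(self.execute, self.watermark, now, limit=self.limit)
        self.watermark = now  # advance only after the whole window was read
        return rows


class FakeTransport:
    """Constructed offline stand-in: serves a fixed list of (id, status, lastModified)
    like the real query, honouring the half-open range and `limit`."""

    def __init__(self, changes: list[tuple[str, str, datetime]]) -> None:
        self.changes, self.calls = changes, 0

    def __call__(self, query: str, variables: dict[str, Any]) -> dict[str, Any]:
        self.calls += 1
        rng = variables["query"]["range"]
        start, end = parse_time(rng["start"]), parse_time(rng["end"])
        hits = [{"id": fid, "status": st, "lastModified": rfc3339(t),
                 "check": {"id": "check-1", "title": "Example check"}}
                for fid, st, t in self.changes if start <= t < end]
        limit = variables["paging"]["limit"]
        return {"data": {"findingsChanged": {"total": len(hits), "findings": hits[:limit]}}}


def sample_changes() -> list[tuple[str, str, datetime]]:
    """Constructed sample: five state changes around a 10:00 poll boundary."""
    base = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    return [
        ("f1", "OPEN", base + timedelta(minutes=30)),
        ("f2", "DISMISSED", base + timedelta(minutes=45)),
        ("f3", "RESOLVED", base + timedelta(minutes=59, seconds=59)),
        ("f4", "OPEN", base + timedelta(hours=1)),  # exactly 10:00: outside [09:00, 10:00)
        ("f5", "OPEN", base + timedelta(hours=1, minutes=30)),
    ]


if __name__ == "__main__":
    transport = FakeTransport(sample_changes())
    poller = ChangePoller(transport, datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc), limit=2)
    first = poller.poll(datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc))
    second = poller.poll(datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc))
    print([r["id"] for r in first], [r["id"] for r in second])  # ['f1', 'f2', 'f3'] ['f4', 'f5']
```

With `limit=2` the first poll holds three changes, so the hour is split at 09:30 and again at 09:45 before every half fits in a page; persist `poller.watermark` between runs so a restart resumes from the last fully read window rather than replaying or skipping changes.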
TDRUser
Description: A Taegis user.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | ID | The Taegis User ID | |
IdentityProvider
Description: A configured identity provider from which Taegis syncs identities.
Fields
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | ID | The unique identifier for this identity provider within Taegis | |