Investigations GraphQL API🔗
Node🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | | |
ID🔗
Description: The ID scalar type represents a unique identifier, often used to refetch an object or as a key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.
Query🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
investigationV2 | InvestigationV2 | investigationV2 gets a single Investigation. | arguments: InvestigationV2Arguments |
investigationsV2 | InvestigationsV2 | investigationsV2 returns a list of investigations matching the provided arguments. | arguments: InvestigationsV2Arguments |
investigationRule | InvestigationRule | investigationRule gets an auto-investigation rule | arguments: InvestigationRuleArguments |
investigationRules | InvestigationRules | investigationRules returns a list of investigation rules matching the provided arguments. | arguments: InvestigationRulesArguments |
investigationTemplate | InvestigationTemplate | investigationTemplate gets an auto-investigation template | arguments: InvestigationTemplateArguments |
investigationTemplates | InvestigationTemplates | investigationTemplates returns a list of investigation templates matching the provided arguments. | arguments: InvestigationTemplatesArguments |
exportInvestigationResources | InvestigationResourceExport | exportInvestigationResources returns a YAML string representation of auto-investigation resources (rules & templates). The returned string can be saved to a file and imported back into the system using importInvestigationResources. | arguments: ExportInvestigationResourcesArguments |
investigationV2Timeline | InvestigationV2Timeline | investigationV2Timeline returns an investigation timeline detailing the order of alerts, events and other actions taken in relation to an investigation. | arguments: InvestigationV2TimelineArguments |
commentsV2 | CommentsV2 | commentsV2 returns all the comments for an investigation. | arguments: CommentsV2Arguments |
investigationV2Types | InvestigationV2Type | investigationV2Types returns the available investigation types for a given user and the current tenant's service level. | |
investigationV2Statuses | InvestigationV2Status | investigationV2Statuses returns the available investigation statuses for a given user and the current tenant's service level. | arguments: InvestigationV2StatusesArguments |
investigationFileV2 | InvestigationFileV2 | investigationFileV2 returns file details for a single file attached to an investigation based on the arguments provided. The result also includes a pre-signed download URL. Treat that URL as a bearer credential: anyone holding it can download the file until it expires, so do not log it or pass it on. | arguments: InvestigationFileV2Arguments |
investigationFilesV2 | InvestigationFilesV2 | investigationFilesV2 returns file details for all files matching the arguments provided. The results do not include a pre-signed download URL per file; query investigationFileV2 for an individual file to obtain one. | arguments: InvestigationFilesV2Arguments |
investigationsAggregation | InvestigationsAggregation | investigationsAggregation aggregates data across investigations. It cannot be used to fetch individual investigations or lists of investigations, only aggregate data. It should not be used by external clients and should only be called from the Taegis UI. Use of this endpoint is discouraged as it may be changed at any time without notice. | arguments: InvestigationsAggregationArguments |
InvestigationsAggregationArguments🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
cql | String | The query to aggregate data for |
String🔗
Description: The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
InvestigationsAggregation🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
Aggregation | Map |
Mutation🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
createInvestigationV2 | InvestigationV2 | createInvestigationV2 creates a new investigation with the provided arguments. | input: CreateInvestigationInput |
updateInvestigationV2 | InvestigationV2 | updateInvestigationV2 updates an existing investigation. This is a PATCH-style mutation: only fields that are sent in the input will be updated. | input: UpdateInvestigationV2Input |
addEvidenceToInvestigation | AddEvidenceToInvestigationResult | addEvidenceToInvestigation adds more evidence to an existing investigation. Evidence added through this mutation is not considered genesis evidence. The response includes the evidence that the service will attempt to add to the investigation. Adding evidence is an asynchronous operation. It typically finishes quickly, but added alerts/events may not show up in the returned investigation until the async job is fully complete. The processingStatus field on the investigation type reflects the state of the processing job; once it is set to 'SUCCESS' the background job is complete and requesting the investigation will return the related evidence. Adding, removing or updating evidence (including closing an investigation) while other jobs are processing for a given investigation will cause the jobs to queue. Jobs are worked through in the order they were received. | input: AddEvidenceToInvestigationInput |
removeEvidenceFromInvestigation | RemoveEvidenceFromInvestigationResult | removeEvidenceFromInvestigation removes evidence from an existing investigation. The response includes the evidence that the service will attempt to remove from the investigation. Removing evidence is an asynchronous operation. It typically finishes quickly, but removed alerts/events can remain attached to the investigation until the async job is fully complete. The processingStatus field on the investigation type reflects the state of the processing job; once it is set to 'SUCCESS' the background job is complete and requesting the investigation will only return evidence that was not removed. Adding, removing or updating evidence (including closing an investigation) while other jobs are processing for a given investigation will cause the jobs to queue. Jobs are worked through in the order they were received. | input: RemoveEvidenceFromInvestigationInput |
closeInvestigation | InvestigationV2 | closeInvestigation closes an existing investigation. If the investigation has alerts attached to it, the alertsResolutionStatus field is required and the alerts will be resolved with the provided status. Once an investigation is closed it can no longer be edited or have evidence added to it; while closed it can only be archived. A closed investigation can be reopened if changes are needed after closing. Resolving evidence in an investigation is an asynchronous operation. It typically finishes quickly, but resolved alerts may not reflect the updated status until the async job is fully complete. The processingStatus field on the investigation type reflects the state of the processing job; once it is set to 'SUCCESS' the background job is complete and the alerts will have been updated. Adding, removing or updating evidence (including closing an investigation) while other jobs are processing for a given investigation will cause the jobs to queue. Jobs are worked through in the order they were received. | input: CloseInvestigationInput |
createInvestigationRule | InvestigationRule | createInvestigationRule accepts input to create a new auto-investigation rule. | input: CreateInvestigationRuleInput |
updateInvestigationRule | InvestigationRule | updateInvestigationRule accepts input to update an existing auto-investigation rule. | input: UpdateInvestigationRuleInput |
deleteInvestigationRule | InvestigationRule | deleteInvestigationRule removes an existing investigation rule. This is a hard delete; data will not be recoverable. | input: DeleteInvestigationRuleInput |
createInvestigationTemplate | InvestigationTemplate | createInvestigationTemplate accepts input to create a new auto-investigation template. | input: CreateInvestigationTemplateInput |
updateInvestigationTemplate | InvestigationTemplate | updateInvestigationTemplate accepts input to update an existing auto-investigation template. | input: UpdateInvestigationTemplateInput |
deleteInvestigationTemplate | InvestigationTemplate | deleteInvestigationTemplate removes an existing investigation template. This is a hard delete; data will not be recoverable. | input: DeleteInvestigationTemplateInput |
importInvestigationResources | InvestigationResource | importInvestigationResources imports investigation resources (rules & templates) from a YAML document. The expected YAML structure is the one produced by the exportInvestigationResources query. | input: ImportInvestigationResourcesInput |
addCommentToInvestigation | CommentV2 | addCommentToInvestigation adds a comment to an existing investigation. | input: AddCommentToInvestigationInput |
updateInvestigationComment | CommentV2 | updateInvestigationComment updates an existing comment on an investigation. This is a PATCH-style mutation: only fields that are sent in the input will be updated. Only the user who created the comment can update it. Updating a comment and adding new @mentions will trigger new notifications, but will not re-notify @mentions that were already present in the comment. | input: UpdateInvestigationCommentInput |
deleteInvestigationComment | CommentV2 | deleteInvestigationComment removes an existing comment from an investigation. This is a hard delete; data will not be recoverable. | input: DeleteInvestigationCommentInput |
archiveInvestigationV2 | InvestigationV2 | archiveInvestigationV2 archives an existing investigation. Only investigations that are closed can be archived. Some archived investigations may not be in a closed state; these are legacy investigations that were archived before the "closed" requirement was introduced. | input: ArchiveInvestigationInput |
unarchiveInvestigationV2 | InvestigationV2 | unarchiveInvestigationV2 unarchives an archived investigation. | input: UnarchiveInvestigationInput |
archiveInvestigationsV2 | ArchivedInvestigations | archiveInvestigationsV2 archives a set of existing investigations. Only investigations that are closed can be archived. The response includes the ids of the investigations that were successfully archived; it does not return errors for investigations that could not be archived, so callers must compare the returned ids against the requested ids to detect failures. | input: ArchiveInvestigationsInput |
unarchiveInvestigationsV2 | UnarchivedInvestigations | unarchiveInvestigationsV2 unarchives a set of archived investigations. The response includes the ids of the investigations that were successfully unarchived; it does not return errors for investigations that could not be unarchived, so callers must compare the returned ids against the requested ids to detect failures. | input: UnarchiveInvestigationsInput |
initInvestigationFileUpload | InvestigationFileUpload | initInvestigationFileUpload initializes a file upload for an investigation. The response includes a pre-signed URL that can be used to upload a file to the investigation. Treat that URL as a bearer credential: anyone holding it can upload until it expires, so do not log it or pass it on. | input: InitInvestigationFileUploadInput |
deleteInvestigationFile | InvestigationFileV2 | deleteInvestigationFile removes an existing file from an investigation. This is a hard delete; data will not be recoverable. | input: DeleteInvestigationFileInput |
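The evidence mutations above return before the evidence is actually attached, so a client that reads the investigation straight after addEvidenceToInvestigation sees stale counts. The following is an added example, not Taegis client code, of submitting the mutation and then polling investigationV2 until processingStatus reports SUCCESS. It assumes a transport callable `execute(query, variables)` that returns the GraphQL `data` object; the argument shape of investigationV2 (`arguments: {id: ...}`), the selection set on AddEvidenceToInvestigationResult and the sub-field names of InvestigationProcessingStatus (`alerts`, `events`) are assumptions, since this page only states that processingStatus holds one status per evidence type and that 'SUCCESS' marks a finished job. `SimulatedTaegis` is a constructed stand-in that models the FIFO job queue so the example runs offline.

```python
"""Added example: add evidence to an investigation and wait for the async job.

Not Taegis client code. Field and argument names marked "assumed" below are not
taken from the schema page.
"""
import time
from typing import Any, Callable, Dict, Optional

Executor = Callable[[str, Dict[str, Any]], Dict[str, Any]]

ADD_EVIDENCE = """
mutation AddEvidence($input: AddEvidenceToInvestigationInput!) {
  addEvidenceToInvestigation(input: $input) { investigationId }  # selection assumed
}
"""

PROCESSING = """
query Processing($id: ID!) {
  investigationV2(arguments: {id: $id}) {        # argument shape assumed
    id
    alertsEvidenceCount
    eventsEvidenceCount
    processingStatus { alerts events }            # sub-field names assumed
  }
}
"""


def processing_complete(status: Dict[str, Optional[str]]) -> bool:
    """True once every evidence type that has a status reports SUCCESS.
    A null entry is taken to mean nothing was queued for that evidence type."""
    return all(v == "SUCCESS" for v in status.values() if v is not None)


def wait_for_processing(execute: Executor, investigation_id: str, timeout_s: float = 60.0,
                        interval_s: float = 1.0, clock=time.monotonic,
                        sleep=time.sleep) -> Dict[str, Any]:
    """Poll investigationV2 until processingStatus is all SUCCESS or the deadline passes."""
    deadline = clock() + timeout_s
    while True:
        inv = execute(PROCESSING, {"id": investigation_id})["investigationV2"]
        if processing_complete(inv["processingStatus"]):
            return inv
        if clock() >= deadline:
            raise TimeoutError(f"{investigation_id} still processing: {inv['processingStatus']}")
        sleep(interval_s)


def add_evidence_and_wait(execute: Executor, investigation_id: str, alerts=(), events=(),
                          **wait_kwargs) -> Dict[str, Any]:
    """Submit the mutation, then block until the queued job is done. The investigation
    read straight after the mutation would still show the old evidence counts."""
    execute(ADD_EVIDENCE, {"input": {"investigationId": investigation_id,
                                     "alerts": list(alerts), "events": list(events)}})
    return wait_for_processing(execute, investigation_id, **wait_kwargs)


class SimulatedTaegis:
    """Constructed stand-in for the service so the example runs offline. Evidence jobs
    queue in arrival order and each needs `polls_per_job` polls to complete."""

    def __init__(self, polls_per_job: int = 2):
        self.polls_per_job = polls_per_job
        self.queue = []              # (evidence kind, item count), FIFO
        self.remaining = None        # polls left on the head-of-queue job
        self.counts = {"alerts": 0, "events": 0}

    def execute(self, query: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        if query.lstrip().startswith("mutation AddEvidence"):
            inp = variables["input"]
            for kind in ("alerts", "events"):
                if inp.get(kind):
                    self.queue.append((kind, len(inp[kind])))
            return {"addEvidenceToInvestigation": {"investigationId": inp["investigationId"]}}
        if self.queue:                                   # advance the job at the head
            self.remaining = (self.remaining or self.polls_per_job) - 1
            if self.remaining == 0:
                kind, n = self.queue.pop(0)
                self.counts[kind] += n
                self.remaining = None
        status = {"alerts": "SUCCESS", "events": "SUCCESS"}
        if self.queue:
            status[self.queue[0][0]] = "PROCESSING"       # non-terminal label assumed
        return {"investigationV2": {"id": variables["id"],
                                    "alertsEvidenceCount": self.counts["alerts"],
                                    "eventsEvidenceCount": self.counts["events"],
                                    "processingStatus": status}}


if __name__ == "__main__":
    api = SimulatedTaegis()
    inv = add_evidence_and_wait(api.execute, "inv-1", alerts=["a1", "a2"], events=["e1"],
                                sleep=lambda s: None)
    print(inv["alertsEvidenceCount"], inv["eventsEvidenceCount"])  # 2 1
```

The same polling loop applies after removeEvidenceFromInvestigation and closeInvestigation, since all three mutations share the queue and the processingStatus contract. Because jobs for one investigation are serialised, a close issued while an add is still running is not lost but is processed after it; the wait therefore has to cover the whole queue, which is why the deadline is a wall-clock budget rather than a fixed poll count.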
CreateInvestigationInput🔗
Description: CreateInvestigationInput Describes the fields available for creating a new investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
type | InvestigationType | Type the investigation should be opened as. Types are restricted to the available types for the current user and tenant service level. | |
priority | Int | Priority of the investigation: 1 - Low, 2 - Medium, 3 - High, 4 - Critical. | |
title | String | Title of the investigation. Max 256 characters; anything over that will be trimmed. | |
tags | String | Tags used to help label the investigation. | |
keyFindings | String | KeyFindings are used to explain the details of the investigation. | |
status | InvestigationStatus | Status is used to describe the state of the investigation. Statuses are restricted to the available statuses for the current user and tenant. Close statuses cannot be set here. | |
assigneeId | String | AssigneeId is used to set the user assigned to the investigation. The assignee must be a valid user, client, or @mention in the system. | |
alerts | String | Alerts is a list of alert IDs that should be attached to the investigation. Alerts added during the creation of an investigation are considered genesis evidence. | |
alertsSearchQuery | String | AlertsSearchQuery is a CQL query that can be used to attach alerts to the investigation. Only the first 50k matching alerts will be attached. Alerts added via a search query during investigation creation are considered genesis evidence. | |
events | String | Events is a list of event IDs that should be attached to the investigation. Events added during the creation of an investigation are considered genesis evidence. | |
searchQueries | String | SearchQueries are saved searches that should be attached to the investigation. Search queries added during the creation of an investigation are considered genesis evidence. Searches added here are not executed to attach evidence; this field only attaches the saved searches themselves to the investigation. | |
serviceDeskId | String | serviceDeskId is used to define an id that maps a 3rd party service desk to an investigation. This may be a URL or other identifier that can be used to link the investigation to a service desk ticket. URL format: provide the full URL to the service desk ticket and encode an additional query parameter "id" into the URL, e.g. https://company.service-now.com//nav_to.do?uri=%2Fincident.do%3Fsys_id=3454676eadfedaf8e665370cbb350b&id=INC2345 | |
serviceDeskType | String | serviceDeskType is used to set the service desk type/identifier being used in relation to the service desk id, e.g. SNOW, 4me. This is free-form text and is not validated. | |
ruleId | ID | ruleId is meant for internal I&R use only. Providing any value for it may result in failures and behaviour is undefined. | |
templateId | ID | templateId is meant for internal I&R use only. Providing any value for it may result in failures and behaviour is undefined. | |
Int🔗
Description: The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
UpdateInvestigationV2Input🔗
Description: UpdateInvestigationV2Input describes the fields available for updating an investigation. Optional fields that are not provided will not be updated.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | Id of the investigation to update | |
type | InvestigationType | Type the investigation should be updated to. Types are restricted to the available types for the current user and tenant service level. | |
priority | Int | Priority to update the investigation to: 1 - Low, 2 - Medium, 3 - High, 4 - Critical. | |
title | String | Title to update the investigation with | |
tags | String | Tags used to help label the investigation. Tags are not additive: the tags provided replace the existing tags on the investigation, so to keep the existing tags you must include them in the tags field. Not sending the tags field at all (null) leaves the tags unchanged. | |
keyFindings | String | KeyFindings are used to explain the details of the investigation | |
status | InvestigationStatus | Status is used to update the state of the investigation. Statuses are restricted to the available statuses for the current user and tenant. Only non-closed statuses are supported here; investigations must be closed via the closeInvestigation mutation. Setting the status to AWAITING_ACTION triggers a handoff if the assignee id changes, and an email is sent to the new assignee. | |
assigneeId | String | AssigneeId is used to update the user assigned to the investigation. The assignee must be a valid user, client, or @mention in the system. Updating the assignee id and setting the status to AWAITING_ACTION triggers a handoff, and an email is sent to the new assignee. | |
serviceDeskId | String | serviceDeskId is used to update an id that maps a 3rd party service desk to an investigation. This may be a URL or other identifier that can be used to link the investigation to a service desk ticket. URL format: provide the full URL to the service desk ticket and encode an additional query parameter "id" into the URL, e.g. https://company.service-now.com//nav_to.do?uri=%2Fincident.do%3Fsys_id=3454676eadfedaf8e665370cbb350b&id=INC2345 | |
serviceDeskType | String | serviceDeskType is used to update the service desk type/identifier being used in relation to the service desk id, e.g. SNOW, 4me. This is free-form text and is not validated. | |
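Two of the rules in UpdateInvestigationV2Input are easy to get wrong from a script: an omitted field is left alone (so an input must not carry keys for values the caller did not intend to change), and `tags` is replaced wholesale (so adding a tag means re-sending the existing ones). The helper below is an added example, not Taegis code, that builds the input from a previously fetched investigation; `current` is a constructed dict using the InvestigationV2 field names from this page, and the close statuses are deliberately not handled because closing goes through closeInvestigation.

```python
"""Added example: build an UpdateInvestigationV2Input without clobbering data.

Not Taegis code. Uses only the field names listed on this page.
"""
from typing import Any, Dict, Iterable, List

# Fields updateInvestigationV2 accepts besides id (from UpdateInvestigationV2Input)
PATCHABLE = {"type", "priority", "title", "tags", "keyFindings", "status",
             "assigneeId", "serviceDeskId", "serviceDeskType"}


def merge_tags(existing: Iterable[str], add: Iterable[str] = (),
               remove: Iterable[str] = ()) -> List[str]:
    """Order-preserving union minus removals; the result replaces the server-side tags."""
    drop = set(remove)
    merged: List[str] = []
    for tag in list(existing) + list(add):
        if tag not in drop and tag not in merged:
            merged.append(tag)
    return merged


def build_update_input(current: Dict[str, Any], *, add_tags: Iterable[str] = (),
                       remove_tags: Iterable[str] = (), **changes: Any) -> Dict[str, Any]:
    """Return the input dict for updateInvestigationV2 containing only changed fields."""
    unknown = set(changes) - PATCHABLE
    if unknown:
        raise ValueError(f"not updatable via updateInvestigationV2: {sorted(unknown)}")
    if "tags" in changes and (add_tags or remove_tags):
        raise ValueError("pass either tags= or add_tags/remove_tags, not both")
    # None means "do not touch"; omitting the key is what makes the PATCH leave it alone
    patch: Dict[str, Any] = {"id": current["id"]}
    patch.update({k: v for k, v in changes.items() if v is not None})
    if add_tags or remove_tags:
        patch["tags"] = merge_tags(current.get("tags") or [], add_tags, remove_tags)
    if "priority" in patch and patch["priority"] not in (1, 2, 3, 4):
        raise ValueError("priority must be 1 (Low) .. 4 (Critical)")
    if len(patch) == 1:
        raise ValueError("nothing to update")
    return patch


def triggers_handoff(current: Dict[str, Any], patch: Dict[str, Any]) -> bool:
    """True when the update will email a new assignee: status AWAITING_ACTION plus a
    changed assigneeId, as described for UpdateInvestigationV2Input."""
    new_assignee = patch.get("assigneeId")
    return (patch.get("status") == "AWAITING_ACTION"
            and new_assignee is not None
            and new_assignee != current.get("assigneeId"))


if __name__ == "__main__":
    # Constructed sample: the investigation as previously returned by investigationV2
    current = {"id": "inv-1", "tags": ["phishing", "triage"], "assigneeId": "user-1"}
    print(build_update_input(current, add_tags=["malware"], remove_tags=["triage"], priority=3))
```

Fetch the investigation immediately before building the patch: because tags are replaced rather than merged server-side, a stale `current` silently drops tags another analyst added in between.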
CloseInvestigationInput🔗
Description: CloseInvestigationInput Describes the fields needed to close an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | investigation id | |
status | InvestigationCloseStatus | investigation close status | |
reason | String | reason is used to provide a short description on why the investigation is being closed | |
alertsResolutionStatus | AlertResolutionStatus | alertsResolutionStatus is the status to set on alerts when closing an investigation. This is a required field for an investigation with alerts but is optional if the investigation has no alerts. |
AlertResolutionStatus🔗
Description: Enum of alert resolution statuses.
AddEvidenceToInvestigationInput🔗
Description: AddEvidenceToInvestigationInput describes the fields needed to add evidence to an existing investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
investigationId | ID | investigation id to add the evidence to | |
alerts | String | Alerts is a list of alert IDs that should be attached to the investigation | |
alertsSearchQuery | String | AlertsSearchQuery is a CQL query that should be used to add alerts to the investigation | |
events | String | Events is a list of event IDs that should be attached to the investigation | |
searchQueries | String | SearchQueries are saved searches that should be attached to the investigation. Unlike search queries supplied when the investigation is created, these are not considered genesis evidence. Searches added here are not executed to attach evidence; this field only attaches the saved searches themselves to the investigation. | |
RemoveEvidenceFromInvestigationInput🔗
Description: RemoveEvidenceFromInvestigationInput describes the fields needed to remove evidence from an existing investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
investigationId | ID | investigation id | |
alerts | String | Alerts is a list of alert IDs that should be removed from the investigation | |
events | String | Events is a list of event IDs that should be removed from the investigation | |
assets | String | Assets is a list of asset IDs that should be removed from the investigation | |
searchQueries | String | searchQueries is a list of search queries that should be removed from the investigation |
DeleteInvestigationRuleInput🔗
Description: DeleteInvestigationRuleInput Describes the fields available for deleting an existing investigation rule.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the rule to delete | |
ArchiveInvestigationInput🔗
Description: ArchiveInvestigationInput Describes the fields for archiving an existing investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the investigation to archive |
UnarchiveInvestigationInput🔗
Description: UnarchiveInvestigationInput Describes the fields for unarchiving an existing investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the investigation to unarchive |
ArchiveInvestigationsInput🔗
Description: ArchiveInvestigationsInput Describes the fields for bulk archiving existing investigations.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
ids | ID | IDs of the investigations to archive | |
UnarchiveInvestigationsInput🔗
Description: UnarchiveInvestigationsInput Describes the fields for bulk unarchiving existing investigations.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
ids | ID | IDs of the investigation to unarchive |
ArchivedInvestigations🔗
Description: ArchivedInvestigations Describes a set of investigations that have been archived.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
ids | ID | ids of the investigations that were successfully archived |
UnarchivedInvestigations🔗
Description: UnarchivedInvestigations Describes a set of investigations that have been unarchived.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
ids | ID | ids of the investigations that were successfully unarchived |
InvestigationV2🔗
Description: InvestigationV2 Describes a Taegis XDR investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the investigation (unique) | |
shortId | String | shortId is a human-readable identifier for the investigation. Short ids are not guaranteed to be created in order, though they typically will be. | |
title | String | Title of the investigation | |
keyFindings | String | KeyFindings are used to explain the details of the investigation | |
alertsEvidence | AlertEvidence | AlertsEvidence is a list of alert evidence attached to the investigation | |
alertsEvidenceCount | Int | AlertsEvidenceCount is the count of alerts attached to the investigation | |
assetsEvidence | AssetEvidence | AssetsEvidence is a list of asset evidence attached to the investigation | |
assetsEvidenceCount | Int | AssetsEvidenceCount is the count of assets attached to the investigation | |
eventsEvidence | EventEvidence | EventsEvidence is a list of event evidence attached to the investigation | |
eventsEvidenceCount | Int | EventsEvidenceCount is the count of events attached to the investigation | |
searchQueriesEvidence | SearchQueryEvidence | SearchQueriesEvidence is a list of search query evidence attached to the investigation | |
searchQueriesEvidenceCount | Int | SearchQueriesEvidenceCount is the count of search queries attached to the investigation | |
priority | Int | Priority of the investigation | |
type | InvestigationType | Type of the investigation | |
status | InvestigationStatus | Status is the current status of the investigation | |
tags | String | Tags used to help label the investigation | |
contributorIds | String | ContributorIds is a list of user ids that have contributed to the investigation | |
contributorSubjects | Subject | ContributorSubjects is a federated list of subjects that have contributed to the investigation. It can be used to get the user information for the contributors. It is not guaranteed that all contributors can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
assigneeId | String | AssigneeId is the id of the user, client or group assigned to the investigation | |
assigneeSubject | Subject | assigneeSubject is a federated field that can be used to get the user/client information for the assignee. It is a convenience field that will be nil if the api does not think the field can be rendered through federation. It will always be nil if the assignee id is an @partner mention or @customer. It is not guaranteed that the assignee can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
tenantId | String | TenantId is the id of the tenant that the investigation belongs to | |
tenant | TenantV4 | Tenant is a federated field that can be used to get the tenant information for the investigation. It is a convenience field that will be nil if the api does not think the field can be rendered through federation. It is not guaranteed that the tenant can be resolved through federation, for example if the federated service is down or the tenant was moved to another environment. | |
createdById | String | CreatedById is the id of the user that created the investigation | |
createdBySubject | Subject | CreatedBySubject is a federated field that can be used to get the user information for the creator of the investigation. It is a convenience field that will be nil if the api does not think the field can be rendered through federation. It is not guaranteed that the creator can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
createdAt | Time | CreatedAt is the time the investigation was created. This field is updated if the investigation was originally created in a draft state and then promoted. | |
updatedById | String | UpdatedById is the id of the user that last updated the investigation | |
updatedBySubject | Subject | UpdatedBySubject is a federated field that can be used to get the user information for the last user that updated the investigation. It is a convenience field that will be nil if the api does not think the field can be rendered through federation. It is not guaranteed that the updater can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
updatedAt | Time | UpdatedAt is the time the investigation was last updated | |
archivedAt | Time | ArchivedAt is the time the investigation was archived. It is only set while the investigation is archived and is reset to nil if the investigation is unarchived. | |
closeReason | String | The reason provided by the user when closing an investigation. This field is only populated for investigations that have reached a 'Closed' status. | |
processingStatus | InvestigationProcessingStatus | processingStatus contains the current status of each evidence type that could be processed for the investigation | |
commentsCount | InvestigationCommentsCount | commentsCount contains the count of comments for the investigation | |
ruleId | ID | ruleId is the id of the rule that opened the investigation; it is only set if the investigation was opened by a rule | |
serviceDeskId | String | serviceDeskId is an id that maps a 3rd party service desk to an investigation. Consumers of this field should be able to parse it as a URL, read the "id" query parameter and use that parameter's value as the display value. | |
serviceDeskType | String | serviceDeskType is the type/identifier being used in relation to the service desk id, e.g. SNOW, 4me | |
metrics | Metric | metrics contains data points that have been collected for this investigation; they are only set if the investigation was opened by a partner and followed the traditional investigation flow. | |
isCreatedByPartner | Boolean | isCreatedByPartner denotes whether the investigation was created by the child tenant's parent tenant. | |
alerts | String | | |
assets | String | | |
events | String | | |
contributorIDs | String | | |
searchQueries | String | | |
entitiesEvidence | EntityEvidence | | |
entitiesEvidenceCount | Int | | |
assignee | TDRUser | | |
contributors | TDRUser | | |
createdBy | TDRUser | | |
updatedBy | TDRUser | | |
metric | Metric | | |
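The serviceDeskId field, both as written via CreateInvestigationInput and as read back from InvestigationV2 above, is stored as free-form text and may be either a bare ticket id or a full ticket URL with an extra "id" query parameter that consumers are expected to show. The following is an added example, not Taegis code, of the consumer-side parsing this page describes. Because neither serviceDeskId nor serviceDeskType is validated by the API, a UI must not render the stored value as a hyperlink blindly; the helper treats only http(s) URLs as links and shows anything else as plain text. The sample URL is the one quoted in the field description.

```python
"""Added example: turn an investigation's serviceDeskId into a display value and a link.

Not Taegis code. Only http(s) URLs become links; everything else is shown as text.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SAFE_SCHEMES = {"http", "https"}


@dataclass(frozen=True)
class ServiceDeskRef:
    display: str            # text to show in the UI
    link: Optional[str]     # href to use, or None when the value is not a safe URL


def parse_service_desk_id(value: Optional[str]) -> Optional[ServiceDeskRef]:
    """Extract the display id from a ticket URL, or fall back to the raw value."""
    if value is None or not value.strip():
        return None
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() in SAFE_SCHEMES and parts.netloc:
        # parse_qs drops blank values, so "?id=" falls back to the full URL
        ids = parse_qs(parts.query).get("id", [])
        display = ids[0] if ids else value
        return ServiceDeskRef(display=display, link=value)
    # javascript:, data:, file:, scheme-less strings and bare ticket ids: never a link
    return ServiceDeskRef(display=value, link=None)


# The URL quoted in this page's serviceDeskId description, used as sample input
SAMPLE_URL = ("https://company.service-now.com//nav_to.do"
              "?uri=%2Fincident.do%3Fsys_id=3454676eadfedaf8e665370cbb350b&id=INC2345")

if __name__ == "__main__":
    for raw in (SAMPLE_URL, "INC2345", "javascript:alert(1)"):
        print(parse_service_desk_id(raw))
```

The scheme check matters because any user with write access to an investigation can store an arbitrary string here; rendering it as `<a href>` without the check would let a `javascript:` or `data:` value execute in the browser of whoever views the investigation.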
Boolean🔗
Description: The Boolean scalar type represents true or false.
InvestigationsV2🔗
Description: InvestigationsV2 defines the paginated results of an investigation search.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
investigations | InvestigationV2 | List of the investigations that match the search criteria for the current page | |
totalCount | Int | The total number of investigations that match the search criteria | |
aggregatedCounts | AggregatedCounts | AggregatedCounts contains aggregate data (counts) for the entire set of investigations matching the provided query, ignoring pagination. Requesting this field may slow the api response for the query; only request it if absolutely necessary. Data is aggregated based on the query that was provided in the original request. | |
metrics | Metrics | Metrics contains aggregate data for the entire set of investigations matching the provided query, ignoring pagination. Requesting this field may slow the api response for the query; only request it if absolutely necessary. Data is calculated based on the query that was provided in the original request. | |
AggregatedCounts🔗
Description: AggregatedCounts contains aggregate investigation count data for different fields of investigations
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
status | InvestigationStatusCount | status contains the count of investigations by status | |
type | InvestigationTypeCount | type contains the count of investigations by type | |
priority | InvestigationPriorityCount | priority contains the count of investigations by priority | |
tenant | InvestigationTenantCount | tenant contains the count of investigations by tenant | |
assignee | InvestigationAssigneeCount | assignee contains the count of investigations by assignee | |
creator | InvestigationCreatorCount | creator contains the count of investigations by creator | |
archivedCount | Int | archivedCount contains the count of archived investigations | |
InvestigationStatusCount🔗
Description: InvestigationStatusCount contains the count of investigations for a given status
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
status | InvestigationStatus | ||
count | Int |
InvestigationPriorityCount🔗
Description: InvestigationPriorityCount contains the count of investigations for a given priority
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
priority | Int | ||
count | Int |
InvestigationTypeCount🔗
Description: InvestigationTypeCount contains the count of investigations for a given type
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
type | InvestigationType | ||
count | Int |
InvestigationTenantCount🔗
Description: InvestigationTenantCount contains the count of investigations for a given tenant
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
tenantId | String | ||
count | Int | ||
tenant | TenantV4 | Tenant is a federated field that can be used to get the tenant information for the count. It is a convenience field that will be nil if the api does not think the field can be rendered through federation. It is not guaranteed that the tenant will be able to be resolved through federation. For example, if the federated service is down or the tenant was moved to another environment. |
InvestigationCreatorCount🔗
Description: InvestigationCreatorCount contains the count of investigations for a given creator
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
creatorId | String | ||
subject | Subject | ||
count | Int |
InvestigationAssigneeCount🔗
Description: InvestigationAssigneeCount contains the count of investigations for a given assignee
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
assigneeId | String | ||
subject | Subject | ||
count | Int |
Metric🔗
Description: Metric describes the metrics for an individual investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
draftCreatedAt | Time | The timestamp denoting when an investigation was first created in a draft state. If it is not set, the investigation was never in a draft state. | |
draftPromotedAt | Time | The timestamp denoting when an investigation moved from draft to any other state. | |
timeToDraftPromotion | Int | The time in seconds between when the investigation was opened and when the draft was promoted. | |
draftPromotedBy | String | The id of the user or client who promoted the investigation. | |
handedOffAt | Time | The timestamp denoting when a partner notified a customer of an investigation. Only set if a Secureworks/Partner user or client sets an investigation to awaiting action with a customer as the assignee. | |
timeToHandOff | Int | The time in seconds between when the investigation was opened and when the hand off happened. If the investigation was a draft, this is the seconds between draft promotion and hand off. Only set if a Secureworks/Partner user or client sets an investigation to awaiting action with a customer as the assignee. | |
handedOffBy | String | The id of the user or client who handed off the investigation. Only set if a Secureworks/Partner user or client sets an investigation to awaiting action with a customer as the assignee. | |
acknowledgedAt | Time | The timestamp denoting when an investigation was first retrieved by a customer (must be a human) after a hand off. Only set if there was a hand off. | |
timeToAcknowledgement | Int | The time in seconds between when an investigation was handed off and acknowledged by a human. Only set if there was a hand off. | |
acknowledgedBy | String | The id of the user (must be a human) who acknowledged the investigation. Only set if there was a hand off. | |
resolvedAt | Time | The timestamp denoting when an investigation was closed after it had been handed off. Only set if there was a hand off and the investigation was closed by a customer user/client. | |
timeToResolution | Int | The time in seconds between when an investigation was handed off and closed. Only set if there was a hand off and the investigation was closed by a customer user/client. | |
resolvedBy | String | The id of the user or client who resolved the investigation. Only set if there was a hand off and the investigation was closed by a customer user/client. | |
Metrics🔗
Description: Metrics describes metrics for a set of investigations in aggregate.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
meanTimeToHandoff | Int | Mean Time To Handoff in seconds. | |
meanTimeToAcknowledgement | Int | Mean Time To Acknowledgement in seconds. | |
meanTimeToResolution | Int | Mean Time To Resolution in seconds. | |
meanTimeToDraftPromotion | Int | Mean Time to Draft Promotion in seconds. |
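
The Metric and Metrics descriptions above define a small set of derived durations with conditional presence rules (hand-off timings exist only after a hand off; timeToHandOff is measured from draft promotion when the investigation began as a draft). The following is an added worked example, not code from the Investigations API or its client libraries, that computes those fields from constructed timestamps so the conditions can be checked end to end. The InvestigationTimes input type and the helper names are this example's own.

```python
"""Derive Metric and Metrics values from investigation timestamps.

Added worked example; not code from the Investigations API. It follows
the field descriptions: hand-off, acknowledgement and resolution timings
exist only when a hand off happened, and timeToHandOff is measured from
draft promotion when the investigation started as a draft.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class InvestigationTimes:
    """Constructed input (this example's own type): the timestamps a Metric derives from."""
    opened_at: datetime
    draft_promoted_at: Optional[datetime] = None  # None: never in a draft state
    handed_off_at: Optional[datetime] = None      # None: no hand off
    acknowledged_at: Optional[datetime] = None    # None: not yet acknowledged
    resolved_at: Optional[datetime] = None        # None: still open


def _seconds(later: datetime, earlier: datetime) -> int:
    return int((later - earlier).total_seconds())


def metric(t: InvestigationTimes) -> Dict[str, Optional[int]]:
    """Per-investigation Metric; unset fields are None, as in the API response."""
    m: Dict[str, Optional[int]] = {
        "timeToDraftPromotion": None,
        "timeToHandOff": None,
        "timeToAcknowledgement": None,
        "timeToResolution": None,
    }
    if t.draft_promoted_at is not None:
        m["timeToDraftPromotion"] = _seconds(t.draft_promoted_at, t.opened_at)
    if t.handed_off_at is None:
        return m  # "Only set if there was a hand off"
    # A promoted draft measures hand off from promotion, not from opening.
    start = t.draft_promoted_at or t.opened_at
    m["timeToHandOff"] = _seconds(t.handed_off_at, start)
    if t.acknowledged_at is not None:
        m["timeToAcknowledgement"] = _seconds(t.acknowledged_at, t.handed_off_at)
    if t.resolved_at is not None:
        m["timeToResolution"] = _seconds(t.resolved_at, t.handed_off_at)
    return m


# Metric field -> aggregate Metrics field
_AGGREGATES = {
    "timeToHandOff": "meanTimeToHandoff",
    "timeToAcknowledgement": "meanTimeToAcknowledgement",
    "timeToResolution": "meanTimeToResolution",
    "timeToDraftPromotion": "meanTimeToDraftPromotion",
}


def metrics(ts: List[InvestigationTimes]) -> Dict[str, Optional[int]]:
    """Aggregate Metrics: the mean over investigations where the value is set."""
    per = [metric(t) for t in ts]
    out: Dict[str, Optional[int]] = {}
    for key, agg in _AGGREGATES.items():
        vals = [p[key] for p in per if p[key] is not None]
        out[agg] = int(mean(vals)) if vals else None
    return out


def _ts(hour: int, minute: int) -> datetime:
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: a promoted draft that was resolved, a non-draft hand off
# that is still open, and an investigation that was never handed off.
SAMPLE = [
    InvestigationTimes(_ts(10, 0), _ts(10, 5), _ts(10, 20), _ts(10, 30), _ts(11, 20)),
    InvestigationTimes(_ts(12, 0), None, _ts(12, 10), _ts(12, 40), None),
    InvestigationTimes(_ts(13, 0)),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(metric(t))
    print(metrics(SAMPLE))
```

Note that the means skip investigations where a value is unset rather than treating them as zero; an investigation that was never handed off therefore does not drag meanTimeToHandoff down. Whether the acknowledging actor is a human is an access-control rule on the service side and is not modelled here.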
AddEvidenceToInvestigationResult🔗
Description: AddEvidenceToInvestigationResult describes the fields used to add evidence (alerts, events and saved searches) to an existing investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
investigationId | ID | id of the investigation to add the evidence to | |
alerts | String | Alerts is a list of alert IDs that should be attached to the investigation | |
alertsSearchQuery | String | alertsSearchQuery is a CQL query that should be used to add alerts to the investigation | |
events | String | Events is a list of event IDs that should be attached to the investigation | |
searchQueries | String | SearchQueries are saved searches that should be attached to the investigation. Searches added here are not executed to attach evidence; this field is only used to attach saved searches to the investigation. |
RemoveEvidenceFromInvestigationResult🔗
Description: RemoveEvidenceFromInvestigationResult describes the fields needed to remove evidence from an existing investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
investigationId | ID | id of the investigation to remove the evidence from | |
alerts | String | Alerts is a list of alert IDs that should be removed from the investigation | |
events | String | Events is a list of event IDs that should be removed from the investigation | |
assets | String | Assets is a list of asset IDs that should be removed from the investigation | |
searchQueries | String | searchQueries is a list of search queries that should be removed from the investigation |
InvestigationTemplate🔗
Description: InvestigationTemplate contains a pre-defined set of attributes used to populate an investigation.
A template can either be used to open a new investigation or applied to an existing investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the investigation template (unique) | |
createdById | String | ID of the user that created the investigation template | |
createdBySubject | Subject | createdBySubject is a federated field that can be used to get the user information for the creator of the investigation template. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the createdBy subject can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
createdAt | Time | createdAt is the time the investigation template was created | |
updatedById | String | ID of the user that last updated the investigation template | |
updatedBySubject | Subject | updatedBySubject is a federated field that can be used to get the user information for the last user that updated the investigation template. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the updatedBy subject can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
updatedAt | Time | updatedAt is the time the investigation template was last updated | |
tenantId | String | ID of the tenant that the investigation template belongs to | |
name | String | Name of the template | |
title | String | Title of the template - when displaying the template visually, if this field is set, it should be used to represent the template and not the name | |
description | String | Description of the template | |
tags | String | Tags used to help label the template | |
investigationType | String | Type the investigation should be opened as | |
investigationPriority | String | Priority of the investigation | |
investigationTitle | String | Title of the investigation | |
investigationTags | String | Tags used to help label the investigation | |
investigationKeyFindings | String | keyFindings is a CEL template that can be used to populate and explain the details of the investigation | |
investigationKeyFindingsPrompts | String | keyFindingsPrompts are a set of CEL templates that can be used to populate and explain the details of the investigation based on responses from OpenAI | |
investigationAssignee | String | Assignee is used to set the user assigned to the investigation | |
investigationAssigneeSubject | Subject | investigationAssigneeSubject is a federated field that can be used to get the user information for the assignee of the investigation template. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the assignee can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
investigationStatus | String | Initial status of the investigation | |
createdBy | TDRUser | ||
updatedBy | TDRUser | ||
investigationAssigneeUser | TDRUser |
InvestigationTemplates🔗
Description: InvestigationTemplates defines the paginated results of an investigation template search.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
templates | InvestigationTemplate | List of the templates that match the search criteria for the current page | |
totalCount | Int | The total number of templates that match the search criteria |
CreateInvestigationTemplateInput🔗
Description: CreateInvestigationTemplateInput describes the fields used for creating a new investigation template.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
name | String | Name of the template to create. May only consist of letters, numbers and underscores. Once the name is set, it cannot be changed. | |
title | String | Title of the template - can be changed later. | |
description | String | Description of the template | |
tags | String | Tags used to help label the template | |
investigationType | String | Type the investigation should be opened as. Uses a String type and not the type enum to support templating with CEL; the final, rendered value must be a valid InvestigationType. | |
investigationPriority | String | Priority of the investigation. Uses a String type and not an Int to support templating with CEL; the final, rendered value must be a valid Int (1-4). | |
investigationTitle | String | Title of the investigation | |
investigationTags | String | Tags used to help label the investigation | |
investigationKeyFindings | String | investigationKeyFindings is a CEL template that can be used to populate and explain the details of the investigation | |
investigationKeyFindingsPrompts | String | investigationKeyFindingsPrompts are a set of CEL templates that can be used to populate and explain the details of the investigation based on responses from OpenAI | |
investigationAssignee | String | Assignee is used to set the user assigned to the investigation | |
investigationStatus | String | Status that the investigation should be opened with. Uses a String type and not the status enum to support templating with CEL. The final, rendered, value must be a valid InvestigationStatus however. |
UpdateInvestigationTemplateInput🔗
Description: UpdateInvestigationTemplateInput describes the fields used for updating an existing investigation template.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the template to update | |
title | String | Title to update the template with | |
description | String | Description to update the template with | |
tags | String | Tags used to help label the template. Tags are not additive: the tags provided replace the existing tags on the template. If you want to keep the existing tags, you must include them in the tags field. Not sending the tags field at all (null) will not update the tags. | |
investigationType | String | Type the investigation should be opened as. Uses a String type and not the type enum to support templating with CEL; the final, rendered value must be a valid InvestigationType. | |
investigationPriority | String | Priority of the investigation. Uses a String type and not an Int to support templating with CEL; the final, rendered value must be a valid Int (1-4). | |
investigationTitle | String | Title of the investigation | |
investigationTags | String | Tags used to help label the investigation | |
investigationKeyFindings | String | investigationKeyFindings is a CEL template that can be used to populate and explain the details of the investigation | |
investigationKeyFindingsPrompts | String | investigationKeyFindingsPrompts are a set of CEL templates that can be used to populate and explain the details of the investigation based on responses from OpenAI | |
investigationAssignee | String | Assignee is used to set the user assigned to the investigation | |
investigationStatus | String | Status that the investigation should be opened with. Uses a String type and not the status enum to support templating with CEL. The final, rendered, value must be a valid InvestigationStatus however. |
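
The create and update inputs above carry two rules that are easy to get wrong from a client: the template name is restricted to letters, numbers and underscores and is immutable, and tags on update replace rather than merge (while omitting the field leaves them alone). The following is an added example, not the API's own code, that checks a CreateInvestigationTemplateInput before sending it and models how an UpdateInvestigationTemplateInput is applied. CEL rendering is not modelled: a bare integer literal in investigationPriority is checked against 1-4 immediately, and anything else is assumed to be a CEL template whose rendered value the server validates (that split is this example's assumption). The sample template values are constructed.

```python
"""Client-side checks for CreateInvestigationTemplateInput and the
replace-not-merge semantics of UpdateInvestigationTemplateInput.

Added worked example; not the Investigations API's own code.
"""
import re
from typing import Any, Dict, List

NAME_RE = re.compile(r"[A-Za-z0-9_]+")  # "letters, numbers and underscores"


def validate_create_template_input(inp: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the input looks valid."""
    errors: List[str] = []
    name = inp.get("name") or ""
    if not NAME_RE.fullmatch(name):
        errors.append("name: may only consist of letters, numbers and underscores")
    priority = inp.get("investigationPriority")
    if priority is not None:
        text = str(priority).strip()
        # Assumption: a plain integer literal can be checked now; any other
        # string is treated as a CEL template validated after rendering.
        if text.lstrip("-").isdigit() and not 1 <= int(text) <= 4:
            errors.append("investigationPriority: rendered value must be 1-4")
    for key in ("investigationType", "investigationStatus"):
        if key in inp and not str(inp[key]).strip():
            errors.append(f"{key}: must render to a non-empty enum value")
    return errors


# Fields the update input may change; name is immutable once set.
_UPDATABLE = (
    "title", "description", "investigationType", "investigationPriority",
    "investigationTitle", "investigationTags", "investigationKeyFindings",
    "investigationKeyFindingsPrompts", "investigationAssignee", "investigationStatus",
)


def apply_template_update(existing: Dict[str, Any], update: Dict[str, Any]) -> Dict[str, Any]:
    """Model how the server applies an UpdateInvestigationTemplateInput."""
    if update.get("name") not in (None, existing.get("name")):
        raise ValueError("name cannot be changed after creation")
    if update.get("id") not in (None, existing.get("id")):
        raise ValueError("id does not match the template being updated")
    new = dict(existing)
    for key in _UPDATABLE:
        if update.get(key) is not None:
            new[key] = update[key]
    # Tags are not additive: a list replaces the existing tags outright,
    # while omitting the field (null) leaves them untouched.
    if update.get("tags") is not None:
        new["tags"] = list(update["tags"])
    return new


def update_rejected(existing: Dict[str, Any], update: Dict[str, Any]) -> bool:
    """True if the update would be refused (used to exercise the immutable name)."""
    try:
        apply_template_update(existing, update)
    except ValueError:
        return True
    return False


# Constructed sample template.
EXISTING = {
    "id": "tmpl-1",
    "name": "phishing_triage",
    "title": "Phishing triage",
    "tags": ["email", "phishing"],
    "investigationPriority": "3",
}

if __name__ == "__main__":
    print(validate_create_template_input({"name": "phishing triage", "investigationPriority": "7"}))
    print(apply_template_update(EXISTING, {"id": "tmpl-1", "tags": ["email"]}))
```

A client that wants to add one tag must therefore read the template first and send the full list back; sending `{"tags": ["new"]}` alone drops the others.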
DeleteInvestigationTemplateInput🔗
Description: DeleteInvestigationTemplateInput defines the fields available for deleting an existing investigation template.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the template to delete |
InvestigationV2Arguments🔗
Description: InvestigationV2Arguments describes the parameters to search for an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID |
InvestigationsV2Arguments🔗
Description: InvestigationsV2Arguments describes the parameters for a search of investigations.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
cql | String | cql string to search for investigations | |
page | Int | page of results to return - pages start on 1 | |
perPage | Int | number of results per page - max 100 | |
tenantServiceFilters | String | tenant service labels to search for | |
orderBy | PaginationOrder | ||
searchChildrenTenants | Boolean |
InvestigationTemplateArguments🔗
Description: InvestigationTemplateArguments describes the parameters to find an investigation template. Both id and name are unique identifiers for a template. At least one of the fields must be set, if both are set, both must match a template.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ||
name | String |
InvestigationTemplatesArguments🔗
Description: InvestigationTemplatesArguments describes the parameters for a search of investigation templates.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
cql | String | cql string to search for templates | |
page | Int | page of results to return - pages start on 1 | |
perPage | Int | number of results per page - max 100 | |
name | String | ||
tags | String |
ExportInvestigationResourcesArguments🔗
Description: ExportInvestigationResourcesArguments describes the fields needed to export investigation resources (rules/templates).
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
arguments | ExportInvestigationResourcesArgument |
ExportInvestigationResourcesArgument🔗
Description: ExportInvestigationResourcesArgument describes the parameters to find and export an investigation resource (rules/templates). Both id and name are unique identifiers for a resource. At least one of the fields must be set; if both are set, both must match the same resource.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ||
name | String | ||
type | InvestigationResourceType | Type of the resource to export |
InvestigationRule🔗
Description: InvestigationRule contains the configuration for an auto-investigation rule.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the rule (unique) | |
createdById | String | ID of the user that created the rule | |
createdBySubject | Subject | createdBySubject is a federated field that can be used to get the user information for the creator of the investigation rule. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the createdBy subject can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
createdAt | Time | createdAt is the time the investigation rule was created | |
updatedById | String | ID of the user that last updated the investigation rule | |
updatedBySubject | Subject | updatedBySubject is a federated field that can be used to get the user information for the last user that updated the investigation rule. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the updatedBy subject can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
updatedAt | Time | updatedAt is the time the investigation rule was last updated | |
tenantId | String | ID of the tenant that the investigation rule belongs to | |
name | String | Name of the rule | |
title | String | Title of the rule - when displaying the rule visually, if this field is set, it should be used to represent the rule and not the name | |
description | String | Description of the rule | |
tags | String | Tags used to help label the rule | |
type | InvestigationRuleType | Type denotes the type of the rule and determines what is used to evaluate alerts | |
order | Int | Order defines the order in which rules should be evaluated. The lower the number, the sooner the rule will be evaluated. Once a rule's filter has matched and been applied to an alert, the system stops trying to apply other rules. | |
state | InvestigationRuleState | State defines processing behavior for the rule | |
filter | String | Alert filter expressed as a QL expression | |
appendFilter | String | Optional filter that can define different alert constraints (i.e. broader) for appending vs creating | |
appendComment | String | Optional comment that is expanded and a comment generated when an alert is appended to an existing non-draft investigation | |
groupBy | String | Optional group by clause that adds additional matching alerts to an existing investigation | |
groupCount | Int | Count is an optional specification of the number of required matches of the group by clause | |
groupDuration | String | Duration specifies an optional period (as a string in the format <int>[d|h|m|s]) to continue grouping alerts after a matching investigation is closed | |
groupExtendOnAppend | Boolean | Optional flag indicating if newly appended alerts should expand the set of entities/attributes used to group alerts, defaults to false | |
searchQueries | String | Optional search queries used to populate additional alerts or events into a newly created investigation | |
searchWindow | String | Optional search window specifies duration from the genesis alerts over which the search is evaluated | |
tenantFilter | String | Setting to filter tenants based on attributes such as enabled services and/or same tenant as rule definition | |
skipAlertPrioritization | Boolean | Setting to skip checking if the priority of the alert has been downgraded when evaluating alerts | |
template | InvestigationTemplate | Template defining investigation content | |
comment | String | ||
excludeChildTenants | Boolean | ||
createdBy | TDRUser | ||
updatedBy | TDRUser |
CreateInvestigationRuleInput🔗
Description: CreateInvestigationRuleInput describes the fields used for creating a new investigation rule.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
name | String | Name of the rule to create. May only consist of letters, numbers and underscores. Once the name is set, it cannot be changed. | |
title | String | Title of the rule - can be changed later. | |
description | String | Description of the rule | |
tags | String | Tags used to help label the rule | |
type | InvestigationRuleType | Type denotes the type of the rule and determines how alerts are evaluated | |
order | Int | Order defines the order in which rules should be evaluated. Duplicate order values are not allowed. Adding a rule with a duplicate order will insert the rule at the desired position and bump all rules greater than or equal to the inserted rule order up one. | |
state | InvestigationRuleState | State defines processing behavior for the rule | |
filter | String | filter is a ql/cel expression that is used to match alerts to the rule | |
appendFilter | String | appendFilter is an optional filter that can define different alert constraints (i.e. broader) for appending vs creating | |
appendComment | String | appendComment is an optional comment that is expanded and a comment generated when an alert is appended to an existing non-draft investigation | |
groupBy | String | groupBy is an optional group by clause that adds additional matching alerts to an existing open investigation | |
groupCount | Int | groupCount is an optional specification of the number of required matches of the group by clause | |
groupDuration | String | groupDuration specifies an optional period (as a string in the format <int>[h|m|s]) to continue grouping alerts after a matching investigation is closed | |
groupExtendOnAppend | Boolean | groupExtendOnAppend is an optional flag indicating if newly appended alerts should extend the set of entities/attributes used to group alerts, defaults to false | |
searchQueries | String | searchQueries is an optional list of cql expressions used to populate additional alerts or events into a newly created investigation | |
searchWindow | String | searchWindow is an optional duration from the genesis alerts over which the searchQueries are evaluated | |
tenantFilter | String | tenantFilter can be used to filter tenants based on attributes such as enabled services and/or same tenant as rule definition | |
skipAlertPrioritization | Boolean | skipAlertPrioritization can be used to skip checking if the priority of the alert has been downgraded when evaluating alerts | |
templateId | ID | templateId is the id of the template the rule should use when it needs to open a new investigation | |
responseData | JSONObject | ResponseData provides rule-specific context/configuration for playbooks. |
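
Three behaviours of the rule inputs above are worth seeing concretely: rules are evaluated lowest order first and evaluation stops at the first match; inserting a rule at an occupied order bumps that rule and everything after it up by one; and groupDuration is a string of the form <int> followed by a unit letter. The following is an added example, not the API's own code, that models these with an in-memory rule list. On the real service the filter is a QL/CEL expression; here it is a plain dict of alert attributes that must all match, a stand-in for the product's evaluator. The InvestigationRuleState enum values are not listed on this page, so the example uses a boolean `enabled` flag of its own instead. Note that the InvestigationRule type documents the unit set as d|h|m|s while the create and update inputs list only h|m|s; the parser accepts the wider set, and a client should confirm which units the server actually accepts.

```python
"""Rule ordering, first-match evaluation and groupDuration parsing for
auto-investigation rules.

Added worked example; not the Investigations API's own code. The filter
representation and the `enabled` flag are stand-ins for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# <int>[d|h|m|s] per the InvestigationRule.groupDuration description; the
# create/update inputs list only h|m|s (see the lead-in above).
_DURATION_RE = re.compile(r"(\d+)([dhms])")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_group_duration(text: str) -> int:
    """Convert '30m', '2h', ... into seconds; reject anything else."""
    m = _DURATION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"groupDuration must look like <int>[d|h|m|s], got {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def is_valid_group_duration(text: str) -> bool:
    try:
        parse_group_duration(text)
    except ValueError:
        return False
    return True


@dataclass
class Rule:
    name: str
    order: int
    filter: Dict[str, str] = field(default_factory=dict)  # stand-in for the QL/CEL filter
    enabled: bool = True                                   # stand-in for InvestigationRuleState


def insert_rule(rules: List[Rule], new: Rule) -> List[Rule]:
    """Insert at new.order; on a duplicate, bump every rule at or above it up by one."""
    if any(r.order == new.order for r in rules):
        for r in rules:
            if r.order >= new.order:
                r.order += 1
    rules.append(new)
    rules.sort(key=lambda r: r.order)
    return rules


def first_matching_rule(rules: List[Rule], alert: Dict[str, str]) -> Optional[Rule]:
    """Lowest order first; stop at the first enabled rule whose filter matches."""
    for r in sorted(rules, key=lambda r: r.order):
        if r.enabled and all(alert.get(k) == v for k, v in r.filter.items()):
            return r
    return None


def sample_rules() -> List[Rule]:
    """Constructed rule set at orders 1, 2, 3; the last one matches everything."""
    return [
        Rule("high_sev_endpoint", 1, {"severity": "high", "source": "endpoint"}),
        Rule("any_endpoint", 2, {"source": "endpoint"}),
        Rule("catch_all", 3, {}),
    ]


if __name__ == "__main__":
    rules = insert_rule(sample_rules(), Rule("phishing", 2, {"category": "phishing"}))
    print([(r.name, r.order) for r in rules])
    print(first_matching_rule(rules, {"severity": "low", "source": "endpoint"}).name)
    print(parse_group_duration("2h"))
```

Because evaluation stops at the first match, a broad rule placed at a low order silently shadows every more specific rule behind it; checking the sorted list after an insert is the simplest way to catch that before the rule goes live.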
UpdateInvestigationRuleInput🔗
Description: UpdateInvestigationRuleInput describes the fields available for updating an existing investigation rule.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the rule to update | |
title | String | Title of the rule (changing this only affects the visual representation of the rule). | |
description | String | Description of the rule | |
tags | String | Tags used to help label the rule. Tags are not additive: the tags provided replace the existing tags on the rule. If you want to keep the existing tags, you must include them in the tags field. Not sending the tags field at all (null) will not update the tags. | |
order | Int | Order defines the order in which rules should be evaluated. Duplicate order values are not allowed. Adding a rule with a duplicate order will insert the rule at the desired position and bump all rules greater than or equal to the inserted rule order up one. | |
state | InvestigationRuleState | State defines processing behavior for the rule | |
filter | String | filter is a ql/cel expression that is used to match alerts to the rule | |
appendFilter | String | appendFilter is an optional filter that can define different alert constraints (i.e. broader) for appending vs creating | |
appendComment | String | appendComment is an optional comment that is expanded and a comment generated when an alert is appended to an existing non-draft investigation | |
groupBy | String | groupBy is an optional group by clause that adds additional matching alerts to an existing open investigation | |
groupCount | Int | groupCount is an optional specification of the number of required matches of the group by clause | |
groupDuration | String | groupDuration specifies an optional period (as a string in the format <int>[h|m|s]) to continue grouping alerts after a matching investigation is closed | |
groupExtendOnAppend | Boolean | groupExtendOnAppend is an optional flag indicating if newly appended alerts should extend the set of entities/attributes used to group alerts, defaults to false | |
searchQueries | String | searchQueries is an optional list of cql expressions used to populate additional alerts or events into a newly created investigation | |
searchWindow | String | searchWindow is an optional duration from the genesis alerts over which the searchQueries are evaluated | |
tenantFilter | String | tenantFilter can be used to filter tenants based on attributes such as enabled services and/or same tenant as rule definition | |
skipAlertPrioritization | Boolean | skipAlertPrioritization can be used to skip checking if the priority of the alert has been downgraded when evaluating alerts | |
templateId | ID | templateId is the id of the template the rule should use when it needs to open a new investigation | |
responseData | JSONObject | ResponseData provides rule-specific context/configuration for playbooks. |
InvestigationRules🔗
Description: InvestigationRules defines the paginated results of an investigation rule search.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
rules | InvestigationRule | ||
totalCount | Int |
InvestigationRuleArguments🔗
Description: InvestigationRuleArguments describes the parameters to find an investigation rule. Both id and name are unique identifiers for a rule. At least one of the fields must be set, if both are set, both must match a rule.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ||
name | String |
InvestigationRulesArguments🔗
Description: InvestigationRulesArguments describes the parameters for a search of investigation rules.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
cql | String | cql string to search for rules | |
page | Int | page of results to return - pages start on 1 | |
perPage | Int | number of results per page - max 100 | |
name | String | ||
tags | String |
InvestigationRuleState🔗
InvestigationStatus🔗
Description: InvestigationStatus defines the possible statuses for an investigation.
InvestigationCloseStatus🔗
Description: InvestigationCloseStatus defines the possible statuses for closing an investigation.
InvestigationV2StatusesArguments🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
currentStatus | InvestigationStatus | CurrentStatus is the current status of the investigation. If set, results will be filtered to only include the statuses that can be transitioned to from the current status. Primarily used for draft related statuses. |
InvestigationType🔗
Description: InvestigationType defines the possible types for an investigation.
InvestigationProcessingState🔗
Description: InvestigationProcessingState defines the possible states for processing investigation evidence.
ExportInvestigationResourceInput🔗
Description: ExportInvestigationResourceInput describes the fields needed to export an investigation resource.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID |
ImportInvestigationResourcesInput🔗
Description: ImportInvestigationResourcesInput describes the fields needed to import investigation resources.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
file | Upload | File to upload |
InvestigationResourceExport🔗
Description: InvestigationResourceExport describes the fields returned when exporting an investigation resource.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
export | String | Export document |
InvestigationResource🔗
Description: The InvestigationResource union defines all types that implement an investigation resource.
InvestigationResourceType🔗
Description: InvestigationResourceType defines the possible types for an investigation resource.
InvestigationProcessingStatus🔗
Description: InvestigationProcessingStatus defines the possible evidence that can have processing states as well as the current state of the processing.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
assets | InvestigationProcessingState | ||
events | InvestigationProcessingState | ||
alerts | InvestigationProcessingState |
PaginationOrder🔗
Description: PaginationOrder defines the enums that can be used to order the results in ascending or descending order
InvestigationV2TimelineEntityType🔗
Description: InvestigationV2TimelineEntityType defines the possible types for an investigation timeline entity.
InvestigationRuleType🔗
Description: InvestigationRuleType defines the possible types for an investigation rule. The types are used to determine how alerts are evaluated.
InvestigationV2TimelineArguments🔗
Description: InvestigationV2TimelineArguments describes the parameters to get an investigation timeline.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
investigationId | ID | ID of the investigation to get the timeline for | |
createdAfter | String | createdAfter is a timestamp to filter the timeline entries to only those created after the given timestamp | |
createdBefore | String | createdBefore is a timestamp to filter the timeline entries to only those created before the given timestamp | |
orderBy | PaginationOrder | orderBy is the order to sort the timeline entries | |
entityTypes | InvestigationV2TimelineEntityType | entityTypes is a list of entity types to filter the timeline entries to only those of the given types | |
page | Int | page of results to return - pages start on 1 | |
perPage | Int | number of results per page - max 1000 |
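
The list arguments on this page (InvestigationsV2Arguments, InvestigationTemplatesArguments, InvestigationRulesArguments and InvestigationV2TimelineArguments above) share one pagination shape: 1-based `page`, a `perPage` cap (100 for the lists, 1000 for the timeline) and a total count in the result. The following is an added example, not the API's own client, of a generic pager that clamps `perPage`, walks pages from 1 and stops on the total or on an empty page. The transport is a callable taking GraphQL variables and returning the result object; a constructed in-memory transport stands in for the endpoint so the example runs offline. The query document assumes the query field is called investigationTemplates and takes the arguments as an `arguments` input, which is this example's assumption about the schema wiring.

```python
"""Page through a paginated Investigations API list without overrunning the
per-page limits.

Added worked example; not the Investigations API's own client code.
"""
from typing import Any, Callable, Dict, Iterator, List

# Assumed query document; the variable shape mirrors InvestigationTemplatesArguments.
TEMPLATES_QUERY = """
query Templates($arguments: InvestigationTemplatesArguments!) {
  investigationTemplates(arguments: $arguments) {
    templates { id name title tags }
    totalCount
  }
}
"""


def paginate(
    fetch: Callable[[Dict[str, Any]], Dict[str, Any]],
    base_args: Dict[str, Any],
    items_key: str,
    total_key: str,
    per_page: int,
    max_per_page: int = 100,  # 100 for the list queries; 1000 for investigationV2Timeline
) -> Iterator[Dict[str, Any]]:
    """Yield every item; pages start at 1 and perPage is clamped to the documented cap."""
    per_page = max(1, min(per_page, max_per_page))
    page, seen = 1, 0
    while True:
        result = fetch({**base_args, "page": page, "perPage": per_page})
        items = result.get(items_key) or []
        total = int(result.get(total_key, 0))
        yield from items
        seen += len(items)
        # Stop on an empty page as well: the total can drift while paging.
        if not items or seen >= total:
            return
        page += 1


class FakeTransport:
    """Constructed stand-in for the GraphQL endpoint; records the requests it saw.

    A real transport would POST {"query": TEMPLATES_QUERY, "variables":
    {"arguments": variables}} and return the investigationTemplates object.
    """

    def __init__(self, items: List[Dict[str, Any]]):
        self.items = items
        self.requests: List[Dict[str, Any]] = []

    def __call__(self, variables: Dict[str, Any]) -> Dict[str, Any]:
        self.requests.append(dict(variables))
        page, per_page = variables["page"], variables["perPage"]
        if page < 1 or not 1 <= per_page <= 100:
            raise ValueError("invalid page/perPage")  # what the server would reject
        start = (page - 1) * per_page
        return {"templates": self.items[start:start + per_page],
                "totalCount": len(self.items)}


def fetch_all_templates(transport: Callable[[Dict[str, Any]], Dict[str, Any]],
                        cql: str = "", per_page: int = 3) -> List[Dict[str, Any]]:
    return list(paginate(transport, {"cql": cql}, "templates", "totalCount", per_page))


# Constructed sample data: seven templates.
SAMPLE_TEMPLATES = [{"id": f"tmpl-{i}", "name": f"template_{i}"} for i in range(7)]

if __name__ == "__main__":
    transport = FakeTransport(SAMPLE_TEMPLATES)
    print([t["id"] for t in fetch_all_templates(transport, per_page=3)])
    print([r["page"] for r in transport.requests])
```

For the timeline, call `paginate` with `items_key="entities"`, `total_key="totalEntities"` and `max_per_page=1000`, and pass `createdAfter`/`createdBefore` in `base_args` to bound the window instead of paging through the whole history.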
InvestigationV2Timeline🔗
Description: InvestigationV2Timeline defines the paginated results of an investigation timeline request.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
entities | InvestigationV2TimelineEntity | List of the timeline entries that match the search criteria for the current page | |
totalEntities | Int | The total number of timeline entries that match the search criteria |
InvestigationV2TimelineEntity🔗
Description: InvestigationV2TimelineEntity defines the fields for a single timeline entry in an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the timeline entry (unique) | |
investigationId | ID | ID of the investigation the timeline entry is associated with | |
type | String | type is the type of the timeline entry (Event or Alert) | |
tenantId | String | tenantId is the tenant id of the investigation the timeline is related to | |
createdAt | Time | createdAt is the time the timeline entry was created | |
resourceId | String | resourceId is the id of the resource in relation to audit timeline entities | |
resourceCreatedAt | Time | resourceCreatedAt is the time the resource was created | |
description | String | description is a short description of the timeline entry | |
descriptor | String | descriptor is one or two words highlighting an aspect of the entry. Audit entries do not have a descriptor. | |
subjectId | String | subjectId is the id of the user in relation to audit timeline entities | |
subject | Subject | subject is a federated field that can be used to get the user information for the user in relation to audit timeline entities. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the user can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
isPartnerOnly | Boolean | isPartnerOnly denotes if the timeline entry is only visible to partner users | |
user | TDRUser | ||
entityId | String | ||
timestamp | Time | ||
userId | ID | ||
userSubject | Subject |
AddCommentToInvestigationInput🔗
Description: AddCommentToInvestigationInput describes the fields needed to add a comment to an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
investigationId | String | ID of the investigation to add the comment to | |
comment | String | comment is the text of the comment to add to the investigation. It can contain @mentions to notify users of the comment. | |
isInternal | Boolean | isInternal marks the comment as internal and only visible to partner users. Only partner users can create internal comments. |
UpdateInvestigationCommentInput🔗
Description: UpdateInvestigationCommentInput describes the fields needed to update a comment in an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
commentId | String | ID of the comment to update | |
comment | String | comment is the text of the comment to update | |
markAsRead | Boolean | markAsRead marks the comment as read for the current user |
CommentV2🔗
Description: CommentV2 describes the fields for a comment in an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the comment (unique) | |
authorId | String | ID of the user that created the comment | |
authorSubject | Subject | authorSubject is a federated field that can be used to get the user information for the author of the comment. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the author can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
createdAt | Time | createdAt is the time the comment was created | |
updatedAt | Time | updatedAt is the time the comment was last updated | |
comment | String | comment is the text of the comment | |
investigationId | ID | investigationId is the id of the investigation the comment is associated with | |
tenantId | String | tenantId is the tenant id of the investigation the comment is related to | |
mentionsIds | String | mentionsIds is a list of user ids and group mentions that are mentioned in the comment | |
mentionsSubjects | Subject | mentionsSubjects is a list of subjects that are mentioned in the comment. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the mentions can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
readByIds | String | readByIds is a list of user ids that have marked the comment as read | |
readBySubjects | Subject | readBySubjects is a list of subjects that have marked the comment as read. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the readBy subjects can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
isInternal | Boolean | isInternal denotes if the comment is internal and only visible to partner users | |
author | TDRUser | ||
mentionsUsers | TDRUser | ||
readBy | TDRUser |
DeleteInvestigationCommentInput🔗
Description: DeleteInvestigationCommentInput describes the fields needed to delete a comment from an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
commentId | String |
CommentVisibilityFilter🔗
Description: CommentVisibilityFilter defines the possible filters for comments.
CommentsV2Arguments🔗
Description: CommentsV2Arguments describes the parameters to search for comments in an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
investigationId | String | ID of the investigation to get the comments for | |
orderBy | PaginationOrder | orderBy is the order to sort the comments by their createdAt timestamp | |
visibility | CommentVisibilityFilter | visibility is used to filter the comments by their visibility (isInternal) | |
page | Int | page of results to return - pages start on 1 | |
perPage | Int | number of results per page - max 100 |
CommentsV2🔗
Description: CommentsV2 defines the paginated results of a comments search.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
comments | CommentV2 | List of the comments that match the search criteria for the current page | |
totalCount | Int | The total number of comments that match the search criteria |
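The pagination contract above (pages start on 1, at most 100 results per page, `totalCount` reported alongside the current page) is easy to get subtly wrong in a client. The following is an added example, not code from the Investigations API or its vendor: a small Python consumer that validates `CommentsV2Arguments` before sending them, walks every page until `totalCount` is satisfied, and stops on an empty page so a stale `totalCount` cannot cause an endless loop. The query field name `commentsV2`, the single `arguments` variable and the selection set are assumptions modelled on the other query fields on this page; the transport is injected so the example runs offline against a constructed fake.

```python
"""Added example: paging through investigation comments with CommentsV2Arguments.

Assumed (not on the page): the query field is named `commentsV2` and takes one
`arguments` variable of type CommentsV2Arguments, like the other query fields.
The executor is injected so this runs offline against a constructed fake.
"""
from typing import Callable, Dict, Iterable, Iterator, Optional

MAX_PER_PAGE = 100  # "number of results per page - max 100"

# Assumed field name and selection set; adjust to the real schema.
COMMENTS_QUERY = """
query CommentsV2($arguments: CommentsV2Arguments!) {
  commentsV2(arguments: $arguments) {
    totalCount
    comments { id authorId createdAt comment isInternal readByIds }
  }
}
"""


def build_arguments(investigation_id: str, page: int, per_page: int,
                    visibility: Optional[str] = None,
                    order_by: Optional[str] = None) -> Dict:
    """Client-side checks that mirror the documented constraints."""
    if page < 1:
        raise ValueError("pages start on 1")
    if not 1 <= per_page <= MAX_PER_PAGE:
        raise ValueError(f"perPage must be between 1 and {MAX_PER_PAGE}")
    args: Dict = {"investigationId": investigation_id, "page": page, "perPage": per_page}
    if visibility is not None:
        args["visibility"] = visibility  # a CommentVisibilityFilter value
    if order_by is not None:
        args["orderBy"] = order_by  # a PaginationOrder value
    return args


def iter_comments(execute: Callable[[str, Dict], Dict], investigation_id: str,
                  per_page: int = MAX_PER_PAGE, **filters) -> Iterator[Dict]:
    """Yield every comment, following pages until totalCount is reached.

    Stops early on an empty page so a server that under-reports totalCount,
    or a race with concurrent deletes, cannot loop forever.
    """
    page, seen = 1, 0
    while True:
        variables = {"arguments": build_arguments(investigation_id, page, per_page, **filters)}
        result = execute(COMMENTS_QUERY, variables)["commentsV2"]
        batch = result["comments"]
        if not batch:
            return
        for comment in batch:
            seen += 1
            yield comment
        if seen >= result["totalCount"]:
            return
        page += 1


def unread_count(comments: Iterable[Dict], user_id: str) -> int:
    """Comments the given user has not marked as read (readByIds)."""
    return sum(1 for c in comments if user_id not in c.get("readByIds", []))


# --- constructed fake transport, standing in for the real GraphQL endpoint ---
FAKE_COMMENTS = [
    {"id": f"c{i}", "authorId": "u1", "createdAt": f"2024-01-01T00:00:{i:02d}Z",
     "comment": f"constructed note {i}", "isInternal": i % 2 == 0,
     "readByIds": ["u1"] if i < 3 else []}
    for i in range(7)
]


def fake_execute(query: str, variables: Dict) -> Dict:
    args = variables["arguments"]
    start = (args["page"] - 1) * args["perPage"]
    return {"commentsV2": {"totalCount": len(FAKE_COMMENTS),
                           "comments": FAKE_COMMENTS[start:start + args["perPage"]]}}


if __name__ == "__main__":
    fetched = list(iter_comments(fake_execute, "inv-123", per_page=3))
    print(len(fetched), "comments;", unread_count(fetched, "u2"), "unread for u2")
```

The `visibility` and `orderBy` values are passed through untouched because the page does not list the members of `CommentVisibilityFilter` or `PaginationOrder`; substitute the real enum values from the schema.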
InvestigationCommentsCount🔗
Description: InvestigationCommentsCount defines the total and unread comment counts for an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
total | Int | ||
unread | Int |
AlertEvidence🔗
Description: AlertEvidence describes the fields for alert evidence in an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the evidence entry (unique) | |
investigationId | ID | ID of the investigation the evidence is related to | |
tenantId | String | Tenant id of the investigation/evidence | |
createdAt | Time | Timestamp of when the evidence was added to the investigation | |
createdBy | String | Id of the user or client that added the evidence. If the evidence was added by the sync process where it was derived from other evidence that was added, this field will be set to the service account that added the evidence. | |
alertId | String | Alert id | |
isGenesis | Boolean | IsGenesis is a flag that denotes if the evidence was used to initially open the investigation |
EventEvidence🔗
Description: EventEvidence describes the fields for event evidence in an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the evidence entry (unique) | |
investigationId | ID | ID of the investigation the evidence is related to | |
tenantId | String | Tenant id of the investigation/evidence | |
createdAt | Time | Timestamp of when the evidence was added to the investigation | |
createdBy | String | Id of the user or client that added the evidence. If the evidence was added by the sync process where it was derived from other evidence that was added, this field will be set to the service account that added the evidence. | |
eventId | String | Event id | |
isGenesis | Boolean | IsGenesis is a flag that denotes if the evidence was used to initially open the investigation |
AssetEvidence🔗
Description: AssetEvidence describes the fields for asset evidence in an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the evidence entry (unique) | |
investigationId | ID | ID of the investigation the evidence is related to | |
tenantId | String | Tenant id of the investigation/evidence | |
createdAt | Time | Timestamp of when the evidence was added to the investigation | |
createdBy | String | Id of the user or client that added the evidence. If the evidence was added by the sync process where it was derived from other evidence that was added, this field will be set to the service account that added the evidence. | |
assetId | String | Asset id |
EntityEvidence🔗
Description: Deprecated: No replacement. Call the entity API.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ||
investigationId | ID | ||
tenantId | String | ||
createdAt | Time | ||
createdBy | String | ||
entityId | String |
SearchQueryEvidence🔗
Description: SearchQueryEvidence describes the fields for search query evidence in an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the evidence entry (unique) | |
investigationId | ID | ID of the investigation the evidence is related to | |
tenantId | String | Tenant id of the investigation/evidence | |
createdAt | Time | Timestamp of when the evidence was added to the investigation | |
createdBy | String | Id of the user or client that added the evidence. If the evidence was added by the sync process where it was derived from other evidence that was added, this field will be set to the service account that added the evidence. | |
searchQuery | String | Search query | |
isGenesis | Boolean | IsGenesis is a flag that denotes if the evidence was used to initially open the investigation |
InvestigationV2Type🔗
Description: InvestigationV2Type defines an investigation type
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
type | InvestigationType | Investigation Type | |
description | String | Description of the investigation type |
InvestigationV2Status🔗
Description: InvestigationV2Status defines an investigation status
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
status | InvestigationStatus | Investigation status |
InvestigationFileV2🔗
Description: InvestigationFileV2 defines the fields for a file in an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID | ID of the file (unique) | |
investigationId | ID | ID of the investigation the file is related to | |
tenantId | String | Tenant id of the investigation/file | |
createdAt | Time | Timestamp of when the file was added to the investigation | |
updatedAt | Time | Timestamp of when the file was last updated | |
deletedAt | Time | Timestamp of when the file was deleted | |
uploadedById | String | uploadedById is the id of the user that initialized the file upload | |
uploadedBySubject | Subject | uploadedBySubject is a federated field that can be used to get the user information for the user that initialized the file upload. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the uploader can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
deletedById | String | deletedById is the id of the user that deleted the file | |
deletedBySubject | Subject | deletedBySubject is a federated field that can be used to get the user information for the user that deleted the file. It is a convenience field that will be nil if the API does not think the field can be rendered through federation. It is not guaranteed that the deleter can be resolved through federation, for example if the federated service is down or the subject was deleted. | |
name | String | Name of the file | |
path | String | location of the file | |
size | Int | size of the file | |
status | String | current upload status of the file | |
metadata | InvestigationFileMeta | additional metadata about the file | |
downloadURL | String | Signed download url of the file. Will be null if the file is deleted or if more than one file is requested in a single query. | |
uploadedBy | TDRUser | ||
deletedBy | TDRUser |
InvestigationFileMeta🔗
Description: InvestigationFileMeta defines additional metadata for a file in an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
contentType | String | content type of the file | |
contentMD5 | String | md5 hash of the file |
InitInvestigationFileUploadInput🔗
Description: InitInvestigationFileUploadInput describes the fields needed to initialize a file upload for an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
investigationId | ID | ID of the investigation to upload the file to | |
name | String | Name of the file | |
size | Int | Expected size of the file | |
contentType | String | expected content type of the file |
InvestigationFileUpload🔗
Description: InitInvestigationFileUpload is the response to initializing a file upload for an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
file | InvestigationFileV2 | file contains metadata about the file we expect to be uploaded to the presignedUrl | |
presignedUrl | String | presignedUrl is the url to upload the file to |
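Attaching a file to an investigation is a two-step flow: the client declares the file (`InitInvestigationFileUploadInput`: investigation, name, expected size and content type), receives an `InvestigationFileUpload` whose `file` record and `presignedUrl` describe where the bytes must go, and then uploads to that URL. Because the attachment is evidence, a client should also check afterwards that the `InvestigationFileMeta` the service reports (`contentType`, `contentMD5`) matches what was actually sent. The Python below is an added example, not code from the Investigations API or its vendor. It assumes a mutation named `initInvestigationFileUpload` taking an `input` variable of type `InitInvestigationFileUploadInput` (the mutation name is not on this page) and that the presigned URL accepts an HTTP PUT of the raw bytes; both the GraphQL executor and the HTTP PUT are injected so the flow runs offline against constructed fakes.

```python
"""Added example: init-then-PUT file attachment with an integrity check.

Assumed (not on the page): the mutation is `initInvestigationFileUpload`, it
takes an `input` of type InitInvestigationFileUploadInput, and the presigned
URL accepts an HTTP PUT of the raw bytes. Transport is injected so this runs
offline against the constructed fakes at the bottom.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Assumed mutation name and selection set; adjust to the real schema.
INIT_UPLOAD_MUTATION = """
mutation InitUpload($input: InitInvestigationFileUploadInput!) {
  initInvestigationFileUpload(input: $input) {
    presignedUrl
    file { id name size status metadata { contentType contentMD5 } }
  }
}
"""

Executor = Callable[[str, Dict], Dict]
HttpPut = Callable[[str, bytes, Dict], int]


def describe_file(name: str, data: bytes, content_type: str) -> Dict:
    """Local facts about the file; the service's InvestigationFileMeta should agree."""
    return {"name": name, "size": len(data), "contentType": content_type,
            "contentMD5": hashlib.md5(data).hexdigest()}


def upload_evidence_file(execute: Executor, http_put: HttpPut, investigation_id: str,
                         name: str, data: bytes, content_type: str) -> Dict:
    """Step 1: declare the file. Step 2: PUT the bytes to the presigned URL."""
    local = describe_file(name, data, content_type)
    variables = {"input": {"investigationId": investigation_id, "name": name,
                           "size": local["size"], "contentType": content_type}}
    resp = execute(INIT_UPLOAD_MUTATION, variables)["initInvestigationFileUpload"]
    record = resp["file"]
    # Refuse to upload if the service's record does not match what we declared.
    if record["name"] != name or record["size"] != local["size"]:
        raise RuntimeError("file record returned by the service does not match the request")
    status = http_put(resp["presignedUrl"], data, {"Content-Type": content_type})
    if status not in (200, 201, 204):
        raise RuntimeError(f"upload to presigned URL failed with HTTP {status}")
    return {"fileId": record["id"], "presignedUrl": resp["presignedUrl"], "local": local}


def verify_file_meta(local: Dict, server_meta: Dict) -> Tuple[bool, str]:
    """Compare InvestigationFileMeta reported by the service with the local digest."""
    if (server_meta.get("contentMD5") or "").lower() != local["contentMD5"]:
        return False, "contentMD5 mismatch"
    if server_meta.get("contentType") != local["contentType"]:
        return False, "contentType mismatch"
    return True, "ok"


# --- constructed fakes standing in for the GraphQL endpoint and object store ---
_BUCKET: Dict[str, bytes] = {}  # constructed in-memory "object store"


def fake_execute(query: str, variables: Dict) -> Dict:
    inp = variables["input"]
    return {"initInvestigationFileUpload": {
        "presignedUrl": "https://storage.example/constructed/" + inp["name"],
        "file": {"id": "file-1", "name": inp["name"], "size": inp["size"],
                 "status": "pending",
                 "metadata": {"contentType": inp["contentType"], "contentMD5": None}}}}


def fake_put(url: str, data: bytes, headers: Dict) -> int:
    _BUCKET[url] = data
    return 200


def fake_server_meta(url: str, content_type: str) -> Dict:
    """What InvestigationFileMeta would show once the service has processed the object."""
    return {"contentType": content_type, "contentMD5": hashlib.md5(_BUCKET[url]).hexdigest()}


if __name__ == "__main__":
    sample = b"constructed evidence bytes"  # constructed sample content
    result = upload_evidence_file(fake_execute, fake_put, "inv-1", "notes.txt", sample, "text/plain")
    print(verify_file_meta(result["local"], fake_server_meta(result["presignedUrl"], "text/plain")))
```

When reading the file back, request it with `investigationFileV2` one file at a time: per the `downloadURL` description above, the signed URL is null when several files are requested in one query or when the file has been deleted, so a bulk listing is not a substitute for the per-file fetch.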
InvestigationFileV2Arguments🔗
Description: InvestigationFileV2Arguments describes the parameters to get a file attached to an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
fileId | ID |
InvestigationFilesV2🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
files | InvestigationFileV2 | ||
totalCount | Int |
InvestigationFilesV2Arguments🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
cql | String | cql string to search for files | |
page | Int | page of results to return - pages start on 1 | |
perPage | Int | number of results per page - max 100 | |
investigationId | ID |
DeleteInvestigationFileInput🔗
Description: DeleteInvestigationFileInput describes the fields needed to delete a file from an investigation.
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
fileId | ID |
TenantV4🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID |
Subject🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID |
TDRUser🔗
Fields🔗
Field | Type | Description | Arguments |
---|---|---|---|
id | ID |
Time🔗
Description: The default Time implementation for this library.
Upload🔗
Description: File upload contents
JSONObject🔗
Description: JSON payload
Map🔗
Description: The default Map implementation for this library