
Get Started with the Countermeasures API

Important

Before proceeding, complete the API Authentication steps in order to obtain a working client_id and client_secret.

Regions

The URL to access XDR APIs may differ according to the region your environment is deployed in:

  • US1 — https://api.ctpx.secureworks.com
  • US2 — https://api.delta.taegis.secureworks.com
  • US3 — https://api.foxtrot.taegis.secureworks.com
  • EU1 — https://api.echo.taegis.secureworks.com
  • EU2 — https://api.golf.taegis.secureworks.com

The examples in this XDR API documentation use https://api.ctpx.secureworks.com throughout. If your environment is deployed in a different region, substitute that region's URL.

The Countermeasures API allows you to automatically download the Secureworks Counter Threat Unit™ (CTU) Countermeasures described in CTU Network Countermeasures.

Endpoints

The following endpoints can be accessed using the Secureworks® Taegis™ XDR Countermeasures API to retrieve CTU information:

  • / — Returns rulesets. Example: https://api.ctpx.secureworks.com/intel-requester/
  • /ti-list — Returns all Threat Indicator List versions released by the CTU. Example: https://api.ctpx.secureworks.com/intel-requester/ti-list
  • /ti-list/latest — Returns only the latest versions of Threat Indicator Lists released by the CTU. Example: https://api.ctpx.secureworks.com/intel-requester/ti-list/latest

By default, the results from these endpoints are not URL-escaped. If you need to display these results in a web page, add the query parameter ?html=true.

MSS vs Raw Lists

CTU indicator lists are available in two types, MSS and Raw:

  • MSS lists have been filtered to only include indicators appropriate for detection. All indicators are triaged against a number of sources to ensure that noisy, false-positive-prone indicators are not included in these lists. These lists can be applied to security infrastructure for blocking and alerting at the customer's discretion.
  • Raw lists include all observed indicators, even those not suitable for detection and alerting. These lists may be suitable for supporting threat hunting and incident response activities, but are not suitable for applying to security infrastructure for blocking and alerting. For example, if a malware sample is observed leveraging GitHub as a command and control repository, it will be included in the Raw list but is not a good indicator to apply to security infrastructure.

Available Lists

The following lists are available, each in Domain and IP versions and in Raw and MSS variants:

  • CTU Botnet Indicators: These lists include indicators from our automated tracking of numerous malware families. These indicators are generally fresh and high-fidelity, and the MSS lists are appropriate for automated blocking and alerting.
  • CTU Threat Group Indicators: These lists include indicators from CTU research, which includes original research and indicators from customer incidents. These indicators are first-party observations, but they may include older observations that are no longer malicious. Customers can apply the MSS lists at their discretion depending on their risk tolerance.
  • Third Party Threat Group Indicators: These lists include select indicators published by third parties. Secureworks does not validate these indicators, and the observations may be older. Customers can apply the MSS lists at their discretion depending on their risk tolerance.

Downloading the Lists

The TI List API endpoint at /ti-list/latest returns MSS (filtered) lists by default. This is the best set of indicators for most use cases. If you need all the lists, or only the raw lists, use the filter query parameter.

Important

Raw lists are not appropriate for blocking and alerting and should only be used to provide additional context.

  • ?filter=raw — raw lists
  • ?filter=all — all lists
  • ?filter=mss, or omit the query parameter — MSS lists
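The following is an added example, not Secureworks' own client code, showing how to assemble a request against the regional hosts, endpoints and filter values documented on this page and to keep raw lists out of blocking logic. It assumes the token obtained from the API Authentication steps is sent as a Bearer token; the Authorization header format is an assumption, not something this page specifies.

```python
import urllib.parse
import urllib.request

# Regional API hosts listed on this page.
REGION_HOSTS = {
    "US1": "https://api.ctpx.secureworks.com",
    "US2": "https://api.delta.taegis.secureworks.com",
    "US3": "https://api.foxtrot.taegis.secureworks.com",
    "EU1": "https://api.echo.taegis.secureworks.com",
    "EU2": "https://api.golf.taegis.secureworks.com",
}
BASE_PATH = "/intel-requester"
ENDPOINTS = {"rulesets": "/", "ti-list": "/ti-list", "latest": "/ti-list/latest"}
FILTERS = {"mss", "raw", "all"}  # the page documents ?filter for /ti-list/latest


def build_url(region, endpoint="latest", list_filter="mss", html=False):
    """Build the request URL, rejecting regions and filters the page does not define."""
    if region not in REGION_HOSTS:
        raise ValueError(f"unknown region {region!r}")
    if list_filter not in FILTERS:
        raise ValueError(f"filter must be one of {sorted(FILTERS)}")
    params = {}
    if list_filter != "mss":  # omitting ?filter returns the MSS lists by default
        params["filter"] = list_filter
    if html:  # results are not URL-escaped unless html=true is requested
        params["html"] = "true"
    url = REGION_HOSTS[region] + BASE_PATH + ENDPOINTS[endpoint]
    return url + ("?" + urllib.parse.urlencode(params) if params else "")


def safe_for_blocking(list_filter):
    """Only MSS lists are triaged for blocking/alerting; raw lists are context only."""
    return list_filter == "mss"


def fetch(url, token, timeout=30):
    """GET the list body as text. Bearer-token Authorization is an assumption."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    import os  # token supplied via environment variable (hypothetical name)
    print(fetch(build_url("US1", list_filter="raw"), os.environ["TAEGIS_TOKEN"]))
```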