Get Started with the Identity GraphQL APIs

Important

Before proceeding, complete the API Authentication steps in order to obtain a working client_id and client_secret.

Regions

The URL to access XDR APIs may differ according to the region your environment is deployed in:

  • US1 — https://api.ctpx.secureworks.com
  • US2 — https://api.delta.taegis.secureworks.com
  • US3 — https://api.foxtrot.taegis.secureworks.com
  • EU1 — https://api.echo.taegis.secureworks.com
  • EU2 — https://api.golf.taegis.secureworks.com

The examples in this XDR API documentation use https://api.ctpx.secureworks.com throughout. If you are in a different region, substitute the URL for your region.

Once the credentials are created, you can use a tool like Apollo or Altair to explore the endpoints and available queries.

Identities API

Example Identities Query

The following sample query finds identities that are dormant/stale by using stale: true as an input filter.

{
  identities(
    input: {
      offset: { offset: 0, limit: 25 }
      stale: true
      sortBy: DISPLAY_NAME
      sortOrder: DESC
    }
  ) {
    identities {
      manager
      externalId
      displayName
      givenName
      surname
      status
      title
      department
      emails
      phoneNumbers
      userNames
      legacyEntities
      createdAt
      ingestedAt
      lastUpdated
      employeeType
      hireDate
      leaveDate
      lastPasswordChangeAt
      isAdmin
      isGuest
      hasMfa
      hasPasswordlessMfa
      primaryMfaMethod
      mfaMethods
      lastActiveAt
      properties
      country
      region
      city
      zipCode
      officeLocation
      officeZipCode
      usageLocation
      icon
      tags
      isCompromised
    }
    total
  }
}
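The following added example (not Secureworks code) pages through the stale-identity query above using its offset/limit input and the returned total, then ranks the results for review. The `execute` callable, the scoring weights, and the assumption that the flag fields are booleans are this example's own; the sample rows are constructed.

```python
import re

# Selection trimmed to the fields the triage reads; every name is from the page's query.
QUERY = """{
  identities(input: { offset: { offset: %d, limit: %d }, stale: true,
                      sortBy: DISPLAY_NAME, sortOrder: DESC }) {
    identities { displayName isAdmin isGuest hasMfa isCompromised }
    total
  }
}"""

def fetch_stale(execute, limit=25):
    """Page through all stale identities. `execute` is a hypothetical callable that
    sends a query string to the API and returns the GraphQL `data` object."""
    rows, offset = [], 0
    while True:
        page = execute(QUERY % (offset, limit))["identities"]
        rows.extend(page["identities"])
        offset += limit
        # Also stop on an empty page so a shrinking `total` cannot loop forever.
        if not page["identities"] or offset >= page["total"]:
            return rows

def score(r):
    """Review priority; weights are this example's choice. Flags assumed boolean."""
    return (4 * bool(r.get("isCompromised")) + 3 * bool(r.get("isAdmin"))
            + 2 * (not r.get("hasMfa")) + bool(r.get("isGuest")))

def triage(rows):
    """Return (score, displayName) pairs, highest first, dropping score 0."""
    ranked = sorted(rows, key=score, reverse=True)
    return [(score(r), r["displayName"]) for r in ranked if score(r)]

# Constructed sample data standing in for API output (not real tenant data).
FIELDS = ("displayName", "isAdmin", "isGuest", "hasMfa", "isCompromised")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("svc-backup", True, False, False, False),
    ("Zed Contractor", False, True, False, True),
    ("Ana Ruiz", False, False, True, False),
    ("Old Admin", True, False, True, False),
    ("Temp Guest", False, True, True, False),
]]

def fake_execute(query):
    """Offline stand-in that honours the offset/limit embedded in the query."""
    off, lim = map(int, re.search(r"offset: (\d+), limit: (\d+)", query).groups())
    return {"identities": {"identities": SAMPLE[off:off + lim], "total": len(SAMPLE)}}

if __name__ == "__main__":
    print(triage(fetch_stale(fake_execute, limit=2)))
```

Stale accounts that are admins, lack MFA, or are flagged compromised sort to the top, which is the order to disable or review them in.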

Findings API

Example Findings Query

The following sample query retrieves the list of findings and associated details. You can adjust the query by matching on status, category, and limits.

{
  findings(
    query: {
      categories: []
      confidenceRange: { min: 0, max: 1 }
      checks: []
      statuses: []
    }
    sorting: { sortBy: SEVERITY, sortOrder: DESC }
    paging: { limit: 50, offset: 0 }
  ) {
    total
    findings {
      id
      primaryReference {
        type
        displayName
      }
      otherReferences {
        type
        displayName
      }
      severityLabel
      status
      statusCommentsUser
      statusComments
      firstSeen
      lastSeen
      lastModified
      closedAt
      check {
        title
        description
        risk
        details
        remediation
        category
        module
        tags
      }
      source {
        type
      }
      result
    }
  }
}

Credential Compromise API

Example Credential Compromise Query

The following sample query retrieves the list of breaches.

{
  breaches(
    query: {}
    sorting: { sortBy: PUBLISH_DATE, sortOrder: DESC }
    paging: { limit: 100, offset: 0 }
  ) {
    total
    breaches {
      date
      domain
      username
      isActive
      plaintextPassword
      hashPassword
      publishDate
      identity {
        displayName
        title
        lastPasswordChangeAt
      }
      tenant {
        name
      }
      createdAt
      updatedAt
      inactiveAt
      maskedPassword
    }
  }
}

Next Steps

For more information, see the following documentation: