
Getting Started with the Alerts GraphQL API

Important

Complete the API authentication steps first and obtain a working client_id and client_secret.

Regions

The URL used to access the XDR API may differ depending on the region in which your environment is deployed.

  • US1— https://api.ctpx.secureworks.com
  • US2— https://api.delta.taegis.secureworks.com
  • US3— https://api.foxtrot.taegis.secureworks.com
  • EU— https://api.echo.taegis.secureworks.com

The examples in this XDR API documentation use https://api.ctpx.secureworks.com. If your environment is in a different region, substitute the appropriate URL.

Note

In Taegis XDR, the terms Alerts and Investigations were recently changed to Detections and Cases. Because the platform integration of Sophos and Taegis technologies is still in progress, the old terms may still be referenced in places. See the Taegis terminology update for details.

The Alerts GraphQL API provides two main functions: query-language search of alerts and alert aggregation.

Searching Alerts

The following example searches alerts using the query language and returns the common fields of interest. The example query returns High/Critical alerts that were created within the earliest/latest time window and that have not yet been given feedback.

Note

All timestamps used in this example are UTC.

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d", limit: 10})
{
    alertsServiceSearch(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}

Response

{
  "data": {
    "alertsServiceSearch": {
      "alerts": {
        "list": [
          {
            "attack_technique_ids": [
              "T1003",
              "T1096",
              "T1059",
              "T1202",
              "T1129",
              "T1086",
              "T1085"
            ],
            "entities": {
              "entities": [
                "computerName:OCTO-FILES",
                "fileName:powershell.exe",
                "fileName:rundll32.exe",
                "programMd5:c7645d43451c6d94d87f4d07bde59c89",
                "sensorHostId:YLdYO3s3ziBynTlgxrBb",
                "sensorId:YLdYO3s3ziBynTlgxrBb",
                "userName:lgiardino@embdtech.com"
              ],
              "relationships": [
                {
                  "from_entity": "fileName:rundll32.exe",
                  "relationship": "executedOn",
                  "to_entity": "sensorHostId:YLdYO3s3ziBynTlgxrBb"
                },
                {
                  "from_entity": "fileName:powershell.exe",
                  "relationship": "executes",
                  "to_entity": "fileName:rundll32.exe"
                },
                {
                  "from_entity": "computerName:OCTO-FILES",
                  "relationship": "is",
                  "to_entity": "sensorHostId:YLdYO3s3ziBynTlgxrBb"
                }
              ]
            },
            "id": "alert://priv:event-filter:11063:1630580463490:d30a7171-43a9-5d04-82bf-a25cc0948a8c",
            "investigation_ids": [],
            "metadata": {
              "confidence": 1,
              "created_at": {
                "seconds": 1630580464
              },
              "creator": {
                "detector": {
                  "detector_id": "app:event-filter",
                  "version": "v0.15.3"
                },
                "rule": {
                  "rule_id": "496ad330-7dc2-4009-b431-b792f7095ead",
                  "version": "sha1=18f594726b99b47b226a37a2e92ae1cff92d3166-1605731996"
                }
              },
              "description": "A process event associated with a dump file named after the Local Security Authority Subsystem Service (LSASS) process was identified. This activity may indicate that an adversary is attempting to obtain credentials stored within the memory of this process.\n\nExample:\n>COPY C:\\Users\\>username>\\Appdata\\Local\\Temp\\lsass.dmp C:\\Temp\\lsass.dmp\n\n\n",
              "engine": {
                "name": "app:event-filter"
              },
              "severity": 0.99,
              "title": "Memory Dump of the Local Security Authority Subsystem Service"
            },
            "resolution_reason": null,
            "sensor_types": [
              "ENDPOINT_CARBON_BLACK"
            ],
            "status": "OPEN",
            "suppressed": null,
            "suppression_rules": null,
            "tenant_id": "11063"
          }
        ],
        "total_results": 1
      },
      "reason": "success",
      "status": "OK"
    }
  }
}

Retrieving Alerts by ID

Use the following query to retrieve alerts by ID.

query alertsServiceRetrieveAlertsById($in: GetByIDRequestInput = {iDs: ["alert://priv:stolen-user-credentials:11063:1630602244467:79015c9a-8d22-5c4e-a199-58afc0599aa5"]})
{
    alertsServiceRetrieveAlertsById(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}

Response

{
  "data": {
    "alertsServiceRetrieveAlertsById": {
      "alerts": {
        "list": [
          {
            "id": "alert://priv:stolen-user-credentials:11063:1630602244467:79015c9a-8d22-5c4e-a199-58afc0599aa5",
            "investigation_ids": [],
            "metadata": {
              "confidence": 0.875,
              "created_at": {
                "seconds": 1630602247
              },
              "creator": {
                "detector": {
                  "detector_id": "app:detect:stolen-user-credentials",
                  "version": "1.2.21"
                },
                "rule": {
                  "rule_id": "db7a438b-56ed-5e84-b3de-02beb0e005fd",
                  "version": "sha1=fa8a2e8687319c0e68f4368adb078b35f6561ccf-1614872344"
                }
              },
              "description": "Time between the login events involved in this alert indicate an impossible amount of travel has occurred for user OctoAdmin",
              "engine": {
                "name": "app:detect:stolen-user-credentials"
              },
              "severity": 1,
              "title": "Detected suspected stolen user credential for user OctoAdmin"
            },
            "resolution_reason": null,
            "sensor_types": [],
            "status": "OPEN",
            "suppressed": null,
            "suppression_rules": null,
            "tenant_id": "11063"
          }
        ],
        "total_results": 1
      },
      "reason": "success",
      "status": "OK"
    }
  }
}

Resolving Alerts by ID

Use the following example to resolve alerts by a list of IDs. It accepts one or more alert IDs, a resolution reason, and the resolution status to assign to the alerts.

mutation alertsServiceUpdateResolutionInfo($in: UpdateResolutionRequestInput = {alert_ids:["alert://priv:event-filter-ql:10261:1698256999403:12bc3fa1-5aae-579d-8c2b-6d3b7790b85f"], reason:"This is an alert for informational use only.", resolution_status:TRUE_POSITIVE_BENIGN, caller:ALERTS_V2})
{
    alertsServiceUpdateResolutionInfo(in: $in)
    {
        reason resolution_status
    }
}

Response

{
  "data": {
    "alertsServiceUpdateResolutionInfo": {
      "reason": "success",
      "resolution_status": "SUCCESS"
    }
  }
}
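An added example, not taken from the Secureworks documentation: a small Python client that sends the search from "Searching Alerts" with the input passed as a GraphQL variable instead of an inline default, checks the status field, reduces each alert to a triage row (severity, title, ATT&CK technique IDs, host and user entities, and whether feedback is still missing), and applies the resolution mutation from this section. The region URLs, field names, and the caller value ALERTS_V2 come from the page; the /graphql path, the Bearer header carrying the access token, and the fake_sender replies (trimmed from the sample responses above) are assumptions or constructed for the example.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, List

# Regional base URLs from the page. The "/graphql" path and the Bearer header below are
# assumptions about the transport; the page itself lists only the base URLs.
REGION_URLS = {
    "US1": "https://api.ctpx.secureworks.com",
    "US2": "https://api.delta.taegis.secureworks.com",
    "US3": "https://api.foxtrot.taegis.secureworks.com",
    "EU": "https://api.echo.taegis.secureworks.com",
}

# The page's search operation with the input moved into a variable and the selection
# trimmed to the fields a triage script actually reads.
SEARCH_QUERY = """query alertsServiceSearch($in: SearchRequestInput!) {
  alertsServiceSearch(in: $in) { reason status alerts { total_results list {
    id status resolution_reason attack_technique_ids
    metadata { title severity } entities { entities } } } } }"""

RESOLVE_MUTATION = """mutation alertsServiceUpdateResolutionInfo($in: UpdateResolutionRequestInput!) {
  alertsServiceUpdateResolutionInfo(in: $in) { reason resolution_status } }"""

# A sender takes the GraphQL JSON body and returns the parsed JSON reply; keeping the
# transport behind this interface lets the logic below run against a fake, offline.
Send = Callable[[Dict[str, Any]], Dict[str, Any]]

def http_sender(region: str, access_token: str) -> Send:
    """Real transport: POST to the region's endpoint with the OAuth access token."""
    url = REGION_URLS[region] + "/graphql"  # assumed endpoint path

    def send(body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

def graphql(send: Send, query: str, variables: Dict[str, Any]) -> Dict[str, Any]:
    """Run one operation; GraphQL-level failures come back in an `errors` array, not as HTTP errors."""
    reply = send({"query": query, "variables": variables})
    if reply.get("errors"):
        raise RuntimeError(f"GraphQL errors: {reply['errors']}")
    return reply["data"]

def search_alerts(send: Send, cql_query: str, limit: int = 10) -> List[Dict[str, Any]]:
    """Run the CQL search and return the raw alert list, failing on a non-OK status."""
    result = graphql(send, SEARCH_QUERY, {"in": {"cql_query": cql_query, "limit": limit}})
    result = result["alertsServiceSearch"]
    if result["status"] != "OK":
        raise RuntimeError(f"search failed: {result['reason']}")
    return result["alerts"]["list"]

def triage_row(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce one alert to what an analyst scans first. Entities are 'type:value' strings."""
    entities = (alert.get("entities") or {}).get("entities") or []
    return {
        "id": alert["id"],
        "severity": alert["metadata"]["severity"],
        "title": alert["metadata"]["title"],
        "techniques": alert.get("attack_technique_ids") or [],
        "hosts": [e.split(":", 1)[1] for e in entities if e.startswith("computerName:")],
        "users": [e.split(":", 1)[1] for e in entities if e.startswith("userName:")],
        # OPEN with no resolution reason: nobody has given feedback on this alert yet
        "needs_feedback": alert["status"] == "OPEN" and alert.get("resolution_reason") is None,
    }

def resolve_alerts(send: Send, alert_ids: List[str], reason: str,
                   resolution_status: str = "TRUE_POSITIVE_BENIGN") -> bool:
    """Apply the resolution mutation; enum values travel as plain strings in variables."""
    variables = {"in": {"alert_ids": alert_ids, "reason": reason,
                        "resolution_status": resolution_status, "caller": "ALERTS_V2"}}
    result = graphql(send, RESOLVE_MUTATION, variables)["alertsServiceUpdateResolutionInfo"]
    return result["resolution_status"] == "SUCCESS"

# Constructed replies, trimmed from the page's sample responses, so the block runs offline.
SAMPLE_SEARCH_REPLY = {"data": {"alertsServiceSearch": {"reason": "success", "status": "OK",
    "alerts": {"total_results": 1, "list": [{
        "id": "alert://priv:event-filter:11063:1630580463490:d30a7171-43a9-5d04-82bf-a25cc0948a8c",
        "status": "OPEN", "resolution_reason": None, "attack_technique_ids": ["T1003", "T1059"],
        "metadata": {"title": "Memory Dump of the Local Security Authority Subsystem Service",
                     "severity": 0.99},
        "entities": {"entities": ["computerName:OCTO-FILES", "fileName:powershell.exe",
                                  "userName:lgiardino@embdtech.com"]}}]}}}}

def fake_sender(body: Dict[str, Any]) -> Dict[str, Any]:
    """Offline stand-in for http_sender: canned replies for the search and the mutation."""
    if body["query"].lstrip().startswith("mutation"):
        return {"data": {"alertsServiceUpdateResolutionInfo":
                         {"reason": "success", "resolution_status": "SUCCESS"}}}
    return SAMPLE_SEARCH_REPLY

if __name__ == "__main__":
    cql = "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d"
    for row in map(triage_row, search_alerts(fake_sender, cql)):
        print(f"{row['severity']:.2f} {row['title']} hosts={row['hosts']} ttps={row['techniques']}")
```

To run against the live API, swap fake_sender for http_sender("US1", access_token) with a token obtained through the authentication steps; the triage and resolution logic never touches the network directly, so it can be exercised without credentials.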

Aggregating Alert Data

Use the following query to get aggregate alert counts by severity.

Note

This is similar to the deprecated alertsBySeverity query.

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d | aggregate count by severity | head 10", limit: 1})
{
    alertsServiceSearch(in: $in)
    {
        status reason alerts { group_by { key value } total_results }
    }
}

Pagination

There are two main pagination methods: the first retrieves up to 10,000 alerts, the second up to 1,000,000 alerts.

Fewer than 10,000 Alerts

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d", limit: 500, offset: 0})
{
    alertsServiceSearch(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d", limit: 500, offset: 500})
{
    alertsServiceSearch(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}

More than 10,000 Alerts

First, perform a search specifying the total number of alerts you need (more than 10,000 in this case). If there are more than 10,000 alerts, a search_id is returned. Then pass that search_id together with the original query, without limit or offset, to retrieve the next page. You have reached the end of the result set when no search_id is returned. The total number of alerts returned after fetching all pages should match the total_results value returned in each response.
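Both paging methods as a Python function each, added here as an example rather than taken from the Secureworks documentation. iter_alerts_by_offset walks limit/offset windows like the two limit: 500 queries in the previous section and stops at the 10,000 ceiling; fetch_all_by_search_id issues the large-limit request, follows search_id with the original cql_query and no limit or offset until none comes back, and then checks the collected count against total_results as the text says it should. The transport is a Send callable (GraphQL JSON body in, parsed reply out); make_fake_sender is a constructed stand-in for the API so the block runs offline, and since the page does not say how the real service chunks a search_id walk, the fake's three-alerts-per-page behaviour is invented for the demo.

```python
from typing import Any, Callable, Dict, Iterator, List

# Selection trimmed to what a paging loop needs; the variable type is the one the page's
# queries declare ($in: SearchRequestInput).
PAGE_QUERY = """query alertsServiceSearch($in: SearchRequestInput!) {
  alertsServiceSearch(in: $in) { reason search_id status
    alerts { total_results list { id status metadata { title severity } } } } }"""

# Transport interface: takes the GraphQL JSON body, returns the parsed JSON reply.
Send = Callable[[Dict[str, Any]], Dict[str, Any]]

def fetch_page(send: Send, request_input: Dict[str, Any]) -> Dict[str, Any]:
    """One alertsServiceSearch call; GraphQL errors and non-OK statuses become exceptions."""
    reply = send({"query": PAGE_QUERY, "variables": {"in": request_input}})
    if reply.get("errors"):
        raise RuntimeError(f"GraphQL errors: {reply['errors']}")
    result = reply["data"]["alertsServiceSearch"]
    if result["status"] != "OK":
        raise RuntimeError(f"search failed: {result['reason']}")
    return result

def iter_alerts_by_offset(send: Send, cql_query: str, page_size: int = 500,
                          ceiling: int = 10_000) -> Iterator[Dict[str, Any]]:
    """Method 1 (up to 10,000 alerts): walk limit/offset windows, stopping at
    total_results, at an empty page, or at the 10,000-alert ceiling."""
    offset = 0
    while offset < ceiling:
        result = fetch_page(send, {"cql_query": cql_query, "limit": page_size, "offset": offset})
        batch = result["alerts"]["list"]
        if not batch:
            return
        yield from batch
        offset += len(batch)
        if offset >= result["alerts"]["total_results"]:
            return

def fetch_all_by_search_id(send: Send, cql_query: str, limit: int = 50_000) -> List[Dict[str, Any]]:
    """Method 2 (over 10,000 alerts): ask for the full count once, then follow search_id
    with the original query and no limit/offset until the API stops returning one."""
    request_input: Dict[str, Any] = {"cql_query": cql_query, "limit": limit}
    alerts: List[Dict[str, Any]] = []
    expected = None
    while True:
        result = fetch_page(send, request_input)
        total = result["alerts"]["total_results"]
        if expected is None:
            expected = total
        elif total != expected:  # the result set changed under us; do not trust this walk
            raise RuntimeError(f"total_results moved from {expected} to {total} mid-walk")
        alerts.extend(result["alerts"]["list"])
        search_id = result.get("search_id")
        if not search_id:
            break
        request_input = {"cql_query": cql_query, "search_id": search_id}
    # The page says the alerts gathered over all pages should equal total_results.
    if len(alerts) != expected:
        raise RuntimeError(f"collected {len(alerts)} alerts but total_results was {expected}")
    return alerts

def make_fake_sender(total: int, per_page: int = 3) -> Send:
    """Constructed stand-in for the API so the block runs offline. Serves `total` fake alerts:
    offset requests return a window; a request without offset opens a search_id walk that
    hands out `per_page` alerts per call and omits search_id on the final page."""
    alerts = [{"id": f"alert://constructed:{i}", "status": "OPEN",
               "metadata": {"title": f"constructed alert {i}", "severity": 0.7}} for i in range(total)]
    cursors: Dict[str, int] = {}

    def reply(chunk: List[Dict[str, Any]], search_id: Any) -> Dict[str, Any]:
        return {"data": {"alertsServiceSearch": {"reason": "success", "status": "OK",
                "search_id": search_id, "alerts": {"total_results": total, "list": chunk}}}}

    def send(body: Dict[str, Any]) -> Dict[str, Any]:
        req = body["variables"]["in"]
        if "offset" in req:
            return reply(alerts[req["offset"]:req["offset"] + req["limit"]], None)
        start = cursors.pop(req["search_id"]) if "search_id" in req else 0
        end = min(start + per_page, total)
        search_id = None
        if end < total:
            search_id = f"constructed-search-{end}"
            cursors[search_id] = end
        return reply(alerts[start:end], search_id)
    return send

if __name__ == "__main__":
    cql = "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d"
    by_offset = list(iter_alerts_by_offset(make_fake_sender(7), cql, page_size=3))
    by_search_id = fetch_all_by_search_id(make_fake_sender(7), cql)
    print(len(by_offset), len(by_search_id))
```

The consistency check at the end of fetch_all_by_search_id is the cheap guard the text implies: if alerts are resolved or suppressed while a long walk is in progress, total_results or the collected count will disagree, and a script that silently returned a partial set would leave gaps in whatever downstream ticketing or metrics it feeds.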

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d", limit: 50000})
{
    alertsServiceSearch(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}

query alertsServiceSearch($in: SearchRequestInput = {cql_query: "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d", search_id: "xrmG+yFjdKUrUaspvvAyHFdgO5KARwAlmxqEC7Lvmrw="})
{
    alertsServiceSearch(in: $in)
    {
        reason search_id status alerts { previous_offset total_results first_offset group_by { key value } last_offset next_offset total_parts list { resolution_reason third_party_details { generic { generic { record { key value } } name } } id parent_tenant_id metadata { confidence began_at { seconds nanos } full_title title severity_updated_at { seconds nanos } first_seen_at { seconds nanos } created_at { seconds nanos } inserted_at { seconds nanos } first_investigated_at { seconds nanos } description updated_at { seconds nanos } engine { version name } origin first_resolved_at { seconds nanos } creator { rule { version rule_id } detector { detector_id detector_name version } } ended_at { seconds nanos } severity } severity_history { id changed_at { seconds nanos } severity } enrichment_details { travel_features { prior_location { radius country_code_iso asn geohash ip_address longitude latitude } current_location { radius country_code_iso asn geohash ip_address longitude latitude } accurate_geo travel_speed_impossible long_distance_travel travel_km_min travel_hours foreign_travel travel_km_h_min username } account_compromise_detector_detail { user_name } whois { registrarName registrant_country administrativeContact_street1 registrant_street1 standardRegUpdatedDate registrant_faxExt administrativeContact_postalCode registrant_street2 administrativeContact_state administrativeContact_telephoneExt administrativeContact_street3 reg_created_date_usec registrant_state registrant_city administrativeContact_faxExt whoisServer contactEmail nameServers standardRegExpiresDate createdDate administrativeContact_email standardRegCreatedDate Audit_auditUpdatedDate registrant_postalCode reg_updated_date_usec expiresDate administrativeContact_telephone updatedDate administrativeContact_name registrant_telephoneExt administrativeContact_organization registrant_name domainName registrant_telephone administrativeContact_country registrant_organization registrant_street3 
reg_expires_date_usec administrativeContact_street2 registrant_fax registrant_email status administrativeContact_fax registrant_street4 administrativeContact_street4 administrativeContact_city } mitre_attack_info { technique_id version technique url system_requirements contributors data_sources description defence_bypassed tactics type platform } trust_features { current_event_time_sec location { radius country_code_iso asn geohash ip_address longitude latitude } user_unknown_asn prior_event_time_sec network_unknown_asn user_unknown_ip current_event_id network_unknown_ip prior_event_id username } improbable_logon_detail { user_logon_baselines { feature_value days_in_baseline feature_frequency_in_org approximate_count_in_user feature_frequency_in_user } logon_anomaly { min_allowed_org_percentage feature_value feature_frequency_in_org min_allowed_user_percentage approximate_count_in_user feature_frequency_in_user } user feature_name source_address } auth_scan_detail { failed_logon_attempts { has_logon_success target_user_name num_attempts } total_attempts successful_logon_attempts { has_logon_success target_user_name num_attempts } } kerberoasting { suspicious_num_requests user_baseline total_spns user_avg_requests percentage_accessed hostname spns_accessed user_max_requests user source_address } geo_ip { radius country_code_iso asn geohash ip_address longitude latitude } watchlist_matches { details { reason attacks list_name } entity } login_failure { host target_address failed_auth_event user successful_auth_event source_address } rare_program_rare_ip { host connections { source_ip destination_ip } programs } password_spray_detail { num_auth_failures num_auth_successes all_affected_users { target_user_name target_domain_name user_had_auth_success } source_address } hands_on_keyboard_details { host_id num_admin_events total_num_events matched_num_events common_parent_image_path matched_process { process_resource_id score event_time_sec image { image_path 
matched_features } num_matched_features commandline { matched_features commandline } severity } username } generic { generic { record { key value } } name } dns_exfil { num_queries } tactic_graph_detail { graph_id events { key values } } brute_force_detail { most_recent_auths_failures { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_successes last_successful_auth { resource_record_identifier action win_event_id domain event_timestamp target_username } num_auth_failures } ddos_source_ip { host_id sensor_id top_destination_ips { count ip_address } analytic_observable_min_count event_observable_count historical_ip_counts { date { seconds nanos } count } event_observable_count_std_dev baseline_observable_count_std_dev baseline_observable_count_mean analytic_time_threshold analytic_observable_std_dev_threshold hour_partition baseline_num_days baseline_observable_count_median } business_email_compromise { source_address_geo_summary { city { confidence name locale_names { record { key value } } geoname_id } location { radius metro_code timezone longitude us_metro_code gmt_offset latitude } asn { autonomous_system_org autonomous_system_no } country { confidence code iso_code geoname_id } continent { code geoname_id } } user_name source_address } } priority { version model_version model_name applied_time { seconds nanos } value prioritizer evidence } sensor_types events_metadata { began_at { seconds nanos } first_event_id last_event_id updated_at { seconds nanos } total_events ended_at { seconds nanos } } reference_details { reference { description url type } } group_key entities { relationships { to_entity relationship from_entity type } entities } event_ids { id } tags suppressed resolution_history { user_id timestamp { seconds nanos } id num_alerts_affected reason status } tenant_id key_entities { entity label } observation_ids { id } visibility suppression_rules { id version } alerting_rules { id version } collection_ids 
{ id } status attack_technique_ids investigation_ids { id GenesisAlertsFlag } } part }
    }
}
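The paging procedure above, written out as a client loop. This is an added example, not code from the Taegis XDR documentation or SDK: the selection set is trimmed to the three fields the loop needs (search_id, total_results, the alert ids), the GraphQL endpoint URL and the Bearer-token header in make_http_executor are assumptions to check against the API reference for your region, and make_fake_executor is a constructed stand-in for the service so the loop can be exercised offline. The collector also enforces the consistency check the text describes: the number of alerts gathered across pages must equal total_results.

```python
"""Page through alertsServiceSearch results using search_id (added example)."""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

# Trimmed selection set: the page's own query requests many more fields; the
# pagination logic only needs search_id, total_results and the alert ids.
ALERTS_SEARCH_QUERY = """
query alertsServiceSearch($in: SearchRequestInput) {
  alertsServiceSearch(in: $in) {
    reason
    search_id
    status
    alerts {
      total_results
      list { id }
    }
  }
}
"""

# An executor takes GraphQL variables and returns the response "data" object.
Executor = Callable[[Dict], Dict]


def iter_alert_pages(execute: Executor, cql_query: str, limit: int) -> Iterator[Dict]:
    """Yield each page. First call sends cql_query + limit; later calls resend
    the same cql_query with the previous search_id and no limit/offset, and the
    loop stops as soon as a response carries no search_id."""
    variables = {"in": {"cql_query": cql_query, "limit": limit}}
    while True:
        result = execute(variables)["alertsServiceSearch"]
        yield result
        search_id = result.get("search_id")
        if not search_id:
            return
        variables = {"in": {"cql_query": cql_query, "search_id": search_id}}


def collect_alert_ids(execute: Executor, cql_query: str, limit: int) -> List[str]:
    """Drain every page and verify the collected count against total_results."""
    ids: List[str] = []
    expected: Optional[int] = None
    for page in iter_alert_pages(execute, cql_query, limit):
        alerts = page.get("alerts") or {}
        page_total = alerts.get("total_results")
        if expected is None:
            expected = page_total
        elif page_total != expected:
            raise RuntimeError(f"total_results changed mid-search: {expected} -> {page_total}")
        ids.extend(a["id"] for a in alerts.get("list") or [])
    if expected is not None and len(ids) != expected:
        raise RuntimeError(f"collected {len(ids)} alerts but total_results was {expected}")
    return ids


def make_http_executor(endpoint: str, access_token: str) -> Executor:
    """Real transport (not exercised offline). The endpoint path and the Bearer
    header are assumptions; confirm both against the API reference."""
    def execute(variables: Dict) -> Dict:
        body = json.dumps({"query": ALERTS_SEARCH_QUERY, "variables": variables}).encode()
        req = urllib.request.Request(endpoint, data=body, method="POST", headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {access_token}",
        })
        with urllib.request.urlopen(req, timeout=60) as resp:
            payload = json.load(resp)
        if payload.get("errors"):
            raise RuntimeError(payload["errors"])
        return payload["data"]
    return execute


def make_fake_executor(total_alerts: int, page_size: int = 10_000) -> Executor:
    """Constructed stand-in for the service: serves total_alerts fake ids in
    pages of page_size and hands out an opaque search_id while pages remain.
    It assumes the requested limit exceeds the match count, as in the docs."""
    cursors: Dict[str, int] = {}  # search_id -> offset of the next page

    def execute(variables: Dict) -> Dict:
        req = variables["in"]
        offset = cursors.pop(req["search_id"]) if "search_id" in req else 0
        end = min(offset + page_size, total_alerts)
        page = {"reason": None, "status": "OK", "search_id": None,
                "alerts": {"total_results": total_alerts,
                           "list": [{"id": f"alert-{i}"} for i in range(offset, end)]}}
        if end < total_alerts:
            sid = f"cursor-{end}"  # constructed placeholder, not a real search_id
            cursors[sid] = end
            page["search_id"] = sid
        return {"alertsServiceSearch": page}

    return execute


if __name__ == "__main__":
    query = "FROM alert WHERE severity >= 0.6 AND status = 'OPEN' EARLIEST=-1d"
    found = collect_alert_ids(make_fake_executor(23_456), query, limit=50_000)
    print(f"collected {len(found)} alerts across pages")
```

To run against the live service, replace make_fake_executor with make_http_executor(REGION_URL + path, token), where REGION_URL is the base URL for your region listed at the top of this page and the token comes from the API authentication steps.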

Next steps

For more information, see the Alerts GraphQL API documentation.