Secureworks Taegis XDR
Secureworks Taegis XDR is a cloud-based app to detect, prevent, and respond to advanced threats with comprehensive threat intelligence. It enables security analysts to detect advanced threats and collaborate on investigations using actions to retrieve threat intelligence and other investigation data.
App Vendor: Secureworks
App Category: Analytics & SIEM
Connector Version: 1.1.0
API Version: 1.0.0
About App
The Secureworks Taegis app is configured in Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Fetch Threat Intel List | This action retrieves a list of threat intel indicators available for download. |
Get Alert Details | This action retrieves the details of alerts. |
Get All Alerts | This action retrieves the alerts. |
Get Threat Intel for Indicator | This action retrieves the details of a threat intel indicator. |
List Investigations | This action retrieves a list of investigations. |
Resolve Alert | This action resolves alerts. |
Generic Action | This is a generic action. |
Configuration Parameters
The following configuration parameters are required for the Secureworks Taegis app to communicate with the Secureworks Taegis enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL. | Text | Required | |
Client ID | Enter the client ID. | Text | Required | |
Client Secret | Enter the client secret. | Password | Required | |
Tenant ID | Enter the tenant ID. | Text | Required | |
Action: Fetch Threat Intel List
This action retrieves the list of threat intel indicators available for download.
Action Input Parameters
This action does not require any action input parameters.
Action: Get Alert Details
This action retrieves the details of alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert IDs | Enter the alert IDs to retrieve their details. Example: $LIST[alert://priv:stolen-user-credentials:11063:163060xx44467:790xxc9a-7d22-5xx4e-a199-58afc0xx99aa7] | List | Required | |
Example Request
[ { "alert_ids": [ "alert://priv:stolen-user-credentials:11063:163060xx44467:79xx5c9a-8d22-xx4e-a199-58axx0599aa5" ] } ]
Action: Get All Alerts
This action retrieves the alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CQL query | Enter a query to retrieve alerts. Example: "from alert severity >= 0.7" | Text | Required | |
Limit | Enter the maximum number of alerts to be retrieved. Example: 25 | Integer | Optional | Default value: 10 |
Offset | Enter the offset value. Example: 0 | Integer | Optional | Default value: 0 |
Example Request
[ { "cql_query": "from alert severity >= 0.7" } ]
Action: Get Threat Intel for Indicator
This action retrieves the details of a threat intel indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator ID | Enter the ID of an indicator to retrieve its details. Example: "vitl.tk" | Text | Required | |
Example Request
[ { "indicator_id": "vitl.tk" } ]
Action: List Investigations
This action retrieves a list of investigations.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query that selects the investigations to list, for example a time window. Example: "earliest='2020-06-21' latest='2022-06-22'" | Text | Required | |
Offset | Enter the offset value. Example: 0 | Integer | Optional | Default value: 0 |
Limit | Enter the number of investigations to be retrieved per page. Example: 25 | Integer | Optional | Default value: 100 |
Example Request
[ { "query": "earliest='2020-06-21' latest='2022-06-22'" } ]
Action: Resolve Alert
This action resolves alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert IDs | Enter the alert IDs to resolve alerts. Example: $LIST[alert://priv:stolen-user-credentials:11063:1630xx2244467:79xx5c9a-8d22-5x4e-a199-58afxx599aa5] | List | Required | |
Reason | Enter a message to resolve an alert. Example: "spam" | Text | Required | |
Resolution Status | Enter the resolution status. Example: "false_positive" | Text | Required | Allowed values: |
Caller | Enter the caller. Example: "alerts_v2" | Text | Required | Allowed values: |
Example Request
[ { "caller": "unknown", "reason": "spam", "alert_ids": [ "alert://priv:stolen-user-credentials:11563:163xx02244467:79015c9a-8d22-5c4e-a199-58afcxx99aa5" ], "resolution_status": "false_positive" } ]
Action: Generic Action
This is a generic action to be performed in Secureworks Taegis XDR.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint | Enter the endpoint. | Text | Optional | Default value: graphql |
Method | Enter the method such as GET, PUT, POST, or DELETE. Example: "GET" | Text | Optional | Default value: POST |
Headers | Enter additional headers if required to fetch the required data. Example: $DICT{'Accept-type': 'application/json'} | Key Value | Optional | |
JSON Data | Enter the JSON payload for this query. Example: {'query':cql_query} | Key Value | Optional | |
Example Request
[ { "endpoint":"graphql", "method":"get" } ]
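The following is an added example, not code from the connector or from Secureworks. It models, offline, how a playbook author would drive three of the actions above: Get All Alerts with its CQL query and Limit/Offset paging, Resolve Alert with input validation in the shape of the example request, and Generic Action as a GraphQL POST carrying the session headers built from the configuration parameters (Base URL, Tenant ID, and a bearer token obtained with the Client ID and Client Secret). All HTTP goes through an injected `transport` callable, so it runs without credentials. The GraphQL operation text, the response shape, the `X-Tenant-Context` header, and the `make_fake_transport` stand-in are assumptions for illustration, not the Taegis schema.

```python
"""Offline model of Get All Alerts, Resolve Alert and Generic Action (added example)."""
from typing import Callable

# transport(method, url, headers, json_body) -> decoded JSON response
Transport = Callable[[str, str, dict, dict], dict]

ALERT_ID_PREFIX = "alert://"  # shape of the alert IDs shown on this page
# Only "false_positive" appears on this page; extend from the vendor's allowed list.
RESOLUTION_STATUSES = {"false_positive"}

# Placeholder operations (assumption): the real Taegis schema differs.
ALERTS_QUERY = """query Alerts($cql: String!, $limit: Int!, $offset: Int!) {
  alerts(cql_query: $cql, limit: $limit, offset: $offset) { id } }"""
RESOLVE_MUTATION = """mutation Resolve($in: ResolveInput!) {
  resolveAlerts(in: $in) { ok } }"""


def is_valid_alert_id(alert_id) -> bool:
    """Structural check before an irreversible action such as Resolve Alert."""
    return (isinstance(alert_id, str) and alert_id.startswith(ALERT_ID_PREFIX)
            and len(alert_id) > len(ALERT_ID_PREFIX))


def build_resolution_payload(alert_ids, reason, resolution_status, caller) -> dict:
    """Validate inputs and return the Resolve Alert body in the page's example shape."""
    ids = list(alert_ids)
    if not ids or not all(is_valid_alert_id(a) for a in ids):
        raise ValueError("alert_ids must be a non-empty list of alert:// IDs")
    if not reason or not caller:
        raise ValueError("reason and caller are required")
    if resolution_status not in RESOLUTION_STATUSES:
        raise ValueError(f"unsupported resolution_status: {resolution_status!r}")
    return {"caller": caller, "reason": reason, "alert_ids": ids,
            "resolution_status": resolution_status}


class TaegisClient:
    """Configuration parameters from the page plus an already-obtained bearer token."""

    def __init__(self, base_url, tenant_id, bearer_token, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.tenant_id = tenant_id
        self._token = bearer_token
        self._transport = transport

    def _headers(self) -> dict:
        # X-Tenant-Context as the tenant-scoping header is an assumption.
        return {"Authorization": f"Bearer {self._token}",
                "Content-Type": "application/json",
                "X-Tenant-Context": self.tenant_id}

    def generic(self, endpoint="graphql", method="POST", headers=None, json_data=None) -> dict:
        """Generic Action: any endpoint/method, caller headers merged over session headers."""
        url = f"{self.base_url}/{endpoint.lstrip('/')}"
        merged = {**self._headers(), **(headers or {})}
        return self._transport(method.upper(), url, merged, json_data or {})

    def get_all_alerts(self, cql_query, limit=10, offset=0, max_pages=1000) -> list:
        """Get All Alerts: page with offset/limit until a short page. Bounded so a
        server that ignores `offset` cannot make the playbook loop forever."""
        if limit < 1:
            raise ValueError("limit must be >= 1")
        collected = []
        for _ in range(max_pages):
            variables = {"cql": cql_query, "limit": limit, "offset": offset}
            resp = self.generic(json_data={"query": ALERTS_QUERY, "variables": variables})
            page = resp["data"]["alerts"]
            collected.extend(page)
            if len(page) < limit:
                return collected
            offset += limit
        raise RuntimeError("max_pages reached; server may be ignoring offset")

    def resolve_alerts(self, alert_ids, reason, resolution_status, caller) -> dict:
        """Resolve Alert: validate first, then send the mutation."""
        body = build_resolution_payload(alert_ids, reason, resolution_status, caller)
        return self.generic(json_data={"query": RESOLVE_MUTATION, "variables": {"in": body}})


def make_fake_transport(alert_ids):
    """Constructed stand-in for the API so this runs offline: pages through
    `alert_ids` for the alerts query, echoes anything else. Returns (transport, call_log)."""
    calls = []

    def transport(method, url, headers, body):
        calls.append((method, url, headers, body))
        if body.get("query") == ALERTS_QUERY:
            v = body["variables"]
            page = alert_ids[v["offset"]:v["offset"] + v["limit"]]
            return {"data": {"alerts": [{"id": a} for a in page]}}
        return {"data": {"received": body}}
    return transport, calls


if __name__ == "__main__":
    sample = [f"alert://priv:stolen-user-credentials:1:1:{i:04d}" for i in range(23)]  # constructed
    transport, calls = make_fake_transport(sample)
    client = TaegisClient("https://api.example.invalid", "tenant-1", "token", transport)
    alerts = client.get_all_alerts("from alert severity >= 0.7", limit=10)
    print(len(alerts), "alerts fetched in", len(calls), "pages")
    print(client.resolve_alerts([alerts[0]["id"]], "spam", "false_positive", "unknown"))
```

Two points worth carrying into a real playbook: page until the response is shorter than Limit rather than until it is empty (one fewer round trip, and the same result), and refuse to call Resolve Alert with an empty or malformed Alert IDs list, since a resolution is a state change that is awkward to undo in bulk.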