API Reference

name String
Client name to filter for. This will use SQL 'like' matching
clientIDs [String]
Filters for client_ids, will use the SQL 'in' filter
tenantID ID
Filter clients by tenant ID. This is useful only for scwx* role requesters. Tenant requesters will automatically have results filtered for their tenants
roleIDs [ID]
Role IDs assigned to users
tenantIDs [ID]
Tenant IDs associated with role assignments
page Int
Pagination start page, page 1 is the beginning
perPage Int
Pagination page size. Page size of -1 (default) indicates no pagination

Return Value

[Client!]!
Search Clients

Clients Mutations

createClient

Create a new client (SCWX (tenant 5000) clients are disallowed)

Parameters

name String!

Return Value

NewClient
Create a new client (SCWX (tenant 5000) clients are disallowed)

rotateClientSecret

Generate a new secret for an existing client

Parameters

id ID!

Return Value

NewClient
Generate a new secret for an existing client

deleteClient

Delete a client

Parameters

id ID!

Return Value

Client
Delete a client

Clients Output Types

Client

Fields

id ID!
name String!
client_id String!
roles String!
role_assignments [ClientRoleAssignment]
tenant_id ID!
created_at Time!
updated_at Time!
environment String!

ClientRoleAssignment

Fields

id ID!
tenant_id ID!
role_id ID!
role_name String

Clients Scalar Types

ClientsAuthzAction

Possible Values

create
read
search
update
delete
assignInternal

Connectors Queries

node

Parameters

id ID!

Possible Return Values

ConnectorCategory
ConnectorCategory is a grouping/categorization of available connectors (e.g. IP reputation services, DNS lookup, etc)
ConnectorAction
ConnectorAction declares a method or activity that can be called on a connector and its corresponding input and output
ConnectionMethod
ConnectionMethod references a service that implements connectors of a specific connection method (e.g. http, grpc, graphql)
Connector
Connector is an entry in catalog of available connectors (e.g. service now connector based on generic http connector service)
ConnectorVersion
ConnectorVersion contains the versioned attributes of a connector interface
DeletedObject
Connection
Connection is a per-tenant configuration of a connector/actions

connectorCategory

Parameters

connectorCategoryId ID
connectorCategoryName String

Return Value

ConnectorCategory

connectorCategories

Parameters

arguments ConnectorCategoriesArguments

Return Value

[ConnectorCategory!]!

connectionMethod

Parameters

connectionMethodId ID
connectionMethodName String

Return Value

ConnectionMethod

connector

Parameters

connectorId ID
connectorName String

Return Value

Connector

connectors

Parameters

connectorNames [String!]
connectionMethodIds IDs
connectorVersionIds IDs
connectorInterfaceIds IDs
connectorCategoryIds IDs
tags Tags

Return Value

[Connector!]!

connectorVersion

Parameters

arguments ConnectorVersionArguments!

Return Value

ConnectorVersion

connectorVersions

Parameters

arguments ConnectorVersionsArguments!

Return Value

[ConnectorVersion!]!

connections

Parameters

connectionIds IDs
connectorIds IDs
connectorVersionIds IDs
connectorInterfaceIds IDs
connectorCategoryIds IDs
tags Tags

Return Value

[Connection!]!

connectorExport

Parameters

arguments ConnectorExportArguments!

Return Value

ConnectorExport

Connectors Mutations

defineConnectionMethod

Define new connection method

Parameters

connectionMethod ConnectionMethodInput!

Return Value

ConnectionMethod
Define new connection method

removeConnectionMethod

Remove connection method

Parameters

connectorMethodId ID!

Return Value

ConnectionMethod
Remove connection method

createConnector

Create new connector

Parameters

input CreateConnectorInput!

Return Value

Connector
Create new connector

updateConnector

Update connector definition

Parameters

input UpdateConnectorInput!

Return Value

Connector
Update connector definition

deleteConnector

Delete connector

Parameters

input DeleteConnectorInput!

Return Value

Connector
Delete connector

cloneConnector

Clone connector

Parameters

input CloneConnectorInput!

Return Value

Connector
Clone connector

importConnector

Import a connector

Parameters

input ImportConnectorInput!

Return Value

Connector
Import a connector

createConnectorVersion

Creates a new connector version in draft mode

Parameters

connectorId ID!
input CreateConnectorVersionInput!

Return Value

ConnectorVersion
Creates a new connector version in draft mode

updateConnectorVersion

Update an existing draft connector version

Parameters

input UpdateConnectorVersionInput!

Return Value

ConnectorVersion
Update an existing draft connector version

publishConnectorVersion

Publishing a connector version makes it immutable and sets it as current head

Parameters

input PublishConnectorVersionInput!

Return Value

ConnectorVersion
Publishing a connector version makes it immutable and sets it as current head

deleteConnectorVersion

Deleting a connector version is not supported after a version is published

Parameters

input DeleteConnectorVersionInput!

Return Value

ConnectorVersion
Deleting a connector version is not supported after a version is published

createConnection

Create new connection

Parameters

connectorId ID!
connection ConnectionInput!

Return Value

Connection
Create new connection

updateConnection

Update connection

Parameters

connectionId ID!
connection ConnectionInput!

Return Value

Connection
Update connection

deleteConnection

Delete connection

Parameters

connectionId ID!

Return Value

Connection
Delete connection

validateConnection

Validate an existing connection

Parameters

connectionId ID!

Return Value

Connection
Validate an existing connection

validateConnectionInput

Validate new connection

Parameters

connectorId ID!
connection ConnectionInput!

Return Value

Connector
Validate new connection

executeConnectionAction

Execute an action

Parameters

connectionId ID!
actionName String!
inputs Any

Return Value

Any
Execute an action

testConnectorAction

Test a connector action

Parameters

input TestConnectorActionInput!

Return Value

Any
Test a connector action

executeConnectorAction

Execute a connector action

Parameters

name String!
inputs Any

Return Value

Any
Execute a connector action

Connectors Subscriptions

connectorCreated

Parameters

connectorMethodIds IDs
allTenants Boolean!

Return Value

Connector!

connectorUpdated

Parameters

connectorMethodIds IDs
allTenants Boolean!

Return Value

Connector!

connectorDeleted

Parameters

connectorMethodIds IDs
allTenants Boolean!

Return Value

DeletedObject!

connectionCreated

Parameters

connectorMethodIds IDs
connectorIds IDs
allTenants Boolean!

Return Value

Connection!

connectionUpdated

Parameters

connectorMethodIds IDs
connectorIds IDs
allTenants Boolean!

Return Value

Connection!

connectionDeleted

Parameters

connectorMethodIds IDs
connectorIds IDs
allTenants Boolean!

Return Value

DeletedObject!

Connectors Output Types

Connection

Connection is a per-tenant configuration of a connector/actions

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
lastUpdatedBy String!
name String!
description String
connector Connector!
version ConnectorVersion
versionFollow SemVer!
versionStrategy ConnectionVersionStrategy
tags [String!]
authType AuthType!
authUrl String
config JSONObject
credentials JSONObject
sequence Int
rateLimit ConnectionRateLimit

ConnectionMethod

ConnectionMethod references a service that implements connectors of a specific connection method (e.g. http, grpc, graphql)

Fields

id ID!
createdAt Time!
updatedAt Time!
name String!
description String
parameters JSONSchema
graphqlUrl String!
connectors [Connector!]

Connector

Connector is an entry in catalog of available connectors (e.g. service now connector based on generic http connector service)

Fields

id ID!
name String!
createdAt Time!
createdBy String!
updatedAt Time!
lastUpdatedBy String!
sequence Int
tenant String
icon String
tags [String!]
categories [ConnectorCategory!]!
connections [Connection!]
method ConnectionMethod!
head ConnectorVersion!
versions [ConnectorVersion!]!

ConnectorAction

ConnectorAction declares a method or activity that can be called on a connector and its corresponding input and output

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
lastUpdatedBy String!
name String!
version ConnectorVersion
description String
inputs JSONSchema
outputs JSONSchema
config JSONObject

ConnectorCategory

ConnectorCategory is a grouping/categorization of available connectors (e.g. IP reputation services, DNS lookup, etc)

Fields

id ID!
name String!
description String
createdAt Time!
updatedAt Time!
tags [String!]

ConnectorRateLimit

Fields

defaultInterval String
defaultLimit Int
maxInterval String
maxLimit Int
minInterval String
minLimit Int

ConnectorVersion

ConnectorVersion contains the versioned attributes of a connector interface

Fields

id ID!
version SemVer
createdAt Time!
createdBy String!
updatedAt Time!
lastUpdatedBy String!
published Time
publishedBy String
connector Connector!
name String!
title String
description String
documentation String
changeNotes String
changeNotesMarkdown String
metadata JSONObject
connections [Connection!]
parameters JSONSchema
actions [ConnectorAction!]!
authTypes [AuthType!]!
authenticate ConnectorAction
validate ConnectorAction
vendorName String
vendorProduct String
vendorVersion String
rateLimit ConnectorRateLimit

DeletedObject

Fields

id ID!
createdAt Time!
updatedAt Time!
deletedAt Time!
createdBy String!
lastUpdatedBy String
name String!
description String
tags [String!]
sequence Int

Connectors Input Types

CloneConnectorInput

Fields

name String!
connectorId ID!
versionId ID!

ConnectionAPIKeyAuth

Fields

param String!
value String!
header String!

ConnectionClientCertificateAuth

Fields

certificate String!
privateKey String!
privateKeyPassword String

ConnectionCredentialsInput

Fields

rawAuth ConnectionRawAuth
basicAuth ConnectionBasicAuth
apiKeyAuth ConnectionAPIKeyAuth
clientCredentialsAuth ConnectionOAuth2ClientCredsAuth
clientCertificateAuth ConnectionClientCertificateAuth
ownerPasswordCredentialsAuth ConnectionOAuth2PasswordCredsAuth
authCodeAuth ConnectionOAuth2AuthCodeAuth

ConnectionInput

ConnectionInput defines the mutable fields of a connection

Fields

name String!
description String
tags Tags
config JSONObject
credentials JSONObject
authType AuthType
authUrl String
version ID
versionStrategy ConnectionVersionStrategy
versionFollow SemVer
rateLimit ConnectionRateLimitInput

ConnectionMethodInput

ConnectionMethodInput defines the fields required to register a new connection method

Fields

name String!
description String
url String!
parameters JSONSchema
tags Tags

ConnectionOAuth2AuthCodeAuth

Fields

clientId String!
clientSecret String!
scopes [String!]
authCode String!

ConnectionOAuth2ClientCredsAuth

Fields

clientId String!
clientSecret String!
scopes [String!]

ConnectionOAuth2PasswordCredsAuth

Fields

clientId String!
clientSecret String!
scopes [String!]
Username String!
Password String!

ConnectorActionInput

ConnectorActionInput defines the mutable fields of a connector action declaration

Fields

name String!
description String
inputs JSONSchema
outputs JSONSchema
config JSONObject

ConnectorCategoriesArguments

ConnectorCategoriesArguments defines the filters and options for listing connectorCategories

Fields

connectorCategoryNames [String!]
connectorCategoryIds IDs

ConnectorRateLimitInput

Fields

defaultInterval String!
defaultLimit Int!
maxInterval String!
maxLimit Int!
minInterval String!
minLimit Int!

ConnectorVersionArguments

ConnectorVersionArguments defines the filters and options for listing connectorVersions

Fields

connectorVersionName String
connectorVersionId ID

ConnectorVersionsArguments

ConnectorVersionsArguments defines the filters and options for listing connectorVersions

Fields

connectorVersionNames [String!]
connectorVersionIds IDs

CreateConnectorInput

ConnectorInput defines the fields required to create a connector

Fields

name String!
tags Tags
icon String
categories IDs
method ID!
version CreateConnectorVersionInput!

CreateConnectorVersionInput

CreateConnectorVersionInput defines the versioned fields of a connector

Fields

title String
description String
documentation String
changeNotes String
changeNotesMarkdown String
vendorName String
vendorProduct String
vendorVersion String
metadata JSONObject
parameters JSONSchema
actions [ConnectorActionInput!]
authTypes [AuthType!]!
version SemVer
rateLimit ConnectorRateLimitInput

DeleteConnectorInput

DeleteConnectorInput defines the mutable metadata fields of a connector

Fields

connectorId ID!

TestConnectorActionInput

Fields

connection ConnectionInput!
connectionMethodName String!
action ConnectorActionInput!
inputs Any

UpdateConnectorInput

UpdateConnectorInput defines the mutable metadata fields of a connector

Fields

connectorId ID!
tags Tags
icon String
categories IDs
head ID

UpdateConnectorVersionInput

UpdateConnectorVersionInput defines the versioned fields of a connector

Fields

connectorVersionId ID!
title String
description String
documentation String
changeNotes String
changeNotesMarkdown String
vendorName String
vendorProduct String
vendorVersion String
metadata JSONObject
parameters JSONSchema
actions [ConnectorActionInput!]
authTypes [AuthType!]
version SemVer
rateLimit ConnectorRateLimitInput

Connectors Scalar Types

AuthType

Enumeration of supported auth types

Possible Values

None
Platform
Raw
Basic
APIKey
ClientCerts
OAuthClientCreds
OAuthPassword
OAuthAuthCode
OAuthJWT
Custom

ConnectionVersionStrategy

ConnectionVersionStrategy determines how the connection is upgraded when new versions are published

Possible Values

Fixed
FollowHead
FollowMinorVersion
FollowMajorVersion

Events Queries

events

Resolves events by ID

Parameters

ids [ID!]!

Return Value

[Event]!
Resolves events by ID

eventQuery

Returns query status by ID

Parameters

id ID!

Return Value

EventQuery
Returns query status by ID

eventQueries

Provides a catalog of cached queries

Parameters

metadata JSONObject

Return Value

[EventQuery!]!
Provides a catalog of cached queries

Events Subscriptions

eventPage

Returns the next logical page of results for each of the event types covered by the query

Parameters

id ID!

Return Value

EventQueryResults!
Returns the next logical page of results for each of the event types covered by the query

eventQuery

Evaluates a query string and returns results for the first page of each event type covered by the query

Parameters

query String!
metadata JSONObject
options EventQueryOptions

Return Value

EventQueryResults!
Evaluates a query string and returns results for the first page of each event type covered by the query

Events Output Types

EventQuery

EventQuery defines the overall query status and metadata

Fields

id ID!
query String!
status String!
reasons [EventQueryResult!]
submitted Time!
expires Time!
completed Time
earliest Time
latest Time
types [String!]
metadata JSONObject
user EventUser
progress [EventQueryProgress!]

EventQueryProgress

EventQueryProgress provides basic metrics about query progress

Fields

type String
The event type
totalRows Int
The total rows available as the result of the search. For the Athena backend this is always the same as the maxRowsPerQuery, for Arcana it is the total rows that matched the search criteria (but could be capped for other reasons)
totalRowsIsLowerBound Boolean
Flag that indicates whether or not the total rows is actually a lower bound (e.g. the actual number of results count be higher). Indicates that we have *atLeast* TotalRows that match the search query
resultsTruncated Boolean
Flag that indicates whether the results were truncated (there are more results available but we only returned a portion of them)

EventQueryResult

EventQueryResult returns query status and if available a page of results for a specific event type

Fields

id ID!
type String!
backend String!
status String!
reason String
submitted Time!
completed Time
expires Time
facets JSONObject
rows [JSONObject]
progress EventQueryProgress

EventQueryResults

EventQueryResults contains overall query status and optionally results for a specific event type

Fields

query EventQuery!
result EventQueryResult
next ID
if present points to the next logical page of results across all event types covered by the query
prev ID
if present points to the prev page of results

EventUser

EventUser is the user that submitted query

Fields

name String
role String
email String

Events Input Types

EventQueryOptions

EventQueryOptions provides ability to override default query behavior

Fields

timestampAscending Boolean
reverses default timestamp order of descending
pageSize Int
change default page size up to 1K max
maxRows Int
change default number of rows requested up to 100K max
skipCache Boolean
dont use cached results
aggregationOff Boolean
disable aggregation operations

Events Scalar Types

Investigations Queries

node

Parameters

id ID!

Possible Return Values

Event
Used by Nautilus to resolve the Red Cloak TDR event model.
Alert
Used by Nautilus to resolve the Red Cloak TDR alert model.
Alert2
Used by Nautilus to resolve the Red Cloak TDR alertv2 model.
Asset
Used by Nautilus to resolve the Red Cloak TDR asset model.
TDRUser
Used by Nautilus to resolve the Red Cloak TDR user model.
Investigation
Describes a Red Cloak TDR investigation.

investigationSummary

Get summary of investigations (tag and counts for each tag)

Parameters

No parameters.

Return Value

[InvestigationSummary!]!
Get summary of investigations (tag and counts for each tag)

investigation

Get an investigation by id

Parameters

investigation_id ID!

Return Value

Investigation
Get an investigation by id

investigations

Get investigations for the list of ids

Parameters

investigation_ids [ID!]

Return Value

[Investigation!]!
Get investigations for the list of ids

allInvestigations

Get all investigations

Parameters

status [String]
page Int
perPage Int
createdAfter String
createdBefore String
updatedAfter String
updatedBefore String
orderByField OrderFieldInput
orderDirection OrderDirectionInput
isDeleted Boolean
hideThreatHuntingInvestigations Boolean

Return Value

[Investigation!]!
Get all investigations

investigationCountOverTime

Get the number of investigations created during a given time frame. Can optionslly pass in a desired 'transition_status' (handoff, acknowledge, resolution)

Parameters

transition_status String
after Time
before Time

Return Value

Count!
Get the number of investigations created during a given time frame. Can optionslly pass in a desired 'transition_status' (handoff, acknowledge, resolution)

meanTimeSummaryOverPeriod

Get the average times it took to hand off, acknowledge, and resolve all investigations over the course of the period

Parameters

after Time
before Time
includeThreatHuntTypes Boolean

Return Value

TimeSummaryForGroup!
Get the average times it took to hand off, acknowledge, and resolve all investigations over the course of the period

investigationAssets

Get investigation assets by investigation id

Parameters

investigation_id ID!
page Int
perPage Int

Return Value

InvestigationAssetOutput!
Get investigation assets by investigation id

investigationEvents

Get investigation events by investigation id

Parameters

investigation_id ID!
page Int
perPage Int

Return Value

InvestigationEventOutput!
Get investigation events by investigation id

investigationAlerts

Get investigation alerts by investigation id

Parameters

investigation_id ID!
page Int
perPage Int
filterQuery String
orderByField String
orderDirection OrderDirection

Return Value

InvestigationAlertOutput!
Get investigation alerts by investigation id

investigationGenesisEvents

Get investigation genesis events by investigation id

Parameters

investigation_id ID!

Return Value

[Event!]!
Get investigation genesis events by investigation id

investigationGenesisAlerts

Get investigation genesis alerts by investigation id

Parameters

investigation_id ID!

Return Value

[Alert!]!
Get investigation genesis alerts by investigation id

investigationAuthCredentials

Get investigation auth credentials by investigation id

Parameters

investigation_id ID!

Return Value

[String!]!
Get investigation auth credentials by investigation id

investigationSearchQueries

Get investigation search queries by investigation id

Parameters

investigation_id ID!

Return Value

[SearchQuery!]!
Get investigation search queries by investigation id

investigationsBulkEventsAlerts

Get investigations by quering a string on events/alerts/genesis events/genesis alerts fields

Parameters

queryStrings [String!]!

Return Value

[InvestigationBulkResponse!]!
Get investigations by quering a string on events/alerts/genesis events/genesis alerts fields

investigationsBulkUpdateAlerts

Updates Investigation Alerts and Investigation information from Alerts (ie Access Vectors)

Parameters

No parameters.

Return Value

String
Updates Investigation Alerts and Investigation information from Alerts (ie Access Vectors)

investigationStatusSummary

Get summary of investigations and status filtered by updated_at

Parameters

updatedAfter String
updatedBefore String

Return Value

[SummaryGroup!]!
Get summary of investigations and status filtered by updated_at

investigationsSearch

Investigations Search. query fields accepts CQL string (non aggregations). Use filterText for free text search

Parameters

page Int
perPage Int
query String
filterText String
orderByField OrderFieldInput
orderDirection OrderDirectionInput

Return Value

InvestigationsOutput!
Investigations Search. query fields accepts CQL string (non aggregations). Use filterText for free text search

investigationsAdvancedSearch

Investigations Advanced Search can perform aggregations/sorting/filtering on investigations using CQL

Parameters

cql String!

Return Value

[Map!]!
Investigations Advanced Search can perform aggregations/sorting/filtering on investigations using CQL

investigationProcessingStatus

Get investigation processing status by id

Parameters

investigation_id ID!

Return Value

InvestigationProcessingResponse
Get investigation processing status by id

getFalsePositives

MDR - false positives widget

Parameters

after Time!
before Time!

Return Value

Map!
MDR - false positives widget

investigationsCount

Get aggregated investigations counts based on CQL query

Parameters

query String

Return Value

Int!
Get aggregated investigations counts based on CQL query

investigationsStatusCount

Get aggregated investigations status counts

Parameters

No parameters.

Return Value

InvestigationStatusCountResponse!
Get aggregated investigations status counts

exportInvestigationsSearch

Export investigations Search Raw Content

Parameters

page Int
perPage Int
query String
filterText String
orderByField OrderFieldInput
orderDirection OrderDirectionInput

Return Value

InvestigationsExportOutput!
Export investigations Search Raw Content

investigationFile

Get investigation file details

Parameters

file_id ID!

Return Value

InvestigationFile!
Get investigation file details

investigationFiles

Get investigation files details

Parameters

investigation_id ID!

Return Value

[InvestigationFile!]!
Get investigation files details

downloadInvestigationFile

Presigned URK to Download investigation file

Parameters

investigation_id ID!
file_id ID!

Return Value

String!
Presigned URK to Download investigation file

investigationsBySession

Get investigations by multi-tenant session

Parameters

session_id String!
page Int
perPage Int

Return Value

[Investigation]
Get investigations by multi-tenant session

getHandoffInvestigations

Return list of Investigations which are handed off atleast once for the the given dates and status

Parameters

page Int
perPage Int
createdAfter String
createdBefore String
includeThreatHuntTypesOnly Boolean
excludeThreatHuntTypes Boolean

Return Value

InvestigationsOutput!
Return list of Investigations which are handed off atleast once for the the given dates and status

investigationTypes

Return investigation types list based on user

Parameters

No parameters.

Return Value

[InvestigationKeyValuePair!]!
Return investigation types list based on user

investigationStatusList

Return investigation status static list

Parameters

No parameters.

Return Value

[InvestigationKeyValuePair!]!
Return investigation status static list

investigationPriorityList

Return investigation priority static list

Parameters

No parameters.

Return Value

[InvestigationKeyValuePair!]!
Return investigation priority static list

Investigations Mutations

createInvestigation

Create new investigation

Parameters

investigation InvestigationInput!

Return Value

Investigation
Create new investigation

updateInvestigation

Update investigation

Parameters

investigation_id ID!
investigation UpdateInvestigationInput!

Return Value

Investigation
Update investigation

archiveInvestigation

Archive investigation

Parameters

investigation_id ID!

Return Value

Investigation
Archive investigation

bulkArchiveInvestigations

Bulk Archive Investigations

Parameters

ids [ID!]!

Return Value

[ID!]
Bulk Archive Investigations

unArchiveInvestigation

UnArchive Investigation

Parameters

investigation_id ID!

Return Value

Investigation
UnArchive Investigation

bulkUnArchiveInvestigations

Bulk UnArchive Investigations

Parameters

ids [ID!]!

Return Value

[ID!]
Bulk UnArchive Investigations

createActivityLogForInvestigation

Create a new activity log for investigation

Parameters

investigation_id ID!
activityLog ActivityLogInput!

Return Value

ActivityLog
Create a new activity log for investigation

addAssetsToInvestigation

Add assets to investigation

Parameters

investigation_id ID!
assets [String!]!

Return Value

Investigation
Add assets to investigation

addEventsToInvestigation

Add events to investigation

Parameters

investigation_id ID!
events [String!]!

Return Value

Investigation
Add events to investigation

addAlertsToInvestigation

Add alerts to investigation

Parameters

investigation_id ID!
alerts [String!]!

Return Value

Investigation
Add alerts to investigation

addGenesisEventsToInvestigation

Add genesis events to investigation

Parameters

investigation_id ID!
genesis_events [String!]!

Return Value

Investigation
Add genesis events to investigation

addGenesisAlertsToInvestigation

Add genesis alerts to investigation

Parameters

investigation_id ID!
genesis_alerts [String!]!

Return Value

Investigation
Add genesis alerts to investigation

addAuthCredentialsToInvestigation

Add auth credentials to investigation

Parameters

investigation_id ID!
auth_credentials [String!]!

Return Value

Investigation
Add auth credentials to investigation

addSearchQueriesToInvestigation

Add search queries to investigation

Parameters

investigation_id ID!
search_queries [String!]!

Return Value

Investigation
Add search queries to investigation

addAccessVector

Access Vectors

Parameters

investigation_id ID!
vectorName String!
created_at Time
updated_at Time

Return Value

AccessVector!
Access Vectors

removeAssetsFromInvestigation

Remove assets from investigation

Parameters

investigation_id ID!
assets [String!]!

Return Value

Investigation
Remove assets from investigation

removeEventsFromInvestigation

Remove events from investigation

Parameters

investigation_id ID!
events [String!]!

Return Value

Investigation
Remove events from investigation

removeAlertsFromInvestigation

Remove alerts from investigation

Parameters

investigation_id ID!
alerts [String!]!

Return Value

Investigation
Remove alerts from investigation

removeSearchQueriesFromInvestigation

Remove search queries from investigation

Parameters

investigation_id ID!
search_queries [String!]!

Return Value

Investigation
Remove search queries from investigation

addBulkAlertsToInvestigation

Bulk add alerts to an investigation using restdb search query

Parameters

investigation_id ID
new_investigation InvestigationInput
search_query String!

Return Value

Investigation
Bulk add alerts to an investigation using restdb search query

addBulkAlerts2ToInvestigation

Bulk add alerts2 to an new investigation using cql query

Parameters

new_investigation InvestigationInput!
cql String!

Return Value

Investigation
Bulk add alerts2 to an new investigation using cql query

addBulkAlerts2ToExistingInvestigation

Bulk add alerts2 to an existing investigation using cql query

Parameters

investigation_id ID!
cql String!

Return Value

Investigation
Bulk add alerts2 to an existing investigation using cql query

reProcessInvestigationBackgroundJob

Reprocess investigation background job by id

Parameters

investigation_id ID!

Return Value

InvestigationProcessingResponse
Reprocess investigation background job by id

deleteInvestigation

Hard delete of investigation (Supported only in development environments)

Parameters

investigation_id ID!

Return Value

ID!
Hard delete of investigation (Supported only in development environments)

acknowledgeInvestigation

Update state_transitions table to acknowledge if current state is handoff, without changing the investigation itself

Parameters

investigation_id ID!

Return Value

ID!
Update state_transitions table to acknowledge if current state is handoff, without changing the investigation itself

fileUpload

Upload File for an investigation

Parameters

input FileUploadInput!

Return Value

InvestigationFile!
Upload File for an investigation

deleteFile

Delete investigation files from S3 bucket

Parameters

investigation_id ID!
file_id ID!

Return Value

Boolean!
Delete investigation files from S3 bucket

Investigations Output Types

AccessVector

Fields

id ID!
investigation_id ID!
name String!
created_at Time!
updated_at Time!
mitre_info MitreAttackInfo

ActivityLog

Stores details of an investigation activity (Create/Update, etc.).

Fields

id ID!
created_at Time
updated_at Time
tenant_id String!
user_id String!
description String!
type String!
comment String!
target String!
investigation_id ID!

Alert

Used by Nautilus to resolve the Red Cloak TDR alert model.

Fields

id ID!

Alert2

Used by Nautilus to resolve the Red Cloak TDR alertv2 model.

Fields

id ID!

AlertData

Describes a Red Cloak TDR alert.

Fields

domain String!
message String!
domain_registration_date Timestamp
timestamp Timestamp
source_ip String!
source_port Int!
destination_ip String!
destination_port Int!
attack_categories [String!]!
attack_categories_info [MitreAttackInfo]
username String!
password String!
raw_event String!
alert_extra_data_url String!
blacklist_name String!
blacklist_reason String!

AlertReferenceData

Contains a description and URL for an alert.

Fields

description String!
url String!

AlertSourceData

Contains the source information for an alert.

Fields

uuid String!
origin String!
source_event String!
event_snippet String!

Asset

Used by Nautilus to resolve the Red Cloak TDR asset model.

Fields

id ID!

Assignee

Describes the assignee of an investigation.

Fields

id ID!
name String!
roles [String!]!
status String!
user_id String
email String
email_verified Boolean
email_normalized String
family_name String
given_name String
tenants [Tenant]

Count

Represents a int count of a given object.

Fields

count Int!

EthernetAddress

Describes an asset ethernet address.

Fields

id ID!
created_at Time!
updated_at Time!
host_id String!
mac String!

Event

Used by Nautilus to resolve the Red Cloak TDR event model.

Fields

id ID!

Hostname

Describes an asset <code>hostname</code>.

Fields

id ID!
created_at Time!
updated_at Time!
host_id String!
hostname String!

IndividualTimeSummary

Represents the amounts of time it took before an investigation transitioned into the handoff, acknowledge, and resolution states.

Fields

time_to_handoff Int
time_to_acknowledge Int
time_to_resolution Int
is_closed Boolean!
investigation Investigation!

Investigation

Describes a Red Cloak TDR investigation.

Fields

id ID!
tenant_id String!
tags [String!]!
genesis_alerts [Alert!]!
genesis_alerts2 [Alert2!]
genesis_events [Event!]!
alerts [Alert!]!
alerts2 [Alert2!]
events [Event!]!
assets [Asset!]!
search_queries [SearchQuery!]!
auth_credentials [String!]!
key_findings String!
description String!
created_at Time!
updated_at Time!
notified_at Time
activity_logs [ActivityLog!]!
created_by String
created_by_user TDRUser
Retrieves the `TDRUser` object for the user that created the investigation.
status String!
contributors [String!]!
service_desk_id String
service_desk_type String
assignee_id String
assignee_user TDRUser
Retrieves the `TDRUser` object for the user that is assigned to the investigation.
assignee Assignee
latest_activity String!
access_vectors [AccessVector!]
transition_state TransitionState
archived_at Time
deleted_at Time
created_by_scwx Boolean!
investigationType String
processing_status InvestigationProcessingResponse
priority Int
type String
genesis_alerts_count Int
genesis_events_count Int
alerts_count Int
events_count Int
assets_count Int
files_count Int
comments_count ParentCount

InvestigationAlertOutput

Fields

alerts [Alert!]!
alerts2 [Alert2!]
totalCount Int

InvestigationBulkResponse

Used to return an array of investigations for a specific query.

Fields

query String!
investigations [Investigation!]!

InvestigationFile

Fields

id ID!
investigation_id ID!
tenant_id String!
created_at Time!
updated_at Time!
deleted_at Time
name String!
path String
size Int!
status String!
uploaded_by String!
deleted_by String
additional_metadata Map

InvestigationInfo

Describes a small subset of investigation information.

Fields

id String!
genesis_alerts [String!]!
alerts [String!]!
tenant String!

InvestigationKeyValuePair

Fields

key String!
value String!
description String!

InvestigationProcessingResponse

InvestigationStatusCountResponse

Fields

open Int!
closed Int!
active Int!
awaiting_action Int!
suspended Int!
total Int!

InvestigationSummary

Provides a count of investigations per tag.

Fields

tag String!
count Int!

Investigations

An array of <code>InvestigationInfo</code> objects.

Fields

investigations [InvestigationInfo!]!

InvestigationsExportOutput

Fields

columnDef [String!]!
rows [[String!]!]!
totalCount Int

InvestigationsOutput

Fields

investigations [Investigation!]!
totalCount Int

IpAddress

Describes an asset IP Address.

Fields

id ID!
created_at Time!
updated_at Time!
ip String!
host_id String!

MitreAttackInfo

Describes fields related to MitreAttack information for an alert.

Fields

technique_id String!
technique String!
tactics [String!]
type String!
description String!
platform [String!]!
system_requirements [String!]!
url String!
data_sources [String!]!
defence_bypassed [String!]!
contributors [String!]!
version String!

ParentCount

Represents total and unread comment counts for an investigation.

Fields

parent_id String!
parent_type String!
total Int!
unread Int!

RankData

Describes rank data for an alert.

Fields

rank_score Float!
ranker String!
ranker_version String!
ranker_model_version String!

SearchQuery

Represents a saved search query id

Fields

id ID!

SummaryGroup

Describes the summary of investigations by status filtered by date.

Fields

status String!
count Int!
date String!

TDRUser

Used by Nautilus to resolve the Red Cloak TDR user model.

Fields

id ID!

TenantContextResponseState

Containes the labels and audit logs of a response .

Fields

label_id String!
label_name String!
audit_log [UserResponseState]

TenantContextResponseStateMap

Contains the context response state and name.

Fields

name String!
tenant_context_response_state TenantContextResponseState

TenantResponseState

Contains a source, data and labels for a tenant response.

Fields

source_id String!
data_id String!
labels [TenantContextResponseStateMap]

TimeSummaryForGroup

Used by MeanTimeSummaryOverPeriod query to represent the average times it took to hand off, acknowledge, and resolve all investigations over the course of the period.

Fields

mean_time_to_handoff Int!
mean_time_to_acknowledge Int!
mean_time_to_resolution Int!
time_summaries [IndividualTimeSummary!]!

Timestamp

Describes time in seconds and nanoseconds.

Fields

seconds Int!
nanos Int!

TransitionState

Represent both the initial transitions (if they exist) and the current state (handed off, acknowledged, resolved) of an investigation.

Fields

handed_off_at_least_once Boolean!
initial_handoff_time Time
acknowledged_at_least_once Boolean!
initial_acknowledge_time Time
resolved_at_least_once Boolean!
initial_resolution_time Time
handed_off Boolean!
handoff_time Time
acknowledged Boolean!
acknowledge_time Time
resolved Boolean!
resolution_time Time

TransitionSummary

Used by HandedOff/Acknowledged/ResolvedInvestigations query to represent an investigations most recent transition time and time spent in each state.

Fields

transition_time Time!
time_summary IndividualTimeSummary!

User

Describes a user of an asset.

Fields

id ID!
created_at Time!
updated_at Time!
host_id String!
username String!

UserResponseState

Contains the user information for a response.

Fields

responseId String!
label_id String!
label_name String!
user_id String!
created_at Timestamp
updated_at Timestamp
deleted_at Timestamp
create_time_usec Int!
delete_time_usec Int!

Investigations Input Types

ActivityLogInput

Describes the fields available for creating a new Activity Log.

Fields

description String!
type String!
comment String!
target String!

InvestigationInput

Describes the fields available for creating a new investigation.

Fields

tags [String!]
genesis_alerts [String!]
genesis_events [String!]
alerts [String!]
events [String!]
assets [String!]
auth_credentials [String!]
search_queries [String!]
key_findings String
description String!
notified_at Time
created_by String
status String
contributors [String!]
service_desk_id String
service_desk_type String
assignee_id String
notes String
priority Int
type String

UpdateInvestigationInput

Describes the fields available for updating an investigation.

Fields

tags [String]
genesis_alerts [String]
genesis_events [String]
alerts [String]
events [String]
assets [String]
auth_credentials [String]
search_queries [String]
key_findings String
description String
notified_at Time
created_by String
status String
contributors [String]
service_desk_id String
service_desk_type String
assignee_id String
notes String
acknowledgment Boolean
priority Int
type String

Investigations Scalar Types

Map

The default Map implementation for this library

OrderDirectionInput

Describes the order direction available for the order field of the <code>AllInvestigations</code> query.

Possible Values

asc
desc

OrderFieldInput

Describes the enums available for the ordering of the <code>AllInvestigations</code> query.

Possible Values

id
tenant_id
tags
genesis_alerts
genesis_events
alerts
events
assets
auth_credentials
key_findings
description
created_at
updated_at
notified_at
created_by
status
contributors
service_desk_id
service_desk_type
all_alerts
all_events
priority
type

Time

The default Time implementation for this library.

Uint64

`Uint64` is a custom scalar type that represents an unsigned 64 bit integer.

Upload

The default Upload implementation for this library

Playbooks Queries

node

Parameters

id ID!

Possible Return Values

ConnectorCategory
ConnectorCategory is a grouping/categorization of available connectors/playbooks (e.g. IP reputation services, DNS lookup, etc)
ConnectorInterface
ConnectorInterface defines an abstract interface (set of actions) that could be implemented by multiple connectors
ConnectorVersion
ConnectorVersion contains the versioned attributes of a connector interface
Connector
Connector is an entry in catalog of available connectors (e.g. service now connector based on generic http connector service)
Connection
Connection is a per-tenant configuration of a connector/actions
PlaybookTriggerType
PlaybookTriggerType defines an available triggering mechanism
PlaybookTrigger
PlaybookTrigger defines a set of attributes common to different trigger types
PlaybookInterface
PlaybookInterface defines a contract that can be implemented by one ore more playbooks
PlaybookInterfaceVersion
PlaybookInterfaceVersion maintains a change record of the playbook interface.
Playbook
Playbook is an entry in catalog of available playbooks
PlaybookVersion
PlaybookVersion maintains a change record of the playbook definition. Multiple versions of a playbook could be in use concurrently
PlaybookInstance
PlaybookInstance defines the configuration of a playbook in a user account
PlaybookExecution
PlaybookExecution represents the state of a current playbook execution
PlaybookExecutionLog
PlaybookExecutionLog represents a log entry from an executed playbook with it's children and status logs attached
DeletedObject

playbookVersion

Parameters

arguments PlaybookVersionArguments!

Return Value

PlaybookVersion

playbookInstances

Parameters

playbookId ID
tags Tags
connections IDs

Return Value

[PlaybookInstance!]

playbookExecution

Parameters

playbookExecutionId ID!

Return Value

PlaybookExecution

playbookExecutions

Parameters

playbookInstanceId ID!
pagination Pagination

Return Value

PlaybookExecutions

playbookExecutionsV2

Parameters

arguments PlaybookExecutionsV2Arguments!

Return Value

PlaybookExecutionsV2

playbookExecutionLogs

Parameters

playbookExecutionId ID!

Return Value

[PlaybookExecutionLog]

playbookTriggers

Parameters

playbookTriggerTypeIds IDs!

Return Value

[PlaybookTrigger!]

playbookTriggerType

Parameters

playbookTriggerTypeId ID
playbookTriggerTypeName String

Return Value

PlaybookTriggerType

playbookExport

Parameters

arguments PlaybookExportArguments!

Return Value

PlaybookExport

playbookQuery

Parameters

query String!
database String!
options QueryOptions

Return Value

[PlaybookStatistics]!

playbookInterface

Parameters

arguments PlaybookInterfaceArguments!

Return Value

PlaybookInterface

playbookInterfaceVersion

Parameters

arguments PlaybookInterfaceVersionArguments!

Return Value

PlaybookInterfaceVersion

playbookInterfaceVersions

Parameters

arguments PlaybookInterfaceVersionsArguments!

Return Value

[PlaybookInterfaceVersion!]!

playbooksImplementingInterface

Parameters

arguments PlaybooksImplementingArguments!

Return Value

[Playbook!]!

Playbooks Mutations

createPlaybook

Create new playbook

Parameters

input CreatePlaybookInput!

Return Value

Playbook
Create new playbook

clonePlaybook

Clone an existing playbook

Parameters

input ClonePlaybookInput!

Return Value

Playbook
Clone an existing playbook

updatePlaybook

Update playbook

Parameters

input UpdatePlaybookInput!

Return Value

Playbook
Update playbook

deletePlaybook

Delete playbook

Parameters

input DeletePlaybookInput!

Return Value

Playbook
Delete playbook

importPlaybookV2

Import Playbook from file

Parameters

input ImportPlaybookInput!

Return Value

Playbook
Import Playbook from file

importPlaybookResource

Import Playbook Resource from file

Parameters

input ImportPlaybookInput!

Return Value

PlaybookResource
Import Playbook Resource from file

executePlaybook

Execute playbook with supplied parameters

Parameters

playbookId ID!
parameters JSONObject

Return Value

PlaybookExecution
Execute playbook with supplied parameters

createPlaybookVersion

Creates a new playbook version in draft mode

Parameters

playbookId ID!
input CreatePlaybookVersionInput!

Return Value

PlaybookVersion
Creates a new playbook version in draft mode

updatePlaybookVersion

Update an existing draft playbook version

Parameters

input UpdatePlaybookVersionInput!

Return Value

PlaybookVersion
Update an existing draft playbook version

publishPlaybookVersion

Publishing a playbook version makes it immutable and sets it as the current head Deleting a published playbook version is not supported"

Parameters

input PublishPlaybookVersionInput!

Return Value

PlaybookVersion
Publishing a playbook version makes it immutable and sets it as the current head Deleting a published playbook version is not supported"

deletePlaybookVersion

Deletes the specified draft playbook version

Parameters

input DeletePlaybookVersionInput!

Return Value

PlaybookVersion
Deletes the specified draft playbook version

createPlaybookInstance

Create new playbook instance

Parameters

playbookId ID!
instance PlaybookInstanceInput!

Return Value

PlaybookInstance
Create new playbook instance

updatePlaybookInstance

Update playbook instance

Parameters

playbookInstanceId ID!
instance PlaybookInstanceInput!

Return Value

PlaybookInstance
Update playbook instance

deletePlaybookInstance

Delete playbook instance

Parameters

playbookInstanceId ID!

Return Value

PlaybookInstance
Delete playbook instance

setPlaybookInstanceState

Enabled/disable playbook instance

Parameters

playbookInstanceId ID!
enabled Boolean!

Return Value

PlaybookInstance
Enabled/disable playbook instance

createPlaybookExecution

Log playbook trigger / execution status

Parameters

input PlaybookExecutionInput!

Return Value

PlaybookExecution
Log playbook trigger / execution status

executePlaybookInstance

Execute playbook instance

Parameters

playbookInstanceId ID!
parameters JSONObject

Return Value

PlaybookExecution
Execute playbook instance

playbookValidate

Validate Playbook or just the DSL

Parameters

arguments PlaybookValidationArguments!

Return Value

[PlaybookValidationError]!
Validate Playbook or just the DSL

playbookValidateDSL

Parameters

arguments PlaybookValidationArguments!

Return Value

[PlaybookValidationError]!

createPlaybookInterfaceVersion

Create PlaybookInterfaceVersion

Parameters

playbookInterfaceId ID!
input CreatePlaybookInterfaceVersionInput!

Return Value

PlaybookInterfaceVersion
Create PlaybookInterfaceVersion

updatePlaybookInterfaceVersion

Update PlaybookInterfaceVersion

Parameters

input UpdatePlaybookInterfaceVersionInput!

Return Value

PlaybookInterfaceVersion
Update PlaybookInterfaceVersion

deletePlaybookInterfaceVersion

Deletes the specified playbook interface version

Parameters

input DeletePlaybookInterfaceVersionInput!

Return Value

PlaybookInterfaceVersion
Deletes the specified playbook interface version

publishPlaybookInterfaceVersion

Publish a Playbook Interface Version

Parameters

input PublishPlaybookInterfaceVersionInput!

Return Value

PlaybookInterfaceVersion
Publish a Playbook Interface Version

createPlaybookInterface

Create new playbook interface

Parameters

input CreatePlaybookInterfaceInput!

Return Value

PlaybookInterface
Create new playbook interface

updatePlaybookInterface

Update playbook interface

Parameters

input UpdatePlaybookInterfaceInput!

Return Value

PlaybookInterface
Update playbook interface

deletePlaybookInterface

Delete the specified playbook interface

Parameters

input DeletePlaybookInterfaceInput!

Return Value

PlaybookInterface
Delete the specified playbook interface

Playbooks Subscriptions

Playbooks Output Types

Connection

Connection is a per-tenant configuration of a connector/actions

Fields

id ID!

Connector

Connector is an entry in catalog of available connectors (e.g. service now connector based on generic http connector service)

Fields

id ID!

ConnectorCategory

ConnectorCategory is a grouping/categorization of available connectors/playbooks (e.g. IP reputation services, DNS lookup, etc)

Fields

id ID!

ConnectorInterface

ConnectorInterface defines an abstract interface (set of actions) that could be implemented by multiple connectors

Fields

id ID!

ConnectorVersion

ConnectorVersion contains the versioned attributes of a connector interface

Fields

id ID!

DeletedObject

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
updatedBy String!
name String!
description String
tags [String!]
sequence Int

PageInfo

Fields

endCursor String
hasNextPage Boolean!
startCursor String
hasPreviousPage Boolean!

Playbook

Playbook is an entry in catalog of available playbooks

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
updatedBy String!
name String!
tags [String!]
icon String
tenant String
head PlaybookVersion!
versions [PlaybookVersion!]!
instances [PlaybookInstance!]!
categories [ConnectorCategory!]!
title String
description String
requires [ConnectorInterface!]!
sequence Int

PlaybookEvent

PlaybookEvents represents a trace event withing the execution of the workflow

Fields

id Int
object PlaybookObject!
state PlaybookState!
name String
timestamp Time!
inputs JSONObject
outputs Any
reason String
attempt Int

PlaybookExecution

PlaybookExecution represents the state of a current playbook execution

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
updatedBy String!
createdByEmail String
state PlaybookState
tenant String!
instance PlaybookInstance!
version PlaybookVersion
inputs JSONObject
outputs Any
runId String!
events [PlaybookEvent!]!
executionTime Int

PlaybookExecutionLog

PlaybookExecutionLog represents a log entry from an executed playbook with it's children and status logs attached

Fields

id ID!
taskID Float
parentID Float
message JSONObject
children Any
statusLogs Any

PlaybookExecutions

PlaybookExecutions represents a list of executions along with other metadata like pagination

Fields

executions [PlaybookExecution]!
nodes [PlaybookExecution]!
totalCount Int!

PlaybookExecutionsV2

Fields

totalCount Int!
playbookExecutions [PlaybookExecution]!
pageInfo PageInfo!

PlaybookInstance

PlaybookInstance defines the configuration of a playbook in a user account

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
updatedBy String!
name String!
description String
tags [String!]
tenant String
playbook Playbook!
version PlaybookVersion
versionStrategy PlaybookVersionStrategy
trigger PlaybookTrigger
enabled Boolean!
inputs JSONObject
retries PlaybookRetries
connections [Connection!]!
interfaces [PlaybookInterfaceInstance!]!
versionLock String!
sequence Int

PlaybookInterface

PlaybookInterface defines a contract that can be implemented by one ore more playbooks

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
updatedBy String!
name String!
tenant String
tags [String!]
head PlaybookInterfaceVersion!
versions [PlaybookInterfaceVersion!]!

PlaybookInterfaceInstance

Fields

interface PlaybookInterface!
version PlaybookInterfaceVersion!
playbook PlaybookVersion!
connections [Connection!]!

PlaybookInterfaceVersion

PlaybookInterfaceVersion maintains a change record of the playbook interface.

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
updatedBy String!
name String!
version SemVer
published Time
publishedBy String
interface PlaybookInterface!
title String
description String
documentation String
changeNotes String
changeNotesMarkdown String
inputs JSONSchema
outputs JSONSchema

PlaybookRetries

Fields

initialInterval Int
maximumInterval Int
backoffCoefficient Float
maximumRetries Int
maximumDuration Int
InitialInterval Int
MaximumInterval Int
BackoffCoefficient Float
MaximumRetries Int
MaximumDuration Int

PlaybookStatistics

Playbook Statistics

Fields

table String
columns [String!]
rows Any

PlaybookTrigger

PlaybookTrigger defines a set of attributes common to different trigger types

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
updatedBy String!
name String!
description String
tenant String!
type PlaybookTriggerType!
config JSONObject!
instance PlaybookInstance!

PlaybookTriggerType

PlaybookTriggerType defines an available triggering mechanism

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
updatedBy String!
name String!
description String
parameters JSONSchema

PlaybookVersion

PlaybookVersion maintains a change record of the playbook definition. Multiple versions of a playbook could be in use concurrently

Fields

id ID!
createdAt Time!
createdBy String!
updatedAt Time!
updatedBy String!
name String
version SemVer
published Time
publishedBy String
playbook Playbook!
instances [PlaybookInstance!]!
title String
description String
documentation String
changeNotes String
changeNotesMarkdown String
connectors [ConnectorVersion!]!
playbooks [PlaybookVersion!]!
interfaces [PlaybookInterfaceVersion!]!
inputs JSONSchema
outputs JSONSchema
dslSource String
implements PlaybookInterface
dsl JSONObject

TenantContext

Fields

id String!
name String!
rccID [String!]!
ctpID [String!]!

Playbooks Input Types

ClonePlaybookInput

ClonePlaybookInput defines the fields required to clone a playbook

Fields

name String!
playbookId ID!
versionId ID!
isGlobal Boolean

CreatePlaybookInput

CreatePlaybookInput defines the playbook fields that are required and/or avaliable on creation of a playbook

Fields

name String!
tags Tags
icon String
categories IDs
version CreatePlaybookVersionInput!
isGlobal Boolean

CreatePlaybookInterfaceInput

CreatePlaybookInterfaceInput defines the fields needed to create a playbook interface

Fields

name String!
tags [String!]
icon String
version CreatePlaybookInterfaceVersionInput!

CreatePlaybookInterfaceVersionInput

CreatePlaybookInterfaceVersionInput defines the fields used to create a playbook interface version

Fields

title String
description String
documentation String
changeNotes String
changeNotesMarkdown String
inputs JSONSchema
outputs JSONSchema
version SemVer

CreatePlaybookVersionInput

CreatePlaybookVersionInput defines the fields used to create a playbook version

Fields

title String
description String
documentation String
changeNotes String
changeNotesMarkdown String
connectors IDs
playbooks IDs
inputs JSONSchema
outputs JSONSchema
dsl YAMLObject
version SemVer
implements ID
requires IDs

DeletePlaybookInput

DeletePlaybookInput defines the fields required to delete a playbook

Fields

playbookId ID!

DeletePlaybookInterfaceInput

DeletePlaybookInterfaceInput defines the fields needed to delete a playbook interface

Fields

playbookInterfaceId ID!

DeletePlaybookInterfaceVersionInput

DeletePlaybookInterfaceVersionInput defines the fields needed to delete a playbook interface version

Fields

playbookInterfaceVersionId ID!

DeletePlaybookVersionInput

DeletePlaybookVersionInput defines the fields needed to delete a playbook version

Fields

playbookVersionId ID!

Pagination

Pagination defines the options for requesting specific pages and the number of results per page

Fields

page Int
perPage Int

PlaybookArguments define the fields available to lookup a single playbook. At least one of playbookId or playbookName must be set. If both are set, then both the id and name must match an existing playbook.

Fields

playbookId ID
playbookName String

PlaybookExecutionInput

PlaybookExecutionInput allows for an external trigger to create a playbook execution to record errors evaluating filter conditions

Fields

playbookInstanceId ID!
state PlaybookState
inputs JSONObject
logs [PlaybookExecutionLogInput!]

PlaybookExecutionLogInput

PlaybookExecutionLogInput defines logs to be recorded

Fields

level PlaybookExecutionLogLevel!
message String!
fields JSONObject
error String

PlaybookExecutionsV2Arguments

Fields

first Int
Returns the first n results (used for forward traversal)
after String
Used to get the next page of results in conjunction with first; after the endCursor of the current page (used for forward traversal)
last Int
Returns the last n results of a previous page when used in conjunction with before (used for backwards traversal)
before String
Used to get the previous page of results; before the startCursor of the current page (used for backwards traversal)
sortBy PlaybookExecutionsSort
orderBy PaginationOrder
playbookInstanceId ID
playbookVersionId ID
state PlaybookState
createdAtFrom Time
createdAtTo Time
updatedAtFrom Time
updatedAtTo Time

PlaybookExportArguments

Fields

playbookId ID
name String

PlaybookInstanceInput

PlaybookInstanceInput defines the mutable fields of a playbook instance

Fields

name String!
description String
tags Tags
versionStrategy PlaybookVersionStrategy
The desired strategy that should be followed when a playbook is updated or a new version is published. This field should be treated as if it was required (subsequent api versions will require it) but if not provided, it will default FollowMajorVersion or the existing strategy for the instance.
fixedVersion ID
version ID
The desired playbook version the instance should use. If not provided, it will default to the current head version of the playbook. If the versionStrategy is set to fixed, the version will not automatically update; for all other strategies, the version will automatically update based on the selected strategy when new playbooks are published.
trigger PlaybookTriggerInput!
enabled Boolean!
inputs JSONObject
connections IDs
interfaces [PlaybookInterfaceInstanceInput!]

PlaybookInterfaceArguments

PlaybookInterfaceArguments define the fields to lookup a single PlaybookInterface. At least one of playbookInterfaceId or playbookInterfaceName must be set. If both are set, then both the id and name must match an existing PlaybookInterface.

Fields

playbookInterfaceId ID
playbookInterfaceName String

PlaybookInterfaceInstanceInput

Fields

interface ID!
version ID!
playbook ID!
connections IDs

PlaybookInterfaceVersionArguments

PlaybookInterfaceVersionArguments define the fields to lookup a single PlaybookInterfaceVersion. At least one of playbookInterfaceVersionId or playbookInterfaceVersionName must be set. If both are set, then both the id and name must match an existing PlaybookInterfaceVersion.

Fields

playbookInterfaceVersionId ID
playbookInterfaceVersionName String

PlaybookInterfaceVersionsArguments

PlaybookInterfaceVersionsArguments defines the fields to lookup a list of PlaybookInterfaceVersions. All parameters are optional. If the playbookInterfaceID is provided, it will match all PlaybookInterfaceVersions that match that PlaybookInterface ID. If the playbookInterfaceVersionNames is provided, then the names of the PlaybookInterfaceVersions or the PlaybookInterfaces must match this list. While both parematers can be suppled, in most cases only one of the parameters is typically used.

Fields

playbookInterfaceId ID
playbookInterfaceVersionNames [String!]

PlaybookTriggerInput

Fields

name String!
description String
tags Tags
typeId ID!
config JSONObject!

PlaybookValidationArguments

Fields

file Upload
yaml String

PlaybookVersionArguments

PlaybookVersionArguments define the fields available to lookup a single playbook. At least one of playbookVersionId or playbookVersionName must be set. If both are set, then both the id and name must match an existing playbook.

Fields

playbookVersionId ID
playbookVersionName String

PlaybooksImplementingArguments

Fields

playbookInterfaceIDs [ID!]
playbookInterfaceNames [String!]

PublishPlaybookInterfaceVersionInput

PublishPlaybookInterfaceVersionInput defines the fields required to publish a playbook interface version

Fields

playbookInterfaceVersionId ID!
version SemVer!

PublishPlaybookVersionInput

PublishPlaybookVersionInput defines the fields required to publish a playbook version

Fields

playbookVersionId ID!
version SemVer!

QueryOptions

QueryOptions provides the ability to override default query behavior

Fields

timestampAscending Boolean
reversed default timestamp order of descending
maxRows Int

UpdatePlaybookInput

UpdatePlaybookInput defines the fields required and the mutable fields that can be used to update a playbook.

Fields

playbookId ID!
tags [String!]
icon String
categories IDs
head ID

UpdatePlaybookInterfaceInput

UpdatePlaybookInterfaceInput defines the fields needed to update a playbook interface

Fields

interfaceId ID!
tags [String!]
icon String
head ID

UpdatePlaybookInterfaceVersionInput

UpdatePlaybookInterfaceVersionInput defines the fields used to update a playbook interface version

Fields

interfaceVersionId ID!
title String
description String
documentation String
changeNotes String
changeNotesMarkdown String
inputs JSONSchema
outputs JSONSchema
version SemVer

UpdatePlaybookVersionInput

UpdatePlaybookVersionInput defines the mutable fields of a playbook version

Fields

playbookVersionId ID!
title String
description String
documentation String
changeNotes String
changeNotesMarkdown String
connectors IDs
playbooks IDs
inputs JSONSchema
outputs JSONSchema
dsl YAMLObject
version SemVer
implements ID
requires IDs

Playbooks Scalar Types

Any

interface

IDs

list of IDs

JSONObject

JSON payload

JSONSchema

JSON schema

PaginationOrder

Possible Values

ASCENDING
Orders the resulting page in ascending order
DESCENDING
Orders the resulting page in descending order

PlaybookExecutionLogLevel

Possible Values

Debug
Info
Warn
Error

PlaybookExecutionsSort

Possible Values

createdAt
Sorts the resulting page by the createdAt field
updatedAt
Sorts the resulting page by the updatedAt field

PlaybookObject

Possible Values

Workflow
Decision
Action

PlaybookState

Possible Values

Scheduled
Started
Completed
Failed
TimedOut

PlaybookVersionStrategy

PlaybookVersionStrategy determines how an instance is upgraded when new versions are published

Possible Values

Fixed
FollowMinorVersion
FollowMajorVersion
FollowHeadVersion

SemVer

Semantic Version

Time

Time implementation for this library.

Upload

File to upload

YAMLObject

YAML payload

Playbooks Interfaces

Node

Fields

id ID!

Implementations

Threat Intel Queries

node

Parameters

id ID!

Possible Return Values

List

threatPublication

Retreives a publication by ID.

Parameters

ID String!

Return Value

ThreatPublication!
Retreives a publication by ID.

threatPublications

Searches publications for text.

Parameters

text String!

Return Value

[ThreatPublication]
Searches publications for text.

threatLatestPublications

Gets the latest publications from an offset with a size.

Parameters

from Int!
size Int!

Return Value

[ThreatPublication]
Gets the latest publications from an offset with a size.

threatObjectById

Gets an object by `id`, `name` or `sharing_id`.

Parameters

id String!
objectType ThreatObjectType!

Return Value

ThreatResult
Gets an object by `id`, `name` or `sharing_id`.

threatIdentitiesByConfidence

Gets identities by confidence score.

Parameters

confidence Int!

Return Value

[ThreatResult]
Gets identities by confidence score.

threatObjectsRelated

Checks if a relationship between source and target exists.

Parameters

sourceID String!
targetID String!

Return Value

Boolean!
Checks if a relationship between source and target exists.

threatGetRelated

Gets relationship(s) between source and target(s).

Parameters

sourceID String!

Return Value

[ThreatResult]
Gets relationship(s) between source and target(s).

threatWatchlist

Gets a watchlist by type. All results are considered **high confidence**.

Parameters

type ThreatParentType!

Return Value

[ThreatRelationship]
Gets a watchlist by type. All results are considered **high confidence**.

threatIndicatorPublications

Gets publications related to indicators.

Parameters

ID String!

Return Value

[ThreatReport]
Gets publications related to indicators.

threatIndicatorIntelligence

Retrieves all intelligence associated with an indicator.

Parameters

ID String!

Return Value

ThreatIndicatorIntelligence
Retrieves all intelligence associated with an indicator.

threatRelationship

Gets relationship by `id`.

Parameters

ID String!

Return Value

ThreatRelationship
Gets relationship by `id`.

threatIdentity

Gets identity by `id`.

Parameters

ID String!

Return Value

ThreatIdentity
Gets identity by `id`.

threatMalware

Gets malware by `id`.

Parameters

ID String!

Return Value

ThreatMalware
Gets malware by `id`.

threatIdentities

Gets identities by confidence score.

Parameters

confidence Int

Return Value

[ThreatIdentity]
Gets identities by confidence score.

threatVidIntelligence

Retrieves all intelligence associated with a `VID`.

Parameters

vid String!

Return Value

ThreatVidIntelligence
Retrieves all intelligence associated with a `VID`.

threatIndicatorsIntelligence

Retrieves all intelligence associated with a list of indicators.

Parameters

ID [String!]

Return Value

[ThreatIndicatorIntelligence]
Retrieves all intelligence associated with a list of indicators.

lists

Retrieves Custom Lists for the respective tenant

Parameters

arguments ListsArguments!

Return Value

Lists!
Retrieves Custom Lists for the respective tenant

list

Retrieves a custom list by ID

Parameters

id String!
arguments ListsArguments!

Return Value

List
Retrieves a custom list by ID

listItemsByTag

Retrieves list items that contains the specified tag (case sensitive)

Parameters

tag String!
arguments ListsArguments!

Return Value

ListItems
Retrieves list items that contains the specified tag (case sensitive)

listItemsByName

Retrieves list items by indicator name

Parameters

name String!
arguments ListsArguments!

Return Value

ListItems
Retrieves list items by indicator name

Threat Intel Mutations

indicator

Parameters

id String!

Return Value

ThreatIndicator

createList

Parameters

input CreateListInput!

Return Value

List!

deleteList

Parameters

input DeleteListInput!

Return Value

Boolean!

restoreList

Parameters

input DeleteListInput!

Return Value

Boolean!

Threat Intel Output Types

List

Fields

id ID!
name String!
description String
download_url String
owner ListOwner!
item_count Int
global Boolean!
internal Boolean!
confidence Int
severity Int
tags [String]
items [ListItem!]
list_action ListAction!
created_at Time!
modified_at Time!
age_at Time
deleted_at Time

ListInfo

Fields

list_id String!
list_item_count Int!
list_name String!
list_action ListAction!

ListItem

Fields

id ID!
reference_id String
name String!
description String
item_type ItemType!
confidence Int
severity Int
tags [String]
created_at Time!
modified_at Time!
age_at Time
deleted_at Time

ListItemToList

Fields

listID String!
listName String!
listItem ListItem

ListItems

Fields

listItemMap [ListItemToList]

ListOwner

Fields

id ID!
tenant_id String!
created_at Time!
modified_at Time!
age_at Time
deleted_at Time

Lists

Fields

list_info [ListInfo!]

ThreatAdvisory

Represents a CTU threat advisory report.

Fields

id ID!
Name String
Content String
CreatedAt Time
PublicationDate Time
TLP String
Reference String
ReportID String

ThreatAnalysis

Represents a threat analysis report.

Fields

id String!
Name String
Content String
CreatedAt Time
PublicationDate Time
TLP String
Reference String
ReportID String

ThreatDNSInfo

Contains relevant DNS information when it is available.

Fields

Domain String
Hostname String
Subdomain String
Tld String

ThreatGroup

Represents a _threat group_.

Fields

type ThreatObjectType!
spec_version String!
id String!
sharing_id String!
name String!
Objectives [String]
Aliases [String]
Tools [String]
Motivation [String]
IntendedEffect [String]
TargetSectors [String]
Description String
ActiveSince Time
LastKnownActivity Time
tags [String]

ThreatGroupRelationship

Fields

group ThreatGroup
relationship ThreatRelationship

ThreatHashes

Represents a set of hashes for threat objects.

Fields

MD5 String!
SHA256 String!

ThreatIdentity

Commonly represents a source of threat data.

Fields

type ThreatObjectType!
spec_version String!
id String!
sharing_id String!
name String!
description String
created Time
modified Time
roles [String]
identity_class ThreatIdentityClass
sectors [ThreatIndustrySectors]
contact_information String
natural_key String
download_URL String!
internal Boolean!
confidence Int
reason [String]
label String
tags [String]

ThreatIdentityRelationship

Fields

identity ThreatIdentity
relationship ThreatRelationship

ThreatIndicator

Represents an indicator of compromise.

Fields

type ThreatObjectType!
spec_version String!
id String!
sharing_id String!
name String!
description String
created Time
modified Time
indicator_types [ThreatIndicatorType]
pattern String
pattern_type ThreatPatternType
pattern_version String
mitre_attack_categories [String]
valid_from Time
valid_until Time
kill_chain_phases [ThreatKillChainPhase]
score Int
original_indicator String
indicator_class ThreatIndicatorClass
ipv4 String
label String
dns ThreatDNSInfo
whois ThreatWhois
url_info ThreatURLInfo
tags [String]
location ThreatLocation

ThreatIndicatorIntelligence

Fields

indicator ThreatIndicator!
identities [ThreatIdentityRelationship]
reports [ThreatReportRelationship]
malware [ThreatMalwareRelationship]
groups [ThreatGroupRelationship]

ThreatKillChainPhase

`ThreatKillChainPhase` represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

Fields

kill_chain_name String
phase_name String

ThreatLocation

`ThreatLocation` provides geolocation longitude and latitude coordinates as an indicator. Provided when available.

Fields

Longitude Float
Latitude Float

ThreatMalware

Provides available information about malware.

Fields

type ThreatObjectType!
spec_version String!
id String!
sharing_id String!
name String!
description String
created Time
modified Time
malware_types [ThreatMalwareType]
family String
aliases [String]
kill_chain_phases [ThreatKillChainPhase]
first_seen Time
last_seen Time
operating_system_refs [String]
architecture_execution_envs [ThreatArchitectureExecutionEnvs]
implementation_languages [ThreatImplementationLanguages]
capabilities [ThreatCapabilities]
sample_refs [String]
label String
tags [String]
public_summary String
solution String
technical_details String

ThreatMalwareRelationship

Fields

malware ThreatMalware
relationship ThreatRelationship

ThreatPublication

Represents a publication about a threat.

Fields

id ID!
Type String
Name String
Description String
Published Time
Content String
TLP String
VID String
ReportID String
Reference String
Category String

ThreatRelationship

Represents the relationship between objects in the system.

Fields

type ThreatObjectType!
spec_version String!
id String!
sharing_id String!
source_sharing_id String!
target_sharing_id String!
created Time
modified Time
description String
src_desc String
tgt_desc String
mitre_attack_categories [String]
relationship_type ThreatRelationshipType!
source_ref String!
target_ref String!
confidence Int
indicator_class ThreatIndicatorClass
label String
tags [String]
start_time Time
stop_time Time
source_internal Boolean!
reference String

ThreatReport

Fields

type ThreatObjectType!
spec_version String!
id ID!
name String
description String
created Time
modified Time
published Time
object_refs [String]
content String
sharing_id String!
tags [String]

ThreatReportRelationship

Fields

report ThreatReport
relationship ThreatRelationship

ThreatSwid

`ThreatSwid` represents an internal SWID structure. !!! Important For future use. Not currently implemented.

Fields

Id String
Author String
CreatedAt Time
EngineGroupName String
FileName String
Priority Int
PriorityValue String
Revision Int
Swid Int
SwidName String
Text String

ThreatTip

Represents a **CTU TIPS** report.

Fields

ID String!
Name String!
Active Boolean
Content String!
CreatedAt Time
UpdatedAt Time
Reference String

ThreatURLInfo

Contains the parsed components of a URL when it is available.

Fields

Query String
Scheme String
Port String
Path String
RequestURI String

ThreatVid

Fields

ID String
Name String
Swids [ThreatSwid]
ThreatAnalyses [ThreatAnalysis]
ThreatGroups [ThreatGroup]

ThreatVidIntelligence

Fields

reports [ThreatReportRelationship]
malware [ThreatMalwareRelationship]
groups [ThreatGroupRelationship]

ThreatWhois

Provides any available **whois** information about an indicator.

Fields

DomainName String
RegistrarName String
ContactEmail String
WhoisServer String
NameServers String
CreatedDate String
UpdatedDate String
ExpiresDate String
StandardRegCreatedDate String
StandardRegUpdatedDate String
StandardRegExpiresDate String
Status String
AuditAuditUpdatedDate String
RegistrantEmail String
RegistrantName String
RegistrantOrganization String
RegistrantStreet1 String
RegistrantCity String
RegistrantState String
RegistrantPostalCode String
RegistrantCountry String
RegistrantFax String
RegistrantTelephone String
AdministrativeContactEmail String
AdministrativeContactName String
AdministrativeContactOrganization String
AdministrativeContactStreet1 String
AdministrativeContactCity String
AdministrativeContactState String
AdministrativeContactPostalCode String
AdministrativeContactCountry String
AdministrativeContactFax String
AdministrativeContactTelephone String

Threat Intel Input Types

CreateListInput

Fields

name String!
description String
download_url String
items [ListItemInput!]
list_action ListAction!
confidence Int!
severity Int!
tags [String]

DeleteListInput

Fields

id ID!

ListItemInput

Fields

reference_id String
name String!
description String
item_type ItemType!
confidence Int!
severity Int!
tags [String]

ListsArguments

Fields

global Boolean
page Int
perPage Int
orderBy OrderByOptions

ThreatGroupInput

Fields

name String!
Objectives [String]
Aliases [String]
Tools [String]
Motivation [String]
IntendedEffect [String]
TargetSectors [String]
Description String
ActiveSince Time
LastKnownActivity Time
tags [String]

ThreatHashesInput

Fields

MD5 String!
SHA256 String!

ThreatIdentityInput

Fields

name String!
description String
roles [String]
identity_class ThreatIdentityClass
sectors [ThreatIndustrySectors]
contact_information String
natural_key String
download_URL String!
internal Boolean
confidence Int!
reason [String]

ThreatIndicatorInput

Fields

name String
description String
indicator_types [ThreatIndicatorType]
pattern String
pattern_type ThreatPatternType
pattern_version String
valid_from Time
valid_until Time
kill_chain_phases [ThreatKillChainPhaseInput]
score Int

ThreatKillChainPhaseInput

Fields

kill_chain_name String
phase_name String

ThreatRelationshipInput

Fields

type ThreatObjectType!
source_sharing_id String!
target_sharing_id String!
description String
src_desc String
tgt_desc String
mitre_attack_categories [String]
relationship_type ThreatRelationshipType!
source_ref String!
target_ref String!
confidence Int
indicator_class ThreatIndicatorClass
tags [String]
source_internal Boolean!
reference String
start_time Time
stop_time Time

ThreatReportInput

Fields

id ID!
name String
description String
created Time
modified Time
published Time
object_refs [String]
content String
tags [String]

ThreatSwidInput

Fields

Id String
Author String
CreatedAt Time
EngineGroupName String
FileName String
Priority Int
PriorityValue String
Revision Int
Swid Int
SwidName String
Text String

Threat Intel Scalar Types

ItemType

Possible Values

user
certificate
asset
domain
ipv4
ipv6
cidr
url
md5
sha256
sha1
unknown

ListAction

Possible Values

allow
block
warn

OrderByOptions

Possible Values

asc
desc

ThreatArchitectureExecutionEnvs

ThreatArchitectureExecutionEnvs !!! Important For future use. Not currently implemented.

Possible Values

alpha
arm
ia_64
mips
powerpc
sparc
x86
x86_64

ThreatCapabilities

Defines the capabilites of a threat. !!! Important For future use. Not currently implemented.

Possible Values

accesses_remote_machines
anti_debugging
anti_disassembly
anti_emulation
anti_memory_forensics
anti_sandbox
anti_vm
captures_input_peripherals
captures_output_peripherals
captures_system_state_data
cleans_traces_of_infection
commits_fraud
communicates_with_c2
compromises_data_availability
compromises_data_integrity
compromises_system_availability
controls_local_machine
degrades_security_software
degrades_system_updates
determines_c2_server
emails_spam
escalates_privileges
evades_av
exfiltrates_data
fingerprints_host
hides_artifacts
hides_executing_code
infects_files
infects_remote_machines
installs_other_components
persists_after_system_reboot
prevents_artifact_access
prevents_artifact_deletion
probes_network_environment
self_modifies
steals_authentication_credentials
violates_system_operational_integrity

ThreatIdentityClass

`ThreatIdentityClass` describes the type of entity that the Identity represents: whether it describes an organization, group, individual, or class.

Possible Values

individual
group
system
organization
class
unspecified

ThreatImplementationLanguages

ThreatImplementationLanguages !!! Important For future use. Not currently implemented.

Possible Values

applescript
bash
c
c_plus_plus
c_sharp
go
java
javascript
lua
objective_c
perl
php
powershell
python
ruby
scala
swift
typescript
visual_basic
x86_32
x86_64

ThreatIndicatorClass

Describes the specific class of the indicator.

Possible Values

ipv4
ipv6
cidr
url
domain
md5
sha256
sha1
unknown

ThreatIndicatorType

`ThreatIndicatorType` is an open vocabulary used to categorize **Indicators**. It is intended to be high-level to promote consistent practices. Indicator types should not be used to capture information that can be better captured from related _Malware_ or _Attack Pattern_ objects. !!! Note It is better to link an **Indicator** to a _Malware_ object.

Possible Values

anomalous_activity
anonymization
benign
compromised
malicious_activity
attribution
unknown

ThreatIndustrySectors

Describes industrial and commercial sectors.

Possible Values

agriculture
aerospace
automotive
chemical
commercial
communications
construction
defense
education
energy
entertainment
financial_services
emergency_services
government_local
government_national
government_public_services
government_regional
healthcare
hospitality_leisure
infrastructure_dams
infrastructure_nuclear
infrastructure_water
insurance
manufacturing
mining
non_profit
pharmaceuticals
retail
technology
telecommunications
transportation
utilities

ThreatMalwareType

Defines the types of malware.

Possible Values

adware
backdoor
bot
bootkit
ddos
downloader
dropper
exploit_kit
irc_botnet
keylogger
ransomware
remote_access_trojan
resource_exploitation
rogue_security_software
rootkit
screen_capture
spyware
trojan
unknown
virus
webshell
wiper
worm

ThreatObjectType

Defines the _type_ of object.

Possible Values

indicator
identity
relationship
malware
intrusionset
report

ThreatParentType

Describes the indicator type as a generic.

Possible Values

IP
DOMAIN
FILE

ThreatPatternType

`ThreatPatternType` is a non-exhaustive, open vocabulary that covers common pattern languages and is intended to characterize the pattern language that the indicator pattern is expressed in.

Possible Values

stix
pcre
sigma
snort
suricata
yara

ThreatRelationshipType

Declares the relationship types that are possible.

Possible Values

targets
uses
attributed_to
compromises
originates_from
investigates
mitigates
remediates
located_at
impersonates
based_on
communicates_with
consists_of
controls
delivers
has
hosts
beacons_to
exfiltrates_to
owns
indicates
authored_by
downloads
drops
exploits
variant_of
characterizes
analysis_of
static_analysis_of
dynamic_analysis_of
lists
listed_on
related_to
indirect

API Reference

Assets Queries

node

Parameters

id ID!

Possible Return Values

tag

Parameters

id ID!

Return Value

asset

Parameters

id ID!

Return Value

assetsByTag

Parameters

tags [String!]!

Return Value

allUniqueTags

Parameters

Return Value

[String!]!

assetEndpointInfo

Parameters

id ID!

Return Value

assetEndpointInfoV2

Parameters

id ID!

Return Value

allAssets

Parameters

offset Int

limit Int

order_by AssetsOrderByInput

order_direction AssetsOrderDirectionInput

filter_asset_state AssetStateFilter

only_most_recent Boolean

Return Value

allAssetsExport

Parameters

offset Int

limit Int

Return Value

assetCount

Parameters

endpoint_type AgentType

Return Value

assetCountGroupByEndpointType

Parameters

Return Value

allAssetsCount

Parameters

Return Value

assetsByIds

Parameters

ids [ID!]

Return Value

assetsByHostIds

Parameters

hostIds [String!]

Return Value

assetsByIpAddresses

Parameters

ipAddresses [String!]

Return Value

allAssetHistories

Parameters

offset Int

limit Int

Return Value

assetRedCloakHistories

Parameters

id ID!

offset Int

limit Int

Return Value

searchAssets

Parameters

offset Int