Skip to main content

TaegisXDR v2

This Integration is part of the Secureworks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

Configure Taegis XDR in Cortex#

ParameterDescriptionRequired
Taegis EnvironmentThe environment to utilizeTrue
Client IDClient ID as described in the Taegis DocumentationTrue
Client SecretClient Secret as described in the Taegis DocumentationTrue
Use system proxy settingsDefines whether the system proxy is used or notFalse
Fetch Incident TypeThe type of incident to fetch from Taegis (Alerts or Investigations)True
Include Assets in FetchWhen using the Investigations fetch type, should assets be included? This can cause API failures or latency and should only be enabled if necessaryFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

taegis-add-evidence-to-investigation#

Base Command#

!taegis-add-evidence-to-investigation

Inputs#

Argument NameDescriptionRequired
idThe investigation id to updateTrue
alertsA list of alert IDs to add to an investigationFalse
eventsA list of event IDs to add to an investigationFalse
alert_queryA Taegis CQL query for alerts to add to the investigationFalse

At least one of the inputs alerts, events, or alert_query MUST be defined

Command Example#

`!taegis-add-evidence-to-investigation` id=c207ca4c-8a78-4408-a056-49f05d6eb77d alerts="alert://priv:crowdstrike:11772:1677742145475:07e2d9cc-0a04-55ec-890a-97f39d63698e"

Context Example#

{
"TaegisXDR": {
"InvestigationEvidenceUpdate": {
"investigationId": "c207ca4c-8a78-4408-a056-49f05d6eb77d"
}
}
}

taegis-archive-investigation#

Base Command#

!taegis-archive-investigation

Inputs#

Argument NameDescriptionRequired
idThe investigation id to archiveTrue

Command Example#

!taegis-archive-investigation id=c207ca4c-8a78-4408-a056-49f05d6eb77d

Context Example#

{
"TaegisXDR": {
"ArchivedInvestigation": {
"id": "c207ca4c-8a78-4408-a056-49f05d6eb77d"
}
}
}

taegis-create-comment#

Base Command#

!taegis-create-comment

Inputs#

Argument NameDescriptionRequired
commentThe comment string to add to the investigationTrue
idThe investigation ID to add the comment toTrue

Command Example#

!taegis-create-comment comment="This is a test comment" id="219da0ee-8642-4363-827c-8a6fbd479082"

Context Example#

{
"TaegisXDR": {
"CommentCreate": {
"id": "593fa115-abad-4a52-9fc4-2ec403a8a1e4"
}
}
}

taegis-create-investigation#

Base Command#

!taegis-create-investigation

Inputs#

Argument NameDescriptionRequired
titleThe subject or description of the investigationTrue
priorityThe priority for the investigiation [Default: 3]False
statusThe status for the investigation [Default: OPEN]False
alertsA list of alert IDs to add to the investigation [Default: []]False
keyFindingsThe Key Findings for the investigationFalse
typeThe investigation type [Default: SECURITY_INVESTIGATION]False
assigneeIdThe assignee for the investigation [Default: @secureworks]False
serviceDeskIdA 3rd party ticket number for tracking purposesFalse
serviceDeskTypeThe type of 3rd party ticket numberFalse
tagsA list of tags to add to the investigation [Default: []]False

Command Example#

!taegis-create-investigation priority=1 title="XSOAR Created Investigation"

Context Example#

{
"TaegisXDR": {
"Investigation": {
"id": "593fa115-abad-4a52-9fc4-2ec403a8a1e4"
}
}
}

taegis-create-sharelink#

Base Command#

!taegis-create-sharelink

Inputs#

Argument NameDescriptionRequired
idThe ID of the Taegis element to create a sharelink toTrue
typeThe type of Taegis element to create a sharelink withTrue

Command Example#

!taegis-create-sharelink type=investigationId id=219da0ee-8642-4363-827c-8a6fbd479082

Context Example#

{
"TaegisXDR": {
"ShareLink": {
"id": "593fa115-abad-4a52-9fc4-2ec403a8a1e4",
"url": "https://ctpx.secureworks.com/share/593fa115-abad-4a52-9fc4-2ec403a8a1e4"
}
}
}

taegis-execute-playbook#

Base Command#

!taegis-execute-playbook

Inputs#

Argument NameDescriptionRequired
idPlaybook instance ID to executeTrue
inputsJSON object of inputs to pass into the playbook executionFalse

Command Example#

!taegis-execute-playbook id=UGxheWJvb2tJbnN0YW5jZTphZDNmNzBlZi1mN2U0LTQ0OWYtODJiMi1hYWQwMjQzZTA2NTg=
!taegis-execute-playbook id=UGxheWJvb2tJbnN0YW5jZTphZDNmNzBlZi1mN2U0LTQ0OWYtODJiMi1hYWQwMjQzZTA2NTg= inputs=`{'myvar': 'myval'}`

Context Example#

{
"id": "UGxheWJvb2tFeGVjdXRpb246NGYwZDZiNGQtNWNiZS00NDkxLTg3YzYtMDZkNjkxYzMwMTg4"
}

taegis-fetch-alerts#

Base Command#

!taegis-fetch-alerts

Input#

Argument NameDescriptionDefaultRequired
idsA list of alerts by IDs936c1cc1-db8f-430c-837c-1c914fcca35aFalse
limitNumber of results to when ids is not defined10False
offsetThe result to start from when ids is not defined0False
cql_queryThe query to utilize when searching for Alertsfrom alert severity >= 0.6 and status='OPEN'False

Command Examples#

!taegis-fetch-alerts ids=`["6594e97f-a898-5b28-82b2-ea03293cdaa1"]`

Context Example#

{
"TaegisXDR": {
"Alerts": [
{
"id": "c4f33b53-eaba-47ac-8272-199af0f7935b",
"metadata": {
"title": "Test Alert",
"description": "This is a test alert",
"severity": 0.5,
},
"url": "https://ctpx.secureworks.com/alerts/c4f33b53-eaba-47ac-8272-199af0f7935b"
}
]
}
}

taegis-fetch-assets#

Base Command#

!taegis-fetch-assets

Input#

Argument NameDescriptionDefaultRequired
page0False
page_size10False
endpoint_typeFalse
host_idID of the asset to fetche43b545a-580a-4047-b489-4338c1cc4ba1False
hostnameFalse
investigation_idFalse
ip_addressFalse
mac_addressFalse
os_familyFalse
os_versionFalse
sensor_versionFalse
usernameFalse

Command Examples#

!taegis-fetch-assets
!taegis-fetch-assets page=1 page_size=5
!taegis-fetch-assets hostname=MyHostname01
!taegis-fetch-assets host_id=e43b545a-580a-4047-b489-4338c1cc4ba1

Context Example#

{
"TaegisXDR": {
"Assets": [
{
"id": "",
"ingestTime": "",
"createdAt": "",
"updatedAt": "",
"deletedAt": "",
"biosSerial": "",
"firstDiskSerial": "",
"systemVolumeSerial": "",
"sensorVersion": "",
"endpointPlatform": "",
"hostnames": [{"id": ", "hostname": ""],
"architecture": "",
"osFamily": "",
"osVersion": "",
"osDistributor": "",
"osRelease": "",
"systemType": "",
"osCodename": "",
"kernelRelease": "",
"kernelVersion": "",
"tags": [ "key": "", "tag": ""],
"endpointType": "",
"hostId": "",
"sensorId": "",
}
]
}
}

taegis-fetch-comment#

Base Command#

!taegis-fetch-comment

Inputs#

Argument NameDescriptionRequired
idThe ID of the comment to fetchTrue

Command Example#

!taegis-fetch-comment id=ff9ca818-4749-4ccb-883a-2ccc6f6c9e0f

Context Example#

{
"TaegisXDR": {
"Comment": {
"author_user": {
"email_normalized": "myuser@email.com",
"given_name": "John",
"family_name": "Smith",
"id": "auth0|000000000000000000000001",
},
"id": "ff9ca818-4749-4ccb-883a-2ccc6f6c9e0f",
"comment": "This is a comment in an investigation",
"created_at": "2022-01-01T13:04:57.17234Z",
"deleted_at": None,
"modified_at": None,
"parent_id": "c2e09554-833e-41a1-bc9d-8160aec0d70d",
"parent_type": "investigation",
}
}
}

taegis-fetch-comments#

Base Command#

!taegis-create-comments

Inputs#

Argument NameDescriptionRequired
idThe investigation ID to fetch comments forTrue
pageSearch page number [Default: 0]False
page_sizeNumber of results per page [Default: 10]False
order_directionThe order direction [Default: DESCENDING]False

Command Example#

!taegis-fetch-comments id=c2e09554-833e-41a1-bc9d-8160aec0d70d

Context Example#

{
"TaegisXDR": {
"Comments": [
{
"author_user": {
"email_normalized": "myuser@email.com",
"given_name": "John",
"family_name": "Smith",
"id": "auth0|000000000000000000000001",
},
"id": "ff9ca818-4749-4ccb-883a-2ccc6f6c9e0f",
"comment": "This is a comment in an investigation",
"created_at": "2022-01-01T13:04:57.17234Z",
"deleted_at": None,
"modified_at": None,
"parent_id": "c2e09554-833e-41a1-bc9d-8160aec0d70d",
"parent_type": "investigation",
},
{
"author_user": {
"email_normalized": "myuser@email.com",
"given_name": "John",
"family_name": "Smith",
"id": "auth0|000000000000000000000001",
},
"id": "ff9ca818-4749-4ccb-883a-2ccc6f6c1234",
"comment": "This is another comment",
"created_at": "2022-01-02T13:04:57.17234Z",
"deleted_at": None,
"modified_at": None,
"parent_id": "c2e09554-833e-41a1-bc9d-8160aec0d70d",
"parent_type": "investigation",
}
]
}
}

taegis-fetch-endpoint#

Base Command#

!taegis-fetch-endpoint

Inputs#

Argument NameDescriptionRequired
idEndpoint ID to fetchTrue

Command Example#

!taegis-fetch-endpoint id=ff9ca818-4749-4ccb-883a-2ccc6f6c9e0f

Context Example#

{
"TaegisXDR": {
"assetEndpointInfo": {
"hostId": "",
"hostName": "",
"actualIsolationStatus": "",
"allowedDomain": "",
"desiredIsolationStatus": "",
"firstConnectTime": "",
"moduleHealth": {
"enabled": ""
"lastRunningTime": "",
"moduleDisplayName": "",
}
"lastConnectAddress": "",
"lastConnectTime": "",
"sensorVersion": ""
}
}
}

taegis-fetch-investigation#

Base Command#

!taegis-fetch-investigation

Inputs#

Argument NameDescriptionRequired
idInvestigation ID to lookupFalse
queryIf not using ID, the query to utilize when searching investigations [Default: deleted_at is null]False
pageSearch page number [Default: 0]False
page_sizeNumber of results per page [Default: 10]False
order_byThe field to order results by [Default: created_at]False
order_directionThe order direction [Default: DESCENDING]False

Command Example#

!taegis-fetch-investigation id=936c1cc1-db8f-430c-837c-1c914fcca35a

Context Example#

{
"TaegisXDR": {
"Investigations": [
{
"archived_at": None,
"created_at": "2022-02-02T13:53:35Z",
"description": "Test Investigation",
"id": "c2e09554-833e-41a1-bc9d-8160aec0d70d",
"key_findings": "",
"priority": 2,
"service_desk_id": "",
"service_desk_type": "",
"status": "Open",
"alerts2": [],
"url": "https://ctpx.secureworks.com/investigations/c2e09554-833e-41a1-bc9d-8160aec0d70d",
}
]
}
}

taegis-fetch-investigation-alerts#

Base Command#

!taegis-fetch-investigation-alerts

Inputs#

Argument NameDescriptionRequired
idInvestigation ID to lookupTrue
pageSearch page number [Default: 0]False
page_sizeNumber of results per page [Default: 10]False

Command Example#

!taegis-fetch-investigation-alerts id=936c1cc1-db8f-430c-837c-1c914fcca35a

Context Example#

{
"TaegisXDR": {
"InvestigationAlerts": [
{
"id": "c4f33b53-eaba-47ac-8272-199af0f7935b",
"description": "Test Alert",
"message": "This is a test alert",
"severity": 0.5,
}
]
}
}

taegis-fetch-playbook-execution#

Base Command#

!taegis-fetch-playbook-execution

Inputs#

Argument NameDescriptionRequired
idPlaybook execution ID to fetchTrue

Command Example#

!taegis-fetch-playbook-execution id=UGxheWJvb2tFeGVjdXRpb246NGYwZDZiNGQtNWNiZS00NDkxLTg3YzYtMDZkNjkxYzMwMTg4

Context Example#

{
"TaegisXDR": {
"PlaybookExecution": {
"createdAt": "2022-01-01T13:51:24Z",
"executionTime": 1442,
"id": "UGxheWJvb2tFeGVjdXRpb246NGYwZDZiNGQtNWNiZS00NDkxLTg3YzYtMDZkNjkxYzMwMTg4",
"inputs": {
"alert": {
"message": "Test Alert",
}
},
"instance": {
"name": "Test Alert Instance",
"playbook": {
"name": "Taegis.PagerDutyAlertEvent"
}
},
"outputs": "d6b65662-c1da-4109-8553-c5664918c952",
"state": "Completed",
"updatedAt": "2022-01-01T13:51:31Z"
}
}
}

taegis-fetch-users#

Base Command#

!taegis-fetch-users

Inputs#

Argument NameDescriptionRequired
idThe id of the user, in auth0 formatFalse
emailThe email of the userFalse
statusThe users to find based on statusFalse
pageFalse
page_sizeFalse

Command Example#

!taegis-fetch-users id="auth0|123456"

Context Example#

{
"TaegisXDR": {
"Users": [
{
"email": "myuser@email.com",
"family_name": "Smith",
"given_name": "John",
"status": "Registered",
"user_id": "auth0|123456"
}
]
}
}

taegis-isolate-asset#

Base Command#

!taegis-isolate-asset

Input#

Argument NameDescriptionDefaultRequired
idID of the asset to isolatee43b545a-580a-4047-b489-4338c1cc4ba1True
reasonThe reason for the isolationSee ticket 12345True

Command Examples#

!taegis-isolate-asset id="e43b545a-580a-4047-b489-4338c1cc4ba1" reason="See ticket 12345"

Context Example#

{
"TaegisXDR": {
"AssetIsolation": {
"id": "e43b545a-580a-4047-b489-4338c1cc4ba1"
}
}
}

taegis-update-alert-status#

Base Command#

!taegis-update-alert-status

Input#

Argument NameDescriptionDefaultRequired
idsA comma-separated list of alerts by IDsalert://priv:crowdstrike:11772:1666269058114:59284e28-4ec8-542b-a4a1-452c3688bc1aTrue
statusThe status to update the alert(s) withFALSE_POSITIVETrue
reasonA comment/reason for the alert status updateSee ticket 13245False
Permitted Status Values#
  • FALSE_POSITIVE
  • NOT_ACTIONABLE
  • OPEN
  • TRUE_POSITIVE_BENIGN
  • TRUE_POSITIVE_MALICIOUS
  • OTHER

Command Examples#

!taegis-update-alert-status ids="alert://priv:crowdstrike:11772:1677742145475:07e2d9cc-0a04-55ec-890a-97f39d63698e" status=NOT_ACTIONABLE reason="Test Reason"

Context Example#

{
"TaegisXDR": {
"AlertStatusUpdate": {
"reason": "feedback updates successfully applied",
"resolution_status": "SUCCESS"
}
}
}

taegis-update-comment#

Base Command#

!taegis-update-comment

Inputs#

Argument NameDescriptionRequired
commentThe comment string to add to the investigationTrue
idThe comment ID to updateTrue

Command Example#

!taegis-update-comment id="ff9ca818-4749-4ccb-883a-2ccc6f6c9e0f" comment="Newly updated comment"

Context Example#

{
"TaegisXDR": {
"CommentUpdate": {
"id": "593fa115-abad-4a52-9fc4-2ec403a8a1e4"
}
}
}

taegis-update-investigation#

Base Command#

!taegis-update-investigation

Inputs#

Argument NameDescriptionRequired
idInvestigation ID to updateTrue
titleThe title of the investigationFalse
keyFindingsThe investigation Key FindingsFalse
prioirityThe priority of the Investigation (1-5)False
statusThe current status of the InvestigationFalse
assigneeIdThe id of a user to assign, in `auth012345` format
serviceDeskIdA 3rd party ticket number for tracking purposesFalse
serviceDeskTypeThe type of 3rd party ticket numberFalse
tagsA list of tags to add to the investigation [Default: []]False

Note: At least 1 of the above inputs (in addition to id) must be defined

Permitted Status Values#
  • Active
  • Awaiting Action
  • Closed: Authorized Activity
  • Closed: Confirmed Security Incident
  • Closed: False Positive Alert
  • Closed: Inconclusive
  • Closed: Informational
  • Closed: Not Vulnerable
  • Closed: Threat Mitigated
  • Open
  • Suspended

Command Example#

!taegis-update-investigation id="936c1cc1-db8f-430c-837c-1c914fcca35a" priority=3 status="OPEN"

Context Example#

{
"TaegisXDR": {
"InvestigationUpdate": {
"id": "c2e09554-833e-41a1-bc9d-8160aec0d70d"
}
}
}

taegis-unarchive-investigation#

Base Command#

!taegis-unarchive-investigation

Inputs#

Argument NameDescriptionRequired
idThe investigation id to unarchiveTrue

Command Example#

!taegis-unarchive-investigation id=c207ca4c-8a78-4408-a056-49f05d6eb77d

Context Example#

{
"TaegisXDR": {
"UnarchivedInvestigation": {
"id": "c207ca4c-8a78-4408-a056-49f05d6eb77d"
}
}
}