
TaegisXDR

This Integration is part of the Secureworks Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Configure Taegis XDR on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Taegis XDR.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Taegis Environment | The Taegis environment to use | True |
    | Client ID | Client ID as described in the Taegis documentation | True |
    | Client Secret | Client Secret as described in the Taegis documentation | True |
    | Use system proxy settings | Defines whether the system proxy is used or not | False |

    The Client ID and Client Secret are API credentials for your Taegis tenant. Keep the secret in the instance configuration only (never in playbook inputs, incident fields or context, where it would be visible in the War Room), and issue the credentials to an account limited to the investigation, alert, comment and playbook operations listed below.

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

taegis-archive-investigation

Base Command

!taegis-archive-investigation

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The investigation ID to archive | True |

Command Example

!taegis-archive-investigation id=c207ca4c-8a78-4408-a056-49f05d6eb77d

Context Example

{
  "TaegisXDR": {
    "ArchivedInvestigation": {
      "id": "c207ca4c-8a78-4408-a056-49f05d6eb77d"
    }
  }
}

taegis-create-comment

Base Command

!taegis-create-comment

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | The comment string to add to the investigation | True |
| parent_id | The investigation ID to add the comment to | True |

Command Example

!taegis-create-comment comment="This is a test comment" parent_id="219da0ee-8642-4363-827c-8a6fbd479082"

Context Example

{
  "TaegisXDR": {
    "CommentCreate": {
      "id": "593fa115-abad-4a52-9fc4-2ec403a8a1e4"
    }
  }
}

taegis-create-investigation

Base Command

!taegis-create-investigation

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| description | The subject or description of the investigation | True |
| priority | The priority for the investigation (1-5) [Default: 3] | False |

Command Example

!taegis-create-investigation priority=1 description="XSOAR Created Investigation"

Context Example

{
  "TaegisXDR": {
    "Investigation": {
      "id": "593fa115-abad-4a52-9fc4-2ec403a8a1e4"
    }
  }
}

taegis-execute-playbook

Base Command

!taegis-execute-playbook

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Playbook instance ID to execute | True |
| inputs | JSON object of inputs to pass into the playbook execution | False |

Command Examples

!taegis-execute-playbook id=UGxheWJvb2tJbnN0YW5jZTphZDNmNzBlZi1mN2U0LTQ0OWYtODJiMi1hYWQwMjQzZTA2NTg=
!taegis-execute-playbook id=UGxheWJvb2tJbnN0YW5jZTphZDNmNzBlZi1mN2U0LTQ0OWYtODJiMi1hYWQwMjQzZTA2NTg= inputs=`{"myvar": "myval"}`

The inputs value must be a JSON object (double-quoted keys and strings); the returned id is the playbook execution ID, which taegis-fetch-playbook-execution accepts.

Context Example

{
  "id": "UGxheWJvb2tFeGVjdXRpb246NGYwZDZiNGQtNWNiZS00NDkxLTg3YzYtMDZkNjkxYzMwMTg4"
}

taegis-fetch-alerts

Base Command

!taegis-fetch-alerts

Inputs

| Argument Name | Description | Default | Required |
| --- | --- | --- | --- |
| ids | A list of alert IDs to fetch | 936c1cc1-db8f-430c-837c-1c914fcca35a | False |
| limit | Number of results to return when ids is not defined | 10 | False |
| offset | The result to start from when ids is not defined | 0 | False |
| cql_query | The query to use when searching for alerts | from alert severity >= 0.6 and status='OPEN' | False |

Command Example

!taegis-fetch-alerts ids=`["6594e97f-a898-5b28-82b2-ea03293cdaa1"]`

Context Example

{
  "TaegisXDR": {
    "Alerts": [
      {
        "id": "c4f33b53-eaba-47ac-8272-199af0f7935b",
        "metadata": {
          "title": "Test Alert",
          "description": "This is a test alert",
          "severity": 0.5
        }
      }
    ]
  }
}
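Alerts come back with a Taegis severity between 0.0 and 1.0 (the default cql_query keeps those at 0.6 or above), while XSOAR incidents use a 0-4 scale. The following is an added example, not code from the Secureworks pack, showing how an automation can turn the TaegisXDR.Alerts context output into XSOAR incident dicts: it maps severity onto the XSOAR scale, drops duplicate alert IDs so a repeated fetch does not open a second incident, and treats a missing or out-of-range severity as Unknown rather than guessing. The threshold values and the sample records are this example's own constructions.

```python
"""Turn TaegisXDR.Alerts records into XSOAR incident dicts, mapping the Taegis
0.0-1.0 severity onto XSOAR's 0-4 scale and de-duplicating by alert id.

Added example, not part of the Secureworks pack. The severity thresholds and the
decision to drop records without a numeric severity when a threshold is set are
this example's own choices; the input shape follows the context example above."""
import json
from typing import Dict, List, Optional

# Constructed sample in the shape of the TaegisXDR.Alerts context output.
SAMPLE_ALERTS = [
    {"id": "c4f33b53-eaba-47ac-8272-199af0f7935b",
     "metadata": {"title": "Test Alert", "description": "This is a test alert", "severity": 0.5}},
    {"id": "936c1cc1-db8f-430c-837c-1c914fcca35a",
     "metadata": {"title": "LSASS memory access", "description": "Possible credential dumping",
                  "severity": 0.9}},
    # same id again: a re-fetch must not open a second incident
    {"id": "c4f33b53-eaba-47ac-8272-199af0f7935b",
     "metadata": {"title": "Test Alert", "description": "This is a test alert", "severity": 0.5}},
    # severity missing: map to Unknown rather than guessing
    {"id": "0b1f1d9e-0000-4000-8000-000000000001", "metadata": {"title": "No severity"}},
]


def as_severity(value) -> Optional[float]:
    """Parse a Taegis severity; None if absent or not a number in [0, 1]."""
    try:
        s = float(value)
    except (TypeError, ValueError):
        return None
    return s if 0.0 <= s <= 1.0 else None


def taegis_severity_to_xsoar(value) -> int:
    """XSOAR: 0 Unknown, 1 Low, 2 Medium, 3 High, 4 Critical. Thresholds are assumptions."""
    s = as_severity(value)
    if s is None:
        return 0
    if s >= 0.8:
        return 4
    if s >= 0.6:
        return 3
    if s >= 0.4:
        return 2
    return 1


def alerts_to_incidents(alerts: List[dict], min_severity: float = 0.0) -> List[Dict]:
    """Build incident dicts (fields accepted by demisto.incidents), most severe first."""
    seen = set()
    incidents = []
    for alert in alerts:
        alert_id = alert.get("id")
        if not alert_id or alert_id in seen:
            continue
        seen.add(alert_id)
        meta = alert.get("metadata") or {}
        s = as_severity(meta.get("severity"))
        if min_severity > 0 and (s is None or s < min_severity):
            continue
        incidents.append({
            "name": f"Taegis: {meta.get('title') or alert_id}",
            "severity": taegis_severity_to_xsoar(s),
            "details": meta.get("description", ""),
            "dbotMirrorId": alert_id,      # lets a later fetch find this incident again
            "rawJSON": json.dumps(alert),  # full record for mapping and classification
        })
    incidents.sort(key=lambda inc: inc["severity"], reverse=True)
    return incidents


if __name__ == "__main__":
    for incident in alerts_to_incidents(SAMPLE_ALERTS):
        print(incident["severity"], incident["name"])
```

The filter on min_severity mirrors the `severity >= 0.6` clause of the default cql_query, so the same threshold can be enforced client-side when alerts are fetched by ID and the query is not applied.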

taegis-fetch-comment

Base Command

!taegis-fetch-comment

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the comment to fetch | True |

Command Example

!taegis-fetch-comment id=ff9ca818-4749-4ccb-883a-2ccc6f6c9e0f

Context Example

{
  "TaegisXDR": {
    "Comment": {
      "author_user": {
        "email_normalized": "myuser@email.com",
        "given_name": "John",
        "family_name": "Smith",
        "id": "auth0|000000000000000000000001"
      },
      "id": "ff9ca818-4749-4ccb-883a-2ccc6f6c9e0f",
      "comment": "This is a comment in an investigation",
      "created_at": "2022-01-01T13:04:57.17234Z",
      "deleted_at": null,
      "modified_at": null,
      "parent_id": "c2e09554-833e-41a1-bc9d-8160aec0d70d",
      "parent_type": "investigation"
    }
  }
}

taegis-fetch-comments

Base Command

!taegis-fetch-comments

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| parent_id | The investigation ID to fetch comments for | True |

Command Example

!taegis-fetch-comments parent_id=c2e09554-833e-41a1-bc9d-8160aec0d70d

Context Example

{
  "TaegisXDR": {
    "Comments": [
      {
        "author_user": {
          "email_normalized": "myuser@email.com",
          "given_name": "John",
          "family_name": "Smith",
          "id": "auth0|000000000000000000000001"
        },
        "id": "ff9ca818-4749-4ccb-883a-2ccc6f6c9e0f",
        "comment": "This is a comment in an investigation",
        "created_at": "2022-01-01T13:04:57.17234Z",
        "deleted_at": null,
        "modified_at": null,
        "parent_id": "c2e09554-833e-41a1-bc9d-8160aec0d70d",
        "parent_type": "investigation"
      },
      {
        "author_user": {
          "email_normalized": "myuser@email.com",
          "given_name": "John",
          "family_name": "Smith",
          "id": "auth0|000000000000000000000001"
        },
        "id": "ff9ca818-4749-4ccb-883a-2ccc6f6c1234",
        "comment": "This is another comment",
        "created_at": "2022-01-02T13:04:57.17234Z",
        "deleted_at": null,
        "modified_at": null,
        "parent_id": "c2e09554-833e-41a1-bc9d-8160aec0d70d",
        "parent_type": "investigation"
      }
    ]
  }
}

taegis-fetch-investigation

Base Command

!taegis-fetch-investigation

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Investigation ID to look up | True |

Command Example

!taegis-fetch-investigation id=936c1cc1-db8f-430c-837c-1c914fcca35a

Context Example

{
  "TaegisXDR": {
    "Investigations": [
      {
        "archived_at": null,
        "created_at": "2022-02-02T13:53:35Z",
        "description": "Test Investigation",
        "id": "c2e09554-833e-41a1-bc9d-8160aec0d70d",
        "key_findings": "",
        "priority": 2,
        "service_desk_id": "",
        "service_desk_type": "",
        "status": "Open",
        "alerts2": [],
        "url": "https://ctpx.secureworks.com/investigations/c2e09554-833e-41a1-bc9d-8160aec0d70d"
      }
    ]
  }
}

taegis-fetch-investigation-alerts

Base Command

!taegis-fetch-investigation-alerts

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Investigation ID to look up | True |

Command Example

!taegis-fetch-investigation-alerts id=936c1cc1-db8f-430c-837c-1c914fcca35a

Context Example

{
  "TaegisXDR": {
    "InvestigationAlerts": [
      {
        "id": "c4f33b53-eaba-47ac-8272-199af0f7935b",
        "description": "Test Alert",
        "message": "This is a test alert",
        "severity": 0.5
      }
    ]
  }
}

taegis-fetch-investigations

Base Command

!taegis-fetch-investigations

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| page | The page of results to return | False |
| page_size | The number of investigations per page | False |

Command Example

!taegis-fetch-investigations

Context Example

{
  "TaegisXDR": {
    "Investigations": [
      {
        "description": "Test Investigation",
        "id": "c2e09554-833e-41a1-bc9d-8160aec0d70d",
        "key_findings": "",
        "priority": 2,
        "service_desk_id": "",
        "service_desk_type": "",
        "status": "Open"
      }
    ]
  }
}

taegis-fetch-playbook-execution

Base Command

!taegis-fetch-playbook-execution

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Playbook execution ID to fetch (as returned by taegis-execute-playbook) | True |

Command Example

!taegis-fetch-playbook-execution id=UGxheWJvb2tFeGVjdXRpb246NGYwZDZiNGQtNWNiZS00NDkxLTg3YzYtMDZkNjkxYzMwMTg4

Context Example

{
  "TaegisXDR": {
    "PlaybookExecution": {
      "createdAt": "2022-01-01T13:51:24Z",
      "executionTime": 1442,
      "id": "UGxheWJvb2tFeGVjdXRpb246NGYwZDZiNGQtNWNiZS00NDkxLTg3YzYtMDZkNjkxYzMwMTg4",
      "inputs": {
        "alert": {
          "message": "Test Alert"
        }
      },
      "instance": {
        "name": "Test Alert Instance",
        "playbook": {
          "name": "Taegis.PagerDutyAlertEvent"
        }
      },
      "outputs": "d6b65662-c1da-4109-8553-c5664918c952",
      "state": "Completed",
      "updatedAt": "2022-01-01T13:51:31Z"
    }
  }
}
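taegis-execute-playbook only starts the execution; its outputs and final state arrive later through taegis-fetch-playbook-execution. The following added example (not code from the Secureworks pack) shows the chaining an XSOAR automation needs: start the playbook, poll the execution by ID until it reaches a terminal state, stop on an error entry, and give up after a deadline instead of spinning forever. Inside XSOAR the `run_command` callable would be demisto.executeCommand; here it is injected so the logic runs offline against a constructed fake. Only the "Completed" state appears in the page's context example; the "Running", "Failed" and "Cancelled" names, the execution ID prefix and the assumption that the execution record sits in the entry's Contents are this example's own.

```python
"""Chain !taegis-execute-playbook and !taegis-fetch-playbook-execution: start a
Taegis playbook, then poll until the execution reaches a terminal state.

Added example, not part of the Secureworks pack. Inside an XSOAR automation
`run_command` would be demisto.executeCommand; here it is injected so the logic
can be exercised offline with constructed responses. Only "Completed" appears in
the page's context example; the other state names are assumptions."""
import json
import time
from typing import Callable, Dict, List, Optional

ENTRY_TYPE_ERROR = 4  # entryTypes['error'] in CommonServerPython
TERMINAL_STATES = frozenset({"Completed", "Failed", "Cancelled"})  # assumed, except Completed

CommandRunner = Callable[[str, dict], List[dict]]


def first_contents(entries: List[dict], command: str) -> Dict:
    """Unwrap executeCommand's entry list; an error entry aborts the wait."""
    if not entries:
        raise RuntimeError(f"{command} returned no entries")
    entry = entries[0]
    if entry.get("Type") == ENTRY_TYPE_ERROR:
        raise RuntimeError(f"{command} failed: {entry.get('Contents')}")
    contents = entry.get("Contents")
    return contents if isinstance(contents, dict) else {}


def execute_and_wait(run_command: CommandRunner, instance_id: str,
                     inputs: Optional[dict] = None, timeout_s: float = 300,
                     interval_s: float = 5,
                     sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Start the playbook instance and return the execution record once it is terminal."""
    args = {"id": instance_id}
    if inputs:
        args["inputs"] = json.dumps(inputs)  # the command takes a JSON object, not a Python literal
    started = first_contents(run_command("taegis-execute-playbook", args), "taegis-execute-playbook")
    execution_id = started.get("id")
    if not execution_id:
        raise RuntimeError(f"no execution id in response: {started!r}")

    deadline = time.monotonic() + timeout_s
    while True:
        execution = first_contents(
            run_command("taegis-fetch-playbook-execution", {"id": execution_id}),
            "taegis-fetch-playbook-execution")
        state = execution.get("state")
        if state in TERMINAL_STATES:
            return execution
        if time.monotonic() >= deadline:
            raise TimeoutError(f"execution {execution_id} still in state {state!r} after {timeout_s}s")
        sleep(interval_s)


def make_fake_runner(states: List[str], fail_start: bool = False) -> CommandRunner:
    """Constructed stand-in for demisto.executeCommand with a scripted state sequence.
    Assumes the execution record is returned in the entry's Contents."""
    polls = {"n": 0}

    def run(command: str, args: dict) -> List[dict]:
        if command == "taegis-execute-playbook":
            if fail_start:
                return [{"Type": ENTRY_TYPE_ERROR, "Contents": "playbook instance not found"}]
            return [{"Type": 1, "Contents": {"id": "exec-" + args["id"]}}]
        if command == "taegis-fetch-playbook-execution":
            state = states[min(polls["n"], len(states) - 1)]
            polls["n"] += 1
            return [{"Type": 1, "Contents": {"id": args["id"], "state": state, "outputs": None}}]
        raise ValueError(f"unexpected command {command}")

    return run


if __name__ == "__main__":
    runner = make_fake_runner(["Running", "Running", "Completed"])
    print(execute_and_wait(runner, "instance-1", {"myvar": "myval"},
                           interval_s=0, sleep=lambda _s: None))
```

In a real automation the polling loop competes with the script timeout; for long-running playbooks prefer a playbook task with polling (GenericPolling) over a single blocking script, and keep `timeout_s` below the automation's own limit so the failure surfaces as a readable error rather than a killed task.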

taegis-fetch-users

Base Command

!taegis-fetch-users

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the user, in auth0 format | False |
| email | The email of the user | False |
| status | The users to find based on status | False |
| page | The page of results to return | False |
| page_size | The number of users per page | False |

Command Example

!taegis-fetch-users id="auth0|123456"

Context Example

{
  "TaegisXDR": {
    "Users": [
      {
        "email": "myuser@email.com",
        "family_name": "Smith",
        "given_name": "John",
        "status": "Registered",
        "user_id": "auth0|123456"
      }
    ]
  }
}

taegis-update-comment

Base Command

!taegis-update-comment

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | The new comment text that replaces the existing comment | True |
| id | The comment ID to update | True |

Command Example

!taegis-update-comment id="ff9ca818-4749-4ccb-883a-2ccc6f6c9e0f" comment="Newly updated comment"

Context Example

{
  "TaegisXDR": {
    "CommentUpdate": {
      "id": "593fa115-abad-4a52-9fc4-2ec403a8a1e4"
    }
  }
}

taegis-update-investigation

Base Command

!taegis-update-investigation

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Investigation ID to update | True |
| key_findings | Key findings text to record on the investigation | False |
| priority | The priority of the investigation (1-5) | False |
| service_desk_id | An ID or ticket # to relate to an investigation | False |
| service_desk_type | The type of ID related to an investigation (e.g. Jira) | False |
| status | The current status of the investigation (see Permitted Status Values) | False |
| assignee_id | The ID of a user to assign, in auth0 format (e.g. auth0\|12345, as returned by taegis-fetch-users) | False |

Note: At least one of the optional inputs above (in addition to id) must be defined.

Permitted Status Values
  • Active
  • Awaiting Action
  • Closed: Authorized Activity
  • Closed: Confirmed Security Incident
  • Closed: False Positive Alert
  • Closed: Inconclusive
  • Closed: Informational
  • Closed: Not Vulnerable
  • Closed: Threat Mitigated
  • Open
  • Suspended

Command Example

!taegis-update-investigation id="936c1cc1-db8f-430c-837c-1c914fcca35a" priority=3 status="Open" service_desk_id="XDR-1234" service_desk_type="Jira"

Context Example

{
  "TaegisXDR": {
    "InvestigationUpdate": {
      "id": "c2e09554-833e-41a1-bc9d-8160aec0d70d"
    }
  }
}
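The update command carries several constraints that a playbook can violate silently: the status must be one of the permitted strings exactly, priority is 1-5, assignee_id is an auth0-format ID, and at least one field besides id must be present. The following added example (not code from the Secureworks pack) validates and normalises the arguments before the command is issued so a bad playbook input fails at the task with a clear message. The permitted status list and priority range are taken from this page; the UUID and auth0 patterns, the case-insensitive status matching, the `require_findings_on_close` policy and the `to_cli` helper are this example's own assumptions and conventions, not documented API behaviour.

```python
"""Validate and normalise arguments for !taegis-update-investigation before the
command runs, so a playbook fails early instead of sending the API a rejected update.

Added example, not part of the Secureworks pack. The permitted status list and the
1-5 priority range come from the page above; the UUID and auth0 id patterns, the
case-insensitive status matching and the "findings required when closing" rule are
this example's own policy, not documented API behaviour."""
import re
from typing import Dict, Optional

PERMITTED_STATUSES = (
    "Active", "Awaiting Action", "Closed: Authorized Activity",
    "Closed: Confirmed Security Incident", "Closed: False Positive Alert",
    "Closed: Inconclusive", "Closed: Informational", "Closed: Not Vulnerable",
    "Closed: Threat Mitigated", "Open", "Suspended",
)
_STATUS_BY_KEY = {re.sub(r"\s+", " ", s).strip().lower(): s for s in PERMITTED_STATUSES}
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
ASSIGNEE_RE = re.compile(r"^auth0\|[A-Za-z0-9]+$")  # shape of the ids shown by taegis-fetch-users


def canonical_status(value: str) -> str:
    """Map a loosely typed status ('closed: false positive alert') onto the permitted spelling."""
    key = re.sub(r"\s+", " ", value).strip().lower()
    if key not in _STATUS_BY_KEY:
        raise ValueError(f"status {value!r} not in permitted list")
    return _STATUS_BY_KEY[key]


def build_update_args(investigation_id: str, *, key_findings: Optional[str] = None,
                      priority=None, service_desk_id: Optional[str] = None,
                      service_desk_type: Optional[str] = None, status: Optional[str] = None,
                      assignee_id: Optional[str] = None,
                      require_findings_on_close: bool = True) -> Dict[str, str]:
    """Return the argument dict for the command, or raise ValueError with the reason."""
    if not UUID_RE.match(investigation_id or ""):
        raise ValueError(f"investigation id {investigation_id!r} is not a UUID")
    args: Dict[str, str] = {"id": investigation_id}
    if priority is not None:
        try:
            p = int(priority)
        except (TypeError, ValueError):
            raise ValueError(f"priority {priority!r} is not an integer") from None
        if not 1 <= p <= 5:
            raise ValueError(f"priority {p} outside 1-5")
        args["priority"] = str(p)
    if status is not None:
        args["status"] = canonical_status(status)
        # Example team policy (assumption): a closed investigation must carry findings.
        if require_findings_on_close and args["status"].startswith("Closed:") and not key_findings:
            raise ValueError("closing an investigation requires key_findings")
    if assignee_id is not None:
        if not ASSIGNEE_RE.match(assignee_id):
            raise ValueError(f"assignee_id {assignee_id!r} is not in auth0|<id> format")
        args["assignee_id"] = assignee_id
    for name, value in (("key_findings", key_findings), ("service_desk_id", service_desk_id),
                        ("service_desk_type", service_desk_type)):
        if value:
            args[name] = str(value)
    if len(args) == 1:
        raise ValueError("at least one field besides id must be supplied")
    return args


def to_cli(args: Dict[str, str]) -> str:
    """Render as a War Room command line, quoting every value so spaces and colons survive."""
    return "!taegis-update-investigation " + " ".join(
        '{}="{}"'.format(k, v.replace('"', '\\"')) for k, v in args.items())


if __name__ == "__main__":
    print(to_cli(build_update_args("936c1cc1-db8f-430c-837c-1c914fcca35a", priority=3,
                                   status="open", service_desk_id="XDR-1234",
                                   service_desk_type="Jira")))
```

Canonicalising the status matters because the closed states carry a colon and mixed case; a playbook input typed as `closed: false positive alert` would otherwise be sent verbatim, and the update rejected.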

taegis-unarchive-investigation

Base Command

!taegis-unarchive-investigation

Inputs

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The investigation ID to unarchive | True |

Command Example

!taegis-unarchive-investigation id=c207ca4c-8a78-4408-a056-49f05d6eb77d

Context Example

{
  "TaegisXDR": {
    "UnarchivedInvestigation": {
      "id": "c207ca4c-8a78-4408-a056-49f05d6eb77d"
    }
  }
}