SecureWorks Taegis™ XDR offers superior detection, unmatched response and an open platform built from the ground up to integrate market-leading technologies and deliver the highest ROI.
This document provides information about the Taegis XDR Connector, which facilitates automated interactions with a Taegis XDR server using FortiSOAR™ playbooks. Add the Taegis XDR Connector as a step in FortiSOAR™ playbooks and perform automated operations with Taegis XDR.
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:

```
yum install cyops-connector-taegis-xdr
```

For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Taegis XDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Client ID | Specify the Client ID as described in the Taegis Documentation. https://docs.ctpx.secureworks.com/apis/api_authenticate/ |
| Client Secret | Specify the Client Secret as described in the Taegis Documentation. https://docs.ctpx.secureworks.com/apis/api_authenticate/ |
| Environment | Specify the Environment in which SecureWorks Taegis XDR is used. The server URL depends on the selected Environment. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Alerts | Retrieves all alerts with Common Fields of Interests based on the filter query and other input parameters specified. | get_alerts Investigation |
| Get Assets | Retrieves a list of assets based on the filter asset state, order, and other input parameters specified. | get_assets Investigation |
| Get Endpoint | Retrieves RedCloak endpoint information based on the endpoint ID specified. | get_endpoint Investigation |
| Get Investigations | Retrieves a list of investigations based on the filter asset state, CQL query, and other input parameters specified. | get_investigations Investigation |
| Get Investigations Alerts | Retrieves a list of alerts associated with an investigation based on the investigation ID and other input parameters specified. | get_investigations_alerts Investigation |
| Get Playbook Execution | Retrieves the state of a playbook execution based on the playbook execution ID specified. | get_investigations_alerts Investigation |
| Get User by ID | Retrieves the details of a user based on the user ID and tenant ID specified. | get_user_by_id Investigation |
| Isolate Assets | Isolates the asset based on the Asset ID and the isolation reason specified. | isolate_assets Investigation |
| Update Alert Status | Adds a resolution status or modifies an existing resolution status based on the alert IDs and other input parameters specified. | update_alert_status Investigation |
| Update Investigation | Updates investigation fields based on the investigation ID and other input parameters specified. | update_investigation Investigation |
Input parameters for the Get Alerts operation:
| Parameter | Description |
|---|---|
| CQL Query | Specify the CQL query to run when searching for alerts. By default, it queries for alerts that are in the OPEN state, have severity High or Critical, and were created within the last 1 day. For more information on CQL queries, refer to the Apache CQL documentation. |
| Limit | Specify the number of alerts to be shown per page. |
| Offset | Specify the number of records to skip when retrieving the result set. For example, if your query has 500 total_results and you want the last 100 results, set Offset to 400. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "Alerts": [
      {
        "id": "",
        "metadata": {
          "title": "",
          "description": "",
          "severity": ""
        },
        "url": ""
      }
    ]
  }
}
```
Input parameters for the Get Assets operation:
| Parameter | Description |
|---|---|
| Filter Asset State | Select the asset state used to filter the fetched assets. |
| Order By | Select the criteria by which to order the assets. |
| Order Direction | Select the order in which the assets are listed. |
| Only Most Recent | Select this option to fetch only those assets that were created within the last 24 hours. |
| Limit | Specify the number of assets to be shown per page. |
| Offset | Specify the number of records to skip when retrieving the result set. For example, if your query has 500 total_results and you want the last 100 results, set Offset to 400. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "Assets": [
      {
        "id": "",
        "ingestTime": "",
        "createdAt": "",
        "updatedAt": "",
        "deletedAt": "",
        "biosSerial": "",
        "firstDiskSerial": "",
        "systemVolumeSerial": "",
        "sensorVersion": "",
        "endpointPlatform": "",
        "hostnames": "",
        "architecture": "",
        "osFamily": "",
        "osVersion": "",
        "osDistributor": "",
        "osRelease": "",
        "systemType": "",
        "osCodename": "",
        "kernelRelease": "",
        "kernelVersion": "",
        "tags": [
          {
            "key": "",
            "tag": ""
          }
        ],
        "endpointType": "",
        "hostId": "",
        "sensorId": ""
      }
    ]
  }
}
```
Input parameters for the Get Endpoint operation:
| Parameter | Description |
|---|---|
| Endpoint ID | Specify the endpoint ID for which to fetch SecureWorks RedCloak™ endpoint information. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "assetEndpointInfo": {
      "hostId": "",
      "hostName": "",
      "actualIsolationStatus": "",
      "allowedDomain": "",
      "desiredIsolationStatus": "",
      "firstConnectTime": "",
      "moduleHealth": {
        "enabled": "",
        "lastRunningTime": "",
        "moduleDisplayName": ""
      },
      "lastConnectAddress": "",
      "lastConnectTime": "",
      "sensorVersion": ""
    }
  }
}
```
Input parameters for the Get Investigations operation:
| Parameter | Description |
|---|---|
| Filter Asset State | Select the asset state used to filter the investigations. |
| Query | Specify the CQL query to run when searching for investigations. By default, it runs the query `type in ('Security Investigation')`. For more information on CQL queries, refer to the Apache CQL documentation. |
| Order by Field | Select the criteria by which to order the investigations. |
| Order Direction | Select the order in which the investigations are listed. |
| Page | Specify the page number from which you want to fetch the investigations. |
| Per Page | Specify the number of investigations to be shown per page. You can specify a maximum value of 100. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "Investigations": [
      {
        "archived_at": "",
        "created_at": "",
        "description": "",
        "id": "",
        "key_findings": "",
        "priority": "",
        "service_desk_id": "",
        "service_desk_type": "",
        "status": "",
        "alerts2": [],
        "url": ""
      }
    ]
  }
}
```
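As an added example (not the connector's own code or part of the FortiSOAR page), the following Python helpers walk the two paging contracts described above: Limit/Offset for Get Alerts and 1-based Page/Per Page (maximum 100) for Get Investigations. The `get_alerts` and `get_investigations` callables, their argument order, and the `fake_*` stand-ins that return the documented output shape are assumptions made for illustration.

```python
from typing import Callable, Dict, List

Record = Dict[str, object]
Page = Dict[str, Dict[str, List[Record]]]  # {"TaegisXDR": {"<Key>": [...]}} as documented

PER_PAGE_MAX = 100  # documented upper bound for the Per Page parameter


def offset_for_last(total_results: int, n: int) -> int:
    """Offset that selects the last n of total_results records (500 and 100 give 400)."""
    return max(total_results - n, 0)


def fetch_all_alerts(get_alerts: Callable[[str, int, int], Page], cql: str,
                     limit: int = 100, max_pages: int = 50) -> List[Record]:
    """Walk Get Alerts with Limit/Offset until a short page comes back.

    Results are de-duplicated by id: alerts created between two page requests
    shift older ones across page boundaries. max_pages bounds the number of API
    calls a single playbook step can issue.
    """
    seen: Dict[str, Record] = {}
    offset = 0
    for _ in range(max_pages):
        page = get_alerts(cql, limit, offset)["TaegisXDR"]["Alerts"]
        for alert in page:
            seen.setdefault(str(alert["id"]), alert)
        if len(page) < limit:
            break
        offset += limit
    return list(seen.values())


def fetch_all_investigations(get_investigations: Callable[[str, int, int], Page],
                             query: str, per_page: int = PER_PAGE_MAX,
                             max_pages: int = 50) -> List[Record]:
    """Walk Get Investigations with 1-based Page and Per Page (clamped to 100)."""
    per_page = min(per_page, PER_PAGE_MAX)
    results: List[Record] = []
    for page_no in range(1, max_pages + 1):
        page = get_investigations(query, page_no, per_page)["TaegisXDR"]["Investigations"]
        results.extend(page)
        if len(page) < per_page:
            break
    return results


def fake_alerts(total: int) -> Callable[[str, int, int], Page]:
    """Constructed stand-in (assumption) for Get Alerts: `total` alerts in the documented schema."""
    def get_alerts(cql: str, limit: int, offset: int) -> Page:
        sev = ("High", "Critical")
        alerts = [{"id": f"alert-{i}", "url": "", "metadata": {
                   "title": f"Alert {i}", "description": "", "severity": sev[i % 2]}}
                  for i in range(offset, min(offset + limit, total))]
        return {"TaegisXDR": {"Alerts": alerts}}
    return get_alerts


def fake_investigations(total: int) -> Callable[[str, int, int], Page]:
    """Constructed stand-in (assumption) for Get Investigations with 1-based pages."""
    def get_investigations(query: str, page: int, per_page: int) -> Page:
        start = (page - 1) * per_page
        inv = [{"id": f"inv-{i}", "status": "Open", "priority": "3", "alerts2": [], "url": ""}
               for i in range(start, min(start + per_page, total))]
        return {"TaegisXDR": {"Investigations": inv}}
    return get_investigations
```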
Input parameters for the Get Investigations Alerts operation:
| Parameter | Description |
|---|---|
| Investigation ID | Specify the Investigation ID whose list of alerts you want to fetch. |
| Page | Specify the page number from which you want to fetch the alerts. |
| Per Page | Specify the number of alerts to be shown per page. You can specify a maximum value of 100. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "InvestigationAlerts": [
      {
        "id": "",
        "description": "",
        "message": "",
        "severity": ""
      }
    ]
  }
}
```
Input parameters for the Get Playbook Execution operation:
| Parameter | Description |
|---|---|
| Playbook Execution ID | Specify the playbook execution ID whose state you want to fetch. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "PlaybookExecution": {
      "createdAt": "",
      "executionTime": "",
      "id": "",
      "inputs": {
        "alert": {
          "message": ""
        }
      },
      "instance": {
        "name": "",
        "playbook": {
          "name": ""
        }
      },
      "outputs": "",
      "state": "",
      "updatedAt": ""
    }
  }
}
```
Input parameters for the Get User by ID operation:
| Parameter | Description |
|---|---|
| User ID | Specify the user ID whose details you want to fetch. |
| Tenant ID | Specify the tenant ID of which the specified user is a member. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "Users": [
      {
        "email": "",
        "family_name": "",
        "given_name": "",
        "status": "",
        "user_id": ""
      }
    ]
  }
}
```
Input parameters for the Isolate Assets operation:
| Parameter | Description |
|---|---|
| Asset ID | Specify the ID of the asset that you want to isolate. |
| Reason of Isolation | Specify a reason for isolating the specified asset. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "AssetIsolation": {
      "id": ""
    }
  }
}
```
Input parameters for the Update Alert Status operation:
| Parameter | Description |
|---|---|
| Alert IDs | Specify the IDs of the alerts, as comma-separated values, whose resolution status you want to update. |
| Resolution Status | Specify the resolution status you want to apply to the specified alerts. |
| Reason of Status Change | Specify a reason for updating the status of the specified alerts. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "AlertStatusUpdate": {
      "reason": "",
      "resolution_status": ""
    }
  }
}
```
Input parameters for the Update Investigation operation:
| Parameter | Description |
|---|---|
| Investigation ID | Specify the ID of the investigation whose fields you want to update. |
| Description of Investigation | Specify a description to set on the specified investigation. |
| Key Findings | Specify the key findings to set on the specified investigation. |
| Investigation's Priority | Specify the priority, in the range 1-5, to set on the specified investigation. |
| Investigation's Status | Select the status to set on the investigation. |
| Assignee ID | Specify the ID of the user to whom this investigation is to be assigned. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "InvestigationUpdate": {
      "id": ""
    }
  }
}
```
The Sample - Taegis XDR - 1.0.0 playbook collection comes bundled with the Taegis XDR connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Taegis XDR connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.