SecureWorks Taegis™ XDR offers superior detection, unmatched response and an open platform built from the ground up to integrate market-leading technologies and deliver the highest ROI.
This document provides information about the Taegis XDR Connector, which facilitates automated interactions with a Taegis XDR server using FortiSOAR™ playbooks. Add the Taegis XDR Connector as a step in FortiSOAR™ playbooks and perform automated operations with Taegis XDR.
Connector Version: 1.2.0
Authored By: Fortinet
Certified: No
The following enhancements have been made to the Taegis XDR Connector in version 1.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also run the following yum command as the root user to install the connector:
```shell
yum install cyops-connector-taegis-xdr
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Taegis XDR connector row (if you are in the Grid view on the Connectors page) and, in the Configurations tab, enter the required configuration details:
| Parameter | Description |
|---|---|
| Client ID | Specify the Client ID as described in the Taegis Documentation. https://docs.ctpx.secureworks.com/apis/api_authenticate/ |
| Client Secret | Specify the Client Secret as described in the Taegis Documentation. https://docs.ctpx.secureworks.com/apis/api_authenticate/ |
| Environment | Specify the Environment to utilize SecureWorks Taegis XDR. Server URL changes with change in Environment. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks; you can also use the annotations to access the operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Alerts | Retrieves all alerts with Common Fields of Interest based on the filter query and other input parameters specified. | get_alerts Investigation |
| Get Assets | Retrieves a list of assets based on the filter asset state, order, and other input parameters specified. | get_assets Investigation |
| Get Endpoint | Retrieves RedCloak endpoint information based on the endpoint ID specified. | get_endpoint Investigation |
| Get Investigations | Retrieves a list of investigations based on the filter asset state, CQL query, and other input parameters specified. | get_investigations Investigation |
| Get Investigations Alerts | Retrieves a list of alerts associated with an investigation based on the investigation ID and other input parameters specified. | get_investigations_alerts Investigation |
| Get Playbook Execution | Retrieves the state of a playbook execution based on the playbook execution ID specified. | get_investigations_alerts Investigation |
| Get User by ID | Retrieves the details of a user based on the user ID and tenant ID specified. | get_user_by_id Investigation |
| Isolate Assets | Isolates the asset based on the asset ID and the isolation reason specified. | isolate_assets Investigation |
| Update Alert Status | Adds a resolution status or modifies an existing resolution status based on the alert IDs and other input parameters specified. | update_alert_status Investigation |
| Update Investigation | Updates investigation fields based on the investigation ID and other input parameters specified. | update_investigation Investigation |
| Create Investigation | Creates an investigation based on the investigation description and other input parameters specified. | create_investigation Investigation |
| Unarchive Investigation | Unarchives an investigation based on the investigation ID specified. | unarchive_investigation Investigation |
| Add Alerts to Investigation | Adds an alert to an existing investigation based on the investigation ID. | add_alerts_to_investigation Investigation |
| Add Events to Investigation | Adds an event to an existing investigation based on the investigation ID. | add_events_to_investigation Investigation |
| Create Comment | Creates a new comment in the activity log of the specified investigation. | create_comment Investigation |
| Execute Playbook | Executes a playbook in the Taegis XDR system based on the playbook ID and the supplied parameters. | execute_playbook Investigation |
Input parameters for the Get Alerts operation:
| Parameter | Description |
|---|---|
| CQL Query | Specify the CQL query to run when searching for alerts. By default, it queries for alerts that are in the OPEN state, have severity High or Critical, and were created within the last 1 day. For more information on CQL queries, refer to the Apache CQL documentation. |
| Limit | Specify the number of alerts to be shown per page. |
| Offset | Specify the number of records to skip when retrieving the result set. For example, if your query has 500 total_results and you want the last 100 results, set Offset to 400. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "Alerts": [
      {
        "id": "",
        "metadata": {
          "title": "",
          "description": "",
          "severity": ""
        },
        "url": ""
      }
    ]
  }
}
```
Input parameters for the Get Assets operation:
| Parameter | Description |
|---|---|
| Filter Asset State | Select the asset state to filter the fetched assets. You can select from the following options: |
| Order By | Select the criteria by which to order the assets. You can select from the following options: |
| Order Direction | Select the order in which the assets are listed. You can select from the following options: |
| Only Most Recent | Select this option to fetch only those assets that were created within the last 24 hours. |
| Limit | Specify the number of assets to be shown per page. |
| Offset | Specify the number of records to skip when retrieving the result set. For example, if your query has 500 total_results and you want the last 100 results, set Offset to 400. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "Assets": [
      {
        "id": "",
        "ingestTime": "",
        "createdAt": "",
        "updatedAt": "",
        "deletedAt": "",
        "biosSerial": "",
        "firstDiskSerial": "",
        "systemVolumeSerial": "",
        "sensorVersion": "",
        "endpointPlatform": "",
        "hostnames": "",
        "architecture": "",
        "osFamily": "",
        "osVersion": "",
        "osDistributor": "",
        "osRelease": "",
        "systemType": "",
        "osCodename": "",
        "kernelRelease": "",
        "kernelVersion": "",
        "tags": [
          {
            "key": "",
            "tag": ""
          }
        ],
        "endpointType": "",
        "hostId": "",
        "sensorId": ""
      }
    ]
  }
}
```
Input parameters for the Get Endpoint operation:
| Parameter | Description |
|---|---|
| Endpoint ID | Specify the endpoint ID for which to fetch SecureWorks RedCloak™ endpoint information. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "assetEndpointInfo": {
      "hostId": "",
      "hostName": "",
      "actualIsolationStatus": "",
      "allowedDomain": "",
      "desiredIsolationStatus": "",
      "firstConnectTime": "",
      "moduleHealth": {
        "enabled": "",
        "lastRunningTime": "",
        "moduleDisplayName": ""
      },
      "lastConnectAddress": "",
      "lastConnectTime": "",
      "sensorVersion": ""
    }
  }
}
```
Input parameters for the Get Investigations operation:
| Parameter | Description |
|---|---|
| Filter Asset State | Select the asset state to filter the investigations. You can select from the following options: |
| Query | Specify the CQL query to run when searching for investigations. By default, it runs the query `type in ('Security Investigation')`. For more information on CQL queries, refer to the Apache CQL documentation. |
| Order by Field | Select the criteria by which to order the investigations. You can select from the following options: |
| Order Direction | Select the order in which the investigations are listed. You can select from the following options: |
| Page | Specify the page number from which you want to fetch the investigations. |
| Per Page | Specify the number of investigations to be shown per page. You can specify a maximum value of 100. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "Investigations": [
      {
        "archived_at": "",
        "created_at": "",
        "description": "",
        "id": "",
        "key_findings": "",
        "priority": "",
        "service_desk_id": "",
        "service_desk_type": "",
        "status": "",
        "alerts2": [],
        "url": ""
      }
    ]
  }
}
```
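Two paging schemes appear in this connector: Get Alerts uses Limit/Offset together with a total_results count, while Get Investigations uses Page/Per Page capped at 100. The Python helpers below, added here and not part of the connector or of Fortinet's code, walk both schemes to completion over constructed in-memory records; the `fetch` callables, the record shape, and the 1-based page numbering are assumptions, not something the page states.

```python
from typing import Callable, Dict, Iterator, List, Tuple

PER_PAGE_MAX = 100  # documented upper bound for "Per Page" on Get Investigations


def offset_for_last(total_results: int, wanted: int) -> int:
    """Offset that selects the last `wanted` records of `total_results` (500 and 100 give 400)."""
    if total_results < 0 or wanted < 0:
        raise ValueError("counts must be non-negative")
    return max(total_results - wanted, 0)


def iter_by_offset(fetch: Callable[[int, int], Dict], limit: int) -> Iterator[Dict]:
    """Walk a Limit/Offset result set (Get Alerts style).

    `fetch(limit, offset)` must return {"total_results": int, "alerts": [...]}.
    The walk stops once the offset reaches total_results, and also on an empty
    page, so a server that over-reports the total cannot keep the loop alive.
    """
    if limit <= 0:
        raise ValueError("limit must be positive")
    offset = 0
    while True:
        page = fetch(limit, offset)
        rows = page.get("alerts", [])
        if not rows:
            return
        yield from rows
        offset += len(rows)
        if offset >= page.get("total_results", 0):
            return


def iter_by_page(fetch: Callable[[int, int], List[Dict]], per_page: int) -> Iterator[Dict]:
    """Walk a Page/Per Page result set (Get Investigations style).

    `fetch(page, per_page)` returns the rows of that page. per_page is clamped
    to PER_PAGE_MAX, the documented maximum; pages are assumed to start at 1
    (assumption, not stated on the page). A short page ends the walk.
    """
    per_page = min(max(per_page, 1), PER_PAGE_MAX)
    page_no = 1
    while True:
        rows = fetch(page_no, per_page)
        if not rows:
            return
        yield from rows
        if len(rows) < per_page:
            return
        page_no += 1


def make_fake_fetchers(n: int) -> Tuple[Callable, Callable, Dict[str, int]]:
    """Constructed stand-ins for the two connector operations over n synthetic records."""
    records = [{"id": f"rec-{i:04d}"} for i in range(n)]
    calls = {"offset": 0, "page": 0}

    def by_offset(limit: int, offset: int) -> Dict:
        calls["offset"] += 1
        return {"total_results": n, "alerts": records[offset:offset + limit]}

    def by_page(page: int, per_page: int) -> List[Dict]:
        calls["page"] += 1
        start = (page - 1) * per_page
        return records[start:start + per_page]

    return by_offset, by_page, calls


def collect_all(n: int = 230) -> Dict[str, object]:
    """Drain n records through both schemes and report rows seen and requests made."""
    by_offset, by_page, calls = make_fake_fetchers(n)
    alerts = list(iter_by_offset(by_offset, limit=100))
    investigations = list(iter_by_page(by_page, per_page=250))  # clamped to 100
    return {
        "alerts": len(alerts),
        "investigations": len(investigations),
        "offset_requests": calls["offset"],
        "page_requests": calls["page"],
        "last_alert": alerts[-1]["id"] if alerts else None,
    }


if __name__ == "__main__":
    print(offset_for_last(500, 100))  # 400
    print(collect_all())
```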
Input parameters for the Get Investigations Alerts operation:
| Parameter | Description |
|---|---|
| Investigation ID | Specify the investigation ID whose list of alerts you want to fetch. |
| Page | Specify the page number from which you want to fetch the alerts. |
| Per Page | Specify the number of alerts to be shown per page. You can specify a maximum value of 100. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "InvestigationAlerts": [
      {
        "id": "",
        "description": "",
        "message": "",
        "severity": ""
      }
    ]
  }
}
```
Input parameters for the Get Playbook Execution operation:
| Parameter | Description |
|---|---|
| Playbook Execution ID | Specify the playbook execution ID whose state you want to fetch. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "PlaybookExecution": {
      "createdAt": "",
      "executionTime": "",
      "id": "",
      "inputs": {
        "alert": {
          "message": ""
        }
      },
      "instance": {
        "name": "",
        "playbook": {
          "name": ""
        }
      },
      "outputs": "",
      "state": "",
      "updatedAt": ""
    }
  }
}
```
Input parameters for the Get User by ID operation:
| Parameter | Description |
|---|---|
| User ID | Specify the user ID whose details you want to fetch. |
| Tenant ID | Specify the tenant ID of which the specified user is a member. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "Users": [
      {
        "email": "",
        "family_name": "",
        "given_name": "",
        "status": "",
        "user_id": ""
      }
    ]
  }
}
```
Input parameters for the Isolate Assets operation:
| Parameter | Description |
|---|---|
| Asset ID | Specify the ID of the asset that you want to isolate. |
| Reason of Isolation | Specify a reason for isolating the specified asset. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "AssetIsolation": {
      "id": ""
    }
  }
}
```
Input parameters for the Update Alert Status operation:
| Parameter | Description |
|---|---|
| Alert IDs | Specify the IDs of the alerts, as comma-separated values, whose resolution status you want to update. |
| Resolution Status | Specify the resolution status you want to apply to the specified alerts. |
| Reason of Status Change | Specify a reason for updating the status of the specified alerts. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "AlertStatusUpdate": {
      "reason": "",
      "resolution_status": ""
    }
  }
}
```
Input parameters for the Update Investigation operation:
| Parameter | Description |
|---|---|
| Investigation ID | Specify the ID of the investigation whose fields you want to update. |
| Description of Investigation | Specify a description to update for the specified investigation. |
| Key Findings | Specify the key findings to update for the specified investigation. |
| Investigation's Priority | Specify the priority of the investigation, in the range 1-5, to update in the specified investigation. |
| Investigation's Status | Select the status of the investigation. You can select from the following options: |
| Assignee ID | Specify the ID of the user to whom this investigation is to be assigned. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "updateInvestigation": {
      "id": "",
      "tenant_id": "",
      "tags": [],
      "alerts": [],
      "events": [],
      "assets": [],
      "auth_credentials": [],
      "key_findings": "",
      "description": "",
      "created_at": "",
      "updated_at": "",
      "created_by": "",
      "status": "",
      "contributors": [],
      "service_desk_id": "",
      "service_desk_type": "",
      "assignee_id": "",
      "assignee": "",
      "priority": "",
      "type": "",
      "closeReason": "",
      "alerts_count": "",
      "events_count": "",
      "rn": "",
      "shortId": ""
    }
  }
}
```
Input parameters for the Create Investigation operation:
| Parameter | Description |
|---|---|
| Description of Investigation | Specify a description to add to the investigation being created. |
| Key Findings | Specify the key findings to add to the investigation being created. |
| Investigation's Priority | Specify the priority of the investigation, in the range 1-5, to set for the investigation being created. |
| Investigation's Status | Select the status of the investigation being created. You can choose from the following options: |
| Assignee ID | Specify the ID of the user to whom the investigation being created is to be assigned. |
| Alert ID | Specify the ID of the alert to add to the investigation being created. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "createInvestigation": {
      "id": "",
      "rn": "",
      "tags": [],
      "type": "",
      "alerts": [],
      "assets": [],
      "events": [],
      "status": "",
      "shortId": "",
      "assignee": "",
      "priority": "",
      "tenant_id": "",
      "created_at": "",
      "created_by": "",
      "updated_at": "",
      "assignee_id": "",
      "closeReason": "",
      "description": "",
      "alerts_count": "",
      "contributors": [],
      "events_count": "",
      "key_findings": "",
      "service_desk_id": "",
      "auth_credentials": [],
      "service_desk_type": ""
    }
  }
}
```
Input parameters for the Unarchive Investigation operation:
| Parameter | Description |
|---|---|
| Investigation ID | Specify the ID of the investigation that you want to unarchive. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "UnarchivedInvestigation": {
      "id": ""
    }
  }
}
```
Input parameters for the Add Alerts to Investigation operation:
| Parameter | Description |
|---|---|
| Investigation ID | Specify the ID of the investigation to which the specified alert is to be added. |
| Alert ID | Specify the ID of the alert to add to this investigation. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "InvestigationEvidenceUpdate": {
      "investigationId": ""
    }
  }
}
```
Input parameters for the Add Events to Investigation operation:
| Parameter | Description |
|---|---|
| Investigation ID | Specify the ID of the investigation to which the specified event is to be added. |
| Event ID | Specify the ID of the event to add to this investigation. |
The output contains the following populated JSON schema:
```json
{
  "TaegisXDR": {
    "InvestigationEvidenceUpdate": {
      "investigationId": ""
    }
  }
}
```
Input parameters for the Create Comment operation:
| Parameter | Description |
|---|---|
| Investigation ID | Specify the ID of the investigation to which the specified comment is to be added. |
| Comment | Specify a comment to add to this investigation. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "addCommentToInvestigation": {
      "id": "",
      "author": "",
      "comment": "",
      "authorId": "",
      "tenantId": "",
      "createdAt": "",
      "readByIds": [],
      "updatedAt": "",
      "isInternal": "",
      "mentionsIds": [],
      "investigationId": ""
    }
  }
}
```
Input parameters for the Execute Playbook operation:
| Parameter | Description |
|---|---|
| Playbook ID | Specify the ID of the playbook to be executed. |
| JSON Parameters | Specify the inputs, as a JSON object, to pass to the playbook execution. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "executePlaybookInstance": {
      "id": "",
      "runId": "",
      "state": "",
      "inputs": {},
      "tenant": "",
      "outputs": "",
      "createdAt": "",
      "createdBy": "",
      "updatedAt": "",
      "updatedBy": ""
    }
  }
}
```
The Sample - Taegis XDR - 1.1.0 playbook collection comes bundled with the Taegis XDR connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Taegis XDR connector.
NOTE: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is overwritten during a connector upgrade and deleted during connector uninstall.