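---
# Naftiko capability definition for Secureworks Taegis XDR.
# Layout: `binds` resolves credentials from the environment, `capability.consumes`
# declares the upstream Taegis HTTP API, and `capability.exposes` republishes it
# as a REST service (port 8080) and an MCP tool server (port 9090).
naftiko: 1.0.0-alpha2

info:
  label: Secureworks Taegis Threat Detection and Response
  description: >-
    Unified threat detection and response capability for the Secureworks Taegis
    XDR platform. Enables SOC analysts and security engineers to query alerts,
    manage investigations, monitor endpoint assets, and enrich findings with
    threat intelligence across the entire Taegis security telemetry pipeline.
  tags:
    - XDR
    - Threat Detection
    - Incident Response
    - Security Operations
    - Cybersecurity
    - MDR
  # Quoted so YAML keeps them as strings instead of timestamp objects.
  created: '2026-05-02'
  modified: '2026-05-06'

# Credentials come from environment variables; no secret material lives in this file.
binds:
  - namespace: env
    keys:
      TAEGIS_CLIENT_ID: TAEGIS_CLIENT_ID
      TAEGIS_CLIENT_SECRET: TAEGIS_CLIENT_SECRET

capability:
  consumes:
    - type: http
      namespace: taegis-xdr
      baseUri: https://api.ctpx.secureworks.com
      description: Secureworks Taegis XDR GraphQL API
      authentication:
        type: bearer
        # NOTE(review): TAEGIS_ACCESS_TOKEN is not declared under `binds` (only the
        # client id/secret are), and nothing in this file routes the output of
        # get-access-token into it — confirm how the runtime resolves this value.
        token: '{{TAEGIS_ACCESS_TOKEN}}'
      resources:
        - name: graphql
          path: /graphql
          description: Taegis XDR GraphQL endpoint
          # Every operation below forwards a caller-supplied GraphQL document
          # (tools.query / tools.mutation) verbatim to the same endpoint; the
          # operation name documents intent but does not constrain the document.
          operations:
            - name: query-alerts
              method: POST
              description: Query alerts from the Taegis XDR platform
              body:
                type: json
                data:
                  query: '{{tools.query}}'
                  variables: '{{tools.variables}}'
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  # Whole response body, passed through unmodified.
                  value: $.
            - name: query-investigations
              method: POST
              description: Query investigations in the Taegis XDR platform
              body:
                type: json
                data:
                  query: '{{tools.query}}'
                  variables: '{{tools.variables}}'
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: query-endpoint-assets
              method: POST
              description: Query endpoint asset inventory
              body:
                type: json
                data:
                  query: '{{tools.query}}'
                  variables: '{{tools.variables}}'
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: query-threat-intelligence
              method: POST
              description: Query threat intelligence indicators
              body:
                type: json
                data:
                  query: '{{tools.query}}'
                  variables: '{{tools.variables}}'
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: mutate-investigation
              method: POST
              description: Create or update an investigation
              body:
                type: json
                data:
                  # Takes tools.mutation rather than tools.query; callers of this
                  # operation must map the `mutation` key (see create-investigation).
                  query: '{{tools.mutation}}'
                  variables: '{{tools.variables}}'
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth
          path: /auth/api/v2/auth/token
          description: OAuth2 token endpoint
          operations:
            - name: get-access-token
              method: POST
              description: Obtain OAuth2 bearer token using client credentials
              body:
                type: json
                data:
                  # NOTE(review): only grant_type is sent; the bound TAEGIS_CLIENT_ID /
                  # TAEGIS_CLIENT_SECRET are not referenced by this operation or
                  # anywhere else in the file — confirm the runtime injects them,
                  # otherwise this request has no credentials to present.
                  grant_type: client_credentials
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

  exposes:
    - type: rest
      port: 8080
      namespace: threat-detection-api
      description: Unified REST API for Secureworks Taegis threat detection and response.
      resources:
        - path: /v1/alerts
          name: alerts
          description: Security alert queries
          operations:
            - method: POST
              name: query-alerts
              description: Query security alerts with GraphQL filters
              call: taegis-xdr.query-alerts
              with:
                query: rest.query
                variables: rest.variables
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/investigations
          name: investigations
          description: Investigation management
          operations:
            - method: POST
              name: query-investigations
              description: Query security investigations
              call: taegis-xdr.query-investigations
              # Mirrors the query-alerts mapping above; the original omitted `with:`,
              # leaving the upstream `{{tools.query}}` placeholder with no source in
              # this file.
              with:
                query: rest.query
                variables: rest.variables
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/assets
          name: endpoint-assets
          description: Endpoint asset inventory
          operations:
            - method: POST
              name: query-endpoint-assets
              description: Query endpoint assets and agents
              call: taegis-xdr.query-endpoint-assets
              # Same mapping as query-alerts; added for consistency with the REST
              # and MCP callers of the other GraphQL operations.
              with:
                query: rest.query
                variables: rest.variables
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/threat-intelligence
          name: threat-intelligence
          description: Threat intelligence indicators
          operations:
            - method: POST
              name: query-threat-intelligence
              description: Query threat intelligence data
              call: taegis-xdr.query-threat-intelligence
              # Same mapping as query-alerts; added for consistency.
              with:
                query: rest.query
                variables: rest.variables
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      port: 9090
      namespace: threat-detection-mcp
      transport: http
      description: MCP server for AI-assisted threat detection and response with Secureworks Taegis XDR.
      # The hints below are advisory annotations for the MCP client. Because each
      # tool forwards tools.query verbatim to /graphql, `readOnly: true` is not
      # enforced by this file; enforcement has to come from the API credential's
      # scope or a runtime check on the document — confirm which applies.
      tools:
        - name: query-xdr-alerts
          description: >-
            Query security alerts from Taegis XDR including severity, status,
            MITRE technique, and affected assets
          hints:
            readOnly: true
            openWorld: false
          call: taegis-xdr.query-alerts
          with:
            query: tools.query
            variables: tools.variables
          outputParameters:
            - type: object
              mapping: $.
        - name: query-investigations
          description: >-
            Query active and closed security investigations in Taegis XDR
            including priority, status, and assigned alerts
          hints:
            readOnly: true
            openWorld: false
          call: taegis-xdr.query-investigations
          with:
            query: tools.query
            variables: tools.variables
          outputParameters:
            - type: object
              mapping: $.
        - name: create-investigation
          description: >-
            Create a new security investigation in Taegis XDR to track and
            coordinate incident response
          # Only write-capable tool; it targets mutate-investigation, which reads
          # the `mutation` key instead of `query`.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: taegis-xdr.mutate-investigation
          with:
            mutation: tools.mutation
            variables: tools.variables
          outputParameters:
            - type: object
              mapping: $.
        - name: query-endpoint-assets
          description: >-
            Query the endpoint asset inventory including hostname, IP addresses,
            OS, agent version, and isolation status
          hints:
            readOnly: true
            openWorld: false
          call: taegis-xdr.query-endpoint-assets
          with:
            query: tools.query
            variables: tools.variables
          outputParameters:
            - type: object
              mapping: $.
        - name: query-threat-intelligence
          description: >-
            Query threat intelligence indicators (IPs, domains, URLs, file hashes)
            for malicious activity assessment
          hints:
            readOnly: true
            openWorld: false
          call: taegis-xdr.query-threat-intelligence
          with:
            query: tools.query
            variables: tools.variables
          outputParameters:
            - type: object
              mapping: $.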