# Splunk TruSTAR
The TruSTAR connector for Turbine provides an integration with TruSTAR's intelligence platform. TruSTAR is a threat intelligence platform that allows for collection, enrichment, and operationalization of threat data. The integration with Turbine allows for automated and streamlined workflows, making it easier for security teams to prioritize and respond to threats.

With the Turbine TruSTAR integration, you can automate the process of ingesting threat intelligence data, enriching alerts with this data, and taking actions based on the intelligence provided. This can greatly enhance the speed and effectiveness of threat detection and response.

## Prerequisites

Before you can use the TruSTAR connector for Turbine, you'll need access to the TruSTAR API. This requires an API key and OAuth2 authorization. Additionally, you'll need to understand the specific request parameters and schemas for the various API endpoints, as well as the responses that they return.

## Limitations

The TruSTAR API has certain limitations. For example, when searching for indicators, the time range values for the start and end of the time window must not exceed a maximum size of 1 year. Additionally, the query term for searching must be at least 3 characters in length. Please refer to the TruSTAR API documentation for detailed information about these limitations.

## References

- https://docs.trustar.co/api/v20/index.html

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token URL | | string | required |
| Client ID | The API key | string | required |
| Client Secret | The API secret | string | required |
| Scope | Permission scopes for this action | array | optional |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Create workflow

Create a new workflow. A company cannot create more than 5 workflows. There cannot be more than 10 source enclaves per workflow.

**Endpoint URL:** `/api/2.0/workflows`
**Method:** POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | optional | Name of the resource |
| workflowConfig | object | optional | Parameter for Create workflow |
| workflowConfig.type | string | optional | Type of the resource |
| workflowConfig.workflowConfigIndicatorPrioritization | object | optional | Parameter for Create workflow |
| workflowConfig.workflowSource | object | optional | Parameter for Create workflow |
| workflowConfig.workflowDestination | object | optional | Parameter for Create workflow |
| workflowConfig.observableTypes | array | optional | Type of the resource |
| workflowConfig.priorityScores | array | optional | Parameter for Create workflow |
| safelistGuids | array | optional | Unique identifier |

Input example:

```json
{"json_body": {"name": "string value", "workflowConfig": {"type": "string value", "workflowConfigIndicatorPrioritization": {}, "workflowSource": {}, "workflowDestination": {}, "observableTypes": ["string value 1"], "priorityScores": ["string value 2"]}, "safelistGuids": ["string value 3"]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.guid | string | Unique identifier |
| response.name | string | Name of the resource |
| response.created | number | Output field response.created |
| response.updated | number | Output field response.updated |
| response.workflowConfig | object | Output field response.workflowConfig |
| response.workflowConfig.type | string | Type of the resource |
| response.workflowConfig.workflowSource | object | Output field response.workflowConfig.workflowSource |
| response.workflowConfig.workflowDestination | object | Output field response.workflowConfig.workflowDestination |
| response.safelistGuids | array | Unique identifier |

Output example:

```json
{"response": {"guid": "string", "name": "string", "created": 0, "updated": 0, "workflowConfig": {"type": "INDICATOR_PRIORITIZATION", "workflowSource": {}, "workflowDestination": {}}, "safelistGuids": ["string"]}}
```

### Delete workflow

Delete an existing workflow.

**Endpoint URL:** `/api/2.0/workflows/{{id}}`
**Method:** DELETE

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | optional | Parameters for the Delete workflow action |

Input example:

```json
{"path_parameters": {"id": "the unique guid for the workflow"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |

Output example:

```json
{"response": {}}
```

### Get enclaves

Get the list of all enclaves that the user has access to.

**Endpoint URL:** `/api/2.0/enclaves`
**Method:** GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.name | string | Name of the resource |
| response.templateName | string | Name of the resource |
| response.workflowSupported | boolean | Output field response.workflowSupported |
| response.read | boolean | Output field response.read |
| response.create | boolean | Output field response.create |
| response.update | boolean | Date value |
| response.id | string | Unique identifier |
| response.type | string | Type of the resource |

Output example:

```json
{"response": [{"name": "string", "templateName": "string", "workflowSupported": true, "read": true, "create": true, "update": true, "id": "string", "type": "OPEN"}]}
```

### Get observables for submission

Find all observables contained in a submission.

**Endpoint URL:** `/api/2.0/observables`
**Method:** GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.submissionId | string | required | Parameters for the Get observables for submission action |
| parameters.idType | string | optional | Parameters for the Get observables for submission action |
| parameters.enclaveGuid | string | optional | Parameters for the Get observables for submission action |
| parameters.pageSize | number | optional | Parameters for the Get observables for submission action |
| parameters.pageNumber | number | optional | Parameters for the Get observables for submission action |

Input example:

```json
{"parameters": {"submissionId": "abc123", "idType": "INTERNAL", "enclaveGuid": "guid123", "pageSize": 100, "pageNumber": 0}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.content | array | Response content |
| response.content.value | string | Value for the parameter |
| response.content.type | string | Type of the resource |
| response.pageable | object | Output field response.pageable |
| response.pageable.unpaged | boolean | Output field response.pageable.unpaged |
| response.pageable.pageNumber | number | Output field response.pageable.pageNumber |
| response.pageable.pageSize | number | Output field response.pageable.pageSize |
| response.pageable.paged | boolean | Output field response.pageable.paged |
| response.pageable.sort | object | Output field response.pageable.sort |
| response.pageable.sort.unsorted | boolean | Output field response.pageable.sort.unsorted |
| response.pageable.sort.sorted | boolean | Output field response.pageable.sort.sorted |
| response.pageable.sort.empty | boolean | Output field response.pageable.sort.empty |
| response.pageable.offset | number | Output field response.pageable.offset |
| response.numberOfElements | number | Output field response.numberOfElements |
| response.first | boolean | Output field response.first |
| response.sort | object | Output field response.sort |
| response.sort.unsorted | boolean | Output field response.sort.unsorted |
| response.sort.sorted | boolean | Output field response.sort.sorted |
| response.sort.empty | boolean | Output field response.sort.empty |
| response.last | boolean | Output field response.last |
| response.size | number | Output field response.size |
| response.number | number | Output field response.number |
| response.empty | boolean | Output field response.empty |

Output example:

```json
{"response": {"content": [{}], "pageable": {"unpaged": true, "pageNumber": 0, "pageSize": 0, "paged": true, "sort": {}, "offset": 0}, "numberOfElements": 0, "first": true, "sort": {"unsorted": true, "sorted": true, "empty": true}, "last": true, "size": 0, "number": 0, "empty": true}}
```

### Get submission status

Find and return the processing status of the submission.

**Endpoint URL:** `/api/2.0/submissions/{{id}}/status`
**Method:** GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Get submission status action |

Input example:

```json
{"path_parameters": {"id": "the unique guid for the workflow"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.id | string | Unique identifier |
| response.status | string | Status value |
| response.errorMessage | string | Response message |

Output example:

```json
{"response": {"id": "string", "status": "SUBMISSION_PROCESSING", "errorMessage": "string"}}
```

### Get workflow

Retrieve the workflow for the GUID.

**Endpoint URL:** `/api/2.0/workflows/{{id}}`
**Method:** GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Get workflow action |

Input example:

```json
{"path_parameters": {"id": "the unique guid for the workflow"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.guid | string | Unique identifier |
| response.name | string | Name of the resource |
| response.created | string | Output field response.created |
| response.updated | string | Output field response.updated |
| response.workflowConfig | object | Output field response.workflowConfig |
| response.workflowConfig.type | string | Type of the resource |
| response.workflowConfig.workflowConfigIndicatorPrioritization | object | Output field response.workflowConfig.workflowConfigIndicatorPrioritization |
| response.workflowConfig.workflowSource | object | Output field response.workflowConfig.workflowSource |
| response.workflowConfig.workflowDestination | object | Output field response.workflowConfig.workflowDestination |
| response.workflowConfig.observableTypes | array | Type of the resource |
| response.workflowConfig.priorityScores | array | Output field response.workflowConfig.priorityScores |
| response.safelistGuids | array | Unique identifier |

Output example:

```json
{"response": {"guid": "string value", "name": "string value", "created": "int64 value", "updated": "int64 value", "workflowConfig": {"type": "string value", "workflowConfigIndicatorPrioritization": {}, "workflowSource": {}, "workflowDestination": {}, "observableTypes": [], "priorityScores": []}, "safelistGuids": ["string value 2"]}}
```

### Get workflows

Get the workflows for this company.

**Endpoint URL:** `/api/2.0/workflows`
**Method:** GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.type | string | optional | Parameters for the Get workflows action |
| parameters.name | string | optional | Parameters for the Get workflows action |
| parameters.createdFrom | string | optional | Parameters for the Get workflows action |
| parameters.createdTo | string | optional | Parameters for the Get workflows action |
| parameters.updatedFrom | string | optional | Parameters for the Get workflows action |
| parameters.updatedTo | string | optional | Parameters for the Get workflows action |

Input example:

```json
{"parameters": {"type": "string value", "name": "string value", "createdFrom": "int64 value", "createdTo": "int64 value", "updatedFrom": "int64 value", "updatedTo": "int64 value"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.content | array | Response content |
| response.content.guid | string | Unique identifier |
| response.content.name | string | Name of the resource |
| response.content.created | number | Response content |
| response.content.updated | number | Response content |
| response.content.workflowConfig | object | Response content |
| response.content.workflowConfig.type | string | Type of the resource |
| response.content.workflowConfig.workflowSource | object | Response content |
| response.content.workflowConfig.workflowDestination | object | Response content |
| response.content.safelistGuids | array | Unique identifier |
| response.pageable | object | Output field response.pageable |
| response.pageable.unpaged | boolean | Output field response.pageable.unpaged |
| response.pageable.pageNumber | number | Output field response.pageable.pageNumber |
| response.pageable.pageSize | number | Output field response.pageable.pageSize |
| response.pageable.paged | boolean | Output field response.pageable.paged |
| response.pageable.sort | object | Output field response.pageable.sort |
| response.pageable.sort.unsorted | boolean | Output field response.pageable.sort.unsorted |
| response.pageable.sort.sorted | boolean | Output field response.pageable.sort.sorted |
| response.pageable.sort.empty | boolean | Output field response.pageable.sort.empty |
| response.pageable.offset | number | Output field response.pageable.offset |
| response.totalPages | number | Output field response.totalPages |
| response.totalElements | number | Output field response.totalElements |
| response.numberOfElements | number | Output field response.numberOfElements |
| response.first | boolean | Output field response.first |

Output example:

```json
{"response": {"content": [{}], "pageable": {"unpaged": true, "pageNumber": 0, "pageSize": 0, "paged": true, "sort": {}, "offset": 0}, "totalPages": 0, "totalElements": 0, "numberOfElements": 0, "first": true, "sort": {"unsorted": true, "sorted": true, "empty": true}, "last": true, "empty": true, "size": 0, "number": 0}}
```

### Redact submission

Redact a submission using your company's redaction library. All terms from your current redaction library will be applied to the title and body of your submission.

**Endpoint URL:** `/api/2.0/submissions/redact`
**Method:** POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| title | string | optional | Parameter for Redact submission |
| content | string | optional | Response content |

Input example:

```json
{"json_body": {"title": "string value", "content": "string value 3"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.title | string | Output field response.title |
| response.content | string | Response content |

Output example:

```json
{"response": {"title": "string", "content": "string"}}
```

### Search indicators

Search for indicators and return a cursor page.

**Endpoint URL:** `/api/2.0/indicators/search`
**Method:** POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.pageSize | number | optional | Parameters for the Search indicators action |
| queryTerm | string | optional | Parameter for Search indicators |
| from | number | optional | Parameter for Search indicators |
| to | number | optional | Parameter for Search indicators |
| sortColumn | string | optional | Parameter for Search indicators |
| sortOrder | string | optional | Parameter for Search indicators |
| priorityScores | array | optional | Parameter for Search indicators |
| enclaveGuids | array | optional | Unique identifier |
| types | array | optional | Type of the resource |
| attributes | array | optional | Parameter for Search indicators |
| attributes.value | string | optional | Value for the parameter |
| attributes.type | string | optional | Type of the resource |
| includedTags | array | optional | Parameter for Search indicators |
| excludedTags | array | optional | Parameter for Search indicators |
| cursor | string | optional | Parameter for Search indicators |
| includeSafelisted | boolean | optional | Parameter for Search indicators |

Input example:

```json
{"parameters": {"pageSize": 999}, "json_body": {"queryTerm": "string", "from": 0, "to": 0, "sortColumn": "CREATED", "sortOrder": "ASC", "priorityScores": [0], "enclaveGuids": ["string"], "types": ["IP4"], "attributes": [{"value": "string", "type": "THREAT_ACTOR"}], "includedTags": ["string"], "excludedTags": ["string"], "cursor": "string", "includeSafelisted": true}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.items | array | Output field response.items |
| response.items.guid | string | Unique identifier |
| response.items.enclaveGuid | string | Unique identifier |
| response.items.workflowGuid | string | Unique identifier |
| response.items.observable | object | Output field response.items.observable |
| response.items.observable.value | string | Value for the parameter |
| response.items.observable.type | string | Type of the resource |
| response.items.priorityScore | string | Score value |
| response.items.attributes | array | Output field response.items.attributes |
| response.items.attributes.value | string | Value for the parameter |
| response.items.attributes.type | string | Type of the resource |
| response.items.userTags | array | Output field response.items.userTags |
| response.items.submissionTags | array | Output field response.items.submissionTags |
| response.items.scoreContexts | array | Output field response.items.scoreContexts |
| response.items.scoreContexts.enclaveGuid | string | Unique identifier |
| response.items.scoreContexts.sourceName | string | Name of the resource |
| response.items.scoreContexts.normalizedScore | number | Score value |
| response.items.scoreContexts.weight | number | Output field response.items.scoreContexts.weight |
| response.items.scoreContexts.properties | object | Output field response.items.scoreContexts.properties |
| response.items.scoreContexts.properties.property1 | array | Output field response.items.scoreContexts.properties.property1 |
| response.items.scoreContexts.properties.property2 | array | Output field response.items.scoreContexts.properties.property2 |
| response.items.created | number | Output field response.items.created |
| response.items.updated | number | Output field response.items.updated |
| response.items.processedAt | number | Output field response.items.processedAt |

Output example:

```json
{"response": {"items": [{}], "responseMetadata": {"nextCursor": "string", "totalItems": 0}}}
```

### Search observables

Search observables according to specified criteria.

**Endpoint URL:** `/api/2.0/observables/search`
**Method:** POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.pageSize | number | optional | Parameters for the Search observables action |
| queryTerm | string | optional | Parameter for Search observables |
| from | number | optional | Parameter for Search observables |
| to | number | optional | Parameter for Search observables |
| sortColumn | string | optional | Parameter for Search observables |
| sortOrder | string | optional | Parameter for Search observables |
| enclaveGuids | array | optional | Unique identifier |
| types | array | optional | Type of the resource |
| includedTags | array | optional | Parameter for Search observables |
| excludedTags | array | optional | Parameter for Search observables |
| cursor | string | optional | Parameter for Search observables |

Input example:

```json
{"parameters": {"pageSize": 999}, "json_body": {"queryTerm": "string", "from": 0, "to": 0, "sortColumn": "FIRST_SEEN", "sortOrder": "ASC", "enclaveGuids": ["string"], "types": ["IP4"], "includedTags": ["string"], "excludedTags": ["string"], "cursor": "string"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.items | array | Output field response.items |
| response.items.type | string | Type of the resource |
| response.items.value | string | Value for the parameter |
| response.items.firstSeen | number | Output field response.items.firstSeen |
| response.items.lastSeen | number | Output field response.items.lastSeen |
| response.items.enclaveGuids | array | Unique identifier |
| response.items.tags | array | Output field response.items.tags |
| response.responseMetadata | object | Response data |
| response.responseMetadata.nextCursor | string | Response data |
| response.responseMetadata.totalItems | number | Response data |

Output example:

```json
{"response": {"items": [{}], "responseMetadata": {"nextCursor": "string", "totalItems": 0}}}
```

### Search submission

Search for submissions (intel, events and indicators) and return a cursor page.

**Endpoint URL:** `/api/2.0/submissions/search`
**Method:** POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.pageSize | number | optional | Parameters for the Search submission action |
| queryTerm | string | optional | Parameter for Search submission |
| from | string | optional | Parameter for Search submission |
| to | string | optional | Parameter for Search submission |
| enclaveGuids | array | optional | Unique identifier |
| includedTags | array | optional | Parameter for Search submission |
| excludedTags | array | optional | Parameter for Search submission |
| cursor | string | optional | Parameter for Search submission |
| sortColumn | string | optional | Parameter for Search submission |

Input example:

```json
{"parameters": {"pageSize": 999}, "json_body": {"queryTerm": "string value", "from": "int64 value", "to": "int64 value", "enclaveGuids": ["string value 1"], "includedTags": ["string value 2"], "excludedTags": ["string value 3"], "cursor": "string value 4", "sortColumn": "sort enum"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.items | array | Output field response.items |
| response.items.guid | string | Unique identifier |
| response.items.enclaveGuid | string | Unique identifier |
| response.items.title | string | Output field response.items.title |
| response.items.created | number | Output field response.items.created |
| response.items.updated | number | Output field response.items.updated |
| response.items.tags | array | Output field response.items.tags |
| response.responseMetadata | object | Response data |
| response.responseMetadata.nextCursor | string | Response data |
| response.responseMetadata.totalItems | number | Response data |

Output example:

```json
{"response": {"items": [{}], "responseMetadata": {"nextCursor": "string", "totalItems": 0}}}
```

### Update workflow

Update an existing workflow. A company cannot create more than 5 workflows. There cannot be more than 10 source enclaves per workflow.

**Endpoint URL:** `/api/2.0/workflows/{{id}}`
**Method:** PUT

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Update workflow action |
| name | string | optional | Name of the resource |
| workflowConfig | object | optional | Parameter for Update workflow |
| workflowConfig.type | string | optional | Type of the resource |
| workflowConfig.workflowConfigIndicatorPrioritization | object | optional | Parameter for Update workflow |
| workflowConfig.workflowSource | object | optional | Parameter for Update workflow |
| workflowConfig.workflowDestination | object | optional | Parameter for Update workflow |
| workflowConfig.observableTypes | array | optional | Type of the resource |
| workflowConfig.priorityScores | array | optional | Parameter for Update workflow |
| safelistGuids | array | optional | Unique identifier |

Input example:

```json
{"json_body": {"name": "string value", "workflowConfig": {"type": "string value", "workflowConfigIndicatorPrioritization": {}, "workflowSource": {}, "workflowDestination": {}, "observableTypes": ["string value 1"], "priorityScores": ["string value 2"]}, "safelistGuids": ["string value 3"]}, "path_parameters": {"id": "the unique guid for the workflow"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.guid | string | Unique identifier |
| response.name | string | Name of the resource |
| response.created | number | Output field response.created |
| response.updated | number | Output field response.updated |
| response.workflowConfig | object | Output field response.workflowConfig |
| response.workflowConfig.type | string | Type of the resource |
| response.workflowConfig.workflowSource | object | Output field response.workflowConfig.workflowSource |
| response.workflowConfig.workflowDestination | object | Output field response.workflowConfig.workflowDestination |
| response.safelistGuids | array | Unique identifier |

Output example:

```json
{"response": {"guid": "string", "name": "string", "created": 0, "updated": 0, "workflowConfig": {"type": "INDICATOR_PRIORITIZATION", "workflowSource": {}, "workflowDestination": {}}, "safelistGuids": ["string"]}}
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
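The Search indicators action returns a cursor page, and the Limitations section bounds the search window (1 year) and the query term (3 characters). This added example, which is not code from the Splunk connector docs or from TruSTAR, builds a valid Search indicators action input, rejects inputs that would break the stated limits, and drains every page through responseMetadata.nextCursor against a constructed in-memory stand-in for the API. The epoch-millisecond encoding of from/to and the HIGH/LOW priorityScore values are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(days=365)  # stated limit: search window must not exceed 1 year
MIN_QUERY_LEN = 3                 # stated limit: query term must be at least 3 characters


def to_millis(dt):
    """Encode 'from'/'to' as epoch milliseconds (assumption based on the int64 examples)."""
    return int(dt.timestamp() * 1000)


def window(days, start=datetime(2024, 1, 1, tzinfo=timezone.utc)):
    """Constructed helper: a (start, end) pair `days` wide, beginning 2024-01-01 UTC."""
    return start, start + timedelta(days=days)


def build_search_indicators_input(query_term, start, end, page_size=100, types=None):
    """Return the Turbine action input ({"parameters": ..., "json_body": ...}) for
    Search indicators, or raise ValueError when it would violate a stated limit."""
    if len(query_term) < MIN_QUERY_LEN:
        raise ValueError("queryTerm must be at least %d characters" % MIN_QUERY_LEN)
    if end <= start:
        raise ValueError("'to' must be later than 'from'")
    if end - start > MAX_WINDOW:
        raise ValueError("time window must not exceed 1 year")
    body = {"queryTerm": query_term, "from": to_millis(start), "to": to_millis(end),
            "sortColumn": "CREATED", "sortOrder": "ASC"}
    if types:
        body["types"] = list(types)
    return {"parameters": {"pageSize": page_size}, "json_body": body}


def iter_indicator_pages(post, action_input):
    """Yield the items of every cursor page. `post(parameters, json_body)` is the
    transport; each follow-up request carries responseMetadata.nextCursor as `cursor`."""
    body = dict(action_input["json_body"])
    seen = set()
    while True:
        resp = post(action_input["parameters"], body)["response"]
        yield resp.get("items", [])
        cursor = resp.get("responseMetadata", {}).get("nextCursor")
        if not cursor or cursor in seen:  # empty cursor ends the set; a repeat would loop forever
            return
        seen.add(cursor)
        body["cursor"] = cursor


# Constructed in-memory stand-in for the API, keyed by the cursor the client sends.
FAKE_PAGES = {
    None: {"items": [{"guid": "ind-1", "observable": {"type": "IP4", "value": "203.0.113.10"}, "priorityScore": "HIGH"},
                     {"guid": "ind-2", "observable": {"type": "IP4", "value": "203.0.113.11"}, "priorityScore": "LOW"}],
           "responseMetadata": {"nextCursor": "c1", "totalItems": 4}},
    "c1": {"items": [{"guid": "ind-3", "observable": {"type": "IP4", "value": "203.0.113.12"}, "priorityScore": "HIGH"},
                     {"guid": "ind-4", "observable": {"type": "URL", "value": "http://example.test/x"}, "priorityScore": "HIGH"}],
           "responseMetadata": {"nextCursor": "", "totalItems": 4}},
}


def fake_post(parameters, json_body):
    """Mimics POST /api/2.0/indicators/search using the constructed pages above."""
    assert parameters["pageSize"] >= 1
    return {"response": FAKE_PAGES[json_body.get("cursor")]}


def collect_high_priority_ips(post, action_input):
    """Walk every page and return the IP4 observables scored HIGH, sorted."""
    return sorted(item["observable"]["value"]
                  for page in iter_indicator_pages(post, action_input)
                  for item in page
                  if item["observable"]["type"] == "IP4" and item["priorityScore"] == "HIGH")


if __name__ == "__main__":
    start, end = window(30)
    print(collect_high_priority_ips(fake_post, build_search_indicators_input("203.0.113", start, end, types=["IP4"])))
```

Swap `fake_post` for a function that performs the authenticated POST to `/api/2.0/indicators/search` to use the same paging loop against the real endpoint.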