Splunk Trustar
The TruSTAR connector for Turbine provides an integration with TruSTAR's intelligence platform. TruSTAR is a threat intelligence platform that allows for collection, enrichment, and operationalization of threat data. The integration with Turbine allows for automated and streamlined workflows, making it easier for security teams to prioritize and respond to threats.

With the Turbine TruSTAR integration, you can automate the process of ingesting threat intelligence data, enriching alerts with this data, and taking actions based on the intelligence provided. This can greatly enhance the speed and effectiveness of threat detection and response.

## Prerequisites

Before you can use the TruSTAR connector for Turbine, you'll need access to the TruSTAR API. This requires an API key and OAuth2 authorization. Additionally, you'll need to understand the specific request parameters and schemas for the various API endpoints, as well as the responses that they return.

## Limitations

The TruSTAR API has certain limitations. For example, when searching for indicators, the time range values for the start and end of the time window must not exceed a maximum size of 1 year. Additionally, the query term for searching must be at least 3 characters in length. Please refer to the TruSTAR API documentation for detailed information about these limitations.

## References

- TruSTAR API documentation: https://docs.trustar.co/api/v20/index.html

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token URL | | string | required |
| Client ID | The API key | string | required |
| Client Secret | The API secret | string | required |
| Scope | Permission scopes for this action | array | optional |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Create Workflow

Create a new workflow. A company cannot create more than 5 workflows. There cannot be more than 10 source enclaves per workflow.

Endpoint URL: `/api/2.0/workflows`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | Name of the resource |
| workflowConfig | object | required | Parameter for Create Workflow |
| type | string | optional | Type of the resource |
| workflowConfigIndicatorPrioritization | object | optional | Parameter for Create Workflow |
| workflowSource | object | optional | Parameter for Create Workflow |
| workflowDestination | object | optional | Parameter for Create Workflow |
| observableTypes | array | optional | Type of the resource |
| priorityScores | array | optional | Parameter for Create Workflow |
| safelistGuids | array | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| guid | string | Unique identifier |
| name | string | Name of the resource |
| created | number | Output field created |
| updated | number | Output field updated |
| workflowConfig | object | Output field workflowConfig |
| type | string | Type of the resource |
| workflowSource | object | Output field workflowSource |
| workflowDestination | object | Output field workflowDestination |
| safelistGuids | array | Unique identifier |

Example:

```json
[
  {
    "response": {
      "guid": "string",
      "name": "string",
      "created": 0,
      "updated": 0,
      "workflowConfig": {},
      "safelistGuids": []
    }
  }
]
```

### Delete Workflow

Delete an existing workflow.

Endpoint URL: `/api/2.0/workflows/{{id}}`

Method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | optional | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |

Example:

```json
[
  {
    "response": {}
  }
]
```

### Get Enclaves

Get the list of all enclaves that the user has access to.

Endpoint URL: `/api/2.0/enclaves`

Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| name | string | Name of the resource |
| templateName | string | Name of the resource |
| workflowSupported | boolean | Output field workflowSupported |
| read | boolean | Output field read |
| create | boolean | Output field create |
| update | boolean | Date value |
| id | string | Unique identifier |
| type | string | Type of the resource |

Example:

```json
[
  {
    "response": [
      {}
    ]
  }
]
```

### Get Observables for Submission

Find all observables contained in a submission.

Endpoint URL: `/api/2.0/observables`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| submissionId | string | required | Unique identifier |
| idType | string | optional | Unique identifier |
| enclaveGuid | string | optional | Unique identifier |
| pageSize | number | optional | Parameter for Get Observables for Submission |
| pageNumber | number | optional | Parameter for Get Observables for Submission |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| content | array | Response content |
| value | string | Value for the parameter |
| type | string | Type of the resource |
| pageable | object | Output field pageable |
| unpaged | boolean | Output field unpaged |
| pageNumber | number | Output field pageNumber |
| pageSize | number | Output field pageSize |
| paged | boolean | Output field paged |
| sort | object | Output field sort |
| unsorted | boolean | Output field unsorted |
| sorted | boolean | Output field sorted |
| empty | boolean | Output field empty |
| offset | number | Output field offset |
| numberOfElements | number | Output field numberOfElements |
| first | boolean | Output field first |
| sort | object | Output field sort |
| unsorted | boolean | Output field unsorted |
| sorted | boolean | Output field sorted |
| empty | boolean | Output field empty |
| last | boolean | Output field last |
| size | number | Output field size |
| number | number | Output field number |
| empty | boolean | Output field empty |

Example:

```json
[
  {
    "response": {
      "content": [],
      "pageable": {},
      "numberOfElements": 0,
      "first": true,
      "sort": {},
      "last": true,
      "size": 0,
      "number": 0,
      "empty": true
    }
  }
]
```

### Get Submission Status

Find and return the processing status of the submission.

Endpoint URL: `/api/2.0/submissions/{{id}}/status`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| id | string | Unique identifier |
| status | string | Status value |
| errorMessage | string | Response message |

Example:

```json
[
  {
    "response": {
      "id": "string",
      "status": "SUBMISSION_PROCESSING",
      "errorMessage": "string"
    }
  }
]
```

### Get Workflow

Retrieve the workflow for the GUID.

Endpoint URL: `/api/2.0/workflows/{{id}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| guid | string | Unique identifier |
| name | string | Name of the resource |
| created | string | Output field created |
| updated | string | Output field updated |
| workflowConfig | object | Output field workflowConfig |
| type | string | Type of the resource |
| workflowConfigIndicatorPrioritization | object | Output field workflowConfigIndicatorPrioritization |
| workflowSource | object | Output field workflowSource |
| workflowDestination | object | Output field workflowDestination |
| observableTypes | array | Type of the resource |
| priorityScores | array | Output field priorityScores |
| safelistGuids | array | Unique identifier |

Example:

```json
[
  {
    "response": {
      "guid": "string value",
      "name": "string value",
      "created": "int64 value",
      "updated": "int64 value",
      "workflowConfig": {},
      "safelistGuids": []
    }
  }
]
```

### Get Workflows

Get the workflows for this company.

Endpoint URL: `/api/2.0/workflows`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| type | string | optional | Type of the resource |
| name | string | optional | Name of the resource |
| createdFrom | string | optional | Parameter for Get Workflows |
| createdTo | string | optional | Parameter for Get Workflows |
| updatedFrom | string | optional | Parameter for Get Workflows |
| updatedTo | string | optional | Parameter for Get Workflows |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| content | array | Response content |
| guid | string | Unique identifier |
| name | string | Name of the resource |
| created | number | Output field created |
| updated | number | Output field updated |
| workflowConfig | object | Output field workflowConfig |
| type | string | Type of the resource |
| workflowSource | object | Output field workflowSource |
| workflowDestination | object | Output field workflowDestination |
| safelistGuids | array | Unique identifier |
| pageable | object | Output field pageable |
| unpaged | boolean | Output field unpaged |
| pageNumber | number | Output field pageNumber |
| pageSize | number | Output field pageSize |
| paged | boolean | Output field paged |
| sort | object | Output field sort |
| unsorted | boolean | Output field unsorted |
| sorted | boolean | Output field sorted |
| empty | boolean | Output field empty |
| offset | number | Output field offset |
| totalPages | number | Output field totalPages |
| totalElements | number | Output field totalElements |
| numberOfElements | number | Output field numberOfElements |
| first | boolean | Output field first |

Example:

```json
[
  {
    "response": {
      "content": [],
      "pageable": {},
      "totalPages": 0,
      "totalElements": 0,
      "numberOfElements": 0,
      "first": true,
      "sort": {},
      "last": true,
      "empty": true,
      "size": 0,
      "number": 0
    }
  }
]
```

### Redact Submission

Redact a submission using your company's redaction library. All terms from your current redaction library will be applied to the title and body of your submission.

Endpoint URL: `/api/2.0/submissions/redact`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| title | string | optional | Parameter for Redact Submission |
| content | string | optional | Response content |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| title | string | Output field title |
| content | string | Response content |

Example:

```json
[
  {
    "response": {
      "title": "string",
      "content": "string"
    }
  }
]
```

### Search Indicators

Search for indicators and return a cursor page.

Endpoint URL: `/api/2.0/indicators/search`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| pageSize | number | optional | Parameter for Search Indicators |
| queryTerm | string | optional | Parameter for Search Indicators |
| from | number | optional | Parameter for Search Indicators |
| to | number | optional | Parameter for Search Indicators |
| sortColumn | string | optional | Parameter for Search Indicators |
| sortOrder | string | optional | Parameter for Search Indicators |
| priorityScores | array | optional | Parameter for Search Indicators |
| enclaveGuids | array | optional | Unique identifier |
| types | array | optional | Type of the resource |
| attributes | array | optional | Parameter for Search Indicators |
| value | string | optional | Value for the parameter |
| type | string | optional | Type of the resource |
| includedTags | array | optional | Parameter for Search Indicators |
| excludedTags | array | optional | Parameter for Search Indicators |
| cursor | string | optional | Parameter for Search Indicators |
| includeSafelisted | boolean | optional | Parameter for Search Indicators |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| items | array | Output field items |
| guid | string | Unique identifier |
| enclaveGuid | string | Unique identifier |
| workflowGuid | string | Unique identifier |
| observable | object | Output field observable |
| value | string | Value for the parameter |
| type | string | Type of the resource |
| priorityScore | string | Score value |
| attributes | array | Output field attributes |
| value | string | Value for the parameter |
| type | string | Type of the resource |
| userTags | array | Output field userTags |
| submissionTags | array | Output field submissionTags |
| scoreContexts | array | Output field scoreContexts |
| enclaveGuid | string | Unique identifier |
| sourceName | string | Name of the resource |
| normalizedScore | number | Score value |
| weight | number | Output field weight |
| properties | object | Output field properties |
| property1 | array | Output field property1 |
| property2 | array | Output field property2 |
| created | number | Output field created |
| updated | number | Output field updated |
| processedAt | number | Output field processedAt |

Example:

```json
[
  {
    "response": {
      "items": [],
      "responseMetadata": {}
    }
  }
]
```

### Search Observables

Search observables according to specified criteria.

Endpoint URL: `/api/2.0/observables/search`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| pageSize | number | optional | Parameter for Search Observables |
| queryTerm | string | optional | Parameter for Search Observables |
| from | number | optional | Parameter for Search Observables |
| to | number | optional | Parameter for Search Observables |
| sortColumn | string | optional | Parameter for Search Observables |
| sortOrder | string | optional | Parameter for Search Observables |
| enclaveGuids | array | optional | Unique identifier |
| types | array | optional | Type of the resource |
| includedTags | array | optional | Parameter for Search Observables |
| excludedTags | array | optional | Parameter for Search Observables |
| cursor | string | optional | Parameter for Search Observables |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| items | array | Output field items |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| firstSeen | number | Output field firstSeen |
| lastSeen | number | Output field lastSeen |
| enclaveGuids | array | Unique identifier |
| tags | array | Output field tags |
| responseMetadata | object | Response data |
| nextCursor | string | Output field nextCursor |
| totalItems | number | Output field totalItems |

Example:

```json
[
  {
    "response": {
      "items": [],
      "responseMetadata": {}
    }
  }
]
```

### Search Submission

Search for submissions (intel, events and indicators) and return a cursor page.

Endpoint URL: `/api/2.0/submissions/search`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| pageSize | number | optional | Parameter for Search Submission |
| queryTerm | string | optional | Parameter for Search Submission |
| from | string | optional | Parameter for Search Submission |
| to | string | optional | Parameter for Search Submission |
| enclaveGuids | array | optional | Unique identifier |
| includedTags | array | optional | Parameter for Search Submission |
| excludedTags | array | optional | Parameter for Search Submission |
| cursor | string | optional | Parameter for Search Submission |
| sortColumn | string | optional | Parameter for Search Submission |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| items | array | Output field items |
| guid | string | Unique identifier |
| enclaveGuid | string | Unique identifier |
| title | string | Output field title |
| created | number | Output field created |
| updated | number | Output field updated |
| tags | array | Output field tags |
| responseMetadata | object | Response data |
| nextCursor | string | Output field nextCursor |
| totalItems | number | Output field totalItems |

Example:

```json
[
  {
    "response": {
      "items": [],
      "responseMetadata": {}
    }
  }
]
```

### Update Workflow

Update an existing workflow. A company cannot create more than 5 workflows. There cannot be more than 10 source enclaves per workflow.

Endpoint URL: `/api/2.0/workflows/{{id}}`

Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| name | string | required | Name of the resource |
| workflowConfig | object | required | Parameter for Update Workflow |
| type | string | optional | Type of the resource |
| workflowConfigIndicatorPrioritization | object | optional | Parameter for Update Workflow |
| workflowSource | object | optional | Parameter for Update Workflow |
| workflowDestination | object | optional | Parameter for Update Workflow |
| observableTypes | array | optional | Type of the resource |
| priorityScores | array | optional | Parameter for Update Workflow |
| safelistGuids | array | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| guid | string | Unique identifier |
| name | string | Name of the resource |
| created | number | Output field created |
| updated | number | Output field updated |
| workflowConfig | object | Output field workflowConfig |
| type | string | Type of the resource |
| workflowSource | object | Output field workflowSource |
| workflowDestination | object | Output field workflowDestination |
| safelistGuids | array | Unique identifier |

Example:

```json
[
  {
    "response": {
      "guid": "string",
      "name": "string",
      "created": 0,
      "updated": 0,
      "workflowConfig": {},
      "safelistGuids": []
    }
  }
]
```
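The Search Indicators action above returns one cursor page per call, and the Limitations section sets a 1-year ceiling on the `from`/`to` window and a 3-character floor on `queryTerm`. The following added example (not part of the connector or of TruSTAR's own client) enforces those limits before a request is sent and follows `responseMetadata.nextCursor` until the results are exhausted. It assumes `from`/`to` are epoch milliseconds, and `send`, `fake_send` and the sample pages are constructed stand-ins for the HTTP layer.

```python
from datetime import datetime, timedelta, timezone

SEARCH_PATH = "/api/2.0/indicators/search"
MAX_WINDOW = timedelta(days=365)  # Limitations: the start/end window must not exceed 1 year
MIN_QUERY_LEN = 3                 # Limitations: the query term must be at least 3 characters


def build_indicator_search(query_term, start, end, enclave_guids=(),
                           page_size=100, include_safelisted=False, cursor=None):
    """Return the POST body for Search Indicators, rejecting inputs the API would refuse."""
    if len(query_term) < MIN_QUERY_LEN:
        raise ValueError(f"queryTerm must be at least {MIN_QUERY_LEN} characters")
    if end <= start or end - start > MAX_WINDOW:
        raise ValueError("'from'..'to' must be a forward window of at most 1 year")
    body = {
        "queryTerm": query_term,
        "from": int(start.timestamp() * 1000),  # assumption: epoch milliseconds
        "to": int(end.timestamp() * 1000),
        "pageSize": page_size,
        "includeSafelisted": include_safelisted,  # False keeps safelisted IOCs out of enrichment
    }
    if enclave_guids:
        body["enclaveGuids"] = list(enclave_guids)
    if cursor:
        body["cursor"] = cursor
    return body


def search_all_indicators(send, query_term, start, end, **kwargs):
    """Walk every cursor page; `send(path, body)` returns one page's parsed JSON."""
    items, cursor, seen = [], None, set()
    while True:
        page = send(SEARCH_PATH, build_indicator_search(query_term, start, end, cursor=cursor, **kwargs))
        items.extend(page.get("items", []))
        cursor = page.get("responseMetadata", {}).get("nextCursor")
        if not cursor or cursor in seen:  # end of results, or a cursor the API already handed out
            break
        seen.add(cursor)
    return items


FAKE_PAGES = {  # constructed stand-in for the HTTP layer: two cursor pages, then no nextCursor
    None: {"items": [{"observable": {"type": "IP4", "value": "203.0.113.5"}, "priorityScore": "HIGH"}],
           "responseMetadata": {"nextCursor": "c1", "totalItems": 2}},
    "c1": {"items": [{"observable": {"type": "MD5", "value": "d41d8cd98f00b204e9800998ecf8427e"}, "priorityScore": "LOW"}],
           "responseMetadata": {"totalItems": 2}},
}
DEMO_END = datetime(2024, 6, 1, tzinfo=timezone.utc)
DEMO_START = DEMO_END - timedelta(days=30)


def fake_send(path, body):
    return FAKE_PAGES[body.get("cursor")]
```

Swap `fake_send` for a function that POSTs `body` to the configured host with the OAuth 2.0 bearer token and the request validation and paging stay unchanged.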