# Stellar SIEM

Stellar SIEM is a security information and event management solution that provides real-time threat detection and response capabilities.

## Overview

Stellar SIEM is a comprehensive security information and event management platform designed to enhance threat detection and incident response. By integrating with Swimlane Turbine, users can automate case management, streamline alert handling, and perform advanced data queries without writing code. This integration empowers security teams to efficiently manage incidents, enrich threat intelligence, and improve overall security posture through seamless automation and actionable insights.

## Limitations

- The alerts endpoint returns at most 50 results per request; use `skip` and `limit` for pagination (e.g. second page: `skip=10&limit=10`).
- The Execute Elasticsearch Job action may require custom code depending on query structure.

## Supported versions

This Stellar SIEM connector uses the Stellar Cyber public API (v1). Refer to https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html for version-specific details.

## Additional docs

- https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html
- https://docs.stellarcyber.ai/5.2.xs/using/api/api_auth.htm
- https://docs.stellarcyber.ai/prod-docs/5.1.x/using/api/api_case_query.htm
- https://docs.stellarcyber.ai/6.3.xs/using/api/api_elasticsearch_query.htm

## Configuration

### Prerequisites

Before you can use the Stellar SIEM connector for Turbine, you'll need access to the Stellar SIEM API. This requires the following:

HTTP Bearer Authentication using the following parameters:

- **URL**: the endpoint URL for accessing the Stellar SIEM API
- **Token**: a valid bearer token for authenticating API requests

### Authentication methods

#### HTTP Bearer Authentication

- **URL**: the base URL of your Stellar Cyber server (e.g. `https://myserver.stellarcyber.cloud`)
- **Token**: a JWT obtained from `POST /connect/api/v1/access_token` using your email and API key (basic auth). Use a dedicated API user and refresh the token as needed; tokens expire in 10 minutes.

## Capabilities

This Stellar SIEM connector provides the following capabilities:

- List Cases
- Get Case Scores
- Retrieve Paginated Alerts
- Execute Elasticsearch Job
- List Connectors
- List Tenants
- Create Connector
- List Users
- Add Comment to a Case
- Update Case

### List Cases

Returns a list of cases with optional pagination and filtering (`limit`, `offset`, `tenantid`, `sort`, `order`, `status`, `min_score`). Maximum 500 cases per request.

Stellar Cyber's documentation for this action can be found at https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html#/case/listcases

### Get Case Scores

Retrieves case scores for a given case ID.

Stellar Cyber's documentation for this action can be found at https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html#/case/getcasescores

### Retrieve Paginated Alerts

Retrieves paginated alerts for the given case. Use the path parameter case ID (`id`) and the query parameters `skip` and `limit` (maximum 50 per request). The response includes `data.docs` with the alert documents.

Stellar Cyber's documentation for this action can be found at https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html (see Cases → Alerts endpoint)

### Execute Elasticsearch Job

Performs an Elasticsearch DSL query on a specified index via `/connect/api/data/{index}/_search`. Implemented with custom code in `connector/src/execute_es_job.py`. Only available to Super Admin users with root scope (API key from "Generate New Token" on System | Organization Management | Users); not available for scoped API keys. Use the path parameter `index` (e.g. `aella-eventsummary`, `aella-ser`) and a JSON body for the query DSL.

Stellar Cyber's documentation for this action can be found at https://docs.stellarcyber.ai/6.3.xs/using/api/api_elasticsearch_query.htm

### List Connectors

Returns a list of connectors in the Stellar Cyber instance.

Stellar Cyber's documentation for this action can be found at https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html#/connector/listconnectors

### List Tenants

Returns a list of tenants in the Stellar Cyber instance.

Stellar Cyber's documentation for this action can be found at https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html#/tenant/listtenant

### Create Connector

Creates a new connector in the Stellar Cyber instance. Send the connector definition in the JSON body.

Stellar Cyber's documentation for this action can be found at https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html#/connector/createconnector

### List Users

Returns a list of users in the Stellar Cyber instance.

Stellar Cyber's documentation for this action can be found at https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html#/user/listuser

### Add Comment to a Case

Adds a comment to an existing case. Provide the case ID in the path and the comment payload in the JSON body.

Stellar Cyber's documentation for this action can be found at https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html#/case/createcasecomment

### Update Case

Updates an existing case (status, assignee, tags, etc.). Provide the case ID in the path and the update payload in the JSON body.

Stellar Cyber's documentation for this action can be found at https://docs.stellarcyber.ai/6.3.xs/resources/swaggerui/dist/index.saas.html#/case/updatecase

## Configurations

### HTTP Bearer Authentication

Authenticates using a bearer token such as a JWT, etc.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | The API key, token, etc. | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Comment to a Case

Add a comment to a specified case in Stellar SIEM using the case ID and a comment string. This action requires path parameters and a JSON body.

Endpoint URL: `/cases/{{id}}/comments`

Method: `POST`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Case ID (path parameter) |
| comment | string | optional | The comment text |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}, "parameters": {}, "comment": "string"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| data | object | The created comment |
| data.comment | string | Response data |
| data._id | string | Response data |
| data.case_id | string | Response data |
| data.created_at | number | Response data |
| data.modified_at | number | Response data |
| data.user | string | Response data |

Output example:

```json
{"data": {"comment": "string", "_id": "string", "case_id": "string", "created_at": 123, "modified_at": 123, "user": "string"}}
```

### Create Connector

Create a connector configuration in Stellar SIEM using `POST /connect/api/v1/connector` with query parameters and a JSON body.

Endpoint URL: `/connector`

Method: `POST`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.update_profile | boolean | optional | For on-premises only: update the DR profile. For SaaS, the API returns 400 when true. Default: false |
| parameters.profile | string | optional | Profile name. Default: "default" |
| cust_id | string | optional | Unique identifier |
| name | string | optional | Name of the resource |
| type | string | optional | Type of the resource |
| category | string | optional | e.g. asset |
| is_collect | boolean | optional | Parameter for Create Connector |
| is_respond | boolean | optional | Parameter for Create Connector |
| run_on | string | optional | Parameter for Create Connector |
| conf | string | optional | Parameter for Create Connector |
| filter_list | array | optional | Parameter for Create Connector |
| advanced_setting | boolean | optional | Parameter for Create Connector |

Input example:

```json
{"parameters": {"update_profile": true, "profile": "default"}, "cust_id": "string", "name": "example name", "type": "string", "category": "string", "is_collect": true, "is_respond": true, "run_on": "string", "conf": "string", "filter_list": ["string"], "advanced_setting": true}
```

### Execute Elasticsearch Job

Perform an Elasticsearch DSL query on a specified index in Stellar SIEM via `/connect/api/data`. Requires Super Admin and root scope access with a new token.

Endpoint URL: `/data/{{index}}/_search`

Method: `POST`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.index | string | required | Index pattern (e.g. `aella-eventsummary`) |

Input example:

```json
{"path_parameters": {"index": "string"}, "parameters": {}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{}
```

### Get Case Scores

Retrieve the case score activities of a given case in Stellar SIEM, returning a list of score activities with reasons and associated alerts. Requires the case ID as a path parameter.

Endpoint URL: `/cases/{{id}}/scores`

Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Case ID (path parameter) |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| data | array | List of case score activity objects |
| data.reasons | array | Score reasons with associated alerts |
| data.reasons.alerts | array | Response data |
| data.reasons.alerts.index | string | Response data |
| data.reasons.alerts.id | string | Response data |
| data.reasons.reason | string | Response data |
| data.score | number | Score value |
| data.timestamp | number | Epoch timestamp |
| data.version | number | Response data |

Output example:

```json
{"data": []}
```

### List Cases

Retrieve a list of existing cases in Stellar SIEM with optional filters and pagination.

Endpoint URL: `/cases`

Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.tenantid | string | optional | Filter by tenant ID |
| parameters.cust_id | string | optional | Filter by tenant ID (alias) |
| parameters.name | string | optional | Filter by case name |
| parameters.not_name | string | optional | Exclude by case name |
| parameters.ticket_id | number | optional | Filter by case number |
| parameters.not_ticket_id | number | optional | Parameter for the List Cases action |
| parameters.from_ticket_id | number | optional | Parameter for the List Cases action |
| parameters.to_ticket_id | number | optional | Parameter for the List Cases action |
| parameters.score | number | optional | Filter by case score |
| parameters.not_score | number | optional | Parameter for the List Cases action |
| parameters.from_score | number | optional | Parameter for the List Cases action |
| parameters.to_score | number | optional | Parameter for the List Cases action |
| parameters.size | number | optional | Filter by alert count |
| parameters.not_size | number | optional | Parameter for the List Cases action |
| parameters.from_size | number | optional | Parameter for the List Cases action |
| parameters.to_size | number | optional | Parameter for the List Cases action |
| parameters.status | string | optional | Filter by status (New, In Progress, Escalated, Resolved, Cancelled) |
| parameters.not_status | string | optional | Parameter for the List Cases action |
| parameters.severity | string | optional | Filter by severity (Critical, High, Medium, Low) |
| parameters.not_severity | string | optional | Parameter for the List Cases action |
| parameters.modified_by | string | optional | Filter by modifier |
| parameters.not_modified_by | string | optional | Parameter for the List Cases action |
| parameters.modified_at | number | optional | Filter by modification time (epoch ms) |
| parameters.not_modified_at | number | optional | Parameter for the List Cases action |
| parameters.from_modified_at | number | optional | Parameter for the List Cases action |

Input example:

```json
{"parameters": {"tenantid": "string", "cust_id": "string", "name": "example name", "not_name": "example name", "ticket_id": 123, "not_ticket_id": 123, "from_ticket_id": 123, "to_ticket_id": 123, "score": 123, "not_score": 123, "from_score": 123, "to_score": 123, "size": 123, "not_size": 123, "from_size": 123, "to_size": 123, "status": "active", "not_status": "active", "severity": "string", "not_severity": "string", "modified_by": "string", "not_modified_by": "string", "modified_at": 123, "not_modified_at": 123, "from_modified_at": 123, "to_modified_at": 123, "created_by": "string", "not_created_by": "string", "created_at": 123, "not_created_at": 123, "from_created_at": 123, "to_created_at": 123, "tags": "string", "not_tags": "string", "assignee": "string", "not_assignee": "string", "event_id": "string", "event_index": "string", "min_score": 123, "min_size_auto": 123, "search": "string", "queue": "string", "skip": 123, "limit": 123, "sort": "string", "order": "string", "include_summary": true, "include_details": true, "format_summary": true}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| data | object | Response data |
| data.cases | array | List of cases |
| data.cases._id | string | Response data |
| data.cases.acknowledged | number | Response data |
| data.cases.assignee | string | Response data |
| data.cases.closed | number | Response data |
| data.cases.created_at | number | Response data |
| data.cases.created_by | string | Response data |
| data.cases.cust_id | string | Response data |
| data.cases.insyncs | array | Response data |
| data.cases.insyncs.insync_id | string | Response data |
| data.cases.insyncs.insync_name | string | Response data |
| data.cases.insyncs.status | string | Response data |
| data.cases.insyncs.last_synced_out_time | number | Response data |
| data.cases.insyncs.last_synced_in_time | number | Response data |
| data.cases.insyncs.error_message | string | Response data |
| data.cases.insyncs.source_id | string | Response data |
| data.cases.insyncs.source_link | string | Response data |
| data.cases.insyncs.type | string | Response data |
| data.cases.modified_at | number | Response data |
| data.cases.modified_by | string | Response data |
| data.cases.name | string | Response data |
| data.cases.score | number | Response data |
| data.cases.size | number | Response data |
| data.cases.status | string | Response data |

Output example:

```json
{"data": {"cases": [{}], "total": 123}}
```

### List Connectors

Retrieve a list of configured connectors in Stellar SIEM, optionally filtered by tenant using `cust_id`.

Endpoint URL: `/connector`

Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.cust_id | string | optional | Optional. Get all connectors assigned to a specified tenant. `cust_id` can be retrieved from the System | Administration | Tenants page |

Input example:

```json
{"parameters": {"cust_id": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| total | number | Total count of connectors |
| connectors | array | List of connector objects |
| connectors._id | string | Unique identifier |
| connectors.category | string | Output field connectors.category |
| connectors.configuration | string | Output field connectors.configuration |
| connectors.tenantid | string | Unique identifier |
| connectors.is_collect | boolean | Output field connectors.is_collect |
| connectors.is_respond | boolean | Output field connectors.is_respond |
| connectors.name | string | Name of the resource |
| connectors.run_on | string | Output field connectors.run_on |
| connectors.type | string | Type of the resource |
| connectors.version | string | Output field connectors.version |
| connectors.last_activity | string | Output field connectors.last_activity |
| connectors.last_data_received | string | Response data |
| connectors.status | string | Status value |
| connectors.active | boolean | Output field connectors.active |
| connectors.filter_list | array | Output field connectors.filter_list |
| connectors.created_at | number | Output field connectors.created_at |
| connectors.modified_at | number | Output field connectors.modified_at |

Output example:

```json
{"total": 123, "connectors": []}
```

### List Tenants

Retrieve the list of existing tenants in Stellar SIEM. The optional `fields` query allows inclusion of specific fields in the response.

Endpoint URL: `/tenants`

Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.fields | string | optional | Optional comma-separated list of fields to include in the response (e.g. `"cust_id,cust_name"`) |

Input example:

```json
{"path_parameters": {}, "parameters": {"fields": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| data | array | List of tenant objects |
| data.org_id | string | Response data |
| data.cust_name | string | Response data |
| data.cust_id | string | Response data |
| data.ds_num | number | Response data |
| data.user_num | number | Response data |
| data.tgrp_name | string | Response data |
| data.contact | string | Response data |
| data.contact_email | string | Response data |
| data.contact_phone | string | Response data |
| data.address | string | Response data |
| data.daily_limit | number | Response data |
| data.info | string | Response data |
| data.retention_group | string | Response data |
| data.mfa_enabled | boolean | Response data |
| data.authentication_method | string | Response data |
| data.sso_config | string | Response data |
| data.ingestion_limit | number | Response data |
| data.tenant_session_override | boolean | Response data |
| data.session_timeout | number | Response data |
| data.message | string | Response data |
| data.created_at | number | Response data |
| data.modified_at | number | Response data |

Output example:

```json
{"data": []}
```

### List Users

Retrieve the list of existing users in Stellar SIEM, with an optional `cust_id` query to filter the results.

Endpoint URL: `/users`

Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.cust_id | string | optional | Filter the list by `cust_id` (tenant) |

Input example:

```json
{"path_parameters": {}, "parameters": {"cust_id": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| data | array | List of user objects |
| data.created_at | number | Response data |
| data.created_by | string | Response data |
| data.modified_at | number | Response data |
| data.modified_by | string | Response data |
| data.cust_id | string | Response data |
| data.default | boolean | Response data |
| data.display_name | string | Response data |
| data.email | string | Response data |
| data.email_notify | boolean | Response data |
| data.language | string | Response data |
| data.mfa_enabled | boolean | Response data |
| data.name | string | Response data |
| data.phone | string | Response data |
| data.priv_profile_id | string | Response data |
| data.query | string | Response data |
| data.user_role | string | Response data |
| data.tgrp_id | string | Response data |
| data.homepage | object | Response data |
| data.homepage.url | string | Response data |
| data.homepage.alias | string | Response data |
| data.cdp | boolean | Response data |
| data.duplicate | object | Response data |
| data.duplicate.name | boolean | Response data |
| data.duplicate.email | boolean | Response data |

Output example:

```json
{"data": []}
```

### Retrieve Paginated Alerts

Retrieve a specified range of alerts for a case in Stellar SIEM using the case ID, with options to skip records and set a limit of up to 50 alerts per request.

Endpoint URL: `/cases/{{id}}/alerts`

Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Case ID (path parameter) |
| parameters.skip | number | required | Number of records to skip before returning results, e.g. `skip=10&limit=10` returns the second 10 alerts |
| parameters.limit | number | required | Maximum number of results to return. A maximum of 50 results can be returned at a time, e.g. `limit=10` returns the first 10 alerts |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}, "parameters": {"skip": 123, "limit": 123}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.docs | array | Response data |
| data.docs._version | number | Response data |
| data.docs._type | string | Response data |
| data.docs._source | object | Response data |
| data.docs._seq_no | number | Response data |
| data.docs._primary_term | number | Response data |
| data.docs._index | string | Response data |
| data.docs._id | string | Response data |
| data.docs.found | boolean | Response data |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": {"docs": []}}}
```

### Update Case

Update a specific case in Stellar SIEM using its ID, with details like name, severity, status, assignee, tags, and resolution.

Endpoint URL: `/cases/{{id}}`

Method: `PUT`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Case ID (path parameter) |
| name | string | optional | Case name (max length 200) |
| severity | string | optional | Critical, High, Medium, or Low |
| status | string | optional | Escalated, New, In Progress, Resolved, or Cancelled |
| assignee | string | optional | Assignee username |
| tags | object | optional | Add or delete tags |
| tags.delete | array | optional | Tags to remove |
| tags.add | array | optional | Tags to add |
| update_alerts | boolean | optional | Whether to update associated alerts |
| resolution | string | optional | False Positive, Benign, or True Positive |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}, "parameters": {}, "name": "example name", "severity": "string", "status": "active", "assignee": "string", "tags": {"delete": ["string"], "add": ["string"]}, "update_alerts": true, "resolution": "string"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| data | object | Updated case object |
| data._id | string | Response data |
| data.acknowledged | number | Response data |
| data.assignee | string | Response data |
| data.closed | number | Response data |
| data.created_at | number | Response data |
| data.created_by | string | Response data |
| data.cust_id | string | Response data |
| data.insyncs | array | Response data |
| data.insyncs.insync_id | string | Response data |
| data.insyncs.insync_name | string | Response data |
| data.insyncs.status | string | Response data |
| data.insyncs.last_synced_out_time | number | Response data |
| data.insyncs.last_synced_in_time | number | Response data |
| data.insyncs.error_message | string | Response data |
| data.insyncs.source_id | string | Response data |
| data.insyncs.source_link | string | Response data |
| data.insyncs.type | string | Response data |
| data.modified_at | number | Response data |
| data.modified_by | string | Response data |
| data.name | string | Response data |
| data.score | number | Response data |
| data.size | number | Response data |
| data.status | string | Response data |
| data.resolution | string | Response data |

Output example:

```json
{"data": {"_id": "string", "acknowledged": 123, "assignee": "string", "closed": 123, "created_at": 123, "created_by": "string", "cust_id": "string", "insyncs": [{}], "modified_at": 123, "modified_by": "string", "name": "example name", "score": 123, "size": 123, "status": "active", "resolution": "string"}}
```

#### Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
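As an added example (not part of this connector or Stellar Cyber's own code), the client below handles the two constraints this page calls out: the 10-minute lifetime of the JWT from `POST /connect/api/v1/access_token`, and the 50-per-request cap on `/cases/{id}/alerts`. It assumes the token response carries the JWT under an `access_token` key and that the case endpoints live under `/connect/api/v1`; the HTTP transport is injected and backed by a constructed fake server so it runs offline.

```python
import base64
import time

TOKEN_TTL_SECONDS = 600       # page: tokens expire in 10 minutes
TOKEN_REFRESH_MARGIN = 60     # renew early rather than race the expiry
MAX_ALERTS_PER_REQUEST = 50   # page: alerts endpoint returns at most 50 per request


class StellarClient:
    # transport(method, url, headers, params) -> (status, json) is injected so this runs offline
    def __init__(self, base_url, email, api_key, transport, now=time.time):
        self.base_url = base_url.rstrip("/")
        # email:api_key as HTTP Basic; only ever sent to the token endpoint
        self._basic = base64.b64encode(f"{email}:{api_key}".encode()).decode()
        self._transport, self._now = transport, now
        self._token, self._expires_at = None, 0.0
        self.token_requests = 0   # lets callers observe refreshes

    def bearer(self):
        """Cached JWT from POST /connect/api/v1/access_token, refreshed before it expires."""
        if self._token is None or self._now() >= self._expires_at - TOKEN_REFRESH_MARGIN:
            status, body = self._transport("POST", self.base_url + "/connect/api/v1/access_token",
                                           {"Authorization": "Basic " + self._basic}, {})
            if status != 200 or "access_token" not in body:   # response key is an assumption
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = body["access_token"]
            self._expires_at = self._now() + TOKEN_TTL_SECONDS
            self.token_requests += 1
        return self._token

    def case_alerts(self, case_id, page_size=MAX_ALERTS_PER_REQUEST):
        """All alert docs for a case, walking skip/limit windows (/connect/api/v1 prefix assumed)."""
        limit = max(1, min(page_size, MAX_ALERTS_PER_REQUEST))  # server caps at 50 anyway
        docs, skip = [], 0
        while True:
            status, body = self._transport(
                "GET", f"{self.base_url}/connect/api/v1/cases/{case_id}/alerts",
                {"Authorization": "Bearer " + self.bearer()}, {"skip": str(skip), "limit": str(limit)})
            if status != 200:
                raise RuntimeError(f"alerts request failed: HTTP {status}")
            page = body.get("data", {}).get("docs", [])
            docs.extend(page)
            if len(page) < limit:     # short or empty page: no more alerts for this case
                return docs
            skip += limit


def make_fake_server(total_alerts, now):
    """Constructed stand-in for Stellar Cyber: issues expiring tokens, serves alert pages."""
    issued = {}   # token -> expiry time

    def transport(method, url, headers, params):
        auth = headers.get("Authorization", "")
        if method == "POST" and url.endswith("/connect/api/v1/access_token"):
            if not auth.startswith("Basic "):
                return 401, {}
            tok = f"jwt-{len(issued) + 1}"
            issued[tok] = now() + TOKEN_TTL_SECONDS
            return 200, {"access_token": tok}
        if issued.get(auth.removeprefix("Bearer "), 0.0) <= now():
            return 401, {}        # unknown or expired JWT
        if method == "GET" and url.endswith("/alerts"):
            skip, limit = int(params["skip"]), min(int(params["limit"]), MAX_ALERTS_PER_REQUEST)
            docs = [{"_id": f"alert-{i}", "_index": "aella-ser"}
                    for i in range(skip, min(skip + limit, total_alerts))]
            return 200, {"data": {"docs": docs}}
        return 404, {}

    return transport
```

For real use, replace `make_fake_server` with a transport built on `requests` that honours the connector's `verify_ssl` and `http_proxy` settings.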