# TeamT5 ThreatSonar EDR
The TeamT5 ThreatSonar EDR connector facilitates seamless integration with TeamT5's Endpoint Detection and Response system, enabling automated threat analysis and incident response.

TeamT5 ThreatSonar EDR is a cutting-edge Endpoint Detection and Response platform that provides comprehensive visibility into endpoint activities and potential threats. By integrating with Swimlane Turbine, users can automate the retrieval of endpoint data, manage isolation states, and access detailed incident and malware information. This connector empowers security teams to streamline their incident response workflows, enhance threat hunting capabilities, and maintain a robust endpoint security posture without manual intervention. The actionable intelligence and automated response capabilities provided by this integration are crucial for maintaining a proactive defense against evolving cyber threats.

## Prerequisites

To effectively utilize the TeamT5 ThreatSonar EDR connector with Swimlane Turbine, ensure you have the following prerequisites:

- API Key authentication with the following parameters:
  - URL: the base endpoint URL for the TeamT5 ThreatSonar EDR API
  - API Key: a valid API key provided by TeamT5 to authenticate requests

## Capabilities

This connector provides the following capabilities:

- Data Retrieval Count
- Data Retrieval Deisolate
- Data Retrieval Endpoints List
- Data Retrieval Isolate
- Data Retrieval Show
- Endpoint Events Connections
- Endpoint Events Show
- Hunter Processes Connections
- Hunter Processes Endpoints
- Hunter Processes Show
- IncidentReport Index
- IncidentReport Show
- MalwareInfo Show
- Network IPs Endpoints
- Network IPs Processes
- And so on

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| x_auth_token | API Key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Data Retrieval Count

Retrieve a count of endpoints, categorized by client and department, from TeamT5 ThreatSonar EDR.

Endpoint URL: `/api/v2/endpoints/count`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| online | boolean | optional | Online |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| clients | array | Output field clients |
| id | number | Unique identifier |
| name | string | Name of the resource |
| departments | array | Output field departments |
| id | number | Unique identifier |
| name | string | Name of the resource |
| count | number | Count value |
| count | number | Count value |
| count | number | Count value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "clients": [],
      "count": 159
    }
  }
]
```

### Data Retrieval Deisolate

Deisolate a specific endpoint in TeamT5 ThreatSonar EDR using the provided endpoint ID.

Endpoint URL: `/api/v2/endpoints/{{endpoint_id}}/deisolate`

Method: POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| endpoint_id | string | required | Endpoint ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "message": "success"
    }
  }
]
```

### Data Retrieval Endpoints List

Retrieve a list of endpoint records from TeamT5 ThreatSonar EDR using specified parameters.

Endpoint URL: `/api/v2/endpoints`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ip_address | string | optional | IP address |
| computer_name | string | optional | Computer name |
| scan_start | string | optional | Scan start, in `YYYY-MM-DD HH:MM:SS` format |
| scan_end | string | optional | Scan end, in `YYYY-MM-DD HH:MM:SS` format |
| entries_per_query | number | optional | Entries per query |
| append_event | string | optional | Append event |
| above_level | number | optional | Above level |
| agent_status | string | optional | Agent status |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Data Retrieval Isolate

Isolates an endpoint in TeamT5 ThreatSonar EDR using the provided endpoint ID to contain potential threats.

Endpoint URL: `/api/v2/endpoints/{{endpoint_id}}/isolate`

Method: POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| endpoint_id | string | required | Endpoint ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "message": "success"
    }
  }
]
```

### Data Retrieval Show

Query the execution status of ThreatSonar agents on specified hosts using the endpoint ID.

Endpoint URL: `/api/v2/endpoints/{{endpoint_id}}`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| endpoint_id | string | required | The ID of the data retrieval endpoint |
| scan_start | string | optional | Scan start time in UTC; must be set along with scan_end |
| scan_end | string | optional | Scan end time in UTC; must be set along with scan_start |
| append_mac | string | optional | Append MAC address (optional) |
| append_event | string | optional | Append event (optional) |
| above_level | number | optional | Above level (optional) |
| agent_status | string | optional | Agent status (optional) |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Endpoint Events Connections

Retrieve connection details for a specific endpoint event in TeamT5 ThreatSonar EDR using the provided event ID.

Endpoint URL: `/api/v2/endpoint/events/{{event_id}}/connections`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| event_id | string | required | Unique identifier |
| headers | object | required | HTTP headers for the request |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Endpoint Events Show

Retrieve detailed information for a specific endpoint event in TeamT5 ThreatSonar EDR using the provided event ID.

Endpoint URL: `/api/v2/endpoint/events/{{event_id}}`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| event_id | string | required | Event ID |
| headers | object | required | HTTP headers for the request |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threat_level | number | Output field threat_level |
| ntfs_changetime | string | Time value |
| ntfs_createtime | string | Time value |
| file_create_time | string | Time value |
| process_createtime | object | Time value |
| file_createtime | string | Time value |
| ntfs_last_writetime | string | Time value |
| sha256 | string | Output field sha256 |
| file_path | string | Output field file_path |
| file_last_writetime | string | Time value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "threat_level": 1,
      "ntfs_changetime": "2022-01-07 16:44:36",
      "ntfs_createtime": "2022-01-07 16:44:36",
      "file_create_time": "2022-01-07T16:44:36.000Z",
      "process_createtime": null,
      "file_createtime": "2022-01-07 16:44:36",
      "ntfs_last_writetime": "2022-01-07 16:44:36",
      "sha256": "359c5d85022c772db5e05306595d3ff31c8cefbf30506f716bd239c15ae04e82",
      "file_path": "C:\\ProgramData\\Microsoft\\Windows Defender\\DefinitionUpdates\\{965FEC8B-1372-429E",
      "file_last_writetime": "2022-01-07 18:00:25"
    }
  }
]
```

### Hunter Processes Connections

Retrieve network connection details for a specific process in TeamT5 ThreatSonar EDR using the provided process ID.

Endpoint URL: `/api/v2/hunter/processes/{{id}}/connections`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | ID |
| headers | object | required | HTTP headers for the request |
| Content-Type | string | optional | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {},
      {},
      {}
    ]
  }
]
```

### Hunter Processes Endpoints

Retrieves detailed information on a process by its ID, including network IP connections, path parameters, and headers in TeamT5 ThreatSonar EDR.

Endpoint URL: `/api/v2/hunter/processes/{{id}}/endpoints`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | ID |
| connect_to | string | optional | IP address to connect |
| headers | object | required | HTTP headers for the request |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {},
      {}
    ]
  }
]
```

### Hunter Processes Show

Retrieve detailed information on a process by its ID from TeamT5 ThreatSonar EDR, including network IP connections. Requires the path parameter `id`.

Endpoint URL: `/api/v2/hunter/processes/{{id}}`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | ID |
| headers | object | required | HTTP headers for the request |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "name": "mstsc.exe"
    }
  }
]
```

### IncidentReport Index

Retrieve a list of incident reports accessible by the current user in TeamT5 ThreatSonar EDR.

Endpoint URL: `/api/v2/incident_reports/`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| start_at | string | optional | Start time for incident report query |
| end_at | string | optional | End time for incident report query |
| trigger_types | array | optional | List of trigger types for incident reports |
| levels | array | optional | List of levels for incident reports |
| page | number | optional | Page number for pagination |
| page_size | number | optional | Number of items per page |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| id | number | Unique identifier |
| uuid | string | Unique identifier |
| status | string | Status value |
| level | number | Output field level |
| department_id | number | Unique identifier |
| client | string | Output field client |
| os | string | Output field os |
| os_family | string | Output field os_family |
| engine_version | string | Output field engine_version |
| connect_ip | string | Output field connect_ip |
| exchange_token | object | Output field exchange_token |
| intermediate_token | object | Output field intermediate_token |
| afterthoughts_error_detail | object | Error message if any |
| local_time_utc_offset | number | Output field local_time_utc_offset |
| source | string | Output field source |
| service_request_id | string | Unique identifier |
| scanned_at | string | Output field scanned_at |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| local_ip | string | Output field local_ip |
| version | string | Output field version |
| server_apply_whitelist | number | Output field server_apply_whitelist |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "data": [],
      "page": 1,
      "page_size": 2,
      "count": 2
    }
  }
]
```

### IncidentReport Show

Retrieve detailed information for a specific incident report identified by an ID in TeamT5 ThreatSonar EDR.

Endpoint URL: `/api/v2/incident_reports/`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The ID of the incident report |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| max_level | number | Output field max_level |
| metadata | array | Response data |
| file_name | string | Name of the resource |
| file | string | Output field file |
| records | array | Output field records |
| attributes | array | Output field attributes |
| display_name | string | Name of the resource |
| id | number | Unique identifier |
| level | number | Output field level |
| meta_id | object | Unique identifier |
| rec_data | object | Response data |
| file_path | string | Output field file_path |
| rec_hash | string | Output field rec_hash |
| rec_src | string | Output field rec_src |
| rec_type | string | Type of the resource |
| rule_id | object | Unique identifier |
| tactics | object | Output field tactics |
| techniques | object | Output field techniques |
| relations | array | Output field relations |
| from | number | Output field from |
| to | number | Output field to |
| verb | string | Output field verb |
| summary | array | Output field summary |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "max_level": 5,
      "metadata": [],
      "records": [],
      "relations": [],
      "summary": [],
      "recommendation": []
    }
  }
]
```

### MalwareInfo Show

Retrieve STIX-compatible malware information from TeamT5 ThreatSonar EDR using a unique identifier.

Endpoint URL: `api/v2/malware_infos/{{id}}`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| id | string | Unique identifier |
| report_id | string | Unique identifier |
| indicator | object | Output field indicator |
| indicator_types | array | Type of the resource |
| pattern_type | string | Type of the resource |
| pattern | array | Output field pattern |
| valid_from | string | Unique identifier |
| attack_pattern | object | Output field attack_pattern |
| name | string | Name of the resource |
| description | string | Output field description |
| kill_chain_phases | array | Output field kill_chain_phases |
| kill_chain_name | string | Name of the resource |
| phase_name | string | Name of the resource |
| last_mitre_tag_id | string | Unique identifier |
| mitre_tag_ids | array | Unique identifier |
| malware | object | Output field malware |
| name | string | Name of the resource |
| malware_type | array | Type of the resource |
| is_family | boolean | Output field is_family |
| description | string | Output field description |
| malware_analysis | object | Output field malware_analysis |
| submitted | string | Output field submitted |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "meta": {},
      "indicator": {},
      "attack_pattern": {},
      "malware": {},
      "malware_analysis": {},
      "file": {},
      "observed_data": {},
      "ipv4_addr": {},
      "domain_name": {},
      "identity": {}
    }
  }
]
```

### Network IPs Endpoints

Queries endpoints connected to a specified IP in TeamT5 ThreatSonar EDR using the provided `ip_id`.

Endpoint URL: `/api/v2/network/ips/{{ip_id}}/endpoints`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ip_id | string | required | Unique identifier |
| process_id | number | optional | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Network IPs Processes

Query endpoint event connections for processes associated with a specified IP in TeamT5 ThreatSonar EDR, using the `ip_id` path parameter.

Endpoint URL: `/api/v2/network/ips/{{ip_id}}/processes`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ip_id | string | required | Unique identifier |
| headers | object | optional | HTTP headers for the request |
| Content-Type | string | optional | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {
        "name": "mstsc.exe"
      },
      {
        "id": 548,
        "name": "lsass.exe"
      },
      {
        "id": 13634,
        "name": "httpd.exe"
      }
    ]
  }
]
```

### Network IPs Show

Retrieve detailed information for a specific IP by its ID in TeamT5 ThreatSonar EDR, including path parameters and headers.

Endpoint URL: `/api/v2/network/ips/{{ip_id}}`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ip_id | string | required | IP ID |
| headers | object | required | HTTP headers for the request |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| address | string | Output field address |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "address": "8.8.8.8"
    }
  }
]
```

### Report Detail

Retrieve a detailed scan report from TeamT5 ThreatSonar EDR using a unique scan result ID.

Endpoint URL: `/api/v2/scan_results/{{scan_result_id}}/report_detail`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| scan_result_id | number | required | Scan result ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| os_name | string | Name of the resource |
| threats | array | Output field threats |
| total_match_rule_lists | array | Output field total_match_rule_lists |
| malicious_level | string | Output field malicious_level |
| malicious_attribute_tag | array | Output field malicious_attribute_tag |
| related_paths | object | Output field related_paths |
| network | array | Output field network |
| local_port | string | Output field local_port |
| process_name | string | Name of the resource |
| remote_ip | string | Output field remote_ip |
| remote_port | string | Output field remote_port |
| state | string | Output field state |
| event_log | array | Output field event_log |
| eventid | number | Unique identifier |
| malicious_level | number | Output field malicious_level |
| malicious_attribute_tag | array | Output field malicious_attribute_tag |
| file_name | string | Name of the resource |
| file | string | Output field file |
| process_commandline | object | Output field process_commandline |
| total_visiblememory_size | string | Output field total_visiblememory_size |
| free_physicalmemory_size | string | Output field free_physicalmemory_size |
| software_list | array | Output field software_list |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "os_name": "Microsoft Windows 10 \u5c08\u696d\u7248(x64-based PC)",
      "threats": [],
      "network": [],
      "event_log": [],
      "total_visiblememory_size": "6143 MB",
      "free_physicalmemory_size": "3298 MB",
      "software_list": []
    }
  }
]
```

### Report Import Report Bundle

Upload a report bundle to TeamT5 ThreatSonar EDR for comprehensive threat analysis. Requires form data.

Endpoint URL: `/api/v2/scan_results/import_report_bundle`

Method: POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| form_data | object | required | Response data |
| report | object | required | File to be uploaded |
| file | string | required | Parameter for Report Import Report Bundle |
| file_name | string | required | Name of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| url | string | URL endpoint for the request |
| report_id | number | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "url": "https://cloud.threatsonar.org:80/scan_results?report_viewer[id]=1",
      "report_id": 1
    }
  }
]
```

### Report Show

Retrieves a base64-encoded PDF report of scan results from TeamT5 ThreatSonar EDR using the provided scan result ID.

Endpoint URL: `/api/v2/scan_results/{{scan_result_id}}/report`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| scan_result_id | number | required | Scan result ID |
| headers | object | required | HTTP headers for the request |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| file | object | Attachments |
| file | string | Output field file |
| file_name | string | Name of the resource |

#### Example

```json
[
  {
    "file": {
      "file": "string",
      "file_name": "example_name"
    }
  }
]
```

### ThreatTracer Count Events

Counts the number of events captured by TeamT5 ThreatSonar EDR within a specified time range. Requires the `start_on`, `end_on`, and `client_id` parameters.

Endpoint URL: `/api/v2/threat_tracer/events/meta`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| start_on | string | required | Start of date range |
| end_on | string | required | End of date range; the date range must be within 6 months |
| client_id | number | required | The client ID can be obtained from the List Clients API |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| total_hits_count | number | Count value |
| total_pages | number | Output field total_pages |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "meta": {}
    }
  }
]
```

### ThreatTracer List Clients

Retrieve a list of clients from TeamT5 ThreatSonar EDR for monitoring and management purposes.

Endpoint URL: `/api/v2/clients`

Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| clients | array | Output field clients |
| id | number | Unique identifier |
| name | string | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "clients": []
    }
  }
]
```

### ThreatTracer List Events

Retrieve a list of events from TeamT5 ThreatSonar EDR within a specified time range. Requires the `start_on`, `end_on`, and `client_id` parameters.

Endpoint URL: `/api/v2/threat_tracer/events`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| start_on | string | required | Start of date range |
| end_on | string | required | End of date range; the date range must be within 6 months |
| client_id | number | required | The client ID can be obtained from the List Clients API |
| limit | number | optional | The maximum number of events |
| offset | number | optional | The number of events to skip |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| events | array | Output field events |
| id | number | Unique identifier |
| ruleset_type | string | Type of the resource |
| ruleset_id | string | Unique identifier |
| ruleset_name | string | Name of the resource |
| hunter_event_id | number | Unique identifier |
| client_name | string | Name of the resource |
| department_name | string | Name of the resource |
| endpoint_name | string | Name of the resource |
| local_ip | string | Output field local_ip |
| os_name | string | Name of the resource |
| first_seen_at | string | Output field first_seen_at |
| level | number | Output field level |
| normalized_file_path | string | Output field normalized_file_path |
| sha256_hash | string | Output field sha256_hash |
| is_ignored | boolean | Output field is_ignored |
| created_at | string | Output field created_at |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "events": []
    }
  }
]
```
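The following is an added example, not code from this page, from Swimlane or from TeamT5, showing how the connector's API-key configuration (url, API key, verify SSL, HTTP proxy), the Data Retrieval Isolate/Deisolate actions and the ThreatTracer List Events `limit`/`offset` pagination with its 6-month window rule fit together in a small client. Assumptions not stated on the page: the API key is sent as an `X-Auth-Token` request header, `start_on`/`end_on` are `YYYY-MM-DD` strings, path and query names are the underscored forms listed above, and a transport callable is injected so that a constructed in-memory stand-in for the EDR server (`FakeThreatSonar`) can answer requests offline.

```python
"""Added example: minimal ThreatSonar-style client with injectable transport."""
import calendar
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime


def add_months(d, n):
    """Return date d shifted forward by n calendar months (day clamped)."""
    month = d.month - 1 + n
    year, month = d.year + month // 12, month % 12 + 1
    return d.replace(year=year, month=month, day=min(d.day, calendar.monthrange(year, month)[1]))


class ThreatSonarClient:
    """Mirrors the connector's config: url, x_auth_token, verify_ssl, http_proxy."""

    def __init__(self, url, api_key, verify_ssl=True, http_proxy=None, transport=None):
        self.base = url.rstrip("/")
        self.api_key = api_key
        self.transport = transport or self._urllib_transport(verify_ssl, http_proxy)

    @staticmethod
    def _urllib_transport(verify_ssl, http_proxy):
        ctx = ssl.create_default_context()
        if not verify_ssl:  # equivalent of verify_ssl=false in the connector config
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        handlers = [urllib.request.HTTPSHandler(context=ctx)]
        if http_proxy:
            handlers.append(urllib.request.ProxyHandler({"http": http_proxy, "https": http_proxy}))
        opener = urllib.request.build_opener(*handlers)

        def send(method, full_url, headers, body):
            req = urllib.request.Request(full_url, data=body, method=method, headers=headers)
            with opener.open(req, timeout=30) as resp:
                return resp.status, resp.reason, resp.read()
        return send

    def request(self, method, path, params=None, body=None):
        """Build the request and return the connector-style response dict."""
        query = ("?" + urllib.parse.urlencode(params)) if params else ""
        headers = {"X-Auth-Token": self.api_key, "Accept": "application/json"}  # assumed header name
        data = json.dumps(body).encode() if body is not None else None
        if data is not None:
            headers["Content-Type"] = "application/json"
        status, reason, raw = self.transport(method, self.base + path + query, headers, data)
        return {"status_code": status, "reason": reason, "json_body": json.loads(raw) if raw else None}

    def isolate(self, endpoint_id):
        return self.request("POST", f"/api/v2/endpoints/{endpoint_id}/isolate")

    def deisolate(self, endpoint_id):
        return self.request("POST", f"/api/v2/endpoints/{endpoint_id}/deisolate")

    def list_events(self, client_id, start_on, end_on, limit=100):
        """Walk ThreatTracer List Events with limit/offset; enforce the 6-month window locally."""
        start = datetime.strptime(start_on, "%Y-%m-%d").date()
        end = datetime.strptime(end_on, "%Y-%m-%d").date()
        if end < start or end > add_months(start, 6):
            raise ValueError("date range must be within 6 months")
        events, offset = [], 0
        while True:
            resp = self.request("GET", "/api/v2/threat_tracer/events",
                                {"start_on": start_on, "end_on": end_on, "client_id": client_id,
                                 "limit": limit, "offset": offset})
            if resp["status_code"] != 200:
                raise RuntimeError(f"{resp['status_code']} {resp['reason']}")
            page = resp["json_body"].get("events", [])
            events.extend(page)
            if len(page) < limit:  # short page means the server has no more events
                return events
            offset += limit


class FakeThreatSonar:
    """Constructed offline stand-in for the server; records every request it receives."""

    def __init__(self):
        self.calls = []
        self.events = [{"id": i, "ruleset_name": f"rule-{i}", "level": i % 3} for i in range(1, 6)]

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers))
        parsed = urllib.parse.urlsplit(url)
        if headers.get("X-Auth-Token") != "test-key":
            return 401, "Unauthorized", b'{"message":"invalid token"}'
        if method == "POST" and parsed.path.endswith(("/isolate", "/deisolate")):
            return 200, "OK", b'{"message":"success"}'
        if parsed.path == "/api/v2/threat_tracer/events":
            q = urllib.parse.parse_qs(parsed.query)
            limit, offset = int(q["limit"][0]), int(q["offset"][0])
            return 200, "OK", json.dumps({"events": self.events[offset:offset + limit]}).encode()
        return 404, "Not Found", b"{}"


def demo():
    fake = FakeThreatSonar()
    client = ThreatSonarClient("https://edr.example.invalid", "test-key", transport=fake)
    isolate = client.isolate("endpoint-123")  # constructed endpoint id
    events = client.list_events(client_id=42, start_on="2024-01-01", end_on="2024-03-31", limit=2)
    return {"isolate": isolate, "event_count": len(events), "requests_sent": len(fake.calls)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Dropping the `transport` argument makes the client talk to a real host with `urllib`, honouring `verify_ssl` and `http_proxy` the same way the connector configuration does; the short-page stop condition in `list_events` avoids an extra empty round trip when the final page is exactly full is not needed, and the local window check fails fast before any request is sent.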