# TeamT5 ThreatSonar EDR
The TeamT5 ThreatSonar EDR connector integrates Swimlane Turbine with TeamT5's endpoint detection and response platform, enabling automated threat analysis and incident response.

TeamT5 ThreatSonar EDR is an endpoint detection and response platform that provides visibility into endpoint activities and potential threats. Through Swimlane Turbine, users can automate the retrieval of endpoint data, manage isolation states, and access detailed incident and malware information. The connector lets security teams streamline incident response workflows, enhance threat hunting, and maintain endpoint security posture without manual intervention. The intelligence and automated response capabilities provided by this integration support a proactive defense against evolving threats.

## Prerequisites

To use the TeamT5 ThreatSonar EDR connector with Swimlane Turbine, ensure you have the following:

- API key authentication with the following parameters:
  - URL: the base endpoint URL for the TeamT5 ThreatSonar EDR API
  - API key: a valid API key provided by TeamT5 to authenticate requests

## Capabilities

This connector provides the following capabilities:

- Data Retrieval Count
- Data Retrieval Deisolate
- Data Retrieval Endpoints List
- Data Retrieval Isolate
- Data Retrieval Show
- Endpoint Events Connections
- Endpoint Events Show
- Hunter Processes Connections
- Hunter Processes Endpoints
- Hunter Processes Show
- IncidentReport Index
- IncidentReport Show
- MalwareInfo Show
- Network IPs Endpoints
- Network IPs Processes
- and so on

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| X-Auth-Token | API key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Data Retrieval Count

Retrieve a count of endpoints, categorized by client and department, from TeamT5 ThreatSonar EDR.

- Endpoint URL: `/api/v2/endpoints/count`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| online | boolean | optional | Online |

Example input:

```json
{"json_body": {"online": true}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| clients | array | Output field clients |
| clients.id | number | Unique identifier |
| clients.name | string | Name of the resource |
| clients.departments | array | Output field clients.departments |
| clients.departments.id | number | Unique identifier |
| clients.departments.name | string | Name of the resource |
| clients.departments.count | number | Count value |
| clients.count | number | Count value |
| count | number | Count value |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"clients": [{}], "count": 159}}
```

### Data Retrieval Deisolate

Deisolate a specific endpoint in TeamT5 ThreatSonar EDR using the provided endpoint ID.

- Endpoint URL: `/api/v2/endpoints/{{endpoint_id}}/deisolate`
- Method: `POST`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.endpoint_id | string | required | Endpoint ID |

Example input:

```json
{"path_parameters": {"endpoint_id": "abc123"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"message": "success"}}
```

### Data Retrieval Endpoints List

Retrieve a list of endpoint records from TeamT5 ThreatSonar EDR using the specified parameters.

- Endpoint URL: `/api/v2/endpoints`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.ip_address | string | optional | IP address |
| parameters.computer_name | string | optional | Computer name |
| parameters.scan_start | string | optional | Scan start, in `YYYY-MM-DD HH:MM:SS` format |
| parameters.scan_end | string | optional | Scan end, in `YYYY-MM-DD HH:MM:SS` format |
| parameters.entries_per_query | number | optional | Entries per query |
| parameters.append_event | string | optional | Append event |
| parameters.above_level | number | optional | Above level |
| parameters.agent_status | string | optional | Agent status |

Example input:

```json
{"parameters": {"ip_address": "192.168.1.2", "computer_name": "windows", "scan_start": "2019-01-00 03:00:00", "scan_end": "2019-01-01 03:00:00", "entries_per_query": 10, "append_event": "true", "above_level": 10, "agent_status": "true"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": [{"id": 1, "computer_name": "qoo qmmmmm", "computer_manufacturer": "acer", "username": "system", "timezone": "+08:00", "number_of_cores": 4, "cpu_name": "qoo pc", "os_name": "Microsoft Windows 10 \u5bb6\u7528\u7248 (x64-based PC)", "installed_at": "2020-11-16T10:58:40.000Z", "ram_size": 8072, "connect_ip": "192.168.1.1", "local_ip": "192.168.110.22", "start_scan_counter": 1, "loader_version": "2103p9", "engine_version": "2109p1"}]}
```

### Data Retrieval Isolate

Isolate an endpoint in TeamT5 ThreatSonar EDR using the provided endpoint ID, to contain potential threats.

- Endpoint URL: `/api/v2/endpoints/{{endpoint_id}}/isolate`
- Method: `POST`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.endpoint_id | string | required | Endpoint ID |

Example input:

```json
{"path_parameters": {"endpoint_id": "abc123"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"message": "success"}}
```

### Data Retrieval Show

Query the execution status of ThreatSonar agents on specified hosts using the endpoint ID.

- Endpoint URL: `/api/v2/endpoints/{{endpoint_id}}`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.endpoint_id | string | required | The ID of the data retrieval endpoint |
| scan_start | string | optional | Scan start time in UTC; must be set along with scan_end |
| scan_end | string | optional | Scan end time in UTC; must be set along with scan_start |
| append_mac | string | optional | Append MAC address (optional) |
| append_event | string | optional | Append event (optional) |
| above_level | number | optional | Above level (optional) |
| agent_status | string | optional | Agent status (optional) |

Example input:

```json
{"path_parameters": {"endpoint_id": "string"}, "scan_start": "string", "scan_end": "string", "append_mac": "string", "append_event": "string", "above_level": 123, "agent_status": "active"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": [{"id": 1, "computer_name": "qoo qmmmmm", "computer_manufacturer": "acer", "username": "system", "timezone": "+08:00", "number_of_cores": 4, "cpu_name": "qoo pc", "os_name": "Microsoft Windows 10 \u5bb6\u7528\u7248 (x64-based PC)", "installed_at": "2020-11-16T10:58:40.000Z", "ram_size": 8072, "connect_ip": "192.168.1.1", "local_ip": "192.168.110.22", "start_scan_counter": 1, "loader_version": "2103p9", "engine_version": "2109p1"}]}
```

### Endpoint Events Connections

Retrieve connection details for a specific endpoint event in TeamT5 ThreatSonar EDR using the provided event ID.

- Endpoint URL: `/api/v2/endpoint/events/{{event_id}}/connections`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.event_id | string | required | Parameters for the Endpoint Events Connections action |
| headers | object | required | HTTP headers for the request |
| headers.Content-Type | string | required | HTTP headers for the request |

Example input:

```json
{"path_parameters": {"event_id": "abc123@21"}, "headers": {"Content-Type": "application/octet-binary"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": [{"id": 101, "address": "8.8.8.8"}]}
```

### Endpoint Events Show

Retrieve detailed information for a specific endpoint event in TeamT5 ThreatSonar EDR using the provided event ID.

- Endpoint URL: `/api/v2/endpoint/events/{{event_id}}`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.event_id | string | required | Event ID |
| headers | object | required | HTTP headers for the request |
| headers.Content-Type | string | required | HTTP headers for the request |

Example input:

```json
{"path_parameters": {"event_id": "abc123"}, "headers": {"Content-Type": "application/octet-binary"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threat_level | number | Output field threat_level |
| ntfs_changetime | string | Time value |
| ntfs_createtime | string | Time value |
| file_create_time | string | Time value |
| process_createtime | object | Time value |
| file_createtime | string | Time value |
| ntfs_last_writetime | string | Time value |
| sha256 | string | Output field sha256 |
| file_path | string | Output field file_path |
| file_last_writetime | string | Time value |

Example output (truncated in the source):

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"threat_level": 1, "ntfs_changetime": "2022-01-07 16:44:36", "ntfs_createtime": "2022-01-07 16:44:36", "file_create_time": "2022-01-07T16:44:36.000Z", "process_createtime": null, "file_createtime": "2022-01-07 16:44:36", "ntfs_last_writetime": "2022-01-07 16:44:36", "sha256": "359c5d85022c772db5e05306595d3ff31c8cefbf30506f716bd239c15ae04e82", "file_path": "c:\\programdata\\microsoft\\windows defender\\definitionupdates\\{965fec8b-1372-429e
```

### Hunter Processes Connections

Retrieve network connection details for a specific process in TeamT5 ThreatSonar EDR using the provided process ID.

- Endpoint URL: `/api/v2/hunter/processes/{{id}}/connections`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | ID |
| headers | object | required | HTTP headers for the request |
| headers.Content-Type | string | optional | HTTP headers for the request |

Example input:

```json
{"path_parameters": {"id": 123}, "headers": {"Content-Type": "application/octet-binary"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": [{"id": 1, "address": "192.168.1.14"}, {"id": 2, "address": "192.168.1.87"}, {"id": 3, "address": "192.168.1.24"}]}
```

### Hunter Processes Endpoints

Retrieve detailed information on a process by its ID, including network IP connections, path parameters, and headers, from TeamT5 ThreatSonar EDR.

- Endpoint URL: `/api/v2/hunter/processes/{{id}}/endpoints`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | ID |
| parameters.connect_to | string | optional | IP address to connect |
| headers | object | required | HTTP headers for the request |
| headers.Content-Type | string | required | HTTP headers for the request |

Example input:

```json
{"parameters": {"connect_to": "192.168.1.137"}, "path_parameters": {"id": 123}, "headers": {"Content-Type": "application/octet-binary"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": [{"id": 1, "department": "dept 1", "computer_name": "srv 1", "ip_address": "192.168.1.137", "threat_level": 3, "last_scanned_at": "2019-03-23T11:09:43.000Z"}, {"id": 2, "department": "dept 2", "computer_name": "tsrv 2", "ip_address": "192.168.1.23", "threat_level": 3, "last_scanned_at": "2019-12-07T16:39:47.000Z"}]}
```

### Hunter Processes Show

Retrieve detailed information on a process by its ID from TeamT5 ThreatSonar EDR, including network IP connections. Requires the path parameter `id`.

- Endpoint URL: `/api/v2/hunter/processes/{{id}}`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | ID |
| headers | object | required | HTTP headers for the request |
| headers.Content-Type | string | required | HTTP headers for the request |

Example input:

```json
{"path_parameters": {"id": 123}, "headers": {"Content-Type": "application/octet-binary"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"name": "mstsc.exe"}}
```

### IncidentReport Index

Retrieve a list of incident reports accessible by the current user in TeamT5 ThreatSonar EDR.

- Endpoint URL: `/api/v2/incident_reports/`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| start_at | string | optional | Start time for the incident report query |
| end_at | string | optional | End time for the incident report query |
| trigger_types | array | optional | List of trigger types for incident reports |
| levels | array | optional | List of levels for incident reports |
| page | number | optional | Page number for pagination |
| page_size | number | optional | Number of items per page |

Example input:

```json
{"start_at": "string", "end_at": "string", "trigger_types": ["string"], "levels": ["string"], "page": 123, "page_size": 123}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.id | number | Response data |
| data.uuid | string | Response data |
| data.status | string | Response data |
| data.level | number | Response data |
| data.department_id | number | Response data |
| data.client | string | Response data |
| data.os | string | Response data |
| data.os_family | string | Response data |
| data.engine_version | string | Response data |
| data.connect_ip | string | Response data |
| data.exchange_token | object | Response data |
| data.intermediate_token | object | Response data |
| data.afterthoughts_error_detail | object | Response data |
| data.local_time_utc_offset | number | Response data |
| data.source | string | Response data |
| data.service_request_id | string | Response data |
| data.scanned_at | string | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.local_ip | string | Response data |
| data.version | string | Response data |
| data.server_apply_whitelist | number | Response data |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": [{}, {}], "page": 1, "page_size": 2, "count": 2}}
```
### IncidentReport Show

Retrieve detailed information for a specific incident report, identified by an ID, from TeamT5 ThreatSonar EDR.

- Endpoint URL: `/api/v2/incident_reports/`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.id | number | required | The ID of the incident report |

Example input:

```json
{"parameters": {"id": 123}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| max_level | number | Output field max_level |
| metadata | array | Response data |
| metadata.file_name | string | Response data |
| metadata.file | string | Response data |
| records | array | Output field records |
| records.attributes | array | Output field records.attributes |
| records.display_name | string | Name of the resource |
| records.id | number | Unique identifier |
| records.level | number | Output field records.level |
| records.meta_id | object | Unique identifier |
| records.rec_data | object | Response data |
| records.rec_data.file_path | string | Response data |
| records.rec_hash | string | Output field records.rec_hash |
| records.rec_src | string | Output field records.rec_src |
| records.rec_type | string | Type of the resource |
| records.rule_id | object | Unique identifier |
| records.tactics | object | Output field records.tactics |
| records.techniques | object | Output field records.techniques |
| relations | array | Output field relations |
| relations.from | number | Output field relations.from |
| relations.to | number | Output field relations.to |
| relations.verb | string | Output field relations.verb |
| summary | array | Output field summary |

Example output (truncated in the source):

```json
{"status_code": 200, "reason": "OK", "json_body": {"max_level": 5, "metadata": [], "records": [{}, {}, {}], "relations": [{}, {}], "summary": ["Volume shadow copies have been deleted using svchost.exe to prevent Windows from creating file backups prior to deploying ransomware. Deletion of volume shadow copies may also affect system restore functions. Adversaries may disable or delete system recovery features to augment the effects of <em>Data Destruction</em> and <em>Data Encrypted for Impact</em> techniques."],
```

### MalwareInfo Show

Retrieve STIX-compatible malware information from TeamT5 ThreatSonar EDR using a unique identifier.

- Endpoint URL: `api/v2/malware_infos/{{id}}`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the MalwareInfo Show action |

Example input:

```json
{"path_parameters": {"id": "1 1234"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.id | string | Unique identifier |
| meta.report_id | string | Unique identifier |
| indicator | object | Output field indicator |
| indicator.indicator_types | array | Type of the resource |
| indicator.pattern_type | string | Type of the resource |
| indicator.pattern | array | Output field indicator.pattern |
| indicator.valid_from | string | Unique identifier |
| attack_pattern | object | Output field attack_pattern |
| attack_pattern.name | string | Name of the resource |
| attack_pattern.description | string | Output field attack_pattern.description |
| attack_pattern.kill_chain_phases | array | Output field attack_pattern.kill_chain_phases |
| attack_pattern.kill_chain_phases.kill_chain_name | string | Name of the resource |
| attack_pattern.kill_chain_phases.phase_name | string | Name of the resource |
| attack_pattern.last_mitre_tag_id | string | Unique identifier |
| attack_pattern.mitre_tag_ids | array | Unique identifier |
| malware | object | Output field malware |
| malware.name | string | Name of the resource |
| malware.malware_type | array | Type of the resource |
| malware.is_family | boolean | Output field malware.is_family |
| malware.description | string | Output field malware.description |
| malware_analysis | object | Output field malware_analysis |
| malware_analysis.submitted | string | Output field malware_analysis.submitted |

Example output (truncated in the source):

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"meta": {"id": "1 1234", "report_id": "1"}, "indicator": {"indicator_types": [], "pattern_type": "stix", "pattern": [], "valid_from": "2022-07-07 10:57:26"}, "attack_pattern": {"name": "Web Service", "description": "Adversaries may use an existing, legitimate external Web service as a means for ", "kill_chain_phases": [], "last_mitre_tag_id": "T1102", "mitre_tag_ids": []}, "malware": {"name": "apt t5 02855", "malware_type": [], "is_family": true, "descripti
```

### Network IPs Endpoints

Query endpoints connected to a specified IP in TeamT5 ThreatSonar EDR using the provided `ip_id`.

- Endpoint URL: `/api/v2/network/ips/{{ip_id}}/endpoints`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip_id | string | required | Parameters for the Network IPs Endpoints action |
| parameters.process_id | number | optional | Parameters for the Network IPs Endpoints action |

Example input:

```json
{"parameters": {"process_id": 123}, "path_parameters": {"ip_id": "192.168.1.137"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": [{"id": 1, "vmp_hid": "00000000-0000-0000-0000-000000000000", "computer_name": "srv 1", "computer_manufacturer": "dell", "username": "user 1", "timezone": "-08:00", "number_of_cores": 4, "cpu_name": "bfebfbff000306d4", "os_name": "Microsoft Windows 7 \u5c08\u696d\u7248 (x64-based PC)", "installed_at": "2015-12-22T13:37:23.000Z", "department_id": 1, "ram_size": 8112, "connect_ip": "192.168.1.1", "local_ip": "192.168.1.113", "start_scan_counter": 248}]}
```

### Network IPs Processes

Query endpoint event connections for processes associated with a specified IP in TeamT5 ThreatSonar EDR, using the `ip_id` path parameter.

- Endpoint URL: `/api/v2/network/ips/{{ip_id}}/processes`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip_id | string | required | Parameters for the Network IPs Processes action |
| headers | object | optional | HTTP headers for the request |
| headers.Content-Type | string | optional | HTTP headers for the request |

Example input:

```json
{"path_parameters": {"ip_id": "192.168.1.137"}, "headers": {"Content-Type": "application/octet-binary"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": [{"name": "mstsc.exe"}, {"id": 548, "name": "lsass.exe"}, {"id": 13634, "name": "httpd.exe"}]}
```

### Network IPs Show

Retrieve detailed information for a specific IP by its ID in TeamT5 ThreatSonar EDR, including path parameters and headers.

- Endpoint URL: `/api/v2/network/ips/{{ip_id}}`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip_id | string | required | IP ID |
| headers | object | required | HTTP headers for the request |
| headers.Content-Type | string | required | HTTP headers for the request |

Example input:

```json
{"path_parameters": {"ip_id": "192.168.1.137"}, "headers": {"Content-Type": "application/octet-binary"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| address | string | Output field address |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"address": "8.8.8.8"}}
```

### Report Detail

Retrieve a detailed scan report from TeamT5 ThreatSonar EDR using a unique scan result ID.

- Endpoint URL: `/api/v2/scan_results/{{scan_result_id}}/report_detail`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.scan_result_id | number | required | Scan result ID |

Example input:

```json
{"path_parameters": {"scan_result_id": 123}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| os_name | string | Name of the resource |
| threats | array | Output field threats |
| threats.total_match_rule_lists | array | Output field threats.total_match_rule_lists |
| threats.malicious_level | string | Output field threats.malicious_level |
| threats.malicious_attribute_tag | array | Output field threats.malicious_attribute_tag |
| threats.related_paths | object | Output field threats.related_paths |
| network | array | Output field network |
| network.local_port | string | Output field network.local_port |
| network.process_name | string | Name of the resource |
| network.remote_ip | string | Output field network.remote_ip |
| network.remote_port | string | Output field network.remote_port |
| network.state | string | Output field network.state |
| event_log | array | Output field event_log |
| event_log.eventid | number | Unique identifier |
| event_log.malicious_level | number | Output field event_log.malicious_level |
| event_log.malicious_attribute_tag | array | Output field event_log.malicious_attribute_tag |
| event_log.malicious_attribute_tag.file_name | string | Name of the resource |
| event_log.malicious_attribute_tag.file | string | Output field event_log.malicious_attribute_tag.file |
| event_log.process_commandline | object | Output field event_log.process_commandline |
| total_visiblememory_size | string | Output field total_visiblememory_size |
| free_physicalmemory_size | string | Output field free_physicalmemory_size |
| software_list | array | Output field software_list |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"os_name": "Microsoft Windows 10 \u5c08\u696d\u7248 (x64-based PC)", "threats": [{}], "network": [{}], "event_log": [{}], "total_visiblememory_size": "6143 MB", "free_physicalmemory_size": "3298 MB", "software_list": ["ESET Security (15.1.12.0)", "Microsoft Edge (100.0.1185.44)", "Microsoft Edge Update (1.3.157.61)"]}}
```

### Report Import Report Bundle

Upload a report bundle to TeamT5 ThreatSonar EDR for threat analysis. Requires form data.

- Endpoint URL: `/api/v2/scan_results/import_report_bundle`
- Method: `POST`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| form_data | object | required | Response data |
| form_data.report | object | required | File to be uploaded |
| form_data.report.file | string | required | Response data |
| form_data.report.file_name | string | required | Response data |

Example input:

```json
{"form_data": {"report": {"file": "string", "file_name": "example_name"}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| url | string | URL endpoint for the request |
| report_id | number | Unique identifier |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"url": "https://cloud.threatsonar.org:80/scan_results?report_viewer[id]=1", "report_id": 1}}
```

### Report Show

Retrieve a base64-encoded PDF report of scan results from TeamT5 ThreatSonar EDR using the provided scan result ID.

- Endpoint URL: `/api/v2/scan_results/{{scan_result_id}}/report`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.scan_result_id | number | required | Scan result ID |
| headers | object | required | HTTP headers for the request |
| headers.Content-Type | string | required | HTTP headers for the request |

Example input:

```json
{"path_parameters": {"scan_result_id": 123}, "headers": {"Content-Type": "application/octet-binary"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| file | object | Attachments |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Example output:

```json
{"file": {"file": "string", "file_name": "example_name"}}
```

### ThreatTracer Count Events

Count the number of events captured by TeamT5 ThreatSonar EDR within a specified time range. Requires the `start_on`, `end_on`, and `client_id` parameters.

- Endpoint URL: `/api/v2/threat_tracer/events/meta`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.start_on | string | required | Start of date range |
| parameters.end_on | string | required | End of date range; the date range must be within 6 months |
| parameters.client_id | number | required | The client ID can be obtained from the List Clients API |

Example input:

```json
{"parameters": {"tracer_id": "example_id"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.total_hits_count | number | Count value |
| meta.total_pages | number | Output field meta.total_pages |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"meta": {"total_hits_count": 3345678, "total_pages": 35}}}
```

### ThreatTracer List Clients

Retrieve a list of clients from TeamT5 ThreatSonar EDR for monitoring and management purposes.

- Endpoint URL: `/api/v2/clients`
- Method: `GET`

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| clients | array | Output field clients |
| clients.id | number | Unique identifier |
| clients.name | string | Name of the resource |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"clients": [{}]}}
```

### ThreatTracer List Events

Retrieve a list of events from TeamT5 ThreatSonar EDR within a specified time range. Requires the `start_on`, `end_on`, and `client_id` parameters.

- Endpoint URL: `/api/v2/threat_tracer/events`
- Method: `GET`

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.start_on | string | required | Start of date range |
| parameters.end_on | string | required | End of date range; the date range must be within 6 months |
| parameters.client_id | number | required | The client ID can be obtained from the List Clients API |
| parameters.limit | number | optional | The maximum number of events |
| parameters.offset | number | optional | The number of events to skip |

Example input:

```json
{"parameters": {"tracer_id": "example_id"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| events | array | Output field events |
| events.id | number | Unique identifier |
| events.ruleset_type | string | Type of the resource |
| events.ruleset_id | string | Unique identifier |
| events.ruleset_name | string | Name of the resource |
| events.hunter_event_id | number | Unique identifier |
| events.client_name | string | Name of the resource |
| events.department_name | string | Name of the resource |
| events.endpoint_name | string | Name of the resource |
| events.local_ip | string | Output field events.local_ip |
| events.os_name | string | Name of the resource |
| events.first_seen_at | string | Output field events.first_seen_at |
| events.level | number | Output field events.level |
| events.normalized_file_path | string | Output field events.normalized_file_path |
| events.sha256_hash | string | Output field events.sha256_hash |
| events.is_ignored | boolean | Output field events.is_ignored |
| events.created_at | string | Output field events.created_at |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"events": [{}]}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
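The following is an added example, not Swimlane's or TeamT5's code: a minimal standard-library client that builds the Count, Show, Isolate and Deisolate requests from the reference above using the connector's configuration parameters, keeps TLS verification on unless the operator opts out, and flattens the Count response for reporting. It assumes the API key is sent in an `X-Auth-Token` header and that `{{endpoint_id}}` is substituted verbatim into the path; `SAMPLE_COUNT` is constructed data in the shape of the Count action's output fields.

```python
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Config:
    """Mirrors the connector's API Key Authentication parameters."""
    url: str                          # A URL to the target host
    api_key: str                      # sent as X-Auth-Token (header name assumed)
    verify_ssl: bool = True           # optional in the connector; default stays on
    http_proxy: Optional[str] = None  # A proxy to route requests through


@dataclass(frozen=True)
class PreparedRequest:
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[bytes] = None


def fill_path(template: str, **path_params: Any) -> str:
    """Substitute the {{name}} placeholders used in the action reference, URL-escaped."""
    for name, value in path_params.items():
        template = template.replace("{{%s}}" % name, urllib.parse.quote(str(value), safe=""))
    if "{{" in template:
        raise ValueError("unfilled path parameter in %s" % template)
    return template


def build_request(cfg: Config, method: str, path: str, params: Optional[Dict[str, Any]] = None,
                  json_body: Optional[Dict[str, Any]] = None) -> PreparedRequest:
    url = cfg.url.rstrip("/") + "/" + path.lstrip("/")
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"X-Auth-Token": cfg.api_key, "Accept": "application/json"}
    body = None
    if json_body is not None:  # the Count action carries its filter in json_body
        headers["Content-Type"] = "application/json"
        body = json.dumps(json_body).encode()
    return PreparedRequest(method, url, headers, body)


def count_request(cfg: Config, online: Optional[bool] = None) -> PreparedRequest:
    body = None if online is None else {"online": online}
    return build_request(cfg, "GET", "/api/v2/endpoints/count", json_body=body)


def isolate_request(cfg: Config, endpoint_id: str) -> PreparedRequest:
    path = fill_path("/api/v2/endpoints/{{endpoint_id}}/isolate", endpoint_id=endpoint_id)
    return build_request(cfg, "POST", path)


def deisolate_request(cfg: Config, endpoint_id: str) -> PreparedRequest:
    path = fill_path("/api/v2/endpoints/{{endpoint_id}}/deisolate", endpoint_id=endpoint_id)
    return build_request(cfg, "POST", path)


def show_request(cfg: Config, endpoint_id: str, scan_start: Optional[str] = None,
                 scan_end: Optional[str] = None) -> PreparedRequest:
    # The Show action documents scan_start and scan_end as a pair; reject half a window.
    if (scan_start is None) != (scan_end is None):
        raise ValueError("scan_start and scan_end must be set together")
    params = {"scan_start": scan_start, "scan_end": scan_end} if scan_start else None
    return build_request(cfg, "GET", fill_path("/api/v2/endpoints/{{endpoint_id}}", endpoint_id=endpoint_id), params)


def send(cfg: Config, req: PreparedRequest) -> Dict[str, Any]:
    """Perform the request; returns status_code / reason / json_body like the connector."""
    ctx = ssl.create_default_context()
    if not cfg.verify_ssl:  # explicit opt-out only; default context verifies chain and hostname
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers: list = [urllib.request.HTTPSHandler(context=ctx)]
    if cfg.http_proxy:
        handlers.append(urllib.request.ProxyHandler({"http": cfg.http_proxy, "https": cfg.http_proxy}))
    raw = urllib.request.Request(req.url, data=req.body, headers=req.headers, method=req.method)
    with urllib.request.build_opener(*handlers).open(raw, timeout=30) as resp:
        payload = resp.read()
        return {"status_code": resp.status, "reason": resp.reason,
                "json_body": json.loads(payload) if payload else None}


def department_counts(json_body: Dict[str, Any]) -> List[Tuple[str, str, int]]:
    """Flatten the Count action's clients/departments tree to (client, department, count), largest first."""
    rows = [(c["name"], d["name"], int(d["count"]))
            for c in json_body.get("clients", []) for d in c.get("departments", [])]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample in the shape of the Count action's output fields (not real data).
SAMPLE_COUNT = {"clients": [{"id": 1, "name": "hq", "count": 159, "departments": [
    {"id": 10, "name": "finance", "count": 40}, {"id": 11, "name": "it", "count": 119}]}], "count": 159}
```

`send()` is the only function that touches the network; everything else can be exercised offline against the request it would produce.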