# TEHTRIS XDR
The TEHTRIS XDR connector enables automated interactions with the TEHTRIS XDR platform, facilitating threat detection and response activities. TEHTRIS XDR provides a comprehensive cybersecurity solution that monitors and protects against advanced threats across various vectors. By integrating with Swimlane Turbine, users can automate the retrieval of detailed XDR events, manage alert statuses, and control endpoint security measures such as isolation and disk scan statuses. This connector empowers security teams to efficiently respond to incidents, manage quarantined files, and maintain an up-to-date software list on endpoints, all within the Swimlane Turbine platform. The TEHTRIS XDR connector streamlines security operations, enabling faster threat detection and response while reducing manual workload.

The TEHTRIS XDR connector integrates with Swimlane Turbine. The TEHTRIS XDR platform is used to control and improve the IT security of private and public companies against advanced cyber threats such as cyber espionage or cyber sabotage activities.

## Prerequisites

To utilize the TEHTRIS XDR connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: the endpoint URL for the TEHTRIS XDR API
  - Username: your TEHTRIS XDR account username
  - Password: your TEHTRIS XDR account password

## Asset Setup

To generate an API key from the TEHTRIS XDR platform, navigate to Parameters > API keys. To create a new key for use with some APIs, click Add. A popup is displayed in which you can easily find the APIs. First enter a label that describes the purpose of the API key, then choose all required APIs, filtered by name, by product or by method; several APIs may be selected to share the same API key. When the selection is done, click Create.

When the key is generated, a warning appears: "provided only once, store it somewhere safe". The full 60 characters of the API key string will never be displayed in the key management tab; only the prefix appears, so the key must be copied now. Use the copy to clipboard button, then click Close.

## Capabilities

This connector provides the following capabilities:

- Fetch Events
- Get Alert Status
- Get EDR Disk Scan Status
- Get EDR Isolation Status
- Get Software List
- List All Quarantine Files
- List Running Process
- Restore a File from a Quarantine
- Send Isolation Action
- Update Alert Status

## Configurations

### TEHTRIS XDR HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Username | `api` as username | string | required |
| Password | Generated API key as password | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Fetch Events

Retrieve detailed events from TEHTRIS XDR starting from a specified date by using the `fromDate` parameter.

Endpoint URL: `/xdr/v1/event`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| fromDate | number | required | Seconds since epoch (UTC) of the starting date from which to fetch events. If `countOnly` is false, it cannot be earlier than 43 days in the past. |
| toDate | number | optional | Seconds since epoch (UTC) of the ending date up to which to fetch events. Leave blank to fetch events until now. |
| eventId | number | optional | If used, the response contains only events with `id` greater than this parameter. |
| countOnly | boolean | optional | If true, count alerts instead of retrieving the list of alerts. |
| byTag | boolean | optional | If true and `countOnly` is true, count alerts by tag. |
| limit | number | optional | If `countOnly` is false, the number of events to return in one query; cannot be greater than 1000. |
| offset | number | optional | If `countOnly` is false, the number of events to skip before starting to collect the result set. |
| filterId | string | optional | The filter ID used to retrieve events. If no filter ID is specified in the query, the first filter ID stored with the API key is used. |
| createdOrModified | string | optional | `created`: query all alerts created between `fromDate` and `toDate`. `modified`: query all alerts created within the last 43 days whose status has been modified between `fromDate` and `toDate`. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Thu, 15 Feb 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Alert Status

Retrieve detailed alert statuses from TEHTRIS XDR using a specified `watchPointId`.

Endpoint URL: `/xdr/v2/event/watch-point/{{watchPointId}}/alerts`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| watchPointId | string | required | Identifier of the watch point |
| limit | number | optional | Limit on the number of returned alerts; set it to 0 to simulate a count-only query |
| offset | number | optional | Offset |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alerts | array | Output field alerts |
| sha256 | string | Output field sha256 |
| rflid | number | Unique identifier |
| ipsrc | string | Output field ipsrc |
| description | string | Output field description |
| pid | number | Unique identifier |
| pcreatedatetime | string | Time value |
| uid | string | Unique identifier |
| path | string | Output field path |
| cmdline | string | Output field cmdline |
| uuid | string | Unique identifier |
| apptype | string | Type of the resource |
| os release | string | Output field os release |
| eventname | string | Name of the resource |
| tag | string | Output field tag |
| id | number | Unique identifier |
| egkbid | number | Unique identifier |
| mitretechs | string | Output field mitretechs |
| egkbname | string | Name of the resource |
| os architecture | string | Output field os architecture |
| os server | boolean | Output field os server |
| lvl | number | Output field lvl |
| tehtris | object | Output field tehtris |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Thu, 15 Feb 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "alerts": []
    }
  }
]
```

### Get EDR Disk Scan Status

Retrieve the current disk scan status in TEHTRIS XDR using the appliance ID and EDR UUID.

Endpoint URL: `/edr/v2/live/{{applianceId}}/{{edrUuid}}/scan-disk`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| applianceId | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |
| edrUuid | string | required | The UUID of the endpoint you want to use this API on |
| scanId | string | optional | ID of the scan. If no ID is specified, the status of the scheduled scan is retrieved. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | object | Status value |
| status | string | Status value |
| data | object | Response data |
| scanned folders | array | Output field scanned folders |
| start time | string | Time value |
| end time | string | Time value |
| files scanned | number | Output field files scanned |
| binaries scanned | number | Output field binaries scanned |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Thu, 15 Feb 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "status": {}
    }
  }
]
```

### Get EDR Isolation Status

Retrieve the current isolation status of an endpoint in TEHTRIS XDR using specific identifiers.

Endpoint URL: `/edr/v2/live/{{applianceId}}/{{edrUuid}}/isolation`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| edrUuid | string | required | The UUID of the endpoint you want to use this API on |
| applianceId | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | boolean | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Thu, 15 Feb 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "status": true
    }
  }
]
```

### Get Software List

Retrieve a list of software installed on an endpoint identified by `edrUuid` and `applianceId` in TEHTRIS XDR.

Endpoint URL: `/edr/v2/live/{{applianceId}}/{{edrUuid}}/software`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| edrUuid | string | required | The UUID of the endpoint you want to use this API on |
| applianceId | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| columns | array | Output field columns |
| type | string | Type of the resource |
| name | string | Name of the resource |
| default | string | Output field default |
| data | array | Response data |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Thu, 15 Feb 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "columns": [],
      "data": []
    }
  }
]
```

### List All Quarantine Files

Retrieve all files quarantined by TEHTRIS XDR for a specific endpoint; requires `edrUuid` and `applianceId`.

Endpoint URL: `/edr/v2/live/{{applianceId}}/{{edrUuid}}/remediation/quarantine`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| edrUuid | string | required | The UUID of the endpoint you want to use this API on |
| applianceId | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| quarantinePaths | array | Output field quarantinePaths |

Example:

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Thu, 15 Feb 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "quarantinePaths": []
    }
  }
]
```

### List Running Process

Retrieve the currently running UEBA modules in TEHTRIS XDR, using the `rid` path parameter for identification.

Endpoint URL: `/siem/{{rid}}/uba/v4/ueba/observe-running-modules`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| rid | number | required | The appliance ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| list | array | Output field list |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Thu, 15 Feb 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "list": []
    }
  }
]
```

### Restore a File from a Quarantine

Restores a quarantined file within TEHTRIS XDR using the EDR UUID, appliance ID, and the specified file path.

Endpoint URL: `/edr/v2/live/{{applianceId}}/{{edrUuid}}/remediation/quarantine`

Method: PATCH

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| edrUuid | string | required | The UUID of the endpoint you want to use this API on |
| applianceId | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |
| path | string | required | Path of the file to restore |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| restoredPath | string | Output field restoredPath |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Thu, 15 Feb 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "restoredPath": "string"
    }
  }
]
```

### Send Isolation Action

Initiates an endpoint isolation in TEHTRIS XDR using the provided `edrUuid`, `applianceId`, and a specified isolation action.

Endpoint URL: `/edr/v2/live/{{applianceId}}/{{edrUuid}}/isolation`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| edrUuid | string | required | The UUID of the endpoint you want to use this API on |
| applianceId | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |
| isolationAction | string | required | Enable/disable the network isolation. `enable`: all incoming and outgoing connections on the selected endpoint are blocked, except its connections to the TEHTRIS appliances and DNS requests. `disable`: disables the isolation. `whitelist`: while isolation is enabled, whitelist the ruleset given as input. |
| power | string | optional | `soft` power = isolation policy; `hard` power = enforce isolation without config |
| toWhitelist | object | optional | Parameter for Send Isolation Action |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Thu, 15 Feb 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Update Alert Status

Modify the name, description, and status of a TEHTRIS XDR watch point; set the status to `close` to freeze it.

Endpoint URL: `/xdr/v2/event/watch-point/{{watchPointId}}`

Method: PATCH

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| watchPointId | string | required | Identifier of the watch point |
| name | string | optional | Name of the resource |
| description | string | optional | Parameter for Update Alert Status |
| status | string | optional | Status value |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| type | string | Type of the resource |
| severity | number | Output field severity |
| creation | object | Output field creation |
| date | string | Date value |
| edition | object | Output field edition |
| date | string | Date value |
| composedOf | object | Output field composedOf |
| scenarios | array | Output field scenarios |
| pivots | array | Output field pivots |
| key | string | Output field key |
| value | string | Value for the parameter |
| childOf | object | Output field childOf |
| metaIds | object | Unique identifier |
| id | string | Unique identifier |
| freezeDateTime | string | Time value |
| isFreeze | boolean | Output field isFreeze |
| mayContainTooOldAlerts | boolean | Output field mayContainTooOldAlerts |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Thu, 15 Feb 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "name": "Potential ransomware activity, AD FR server 248",
      "description": "Some alerts match the detection of 'Potential ransomware activity' with 'AD FR S",
      "type": "auto scn pvt",
      "severity": 9,
      "creation": {},
      "edition": {},
      "composedOf": {},
      "childOf": {},
      "id": "2bc15a58-2fa9-527d-8553-4b5dfc7b0456-g2",
      "freezeDateTime": "2023-12-01T10:47:35+00:00",
      "isFreeze": false,
      "mayContainTooOldAlerts": false
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 15 Feb 2024 20:37:23 GMT |

## Notes

Once logged in to the XDR platform using your username and password, select the TEHTRIS XDR option, where you will find the Swagger documentation.
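As an added example (not code from the Swimlane connector or from TEHTRIS), the Python below assembles the Fetch Events call the way a playbook step would: HTTP Basic with `api` as username and the generated key as password, the documented 43-day lookback and 1000-event limit checked before the request leaves, and offset paging over `/xdr/v1/event`. Parameter names come from the Fetch Events input table; the `send(url, headers)` transport and the `events` key in the JSON body are assumptions, so the block runs offline.

```python
import base64
import time
from typing import Callable, Iterator, Optional
from urllib.parse import urlencode

MAX_LOOKBACK = 43 * 24 * 3600  # fromDate may not be more than 43 days old when countOnly is false
MAX_LIMIT = 1000               # one query returns at most 1000 events

def basic_auth_header(api_key: str, username: str = "api") -> dict:
    """HTTP Basic as the connector configures it: username 'api', generated API key as password."""
    raw = f"{username}:{api_key}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def fetch_events_query(from_date: int, to_date: Optional[int] = None, limit: int = MAX_LIMIT,
                       offset: int = 0, count_only: bool = False,
                       now: Optional[int] = None) -> dict:
    """Check the documented constraints client-side and return the query parameters."""
    now = int(time.time()) if now is None else now
    if to_date is not None and to_date < from_date:
        raise ValueError("toDate must not precede fromDate")
    params = {"fromDate": from_date}
    if to_date is not None:
        params["toDate"] = to_date
    if count_only:
        params["countOnly"] = "true"   # counts alerts instead of listing them; no 43-day limit
        return params
    if from_date < now - MAX_LOOKBACK:
        raise ValueError("fromDate cannot be earlier than 43 days in the past")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    if offset < 0:
        raise ValueError("offset must not be negative")
    params.update(limit=limit, offset=offset)
    return params

def iter_events(base_url: str, api_key: str, from_date: int, send: Callable[[str, dict], dict],
                page_size: int = MAX_LIMIT, now: Optional[int] = None) -> Iterator[dict]:
    """Walk GET /xdr/v1/event with offset paging until a short page marks the end; `send(url, headers)`
    is a hypothetical transport returning the JSON body, and the "events" list key is an assumption."""
    headers = basic_auth_header(api_key)
    offset = 0
    while True:
        params = fetch_events_query(from_date, limit=page_size, offset=offset, now=now)
        body = send(f"{base_url.rstrip('/')}/xdr/v1/event?{urlencode(params)}", headers)
        events = body.get("events", [])
        yield from events
        if len(events) < page_size:
            return
        offset += page_size
```

Wire `send` to your HTTP client of choice (passing the Verify SSL and HTTP Proxy settings from the asset) and the generator yields every event since `from_date` without exceeding the per-query cap.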