# TEHTRIS XDR
The TEHTRIS XDR connector enables automated interactions with the TEHTRIS XDR platform, facilitating threat detection and response activities. TEHTRIS XDR provides a comprehensive cybersecurity solution that monitors and protects against advanced threats across various vectors. By integrating with Swimlane Turbine, users can automate the retrieval of detailed XDR events, manage alert statuses, and control endpoint security measures such as isolation and disk scan statuses. This connector empowers security teams to efficiently respond to incidents, manage quarantined files, and maintain an up-to-date software list on endpoints, all within the Swimlane Turbine platform. The TEHTRIS XDR connector streamlines security operations, enabling faster threat detection and response while reducing manual workload.

The TEHTRIS XDR connector integrates with Swimlane Turbine. The TEHTRIS XDR platform is used to control and improve the IT security of private and public companies against advanced cyber threats such as cyber espionage or cyber sabotage activities.

## Prerequisites

To utilize the TEHTRIS XDR connector within Swimlane Turbine, ensure you have the following prerequisites:

HTTP Basic Authentication with the following parameters:

- URL: the endpoint URL for the TEHTRIS XDR API
- Username: your TEHTRIS XDR account username
- Password: your TEHTRIS XDR account password

## Asset Setup

To generate an API key from the TEHTRIS XDR platform, navigate to Parameters > API Keys. To create a new key to use with some APIs, click Add. A popup is displayed in which you may easily find APIs. First enter a label that describes the purpose of the API key, then choose all required APIs, filtered by name, by product or by method (several APIs may be selected to share the same API key). When the selection is done, click Create. When the key is generated, a warning appears: "Provided only once, store it somewhere safe". The full 60 characters of the API key string will never be displayed in the Key Management tab; only the prefix appears, so the key must be copied now. Use the Copy to Clipboard button, then click Close.

## Capabilities

This connector provides the following capabilities:

- Fetch Events
- Get Alert Status
- Get EDR Disk Scan Status
- Get EDR Isolation Status
- Get Software List
- List All Quarantine Files
- List Running Process
- Restore a File from a Quarantine
- Send Isolation Action
- Update Alert Status

## Notes

Once logged in to the XDR platform using your username and password, select the TEHTRIS XDR option, where you will find the Swagger documentation.

## Configurations

### TEHTRIS XDR HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | `api` as username | string | required |
| password | Generated API key as password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Fetch Events

Retrieve detailed events from TEHTRIS XDR starting from a specified date by using the `fromdate` parameter.

Endpoint URL: `/xdr/v1/event`
Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.fromdate | number | required | Seconds since epoch (UTC) of the starting date from which to fetch the events. If `countonly` is false, it cannot be earlier than 43 days in the past. |
| parameters.todate | number | optional | Seconds since epoch (UTC) of the ending date up to which to fetch the events. Leave blank to fetch events until now. |
| parameters.eventid | number | optional | If used, the response contains only events with `id` greater than this parameter. |
| parameters.countonly | boolean | optional | If true, count alerts instead of retrieving the list of alerts. |
| parameters.bytag | boolean | optional | If true and `countonly` is true, count alerts by tag. |
| parameters.limit | number | optional | If `countonly` is false, the number of events to return in one query. Cannot be greater than 1000. |
| parameters.offset | number | optional | If `countonly` is false, the number of events to skip before starting to collect the result set. |
| parameters.filterid | string | optional | The filter ID used to retrieve events. If no filter ID is specified in the query, the first filter ID stored with the API key is used. |
| parameters.createdormodified | string | optional | `created`: query all alerts created between `fromdate` and `todate`. `modified`: query all alerts created in the last 43 days whose status has been modified between `fromdate` and `todate`. |

Input example:

```json
{"parameters": {"fromdate": 1707974685, "todate": 1707974690, "eventid": 1, "countonly": false, "bytag": false, "limit": 100, "offset": 0, "filterid": "1", "createdormodified": "created"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 15 Feb 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get Alert Status

Retrieve detailed alert statuses from TEHTRIS XDR using a specified `watchpointid`.

Endpoint URL: `/xdr/v2/event/watch_point/{{watchpointid}}/alerts`
Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.watchpointid | string | required | Identifier of the watch point |
| parameters.limit | number | optional | Limit on the number of returned alerts. You can set it to 0 to simulate a count only. |
| parameters.offset | number | optional | Offset |

Input example:

```json
{"parameters": {"limit": 1000, "offset": 0}, "path_parameters": {"watchpointid": "2bc15a58-2fa9-527d-8553-4b5dfc7b0456-g2"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alerts | array | Output field alerts |
| alerts.sha256 | string | Output field alerts.sha256 |
| alerts.rflid | number | Unique identifier |
| alerts.ipsrc | string | Output field alerts.ipsrc |
| alerts.description | string | Output field alerts.description |
| alerts.pid | number | Unique identifier |
| alerts.pcreatedatetime | string | Time value |
| alerts.uid | string | Unique identifier |
| alerts.path | string | Output field alerts.path |
| alerts.cmdline | string | Output field alerts.cmdline |
| alerts.uuid | string | Unique identifier |
| alerts.apptype | string | Type of the resource |
| alerts.os_release | string | Output field alerts.os_release |
| alerts.eventname | string | Name of the resource |
| alerts.tag | string | Output field alerts.tag |
| alerts.id | number | Unique identifier |
| alerts.egkbid | number | Unique identifier |
| alerts.mitretechs | string | Output field alerts.mitretechs |
| alerts.egkbname | string | Name of the resource |
| alerts.os_architecture | string | Output field alerts.os_architecture |
| alerts.os_server | boolean | Output field alerts.os_server |
| alerts.lvl | number | Output field alerts.lvl |
| alerts.tehtris | object | Output field alerts.tehtris |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 15 Feb 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"alerts": [{}]}}
```

### Get EDR Disk Scan Status

Retrieve the current disk scan status in TEHTRIS XDR using the appliance ID and EDR UUID.

Endpoint URL: `/edr/v2/live/{{applianceid}}/{{edruuid}}/scan_disk`
Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.applianceid | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |
| path_parameters.edruuid | string | required | The UUID of the endpoint you want to use this API on |
| parameters.scanid | string | optional | ID of the scan. If no ID is specified, the status of the scheduled scan is retrieved. |

Input example:

```json
{"parameters": {"scanid": ""}, "path_parameters": {"applianceid": 1, "edruuid": ""}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | object | Status value |
| status.status | string | Status value |
| status.data | object | Response data |
| status.data.scanned_folders | array | Response data |
| status.data.start_time | string | Response data |
| status.data.end_time | string | Response data |
| status.data.files_scanned | number | Response data |
| status.data.binaries_scanned | number | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 15 Feb 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"status": {"status": "string", "data": {}}}}
```

### Get EDR Isolation Status

Retrieve the current isolation status of an endpoint in TEHTRIS XDR using specific identifiers.

Endpoint URL: `/edr/v2/live/{{applianceid}}/{{edruuid}}/isolation`
Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.edruuid | string | required | The UUID of the endpoint you want to use this API on |
| path_parameters.applianceid | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |

Input example:

```json
{"path_parameters": {"edruuid": "", "applianceid": 2}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | boolean | Status value |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 15 Feb 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"status": true}}
```

### Get Software List

Retrieve a list of software installed on an endpoint identified by `edruuid` and `applianceid` in TEHTRIS XDR.

Endpoint URL: `/edr/v2/live/{{applianceid}}/{{edruuid}}/software`
Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.edruuid | string | required | The UUID of the endpoint you want to use this API on |
| path_parameters.applianceid | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |

Input example:

```json
{"path_parameters": {"edruuid": "", "applianceid": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| columns | array | Output field columns |
| columns.type | string | Type of the resource |
| columns.name | string | Name of the resource |
| columns.default | string | Output field columns.default |
| data | array | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 15 Feb 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"columns": [{}], "data": ["string"]}}
```

### List All Quarantine Files

Retrieve all files quarantined by TEHTRIS XDR for a specific endpoint, requiring `edruuid` and `applianceid`.

Endpoint URL: `/edr/v2/live/{{applianceid}}/{{edruuid}}/remediation/quarantine`
Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.edruuid | string | required | The UUID of the endpoint you want to use this API on |
| path_parameters.applianceid | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |

Input example:

```json
{"path_parameters": {"edruuid": "", "applianceid": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| quarantinepaths | array | Output field quarantinepaths |

Output example:

```json
{"status_code": 204, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 15 Feb 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"quarantinepaths": ["string"]}}
```

### List Running Process

Retrieve currently running UEBA modules in TEHTRIS XDR using the `rid` path parameter for identification.

Endpoint URL: `/siem/{{rid}}/uba/v4/ueba/observe_running_modules`
Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.rid | number | required | The appliance ID |

Input example:

```json
{"path_parameters": {"rid": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| list | array | Output field list |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 15 Feb 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"list": ["string"]}}
```

### Restore a File from a Quarantine

Restores a quarantined file within TEHTRIS XDR using the EDR UUID, appliance ID, and the specified file path.

Endpoint URL: `/edr/v2/live/{{applianceid}}/{{edruuid}}/remediation/quarantine`
Method: PATCH

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.edruuid | string | required | The UUID of the endpoint you want to use this API on |
| path_parameters.applianceid | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |
| parameters.path | string | required | Path of the file to restore |

Input example:

```json
{"parameters": {"path": ""}, "path_parameters": {"edruuid": "", "applianceid": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| restoredpath | string | Output field restoredpath |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 15 Feb 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"restoredpath": "string"}}
```

### Send Isolation Action

Initiates an endpoint isolation in TEHTRIS XDR using the provided `edruuid`, `applianceid`, and a specified isolation action.

Endpoint URL: `/edr/v2/live/{{applianceid}}/{{edruuid}}/isolation`
Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.edruuid | string | required | The UUID of the endpoint you want to use this API on |
| path_parameters.applianceid | number | required | The appliance number where the endpoint is connected. Minimum value is 1 and maximum value is 254. |
| parameters.isolationaction | string | required | Enable/disable the network isolation. `enable`: all incoming and outgoing connections on the selected endpoint are blocked, except its connections to the TEHTRIS appliances and DNS requests. `disable`: disables the isolation. `whitelist`: while isolation is enabled, whitelist the ruleset given in the input parameters. |
| parameters.power | string | optional | `soft`: power = isolation policy; `hard`: power = enforce isolation without config |
| towhitelist | object | optional | Parameter for Send Isolation Action |

Input example:

```json
{"parameters": {"isolationaction": "enable", "power": "soft"}, "json_body": {"towhitelist": {}}, "path_parameters": {"edruuid": "", "applianceid": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 204, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 15 Feb 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Update Alert Status

Modify the name, description, and status of a TEHTRIS XDR watch point; set the status to `close` to freeze it.

Endpoint URL: `/xdr/v2/event/watch_point/{{watchpointid}}`
Method: PATCH

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.watchpointid | string | required | Identifier of the watch point |
| name | string | optional | Name of the resource |
| description | string | optional | Parameter for Update Alert Status |
| status | string | optional | Status value |

Input example:

```json
{"json_body": {"name": "Potential ransomware activity", "description": "Some alerts match the detection of 'Potential ransomware activity' with 'ad fr server 248' value on 'hostname' keys", "status": "checked"}, "path_parameters": {"watchpointid": "2bc15a58-2fa9-527d-8553-4b5dfc7b0456-g2"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| type | string | Type of the resource |
| severity | number | Output field severity |
| creation | object | Output field creation |
| creation.date | string | Date value |
| edition | object | Output field edition |
| edition.date | string | Date value |
| composedof | object | Output field composedof |
| composedof.scenarios | array | Output field composedof.scenarios |
| composedof.pivots | array | Output field composedof.pivots |
| composedof.pivots.key | string | Output field composedof.pivots.key |
| composedof.pivots.value | string | Value for the parameter |
| childof | object | Output field childof |
| childof.metaids | object | Unique identifier |
| id | string | Unique identifier |
| freezedatetime | string | Time value |
| isfreeze | boolean | Output field isfreeze |
| maycontaintoooldalerts | boolean | Output field maycontaintoooldalerts |

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 15 Feb 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"name": "Potential ransomware activity, ad fr server 248", "description": "Some alerts match the detection of 'Potential ransomware activity' with 'ad fr s", "type": "auto scn pvt", "severity": 9, "creation": {"date": "2023-05-01T10:47:35+00:00"}, "edition": {"date": "2023-05-01T10:47:35+00:00"}, "composedof": {"scenarios": [], "pivots": []}, "childof
```

#### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 15 Feb 2024 20:37:23 GMT |
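The following is an added example, not part of the connector or the TEHTRIS documentation, showing how a client of the Fetch Events action described above would apply the two documented limits (`fromdate` no earlier than 43 days back, `limit` at most 1000) and page through results with the `eventid` cursor rather than `offset`. The `get` callable is a hypothetical transport hook that performs the authenticated GET against `/xdr/v1/event` and returns the event list; the event shape (a dict with a numeric `id`) is an assumption, since the page's output example shows an empty body.

```python
import base64
import time
from typing import Callable, Iterator, Optional

MAX_LIMIT = 1000           # documented cap on the "limit" parameter
MAX_LOOKBACK = 43 * 86400  # "fromdate" cannot be earlier than 43 days ago


def basic_auth_header(api_key: str) -> dict:
    """HTTP Basic auth as the connector configures it: user 'api', password = API key."""
    token = base64.b64encode(f"api:{api_key}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def fetch_events_params(fromdate: int, todate: Optional[int] = None,
                        limit: int = MAX_LIMIT, eventid: Optional[int] = None,
                        filterid: Optional[str] = None,
                        now: Optional[int] = None) -> dict:
    """Validate and assemble the query string for GET /xdr/v1/event."""
    now = int(time.time()) if now is None else now
    if fromdate < now - MAX_LOOKBACK:
        raise ValueError("fromdate is earlier than 43 days in the past")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    params = {"fromdate": fromdate, "limit": limit, "countonly": False}
    if todate is not None:
        params["todate"] = todate
    if eventid is not None:
        params["eventid"] = eventid  # server returns only events with id > eventid
    if filterid is not None:
        params["filterid"] = filterid
    return params


def iter_events(get: Callable[[dict], list], fromdate: int,
                page_size: int = MAX_LIMIT, now: Optional[int] = None) -> Iterator[dict]:
    """Page through events with the eventid cursor instead of offset: each
    request asks for ids greater than the largest id already seen, so events
    arriving mid-pull cannot shift pages and cause duplicates or gaps.
    `get(params)` (hypothetical transport hook) performs the authenticated GET
    and returns the list of events; each event is assumed to carry a numeric 'id'."""
    cursor = None
    while True:
        page = get(fetch_events_params(fromdate, limit=page_size,
                                       eventid=cursor, now=now))
        for event in page:
            yield event
        if len(page) < page_size:
            return  # short page: nothing left after this cursor
        cursor = max(event["id"] for event in page)
```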
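A second added example, again not code from the connector or from TEHTRIS, for the Send Isolation Action and Get EDR Isolation Status actions above: it validates the documented `applianceid` range (1 to 254) and the `isolationaction` / `power` values, and makes the isolate-or-release step idempotent by reading the current status first and confirming it afterwards. The `send` callable is a hypothetical transport hook that performs the authenticated call and returns the decoded `json_body`; the GET body shape `{"status": true}` is taken from the page's output example.

```python
from typing import Callable, Optional

ISOLATION_ACTIONS = {"enable", "disable", "whitelist"}
POWER_MODES = {"soft", "hard"}  # soft = isolation policy; hard = enforce without config


def live_path(applianceid: int, edruuid: str, suffix: str) -> str:
    """Build /edr/v2/live/{applianceid}/{edruuid}/<suffix>, enforcing the
    documented appliance range (1..254) and a non-empty endpoint UUID."""
    if not 1 <= applianceid <= 254:
        raise ValueError("applianceid must be between 1 and 254")
    if not edruuid:
        raise ValueError("edruuid is required")
    return f"/edr/v2/live/{applianceid}/{edruuid}/{suffix}"


def isolation_request(applianceid: int, edruuid: str, action: str,
                      power: str = "soft", towhitelist: Optional[dict] = None):
    """Return (method, path, query params, json body) for Send Isolation Action."""
    if action not in ISOLATION_ACTIONS:
        raise ValueError(f"isolationaction must be one of {sorted(ISOLATION_ACTIONS)}")
    if power not in POWER_MODES:
        raise ValueError(f"power must be one of {sorted(POWER_MODES)}")
    if action == "whitelist" and not towhitelist:
        raise ValueError("the whitelist action needs a towhitelist ruleset")
    params = {"isolationaction": action, "power": power}
    body = {"towhitelist": towhitelist or {}}
    return "POST", live_path(applianceid, edruuid, "isolation"), params, body


def set_isolation(send: Callable, applianceid: int, edruuid: str,
                  enable: bool, power: str = "soft") -> dict:
    """Idempotent isolate/release: read the current state with Get EDR
    Isolation Status, POST only when a change is needed, then re-read to
    confirm. `send(method, path, params, body)` is a hypothetical transport
    hook returning the decoded json_body ({"status": bool} for the GET)."""
    status_path = live_path(applianceid, edruuid, "isolation")
    before = send("GET", status_path, None, None)["status"]
    if before == enable:
        return {"changed": False, "isolated": before}
    action = "enable" if enable else "disable"
    method, path, params, body = isolation_request(applianceid, edruuid, action, power)
    send(method, path, params, body)
    after = send("GET", status_path, None, None)["status"]
    if after != enable:
        raise RuntimeError("isolation status did not change as requested")
    return {"changed": True, "isolated": after}
```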