Publisher: Splunk
Connector Version: 1.0.0
Product Vendor: Tehtris
Product Name: Tehtris
Minimum Product Version: 6.3.0
This app integrates with Tehtris XDR platform endpoints
This table lists the configuration variables required to operate Tehtris. These variables are specified when configuring a Tehtris asset in Splunk SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| base_url | required | string | Tehtris XDR base url |
| api_key | required | password | Tehtris XDR api key |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
get events - Fetch XDR events
send for isolation - Send a host to the isolation module
remove from isolation - Remove a host from isolation
list processes - Get process tree from a process
update tag - Update endpoints tags
create app policy - Create new application policy based on sha256
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Fetch XDR events
Type: contain
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| from_date | required | Seconds since EPOCH in UTC timezone of the starting date from when fetch the events. | numeric | |
| to_date | optional | Seconds since EPOCH in UTC timezone of the ending date to fetch the events. Leave blank to fetch events until now | numeric | |
| limit | optional | Maximum number of fetched events. Can not be greater than 100. | numeric | |
| offset | optional | Number of events to skip before starting to collect the result set. | numeric | |
| filter_id | optional | The Filter ID used to retrieve events, if no filterId is specified in query the first filter Id store with API Key is used. | string | |
| hostname | required | Hostname to filter results by | string |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.summary.num_events | string | 10 | |
| action_result.data.*.id | string | ||
| action_result.data.*.lvl | string | ||
| action_result.data.*.pid | string | ||
| action_result.data.*.tag | string | ||
| action_result.data.*.uid | string | ||
| action_result.data.*.os__ | string | ||
| action_result.data.*.path | string | ||
| action_result.data.*.ppid | string | ||
| action_result.data.*.time | string | ||
| action_result.data.*.ipDst | string | ||
| action_result.data.*.ipSrc | string | ||
| action_result.data.*.rflId | string | ||
| action_result.data.*.egKBId | string | ||
| action_result.data.*.module | string | ||
| action_result.data.*.action | string | ||
| action_result.data.*.sha256 | string | ||
| action_result.data.threat.framework | string | ||
| action_result.data.*.threat.id | string | ||
| action_result.data.*.threat.name | string | ||
| action_result.data.*.uuid | string | ||
| action_result.data.*.cmdline | string | ||
| action_result.data.*.mitre | string | ||
| action_result.data.*.cmdline | string | ||
| action_result.data.*.tehtris.file.hash.sha256 | string | ||
| action_result.data.*.tehtris.file.hash.original | string | ||
| action_result.data.*.tehtris.host.id.* | string | ||
| action_result.data.*.tehtris.host.name.* | string | ||
| action_result.data.*.tehtris.user.name.* | string | ||
| action_result.data.*.tehtris.even.ingested | string | ||
| action_result.data.*.tehtris.source.ip | string | ||
| action_result.data.*.tehtris.process.pid | string | ||
| action_result.data.*.tehtris.process.parent.pid | string | ||
| action_result.data.*.tehtris.process.executable | string | ||
| action_result.data.*.tehtris.process.command_line | string | ||
| action_result.data.*.tehtris.groupIds.* | string | ||
| action_result.data.*.tehtris.enrichment.tags.* | string | ||
| action_result.data.*.tehtris.destination.ip | string | ||
| action_result.data.*.domain | string | ||
| action_result.data.*.location | string | ||
| action_result.data.*.username | string | ||
| action_result.data.*.eventName | string | ||
| action_result.data.*.hostname__ | string | ||
| action_result.data.*.description | string | ||
| action_result.data.*.os_server__ | boolean | ||
| action_result.data.*.submodule__ | string | ||
| action_result.data.*.os_release__ | string | ||
| action_result.data.*.os_version__ | string | ||
| action_result.data.*.fileVersion__ | string | ||
| action_result.data.*.productName__ | string | ||
| action_result.data.*.pCreateDatetime | string | ||
| action_result.data.*.publisherName__ | string | ||
| action_result.data.*.signatureType__ | string | ||
| action_result.data.*.os_architecture__ | string | ||
| action_result.data.*.signatureStatus__ | string | ||
| action_result.data.*.originalFilename__ | string | ||
| action_result.parameter.from_date | numeric | ||
| action_result.parameter.to_date | numeric | ||
| action_result.parameter.limit | numeric | ||
| action_result.parameter.offset | numeric | ||
| action_result.parameter.filter_id | string | ||
| action_result.parameter.hostname | string | ||
| action_result.message | string | ||
| summary.total_objects_successful | numeric | ||
| summary.total_objects | numeric |
Send a host to the isolation module
Type: contain
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hostname | required | Hostname to be sent for isolation | string |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.summary.result | string | Successfully posted uuid ffdf773d-b124-4387-b772-a87ec08640c2 for isolation | |
| action_result.parameter.hostname | string | ||
| action_result.message | string | ||
| summary.total_objects_successful | numeric | ||
| summary.total_objects | numeric |
Remove a host from isolation
Type: contain
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hostname | required | Hostname to be removed from isolation | string |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.summary.result | string | Successfully removed uuid ffdf773d-b124-4387-b772-a87ec08640c2 from isolation | |
| action_result.parameter.hostname | string | ||
| action_result.message | string | ||
| summary.total_objects_successful | numeric | ||
| summary.total_objects | numeric |
Get process tree from a process
Type: contain
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hostname | required | Hostname | string | |
| create_time | required | Local created time of the process | string | |
| pid | required | Database id of the process to use to build the tree | string | |
| number_of_parents | required | Number of parents to retrieve | numeric | |
| limit | required | Maximum number of results | numeric |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.summary.num_events | string | 10 | |
| action_result.data.*.id | string | ||
| action_result.data.*.pid | string | ||
| action_result.data.*.uid | string | ||
| action_result.data.*.ppid | string | ||
| action_result.data.*.cmdline | string | ||
| action_result.data.*.created | string | ||
| action_result.data.*.logonId | string | ||
| action_result.data.*.stopped | string | ||
| action_result.data.*.binaries.*.md5 | string | ||
| action_result.data.*.binaries.*.flag | string | ||
| action_result.data.*.binaries.*.path | string | ||
| action_result.data.*.binaries.*.sha1 | string | ||
| action_result.data.*.binaries.*.size | numeric | ||
| action_result.data.*.binaries.*.tags | string | ||
| action_result.data.*.binaries.*.atime | string | ||
| action_result.data.*.binaries.*.ctime | string | ||
| action_result.data.*.binaries.*.mtime | string | ||
| action_result.data.*.binaries.*.sha256 | string | ||
| action_result.data.*.binaries.*.avScore | numeric | ||
| action_result.data.*.binaries.*.avTotal | numeric | ||
| action_result.data.*.binaries.*.lastSeen | string | ||
| action_result.data.*.binaries.*.malicious | numeric | ||
| action_result.data.*.binaries.*.lastUpdate | string | ||
| action_result.data.*.binaries.*.signatures.*.C | string | ||
| action_result.data.*.binaries.*.signatures.*.L | string | ||
| action_result.data.*.binaries.*.signatures.*.O | string | ||
| action_result.data.*.binaries.*.signatures.*.S | string | ||
| action_result.data.*.binaries.*.signatures.*.CN | string | ||
| action_result.data.*.binaries.*.signatures.*.OU | string | ||
| action_result.data.*.binaries.*.signatures.*.type | string | ||
| action_result.data.*.binaries.*.signatures.*.notAfter | string | ||
| action_result.data.*.binaries.*.signatures.*.notBefore | string | ||
| action_result.data.*.binaries.*.signatures.*.issuers_fp.* | string | ||
| action_result.data.*.binaries.*.signatures.*.fingerprint | string | ||
| action_result.data.*.binaries.*.remediation | numeric | ||
| action_result.data.*.binaries.*.sandboxScore | numeric | ||
| action_result.data.*.bootTime | string | ||
| action_result.data.*.children.* | string | ||
| action_result.data.*.parentId | string | ||
| action_result.data.*.username | string | ||
| action_result.data.*.domainName | string | ||
| action_result.data.*.processFlag | numeric | ||
| action_result.data.*.remediation | numeric | ||
| action_result.data.*.createdServer | string | ||
| action_result.data.*.stoppedServer | string | ||
| action_result.parameter.hostname | string | ||
| action_result.parameter.create_time | string | ||
| action_result.parameter.pid | string | ||
| action_result.parameter.number_of_parents | numeric | ||
| action_result.parameter.limit | numeric | ||
| action_result.message | string | ||
| summary.total_objects_successful | numeric | ||
| summary.total_objects | numeric |
Update endpoints tags
Type: contain
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hostname | required | Hostname | string | |
| tag | required | Tag to be applied, should follow 'XXX_tags pattern | string |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.summary.result | string | Successfully added tag 'example_tag for uuid ffdf773d-b124-4387-b772-a87ec08640c2 | |
| action_result.parameter.hostname | string | ||
| action_result.parameter.tag | string | ||
| action_result.message | string | ||
| summary.total_objects_successful | numeric | ||
| summary.total_objects | numeric |
Create new application policy based on sha256
Type: contain
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hostnames | required | Comma separated hostnames | string | |
| sha256 | required | Comma spearated sha256 values | string | |
| order | required | Order to be attached to the policy | string |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.summary.result | string | Successfully posted new app policy for ffdf773d-b124-4387-b772-a87ec08640c2 | |
| action_result.parameter.hostnames | string | ||
| action_result.parameter.sha256 | string | ||
| action_result.parameter.order | string | ||
| action_result.message | string | ||
| summary.total_objects_successful | numeric | ||
| summary.total_objects | numeric |
Auto-generated Splunk SOAR Connector documentation.
Copyright 2025 Splunk Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.