API connectors

API connectors pull threat intelligence from external sources into your event log on a 30-minute polling schedule.

Built-in connectors:

Shodan
Searches Shodan for hosts matching your domain and flags any with high-risk ports open (22, 23, 445, 3389, 5900, 27017, and others). Each new exposure is ingested as a threat.exposure event.
Required: API Key, Domain

VirusTotal
Looks up IP addresses seen in your recent SIEM events against VirusTotal's threat database. IPs flagged by multiple engines generate a threat.malicious_ip event.
Required: API Key

CISA KEV (no credentials needed)
Polls the CISA Known Exploited Vulnerabilities catalog. New entries since the last sync are ingested as threat.cve events with severity high.

GitHub Advisory
Fetches open Dependabot alerts for repositories in your GitHub org and creates events for each unresolved advisory.
Required: Personal Access Token (repo scope), GitHub Org/User name

Custom
Poll any REST endpoint on a schedule. Provide the URL and an auth header value; Turtini POSTs the response as a SIEM event.

Configuring a connector:
1. Security → Integrations → API Connectors
2. Click Configure on the connector you want to enable
3. Fill in the required fields (secret fields show "leave blank to keep existing" after initial save)
4. Click Enable Connector — a green Connected ✓ badge appears when credentials are saved
5. The last sync timestamp updates after each successful poll

Reconfiguring: click Reconfigure at any time. Leave secret fields blank to keep the existing saved key.