Skip to main content

Cyber Triage

This Integration is part of the Cyber Triage Pack.#


Use the Cyber Triage integration to collect and analyze endpoint data

This integration requires Team version of Cyber Triage (not the Standalone desktop version).

This integration was integrated and tested with Cyber Triage v2.4.0.

Configure Cyber Triage on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Cyber Triage.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Hostname of Cyber Triage server (e.g. : the ip or hostname where the Cyber Triage server is setup.
    • REST Port : REST port for Cyber Triage server. 9443 is the default port and currently cannot be changed in Cyber Triage.
    • API Key : can be retrieved from the Cyber Triage server by going to Options -> Deployment Mode -> REST API Key.
    • Username : the username and password of a Windows account with administrative privileges on all endpoints that need to be investigated.
    • Use proxy : select if you have a proxy setup in your environment and need to use it to reach the Cyber Triage server.
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Initiate a collection on an endpoint: ct-triage-endpoint

Initiate a collection on an endpoint

Initiates a Cyber Triage collection on an endpoint.

Base Command
Argument Name Description Required
endpoint IP or hostname of a Windows endpoint Required
full_scan Scan the entire file system for suspicious files Optional
malware_hash_upload Send MD5 hashes to an external malware analysis service Optional
malware_file_upload Send unknown files to an external malware analysis service. Hash upload must be enabled to execute file uploads. Optional
Context Output
Path Type Description
CyberTriage.SessionId string The session ID for the newly created session
Endpoint.IPAddress string The endpoint IP address that Cyber Triage investigated
Endpoint.Hostname string The endpoint hostname that Cyber Triage investigated
Command Example
!ct-triage-endpoint endpoint=ct-win10-01 full_scan=no
Context Example

CyberTriage.SessionID: ct-win10-01|1538074422288
CyberTriage.Hostname: ct-win10-01

Human Readable Output

A collection has been scheduled for ct-win10-01