Use the Cyber Triage integration to collect and analyze endpoint data
This integration requires Team version of Cyber Triage (not the Standalone desktop version).
This integration was integrated and tested with Cyber Triage v2.4.0.
Configure Cyber Triage on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for Cyber Triage.
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Hostname of Cyber Triage server (e.g. 192.168.1.2) : the ip or hostname where the Cyber Triage server is setup.
- REST Port : REST port for Cyber Triage server. 9443 is the default port and currently cannot be changed in Cyber Triage.
- API Key : can be retrieved from the Cyber Triage server by going to Options -> Deployment Mode -> REST API Key.
- Username : the username and password of a Windows account with administrative privileges on all endpoints that need to be investigated.
- Use proxy : select if you have a proxy setup in your environment and need to use it to reach the Cyber Triage server.
- Click Test to validate the URLs, token, and connection.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Initiate a collection on an endpoint
Initiates a Cyber Triage collection on an endpoint.
|endpoint||IP or hostname of a Windows endpoint||Required|
|full_scan||Scan the entire file system for suspicious files||Optional|
|malware_hash_upload||Send MD5 hashes to an external malware analysis service||Optional|
|malware_file_upload||Send unknown files to an external malware analysis service. Hash upload must be enabled to execute file uploads.||Optional|
|CyberTriage.SessionId||string||The session ID for the newly created session|
|Endpoint.IPAddress||string||The endpoint IP address that Cyber Triage investigated|
|Endpoint.Hostname||string||The endpoint hostname that Cyber Triage investigated|
!ct-triage-endpoint endpoint=ct-win10-01 full_scan=no
Human Readable Output
A collection has been scheduled for ct-win10-01