Hatching Triage
Hatching Triage Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
Submit a high volume of samples to run in a sandbox and view reports This integration was integrated and tested with version 0 of Hatching Triage
#
Configure Hatching Triage in CortexParameter | Description | Required |
---|---|---|
API URL | Private url is https://private.tria.ge/api/v0/ | True |
API Key | The API Key to use for the connection. | True |
Verify SSL | False | |
Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
triage-query-samplesGet a list of all samples either private or public
#
Base Commandtriage-query-samples
#
InputArgument Name | Description | Required |
---|---|---|
subset | Get samples from either private or public reports. Possible values are: owned, public. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.submissions.completed | Date | Date the sample analysis was completed |
Triage.submissions.filename | String | Name of the file submitted |
Triage.submissions.id | String | Unique identifier of the submission |
Triage.submissions.kind | String | Type of analysis |
Triage.submissions.private | Boolean | If the submissions is private or publically viewable |
Triage.submissions.status | String | Status of the submitted file |
Triage.submissions.submitted | Date | Date the sample was submitted |
Triage.submissions.tasks.id | String | Array of tasks that have been applied to the sample (static, behavioral, etc) |
Triage.submissions.tasks.status | String | Status of the task |
Triage.submissions.tasks.target | String | Sample the task is being run on |
Triage.submissions.url | String | URL that was submitted |
#
triage-submit-sampleSubmits a file or url for analysis
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#
Base Commandtriage-submit-sample
#
InputArgument Name | Description | Required |
---|---|---|
kind | Select if sample is a URL, file, or a file that should be fetched from a URL. Possible values are: url, file, fetch. | Required |
interactive | Choose if the sample should be interacted with in the GUI glovebox. Possible values are: false, true. Default is false. | Optional |
profiles | Select what profile to run the sample with. Requires the user to be registered with a company. | Optional |
data | Data to submit for analysis. For URLs give the URL. For files, give the entry-id of the file. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.submissions.filename | String | Name of the submitted file |
Triage.submissions.id | String | Unique identifier of the submission |
Triage.submissions.kind | String | Type of sample to analyze |
Triage.submissions.private | Boolean | If the file is private or publicly viewable |
Triage.submissions.status | String | Status of the analysis of the submission |
Triage.submissions.submitted | Date | Date that the sample was submitted on |
#
Command example!triage-submit-sample data="4@1" kind="file"
#
Human Readable Output#
triage-get-samplePulls back basic information about the sample id given
#
Base Commandtriage-get-sample
#
InputArgument Name | Description | Required |
---|---|---|
sample_id | Sample's unique identifier, can be found using the query samples command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.samples.completed | Date | Date the sample analysis was completed |
Triage.samples.filename | String | Name of the submitted sample |
Triage.samples.id | String | Unique identifier of the sample |
Triage.samples.kind | String | Type of sample submitted |
Triage.samples.private | Boolean | State of the visibility of the sample |
Triage.samples.status | String | Current status of the sample analysis |
Triage.samples.submitted | Date | Date the sample was submitted |
Triage.samples.tasks.id | String | Task name that was applied to the sample |
Triage.samples.tasks.status | String | Status of the task |
Triage.samples.tasks.target | String | Target of the task, e.g. filename for file submissions |
#
triage-get-sample-summaryGets a summary report of the sample id provided
#
Base Commandtriage-get-sample-summary
#
InputArgument Name | Description | Required |
---|---|---|
sample_id | Sample's unique identifier, can be found using the query samples command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.sample-summaries.completed | Date | Date the sample analysis was completed |
Triage.sample-summaries.created | Date | Date the analysis report was created |
Triage.sample-summaries.custom | String | |
Triage.sample-summaries.owner | String | |
Triage.sample-summaries.sample | String | Unique identifier of the sample |
Triage.sample-summaries.score | Number | Score of the sample on a scale of 0 to 10 |
Triage.sample-summaries.sha256 | String | SHA256 of the sample |
Triage.sample-summaries.status | String | Status of the analysis |
Triage.sample-summaries.target | String | Target for analysis |
Triage.sample-summaries.tasks | String | Tasks performed in the analysis |
#
Command example!triage-get-sample-summary sample_id="220807-d5sxnaebbx"
#
Human Readable Output#
triage-delete-sampleDeletes a sample from the sandbox
#
Base Commandtriage-delete-sample
#
InputArgument Name | Description | Required |
---|---|---|
sample_id | Sample's unique identifier, can be found using the query samples command. | Required |
#
Context OutputThere is no context output for this command.
#
triage-set-sample-profileWhen a sample is in the static_analysis status, a profile should be selected in order to continue.
#
Base Commandtriage-set-sample-profile
#
InputArgument Name | Description | Required |
---|---|---|
sample_id | Sample's unique identifier, can be found using the query samples command. | Required |
auto | Let Triage automatically select a profile, default is True. Possible values are: true, false. | Optional |
pick | If submitting an archive file, select which files to analyze. Multiple files can be specified with a comma seperator.Format is archive_file_name/sample_file.exe,archive_file_name/sample_file2.exe. | Optional |
profiles | Profile ID to use. | Optional |
#
Context OutputThere is no context output for this command.
#
triage-get-static-reportGet the static analysis of a sample
#
Base Commandtriage-get-static-report
#
InputArgument Name | Description | Required |
---|---|---|
sample_id | Sample's unique identifier, can be found using the query samples command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.sample.reports.static.analysis.reported | Unknown | Date the sample was submitted |
DBotScore.Indicator | String | Triage analysis target |
DBotScore.Type | String | The indicator type - File or URL |
DBotScore.Vendor | String | The integration used to generate the indicator |
DBotScore.Score | Number | Analysis verdict as score from 1 to 10 |
File.Name | String | The full file name (including file extension). |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA1 hash of the file. |
URL.Data | String | The URL |
#
Command example!triage-get-static-report sample_id="220807-d5sxnaebbx"
#
Human Readable Output#
triage-get-report-triageRetrieves the generated Triage behavioral report for a single task
#
Base Commandtriage-get-report-triage
#
InputArgument Name | Description | Required |
---|---|---|
sample_id | Sample's unique identifier, can be found using the query samples command. | Required |
task_id | Name of a behavioral task part of the sample analysis (e.g. behavioral1, behavioral2). | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.sample.reports.triage | Unknown | Triage report of the submitted sample |
DBotScore.Indicator | String | Triage analysis target |
DBotScore.Type | String | The indicator type - File or URL |
DBotScore.Vendor | String | The integration used to generate the indicator |
DBotScore.Score | Number | Analysis verdict as score from 1 to 10 |
File.Name | String | The full file name (including file extension). |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA1 hash of the file. |
URL.Data | String | The URL |
#
Command example!triage-get-report-triage sample_id="220807-d5sxnaebbx" task_id="behavioral1"
#
Human Readable Output#
triage-get-kernel-monitorRetrieves the output of the kernel monitor
#
Base Commandtriage-get-kernel-monitor
#
InputArgument Name | Description | Required |
---|---|---|
sample_id | Sample's unique identifier, can be found using the query samples command. | Required |
task_id | Name of a behavioral task part of the sample analysis (e.g. behavioral1, behavioral2). | Required |
#
Context OutputThere is no context output for this command.
#
triage-get-pcapRetrieves the PCAP of the analysis for further manual analysis
#
Base Commandtriage-get-pcap
#
InputArgument Name | Description | Required |
---|---|---|
sample_id | Sample's unique identifier, can be found using the query samples command. | Required |
task_id | Name of a behavioral task part of the sample analysis (e.g. behavioral1, behavioral2). | Required |
#
Context OutputThere is no context output for this command.
#
triage-get-dumped-fileRetrieves files dumped by the sample. The names can be found under the "dumped" section from the triage report output
#
Base Commandtriage-get-dumped-file
#
InputArgument Name | Description | Required |
---|---|---|
sample_id | Sample's unique identifier, can be found using the query samples command. | Required |
task_id | Name of the task for the sample (e.g. behavioral1, static1, etc). | Required |
file_name | Name of the dumped file. | Required |
#
Context OutputThere is no context output for this command.
#
triage-get-usersReturn all users within the company as a paginated list. Returns a single user if a userID is provided
#
Base Commandtriage-get-users
#
InputArgument Name | Description | Required |
---|---|---|
userID | Unique identifier of the user. Leave blank to query for all users. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.users.company_id | String | Company unique identifier |
Triage.users.created_at | Date | Date users account was created |
Triage.users.email | String | Users email |
Triage.users.email_confirmed_at | Date | Date user confirmed their email/account |
Triage.users.first_name | String | Users first name |
Triage.users.id | String | Users unique identifier |
Triage.users.last_name | String | Users last name |
Triage.users.permissions | String | Users permissions |
#
triage-create-userCreates a new user and returns it. The user will become a member of the company the requesting user is a member of
#
Base Commandtriage-create-user
#
InputArgument Name | Description | Required |
---|---|---|
username | Users username, usually their email. | Required |
firstName | Users first name. | Required |
lastName | Users last name. | Required |
password | Users password. | Required |
permissions | Users permissions. Possible values are: view_samples, submit_samples, delete_samples, edit_profiles, access_api, manage_machines, manage_company. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.users.company_id | String | Company unique identifier |
Triage.users.created_at | Date | Date users account was created |
Triage.users.email | String | Users email |
Triage.users.email_confirmed_at | Date | Date user confirmed their email/account |
Triage.users.first_name | String | Users first name |
Triage.users.id | String | Users unique identifier |
Triage.users.last_name | String | Users last name |
Triage.users.permissions | String | Users permissions |
#
triage-delete-userDelete a user and all associated data, invalidating any sessions and removing their API keys. Any samples submitted by this user are kept
#
Base Commandtriage-delete-user
#
InputArgument Name | Description | Required |
---|---|---|
userID | Users unique identifier, can be found by querying for all users. | Required |
#
Context OutputThere is no context output for this command.
#
triage-create-api-keyCreates a new key can be used to make API calls on behalf of the specified user. The user should have been granted the access_api permission beforehand
#
Base Commandtriage-create-api-key
#
InputArgument Name | Description | Required |
---|---|---|
userID | Users unique identifier, can be found by querying for all users. | Required |
name | Name of the API key. Default is Created from XSOAR. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.apikey.key | String | API Key |
Triage.apikey.name | String | Name of the API Key |
#
triage-get-api-keyLists all API keys that the user has.
#
Base Commandtriage-get-api-key
#
InputArgument Name | Description | Required |
---|---|---|
userID | Users unique identifier, can be found by querying for all users. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.apikey.key | String | API Key |
Triage.apikey.name | String | Name of the API Key |
#
triage-delete-api-keyDelete the user's API key with the specified name
#
Base Commandtriage-delete-api-key
#
InputArgument Name | Description | Required |
---|---|---|
userID | Users unique identifier, can be found by querying for all users. | Required |
name | Name of the API key to delete. | Required |
#
Context OutputThere is no context output for this command.
#
triage-get-profilesList all profiles that your company has
#
Base Commandtriage-get-profiles
#
InputArgument Name | Description | Required |
---|---|---|
profileID | Unique identifier of the profile, can be found by querying for all profiles. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.profiles..id | String | Unique identifier of the profile |
Triage.profiles..name | String | Name of the profile |
Triage.profiles..network | String | Network configuration |
Triage.profiles..options.browser | String | Browser options |
Triage.profiles..tags | String | Applied tags |
Triage.profiles..timeout | Number | Max run time of the profile |
#
triage-create-profileCreate a new profile
#
Base Commandtriage-create-profile
#
InputArgument Name | Description | Required |
---|---|---|
name | Name of the profile to create. | Required |
tags | Tags to apply to the profile. | Required |
timeout | Length of time the profile should run for. | Optional |
network | Network configuration the profile should use. Possible values are: drop, internet, proxy. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.profiles.id | String | Profile unique identifier |
Triage.profiles.name | String | Profile name |
Triage.profiles.network | String | Profile network configuration |
Triage.profiles.options | Unknown | Profile options |
Triage.profiles.tags | String | Profile tags |
Triage.profiles.timeout | Number | Profile max run time |
#
triage-update-profileUpdate an existing profile
#
Base Commandtriage-update-profile
#
InputArgument Name | Description | Required |
---|---|---|
profileID | Unique identifier of the profile to update. | Required |
name | Name of the profile. | Required |
tags | Tags to apply to the profile. | Required |
timeout | Length of time the profile should run for. | Optional |
#
Context OutputThere is no context output for this command.
#
triage-query-searchGet a list of private and public samples matching the search query
#
Base Commandtriage-query-search
#
InputArgument Name | Description | Required |
---|---|---|
query | The search query for Triage. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Triage.samples.completed | date | Date the sample analysis was completed |
Triage.samples.filename | string | Name of the file submitted |
Triage.samples.id | string | Unique identifier of the submission |
Triage.samples.kind | string | Type of analysis |
Triage.samples.private | boolean | If the submissions is private or publically viewable |
Triage.samples.status | string | Status of the submitted file |
Triage.samples.submitted | date | Date the sample was submitted |
Triage.samples.tasks.id | string | Array of tasks that have been applied to the sample (static, behavioral, etc) |
Triage.samples.tasks.status | string | Status of the task |
Triage.samples.tasks.target | string | Sample the task is being run on |
Triage.samples.url | string | URL that was submitted |
#
Command example!triage-query-search query="tag:stealer AND tag:spyware"
#
Human Readable Output#
triage-delete-profileUpdate the profile with the specified ID or name. The stored profile is overwritten, so it is important that the submitted profile has all fields, with the exception of the ID
#
Base Commandtriage-delete-profile
#
InputArgument Name | Description | Required |
---|---|---|
profileID | Unique identifier of the profile to delete. | Required |
#
Context OutputThere is no context output for this command.