
Hatching Triage

This Integration is part of the Hatching Triage Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Submit a high volume of samples to run in a sandbox and view the resulting reports. This integration was integrated and tested against version 0 (v0) of the Hatching Triage API.

Configure Hatching Triage on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Hatching Triage.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | API URL | Base URL of the Triage API. The private-instance URL is https://private.tria.ge/api/v0/ | True |
    | API Key | The API key to use for the connection. | True |
    | Verify SSL | Verify the Triage server's TLS certificate. | False |
    | Use system proxy settings | | False |

  4. Click Test to validate the URLs, token, and connection.

Leave Verify SSL enabled outside a lab: the API key is sent with every request, and a connection that does not verify the server certificate lets an interposed host read it. The key acts with the permissions of the Triage user it was created for (see triage-create-api-key), so treat it as that user's credential.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

triage-query-samples

Get a list of samples, either your own (private) submissions or public ones.

Base Command

triage-query-samples

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| subset | Get samples from either private or public reports. Possible values are: owned, public. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.submissions.completed | Date | Date the sample analysis was completed |
| Triage.submissions.filename | String | Name of the file submitted |
| Triage.submissions.id | String | Unique identifier of the submission |
| Triage.submissions.kind | String | Type of analysis |
| Triage.submissions.private | Boolean | Whether the submission is private or publicly viewable |
| Triage.submissions.status | String | Status of the submitted file |
| Triage.submissions.submitted | Date | Date the sample was submitted |
| Triage.submissions.tasks.id | String | Array of tasks that have been applied to the sample (static, behavioral, etc.) |
| Triage.submissions.tasks.status | String | Status of the task |
| Triage.submissions.tasks.target | String | Sample the task is being run on |
| Triage.submissions.url | String | URL that was submitted |

triage-submit-sample

Submits a file or URL for analysis.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor's documentation for more details. After submitting, the Triage.submissions.private context field tells you whether the submission was stored privately.

Base Command

triage-submit-sample

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| kind | Whether the sample is a URL, a file, or a file that Triage should fetch from a URL. Possible values are: url, file, fetch. | Required |
| interactive | Whether the sample should be interacted with in the GUI glovebox. Possible values are: false, true. Default is false. | Optional |
| profiles | Profile to run the sample with. Requires the user to be registered with a company. | Optional |
| data | Data to submit for analysis. For URLs, give the URL. For files, give the entry ID of the file in the War Room. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.submissions.filename | String | Name of the submitted file |
| Triage.submissions.id | String | Unique identifier of the submission |
| Triage.submissions.kind | String | Type of sample to analyze |
| Triage.submissions.private | Boolean | Whether the file is private or publicly viewable |
| Triage.submissions.status | String | Status of the analysis of the submission |
| Triage.submissions.submitted | Date | Date the sample was submitted |

Command example

!triage-submit-sample data="4@1" kind="file"

triage-get-sample

Returns basic information about the sample with the given ID.

Base Command

triage-get-sample

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sample_id | The sample's unique identifier; can be found using the query samples command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.samples.completed | Date | Date the sample analysis was completed |
| Triage.samples.filename | String | Name of the submitted sample |
| Triage.samples.id | String | Unique identifier of the sample |
| Triage.samples.kind | String | Type of sample submitted |
| Triage.samples.private | Boolean | Visibility state of the sample |
| Triage.samples.status | String | Current status of the sample analysis |
| Triage.samples.submitted | Date | Date the sample was submitted |
| Triage.samples.tasks.id | String | Task name that was applied to the sample |
| Triage.samples.tasks.status | String | Status of the task |
| Triage.samples.tasks.target | String | Target of the task, e.g. the filename for file submissions |

triage-get-sample-summary

Gets a summary report for the sample with the given ID.

Base Command

triage-get-sample-summary

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sample_id | The sample's unique identifier; can be found using the query samples command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.sample-summaries.completed | Date | Date the sample analysis was completed |
| Triage.sample-summaries.created | Date | Date the analysis report was created |
| Triage.sample-summaries.custom | String | |
| Triage.sample-summaries.owner | String | |
| Triage.sample-summaries.sample | String | Unique identifier of the sample |
| Triage.sample-summaries.score | Number | Score of the sample on a scale of 0 to 10 |
| Triage.sample-summaries.sha256 | String | SHA256 of the sample |
| Triage.sample-summaries.status | String | Status of the analysis |
| Triage.sample-summaries.target | String | Target for analysis |
| Triage.sample-summaries.tasks | String | Tasks performed in the analysis |

Command example

!triage-get-sample-summary sample_id="220807-d5sxnaebbx"

triage-delete-sample

Deletes a sample from the sandbox.

Base Command

triage-delete-sample

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sample_id | The sample's unique identifier; can be found using the query samples command. | Required |

Context Output

There is no context output for this command.

triage-set-sample-profile

When a sample is in the static_analysis status, a profile must be selected before the analysis continues.

Base Command

triage-set-sample-profile

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sample_id | The sample's unique identifier; can be found using the query samples command. | Required |
| auto | Let Triage automatically select a profile. Possible values are: true, false. Default is true. | Optional |
| pick | If submitting an archive file, select which files to analyze. Multiple files can be specified with a comma separator. Format is archive_file_name/sample_file.exe,archive_file_name/sample_file2.exe. | Optional |
| profiles | Profile ID to use. | Optional |

Context Output

There is no context output for this command.
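The submit-and-poll loop implied by the commands above (triage-submit-sample, triage-get-sample, triage-set-sample-profile): a sample is submitted, polled until it finishes, and answered once with a profile choice when it parks in the static_analysis status. This is an added example written against the Triage REST API that the XSOAR commands wrap, not the integration's own code. It assumes things the page does not state: that API v0 authenticates with an `Authorization: Bearer <key>` header, the paths `samples`, `samples/<id>` and `samples/<id>/profile`, and that a finished sample reports the status `reported` (`failed` on error). `FakeTriage` is a constructed in-memory stand-in so the loop can be run offline; only URL submissions are shown, since file uploads need a multipart body.

```python
"""Submit a URL to Hatching Triage, poll it, and answer the static_analysis
stage with a profile choice.  Added example, not the XSOAR integration's code.
ASSUMED (not on the page): Bearer-token auth, the three paths used below, and
the terminal statuses 'reported' / 'failed'."""
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


@dataclass
class TriageClient:
    api_key: str
    base_url: str = "https://private.tria.ge/api/v0/"   # as given on the page
    send: Optional[Transport] = None   # injected transport; None = urllib over TLS

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> dict:
        url = self.base_url.rstrip("/") + "/" + path.lstrip("/")
        headers = {"Authorization": "Bearer " + self.api_key,
                   "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        if self.send is not None:
            status, raw = self.send(method, url, headers, body)
        else:
            # Default context verifies the server certificate; keep it that way.
            req = urllib.request.Request(url, data=body, headers=headers, method=method)
            with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
                status, raw = resp.status, resp.read()
        if status >= 400:   # report the path, never the Authorization header
            raise RuntimeError(f"{method} {path}: HTTP {status} {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def submit_url(self, url: str, interactive: bool = False) -> dict:
        return self._call("POST", "samples",
                          {"kind": "url", "url": url, "interactive": interactive})

    def get_sample(self, sample_id: str) -> dict:
        return self._call("GET", f"samples/{sample_id}")

    def set_profile(self, sample_id: str, auto: bool = True,
                    profiles: Optional[list] = None) -> dict:
        body = {"auto": auto}
        if profiles:
            body["profiles"] = profiles
        return self._call("POST", f"samples/{sample_id}/profile", body)


def detonate(client: TriageClient, url: str, profiles: Optional[list] = None,
             max_polls: int = 30, wait: Callable[[], None] = lambda: None) -> dict:
    """Submit, then poll until the sample is reported; send the profile choice
    exactly once when the sample parks in static_analysis."""
    sample_id = client.submit_url(url)["id"]
    profile_sent = False
    for _ in range(max_polls):
        sample = client.get_sample(sample_id)
        status = sample.get("status")
        if status == "reported":
            return sample
        if status == "failed":
            raise RuntimeError(f"sample {sample_id} failed analysis")
        if status == "static_analysis" and not profile_sent:
            client.set_profile(sample_id, auto=not profiles, profiles=profiles)
            profile_sent = True
        wait()   # time.sleep(5) in a real poller
    raise TimeoutError(f"sample {sample_id} not reported after {max_polls} polls")


class FakeTriage:
    """Constructed stand-in for the API so the loop runs offline: a sample goes
    pending -> static_analysis on its first GET, waits there until a profile is
    posted, then running -> reported."""
    NEXT = {"pending": "static_analysis", "running": "reported"}

    def __init__(self, api_key: str = "k-test"):
        self.api_key, self.samples, self.profile_calls = api_key, {}, []

    def __call__(self, method, url, headers, body):
        if headers.get("Authorization") != "Bearer " + self.api_key:
            return 401, b'{"error":"UNAUTHORIZED"}'
        parts = url.split("/api/v0/", 1)[1].split("/")
        if method == "POST" and parts == ["samples"]:
            sid = f"fake-{len(self.samples) + 1}"
            self.samples[sid] = {"id": sid, "status": "pending",
                                 "kind": json.loads(body)["kind"]}
            return 200, json.dumps(self.samples[sid]).encode()
        if method == "POST" and parts[-1] == "profile" and parts[1] in self.samples:
            self.profile_calls.append(json.loads(body))
            self.samples[parts[1]]["status"] = "running"
            return 200, b"{}"
        if method == "GET" and len(parts) == 2 and parts[1] in self.samples:
            sample = self.samples[parts[1]]
            sample["status"] = self.NEXT.get(sample["status"], sample["status"])
            return 200, json.dumps(sample).encode()
        return 404, b'{"error":"NOT_FOUND"}'
```

Usage: `detonate(TriageClient(api_key="...", send=FakeTriage()), "http://example.com/x")` runs the whole cycle offline; drop `send=` to talk to the real API. The profile choice is sent only once per sample so a slow state transition cannot trigger repeated profile posts, and error messages carry the path and status but never the token.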

triage-get-static-report

Get the static analysis report of a sample.

Base Command

triage-get-static-report

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sample_id | The sample's unique identifier; can be found using the query samples command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.sample.reports.static.analysis.reported | Unknown | Date the sample was submitted |
| DBotScore.Indicator | String | Triage analysis target |
| DBotScore.Type | String | The indicator type - File or URL |
| DBotScore.Vendor | String | The integration used to generate the indicator |
| DBotScore.Score | Number | Analysis verdict as score from 1 to 10 |
| File.Name | String | The full file name (including file extension). |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| URL.Data | String | The URL |

Command example

!triage-get-static-report sample_id="220807-d5sxnaebbx"

triage-get-report-triage

Retrieves the generated Triage behavioral report for a single task.

Base Command

triage-get-report-triage

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sample_id | The sample's unique identifier; can be found using the query samples command. | Required |
| task_id | Name of a behavioral task that is part of the sample analysis (e.g. behavioral1, behavioral2). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.sample.reports.triage | Unknown | Triage report of the submitted sample |
| DBotScore.Indicator | String | Triage analysis target |
| DBotScore.Type | String | The indicator type - File or URL |
| DBotScore.Vendor | String | The integration used to generate the indicator |
| DBotScore.Score | Number | Analysis verdict as score from 1 to 10 |
| File.Name | String | The full file name (including file extension). |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| URL.Data | String | The URL |

Command example

!triage-get-report-triage sample_id="220807-d5sxnaebbx" task_id="behavioral1"
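How a report becomes the DBotScore and File/URL context that triage-get-static-report and triage-get-report-triage both produce, as an added example that is not the integration's code. Cortex XSOAR's DBotScore takes the values 0 (unknown), 1 (good), 2 (suspicious) and 3 (bad), while Triage scores a sample from 0 to 10; the thresholds used to map one onto the other below are an assumption, not the integration's documented mapping. The report dict is constructed from the sample-summary context paths listed on the page (score, sha256, target, tasks) and the per-task `score` fields inside `tasks` are likewise assumed.

```python
"""Map a Triage report onto XSOAR DBotScore / File / URL context.  Added
example, not the integration's code.  ASSUMED: the 0-10 -> 0-3 thresholds in
dbot_score() and the per-task 'score' fields in the constructed report."""
import re
from typing import Any, Dict

VENDOR = "Hatching Triage"
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}


def dbot_score(triage_score: Any) -> int:
    """0/missing -> unknown(0), 1-4 -> good(1), 5-7 -> suspicious(2),
    8-10 -> bad(3).  Out-of-range values are rejected, not guessed."""
    if triage_score is None:
        return 0
    score = int(triage_score)
    if not 0 <= score <= 10:
        raise ValueError(f"Triage score out of range: {score}")
    if score >= 8:
        return 3
    if score >= 5:
        return 2
    return 1 if score >= 1 else 0


def worst_score(report: Dict[str, Any]) -> int:
    """Sample-level score, raised to the highest per-task score if a single
    behavioral task scored worse than the overall summary."""
    scores = [int(report.get("score") or 0)]
    for task in (report.get("tasks") or {}).values():
        if isinstance(task, dict) and task.get("score") is not None:
            scores.append(int(task["score"]))
    return max(scores)


def clean_hash(value: str, algo: str) -> str:
    """Lower-case and validate the hash so a truncated or HTML-wrapped value
    never turns into an indicator."""
    value = (value or "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], value):
        raise ValueError(f"bad {algo}: {value!r}")
    return value


def to_context(report: Dict[str, Any], kind: str) -> Dict[str, Any]:
    """kind is the submission kind from the page: 'url' or 'file'."""
    score = dbot_score(worst_score(report))
    target = report["target"]
    if kind == "url":
        entity: Dict[str, Any] = {"URL": {"Data": target}}
        indicator, ind_type = target, "url"
    else:
        sha256 = clean_hash(report["sha256"], "SHA256")
        entity = {"File": {"Name": target, "SHA256": sha256}}
        for algo in ("MD5", "SHA1"):          # present in some reports only
            if report.get(algo.lower()):
                entity["File"][algo] = clean_hash(report[algo.lower()], algo)
        indicator, ind_type = sha256, "file"
    entity["DBotScore"] = {"Indicator": indicator, "Type": ind_type,
                           "Vendor": VENDOR, "Score": score}
    return entity


# Constructed report shaped after the page's sample-summary context paths.
SAMPLE_REPORT = {
    "sample": "220807-d5sxnaebbx",
    "target": "invoice.exe",
    "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "score": 6,
    "status": "reported",
    "tasks": {"static1": {"status": "reported", "score": 2},
              "behavioral1": {"status": "reported", "score": 9}},
}

if __name__ == "__main__":
    print(to_context(SAMPLE_REPORT, "file"))
```

Taking the worst of the sample and task scores matters for triage: a summary can sit at 6 while one behavioral task reached 9, and a playbook keyed only on the summary would close the incident as merely suspicious.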

triage-get-kernel-monitor

Retrieves the output of the kernel monitor for a behavioral task.

Base Command

triage-get-kernel-monitor

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sample_id | The sample's unique identifier; can be found using the query samples command. | Required |
| task_id | Name of a behavioral task that is part of the sample analysis (e.g. behavioral1, behavioral2). | Required |

Context Output

There is no context output for this command.

triage-get-pcap

Retrieves the PCAP captured during a behavioral task for further manual analysis.

Base Command

triage-get-pcap

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sample_id | The sample's unique identifier; can be found using the query samples command. | Required |
| task_id | Name of a behavioral task that is part of the sample analysis (e.g. behavioral1, behavioral2). | Required |

Context Output

There is no context output for this command.

triage-get-dumped-file

Retrieves a file dumped by the sample. The file names can be found under the "dumped" section of the triage report output.

Base Command

triage-get-dumped-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sample_id | The sample's unique identifier; can be found using the query samples command. | Required |
| task_id | Name of the task for the sample (e.g. behavioral1, static1, etc.). | Required |
| file_name | Name of the dumped file. | Required |

Context Output

There is no context output for this command.

triage-get-users

Returns all users within the company as a paginated list, or a single user if a userID is provided.

Base Command

triage-get-users

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| userID | Unique identifier of the user. Leave blank to query for all users. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.users.company_id | String | Company unique identifier |
| Triage.users.created_at | Date | Date the user's account was created |
| Triage.users.email | String | User's email |
| Triage.users.email_confirmed_at | Date | Date the user confirmed their email/account |
| Triage.users.first_name | String | User's first name |
| Triage.users.id | String | User's unique identifier |
| Triage.users.last_name | String | User's last name |
| Triage.users.permissions | String | User's permissions |

triage-create-user

Creates a new user and returns it. The user becomes a member of the company the requesting user belongs to. Grant only the permissions the account needs: a user that only submits and reads samples through XSOAR needs view_samples, submit_samples and access_api, not delete_samples or manage_company.

Base Command

triage-create-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | User's username, usually their email. | Required |
| firstName | User's first name. | Required |
| lastName | User's last name. | Required |
| password | User's password. | Required |
| permissions | User's permissions. Possible values are: view_samples, submit_samples, delete_samples, edit_profiles, access_api, manage_machines, manage_company. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.users.company_id | String | Company unique identifier |
| Triage.users.created_at | Date | Date the user's account was created |
| Triage.users.email | String | User's email |
| Triage.users.email_confirmed_at | Date | Date the user confirmed their email/account |
| Triage.users.first_name | String | User's first name |
| Triage.users.id | String | User's unique identifier |
| Triage.users.last_name | String | User's last name |
| Triage.users.permissions | String | User's permissions |

triage-delete-user

Deletes a user and all associated data, invalidating any sessions and removing their API keys. Any samples submitted by this user are kept.

Base Command

triage-delete-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| userID | User's unique identifier; can be found by querying for all users. | Required |

Context Output

There is no context output for this command.

triage-create-api-key

Creates a new key that can be used to make API calls on behalf of the specified user. The user must have been granted the access_api permission beforehand. The key value is returned once in the Triage.apikey.key context; store it in a credential vault rather than leaving it in incident context.

Base Command

triage-create-api-key

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| userID | User's unique identifier; can be found by querying for all users. | Required |
| name | Name of the API key. Default is "Created from XSOAR". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.apikey.key | String | API key |
| Triage.apikey.name | String | Name of the API key |

triage-get-api-key

Lists all API keys that the user has.

Base Command

triage-get-api-key

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| userID | User's unique identifier; can be found by querying for all users. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.apikey.key | String | API key |
| Triage.apikey.name | String | Name of the API key |

triage-delete-api-key

Deletes the user's API key with the specified name. Deleting the key the integration instance itself uses will break the instance until it is reconfigured, so create the replacement key first.

Base Command

triage-delete-api-key

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| userID | User's unique identifier; can be found by querying for all users. | Required |
| name | Name of the API key to delete. | Required |

Context Output

There is no context output for this command.
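Least-privilege provisioning of a service user and zero-downtime rotation of its API key, composed from the operations that triage-create-user, triage-create-api-key, triage-get-api-key and triage-delete-api-key expose. This is an added example, not the integration's code: `InMemoryTriage` is a constructed stand-in for those four calls (its user IDs and key format are invented) so the procedure can be run and tested offline; in a playbook each method maps to the corresponding command above.

```python
"""Least-privilege Triage service user plus API-key rotation.  Added example,
not the integration's code.  InMemoryTriage is a constructed stand-in for
triage-create-user / triage-create-api-key / triage-get-api-key /
triage-delete-api-key; its ids and key format are invented."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# Permission names exactly as the page lists them for triage-create-user.
VALID_PERMISSIONS = {"view_samples", "submit_samples", "delete_samples",
                     "edit_profiles", "access_api", "manage_machines",
                     "manage_company"}
# What a detonation playbook needs: submit, read, and call the API.  No
# delete_samples, no manage_company.
AUTOMATION_PERMISSIONS = ["view_samples", "submit_samples", "access_api"]


@dataclass
class User:
    id: str
    email: str
    permissions: List[str]


@dataclass
class InMemoryTriage:
    users: Dict[str, User] = field(default_factory=dict)
    keys: Dict[str, Dict[str, str]] = field(default_factory=dict)  # user -> name -> key

    def create_user(self, email: str, permissions: List[str]) -> User:
        unknown = set(permissions) - VALID_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        user = User(f"user-{len(self.users) + 1}", email, sorted(set(permissions)))
        self.users[user.id] = user
        return user

    def create_api_key(self, user_id: str, name: str) -> Dict[str, str]:
        # Page: the user must already hold access_api.
        if "access_api" not in self.users[user_id].permissions:
            raise PermissionError(f"{user_id} lacks access_api")
        if name in self.keys.get(user_id, {}):
            raise ValueError(f"key name {name!r} already exists for {user_id}")
        key = secrets.token_hex(24)          # invented key format
        self.keys.setdefault(user_id, {})[name] = key
        return {"name": name, "key": key}

    def get_api_keys(self, user_id: str) -> List[Dict[str, str]]:
        return [{"name": n, "key": k} for n, k in self.keys.get(user_id, {}).items()]

    def delete_api_key(self, user_id: str, name: str) -> None:
        del self.keys[user_id][name]


def provision_automation_user(api: InMemoryTriage, email: str) -> User:
    """Create the XSOAR service account with the minimal permission set."""
    return api.create_user(email, AUTOMATION_PERMISSIONS)


def rotate_api_key(api: InMemoryTriage, user_id: str, prefix: str = "xsoar") -> Dict[str, str]:
    """Mint the replacement key before revoking anything, so the integration
    instance can be re-pointed at the new key and only then lose the old one.
    Keys whose name lacks the prefix (someone's personal key) are left alone."""
    old_names = [k["name"] for k in api.get_api_keys(user_id)
                 if k["name"].startswith(prefix + "-")]
    new = api.create_api_key(user_id, f"{prefix}-{secrets.token_hex(4)}")
    for name in old_names:
        api.delete_api_key(user_id, name)
    return new


if __name__ == "__main__":
    api = InMemoryTriage()
    svc = provision_automation_user(api, "xsoar-bot@example.com")
    rotate_api_key(api, svc.id)
    rotate_api_key(api, svc.id)
    print(svc.permissions, [k["name"] for k in api.get_api_keys(svc.id)])
```

The ordering in `rotate_api_key` is the whole point: deleting first and creating second leaves the integration instance without a working key for the gap between the two commands, and if the create fails you have revoked access with nothing to fall back on.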

triage-get-profiles

Lists all profiles that your company has, or a single profile if a profileID is provided.

Base Command

triage-get-profiles

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| profileID | Unique identifier of the profile; can be found by querying for all profiles. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.profiles.id | String | Unique identifier of the profile |
| Triage.profiles.name | String | Name of the profile |
| Triage.profiles.network | String | Network configuration |
| Triage.profiles.options.browser | String | Browser options |
| Triage.profiles.tags | String | Applied tags |
| Triage.profiles.timeout | Number | Max run time of the profile |

triage-create-profile

Creates a new profile. The network setting decides whether the detonation can reach live hosts: internet lets the sample talk to the real network, proxy routes it through a proxy, and drop gives it no connectivity. Choose deliberately, since a sample run with internet access can beacon to its operator.

Base Command

triage-create-profile

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the profile to create. | Required |
| tags | Tags to apply to the profile. | Required |
| timeout | Length of time the profile should run for. | Optional |
| network | Network configuration the profile should use. Possible values are: drop, internet, proxy. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.profiles.id | String | Profile unique identifier |
| Triage.profiles.name | String | Profile name |
| Triage.profiles.network | String | Profile network configuration |
| Triage.profiles.options | Unknown | Profile options |
| Triage.profiles.tags | String | Profile tags |
| Triage.profiles.timeout | Number | Profile max run time |

triage-update-profile

Updates an existing profile. The stored profile is overwritten, so supply every field (name, tags and timeout), not just the ones you want to change; only the ID is taken from the profileID argument.

Base Command

triage-update-profile

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| profileID | Unique identifier of the profile to update. | Required |
| name | Name of the profile. | Required |
| tags | Tags to apply to the profile. | Required |
| timeout | Length of time the profile should run for. | Optional |

Context Output

There is no context output for this command.

triage-query-search

Get a list of private and public samples matching the search query.

Base Command

triage-query-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The search query for Triage. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Triage.samples.completed | Date | Date the sample analysis was completed |
| Triage.samples.filename | String | Name of the file submitted |
| Triage.samples.id | String | Unique identifier of the submission |
| Triage.samples.kind | String | Type of analysis |
| Triage.samples.private | Boolean | Whether the submission is private or publicly viewable |
| Triage.samples.status | String | Status of the submitted file |
| Triage.samples.submitted | Date | Date the sample was submitted |
| Triage.samples.tasks.id | String | Array of tasks that have been applied to the sample (static, behavioral, etc.) |
| Triage.samples.tasks.status | String | Status of the task |
| Triage.samples.tasks.target | String | Sample the task is being run on |
| Triage.samples.url | String | URL that was submitted |

Command example

!triage-query-search query="tag:stealer AND tag:spyware"

triage-delete-profile

Deletes the profile with the specified ID.

Base Command

triage-delete-profile

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| profileID | Unique identifier of the profile to delete. | Required |

Context Output

There is no context output for this command.