ReversingLabs Titanium Cloud

Overview

Use the TitaniumCloud integration to increase detection, analysis and response efficiency by checking files against ReversingLabs' global goodware and malware database. TitaniumCloud is a threat intelligence service that provides up-to-date threat classification and rich context for more than 6 billion goodware and malware files.

This integration was integrated and tested with ReversingLabs TitaniumCloud™.


Use Cases

  • Retrieve the reputation status of a file hash, so that known malware observed in your environment can be identified and tracked as new threats emerge.

Prerequisites

Before configuring the integration, obtain the following ReversingLabs TitaniumCloud information:

  • Base URL for malware presence:
    • Preconfigured on Demisto - https://ticloud-aws1-api.reversinglabs.com
  • Base URL for extended RL Data:
    • Preconfigured on Demisto - https://ticloud-cdn-api.reversinglabs.com
  • Credentials for ReversingLabs TitaniumCloud:
    • Username
    • Password

Configure ReversingLabs Titanium Cloud on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for ReversingLabs Titanium Cloud.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a meaningful name for the integration instance.
    • Base URL for malware presence: https://ticloud-aws1-api.reversinglabs.com
    • Base URL for extended RL Data: https://ticloud-cdn-api.reversinglabs.com
    • Credentials and Password: the username and password for your TitaniumCloud account.
  4. Click Test to validate the URLs and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  • Retrieve malware presence status of a sample: file

Retrieve malware presence status of a sample: file

Get the ReversingLabs malware presence status for a file. This service supports single hash queries and can optionally return additional response data. The ReversingLabs malware statuses are:

  • Malicious
  • Suspicious
  • Known
  • Unknown

Command Example

!file file="c4ab31a0e6bee10933367e74b8af630daed5bd5e" extended="true"

Input

Parameter Description Required?
file The hash to look up: the hexadecimal representation of an MD5, SHA-1, SHA-256, or SHA-512 digest. required
extended Set to true to have the data browser return a richer response schema, with additional classifications and facts about the queried sample. If you do not specify this parameter in the command, the default is false. optional

Human Readable Output (extended = false)

Human Readable Output (extended = true)

Context Output

Parameter Description
File.MD5 The MD5 hash of the file, when the query was made by MD5.
File.SHA1 The SHA-1 hash of the file, when the query was made by SHA-1.
File.Malicious.Vendor For malicious files, the vendor that made the decision.
File.Malicious.Detections For malicious files, the number of scanners that detected the sample.
File.Malicious.TotalEngines For malicious files, the total number of scanners that examined the sample.
DBotScore.Indicator The indicator that is being tested.
DBotScore.Type The indicator type.
DBotScore.Vendor The vendor used to calculate the score.
DBotScore.Score The actual score.

Raw Output

{
  "malware_presence": {
    "first_seen": "2018-05-28T03:15:44",
    "last_seen": "2018-05-28T03:19:00",
    "query_hash": {
      "sha1": "c4ab31a0e6bee10933367e74b8af630daed5bd5e"
    },
    "scanner_count": 45,
    "scanner_match": 2,
    "scanner_percent": 4.44444465637207,
    "status": "KNOWN",
    "threat_level": 0,
    "trust_factor": 5
  }
}
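The following is an added example, not the integration's own source code and not ReversingLabs code: it shows how the `file` and `extended` arguments from the Input table can be validated before a query is sent, and how a `malware_presence` response with the shape of the Raw Output above is turned into the File and DBotScore context entries listed under Context Output. The two sample responses are constructed here (the MALICIOUS one uses a placeholder MD5 that belongs to no real sample). The mapping of the four TitaniumCloud statuses onto the standard DBotScore scale (0 unknown, 1 good, 2 suspicious, 3 bad), the decision to populate `File.Malicious` only for MALICIOUS results, the helper names `hash_type`, `parse_extended` and `to_context`, and the extension of the documented `File.MD5`/`File.SHA1` keys to `File.SHA256`/`File.SHA512` for the other accepted digests are all assumptions of this example.

```python
import json
import re

# Constructed sample: a KNOWN (goodware) result, same shape as the Raw Output above.
SAMPLE_KNOWN = {
    "malware_presence": {
        "first_seen": "2018-05-28T03:15:44",
        "last_seen": "2018-05-28T03:19:00",
        "query_hash": {"sha1": "c4ab31a0e6bee10933367e74b8af630daed5bd5e"},
        "scanner_count": 45,
        "scanner_match": 2,
        "scanner_percent": 4.44444465637207,
        "status": "KNOWN",
        "threat_level": 0,
        "trust_factor": 5,
    }
}

# Constructed sample: a MALICIOUS result queried by MD5. The digest is a
# placeholder made up for this example, not the hash of any real file.
SAMPLE_MALICIOUS = {
    "malware_presence": {
        "query_hash": {"md5": "0123456789abcdef0123456789abcdef"},
        "scanner_count": 45,
        "scanner_match": 40,
        "status": "MALICIOUS",
        "threat_level": 5,
        "trust_factor": 0,
    }
}

# Hex-digest lengths accepted by the `file` argument.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Assumed mapping onto the Demisto DBotScore scale (0 unknown, 1 good,
# 2 suspicious, 3 bad).
DBOT_SCORES = {"MALICIOUS": 3, "SUSPICIOUS": 2, "KNOWN": 1, "UNKNOWN": 0}


def hash_type(value):
    """Return 'md5', 'sha1', 'sha256' or 'sha512' for a hex digest.

    Anything that is not plain hex of a supported length is rejected, so a
    typo or a pasted filename never reaches the API as a query.
    """
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("hash must be a hexadecimal digest: %r" % value)
    if len(digest) not in HASH_TYPES:
        raise ValueError("unsupported digest length %d: %r" % (len(digest), value))
    return HASH_TYPES[len(digest)]


def parse_extended(arg):
    """Interpret the optional extended="true"/"false" argument; default false."""
    if arg is None:
        return False
    text = str(arg).strip().lower()
    if text in ("true", "yes", "1"):
        return True
    if text in ("false", "no", "0"):
        return False
    raise ValueError("extended must be true or false, got %r" % arg)


def to_context(response, vendor="ReversingLabs"):
    """Build the File and DBotScore context entries from one API response."""
    mp = response["malware_presence"]
    query_hash = mp.get("query_hash") or {}
    if len(query_hash) != 1:
        raise ValueError("expected exactly one query_hash entry, got %r" % query_hash)
    (algo, digest), = query_hash.items()
    if algo != hash_type(digest):
        raise ValueError("query_hash type %r does not match the digest length" % algo)

    status = str(mp.get("status", "UNKNOWN")).upper()
    score = DBOT_SCORES.get(status, 0)

    # File.MD5 / File.SHA1 (and SHA256 / SHA512 by the same rule).
    file_ctx = {algo.upper(): digest}
    if score == 3:
        file_ctx["Malicious"] = {
            "Vendor": vendor,
            "Detections": mp.get("scanner_match"),
            "TotalEngines": mp.get("scanner_count"),
        }

    dbot = {"Indicator": digest, "Type": "file", "Vendor": vendor, "Score": score}
    return {"File": file_ctx, "DBotScore": dbot}


if __name__ == "__main__":
    for sample in (SAMPLE_KNOWN, SAMPLE_MALICIOUS):
        print(json.dumps(to_context(sample), indent=2))
```

Validating the digest locally before querying matters more than it looks: a malformed `file` argument otherwise costs an API call and produces an UNKNOWN result that is easy to mistake for "never seen", whereas a rejected argument fails the playbook step loudly. The cross-check between the `query_hash` key and the digest length guards against the context being populated under the wrong `File.*` key if the service ever echoes the hash under a different name.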