# ReversingLabs TitaniumCloud v2
This integration is part of the ReversingLabs TitaniumCloud Pack.
## Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
## Overview
ReversingLabs TitaniumCloud is a threat intelligence solution providing up-to-date file reputation services, threat classification and rich context on over 10 billion goodware and malware files. A powerful set of REST API query and feed functions deliver targeted file and malware intelligence for threat identification, analysis, intelligence development, and threat hunting services.
This integration was integrated and tested with ReversingLabs TitaniumCloud.
## Prerequisites
In order to use this integration you will need to obtain a TitaniumCloud account with sufficient user rights.
Depending on the command in question, this integration requires user rights on several TitaniumCloud APIs.
Each command's section below lists the API user rights that command requires.
## Configure ReversingLabs Titanium Cloud on Cortex XSOAR
- Visit the Marketplace and search for the ReversingLabs TitaniumCloud pack.
- Upon finding the pack, install it.
- Navigate to Settings > Integrations > Servers & Services.
- After finding the ReversingLabs TitaniumCloud v2 integration, click Add instance to create and configure a new integration instance.
- Configure the following fields:
  - Name
    - A meaningful name for your integration instance
  - ReversingLabs TitaniumCloud URL
    - The base URL of TitaniumCloud
    - Default value is "https://data.reversinglabs.com"
  - Credentials
    - TitaniumCloud username
    - TitaniumCloud password
  - Reliability
    - Your desired reliability for this integration
- Click Test to validate the configuration.
- Click Done to finish configuring this instance.
## Commands
The following is a list of commands that you can execute on Cortex XSOAR either as part of an automation or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- reversinglabs-titaniumcloud-file-reputation
- reversinglabs-titaniumcloud-av-scanners
- reversinglabs-titaniumcloud-file-analysis
- reversinglabs-titaniumcloud-rha1-functional-similarity
- reversinglabs-titaniumcloud-rha1-analytics
- reversinglabs-titaniumcloud-uri-statistics
- reversinglabs-titaniumcloud-uri-index
- reversinglabs-titaniumcloud-advanced-search
- reversinglabs-titaniumcloud-expression-search
- reversinglabs-titaniumcloud-file-download
- reversinglabs-titaniumcloud-file-upload
- reversinglabs-titaniumcloud-url-report
- reversinglabs-titaniumcloud-analyze-url
- reversinglabs-titaniumcloud-submit-for-dynamic-analysis
- reversinglabs-titaniumcloud-get-dynamic-analysis-results
- reversinglabs-titaniumcloud-certificate-analytics
### reversinglabs-titaniumcloud-file-reputation
Provides file reputation data for a file (malicious, suspicious, known good or unknown).
Required API rights:
- TCA-0101
#### Command Example
!reversinglabs-titaniumcloud-file-reputation hash="21841b32c6165b27dddbd4d6eb3a672defe54271"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Desired sample hash. | True |
#### Human Readable Output
#### Context Output
| Path | Description |
| --- | --- |
| File.MD5 | MD5 indicator. |
| File.SHA1 | SHA-1 indicator. |
| File.SHA256 | SHA-256 indicator. |
| DBotScore | Returned DBot score. |
| ReversingLabs.file_reputation | Full report in JSON. |
#### Context Example
Full context:
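As an added example (not code from the integration or from ReversingLabs), the following Python shows how an XSOAR automation could validate the `hash` argument before running this command and then assemble the File and DBotScore context entries listed in the Context Output table. It assumes the four reputation statuses are spelled MALICIOUS, SUSPICIOUS, KNOWN and UNKNOWN, uses the standard XSOAR DBotScore scale (0 unknown, 1 good, 2 suspicious, 3 bad), and treats the Vendor label and the default reliability string as placeholders.

```python
import re

# Standard XSOAR DBotScore values (0 = unknown, 1 = good, 2 = suspicious, 3 = bad).
DBOT_NONE, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3

# Hex-digest length -> File context key the command populates (see Context Output).
_HASH_KEY_BY_LEN = {32: "MD5", 40: "SHA1", 64: "SHA256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Assumed spelling of the four reputation statuses the page names in prose.
_STATUS_TO_DBOT = {
    "MALICIOUS": DBOT_BAD,
    "SUSPICIOUS": DBOT_SUSPICIOUS,
    "KNOWN": DBOT_GOOD,
    "UNKNOWN": DBOT_NONE,
}


def classify_hash(value: str) -> str:
    """Return 'MD5', 'SHA1' or 'SHA256' for a well-formed hex digest; raise ValueError otherwise."""
    digest = value.strip()
    if not _HEX.match(digest):
        raise ValueError(f"hash is not hexadecimal: {value!r}")
    try:
        return _HASH_KEY_BY_LEN[len(digest)]
    except KeyError:
        raise ValueError(f"unsupported hash length {len(digest)} (expected 32, 40 or 64)") from None


def is_supported_hash(value: str) -> bool:
    """Boolean form of classify_hash, convenient as a playbook condition."""
    try:
        classify_hash(value)
        return True
    except ValueError:
        return False


def to_dbot_score(status: str) -> int:
    """Map a reputation status to a DBotScore; unrecognised statuses fall back to unknown, never to good."""
    return _STATUS_TO_DBOT.get(status.strip().upper(), DBOT_NONE)


def build_context(hash_value: str, status: str, reliability: str = "C - Fairly reliable") -> dict:
    """Assemble the File and DBotScore context entries for one reputation lookup.

    `reliability` mirrors the instance's Reliability setting; the default here is a placeholder.
    """
    key = classify_hash(hash_value)
    digest = hash_value.strip().lower()
    return {
        "File": {key: digest},
        "DBotScore": {
            "Indicator": digest,
            "Type": "file",
            "Vendor": "ReversingLabs TitaniumCloud v2",  # placeholder vendor label
            "Score": to_dbot_score(status),
            "Reliability": reliability,
        },
    }


if __name__ == "__main__":
    # Constructed sample: the hash from the command example, paired with an assumed status.
    print(build_context("21841b32c6165b27dddbd4d6eb3a672defe54271", "MALICIOUS"))
```

Rejecting malformed hashes before the lookup avoids spending an API call (and a TCA-0101 quota hit) on input that can never match, and mapping unknown status strings to DBotScore 0 rather than 1 keeps a parsing surprise from silently whitelisting a file.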
### reversinglabs-titaniumcloud-av-scanners
Provides AV vendor cross-reference data for a desired sample from multiple AV scanners.
Required API rights:
- TCA-0103
#### Command Example
!reversinglabs-titaniumcloud-av-scanners hash="21841b32c6165b27dddbd4d6eb3a672defe54271"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Desired sample hash. | True |
#### Human Readable Output
#### Context Output
| Path | Description |
| --- | --- |
| File.MD5 | MD5 indicator. |
| File.SHA1 | SHA-1 indicator. |
| File.SHA256 | SHA-256 indicator. |
| ReversingLabs.av_scanners | Full report in JSON. |
#### Context Example
Full context:
### reversinglabs-titaniumcloud-file-analysis
Provides file analysis data on hashes. Metadata can include relevant portions of static analysis, AV scan information, file sources and any related IP/domain information.
Required API rights:
- TCA-0104
#### Command Example
!reversinglabs-titaniumcloud-file-analysis hash="21841b32c6165b27dddbd4d6eb3a672defe54271"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Desired sample hash. | True |
#### Human Readable Output
#### Context Output
| Path | Description |
| --- | --- |
| File.MD5 | MD5 indicator. |
| File.SHA1 | SHA-1 indicator. |
| File.SHA256 | SHA-256 indicator. |
| ReversingLabs.file_analysis | Full report in JSON. |
### reversinglabs-titaniumcloud-rha1-functional-similarity
Provides a list of SHA-1 hashes of files that are functionally similar to the provided file (SHA-1 hash) at the selected precision level.
Required API rights:
- TCA-0301
- TCA-0104
#### Command Example
!reversinglabs-titaniumcloud-rha1-functional-similarity hash="21841b32c6165b27dddbd4d6eb3a672defe54271" result-limit="20"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Desired sample hash. | True |
| result-limit | Maximum number of results. | False |
#### Human Readable Output
A downloadable file containing the complete analysis report JSON is returned.
#### Context Output
| Path | Description |
| --- | --- |
| ReversingLabs.functional_similarity | Full report in JSON. |
#### Context Example
Full context:
### reversinglabs-titaniumcloud-rha1-analytics
Provides real-time counters of malicious, suspicious and known samples functionally similar to the provided file (SHA-1 hash) at the selected precision level.
Required API rights:
- TCA-0321
- TCA-0104
#### Command Example
!reversinglabs-titaniumcloud-rha1-analytics hash="21841b32c6165b27dddbd4d6eb3a672defe54271"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Desired sample hash. | True |
#### Human Readable Output
#### Context Output
| Path | Description |
| --- | --- |
| File.MD5 | MD5 indicator. |
| File.SHA1 | SHA-1 indicator. |
| File.SHA256 | SHA-256 indicator. |
| DBotScore | Returned DBot score. |
| ReversingLabs.rha1_analytics | Full report in JSON. |
#### Context Example
Full context:
### reversinglabs-titaniumcloud-uri-statistics
Provides the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI (domain, IP address, email or URL).
Required API rights:
- TCA-0402
#### Command Example
!reversinglabs-titaniumcloud-uri-statistics uri="google.com"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| uri | Desired URI string. | True |
#### Human Readable Output
#### Context Output
| Path | Description |
| --- | --- |
| IP.Address | IPv4 address. |
| Domain.Name | Domain name. |
| URL.Data | URL string. |
| Email.To | Email recipient. |
| ReversingLabs.uri-statistics | Full report in JSON. |
#### Context Example
Full context:
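The command accepts four kinds of URI and writes each to a different context path (IP.Address, Domain.Name, URL.Data or Email.To). As an added example that is not part of the integration, the Python below decides which of those four paths a given `uri` argument belongs to, so an automation can validate the input and know where to read the indicator back from context. The routing rules (a string with a scheme, path or query is a URL; a bare hostname is a domain; only IPv4 literals count as IP addresses, matching the table) are this example's own conventions, not documented behaviour of the service.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Hostname: dotted labels of letters, digits and hyphens, ending in an alphabetic TLD.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE
)
# Simple e-mail shape: enough to route the indicator, not a full RFC 5322 validator.
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _as_url(value: str, original: str) -> tuple[str, str]:
    """Confirm the string parses to a URL with a host, then route it to URL.Data."""
    parts = urlsplit(value if "://" in value else "http://" + value)
    if not parts.hostname:
        raise ValueError(f"URL has no host: {original!r}")
    return "URL.Data", value


def classify_uri(uri: str) -> tuple[str, str]:
    """Return (context_path, normalised_indicator) for the URI kinds the command accepts.

    context_path is one of the four paths from the command's Context Output table.
    """
    value = uri.strip()
    if not value or any(c.isspace() for c in value):
        raise ValueError(f"not a usable URI: {uri!r}")

    # 1. Anything with an explicit scheme is a URL (checked first so userinfo '@' is not read as e-mail).
    if "://" in value:
        return _as_url(value, uri)

    # 2. Plain IP literal. The table lists IPv4 only, so IPv6 literals are rejected here (assumed).
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version != 4:
            raise ValueError("only IPv4 literals are supported by this example")
        return "IP.Address", str(addr)

    # 3. E-mail address.
    if "@" in value and _EMAIL.match(value):
        return "Email.To", value.lower()

    # 4. Scheme-less URL: a path or query after the host (assumed convention).
    if "/" in value or "?" in value:
        return _as_url(value, uri)

    # 5. Bare hostname.
    if _DOMAIN.match(value):
        return "Domain.Name", value.lower()

    raise ValueError(f"unrecognised URI form: {uri!r}")


def is_supported_uri(uri: str) -> bool:
    """Boolean form of classify_uri, convenient as a playbook condition."""
    try:
        classify_uri(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs covering all four indicator kinds.
    for sample in ("google.com", "8.8.8.8", "user@example.com", "https://example.com/path?q=1"):
        print(sample, "->", classify_uri(sample))
```

Classifying the input up front also tells a playbook which standard indicator object (IP, Domain, URL or Email) to expect in context afterwards, which matters when a later task needs to branch on the indicator type.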
### reversinglabs-titaniumcloud-uri-index
Provides a list of all available file hashes associated with a given URI (domain, IP address, email or URL) regardless of file classification.
Required API rights:
- TCA-0401
#### Command Example
!reversinglabs-titaniumcloud-uri-index uri="google.com" result-limit="10"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| uri | Desired URI string. | True |
| result-limit | Maximum number of results. | False |
#### Human Readable Output
A downloadable file containing the complete analysis report JSON is returned.
#### Context Output
| Path | Description |
| --- | --- |
| ReversingLabs.uri-index | Full report in JSON. |
#### Context Example
Full context:
### reversinglabs-titaniumcloud-advanced-search
Search for hashes using multi-part search criteria. Supported criteria include more than 60 keywords, 35 antivirus vendors, 137 sample types and subtypes, and 283 tags that enable creating 510 unique search expressions with support for Boolean operators and case-insensitive wildcard matching. A number of search keywords support relational operators '<=' and '>='.
Required API rights:
- TCA-0320
#### Command Example
!reversinglabs-titaniumcloud-advanced-search query="av-count:5 available:TRUE" result-limit="10"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| query | Advanced Search query. | True |
| result-limit | Maximum number of results. | False |
#### Human Readable Output
A downloadable file containing the complete analysis report JSON is returned.
#### Context Output
| Path | Description |
| --- | --- |
| ReversingLabs.advanced_search | Full report in JSON. |
#### Context Example
Full context:
### reversinglabs-titaniumcloud-expression-search
This service provides samples first seen on a particular date, filtered by search criteria. At least 2 criteria must be supplied for a successful query. Available search criteria are: reputation status, threat level, trust factor, threat name, platform, subplatform, malware type, malware family, file type, file size, and AV scanner detection. Certain fields support the relational operators '<=', '>=' and '='.
Required API rights:
- TCA-0306
#### Command Example
!reversinglabs-titaniumcloud-expression-search query="status=MALICIOUS sample_type=MicrosoftWord|MicrosoftExcel|MicrosoftPowerPoint" result-limit="10"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| query | Expression Search query. | True |
| date | Search date. | False |
| result-limit | Maximum number of results. | False |
#### Human Readable Output
A downloadable file containing the complete analysis report JSON is returned.
#### Context Output
| Path | Description |
| --- | --- |
| ReversingLabs.expression_search | Full report in JSON. |
#### Context Example
Full context:
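The service rejects queries with fewer than two criteria, so it is worth checking the expression locally before the API call is spent. The Python below is an added example, not code from the integration: it parses a query of the form shown in the command example into (field, operator, values) triples, enforces the two-criteria minimum and the three operators the description names, and builds the exact War Room command line. It assumes criteria are whitespace-separated and that `|` joins alternative values, as the page's example suggests; the field names `status` and `sample_type` come from that example, any others are placeholders, and the `date` argument is passed through unvalidated because the page does not state its format.

```python
from __future__ import annotations

import re

# One criterion: a field name, one of the three operators named on the page, then a value
# (or several values joined with '|', as in sample_type=MicrosoftWord|MicrosoftExcel).
_CRITERION = re.compile(r"^([a-z][a-z0-9_]*)(<=|>=|=)(\S+)$")
MIN_CRITERIA = 2  # stated on the page


def parse_expression_query(query: str) -> list[tuple[str, str, list[str]]]:
    """Split an expression-search query into (field, operator, values) triples.

    Raises ValueError for a malformed criterion, an empty alternative, or too few criteria.
    """
    criteria: list[tuple[str, str, list[str]]] = []
    for token in query.split():
        match = _CRITERION.match(token)
        if not match:
            raise ValueError(f"malformed criterion: {token!r}")
        field, operator, raw = match.groups()
        values = raw.split("|")  # assumed: '|' separates alternative values
        if "" in values:
            raise ValueError(f"empty value in criterion: {token!r}")
        criteria.append((field, operator, values))
    if len(criteria) < MIN_CRITERIA:
        raise ValueError(f"expression search requires at least {MIN_CRITERIA} criteria")
    return criteria


def is_valid_expression_query(query: str) -> bool:
    """Boolean form of parse_expression_query, convenient as a playbook condition."""
    try:
        parse_expression_query(query)
        return True
    except ValueError:
        return False


def build_command(query: str, date: str | None = None, result_limit: int | None = None) -> str:
    """Return the War Room command line for a validated query."""
    if '"' in query:
        raise ValueError("query must not contain double quotes")
    parse_expression_query(query)
    parts = ["!reversinglabs-titaniumcloud-expression-search", f'query="{query}"']
    if date:
        parts.append(f'date="{date}"')  # format not stated on the page; passed through as given
    if result_limit is not None:
        if result_limit < 1:
            raise ValueError("result-limit must be a positive integer")
        parts.append(f'result-limit="{result_limit}"')
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed input: the query from the command example above.
    example = "status=MALICIOUS sample_type=MicrosoftWord|MicrosoftExcel|MicrosoftPowerPoint"
    print(parse_expression_query(example))
    print(build_command(example, result_limit=10))
```

Quoting the query in the generated command line is why `build_command` refuses embedded double quotes: an unescaped quote would end the `query=` argument early and leave the remainder to be parsed as further arguments.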
### reversinglabs-titaniumcloud-file-download
Downloads files associated with a SHA-1, MD5 or SHA-256 hash.
Required API rights:
- TCA-0201
#### Command Example
!reversinglabs-titaniumcloud-file-download hash=21841b32c6165b27dddbd4d6eb3a672defe54271
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Desired sample hash. | True |
#### Human Readable Output
### reversinglabs-titaniumcloud-file-upload
Uploads a file to TitaniumCloud. A file uploaded through this API is automatically submitted for analysis.
Required API rights:
- TCA-0202
#### Command Example
!reversinglabs-titaniumcloud-file-upload entryId="3552@1651bd83-3242-43e4-8084-26de8937ca81"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| entryId | File entry ID. | True |
#### Human Readable Output
### reversinglabs-titaniumcloud-url-report
This service returns threat intelligence data for the submitted URL.
Required API rights:
- TCA-0403
#### Command Example
!reversinglabs-titaniumcloud-url-report url="google.com"
#### Input
| Argument Name | Description | Required |
| --- | --- | --- |
| url | Desired URL string. | True |
#### Human Readable Output
#### Context Output
| Path | Description |
| --- | --- |
| URL.Data | The selected URL. |
| DBotScore | Returned DBot score. |
| ReversingLabs.url_report | Full report in JSON. |