Twinwave
Twinwave Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
TwinWave’s threat analysis platform analyzes both URLs and files to detect credential phishing and malware threats. Our platform automatically navigates complex attack chains that attackers put in front of threats in order to evade analysis. In addition to detecting threats, the TwinWave platform generates actionable intelligence for threat hunting and other activities.
Supported Cortex XSOAR versions: 6.0.0 and later.
#
Configure Twinwave in CortexParameter | Description | Required |
---|---|---|
isFetch | Fetch incidents | False |
incidentType | Incident type | False |
api-token | Twinwave API token | True |
first_fetch | Number of jobs to first fetch | False |
max_fetch | False | |
source | Filter incidents by submission source. | False |
username | Filter UI incidents by username. Exact match only. (Cannot use if source is all or api) | False |
proxy | Use system proxy settings | False |
insecure | Trust any certificate (not secure) | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
twinwave-submit-urlSubmit New URL for Scanning.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#
Base Commandtwinwave-submit-url
#
InputArgument Name | Description | Required |
---|---|---|
url | The target URL to visit and analyze. Unlike the UI, the API does not automatically un-defang the submitted URL. | Required |
engines | Array of strings (EngineName). List of engines to be used during the analysis. If you'd like to use the default Engines for your account, omit this field or specify the empty array []. . | Optional |
parameters | Optional list of parameters to customize behavior during analysis of the job. (E.g., passwords for archives.) {"archive_document_password": "", "decode_rewritten_urls": "true/false"}. | Optional |
priority | The job's priority relative to other jobs. Jobs with a lower priority value are processed before those with a higher value. (e.g., a priority=1 job will be processed before a priority=2 job.) Valid priority values are between 1 and 255. You may omit this field, in which case a default priority (10) is used. Default is 10. | Optional |
profile | An optional profile name that defines the analysis behavior to be used during the analysis for this job. Profiles names map to behaviors like identifying what collection of engines will be used. If no profile name is submitted the system will use the default profile. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Twinwave.Submissions.JobID | Unknown | Job ID |
#
twinwave-submit-fileSubmit File for Scanning.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#
Base Commandtwinwave-submit-file
#
InputArgument Name | Description | Required |
---|---|---|
entry_id | The entry id of the File. | Required |
priority | The job's priority relative to other jobs. Jobs with a lower priority value are processed before those with a higher value. (e.g., a priority=1 job will be processed before a priority=2 job.) Valid priority values are between 1 and 255. You may omit this field, in which case a default priority (10) is used. Default is 10. | Optional |
profile | An optional profile name that defines the analysis behavior to be used during the analysis for this job. Profiles names map to behaviors like identifying what collection of engines will be used. If no profile name is submitted the system will use the default profile. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Twinwave.Submissions.JobID | Unknown | Job ID |
#
twinwave-resubmit-jobResubmit a Job
#
Base Commandtwinwave-resubmit-job
#
InputArgument Name | Description | Required |
---|
#
Context OutputPath | Type | Description |
---|---|---|
Twinwave.Submissions.JobID | Unknown | Job ID |
#
twinwave-get-job-summaryGet Job Summary
#
Base Commandtwinwave-get-job-summary
#
InputArgument Name | Description | Required |
---|---|---|
job_id | the job ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Twinwave.JobSummary | Unknown | Twinwave Job Summary |
Twinwave.JobSummary.ID | Unknown | Job ID |
Twinwave.JobSummary.Tasks.ID | Unknown | Task ID |
Twinwave.JobSummary.Tasks.JobID | Unknown | Job ID associated to the task |
#
twinwave-get-job-normalized-forensicsGet a Job's Normalized Forensics
#
Base Commandtwinwave-get-job-normalized-forensics
#
InputArgument Name | Description | Required |
---|---|---|
job_id | The job ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Twinwave.JobNormalizedForensics | Unknown | Twinwave Job Normalized Forensics |
Twinwave.JobNormalizedForensics.JobID | Unknown | Job ID |
#
twinwave-get-task-normalized-forensicsGet a Task's Normalized Forensics
#
Base Commandtwinwave-get-task-normalized-forensics
#
InputArgument Name | Description | Required |
---|---|---|
job_id | The job ID. | Required |
task_id | The task ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Twinwave.TaskNormalizedForensics | Unknown | Twinwave Task Normalized Forensics |
Twinwave.TaskNormalizedForensics.TaskID | Unknown | Task ID |
Twinwave.TaskNormalizedForensics.JobID | Unknown | Job ID |
#
twinwave-get-task-raw-forensicsGet a Task's Raw Forensics
#
Base Commandtwinwave-get-task-raw-forensics
#
InputArgument Name | Description | Required |
---|---|---|
job_id | The job ID. | Required |
task_id | The task ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Twinwave.TaskRawForensics | Unknown | Twinwave Task Raw Forensics |
Twinwave.TaskRawForensics.JobID | Unknown | Job ID |
Twinwave.TaskRawForensics.TaskID | Unknown | Task ID |
#
twinwave-download-submitted-resourceDownload the Submitted Resource.
Download a password-protected Zip archive of the Resource. Use the password 'infected' to decrypt the archive.
All Resources discovered during the analysis are available for download via this endpoint. To get the list of SHA256s for the Job's Resources, see The Resources array from Get a Job Summary.
#
Base Commandtwinwave-download-submitted-resource
#
InputArgument Name | Description | Required |
---|---|---|
job_id | The job ID. | Required |
sha256 | The File sha256. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.Name | Unknown | Name of the file |
File.EntryID | Unknown | Entry ID of the file |
#
twinwave-get-enginesList Available Engines
#
Base Commandtwinwave-get-engines
#
InputArgument Name | Description | Required |
---|
#
Context OutputPath | Type | Description |
---|---|---|
Twinwave.Engines | Unknown | Available Engines |
Twinwave.Engines.Name | Unknown | Name of the engine |
Twinwave.Engines.DefaultEnabled | Unknown | Default Enabled (True/False) |
Twinwave.Engines.SupportedTypes | Unknown | Supported Types |
#
twinwave-search-across-jobs-and-resourcesSearch Across Jobs and Resources
#
Base Commandtwinwave-search-across-jobs-and-resources
#
InputArgument Name | Description | Required |
---|---|---|
term | Specify the string to search for in the specified field. (E.g. .exe or example.com). | Optional |
field | Enum: "filename" "url" "tag" "sha256" "md5". | Optional |
type | Enum: "exact" "substring". | Optional |
count | Specify the maximum number of results to be returned. This has a hard limit of 100; specifying a number greater than that will result in a 400 Bad Request and the search will not be performed. | Optional |
shared_only | Specify true to only search across Jobs (and their Resources) which have been shared. | Optional |
submitted_by | Specify a username or part of a username (e.g. alice@example.com or alice) to only search across Jobs (and their Resources) submitted by the matching user. | Optional |
timeframe | Specify the maximum number of days back to search for results. Specify 0 for no limit. For example, setting this to 7 returns results within the last week. | Optional |
page | The page for which you want results. This defaults to 1 the first page. See HasNext in the response of your search to know whether or not there are more pages for your search criteria. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Twinwave.JobsAndResources | Unknown | Jobs and Resources |
Twinwave.JobsAndResources.Jobs | Unknown | Job Details |
Twinwave.JobsAndResources.Jobs.ID | Unknown | Job ID |
#
twinwave-get-temp-artifact-urlGet a Temporary Artifact URL
#
Base Commandtwinwave-get-temp-artifact-url
#
InputArgument Name | Description | Required |
---|---|---|
path | Throughout the analysis of a Resource, a variety of Artifacts may be generated. These include things like Screenshots, PCAPs, HAR files, etc. This API endpoint generates a temporary URL that can be used to download the contents of an artifact. After making a call to this endpoint, the URL field will contain a link to a signed URL for the desired Artifact. This link has a limited lifetime, so upon receiving it, you should immediately make a GET request to retrieve the actual Artifact. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Twinwave.TempArtifactURL.URL | Unknown | Temporary URL |