Twinwave

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Stealth mode cybersecurity startup.

Configure Twinwave on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Twinwave.

  3. Click Add instance to create and configure a new integration instance.

    Parameter | Description | Required
    isFetch | Fetch incidents | False
    incidentType | Incident type | False
    api-token | Twinwave API token | True
    first_fetch | Number of jobs to first fetch | False
    max_fetch | | False
    source | Filter incidents by submission source. | False
    username | Filter UI incidents by username. Exact match only. (Cannot use if source is all or api) | False
    proxy | Use system proxy settings | False
    insecure | Trust any certificate (not secure) | False
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

twinwave-submit-url


Submit New URL for Scanning

Base Command

twinwave-submit-url

Input

Argument Name | Description | Required
url | The target URL to visit and analyze. Unlike the UI, the API does not automatically un-defang the submitted URL. | Required
engines | Array of strings (EngineName). List of engines to be used during the analysis. If you'd like to use the default Engines for your account, omit this field or specify the empty array []. | Optional
parameters | Optional list of parameters to customize behavior during analysis of the job. (E.g., passwords for archives.) {"archive_document_password": "", "decode_rewritten_urls": "true/false"}. | Optional
priority | The job's priority relative to other jobs. Jobs with a lower priority value are processed before those with a higher value. (e.g., a priority=1 job will be processed before a priority=2 job.) Valid priority values are between 1 and 255. You may omit this field, in which case a default priority (10) is used. Default is 10. | Optional
profile | An optional profile name that defines the analysis behavior to be used during the analysis for this job. Profile names map to behaviors like identifying what collection of engines will be used. If no profile name is submitted, the system will use the default profile. | Optional

Context Output

Path | Type | Description
Twinwave.Submissions.JobID | Unknown | Job ID
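Because the API does not un-defang the submitted URL, indicators copied from tickets or reports need to be refanged before they reach twinwave-submit-url. The following is an added example, not code from the integration: the names refang and build_submit_url_args are hypothetical, the defang patterns are a constructed list, and only the url, engines, priority and profile arguments from the table above are used.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Defanging conventions commonly seen in tickets and reports
# (constructed list for this example, not exhaustive).
_REFANG_RULES = [
    (re.compile(r"\[://\]"), "://"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", re.I), "."),
    (re.compile(r"^hxxp(s?)(?=:)", re.I), r"http\1"),
]


def refang(value: str) -> str:
    """Undo common defanging so the sandbox visits the intended URL."""
    out = value.strip()
    for pattern, replacement in _REFANG_RULES:
        out = pattern.sub(replacement, out)
    return out


def build_submit_url_args(url: str, engines: Optional[List[str]] = None,
                          priority: int = 10,
                          profile: Optional[str] = None) -> Dict[str, object]:
    """Return validated arguments for twinwave-submit-url (hypothetical helper)."""
    target = refang(url)
    parts = urlsplit(target)
    # Reject anything that is still not a fetchable http(s) URL after refanging.
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL after refanging: {target!r}")
    # The argument table gives 1-255 as the valid range, lower values run first.
    if not 1 <= priority <= 255:
        raise ValueError("priority must be between 1 and 255")
    args: Dict[str, object] = {"url": target, "priority": priority}
    if engines:
        # Omitting the field (or passing []) selects the account's default engines.
        args["engines"] = list(engines)
    if profile:
        args["profile"] = profile
    return args
```
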

twinwave-submit-file


Submit File for Scanning

Base Command

twinwave-submit-file

Input

Argument Name | Description | Required
entry_id | The entry ID of the file. | Required
priority | The job's priority relative to other jobs. Jobs with a lower priority value are processed before those with a higher value. (e.g., a priority=1 job will be processed before a priority=2 job.) Valid priority values are between 1 and 255. You may omit this field, in which case a default priority (10) is used. Default is 10. | Optional
profile | An optional profile name that defines the analysis behavior to be used during the analysis for this job. Profile names map to behaviors like identifying what collection of engines will be used. If no profile name is submitted, the system will use the default profile. | Optional

Context Output

Path | Type | Description
Twinwave.Submissions.JobID | Unknown | Job ID

twinwave-resubmit-job


Resubmit a Job

Base Command

twinwave-resubmit-job

Input

Argument Name | Description | Required

Context Output

Path | Type | Description
Twinwave.Submissions.JobID | Unknown | Job ID

twinwave-get-job-summary


Get Job Summary

Base Command

twinwave-get-job-summary

Input

Argument Name | Description | Required
job_id | The job ID. | Required

Context Output

Path | Type | Description
Twinwave.JobSummary | Unknown | Twinwave Job Summary
Twinwave.JobSummary.ID | Unknown | Job ID
Twinwave.JobSummary.Tasks.ID | Unknown | Task ID
Twinwave.JobSummary.Tasks.JobID | Unknown | Job ID associated to the task

twinwave-get-job-normalized-forensics


Get a Job's Normalized Forensics

Base Command

twinwave-get-job-normalized-forensics

Input

Argument Name | Description | Required
job_id | The job ID. | Required

Context Output

Path | Type | Description
Twinwave.JobNormalizedForensics | Unknown | Twinwave Job Normalized Forensics
Twinwave.JobNormalizedForensics.JobID | Unknown | Job ID

twinwave-get-task-normalized-forensics


Get a Task's Normalized Forensics

Base Command

twinwave-get-task-normalized-forensics

Input

Argument Name | Description | Required
job_id | The job ID. | Required
task_id | The task ID. | Required

Context Output

Path | Type | Description
Twinwave.TaskNormalizedForensics | Unknown | Twinwave Task Normalized Forensics
Twinwave.TaskNormalizedForensics.TaskID | Unknown | Task ID
Twinwave.TaskNormalizedForensics.JobID | Unknown | Job ID

twinwave-get-task-raw-forensics


Get a Task's Raw Forensics

Base Command

twinwave-get-task-raw-forensics

Input

Argument Name | Description | Required
job_id | The job ID. | Required
task_id | The task ID. | Required

Context Output

Path | Type | Description
Twinwave.TaskRawForensics | Unknown | Twinwave Task Raw Forensics
Twinwave.TaskRawForensics.JobID | Unknown | Job ID
Twinwave.TaskRawForensics.TaskID | Unknown | Task ID

twinwave-download-submitted-resource


Download the Submitted Resource.

Download a password-protected Zip archive of the Resource. Use the password 'infected' to decrypt the archive.

All Resources discovered during the analysis are available for download via this endpoint. To get the list of SHA256s for the Job's Resources, see the Resources array from Get a Job Summary.

Base Command

twinwave-download-submitted-resource

Input

Argument Name | Description | Required
job_id | The job ID. | Required
sha256 | The file's SHA256. | Required

Context Output

Path | Type | Description
File.Name | Unknown | Name of the file
File.EntryID | Unknown | Entry ID of the file

twinwave-get-engines


List Available Engines

Base Command

twinwave-get-engines

Input

Argument Name | Description | Required

Context Output

Path | Type | Description
Twinwave.Engines | Unknown | Available Engines
Twinwave.Engines.Name | Unknown | Name of the engine
Twinwave.Engines.DefaultEnabled | Unknown | Default Enabled (True/False)
Twinwave.Engines.SupportedTypes | Unknown | Supported Types

twinwave-search-across-jobs-and-resources


Search Across Jobs and Resources

Base Command

twinwave-search-across-jobs-and-resources

Input

Argument Name | Description | Required
term | Specify the string to search for in the specified field. (E.g. .exe or example.com). | Optional
field | Enum: "filename" "url" "tag" "sha256" "md5". | Optional
type | Enum: "exact" "substring". | Optional
count | Specify the maximum number of results to be returned. This has a hard limit of 100; specifying a number greater than that will result in a 400 Bad Request and the search will not be performed. | Optional
shared_only | Specify true to only search across Jobs (and their Resources) which have been shared. | Optional
submitted_by | Specify a username or part of a username (e.g. alice@example.com or alice) to only search across Jobs (and their Resources) submitted by the matching user. | Optional
timeframe | Specify the maximum number of days back to search for results. Specify 0 for no limit. For example, setting this to 7 returns results within the last week. | Optional
page | The page for which you want results. This defaults to 1, the first page. See HasNext in the response of your search to know whether or not there are more pages for your search criteria. | Optional

Context Output

Path | Type | Description
Twinwave.JobsAndResources | Unknown | Jobs and Resources
Twinwave.JobsAndResources.Jobs | Unknown | Job Details
Twinwave.JobsAndResources.Jobs.ID | Unknown | Job ID
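The search arguments above have two failure modes worth handling in a playbook: a count above 100 is rejected with 400 Bad Request, and results beyond the first page are missed unless HasNext is followed. The following is an added example, not code from the integration. The helper names, the lower bound of 1 on count, and the response shape (a dict with "Jobs" and "HasNext") are assumptions, and fake_search returns constructed data in place of the real command.

```python
from typing import Callable, Dict, Iterator, Optional

FIELDS = {"filename", "url", "tag", "sha256", "md5"}
MATCH_TYPES = {"exact", "substring"}
MAX_COUNT = 100  # hard limit from the argument table; more returns 400 Bad Request


def build_search_args(term: str, field: str, match_type: str = "exact",
                      count: int = MAX_COUNT, timeframe: int = 0,
                      submitted_by: Optional[str] = None) -> Dict[str, object]:
    """Validate locally so a bad value never costs a rejected search."""
    if field not in FIELDS:
        raise ValueError(f"field must be one of {sorted(FIELDS)}")
    if match_type not in MATCH_TYPES:
        raise ValueError(f"type must be one of {sorted(MATCH_TYPES)}")
    if not 1 <= count <= MAX_COUNT:  # lower bound of 1 is an assumption
        raise ValueError(f"count must be between 1 and {MAX_COUNT}")
    if timeframe < 0:
        raise ValueError("timeframe is a number of days; 0 means no limit")
    args: Dict[str, object] = {"term": term, "field": field, "type": match_type,
                               "count": count, "timeframe": timeframe}
    if submitted_by:
        args["submitted_by"] = submitted_by
    return args


def iter_job_ids(run_search: Callable[[Dict[str, object]], dict],
                 args: Dict[str, object], max_pages: int = 20) -> Iterator[str]:
    """Walk pages from 1 until HasNext is false, capped against runaway loops."""
    for page in range(1, max_pages + 1):
        result = run_search({**args, "page": page})
        for job in result.get("Jobs") or []:
            yield job["ID"]
        if not result.get("HasNext"):
            return


# Constructed two-page response standing in for the real command (assumed shape).
_PAGES = {1: {"Jobs": [{"ID": "job-a"}, {"ID": "job-b"}], "HasNext": True},
          2: {"Jobs": [{"ID": "job-c"}], "HasNext": False}}


def fake_search(args: Dict[str, object]) -> dict:
    return _PAGES[int(args["page"])]
```
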

twinwave-get-temp-artifact-url


Get a Temporary Artifact URL

Base Command

twinwave-get-temp-artifact-url

Input

Argument Name | Description | Required
path | Throughout the analysis of a Resource, a variety of Artifacts may be generated. These include things like Screenshots, PCAPs, HAR files, etc. This API endpoint generates a temporary URL that can be used to download the contents of an artifact. After making a call to this endpoint, the URL field will contain a link to a signed URL for the desired Artifact. This link has a limited lifetime, so upon receiving it, you should immediately make a GET request to retrieve the actual Artifact. | Required

Context Output

Path | Type | Description
Twinwave.TempArtifactURL.URL | Unknown | Temporary URL