Twinwave

This Integration is part of the Twinwave Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

TwinWave’s threat analysis platform analyzes both URLs and files to detect credential phishing and malware threats. Our platform automatically navigates complex attack chains that attackers put in front of threats in order to evade analysis. In addition to detecting threats, the TwinWave platform generates actionable intelligence for threat hunting and other activities.

Configure Twinwave in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| api-token | Twinwave API token | True |
| first_fetch | Number of jobs to first fetch | False |
| max_fetch | | False |
| source | Filter incidents by submission source. | False |
| username | Filter UI incidents by username. Exact match only. (Cannot use if source is all or api) | False |
| proxy | Use system proxy settings | False |
| insecure | Trust any certificate (not secure) | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

twinwave-submit-url

Submit New URL for Scanning.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

twinwave-submit-url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | The target URL to visit and analyze. Unlike the UI, the API does not automatically un-defang the submitted URL. | Required |
| engines | Array of strings (EngineName). List of engines to be used during the analysis. If you'd like to use the default Engines for your account, omit this field or specify the empty array []. | Optional |
| parameters | Optional list of parameters to customize behavior during analysis of the job. (E.g., passwords for archives.) {"archive_document_password": "", "decode_rewritten_urls": "true/false"}. | Optional |
| priority | The job's priority relative to other jobs. Jobs with a lower priority value are processed before those with a higher value. (e.g., a priority=1 job will be processed before a priority=2 job.) Valid priority values are between 1 and 255. You may omit this field, in which case a default priority (10) is used. Default is 10. | Optional |
| profile | An optional profile name that defines the analysis behavior to be used during the analysis for this job. Profile names map to behaviors like identifying what collection of engines will be used. If no profile name is submitted the system will use the default profile. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Twinwave.Submissions.JobID | Unknown | Job ID |
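
Because the API does not un-defang URLs, a playbook has to refang and validate the value itself before calling twinwave-submit-url. The following is an added example, not code from the integration: the function names `refang` and `build_submit_url_args` and the set of defang patterns handled are assumptions, while the argument names and the 1 to 255 priority range come from the Input table for this command.

```python
import re
from urllib.parse import urlsplit

# Common defanging conventions seen in reports and tickets (assumed set, not exhaustive).
_REFANG_RULES = [
    (re.compile(r"^hxxp(s?)", re.I), r"http\1"),        # hxxp:// and hxxps://
    (re.compile(r"\[(:(?://)?)\]"), r"\1"),             # http[:]// and http[://]
    (re.compile(r"\s*[\[\(\{]\s*(?:\.|dot)\s*[\]\)\}]\s*", re.I), "."),  # [.] (.) [dot]
]


def refang(value: str) -> str:
    """Undo common defanging so the analysis receives a URL it can actually visit."""
    url = value.strip()
    for pattern, repl in _REFANG_RULES:
        url = pattern.sub(repl, url)
    parts = urlsplit(url)
    # Reject anything that is still not a plain http(s) URL instead of submitting junk.
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a usable http(s) URL after refanging: {value!r}")
    return url


def build_submit_url_args(url, engines=None, parameters=None, priority=10, profile=None):
    """Return validated arguments for twinwave-submit-url as native Python values.

    How list/dict values are serialized for the command line is not stated on
    the page, so that step is left to the caller.
    """
    priority = int(priority)
    if not 1 <= priority <= 255:
        raise ValueError("priority must be between 1 and 255")
    args = {"url": refang(url), "priority": priority}
    if engines:          # omitting the field selects the account's default engines
        args["engines"] = list(engines)
    if parameters:
        args["parameters"] = dict(parameters)
    if profile:
        args["profile"] = profile
    return args
```
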

twinwave-submit-file

Submit File for Scanning.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

twinwave-submit-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entry_id | The entry id of the File. | Required |
| priority | The job's priority relative to other jobs. Jobs with a lower priority value are processed before those with a higher value. (e.g., a priority=1 job will be processed before a priority=2 job.) Valid priority values are between 1 and 255. You may omit this field, in which case a default priority (10) is used. Default is 10. | Optional |
| profile | An optional profile name that defines the analysis behavior to be used during the analysis for this job. Profile names map to behaviors like identifying what collection of engines will be used. If no profile name is submitted the system will use the default profile. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Twinwave.Submissions.JobID | Unknown | Job ID |

twinwave-resubmit-job

Resubmit a Job

Base Command

twinwave-resubmit-job

Input

| Argument Name | Description | Required |
| --- | --- | --- |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Twinwave.Submissions.JobID | Unknown | Job ID |

twinwave-get-job-summary

Get Job Summary

Base Command

twinwave-get-job-summary

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The job ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Twinwave.JobSummary | Unknown | Twinwave Job Summary |
| Twinwave.JobSummary.ID | Unknown | Job ID |
| Twinwave.JobSummary.Tasks.ID | Unknown | Task ID |
| Twinwave.JobSummary.Tasks.JobID | Unknown | Job ID associated to the task |

twinwave-get-job-normalized-forensics

Get a Job's Normalized Forensics

Base Command

twinwave-get-job-normalized-forensics

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The job ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Twinwave.JobNormalizedForensics | Unknown | Twinwave Job Normalized Forensics |
| Twinwave.JobNormalizedForensics.JobID | Unknown | Job ID |

twinwave-get-task-normalized-forensics

Get a Task's Normalized Forensics

Base Command

twinwave-get-task-normalized-forensics

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The job ID. | Required |
| task_id | The task ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Twinwave.TaskNormalizedForensics | Unknown | Twinwave Task Normalized Forensics |
| Twinwave.TaskNormalizedForensics.TaskID | Unknown | Task ID |
| Twinwave.TaskNormalizedForensics.JobID | Unknown | Job ID |

twinwave-get-task-raw-forensics

Get a Task's Raw Forensics

Base Command

twinwave-get-task-raw-forensics

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The job ID. | Required |
| task_id | The task ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Twinwave.TaskRawForensics | Unknown | Twinwave Task Raw Forensics |
| Twinwave.TaskRawForensics.JobID | Unknown | Job ID |
| Twinwave.TaskRawForensics.TaskID | Unknown | Task ID |

twinwave-download-submitted-resource

Download the Submitted Resource.

Download a password-protected Zip archive of the Resource. Use the password 'infected' to decrypt the archive.

All Resources discovered during the analysis are available for download via this endpoint. To get the list of SHA256s for the Job's Resources, see the Resources array from Get a Job Summary.

Base Command

twinwave-download-submitted-resource

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The job ID. | Required |
| sha256 | The File sha256. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Name | Unknown | Name of the file |
| File.EntryID | Unknown | Entry ID of the file |

twinwave-get-engines

List Available Engines

Base Command

twinwave-get-engines

Input

| Argument Name | Description | Required |
| --- | --- | --- |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Twinwave.Engines | Unknown | Available Engines |
| Twinwave.Engines.Name | Unknown | Name of the engine |
| Twinwave.Engines.DefaultEnabled | Unknown | Default Enabled (True/False) |
| Twinwave.Engines.SupportedTypes | Unknown | Supported Types |

twinwave-search-across-jobs-and-resources

Search Across Jobs and Resources

Base Command

twinwave-search-across-jobs-and-resources

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| term | Specify the string to search for in the specified field. (E.g. .exe or example.com). | Optional |
| field | Enum: "filename" "url" "tag" "sha256" "md5". | Optional |
| type | Enum: "exact" "substring". | Optional |
| count | Specify the maximum number of results to be returned. This has a hard limit of 100; specifying a number greater than that will result in a 400 Bad Request and the search will not be performed. | Optional |
| shared_only | Specify true to only search across Jobs (and their Resources) which have been shared. | Optional |
| submitted_by | Specify a username or part of a username (e.g. alice@example.com or alice) to only search across Jobs (and their Resources) submitted by the matching user. | Optional |
| timeframe | Specify the maximum number of days back to search for results. Specify 0 for no limit. For example, setting this to 7 returns results within the last week. | Optional |
| page | The page for which you want results. This defaults to 1, the first page. See HasNext in the response of your search to know whether or not there are more pages for your search criteria. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Twinwave.JobsAndResources | Unknown | Jobs and Resources |
| Twinwave.JobsAndResources.Jobs | Unknown | Job Details |
| Twinwave.JobsAndResources.Jobs.ID | Unknown | Job ID |
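
Collecting every match from twinwave-search-across-jobs-and-resources means keeping count at or below the hard limit of 100 and following HasNext from page 1 onward. The following is an added example, not the integration's code: `search_page` is a hypothetical callable standing in for one invocation of the command, `fake_backend` is a constructed stand-in for the service, and the response shape (a dict with `Jobs` and `HasNext`) is assumed from the field names on this page.

```python
from typing import Callable, Dict, Iterator, List

MAX_COUNT = 100  # hard limit from the Input table; larger values return 400 Bad Request


def iter_jobs(search_page: Callable[..., Dict], term: str, field: str = "url",
              match_type: str = "substring", count: int = MAX_COUNT,
              timeframe: int = 7, max_pages: int = 50) -> Iterator[Dict]:
    """Yield each matching job once, following HasNext across pages."""
    if field not in {"filename", "url", "tag", "sha256", "md5"}:
        raise ValueError(f"unsupported field: {field}")
    if match_type not in {"exact", "substring"}:
        raise ValueError(f"unsupported type: {match_type}")
    count = max(1, min(int(count), MAX_COUNT))    # clamp instead of triggering a 400
    seen = set()
    for page in range(1, max_pages + 1):          # page numbering starts at 1
        resp = search_page(term=term, field=field, type=match_type,
                           count=count, timeframe=timeframe, page=page)
        for job in resp.get("Jobs") or []:
            if job.get("ID") not in seen:         # new submissions can shift page boundaries
                seen.add(job.get("ID"))
                yield job
        if not resp.get("HasNext"):
            return
    raise RuntimeError(f"stopped after {max_pages} pages; narrow the search")


def fake_backend(jobs: List[Dict]) -> Callable[..., Dict]:
    """Constructed stand-in for the service: slices a fixed job list into pages."""
    def search_page(*, count, page, **_ignored):
        if count > MAX_COUNT:
            raise ValueError("400 Bad Request")
        start = (page - 1) * count
        return {"Jobs": jobs[start:start + count], "HasNext": start + count < len(jobs)}
    return search_page


def demo() -> List[str]:
    jobs = [{"ID": f"job-{i:03d}"} for i in range(250)]   # constructed sample data
    # count=500 would be rejected by the service; iter_jobs clamps it to 100.
    return [j["ID"] for j in iter_jobs(fake_backend(jobs), term="example.com", count=500)]
```
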

twinwave-get-temp-artifact-url

Get a Temporary Artifact URL

Base Command

twinwave-get-temp-artifact-url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| path | Throughout the analysis of a Resource, a variety of Artifacts may be generated. These include things like Screenshots, PCAPs, HAR files, etc. This API endpoint generates a temporary URL that can be used to download the contents of an artifact. After making a call to this endpoint, the URL field will contain a link to a signed URL for the desired Artifact. This link has a limited lifetime, so upon receiving it, you should immediately make a GET request to retrieve the actual Artifact. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Twinwave.TempArtifactURL.URL | Unknown | Temporary URL |