RL TitaniumCloud REST APIs

Publisher: ReversingLabs
Connector Version: 2.3.0
Product Vendor: ReversingLabs
Product Name: TitaniumCloud
Product Version Supported (regex): ".*"
Minimum Product Version: 5.1.0

This app integrates with ReversingLabs cloud services to implement reputation and investigative actions for file samples and their metadata

ReversingLabs TitaniumCloud File Reputation

This app implements the investigative action 'file reputation' on the ReversingLabs TitaniumCloud file reputation service. Information includes ReversingLabs Malware Presence information and Anti-Virus scanner information.

The ReversingLabs TitaniumCloud File Reputation, part of ReversingLabs Threat Intelligence provides up-to-date file reputation, Anti-Virus scan information and internal analysis information on billions of goodware and malware samples.

Malware samples are continually reanalyzed to ensure that the reputation information is relevant at all times.

In addition to file reputation and historical AV reputation, additional Threat Intelligence can be obtained from TitaniumCloud via multiple APIs and Feeds, which allow users to search for files by hash or anti-virus detection name. It is also possible to hunt for files from a single malware family, search for functionally similar samples, perform bulk queries, and receive alerts on file reputation changes.

For more information, consult the official product website.

How to Configure the App

Access the Asset Settings tab on the Asset Configuration page. The variables described in the previous section are displayed in this tab.

Input the username and password required to connect to ReversingLabs TitaniumCloud File Reputation service.

Select the "Verify server certificate" checkbox to ensure that the self-signed certificates are not accepted.

Note: Action parameter 'hunting report vault id' expects JSON type of content from file.

Playbook Backward Compatibility

Following new actions have been added:

certificate analytics
uri statistics
file similarity analytics
advanced search
joe sandbox adapter

Port Information

The app uses HTTP/ HTTPS protocol for communicating with the RL TitaniumCloud REST APIs server. Below are the default ports used by the Splunk SOAR Connector.

SERVICE NAME	TRANSPORT PROTOCOL	PORT
http	tcp	80
https	tcp	443

Configuration Variables

The below configuration variables are required for this Connector to operate. These variables are specified when configuring a TitaniumCloud asset in SOAR.

VARIABLE	REQUIRED	TYPE	DESCRIPTION
username	required	string	Username
password	required	password	Password
url	optional	string	TitaniumCloud or T1000 url
verify_server_cert	optional	boolean	Verify server certificate

Supported Actions

joe sandbox adapter - ReversingLabs plug-in for Joe Sandbox which will update threat hunting metadata with dynamic analysis results
test connectivity - Validate the asset configuration for connectivity
file reputation - Queries ReversingLabs for file reputation info
advanced search - Queries ReversingLabs Advanced Search with specified search query
file similarity analytics - Queries ReversingLabs file similarity analytics for the specified file
uri statistics - Queries ReversingLabs URI statistics for the specified URI
certificate analytics - Queries ReversingLabs certificate analytics for the specified certificate thumbprint

action: 'joe sandbox adapter'

ReversingLabs plug-in for Joe Sandbox which will update threat hunting metadata with dynamic analysis results

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
joe_report_vault_id	optional	Joe Sandbox dynamic analysis report vault ID	string	`vault id`
hunting_report_vault_id	required	Threat hunting report vault id	string	`vault id`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.parameter.hunting_report_vault_id	string	`vault id`
action_result.parameter.joe_report_vault_id	string	`vault id`
action_result.data.*.hunting_report_vault_id	string	`vault id`
action_result.data.*.readable_summary.classification.classification	string
action_result.data.*.readable_summary.classification.description	string
action_result.data.*.readable_summary.classification.reason	string
action_result.data.*.readable_summary.classification.threat.description	string
action_result.data.*.readable_summary.classification.threat.factor	numeric
action_result.data.*.readable_summary.classification.threat.name	string
action_result.status	string
action_result.message	string
action_result.summary	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'test connectivity'

Validate the asset configuration for connectivity

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'file reputation'

Queries ReversingLabs for file reputation info

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
hash	optional	File hash to query	string	`md5` `sha1` `sha256`
hunting_report_vault_id	optional	Threat hunting report vault id	string	`vault id`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.parameter.hash	string	`md5` `sha1` `sha256`
action_result.parameter.hunting_report_vault_id	string	`vault id`
action_result.data.*.hunting_report_vault_id	string	`vault id`
action_result.data.*.readable_summary.classification.classification	string
action_result.data.*.readable_summary.classification.description	string
action_result.data.*.readable_summary.classification.reason	string
action_result.data.*.readable_summary.classification.threat.description	string
action_result.data.*.readable_summary.classification.threat.factor	numeric
action_result.data.*.readable_summary.classification.threat.name	string
action_result.status	string
action_result.message	string
action_result.summary	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'advanced search'

Queries ReversingLabs Advanced Search with specified search query

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
search_parameter	optional	RL Advanced Search query search field	string
results_per_page	optional	Number of results per one page (Default:1000)	numeric
page_number	optional	Page number (Default:1)	numeric
hunting_report_vault_id	optional	Threat hunting report vault id	string	`vault id`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.parameter.hunting_report_vault_id	string	`vault id`
action_result.parameter.page_number	numeric
action_result.parameter.results_per_page	numeric
action_result.parameter.search_parameter	string
action_result.data.*.hunting_report_vault_id	string	`vault id`
action_result.data.*.readable_summary.classification.classification	string
action_result.data.*.readable_summary.classification.description	string
action_result.data.*.readable_summary.classification.reason	string
action_result.data.*.readable_summary.classification.threat.description	string
action_result.data.*.readable_summary.classification.threat.factor	numeric
action_result.data.*.readable_summary.classification.threat.name	string
action_result.status	string
action_result.message	string
action_result.summary	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'file similarity analytics'

Queries ReversingLabs file similarity analytics for the specified file

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
hash	optional	File SHA1 hash value	string	`sha1`
sample_type	optional	RL TitaniumCore sample type	string
hunting_report_vault_id	optional	Threat hunting report that represents current state of the hunting workflow	string	`vault id`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.parameter.hash	string	`sha1`
action_result.parameter.hunting_report_vault_id	string	`vault id`
action_result.parameter.sample_type	string
action_result.data.*.hunting_report_vault_id	string	`vault id`
action_result.data.*.readable_summary.classification.classification	string
action_result.data.*.readable_summary.classification.description	string
action_result.data.*.readable_summary.classification.reason	string
action_result.data.*.readable_summary.classification.threat.description	string
action_result.data.*.readable_summary.classification.threat.factor	numeric
action_result.data.*.readable_summary.classification.threat.name	string
action_result.status	string
action_result.message	string
action_result.summary	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'uri statistics'

Queries ReversingLabs URI statistics for the specified URI

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
uri	optional	URI value that will get queried. Can be: url, domain, email address or ip address	string
hunting_report_vault_id	optional	Threat hunting report that represent current state of the hunting workflow	string	`vault id`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.parameter.hunting_report_vault_id	string	`vault id`
action_result.parameter.uri	string
action_result.data.*.hunting_report_vault_id	string	`vault id`
action_result.data.*.readable_summary.classification.classification	string
action_result.data.*.readable_summary.classification.description	string
action_result.data.*.readable_summary.classification.reason	string
action_result.data.*.readable_summary.classification.threat.description	string
action_result.data.*.readable_summary.classification.threat.factor	numeric
action_result.data.*.readable_summary.classification.threat.name	string
action_result.status	string
action_result.message	string
action_result.summary	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'certificate analytics'

Queries ReversingLabs certificate analytics for the specified certificate thumbprint

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
thumbprint	optional	Certificate thumbprint that will get queried. Can be: url, domain, email address or ip address	string
hunting_report_vault_id	optional	Threat hunting report that represents current state of the hunting workflow	string	`vault id`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.parameter.hunting_report_vault_id	string	`vault id`
action_result.parameter.thumbprint	string
action_result.data.*.hunting_report_vault_id	string	`vault id`
action_result.data.*.readable_summary.classification.classification	string
action_result.data.*.readable_summary.classification.description	string
action_result.data.*.readable_summary.classification.reason	string
action_result.data.*.readable_summary.classification.threat.description	string
action_result.data.*.readable_summary.classification.threat.factor	numeric
action_result.data.*.readable_summary.classification.threat.name	string
action_result.status	string
action_result.message	string
action_result.summary	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

Name		Name	Last commit message	Last commit date
Latest commit History 107 Commits
.github/workflows		.github/workflows
img		img
release_notes		release_notes
wheels		wheels
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
NOTICE		NOTICE
README.md		README.md
__init__.py		__init__.py
logo_reversinglabs_ticloud.svg		logo_reversinglabs_ticloud.svg
logo_reversinglabs_ticloud_dark.svg		logo_reversinglabs_ticloud_dark.svg
manual_readme_content.md		manual_readme_content.md
requirements.txt		requirements.txt
reversinglabs_ticloud.json		reversinglabs_ticloud.json
reversinglabs_ticloud_connector.py		reversinglabs_ticloud_connector.py
reversinglabs_ticloud_consts.py		reversinglabs_ticloud_consts.py
reversinglabs_ticloud_template.html		reversinglabs_ticloud_template.html
reversinglabs_ticloud_view.py		reversinglabs_ticloud_view.py
tox.ini		tox.ini

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

RL TitaniumCloud REST APIs

ReversingLabs TitaniumCloud File Reputation

How to Configure the App

Port Information

Configuration Variables

Supported Actions

action: 'joe sandbox adapter'

Action Parameters

Action Output

action: 'test connectivity'

Action Parameters

Action Output

action: 'file reputation'

Action Parameters

Action Output

action: 'advanced search'

Action Parameters

Action Output

action: 'file similarity analytics'

Action Parameters

Action Output

action: 'uri statistics'

Action Parameters

Action Output

action: 'certificate analytics'

Action Parameters

Action Output

About

Releases 1

Packages

Contributors 12

Languages

License

splunk-soar-connectors/reversinglabs-ticloud

Folders and files

Latest commit

History

Repository files navigation

RL TitaniumCloud REST APIs

ReversingLabs TitaniumCloud File Reputation

How to Configure the App

Port Information

Configuration Variables

Supported Actions

action: 'joe sandbox adapter'

Action Parameters

Action Output

action: 'test connectivity'

Action Parameters

Action Output

action: 'file reputation'

Action Parameters

Action Output

action: 'advanced search'

Action Parameters

Action Output

action: 'file similarity analytics'

Action Parameters

Action Output

action: 'uri statistics'

Action Parameters

Action Output

action: 'certificate analytics'

Action Parameters

Action Output

About

Resources

License

Stars

Watchers

Forks

Releases 1

Packages 0

Contributors 12

Languages

Packages