Publisher: ReversingLabs
Connector Version: 2.0.5
Product Vendor: ReversingLabs
Product Name: TISCALE
Product Version Supported (regex): ".*"
Minimum Product Version: 5.1.0
This app integrates with the ReversingLabs TiScale Enterprise Scale File Visibility platform to automate analysis and investigative actions for file samples.
This app supports using ReversingLabs Advanced File Analysis to 'detonate file' on the TitaniumScale Advanced Malware Analysis Appliance.
The ReversingLabs TitaniumScale Appliance is powered by TitaniumCore, the malware analysis engine that performs automated static analysis using the Active File Decomposition technology.
TitaniumCore unpacks and recursively analyzes files without executing them, and extracts internal threat indicators to classify files and determine their threat level. TitaniumCore is capable of identifying thousands of file format families. It recursively unpacks hundreds of file format families, and fully repairs extracted files to enable further analysis.
For more information, consult the official product website.
Access the Asset Settings tab on the Asset Configuration page. The variables described in the previous section are displayed in this tab.
The "Base URL" field requires the host URL of the ReversingLabs TitaniumScale service. Select the "Verify server certificate" checkbox to validate the server's certificate, so that self-signed certificates are not accepted.
The "API Key" field requires the authentication token for accessing the TitaniumScale REST API.
The "Detonate timeout" variable defines how long the app should wait for the results from the TitaniumScale appliance.
The configuration variables below are required for this Connector to operate. These variables are specified when configuring a TISCALE asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
base_url | required | string | Base URL to TISCALE service |
verify_server_cert | optional | boolean | Verify server certificate |
api_key | optional | password | API Key |
timeout | required | numeric | Detonate timeout in mins |
test connectivity - Validate the asset configuration for connectivity by attempting to log into the device
detonate file - Analyze the file in the TISCALE Advanced Malware Analysis Appliance and retrieve the analysis results
Validate the asset configuration for connectivity by attempting to log into the device
Type: test
Read only: True
No parameters are required for this action
No Output
Analyze the file in the TISCALE Advanced Malware Analysis Appliance and retrieve the analysis results
Type: investigate
Read only: True
This action requires the input file to be present in the vault and therefore takes the vault id as the input parameter.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
file_vault_id | required | Vault ID of file to detonate | string | vault id |
file_name | optional | Filename to use | string | |
hunting_report_vault_id | optional | Threat hunting report that represents current state of the hunting workflow | string | vault id |
full_report | optional | Receive full TiScale metadata in a response | boolean | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.file_name | string | |
action_result.parameter.file_vault_id | string | vault id |
action_result.parameter.full_report | string | |
action_result.parameter.hunting_report_vault_id | string | vault id |
action_result.data | string | |
action_result.data.*.hunting_report_vault_id | string | |
action_result.data.*.readable_summary.classification.classification | string | |
action_result.data.*.readable_summary.classification.description | string | |
action_result.data.*.readable_summary.classification.reason | string | |
action_result.data.*.readable_summary.classification.threat.description | string | |
action_result.data.*.readable_summary.classification.threat.factor | numeric | |
action_result.data.*.readable_summary.classification.threat.name | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
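
The following is an added example, not code from the connector or from ReversingLabs: it resolves the documented 'detonate file' data paths against an action result and flags values whose type differs from the output table, which is worth checking before a playbook branches on the classification. The sample result and every value in it are constructed, and treating `*` as "each element of a list" is an assumption about how the paths are read.

```python
PREFIX = "action_result."
# Types copied from the output table above (classification paths only).
DOCUMENTED = {
    "readable_summary.classification.classification": str,
    "readable_summary.classification.reason": str,
    "readable_summary.classification.threat.name": str,
    "readable_summary.classification.threat.factor": (int, float),
}

# Constructed sample result; every value is invented for illustration.
SAMPLE_RESULT = {
    "status": "success",
    "data": [
        {"readable_summary": {"classification": {
            "classification": "malicious", "reason": "constructed",
            "threat": {"name": "Constructed.Sample", "factor": 4}}}},
        {"readable_summary": {"classification": {"classification": "unknown"}}},
        {"readable_summary": {"classification": {
            "classification": "malicious", "threat": {"factor": "5"}}}},
    ],
}


def resolve(obj, path):
    """Return all values matching a dotted data path; '*' fans out over a list."""
    if path.startswith(PREFIX):
        path = path[len(PREFIX):]
    values = [obj]
    for key in path.split("."):
        if key == "*":
            values = [item for v in values if isinstance(v, list) for item in v]
        else:
            values = [v[key] for v in values if isinstance(v, dict) and key in v]
    return values


def audit(result):
    """Per file entry: fields found, plus documented paths with the wrong type."""
    report = []
    for entry in resolve(result, "action_result.data.*"):
        fields, bad = {}, []
        for path, expected in DOCUMENTED.items():
            found = resolve(entry, path)
            value = found[0] if found else None  # absent field stays None
            if value is not None and (isinstance(value, bool) or not isinstance(value, expected)):
                bad.append(path)
            fields[path.rsplit(".", 1)[-1]] = value
        report.append((fields, bad))
    return report
```

Resolving a wildcard path across the whole result drops entries that lack the field, so `audit` walks each `data` entry separately to keep a missing threat block aligned with its own file.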