diff --git a/README.md b/README.md
index 0fe4ea0..02360e6 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,13 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 [customer monthly usage](#action-customer-monthly-usage) - TCA-9999 - Check Monthly usage of ReversingLabs API
 [customer quota limits](#action-customer-quota-limits) - TCA-9999 - Returns current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company.
 [customer yara api usage](#action-customer-yara-api-usage) - TCA-9999 - Check Yara usage on ReversingLabs API
+[av scanners](#action-av-scanners) - TCA-0103 - Retrieve AV Scanner data from TitaniumCloud
+[customer daily usage](#action-customer-daily-usage) - TCA-9999 - Check daily usage of ReversingLabs API
+[customer dayrange usage](#action-customer-dayrange-usage) - TCA-9999 - Check ReversingLabs API usage for specified time range (in days)
+[customer month range usage](#action-customer-month-range-usage) - TCA-9999 - Check ReversingLabs API usage for specified time range (in months)
+[customer monthly usage](#action-customer-monthly-usage) - TCA-9999 - Check Monthly usage of ReversingLabs API
+[customer quota limits](#action-customer-quota-limits) - TCA-9999 - Returns current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company.
+[customer yara api usage](#action-customer-yara-api-usage) - TCA-9999 - Check Yara usage on ReversingLabs API
 [dynamic analysis results](#action-dynamic-analysis-results) - TCA-0106 - Retrieve a file dynamic analysis results
 [dynamic url analysis results](#action-dynamic-url-analysis-results) - TCA-0106 - Retrieve an url dynamic analysis results
 [file analysis](#action-file-analysis) - TCA-0104 - Retrieve File Analysis by hash data from TitaniumCloud
@@ -51,10 +58,20 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 [get domain downloaded files](#action-get-domain-downloaded-files) - TCA-0405 - Retrieve a list of files downloaded from the submitted domain
 [get domain report](#action-get-domain-report) - TCA-0405 - API returns threat intelligence data for the submitted domain
 [get downloaded files](#action-get-downloaded-files) - TCA-0403 - Get files downloaded from url
+[file analysis](#action-file-analysis) - TCA-0104 - Retrieve File Analysis by hash data from TitaniumCloud
+[file reputation](#action-file-reputation) - TCA-0101 - Queries for file reputation info
+[file reputation user override](#action-file-reputation-user-override) - TCA-0102 - File Reputation User Override
+[functional similarity](#action-functional-similarity) - TCA-0301 - Retrieve a list of functionally similar hashes to the provided one
+[get domain downloaded files](#action-get-domain-downloaded-files) - TCA-0405 - Retrieve a list of files downloaded from the submitted domain
+[get domain report](#action-get-domain-report) - TCA-0405 - API returns threat intelligence data for the submitted domain
+[get downloaded files](#action-get-downloaded-files) - TCA-0403 - Get files downloaded from url
 [get file](#action-get-file) - TCA-0201 - Download a sample from TitaniumCloud
 [get ip downloaded files](#action-get-ip-downloaded-files) - TCA-0406 - Retrieve a list of files downloaded from the submitted IP address
 [get ip report](#action-get-ip-report) - TCA-0406 - API returns threat intelligence data for the submitted ip address
 [get latest url analysis feed](#action-get-latest-url-analysis-feed) - TCA - 0403 - Get latest url analysis feed
+[get ip downloaded files](#action-get-ip-downloaded-files) - TCA-0406 - Retrieve a list of files downloaded from the submitted IP address
+[get ip report](#action-get-ip-report) - TCA-0406 - API returns threat intelligence data for the submitted ip address
+[get latest url analysis feed](#action-get-latest-url-analysis-feed) - TCA - 0403 - Get latest url analysis feed
 [get list user overrides](#action-get-list-user-overrides) - TCA-0408 - Get user URL classification overrides
 [get list user overrides aggregated](#action-get-list-user-overrides-aggregated) - TCA-0408 - Get user URL classification overrides aggregated
 [get network reputation](#action-get-network-reputation) - TCA-0407 - Get reputation of a requested URL, domain or IP address
@@ -68,6 +85,17 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 [get yara retro matches](#action-get-yara-retro-matches) - TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range
 [imphash similarity](#action-imphash-similarity) - TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash)
 [list active file reputation user overrides](#action-list-active-file-reputation-user-overrides) - TCA-0102 - List Active File Reputation User Overrides
+[get network reputation](#action-get-network-reputation) - TCA-0407 - Get reputation of a requested URL, domain or IP address
+[get related domains](#action-get-related-domains) - TCA-0405 - API provides a list of domains that have the same top parent domain as the requested domain
+[get resolutions from domain](#action-get-resolutions-from-domains) - TCA-0405 - API provides a list of domain-to-IP mappings for the requested domain
+[get resolutions from ip](#action-get-resolutions-from-ip) - TCA-0406 - API provides a list of IP-to-domain mappings for the requested IP address
+[get url analysis feed from date](#action-get-url-analysis-feed-from-date) - TCA-0403 - Get url analysis feed from date
+[get urls from domain](#action-get-urls-from-domain) - TCA-0405 - API provides a list of URLs associated with the requested domain
+[get urls from ip](#action-get-urls-from-ip) - TCA-0406 - API provides a list of URLs associated with the requested IP address
+[get yara matches](#action-get-yara-matches) - TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range
+[get yara retro matches](#action-get-yara-retro-matches) - TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range
+[imphash similarity](#action-imphash-similarity) - TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash)
+[list active file reputation user overrides](#action-list-active-file-reputation-user-overrides) - TCA-0102 - List Active File Reputation User Overrides
 [network reputation user override](#action-network-reputation-user-override) - TCA-0408 - Override user network location reputation
 [reanalyze file](#action-reanalyze-file) - TCA-0205 - Reanalyze sample
 [submit for dynamic analysis](#action-submit-for-dynamic-analysis) - TCA-0207 - Submit an existing sample for dynamic analysis
@@ -85,6 +113,22 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION [yara retro check status](#action-yara-retro-check-status) - TCA-0319 - Check the retro hunt status for the specified ruleset [yara retro cancel hunt](#action-yara-retro-cancel-hunt) - TCA-0319 - Cancel the retro hunt for the specified ruleset +[reanalyze file](#action-reanalyze-file) - TCA-0205 - Reanalyze sample +[submit for dynamic analysis](#action-submit-for-dynamic-analysis) - TCA-0207 - Submit an existing sample for dynamic analysis +[submit url for dynamic analysis](#action-submit-url-for-dynamic-analysis) - TCA-0207 - Submit an existing url sample for dynamic analysis +[upload file](#action-upload-file) - TCA-0202 - Upload file to TitaniumCloud +[uri index](#action-uri-index) - TCA-0401 - Retrieve a list of all available file hashes associated with a given URI +[uri statistics](#action-uri-statistics) - TCA-0402 - Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI +[url reputation](#action-url-reputation) - TCA-0403 - Queries URL Threat Intelligence +[yara create ruleset](#action-yara-create-ruleset) - TCA-0303 - Create a new YARA ruleset +[yara delete ruleset](#action-yara-delete-ruleset) - TCA-0303 - Delete YARA ruleset +[yara get ruleset info](#action-yara-get-ruleset-info) - TCA-0303 - Get YARA ruleset info +[yara get ruleset text](#action-yara-get-ruleset-text) - TCA-0303 - Get YARA ruleset text +[yara retro enable hunt](#action-yara-retro-enable-hunt) - TCA-0319 - Enable YARA retro hunt +[yara retro start hunt](#action-yara-retro-start-hunt) - TCA-0319 - Start YARA retro hunt for the specified ruleset +[yara retro check status](#action-yara-retro-check-status) - TCA-0319 - Check the retro hunt status for the specified ruleset +[yara retro cancel hunt](#action-yara-retro-cancel-hunt) - TCA-0319 - Cancel the retro hunt for the specified ruleset + ## action: 'test connectivity' Validate the asset configuration for connectivity using supplied 
configuration @@ -100,12 +144,16 @@ No parameters are required for this action #### Action Output No Output +## action: 'advanced search' +TCA-0320 - Search for hashes using multi-part search criteria ## action: 'advanced search' TCA-0320 - Search for hashes using multi-part search criteria +Type: **investigate** Type: **investigate** Read only: **False** +TCA-0320 - Search for hashes using multi-part search criteria. Supported criteria include more than 60 keywords, 35 antivirus vendors, 137 sample types and subtypes, and 283 tags that enable creating 510 unique search expressions with support for Boolean operators and case-insensitive wildcard matching. A number of search keywords support relational operators '<=' and '>='. TCA-0320 - Search for hashes using multi-part search criteria. Supported criteria include more than 60 keywords, 35 antivirus vendors, 137 sample types and subtypes, and 283 tags that enable creating 510 unique search expressions with support for Boolean operators and case-insensitive wildcard matching. A number of search keywords support relational operators '<=' and '>='. #### Action Parameters @@ -113,6 +161,8 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **query** | required | Advanced Search query | string | **limit** | optional | Maximum number of results | numeric | +**query** | required | Advanced Search query | string | +**limit** | optional | Maximum number of results | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES 
@@ -120,66 +170,89 @@ DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES action_result.status | string | | success or failed action_result.parameter.limit | numeric | | action_result.parameter.query | string | | +action_result.status | string | | success or failed +action_result.parameter.limit | numeric | | +action_result.parameter.query | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +## action: 'analyze url' +TCA-0404 - Analyze a given URL ## action: 'analyze url' TCA-0404 - Analyze a given URL +Type: **investigate** Type: **investigate** Read only: **False** +TCA-0404 - This service allows users to submit a URL for analysis. TCA-0404 - This service allows users to submit a URL for analysis. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **url** | required | URL to analyze | string | `url` +**url** | required | URL to analyze | string | `url` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed action_result.parameter.url | string | | +action_result.status | string | | success or failed +action_result.parameter.url | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +## action: 'av scanners' +TCA-0103 - Retrieve AV Scanner data from TitaniumCloud ## action: 'av scanners' TCA-0103 - Retrieve AV Scanner data from TitaniumCloud +Type: **investigate** Type: **investigate** Read only: **False** +TCA-0103 - Provides AV vendor cross-reference data for a desired sample from multiple AV scanners. 
TCA-0103 - Provides AV vendor cross-reference data for a desired sample from multiple AV scanners. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **hash** | required | File hash | string | `sha1` `sha256` `md5` +**hash** | required | File hash | string | `sha1` `sha256` `md5` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed action_result.parameter.hash | string | | +action_result.status | string | | success or failed +action_result.parameter.hash | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +## action: 'customer daily usage' +TCA-9999 - Check daily usage of ReversingLabs API ## action: 'customer daily usage' TCA-9999 - Check daily usage of ReversingLabs API Type: **generic** Read only: **False** +TCA-9999 - API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company TCA-9999 - API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company #### Action Parameters 
@@ -187,6 +260,8 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **date** | required | Specifies the date for which customer usage information should be returned | string | | **company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | string | | +**date** | required | Specifies the date for which customer usage information should be returned | string | | +**company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | string | | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES @@ -196,16 +271,25 @@ action_result.data.*.usage_report.*.product | string | | action_result.data.*.usage_report.*.number_of_queries | string | | action_result.data.*.usage_report.*.used_bytes | string | | action_result.status | string | | success or failed +action_result.data.*.date | Date | | YYYY-MM-DD +action_result.data.*.usage_report.*.product | string | | +action_result.data.*.usage_report.*.number_of_queries | string | | +action_result.data.*.usage_report.*.used_bytes | string | | +action_result.status | string | | success or failed action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +## action: 'customer dayrange usage' +TCA-9999 - Check ReversingLabs API usage for specified time range (in days) ## action: 'customer dayrange usage' TCA-9999 - Check ReversingLabs API usage for specified time range (in days) Type: **generic** Read only: **False** +TCA-9999 - API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company TCA-9999 - API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company #### Action Parameters 
@@ -214,21 +298,29 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **from_date** | required | Specifies the from date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM-DD format. | string | | **to_date** | required | Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM-DD format. | string | | **company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | string | | +**from_date** | required | Specifies the from date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM-DD format. | string | | +**to_date** | required | Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM-DD format. | string | | +**company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | string | | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed +action_result.status | string | | success or failed action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +## action: 'customer month range usage' +TCA-9999 - Check ReversingLabs API usage for specified time range (in months) ## action: 'customer month range usage' TCA-9999 - Check ReversingLabs API usage for specified time range (in months) Type: **generic** Read only: **False** +TCA-9999 - API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company TCA-9999 - API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company 
#### Action Parameters @@ -237,21 +329,29 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **from_month** | required | Specifies the from date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM format. | string | | **to_month** | required | Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM format. | string | | **company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | string | | +**from_month** | required | Specifies the from date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM format. | string | | +**to_month** | required | Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM format. | string | | +**company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | string | | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed +action_result.status | string | | success or failed action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +## action: 'customer monthly usage' +TCA-9999 - Check Monthly usage of ReversingLabs API ## action: 'customer monthly usage' TCA-9999 - Check Monthly usage of ReversingLabs API Type: **generic** Read only: **False** +TCA-9999 - API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company TCA-9999 - API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company #### Action Parameters 
@@ -259,6 +359,8 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **month** | required | Specifies the month for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM format. | string | | **company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | string | | +**month** | required | Specifies the month for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM format. | string | | +**company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | string | | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES 
@@ -271,19 +373,31 @@ action_result.status | string | | success or failed action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +action_result.data.*.month | string | | YYYY-MM +action_result.data.*.usage_report.*.product | string | +action_result.data.*.usage_report.*.number_of_queries | string | +action_result.data.*.usage_report.*.used_bytes | string | +action_result.status | string | | success or failed +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | +## action: 'customer quota limits' +TCA-9999 - Returns current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company. ## action: 'customer quota limits' TCA-9999 - Returns current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company. Type: **generic** Read only: **False** +TCA-9999 - API allows ReversingLabs customers to track quota limits of TitaniumCloud services provisioned to all accounts in a company TCA-9999 - API allows ReversingLabs customers to track quota limits of TitaniumCloud services provisioned to all accounts in a company #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | string | | +**company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | string | | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES 
@@ -297,19 +411,32 @@ action_result.status | string | | success or failed action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +action_result.data.*.limits.*.limit | numeric | | +action_result.data.*limits.*.limit_type | string | | +action_result.data.*limits.*.limit_exceeded | boolean | | +action_result.data.*limits.*.products | string | | +action_result.data.*limits.*.users | string | | +action_result.status | string | | success or failed +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | +## action: 'customer yara api usage' +TCA-9999 - Check Yara usage on ReversingLabs API. ## action: 'customer yara api usage' TCA-9999 - Check Yara usage on ReversingLabs API. Type: **generic** Read only: **False** +TCA-9999 - This query returns information about the number of active YARA rulesets for the TitaniumCloud account that sent the request. TCA-9999 - This query returns information about the number of active YARA rulesets for the TitaniumCloud account that sent the request. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **format** | optional | Specify the response format. Supported values are xml and json. The default is JSON. | string | json | +**format** | optional | Specify the response format. Supported values are xml and json. The default is JSON. | string | json | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES 
@@ -317,16 +444,24 @@ DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES action_result.data.*.product | string | | action_result.data.*.number_of_active_rulesets | string | | action_result.status | string | | success or failed +action_result.data.*.product | string | | +action_result.data.*.number_of_active_rulesets | string | | +action_result.status | string | | success or failed action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | +## action: 'dynamic analysis results' +TCA-0106 - Retrieve dynamic analysis results ## action: 'dynamic analysis results' TCA-0106 - Retrieve dynamic analysis results Type: **generic** Read only: **False** +TCA-0106 - This service allows users to retrieve dynamic analysis results for a file that was submitted for dynamic analysis. TCA-0106 - This service allows users to retrieve dynamic analysis results for a file that was submitted for dynamic analysis. #### Action Parameters @@ -335,6 +470,9 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **sha1** | required | Selected sample's SHA-1 hash | string | `sha1` **analysis_id** | optional | Return only the results of this analysis | string | **latest** | optional | Return only the latest analysis results | boolean | +**sha1** | required | Selected sample's SHA-1 hash | string | `sha1` +**analysis_id** | optional | Return only the results of this analysis | string | +**latest** | optional | Return only the latest analysis results | boolean | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES 
@@ -343,18 +481,27 @@ action_result.status | string | | success or failed action_result.parameter.analysis_id | string | | action_result.parameter.latest | boolean | | action_result.parameter.sha1 | string | | +action_result.status | string | | success or failed +action_result.parameter.analysis_id | string | | +action_result.parameter.latest | boolean | | +action_result.parameter.sha1 | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +## action: 'dynamic url analysis results' +TCA-0106 - Retrieve dynamic analysis results for url ## action: 'dynamic url analysis results' TCA-0106 - Retrieve dynamic analysis results for url Type: **investigate** Read only: **true** +Read only: **true** +TCA-0106 - This service allows users to retrieve dynamic analysis results for an url that was submitted for dynamic analysis. TCA-0106 - This service allows users to retrieve dynamic analysis results for an url that was submitted for dynamic analysis. #### Action Parameters @@ -363,6 +510,9 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **url** | required | Provide one of the following: sha1, base64 or url | string | `sha1` `url` | **analysis_id** | optional | Return only the results of this analysis | string | **latest** | optional | Return only the latest analysis results | boolean | +**url** | required | Provide one of the following: sha1, base64 or url | string | `sha1` `url` | +**analysis_id** | optional | Return only the results of this analysis | string | +**latest** | optional | Return only the latest analysis results | boolean | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES 
@@ -370,18 +520,25 @@ DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES action_result.parameter.analysis_id | string | | action_result.parameter.data.0.requested_sha1_url | string | | +## action: 'file analysis' +TCA-0104 - Retrieve File Analysis by hash data from TitaniumCloud +action_result.parameter.analysis_id | string | | +action_result.parameter.data.0.requested_sha1_url | string | | + ## action: 'file analysis' TCA-0104 - Retrieve File Analysis by hash data from TitaniumCloud Type: **investigate** Read only: **False** +TCA-0104 - Provides file analysis data on hashes. Metadata can include relevant portions of static analysis, AV scan information, file sources and any related IP/domain information. TCA-0104 - Provides file analysis data on hashes. Metadata can include relevant portions of static analysis, AV scan information, file sources and any related IP/domain information. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **hash** | required | File hash | string | `sha1` `sha256` `md5` `vault id` +**hash** | required | File hash | string | `sha1` `sha256` `md5` `vault id` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES @@ -393,6 +550,7 @@ action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | ## action: 'file reputation' TCA-0101 - Queries for file reputation info 
@@ -417,13 +575,18 @@ action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +## action: 'file reputation user override' +TCA-0102 - File Reputation User Override ## action: 'file reputation user override' TCA-0102 - File Reputation User Override +Type: **generic** Type: **generic** Read only: **False** +TCA-0102 - The File Reputation User Override service enables File sample classification overrides. TCA-0102 - The File Reputation User Override service enables File sample classification overrides. #### Action Parameters @@ -431,12 +594,16 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- **override_samples** | required | List of samples to override structured in JSON format. Visit documentation for guidance. | string | **remove_overrides** | optional | List of samples whose classification override needs to be removed structured in JSON format. Visit documentation for guidance | string | +**override_samples** | required | List of samples to override structured in JSON format. Visit documentation for guidance. | string | +**remove_overrides** | optional | List of samples whose classification override needs to be removed structured in JSON format. Visit documentation for guidance | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.parameter.override_samples | string | | action_result.parameter.remove_overrides | string | | +action_result.parameter.override_samples | string | | +action_result.parameter.remove_overrides | string | | action_result.status | string | | success or failed action_result.parameter.hash | string | | action_result.data | string | | 
@@ -444,6 +611,7 @@ action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | ## action: 'functional similarity' TCA-0301 - Retrieve a list of functionally similar hashes to the provided one @@ -470,13 +638,19 @@ action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +## action: 'get domain downloaded files' +TCA-0405 - Retrieve a list of files downloaded from the submitted domain ## action: 'get domain downloaded files' TCA-0405 - Retrieve a list of files downloaded from the submitted domain +Type: **generic** +Read only: **False** Type: **generic** Read only: **False** +TCA-0405 - The response will contain metadata for files downloaded from the submitted domain. Empty fields are not included in the response. TCA-0405 - The response will contain metadata for files downloaded from the submitted domain. Empty fields are not included in the response. #### Action Parameters 
@@ -486,11 +660,37 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **extended** | optional | Chose whether you want extended result data set | boolean | **limit** | optional | The number of files to return in the response. Default is 1000 | numeric | **classification** | optional | Return only samples that match the requested classification for given domain | string | +**domain** | required | The domain for which to retrieve the downloaded files | string | domain +**extended** | optional | Chose whether you want extended result data set | boolean | +**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | +**classification** | optional | Return only samples that match the requested classification for given domain | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success or failed +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'get domain report' +TCA-0405 - API returns threat intelligence data for the submitted domain + +Type: **generic** +Read only: **False** + +TCA-0405 - The report contains domain reputation from various reputation sources, classification statistics for files downloaded from the domain, the most common threats found on the domain DNS information about the domain, and parent domain information. 
+ +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**domain** | required | The domain for which to retrieve the report | string | `domain` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed +action_result.status | string | | success or failed action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | @@ -515,6 +715,7 @@ action_result.status | string | | success or failed action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | ## action: 'get downloaded files' TCA - 0403 - Get files downloaded from url 
@@ -620,74 +821,145 @@ action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get latest url analysis feed' -TCA - 0403 - Get latest url analysis feed +## action: 'get file' +TCA-0201 - Download a sample from TitaniumCloud -Type: **generic** -Read only: **False** +Type: **investigate** +Read only: **True** -Returns the latest URL analyses reports aggregated as list. +TCA-0201 - Download a sample from TitaniumCloud and add it to the vault. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**results_per_page** | optional | Number of results to be returned in one page, maximum value is 1000 | numeric | -**max_results** | optional | Maximum results to be returned in the list | numeric | +**hash** | required | Hash of file/sample to download | string | `md5` `sha1` `sha256` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.parameter.results_per_page | numeric | | -action_result.parameter.max_results | numeric | | -action_result.status | string | | +action_result.status | string | | success or failed +action_result.parameter.hash | string | `md5` `sha1` `sha256` | +action_result.data | string | | +action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get list user overrides' -TCA-0408 - Get user URL classification overrides +## action: 'get ip downloaded files' +TCA-0406 - Retrieve a list of files downloaded from the submitted IP address Type: **generic** -Read only: **False** +Read only: **True** -TCA-0408 - Get user URL classification overrides +TCA-0406 - The response will contain metadata for files downloaded from the submitted IP address. Empty fields are not included in the response. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**next_page_sha1** | optional | Optional parameter used for pagination | string | `sha1` +**ip_address** | required | The IP address for which to retrieve the downloaded files | string | `ip` +**extended** | optional | Chose whether you want extended result data set | boolean | +**page** | optional | String representing a page of results | string | +**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | +**classification** | optional | Return only samples that match the requested classification for given domain | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.data.*.user_override.network_locations.*.network_location | string | `url` `domain` `ip` | -action_result.data.*.user_override.network_locations.*.type | string | `url` `domain` `ip` | action_result.status | string | | success or failed -action_result.message | string | | +action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'get list user overrides aggregated' -TCA-0408 - Get user URL classification overrides aggregated +## action: 'get ip report' +TCA-0406 - API returns threat intelligence data for the submitted ip address Type: **generic** -Read only: **False** +Read only: **True** -This API automatically handles paging and returns a list of results instead of a Response object. +TCA-0406 - The report contains IP reputation from various reputation sources, classification statistics for files downloaded from the IP, and the top threats hosted on the submitted IP. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**max_results** | optional | | numeric | +**ip_address** | required | The IP address for which to retrieve the report | string | `ip` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.data.*.*.network_location | string | `url` `domain` `ip` | -action_result.data.*.*.type | string | `url` `domain` `ip` | -action_result.status | string | | success or failed -action_result.message | string | | -summary.total_objects | numeric | | +action_result.status | string | | success or failed +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'get latest url analysis feed' +TCA - 0403 - Get latest url analysis feed + +Type: **generic** +Read only: **False** + +Returns the latest URL analyses reports aggregated as list. 
+ +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**results_per_page** | optional | Number of results to be returned in one page, maximum value is 1000 | numeric | +**max_results** | optional | Maximum results to be returned in the list | numeric | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.results_per_page | numeric | | +action_result.parameter.max_results | numeric | | +action_result.status | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'get list user overrides' +TCA-0408 - Get user URL classification overrides + +Type: **generic** +Read only: **False** + +TCA-0408 - Get user URL classification overrides + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**next_page_sha1** | optional | Optional parameter used for pagination | string | `sha1` + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.data.*.user_override.network_locations.*.network_location | string | `url` `domain` `ip` | +action_result.data.*.user_override.network_locations.*.type | string | `url` `domain` `ip` | +action_result.status | string | | success or failed +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'get list user overrides aggregated' +TCA-0408 - Get user URL classification overrides aggregated + +Type: **generic** +Read only: **False** + +This API automatically handles paging and returns a list of results instead of a Response object. 
+ +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**max_results** | optional | | numeric | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.data.*.*.network_location | string | `url` `domain` `ip` | +action_result.data.*.*.type | string | `url` `domain` `ip` | +action_result.status | string | | success or failed +action_result.message | string | | +summary.total_objects | numeric | | summary.total_objects_successful | numeric | | ## action: 'get network reputation' 
@@ -791,1454 +1063,2352 @@ action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get url analysis feed from date' -TCA - 0403 - Get url analysis feed from date +## action: 'get list user overrides' +TCA-0408 - Get user URL classification overrides Type: **generic** Read only: **False** -Accepts time format and a start time and returns URL analyses reports from that defined time onward aggregated as a list. +TCA-0408 - Get user URL classification overrides #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**time_format** | required | Possible values: 'utc' or 'timestamp' | string | -**start_time** | required | Time from which to retrieve results onwards | string | -**results_per_page** | optional | Number of results to be returned in one page, maximum value is 1000 | numeric | -**max_results** | optional | Maximum results to be returned in the list | numeric | +**next_page_sha1** | optional | Optional parameter used for pagination | string | `sha1` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.parameter.time_format | string | | -action_result.parameter.start_time | string | | -action_result.parameter.results_per_page | numeric | | -action_result.parameter.max_results | numeric | | -action_result.status | string | | -action_result.message | string | | +action_result.data.*.user_override.network_locations.*.network_location | string | `url` `domain` `ip` | +action_result.data.*.user_override.network_locations.*.type | string | `url` `domain` `ip` | +action_result.status | string | | success or failed +action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'get urls from domain' -TCA - 0405 - API provides a list of 
URLs associated with the requested domain. +## action: 'get list user overrides aggregated' +TCA-0408 - Get user URL classification overrides aggregated -Type: **investigate** +Type: **generic** Read only: **False** -TCA - 0405 - API provides a list of URLs associated with the requested domain. +This API automatically handles paging and returns a list of results instead of a Response object. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**domain** | required | The domain for which to retrieve the resolved IP addresses | string | `domain` -**page** | optional | String representing a page of results | string | -**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | +**max_results** | optional | | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.data.*.requested_domain | string | `domain` | -action_result.data.*.urls.*.url | string | `url` | -action_result.status | string | | -action_result.message | string | | +action_result.data.*.*.network_location | string | `url` `domain` `ip` | +action_result.data.*.*.type | string | `url` `domain` `ip` | +action_result.status | string | | success or failed +action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get urls from ip' -TCA - 0406 - API provides a list of URLs associated with the requested IP address. +## action: 'get network reputation' +TCA-0407 - Get reputation of a requested URL, domain or IP address Type: **investigate** Read only: **False** -TCA - 0406 - API provides a list of URLs associated with the requested IP address. +Service provides information regarding the reputation of a requested URL, domain or IP address. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ip_address** | required | The IP for which to retrieve the domain resolutions | string | `ip` -**page** | optional | String representing a page of results | string | -**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | +**network_locations** | required | domain, url or ip | string | `domain` `url` `ip` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.data.*.requested_ip | string | `ip` | -action_result.data.*.urls.*.url | string | `url` | -action_result.status | string | | +action_result.status | string | | success or failed action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get yara matches' -TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range +## action: 'get related domains' +TCA - 0405 - API provides a list of domains that have the same top parent domain as the requested domain -Type: **generic** +Type: **investigate** Read only: **False** -TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range. +TCA - 0405 - API provides a list of domains that have the same top parent domain as the requested domain. If the requested domain is a top parent domain, the API will return all subdomains. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**time_format** | required | 'utc' or 'timestamp' | string | -**time_value** | required | 'YYYY-MM-DDThh:mm:ss' or Unix timestamp string | string | +**domain** | required | The domain for which to retrieve the downloaded files | string | `domain` +**page** | optional | String representing a page of results | string | +**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success or failed -action_result.parameter.time_format | string | | -action_result.parameter.time_value | string | | -action_result.data | string | | -action_result.summary | string | | +action_result.data.*.requested_domain | string | `domain` | +action_result.data.*.related_domains.*.domain | string | `domain` | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get yara retro matches' -TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range +## action: 'get resolutions from domain' +TCA - 0405 - API provides a list of domain-to-IP mappings for the requested domain -Type: **generic** +Type: **investigate** Read only: **False** -TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range. +TCA - 0405 - API provides a list of domain-to-IP mappings for the requested domain. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**time_format** | required | 'utc' or 'timestamp' | string | -**time_value** | required | 'YYYY-MM-DDThh:mm:ss' or Unix timestamp string | string | +**domain** | required | The domain for which to retrieve the domain to IP mappings | string | `domain` +**page** | optional | String representing a page of results | string | +**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success or failed -action_result.data.*.rl.feed.name | string | | -action_result.data.*.rl.feed.time_range.from | string | | -action_result.data.*.rl.feed.time_range.to | string | | -action_result.data.*.rl.feed.last_timestamp | string | | -action_result.data | string | | -action_result.summary | string | | +action_result.data.*.requested_domain | string | `domain` | +action_result.data.*.resolutions.*.record_type | string | | +action_result.data.*.resolutions.*.answer | string | | +action_result.data.*.resolutions.*.last_resolution_time | string | | +action_result.data.*.resolutions.*.provider | string | | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'imphash similarity' -TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash) +## action: 'get resolutions from ip' +TCA - 0406 - API provides a list of IP-to-domain mappings for the requested IP address Type: **investigate** -Read only: **True** +Read only: **False** -TCA-0302 - Imphash Index provides a list of all available SHA1 hashes for files sharing the same import hash (imphash). 
An imphash is a hash calculated from a string which contains the libraries imported by a Windows Portable Executable (PE) file. +TCA - 0406 - API provides a list of IP-to-domain mappings for the requested IP address #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**imphash** | required | Imphash | string | `hash` -**limit** | optional | Maximum number of results | numeric | +**ip_address** | required | The IP address for which to retrieve resolutions | string | `ip` +**page** | optional | String representing a page of results | string | +**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success or failed -action_result.parameter.imphash | string | | -action_result.parameter.limit | numeric | | -action_result.data | string | | -action_result.summary | string | | +action_result.data.*.requested_ip | string | `ip` | +action_result.data.*.resolutions.*.host_name | string | `domain` | +action_result.data.*.resolutions.*.last_resolution_time | string | | +action_result.data.*.resolutions.*.provider | string | | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'list active file reputation user overrides' -TCA-0102 - List Active File Reputation User Overrides +## action: 'get url analysis feed from date' +TCA - 0403 - Get url analysis feed from date Type: **generic** Read only: **False** -TCA-0102 - The File Reputation User Override service enables sample classification overrides. Any sample can be overridden to malicious, suspicious, or known. 
+Accepts time format and a start time and returns URL analyses reports from that defined time onward aggregated as a list. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**hash_type** | required | Required parameter that defines the type of hash | string | `sha1` `sha256` `md5` -**start_hash** | optional | When this parameter is present, the API will return up to 1000 hashes with a classification override starting from the start_hash value | string | `sha1` `sha256` `md5` +**time_format** | required | Possible values: 'utc' or 'timestamp' | string | +**start_time** | required | Time from which to retrieve results onwards | string | +**results_per_page** | optional | Number of results to be returned in one page, maximum value is 1000 | numeric | +**max_results** | optional | Maximum results to be returned in the list | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.data.*.user_override.hash_values | string | `sha1` `sha256` `md5` | -action_result.status | string | | success or failed +action_result.parameter.time_format | string | | +action_result.parameter.start_time | string | | +action_result.parameter.results_per_page | numeric | | +action_result.parameter.max_results | numeric | | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'network reputation user override' -TCA-0408 - Override user network location reputation +## action: 'get urls from domain' +TCA - 0405 - API provides a list of URLs associated with the requested domain. +## action: 'get urls from domain' +TCA - 0405 - API provides a list of URLs associated with the requested domain. 
-Type: **generic** +Type: **investigate** Read only: **False** -The Network Reputation User OVerride service enables URL classification overrides +TCA - 0405 - API provides a list of URLs associated with the requested domain. +TCA - 0405 - API provides a list of URLs associated with the requested domain. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**override_list** | required | List of network locations which classification needs to be overriden | string | -**remove_overrides_list** | optional | List of network locations which classification override needs to be removed | string | +**domain** | required | The domain for which to retrieve the resolved IP addresses | string | `domain` +**page** | optional | String representing a page of results | string | +**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success or failed -action_result.parameter.override_list | string | | { "network_location": "http://example.com", "type": "url", "classification": "malicious", "categories": ["phishing"] } -action_result.parameter.remove_overrides_list | string | | { "network_location": "http://example.com", "type": "url" } -action_result.message | string | | +action_result.data.*.requested_domain | string | `domain` | +action_result.data.*.urls.*.url | string | `url` | +action_result.status | string | | +action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'reanalyze file' -TCA-0205 - Reanalyze sample +## action: 'get urls from ip' +TCA - 0406 - API provides a list of URLs associated with the requested IP address. Type: **investigate** Read only: **False** -TCA-0205 - This query sends a sample with the requested hash for rescanning. 
+TCA - 0406 - API provides a list of URLs associated with the requested IP address. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**hash** | required | File hash | string | +**ip_address** | required | The IP for which to retrieve the domain resolutions | string | `ip` +**page** | optional | String representing a page of results | string | +**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success or failed -action_result.parameter.hash | string | | -action_result.data | string | | -action_result.summary | string | | +action_result.data.*.requested_ip | string | `ip` | +action_result.data.*.urls.*.url | string | `url` | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'submit for dynamic analysis' -TCA-0207 - Submit an existing sample for dynamic analysis +## action: 'get yara matches' +TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range -Type: **investigate** +Type: **generic** Read only: **False** -TCA-0207 - This service allows users to detonate a file in the ReversingLabs TitaniumCloud sandbox. To submit a file for analysis, it must exist in TitaniumCloud. +TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**sha1** | required | Selected sample's SHA-1 hash | string | `sha1` `vault id` -**platform** | required | Selected platform on which the analysis will be performed. 
See TCA-0207 API documentation for available options | string | +**time_format** | required | 'utc' or 'timestamp' | string | +**time_value** | required | 'YYYY-MM-DDThh:mm:ss' or Unix timestamp string | string | +**domain** | required | The domain for which to retrieve the resolved IP addresses | string | `domain` +**page** | optional | String representing a page of results | string | +**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success or failed -action_result.parameter.platform | string | | -action_result.parameter.sha1 | string | | -action_result.data | string | | -action_result.summary | string | | +action_result.data.*.requested_domain | string | `domain` | +action_result.data.*.urls.*.url | string | `url` | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'submit url for dynamic analysis' -TCA-0207 - Submit an existing URL sample for dynamic analysis +## action: 'get urls from ip' +TCA - 0406 - API provides a list of URLs associated with the requested IP address. Type: **investigate** Read only: **False** -TCA-0207 - This service allows users to detonate an URL in the ReversingLabs TitaniumCloud sandbox. To submit an url for analysis, it must exist in TitaniumCloud. +TCA - 0406 - API provides a list of URLs associated with the requested IP address. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**sha1** | required | Selected sample's url string | string | `url` `domain` -**platform** | required | Selected platform on which the analysis will be performed. 
See TCA-0207 API documentation for available options | string | +**ip_address** | required | The IP for which to retrieve the domain resolutions | string | `ip` +**page** | optional | String representing a page of results | string | +**limit** | optional | The number of files to return in the response. Default is 1000 | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.data.*.rl.url | string | url | -action_result.data.*.rl.sha1 | string | sha1 | -action_result.data.*.rl.status | string | | -action_result.data.*.rl.url_base64 | string | | -action_result.data.*.rl.analysis_id | string | | +action_result.data.*.requested_ip | string | `ip` | +action_result.data.*.urls.*.url | string | `url` | +action_result.status | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | -## action: 'upload file' -TCA-0202 - Upload file to TitaniumCloud +## action: 'get yara matches' +TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range Type: **generic** Read only: **False** -TCA-0202 - Upload file to TitaniumCloud. +TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**vault_id** | required | Vault ID of file to upload | string | `vault id` -**file_name** | optional | Filename to use | string | `file name` +**time_format** | required | 'utc' or 'timestamp' | string | +**time_value** | required | 'YYYY-MM-DDThh:mm:ss' or Unix timestamp string | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed -action_result.parameter.file_name | string | `file name` | -action_result.parameter.vault_id | string | `pe file` `pdf` `flash` `apk` `jar` `doc` `xls` `ppt` | +action_result.parameter.time_format | string | | +action_result.parameter.time_value | string | | +action_result.parameter.time_format | string | | +action_result.parameter.time_value | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'uri index' -TCA-0401 - Retrieve a list of all available file hashes associated with a given URI +## action: 'get yara retro matches' +TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range +## action: 'get yara retro matches' +TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range Type: **generic** Read only: **False** -TCA-0401 - Provides a list of all available file hashes associated with a given URI (domain, IP address, email or URL) regardless of file classification. +TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range. +TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**uri** | required | Desired URI string | string | `url` `domain` -**limit** | optional | Maximum number of results | numeric | +**time_format** | required | 'utc' or 'timestamp' | string | +**time_value** | required | 'YYYY-MM-DDThh:mm:ss' or Unix timestamp string | string | +**time_format** | required | 'utc' or 'timestamp' | string | +**time_value** | required | 'YYYY-MM-DDThh:mm:ss' or Unix timestamp string | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed -action_result.parameter.limit | numeric | | -action_result.parameter.uri | string | | +action_result.data.*.rl.feed.name | string | | +action_result.data.*.rl.feed.time_range.from | string | | +action_result.data.*.rl.feed.time_range.to | string | | +action_result.data.*.rl.feed.last_timestamp | string | | +action_result.data.*.rl.feed.name | string | | +action_result.data.*.rl.feed.time_range.from | string | | +action_result.data.*.rl.feed.time_range.to | string | | +action_result.data.*.rl.feed.last_timestamp | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'uri statistics' -TCA-0402 - Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI +## action: 'imphash similarity' +TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash) +## action: 'imphash similarity' +TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash) -Type: **generic** -Read only: **False** +Type: **investigate** +Read only: **True** +Type: **investigate** +Read 
only: **True** -TCA-0402 - Provides the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI (domain, IP address, email or URL). +TCA-0302 - Imphash Index provides a list of all available SHA1 hashes for files sharing the same import hash (imphash). An imphash is a hash calculated from a string which contains the libraries imported by a Windows Portable Executable (PE) file. +TCA-0302 - Imphash Index provides a list of all available SHA1 hashes for files sharing the same import hash (imphash). An imphash is a hash calculated from a string which contains the libraries imported by a Windows Portable Executable (PE) file. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**uri** | required | Uri | string | `sha1` +**imphash** | required | Imphash | string | `hash` +**imphash** | required | Imphash | string | `hash` +**limit** | optional | Maximum number of results | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed -action_result.parameter.uri | string | | +action_result.parameter.imphash | string | | +action_result.parameter.imphash | string | | +action_result.parameter.limit | numeric | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'url reputation' -TCA-0403 - Queries URL Threat Intelligence +## action: 'list active file reputation user overrides' +TCA-0102 - List Active File Reputation User Overrides -Type: **investigate** -Read only: **True** +Type: **generic** +Read only: **False** -TCA-0403 - Queries URL Threat Intelligence. +TCA-0102 - The File Reputation User Override service enables sample classification overrides. 
Any sample can be overridden to malicious, suspicious, or known. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**url** | required | URL to query | string | `url` +**hash_type** | required | Required parameter that defines the type of hash | string | `sha1` `sha256` `md5` +**start_hash** | optional | When this parameter is present, the API will return up to 1000 hashes with a classification override starting from the start_hash value | string | `sha1` `sha256` `md5` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- +action_result.data.*.user_override.hash_values | string | `sha1` `sha256` `md5` | action_result.status | string | | success or failed -action_result.parameter.url | string | `url` | -action_result.data | string | | -action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'yara create ruleset' -TCA-0304 - Create a new YARA ruleset +## action: 'network reputation user override' +TCA-0408 - Override user network location reputation Type: **generic** Read only: **False** -TCA-0304 - Create a new YARA ruleset. 
+The Network Reputation User OVerride service enables URL classification overrides #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | -**ruleset_text** | required | Stringified YARA ruleset / a Unicode string | string | +**override_list** | required | List of network locations which classification needs to be overriden | string | +**remove_overrides_list** | optional | List of network locations which classification override needs to be removed | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed -action_result.parameter.ruleset_name | string | | -action_result.parameter.ruleset_text | string | | -action_result.data | string | | -action_result.summary | string | | -action_result.message | string | | +action_result.parameter.override_list | string | | { "network_location": "http://example.com", "type": "url", "classification": "malicious", "categories": ["phishing"] } +action_result.parameter.remove_overrides_list | string | | { "network_location": "http://example.com", "type": "url" } +action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'yara delete ruleset' -TCA-0303 - Delete YARA ruleset +## action: 'reanalyze file' +TCA-0205 - Reanalyze sample -Type: **generic** +Type: **investigate** Read only: **False** -TCA-0303 - Delete YARA ruleset. +TCA-0205 - This query sends a sample with the requested hash for rescanning. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**hash** | required | File hash | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed -action_result.parameter.ruleset_name | string | | +action_result.parameter.hash | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'yara get ruleset info' -TCA-0303 - Get YARA ruleset info +## action: 'list active file reputation user overrides' +TCA-0102 - List Active File Reputation User Overrides Type: **generic** Read only: **False** -TCA-0303 - Get information for a specific YARA ruleset or all YARA rulesets in the collection. +TCA-0102 - The File Reputation User Override service enables sample classification overrides. Any sample can be overridden to malicious, suspicious, or known. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | optional | YARA ruleset name | string | +**hash_type** | required | Required parameter that defines the type of hash | string | `sha1` `sha256` `md5` +**start_hash** | optional | When this parameter is present, the API will return up to 1000 hashes with a classification override starting from the start_hash value | string | `sha1` `sha256` `md5` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- +action_result.data.*.user_override.hash_values | string | `sha1` `sha256` `md5` | action_result.status | string | | success or failed -action_result.data.*.ruleset_name | string | | -action_result.data.*.valid | string | | -action_result.data.*.approved | string | | -action_result.data | string | | -action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'yara get ruleset text' -TCA-0303 - Get YARA ruleset text +## action: 'network reputation user override' +TCA-0408 - Override user network location reputation Type: **generic** Read only: **False** -TCA-0303 - Get the text of a YARA ruleset. 
+The Network Reputation User OVerride service enables URL classification overrides #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**override_list** | required | List of network locations which classification needs to be overriden | string | +**remove_overrides_list** | optional | List of network locations which classification override needs to be removed | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed -action_result.parameter.ruleset_name | string | | -action_result.data.*.text | string | | -action_result.data | string | | -action_result.summary | string | | -action_result.message | string | | +action_result.parameter.override_list | string | | { "network_location": "http://example.com", "type": "url", "classification": "malicious", "categories": ["phishing"] } +action_result.parameter.remove_overrides_list | string | | { "network_location": "http://example.com", "type": "url" } +action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'yara retro cancel hunt' -TCA-0319 - Cancel the retro hunt for the specified ruleset +## action: 'reanalyze file' +TCA-0205 - Reanalyze sample -Type: **generic** +Type: **investigate** Read only: **False** -TCA-0319 - Cancel the retro hunt for the specified ruleset. +TCA-0205 - This query sends a sample with the requested hash for rescanning. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**hash** | required | File hash | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed -action_result.parameter.ruleset_name | string | | -action_result.data.*.ruleset_sha1 | string | | +action_result.parameter.hash | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | -summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'yara retro check status' -TCA-0319 - Check the retro hunt status for the specified ruleset +## action: 'submit for dynamic analysis' +TCA-0207 - Submit an existing sample for dynamic analysis -Type: **generic** +Type: **investigate** Read only: **False** -TCA-0319 - Check the retro hunt status for the specified ruleset. +TCA-0207 - This service allows users to detonate a file in the ReversingLabs TitaniumCloud sandbox. To submit a file for analysis, it must exist in TitaniumCloud. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**sha1** | required | Selected sample's SHA-1 hash | string | `sha1` `vault id` +**platform** | required | Selected platform on which the analysis will be performed. 
See TCA-0207 API documentation for available options | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success or failed -action_result.parameter.ruleset_name | string | | -action_result.data.*.retro_status | string | | -action_result.data.*.start_time | string | | -action_result.data.*.finish_time | string | | -action_result.data.*.reason | string | | -action_result.data.*.progress | string | | -action_result.data.*.estimated_finish_time | string | | +action_result.parameter.platform | string | | +action_result.parameter.sha1 | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | -## action: 'yara retro enable hunt' -TCA-0319 - Enable YARA retro hunt +## action: 'submit url for dynamic analysis' +TCA-0207 - Submit an existing URL sample for dynamic analysis + +Type: **investigate** +Read only: **False** + +TCA-0207 - This service allows users to detonate an URL in the ReversingLabs TitaniumCloud sandbox. To submit an url for analysis, it must exist in TitaniumCloud. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**sha1** | required | Selected sample's url string | string | `url` `domain` +**platform** | required | Selected platform on which the analysis will be performed. 
See TCA-0207 API documentation for available options | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.data.*.rl.url | string | url | +action_result.data.*.rl.sha1 | string | sha1 | +action_result.data.*.rl.status | string | | +action_result.data.*.rl.url_base64 | string | | +action_result.data.*.rl.analysis_id | string | | +action_result.data.*.rl.analysis_id | string | | + +## action: 'upload file' +TCA-0202 - Upload file to TitaniumCloud +## action: 'upload file' +TCA-0202 - Upload file to TitaniumCloud + +Type: **generic** +Read only: **False** + +TCA-0202 - Upload file to TitaniumCloud. +TCA-0202 - Upload file to TitaniumCloud. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**vault_id** | required | Vault ID of file to upload | string | `vault id` +**file_name** | optional | Filename to use | string | `file name` +**vault_id** | required | Vault ID of file to upload | string | `vault id` +**file_name** | optional | Filename to use | string | `file name` + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success or failed +action_result.parameter.file_name | string | `file name` | +action_result.parameter.vault_id | string | `pe file` `pdf` `flash` `apk` `jar` `doc` `xls` `ppt` | +action_result.parameter.file_name | string | `file name` | +action_result.parameter.vault_id | string | `pe file` `pdf` `flash` `apk` `jar` `doc` `xls` `ppt` | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'uri index' +TCA-0401 - Retrieve a list of all available file hashes associated with a given URI +## 
action: 'uri index' +TCA-0401 - Retrieve a list of all available file hashes associated with a given URI + +Type: **generic** +Read only: **False** +Type: **generic** +Read only: **False** + +TCA-0401 - Provides a list of all available file hashes associated with a given URI (domain, IP address, email or URL) regardless of file classification. +TCA-0401 - Provides a list of all available file hashes associated with a given URI (domain, IP address, email or URL) regardless of file classification. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**uri** | required | Desired URI string | string | `url` `domain` +**limit** | optional | Maximum number of results | numeric | +**uri** | required | Desired URI string | string | `url` `domain` +**limit** | optional | Maximum number of results | numeric | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success or failed +action_result.parameter.limit | numeric | | +action_result.parameter.uri | string | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'uri statistics' +TCA-0402 - Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI + +Type: **generic** +Read only: **False** + +TCA-0402 - Provides the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI (domain, IP address, email or URL). 
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**uri** | required | Uri | string | `sha1`
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.uri | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'url reputation'
+TCA-0403 - Queries URL Threat Intelligence
+action_result.status | string | | success or failed
+action_result.parameter.limit | numeric | |
+action_result.parameter.uri | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'uri statistics'
+TCA-0402 - Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI
+
+Type: **generic**
+Read only: **False**
+
+TCA-0402 - Provides the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI (domain, IP address, email or URL).
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**uri** | required | Uri | string | `sha1`
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.uri | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'url reputation'
+TCA-0403 - Queries URL Threat Intelligence
+
+Type: **investigate**
+Read only: **True**
+
+TCA-0403 - Queries URL Threat Intelligence.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**url** | required | URL to query | string | `url`
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.url | string | `url` |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'yara create ruleset'
+TCA-0304 - Create a new YARA ruleset
+
+Type: **generic**
+Read only: **True**
+
+TCA-0403 - Queries URL Threat Intelligence.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**url** | required | URL to query | string | `url`
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.url | string | `url` |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'yara create ruleset'
+TCA-0304 - Create a new YARA ruleset
+
+Type: **generic**
+Read only: **False**
+
+TCA-0304 - Create a new YARA ruleset.
+TCA-0304 - Create a new YARA ruleset.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ruleset_name** | required | YARA ruleset name | string |
+**ruleset_text** | required | Stringified YARA ruleset / a Unicode string | string |
+**ruleset_name** | required | YARA ruleset name | string |
+**ruleset_text** | required | Stringified YARA ruleset / a Unicode string | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.ruleset_name | string | |
+action_result.parameter.ruleset_text | string | |
+action_result.parameter.ruleset_name | string | |
+action_result.parameter.ruleset_text | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'yara delete ruleset'
+TCA-0303 - Delete YARA ruleset
+## action: 'yara delete ruleset'
+TCA-0303 - Delete YARA ruleset
+
+Type: **generic**
+Read only: **False**
+
+TCA-0303 - Delete YARA ruleset.
+TCA-0303 - Delete YARA ruleset.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ruleset_name** | required | YARA ruleset name | string |
+**ruleset_name** | required | YARA ruleset name | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.ruleset_name | string | |
+action_result.parameter.ruleset_name | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'yara get ruleset info'
+TCA-0303 - Get YARA ruleset info
+## action: 'yara get ruleset info'
+TCA-0303 - Get YARA ruleset info
+
+Type: **generic**
+Read only: **False**
+Type: **generic**
+Read only: **False**
+
+TCA-0303 - Get information for a specific YARA ruleset or all YARA rulesets in the collection.
+TCA-0303 - Get information for a specific YARA ruleset or all YARA rulesets in the collection.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ruleset_name** | optional | YARA ruleset name | string |
+**ruleset_name** | optional | YARA ruleset name | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.data.*.ruleset_name | string | |
+action_result.data.*.valid | string | |
+action_result.data.*.approved | string | |
+action_result.data.*.ruleset_name | string | |
+action_result.data.*.valid | string | |
+action_result.data.*.approved | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'yara get ruleset text'
+TCA-0303 - Get YARA ruleset text
+## action: 'yara get ruleset text'
+TCA-0303 - Get YARA ruleset text
+
+Type: **generic**
+Type: **generic**
+Read only: **False**
+
+TCA-0303 - Get the text of a YARA ruleset.
+TCA-0303 - Get the text of a YARA ruleset.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ruleset_name** | required | YARA ruleset name | string |
+**ruleset_name** | required | YARA ruleset name | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.ruleset_name | string | |
+action_result.data.*.text | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.parameter.ruleset_name | string | |
+action_result.data.*.text | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'yara retro cancel hunt'
+TCA-0319 - Cancel the retro hunt for the specified ruleset
+## action: 'yara retro cancel hunt'
+TCA-0319 - Cancel the retro hunt for the specified ruleset
+
+Type: **generic**
+Read only: **False**
+
+TCA-0319 - Cancel the retro hunt for the specified ruleset.
+TCA-0319 - Cancel the retro hunt for the specified ruleset.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ruleset_name** | required | YARA ruleset name | string |
+**ruleset_name** | required | YARA ruleset name | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.ruleset_name | string | |
+action_result.data.*.ruleset_sha1 | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+action_result.parameter.ruleset_name | string | |
+action_result.data.*.ruleset_sha1 | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'yara retro check status'
+TCA-0319 - Check the retro hunt status for the specified ruleset
+## action: 'yara retro check status'
+TCA-0319 - Check the retro hunt status for the specified ruleset
+
+Type: **generic**
+Read only: **False**
+
+TCA-0319 - Check the retro hunt status for the specified ruleset.
+TCA-0319 - Check the retro hunt status for the specified ruleset.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ruleset_name** | required | YARA ruleset name | string |
+**ruleset_name** | required | YARA ruleset name | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.ruleset_name | string | |
+action_result.data.*.retro_status | string | |
+action_result.data.*.start_time | string | |
+action_result.data.*.finish_time | string | |
+action_result.data.*.reason | string | |
+action_result.data.*.progress | string | |
+action_result.data.*.estimated_finish_time | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+action_result.status | string | | success or failed
+action_result.parameter.ruleset_name | string | |
+action_result.data.*.retro_status | string | |
+action_result.data.*.start_time | string | |
+action_result.data.*.finish_time | string | |
+action_result.data.*.reason | string | |
+action_result.data.*.progress | string | |
+action_result.data.*.estimated_finish_time | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'yara retro enable hunt'
+TCA-0319 - Enable YARA retro hunt
+## action: 'yara retro enable hunt'
+TCA-0319 - Enable YARA retro hunt
+
+Type: **generic**
+Read only: **False**
+
+TCA-0319 - Enable the retro hunt for the specified ruleset that has been submitted to TitaniumCloud prior to deployment of YARA retro.
+TCA-0319 - Enable the retro hunt for the specified ruleset that has been submitted to TitaniumCloud prior to deployment of YARA retro.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ruleset_name** | required | YARA ruleset name | string |
+**ruleset_name** | required | YARA ruleset name | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.ruleset_name | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'yara retro start hunt'
+TCA-0319 - Start YARA retro hunt for the specified ruleset
+
+Type: **generic**
+Read only: **False**
+
+TCA-0319 - Start YARA retro hunt for the specified ruleset.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ruleset_name** | required | YARA ruleset name | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.ruleset_name | string | |
+action_result.data.*.ruleset_sha1 | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+action_result.parameter.ruleset_name | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'yara retro start hunt'
+TCA-0319 - Start YARA retro hunt for the specified ruleset
+
+Type: **generic**
+Read only: **False**
+
+TCA-0319 - Start YARA retro hunt for the specified ruleset.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ruleset_name** | required | YARA ruleset name | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success or failed
+action_result.parameter.ruleset_name | string | |
+action_result.data.*.ruleset_sha1 | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+summary.total_objects_successful | numeric | |
+
+
+### Configuration Variables
+The below configuration variables are required for this Connector to operate. These variables are specified when configuring a TitaniumCloud asset in SOAR.
+
+VARIABLE | REQUIRED | TYPE | DESCRIPTION
+-------- | -------- | ---- | -----------
+**url** | required | string | TitaniumCloud URL
+**username** | required | string | TitaniumCloud username
+**password** | required | password | TitaniumCloud password
+
+### Supported Actions
+[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration
+[yara create ruleset](#action-yara-create-ruleset) - TCA-0303 - Create a new YARA ruleset
+[yara delete ruleset](#action-yara-delete-ruleset) - TCA-0303 - Delete YARA ruleset
+[yara get ruleset info](#action-yara-get-ruleset-info) - TCA-0303 - Get YARA ruleset info
+[yara get ruleset text](#action-yara-get-ruleset-text) - TCA-0303 - Get YARA ruleset text
+[get yara matches](#action-get-yara-matches) - TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range
+[yara retro enable hunt](#action-yara-retro-enable-hunt) - TCA-0319 - Enable YARA retro hunt
+[yara retro start hunt](#action-yara-retro-start-hunt) - TCA-0319 - Start YARA retro hunt for the specified ruleset
+[yara 
retro check status](#action-yara-retro-check-status) - TCA-0319 - Check the retro hunt status for the specified ruleset +[yara retro cancel hunt](#action-yara-retro-cancel-hunt) - TCA-0319 - Cancel the retro hunt for the specified ruleset +[get yara retro matches](#action-get-yara-retro-matches) - TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range +[imphash similarity](#action-imphash-similarity) - TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash) +[advanced search](#action-advanced-search) - TCA-0320 - Search for hashes using multi-part search criteria +[av scanners](#action-av-scanners) - TCA-0103 - Retrieve AV Scanner data from TitaniumCloud +[file reputation](#action-file-reputation) - TCA-0101 - Queries for file reputation info +[file analysis](#action-file-analysis) - TCA-0104 - Retrieve File Analysis by hash data from TitaniumCloud +[functional similarity](#action-functional-similarity) - TCA-0301 - Retrieve a list of functionally similar hashes to the provided one +[url reputation](#action-url-reputation) - TCA-0403 - Queries URL Threat Intelligence +[get downloaded files](#action-get-downloaded-files) - TCA - 0403 - Get files downloaded from url +[get latest url analysis feed](#action-get-latest-url-analysis-feed) - TCA - 0403 - Get latest url analysis feed +[get url analysis feed from date](#action-get-url-analysis-feed-from-date) - TCA - 0403 - Get url analysis feed from date +[analyze url](#action-analyze-url) - TCA-0404 - Analyze a given URL +[uri statistics](#action-uri-statistics) - TCA-0402 - Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI +[uri index](#action-uri-index) - TCA-0401 - Retrieve a list of all available file hashes associated with a given URI +[submit for dynamic analysis](#action-submit-for-dynamic-analysis) - TCA-0207 - Submit an existing sample for dynamic analysis +[submit url for dynamic 
analysis](#action-submit-url-for-dynamic-analysis) - TCA-0207 - Submit an url sample for dynamic analysis +[dynamic analysis results](#action-dynamic-analysis-results) - TCA-0106 - Retrieve dynamic analysis results +[dynamic url analysis results](#action-dynamic-url-analysis-results) - TCA-0106 - Retrieve dynamic analysis results for url +[reanalyze file](#action-reanalyze-file) - TCA-0205 - Reanalyze sample +[upload file](#action-upload-file) - TCA-0202 - Upload file to TitaniumCloud +[get file](#action-get-file) - TCA-0201 - Download a sample from TitaniumCloud +[get network reputation](#action-get-network-reputation) - Network Reputation API +[get list user overrides](#action-get-list-user-overrides) - List User Overrides +[get list user overrides aggregated](#action-get-list-user-overrides-aggregated) - Returns a list of overrides that the user has made +[network reputation user override](#action-network-reputation-user-override) - Network Reputation User Override +[file reputation user override](#action-file-reputation-user-override) - File Reputation User Override +[list active file reputation user overrides](#action-list-active-file-reputation-user-overrides) - List Active File Reputation User Overrides +[customer daily usage](#action-customer-daily-usage) - Check daily usage of ReversingLabs API +[customer dayrange usage](#action-customer-dayrange-usage) - Check ReversingLabs API usage for specified time range (in days) +[customer monthly usage](#action-customer-monthly-usage) - Check Monthly usage of ReversingLabs API +[customer month range usage](#action-customer-month-range-usage) - Check ReversingLabs API usage for specified time range (in months) +[customer yara api usage](#action-customer-yara-api-usage) - Check Yara usage on ReversingLabs API +[customer quota limits](#action-customer-quota-limits) - Returns current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company +[get domain 
report](#action-get-domain-report) - API returns threat intelligence data for the submitted domain +[get domain downloaded files](#action-get-domain-downloaded-files) - Retrieve a list of files downloaded from the submitted domain +[get urls from domain](#action-get-urls-from-domain) - API provides a list of URLs associated with the requested domain +[get resolutions from domain](#action-get-resolutions-from-domain) - API provides a list of domain-to-IP mappings for the requested domain +[get related domains](#action-get-related-domains) - API provides a list of domains that have the same top parent domain as the requested domain +[get ip report](#action-get-ip-report) - API returns threat intelligence data for the submitted ip address +[get ip downloaded files](#action-get-ip-downloaded-files) - Retrieve a list of files downloaded from the submitted IP address +[get urls from ip](#action-get-urls-from-ip) - API provides a list of URLs associated with the requested IP address +[get resolutions from ip](#action-get-resolutions-from-ip) - API provides a list of IP-to-domain mappings for the requested IP address +[file reputation user override](#action-file-reputation-user-override) - File Reputation User Override +[list active file reputation user overrides](#action-list-active-file-reputation-user-overrides) - List Active File Reputation User Overrides +[customer daily usage](#action-customer-daily-usage) - Check daily usage of ReversingLabs API +[customer dayrange usage](#action-customer-dayrange-usage) - Check ReversingLabs API usage for specified time range (in days) +[customer monthly usage](#action-customer-monthly-usage) - Check Monthly usage of ReversingLabs API +[customer month range usage](#action-customer-month-range-usage) - Check ReversingLabs API usage for specified time range (in months) +[customer yara api usage](#action-customer-yara-api-usage) - Check Yara usage on ReversingLabs API +[customer quota limits](#action-customer-quota-limits) - Returns 
current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company +[get domain report](#action-get-domain-report) - API returns threat intelligence data for the submitted domain +[get domain downloaded files](#action-get-domain-downloaded-files) - Retrieve a list of files downloaded from the submitted domain +[get urls from domain](#action-get-urls-from-domain) - API provides a list of URLs associated with the requested domain +[get resolutions from domain](#action-get-resolutions-from-domain) - API provides a list of domain-to-IP mappings for the requested domain +[get related domains](#action-get-related-domains) - API provides a list of domains that have the same top parent domain as the requested domain +[get ip report](#action-get-ip-report) - API returns threat intelligence data for the submitted ip address +[get ip downloaded files](#action-get-ip-downloaded-files) - Retrieve a list of files downloaded from the submitted IP address +[get urls from ip](#action-get-urls-from-ip) - API provides a list of URLs associated with the requested IP address +[get resolutions from ip](#action-get-resolutions-from-ip) - API provides a list of IP-to-domain mappings for the requested IP address + +## action: 'test connectivity' +Validate the asset configuration for connectivity using supplied configuration + +Type: **test** +Read only: **True** + +Validate the asset configuration for connectivity using supplied configuration. + +#### Action Parameters +No parameters are required for this action + +#### Action Output +No Output + +## action: 'yara create ruleset' +TCA-0303 - Create a new YARA ruleset + +Type: **generic** +Read only: **False** + +TCA-0303 - Create a new YARA ruleset. 
+ +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**ruleset_name** | required | YARA ruleset name | string | +**ruleset_text** | required | Stringified YARA ruleset / a Unicode string | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.ruleset_name | string | | +action_result.parameter.ruleset_text | string | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'yara delete ruleset' +TCA-0303 - Delete YARA ruleset + +Type: **generic** +Read only: **False** + +TCA-0303 - Delete YARA ruleset. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**ruleset_name** | required | YARA ruleset name | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.ruleset_name | string | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'yara get ruleset info' +TCA-0303 - Get YARA ruleset info + +Type: **generic** +Read only: **False** + +TCA-0303 - Get information for a specific YARA ruleset or all YARA rulesets in the collection. 
+ +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**ruleset_name** | optional | YARA ruleset name | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.data.\*.ruleset_name | string | | +action_result.data.\*.valid | string | | +action_result.data.\*.approved | string | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'yara get ruleset text' +TCA-0303 - Get YARA ruleset text + +Type: **generic** +Read only: **False** + +TCA-0303 - Get the text of a YARA ruleset. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**ruleset_name** | required | YARA ruleset name | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ruleset_name | string | | +action_result.data.\*.text | string | | +action_result.status | string | | success failed +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'get yara matches' +TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range + +Type: **investigate** +Type: **investigate** +Read only: **False** + +TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range. 
+ +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**time_format** | required | 'utc' or 'timestamp' | string | +**time_value** | required | 'YYYY-MM-DDThh:mm:ss' or Unix timestamp string | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.time_format | string | | +action_result.parameter.time_value | string | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'yara retro enable hunt' +TCA-0319 - Enable YARA retro hunt + +Type: **investigate** +Type: **investigate** +Read only: **False** + +TCA-0319 - Enable the retro hunt for the specified ruleset that has been submitted to TitaniumCloud prior to deployment of YARA retro. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**ruleset_name** | required | YARA ruleset name | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.ruleset_name | string | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'yara retro start hunt' +TCA-0319 - Start YARA retro hunt for the specified ruleset + +Type: **investigate** +Type: **investigate** +Read only: **False** + +TCA-0319 - Start YARA retro hunt for the specified ruleset. 
+ +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**ruleset_name** | required | YARA ruleset name | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.ruleset_name | string | | +action_result.data.\*.ruleset_sha1 | string | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'yara retro check status' +TCA-0319 - Check the retro hunt status for the specified ruleset + +Type: **generic** +Read only: **False** + +TCA-0319 - Check the retro hunt status for the specified ruleset. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**ruleset_name** | required | YARA ruleset name | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.ruleset_name | string | | +action_result.data.\*.retro_status | string | | +action_result.data.\*.start_time | string | | +action_result.data.\*.finish_time | string | | +action_result.data.\*.reason | string | | +action_result.data.\*.progress | string | | +action_result.data.\*.estimated_finish_time | string | | +action_result.status | string | | success failed +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'yara retro cancel hunt' +TCA-0319 - Cancel the retro hunt for the specified ruleset Type: **generic** Read only: **False** -TCA-0319 - Enable the retro hunt for the specified ruleset that has been submitted to TitaniumCloud prior 
to deployment of YARA retro.
+TCA-0319 - Cancel the retro hunt for the specified ruleset.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ruleset_name** | required | YARA ruleset name | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success failed
+action_result.parameter.ruleset_name | string | |
+action_result.data.\*.ruleset_sha1 | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'get yara retro matches'
+TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range
+
+Type: **investigate**
+Type: **investigate**
+Read only: **False**
+
+TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**time_format** | required | 'utc' or 'timestamp' | string |
+**time_value** | required | 'YYYY-MM-DDThh:mm:ss' or Unix timestamp string | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success failed
+action_result.data.\*.rl.feed.name | string | |
+action_result.data.\*.rl.feed.time_range.from | string | |
+action_result.data.\*.rl.feed.time_range.to | string | |
+action_result.data.\*.rl.feed.last_timestamp | string | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'imphash similarity'
+TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash)
+
+Type: **investigate**
+Read only: **True**
+
+TCA-0302 - Imphash Index provides a list of all available SHA1 hashes for files sharing the same import hash (imphash). An imphash is a hash calculated from a string which contains the libraries imported by a Windows Portable Executable (PE) file.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**imphash** | required | Imphash | string | `hash`
+**limit** | optional | Maximum number of results | numeric |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | success failed
+action_result.parameter.imphash | string | |
+action_result.parameter.limit | numeric | |
+action_result.data | string | |
+action_result.summary | string | |
+action_result.message | string | |
+summary.total_objects | numeric | |
+summary.total_objects_successful | numeric | |
+
+## action: 'advanced search'
+TCA-0320 - Search for hashes using multi-part search criteria
+
+Type: **investigate**
+Type: **investigate**
+Read only: **False**
+
+TCA-0320 - Search for hashes using multi-part search criteria. Supported criteria include more than 60 keywords, 35 antivirus vendors, 137 sample types and subtypes, and 283 tags that enable creating 510 unique search expressions with support for Boolean operators and case-insensitive wildcard matching. A number of search keywords support relational operators '<=' and '>='.
+ +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**query** | required | Advanced Search query | string | +**limit** | optional | Maximum number of results | numeric | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.limit | numeric | | +action_result.parameter.query | string | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'av scanners' +TCA-0103 - Retrieve AV Scanner data from TitaniumCloud + +Type: **investigate** +Read only: **False** + +TCA-0103 - Provides AV vendor cross-reference data for a desired sample from multiple AV scanners. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**hash** | required | File hash | string | `sha1` `sha256` `md5` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success or failed -action_result.parameter.ruleset_name | string | | +action_result.status | string | | success failed +action_result.parameter.hash | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'yara retro start hunt' -TCA-0319 - Start YARA retro hunt for the specified ruleset +## action: 'file reputation' +TCA-0101 - Queries for file reputation info -Type: **generic** -Read only: **False** +Type: **investigate** +Read only: **True** -TCA-0319 - Start YARA retro hunt for the specified ruleset. 
+TCA-0101 - Queries for file reputation info. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**hash** | required | File hash to query | string | `hash` `sha256` `sha1` `md5` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success or failed -action_result.parameter.ruleset_name | string | | -action_result.data.*.ruleset_sha1 | string | | +action_result.status | string | | success failed +action_result.parameter.hash | string | `hash` `sha256` `sha1` `md5` | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | +## action: 'file analysis' +TCA-0104 - Retrieve File Analysis by hash data from TitaniumCloud -### Configuration Variables -The below configuration variables are required for this Connector to operate. These variables are specified when configuring a TitaniumCloud asset in SOAR. +Type: **investigate** +Read only: **False** -VARIABLE | REQUIRED | TYPE | DESCRIPTION --------- | -------- | ---- | ----------- -**url** | required | string | TitaniumCloud URL -**username** | required | string | TitaniumCloud username -**password** | required | password | TitaniumCloud password +TCA-0104 - Provides file analysis data on hashes. Metadata can include relevant portions of static analysis, AV scan information, file sources and any related IP/domain information. 
-### Supported Actions -[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration -[yara create ruleset](#action-yara-create-ruleset) - TCA-0303 - Create a new YARA ruleset -[yara delete ruleset](#action-yara-delete-ruleset) - TCA-0303 - Delete YARA ruleset -[yara get ruleset info](#action-yara-get-ruleset-info) - TCA-0303 - Get YARA ruleset info -[yara get ruleset text](#action-yara-get-ruleset-text) - TCA-0303 - Get YARA ruleset text -[get yara matches](#action-get-yara-matches) - TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range -[yara retro enable hunt](#action-yara-retro-enable-hunt) - TCA-0319 - Enable YARA retro hunt -[yara retro start hunt](#action-yara-retro-start-hunt) - TCA-0319 - Start YARA retro hunt for the specified ruleset -[yara retro check status](#action-yara-retro-check-status) - TCA-0319 - Check the retro hunt status for the specified ruleset -[yara retro cancel hunt](#action-yara-retro-cancel-hunt) - TCA-0319 - Cancel the retro hunt for the specified ruleset -[get yara retro matches](#action-get-yara-retro-matches) - TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range -[imphash similarity](#action-imphash-similarity) - TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash) -[advanced search](#action-advanced-search) - TCA-0320 - Search for hashes using multi-part search criteria -[av scanners](#action-av-scanners) - TCA-0103 - Retrieve AV Scanner data from TitaniumCloud -[file reputation](#action-file-reputation) - TCA-0101 - Queries for file reputation info -[file analysis](#action-file-analysis) - TCA-0104 - Retrieve File Analysis by hash data from TitaniumCloud -[functional similarity](#action-functional-similarity) - TCA-0301 - Retrieve a list of functionally similar hashes to the provided one -[url reputation](#action-url-reputation) - TCA-0403 - Queries URL Threat 
Intelligence -[get downloaded files](#action-get-downloaded-files) - TCA - 0403 - Get files downloaded from url -[get latest url analysis feed](#action-get-latest-url-analysis-feed) - TCA - 0403 - Get latest url analysis feed -[get url analysis feed from date](#action-get-url-analysis-feed-from-date) - TCA - 0403 - Get url analysis feed from date -[analyze url](#action-analyze-url) - TCA-0404 - Analyze a given URL -[uri statistics](#action-uri-statistics) - TCA-0402 - Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI -[uri index](#action-uri-index) - TCA-0401 - Retrieve a list of all available file hashes associated with a given URI -[submit for dynamic analysis](#action-submit-for-dynamic-analysis) - TCA-0207 - Submit an existing sample for dynamic analysis -[submit url for dynamic analysis](#action-submit-url-for-dynamic-analysis) - TCA-0207 - Submit an url sample for dynamic analysis -[dynamic analysis results](#action-dynamic-analysis-results) - TCA-0106 - Retrieve dynamic analysis results -[dynamic url analysis results](#action-dynamic-url-analysis-results) - TCA-0106 - Retrieve dynamic analysis results for url -[reanalyze file](#action-reanalyze-file) - TCA-0205 - Reanalyze sample -[upload file](#action-upload-file) - TCA-0202 - Upload file to TitaniumCloud -[get file](#action-get-file) - TCA-0201 - Download a sample from TitaniumCloud -[get network reputation](#action-get-network-reputation) - Network Reputation API -[get list user overrides](#action-get-list-user-overrides) - List User Overrides -[get list user overrides aggregated](#action-get-list-user-overrides-aggregated) - Returns a list of overrides that the user has made -[network reputation user override](#action-network-reputation-user-override) - Network Reputation User Override -[file reputation user override](#action-file-reputation-user-override) - File Reputation User Override -[list active file reputation user 
overrides](#action-list-active-file-reputation-user-overrides) - List Active File Reputation User Overrides -[customer daily usage](#action-customer-daily-usage) - Check daily usage of ReversingLabs API -[customer dayrange usage](#action-customer-dayrange-usage) - Check ReversingLabs API usage for specified time range (in days) -[customer monthly usage](#action-customer-monthly-usage) - Check Monthly usage of ReversingLabs API -[customer month range usage](#action-customer-month-range-usage) - Check ReversingLabs API usage for specified time range (in months) -[customer yara api usage](#action-customer-yara-api-usage) - Check Yara usage on ReversingLabs API -[customer quota limits](#action-customer-quota-limits) - Returns current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company -[get domain report](#action-get-domain-report) - API returns threat intelligence data for the submitted domain -[get domain downloaded files](#action-get-domain-downloaded-files) - Retrieve a list of files downloaded from the submitted domain -[get urls from domain](#action-get-urls-from-domain) - API provides a list of URLs associated with the requested domain -[get resolutions from domain](#action-get-resolutions-from-domain) - API provides a list of domain-to-IP mappings for the requested domain -[get related domains](#action-get-related-domains) - API provides a list of domains that have the same top parent domain as the requested domain -[get ip report](#action-get-ip-report) - API returns threat intelligence data for the submitted ip address -[get ip downloaded files](#action-get-ip-downloaded-files) - Retrieve a list of files downloaded from the submitted IP address -[get urls from ip](#action-get-urls-from-ip) - API provides a list of URLs associated with the requested IP address -[get resolutions from ip](#action-get-resolutions-from-ip) - API provides a list of IP-to-domain mappings for the requested IP address +#### 
Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**hash** | required | File hash | string | `sha1` `sha256` `md5` `vauld id` -## action: 'test connectivity' -Validate the asset configuration for connectivity using supplied configuration +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.hash | string | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | -Type: **test** -Read only: **True** +## action: 'functional similarity' +TCA-0301 - Retrieve a list of functionally similar hashes to the provided one -Validate the asset configuration for connectivity using supplied configuration. +Type: **investigate** +Read only: **False** + +TCA-0301 - Provides a list of SHA1 hashes of files that are functionally similar to the provided file (SHA1 hash) at the selected precision level. 
#### Action Parameters -No parameters are required for this action +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**hash** | required | File hash | string | `sha1` +**limit** | optional | Maximum number of results | numeric | #### Action Output -No Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.hash | string | | +action_result.parameter.limit | numeric | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | -## action: 'yara create ruleset' -TCA-0303 - Create a new YARA ruleset +## action: 'url reputation' +TCA-0403 - Queries URL Threat Intelligence -Type: **generic** -Read only: **False** +Type: **investigate** +Read only: **True** -TCA-0303 - Create a new YARA ruleset. +TCA-0403 - Queries URL Threat Intelligence. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | -**ruleset_text** | required | Stringified YARA ruleset / a Unicode string | string | +**url** | required | URL to query | string | `url` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success failed -action_result.parameter.ruleset_name | string | | -action_result.parameter.ruleset_text | string | | +action_result.parameter.url | string | `url` | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'yara delete ruleset' -TCA-0303 - Delete YARA ruleset +## action: 'get downloaded files' +TCA - 0403 - Get files downloaded from url -Type: **generic** +Type: **investigate** +Type: **investigate** Read only: **False** -TCA-0303 - Delete YARA ruleset. +Accepts a URL string and returns a list of downloaded files aggregated through multiple pages of results. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**url** | required | URL string | string | `url` +**extended** | optional | Return extended report | boolean | +**classification** | optional | Return only files of this classification | string | +**last_analysis** | optional | Return only files from the last analysis | boolean | +**analysis_id** | optional | Return only files from this analysis | string | +**results_per_page** | optional | Number of results to be returned in one page, maximum value is 1000 | numeric | +**max_results** | optional | Maximum results to be returned in the list | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.ruleset_name | string | | -action_result.data | string | | -action_result.summary | string | | +action_result.parameter.url | string | | +action_result.parameter.extended | boolean | | +action_result.parameter.classification | string | | +action_result.parameter.last_analysis | boolean | | +action_result.parameter.analysis_id | string | | +action_result.parameter.results_per_page | numeric | | +action_result.parameter.max_results | numeric | | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'yara get ruleset info' -TCA-0303 - Get YARA ruleset info +## action: 'get latest url analysis feed' +TCA - 0403 - Get latest url analysis feed Type: **generic** Read only: **False** -TCA-0303 - Get information for a specific YARA ruleset or all YARA rulesets in the collection. +Returns the latest URL analyses reports aggregated as list. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | optional | YARA ruleset name | string | +**results_per_page** | optional | Number of results to be returned in one page, maximum value is 1000 | numeric | +**max_results** | optional | Maximum results to be returned in the list | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.data.\*.ruleset_name | string | | -action_result.data.\*.valid | string | | -action_result.data.\*.approved | string | | -action_result.data | string | | -action_result.summary | string | | +action_result.parameter.results_per_page | numeric | | +action_result.parameter.max_results | numeric | | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'yara get ruleset text' -TCA-0303 - Get YARA ruleset text +## action: 'get url analysis feed from date' +TCA - 0403 - Get url analysis feed from date Type: **generic** Read only: **False** -TCA-0303 - Get the text of a YARA ruleset. +Accepts time format and a start time and returns URL analyses report from that defined time onward aggregated as a list. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**time_format** | required | Possible values: 'utc' or 'timestamp' | string | +**start_time** | required | Time from which to retrieve results onwards. Needs to be less than 90 days from now | string | +**start_time** | required | Time from which to retrieve results onwards. 
Needs to be less than 90 days from now | string | +**results_per_page** | optional | Number of results to be returned in one page, maximum value is 1000 | numeric | +**max_results** | optional | Maximum results to be returned in the list | numeric | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.parameter.time_format | string | | +action_result.parameter.start_time | string | | +action_result.parameter.results_per_page | numeric | | +action_result.parameter.max_results | numeric | | +action_result.status | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | + +## action: 'analyze url' +TCA-0404 - Analyze a given URL + +Type: **investigate** +Read only: **False** + +TCA-0404 - This service allows users to submit a URL for analysis. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**url** | required | URL to analyze | string | `url` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.parameter.ruleset_name | string | | -action_result.data.\*.text | string | | action_result.status | string | | success failed +action_result.parameter.url | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get yara matches' -TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range +## action: 'uri statistics' +TCA-0402 - Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI Type: **investigate** Read only: **False** -TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range. 
+TCA-0402 - Provides the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI (domain, IP address, email or URL). #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**time_format** | required | 'utc' or 'timestamp' | string | -**time_value** | required | 'YYYY-MM-DDThh:mm:ss' or Unix timestamp string | string | +**uri** | required | Uri | string | +**uri** | required | Uri | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success failed -action_result.parameter.time_format | string | | -action_result.parameter.time_value | string | | +action_result.parameter.uri | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'yara retro enable hunt' -TCA-0319 - Enable YARA retro hunt +## action: 'uri index' +TCA-0401 - Retrieve a list of all available file hashes associated with a given URI +Type: **investigate** Type: **investigate** Read only: **False** -TCA-0319 - Enable the retro hunt for the specified ruleset that has been submitted to TitaniumCloud prior to deployment of YARA retro. +TCA-0401 - Provides a list of all available file hashes associated with a given URI (domain, IP address, email or URL) regardless of file classification. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**uri** | required | Desired URI string | string | `url` `domain` +**limit** | optional | Maximum number of results | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success failed -action_result.parameter.ruleset_name | string | | +action_result.parameter.limit | numeric | | +action_result.parameter.uri | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'yara retro start hunt' -TCA-0319 - Start YARA retro hunt for the specified ruleset +## action: 'submit for dynamic analysis' +TCA-0207 - Submit an existing sample for dynamic analysis Type: **investigate** Read only: **False** -TCA-0319 - Start YARA retro hunt for the specified ruleset. +TCA-0207 - This service allows users to detonate a file in the ReversingLabs TitaniumCloud sandbox. To submit a file for analysis, it must exist in TitaniumCloud. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**sha1** | required | Selected sample's SHA-1 hash | string | `sha1` `vault id` +**platform** | required | Selected platform on which the analysis will be performed. 
See TCA-0207 API documentation for available options | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success failed -action_result.parameter.ruleset_name | string | | -action_result.data.\*.ruleset_sha1 | string | | +action_result.parameter.platform | string | | +action_result.parameter.sha1 | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'yara retro check status' -TCA-0319 - Check the retro hunt status for the specified ruleset +## action: 'submit url for dynamic analysis' +TCA-0207 - Submit an url sample for dynamic analysis -Type: **generic** +Type: **investigate** Read only: **False** -TCA-0319 - Check the retro hunt status for the specified ruleset. +TCA-0207 - This service allows users to analyze a url in the ReversingLabs TitaniumCloud sandbox. To submit an url for analysis, it must exist in TitaniumCloud. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**url** | required | Selected sample's url string | string | `url` `domain` +**platform** | required | Selected platform on which the analysis will be performed. 
See TCA-0207 API documentation for available options | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.parameter.ruleset_name | string | | -action_result.data.\*.retro_status | string | | -action_result.data.\*.start_time | string | | -action_result.data.\*.finish_time | string | | -action_result.data.\*.reason | string | | -action_result.data.\*.progress | string | | -action_result.data.\*.estimated_finish_time | string | | -action_result.status | string | | success failed -action_result.data | string | | +action_result.data.\*.rl.url | string | `url` | +action_result.data.\*.rl.sha1 | string | `sha1` | +action_result.data.\*.rl.status | string | | +action_result.data.\*.rl.url_base64 | string | | +action_result.data.\*.rl.analysis_id | string | | +action_result.status | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'yara retro cancel hunt' -TCA-0319 - Cancel the retro hunt for the specified ruleset +## action: 'dynamic analysis results' +TCA-0106 - Retrieve dynamic analysis results -Type: **generic** +Type: **investigate** Read only: **False** -TCA-0319 - Cancel the retro hunt for the specified ruleset. +TCA-0106 - This service allows users to retrieve dynamic analysis results for a file that was submitted for dynamic analysis. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**ruleset_name** | required | YARA ruleset name | string | +**sha1** | required | Selected sample's SHA-1 hash | string | `sha1` +**analysis_id** | optional | Return only the results of this analysis | string | +**latest** | optional | Return only the latest analysis results | boolean | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success failed -action_result.parameter.ruleset_name | string | | -action_result.data.\*.ruleset_sha1 | string | | +action_result.parameter.analysis_id | string | | +action_result.parameter.latest | boolean | | +action_result.parameter.sha1 | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get yara retro matches' -TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range +## action: 'dynamic url analysis results' +TCA-0106 - Retrieve dynamic analysis results for url Type: **investigate** -Read only: **False** +Read only: **True** -TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range. +TCA-0106 - This service allows users to retrieve dynamic analysis results for an url that was submitted for dynamic analysis. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**time_format** | required | 'utc' or 'timestamp' | string | -**time_value** | required | 'YYYY-MM-DDThh:mm:ss' or Unix timestamp string | string | +**url** | required | Provide one of the following: sha1, base64 or url | string | `sha1` `url` +**analysis_id** | optional | Return only the results of this analysis | string | +**latest** | optional | Return only the latest analysis results | boolean | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.data.\*.rl.feed.name | string | | -action_result.data.\*.rl.feed.time_range.from | string | | -action_result.data.\*.rl.feed.time_range.to | string | | -action_result.data.\*.rl.feed.last_timestamp | string | | -action_result.data | string | | +action_result.parameter.analysis_id | string | | +action_result.data.0.requested_sha1_url | string | | +action_result.status | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'imphash similarity' -TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash) +## action: 'reanalyze file' +TCA-0205 - Reanalyze sample Type: **investigate** -Read only: **True** +Read only: **False** -TCA-0302 - Imphash Index provides a list of all available SHA1 hashes for files sharing the same import hash (imphash). An imphash is a hash calculated from a string which contains the libraries imported by a Windows Portable Executable (PE) file. +TCA-0205 - This query sends a sample with the requested hash for rescanning. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**imphash** | required | Imphash | string | `hash` -**limit** | optional | Maximum number of results | numeric | +**hash** | required | File hash | string | `md5` `sha1` `sha256` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success failed -action_result.parameter.imphash | string | | -action_result.parameter.limit | numeric | | +action_result.parameter.hash | string | | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'advanced search' -TCA-0320 - Search for hashes using multi-part search criteria +## action: 'upload file' +TCA-0202 - Upload file to TitaniumCloud -Type: **investigate** +Type: **generic** Read only: **False** -TCA-0320 - Search for hashes using multi-part search criteria. Supported criteria include more than 60 keywords, 35 antivirus vendors, 137 sample types and subtypes, and 283 tags that enable creating 510 unique search expressions with support for Boolean operators and case-insensitive wildcard matching. A number of search keywords support relational operators '<=' and '>='. +TCA-0202 - Upload file to TitaniumCloud. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**query** | required | Advanced Search query | string | -**limit** | optional | Maximum number of results | numeric | +**vault_id** | required | Vault ID of file to upload | string | `vault id` +**file_name** | optional | Filename to use | string | `file name` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success failed -action_result.parameter.limit | numeric | | -action_result.parameter.query | string | | +action_result.parameter.file_name | string | `file name` | +action_result.parameter.vault_id | string | `pe file` `pdf` `flash` `apk` `jar` `doc` `xls` `ppt` | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'av scanners' -TCA-0103 - Retrieve AV Scanner data from TitaniumCloud +## action: 'get file' +TCA-0201 - Download a sample from TitaniumCloud Type: **investigate** -Read only: **False** +Read only: **True** -TCA-0103 - Provides AV vendor cross-reference data for a desired sample from multiple AV scanners. +TCA-0201 - Download a sample from TitaniumCloud and add it to the vault. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**hash** | required | File hash | string | `sha1` `sha256` `md5` +**hash** | required | Hash of file/sample to download | string | `md5` `sha1` `sha256` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- action_result.status | string | | success failed -action_result.parameter.hash | string | | +action_result.parameter.hash | string | `md5` `sha1` `sha256` | action_result.data | string | | action_result.summary | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'file reputation' -TCA-0101 - Queries for file reputation info +## action: 'get network reputation' +Network Reputation API Type: **investigate** -Read only: **True** +Read only: **False** -TCA-0101 - Queries for file reputation info. +Service provides information regarding the reputation of a requested URL, domain, or IP address. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**hash** | required | File hash to query | string | `hash` `sha256` `sha1` `md5` +**network_locations** | required | Network location to check (URL,DNS,IP) | string | `domain` `url` `ip` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.hash | string | `hash` `sha256` `sha1` `md5` | -action_result.data | string | | -action_result.summary | string | | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'file analysis' -TCA-0104 - Retrieve File Analysis by hash data from TitaniumCloud +## action: 'get list user overrides' +List User Overrides -Type: **investigate** +Type: **generic** Read only: **False** -TCA-0104 - Provides file analysis data on hashes. Metadata can include relevant portions of static analysis, AV scan information, file sources and any related IP/domain information. +The Network Reputation User Override service enables URL classification overrides. Any URL can be overridden to malicious, suspicious, or known. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**hash** | required | File hash | string | `sha1` `sha256` `md5` `vauld id` +**next_page_sha1** | optional | Optional parameter used for pagination | string | `sha1` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.hash | string | | -action_result.data | string | | -action_result.summary | string | | +action_result.data.\*.user_override.network_locations.\*.network_location | string | `url` `domain` `ip` | +action_result.data.\*.user_override.network_locations.\*.type | string | `url` `domain` `ip` | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'functional similarity' -TCA-0301 - Retrieve a list of functionally similar hashes to the provided one +## action: 'get list user overrides aggregated' +Returns a list of overrides that the user has made -Type: **investigate** +Type: **generic** Read only: **False** -TCA-0301 - Provides a list of SHA1 hashes of files that are functionally similar to the provided file (SHA1 hash) at the selected precision level. +This API automatically handles paging and returns a list of results instead of a Response object. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**hash** | required | File hash | string | `sha1` -**limit** | optional | Maximum number of results | numeric | +**max_results** | optional | Maximum number of results to be returned in the list | numeric | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.hash | string | | -action_result.parameter.limit | numeric | | -action_result.data | string | | -action_result.summary | string | | +action_result.data.\*.\*.network_location | string | `url` `domain` `ip` | +action_result.data.\*.\*.type | string | `url` `domain` `ip` | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'url reputation' -TCA-0403 - Queries URL Threat Intelligence +## action: 'network reputation user override' +Network Reputation User Override -Type: **investigate** -Read only: **True** +Type: **generic** +Read only: **False** -TCA-0403 - Queries URL Threat Intelligence. +The Network Reputation User Override service enables URL classification overrides. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**url** | required | URL to query | string | `url` +**override_list** | required | List of network locations whose classification needs to be overriden structured in JSON format. Visit documentation for guidance | string | +**remove_overrides_list** | optional | List of network locations whose classification override needs to be removed structured in JSON format. Visit documentation for guidance | string | +**override_list** | required | List of network locations whose classification needs to be overriden structured in JSON format. 
Visit documentation for guidance | string | +**remove_overrides_list** | optional | List of network locations whose classification override needs to be removed structured in JSON format. Visit documentation for guidance | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.url | string | `url` | -action_result.data | string | | -action_result.summary | string | | +action_result.parameter.override_list | string | | +action_result.parameter.remove_overrides_list | string | | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get downloaded files' -TCA - 0403 - Get files downloaded from url +## action: 'file reputation user override' +File Reputation User Override -Type: **investigate** +Type: **generic** Read only: **False** -Accepts a URL string and returns a list of downloaded files aggregated through multiple pages of results. +The File Reputation User Override service enables File sample classification overrides. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**url** | required | URL string | string | `url` -**extended** | optional | Return extended report | boolean | -**classification** | optional | Return only files of this classification | string | -**last_analysis** | optional | Return only files from the last analysis | boolean | -**analysis_id** | optional | Return only files from this analysis | string | -**results_per_page** | optional | Number of results to be returned in one page, maximum value is 1000 | numeric | -**max_results** | optional | Maximum results to be returned in the list | numeric | +**override_samples** | optional | List of samples to override structured in JSON format. 
Visit documentation for guidance | string | +**remove_overrides** | optional | List of samples whose classification override needs to be removed structured in JSON format. Visit documentation for guidance | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.parameter.url | string | | -action_result.parameter.extended | boolean | | -action_result.parameter.classification | string | | -action_result.parameter.last_analysis | boolean | | -action_result.parameter.analysis_id | string | | -action_result.parameter.results_per_page | numeric | | -action_result.parameter.max_results | numeric | | +action_result.parameter.override_samples | string | | +action_result.parameter.remove_overrides | string | | action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get latest url analysis feed' -TCA - 0403 - Get latest url analysis feed +## action: 'list active file reputation user overrides' +List Active File Reputation User Overrides Type: **generic** Read only: **False** -Returns the latest URL analyses reports aggregated as list. +The File Reputation User Override service enables sample classification overrides. Any sample can be overridden to malicious, suspicious, or known. 
#### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**results_per_page** | optional | Number of results to be returned in one page, maximum value is 1000 | numeric | -**max_results** | optional | Maximum results to be returned in the list | numeric | +**hash_type** | required | Required parameter that defines the type of hash | string | +**start_hash** | optional | When this parameter is present, the API will return up to 1000 hashes with a classification override starting from the start_hash value | string | `sha1` `sha256` `md5` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.parameter.results_per_page | numeric | | -action_result.parameter.max_results | numeric | | +action_result.data.\*.user_override.hash_values | string | `sha1` `sha256` `md5` | action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'get url analysis feed from date' -TCA - 0403 - Get url analysis feed from date +## action: 'customer daily usage' +Check daily usage of ReversingLabs API Type: **generic** Read only: **False** -Accepts time format and a start time and returns URL analyses report from that defined time onward aggregated as a list. +API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**time_format** | required | Possible values: 'utc' or 'timestamp' | string | -**start_time** | required | Time from which to retrieve results onwards. 
Needs to be less than 90 days from now | string | -**results_per_page** | optional | Number of results to be returned in one page, maximum value is 1000 | numeric | -**max_results** | optional | Maximum results to be returned in the list | numeric | +**date** | required | Specifies the date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM-DD format. | string | +**company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | boolean | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.parameter.time_format | string | | -action_result.parameter.start_time | string | | -action_result.parameter.results_per_page | numeric | | -action_result.parameter.max_results | numeric | | +action_result.data.\*.date | string | | +action_result.data.\*.usage_report.\*.product | string | | +action_result.data.\*.usage_report.\*.number_of_queries | string | | +action_result.data.\*.usage_report.\*.used_bytes | string | | action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'analyze url' -TCA-0404 - Analyze a given URL +## action: 'customer dayrange usage' +Check ReversingLabs API usage for specified time range (in days) -Type: **investigate** +Type: **generic** Read only: **False** -TCA-0404 - This service allows users to submit a URL for analysis. +API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**url** | required | URL to analyze | string | `url` +**from_date** | required | Specifies the from date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM-DD format | string | +**to_date** | required | Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM-DD format | string | +**company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | boolean | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.url | string | | -action_result.data | string | | -action_result.summary | string | | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'uri statistics' -TCA-0402 - Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI +## action: 'customer monthly usage' +Check Monthly usage of ReversingLabs API -Type: **investigate** +Type: **generic** Read only: **False** -TCA-0402 - Provides the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI (domain, IP address, email or URL). +API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**uri** | required | Uri | string | +**month** | required | Specifies the month for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM format | string | +**company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | boolean | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.uri | string | | -action_result.data | string | | -action_result.summary | string | | +action_result.data.\*.month | string | | +action_result.data.\*.usage_report.\*.product | string | | +action_result.data.\*.usage_report.\*.number_of_queries | string | | +action_result.data.\*.usage_report.\*.used_bytes | string | | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'uri index' -TCA-0401 - Retrieve a list of all available file hashes associated with a given URI +## action: 'customer month range usage' +Check ReversingLabs API usage for specified time range (in months) -Type: **investigate** +Type: **generic** Read only: **False** -TCA-0401 - Provides a list of all available file hashes associated with a given URI (domain, IP address, email or URL) regardless of file classification. +API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**uri** | required | Desired URI string | string | `url` `domain` -**limit** | optional | Maximum number of results | numeric | +**from_month** | required | Specifies the from date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM format | string | +**to_month** | required | Specifies the to date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM format | string | +**company** | optional | When this parameter is checked, the API will return usage for all accounts within the company | boolean | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.limit | numeric | | -action_result.parameter.uri | string | | -action_result.data | string | | -action_result.summary | string | | +action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | summary.total_objects_successful | numeric | | -## action: 'submit for dynamic analysis' -TCA-0207 - Submit an existing sample for dynamic analysis +## action: 'customer yara api usage' +Check Yara usage on ReversingLabs API -Type: **investigate** +Type: **generic** Read only: **False** -TCA-0207 - This service allows users to detonate a file in the ReversingLabs TitaniumCloud sandbox. To submit a file for analysis, it must exist in TitaniumCloud. +This query returns information about the number of active YARA rulesets for the TitaniumCloud account that sent the request. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**sha1** | required | Selected sample's SHA-1 hash | string | `sha1` `vault id` -**platform** | required | Selected platform on which the analysis will be performed. See TCA-0207 API documentation for available options | string | +**format** | optional | Specify the response format. Supported values are xml and json. 
The default is JSON | string |
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
-action_result.status | string | | success failed
-action_result.parameter.platform | string | |
-action_result.parameter.sha1 | string | |
-action_result.data | string | |
-action_result.summary | string | |
+action_result.data.\*.product | string | |
+action_result.data.\*.number_of_active_rulesets | string | |
+action_result.status | string | |
 action_result.message | string | |
 summary.total_objects | numeric | |
 summary.total_objects_successful | numeric | |
-## action: 'submit url for dynamic analysis'
-TCA-0207 - Submit an url sample for dynamic analysis
+## action: 'customer quota limits'
+Returns current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company
-Type: **investigate**
+Type: **generic**
 Read only: **False**
-TCA-0207 - This service allows users to analyze a url in the ReversingLabs TitaniumCloud sandbox. To submit an url for analysis, it must exist in TitaniumCloud.
+API allows ReversingLabs customers to track quota limits of TitaniumCloud services provisioned to all accounts in a company.
 #### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**url** | required | Selected sample's url string | string | `url` `domain`
-**platform** | required | Selected platform on which the analysis will be performed. 
See TCA-0207 API documentation for available options | string |
+**company** | optional | When this parameter is checked, the API will return quota limits for all accounts within the company | boolean |
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
-action_result.data.\*.rl.url | string | `url` |
-action_result.data.\*.rl.sha1 | string | `sha1` |
-action_result.data.\*.rl.status | string | |
-action_result.data.\*.rl.url_base64 | string | |
-action_result.data.\*.rl.analysis_id | string | |
+action_result.data.\*.limits.\*.limit | numeric | |
+action_result.data.\*.limits.\*.limit_type | string | |
+action_result.data.\*.limits.\*.limit_exceeded | boolean | |
+action_result.data.\*.limits.\*.products | string | |
+action_result.data.\*.limits.\*.users | string | |
 action_result.status | string | |
-action_result.summary | string | |
 action_result.message | string | |
 summary.total_objects | numeric | |
 summary.total_objects_successful | numeric | |
-## action: 'dynamic analysis results'
-TCA-0106 - Retrieve dynamic analysis results
+## action: 'get domain report'
+API returns threat intelligence data for the submitted domain
-Type: **investigate**
+Type: **generic**
 Read only: **False**
-TCA-0106 - This service allows users to retrieve dynamic analysis results for a file that was submitted for dynamic analysis.
+The report contains domain reputation from various reputation sources, classification statistics for files downloaded from the domain, the most common threats found on the domain DNS information about the domain, and parent domain information. 
#### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**sha1** | required | Selected sample's SHA-1 hash | string | `sha1`
-**analysis_id** | optional | Return only the results of this analysis | string |
-**latest** | optional | Return only the latest analysis results | boolean |
+**domain** | required | The domain for which to retrieve the report | string | `domain`
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
-action_result.status | string | | success failed
-action_result.parameter.analysis_id | string | |
-action_result.parameter.latest | boolean | |
-action_result.parameter.sha1 | string | |
-action_result.data | string | |
-action_result.summary | string | |
+action_result.status | string | |
 action_result.message | string | |
 summary.total_objects | numeric | |
 summary.total_objects_successful | numeric | |
-## action: 'dynamic url analysis results'
-TCA-0106 - Retrieve dynamic analysis results for url
+## action: 'get domain downloaded files'
+Retrieve a list of files downloaded from the submitted domain
-Type: **investigate**
-Read only: **True**
+Type: **generic**
+Read only: **False**
-TCA-0106 - This service allows users to retrieve dynamic analysis results for an url that was submitted for dynamic analysis.
+The response will contain metadata for files downloaded from the submitted domain. Empty fields are not included in the response. 
#### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**url** | required | Provide one of the following: sha1, base64 or url | string | `sha1` `url`
-**analysis_id** | optional | Return only the results of this analysis | string |
-**latest** | optional | Return only the latest analysis results | boolean |
+**domain** | required | The domain for which to retrieve the downloaded files | string | `domain`
+**extended** | optional | Chose whether you want extended result data set | boolean |
+**limit** | optional | The number of files to return in the response. Default is 1000 | numeric |
+**classification** | optional | Return only samples that match the requested classification for given domain | string |
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
-action_result.parameter.analysis_id | string | |
-action_result.data.0.requested_sha1_url | string | |
 action_result.status | string | |
-action_result.summary | string | |
 action_result.message | string | |
 summary.total_objects | numeric | |
 summary.total_objects_successful | numeric | |
-## action: 'reanalyze file'
-TCA-0205 - Reanalyze sample
+## action: 'get urls from domain'
+API provides a list of URLs associated with the requested domain
 Type: **investigate**
 Read only: **False**
-TCA-0205 - This query sends a sample with the requested hash for rescanning.
+API provides a list of URLs associated with the requested domain.
 #### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**hash** | required | File hash | string | `md5` `sha1` `sha256`
+**domain** | required | The domain for which to retrieve the resolved IP addresses | string | `domain`
+**page** | optional | String representing a page of results | string |
+**limit** | optional | The number of files to return in the response. 
Default is 1000 | numeric |
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
-action_result.status | string | | success failed
-action_result.parameter.hash | string | |
-action_result.data | string | |
-action_result.summary | string | |
+action_result.data.\*.requested_domain | string | `domain` |
+action_result.data.\*.urls.\*.url | string | `url` |
+action_result.status | string | |
 action_result.message | string | |
 summary.total_objects | numeric | |
 summary.total_objects_successful | numeric | |
-## action: 'upload file'
-TCA-0202 - Upload file to TitaniumCloud
+## action: 'get resolutions from domain'
+API provides a list of domain-to-IP mappings for the requested domain
-Type: **generic**
+Type: **investigate**
 Read only: **False**
-TCA-0202 - Upload file to TitaniumCloud.
+API provides a list of domain-to-IP mappings for the requested domain.
 #### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**vault_id** | required | Vault ID of file to upload | string | `vault id`
-**file_name** | optional | Filename to use | string | `file name`
+**domain** | required | The domain for which to retrieve the domain to IP mappings | string | `domain`
+**page** | optional | String representing a page of results | string |
+**limit** | optional | The number of files to return in the response. 
Default is 1000 | numeric |
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
-action_result.status | string | | success failed
-action_result.parameter.file_name | string | `file name` |
-action_result.parameter.vault_id | string | `pe file` `pdf` `flash` `apk` `jar` `doc` `xls` `ppt` |
-action_result.data | string | |
-action_result.summary | string | |
+action_result.data.\*.requested_domain | string | `domain` |
+action_result.data.\*.resolutions.\*.record_type | string | |
+action_result.data.\*.resolutions.\*.answer | string | |
+action_result.data.\*.resolutions.\*.last_resolution_time | string | |
+action_result.data.\*.resolutions.\*.provider | string | |
+action_result.status | string | |
 action_result.message | string | |
 summary.total_objects | numeric | |
 summary.total_objects_successful | numeric | |
-## action: 'get file'
-TCA-0201 - Download a sample from TitaniumCloud
+## action: 'get related domains'
+API provides a list of domains that have the same top parent domain as the requested domain
 Type: **investigate**
-Read only: **True**
+Read only: **False**
-TCA-0201 - Download a sample from TitaniumCloud and add it to the vault.
+API provides a list of domains that have the same top parent domain as the requested domain. If the requested domain is a top parent domain, the API will return all subdomains.
 #### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**hash** | required | Hash of file/sample to download | string | `md5` `sha1` `sha256`
+**domain** | required | The domain for which to retrieve the downloaded files | string | `domain`
+**page** | optional | String representing a page of results | string |
+**limit** | optional | The number of files to return in the response. 
Default is 1000 | numeric |
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
-action_result.status | string | | success failed
-action_result.parameter.hash | string | `md5` `sha1` `sha256` |
-action_result.data | string | |
-action_result.summary | string | |
+action_result.data.\*.requested_domain | string | `domain` |
+action_result.data.\*.related_domains.\*.domain | string | `domain` |
+action_result.status | string | |
 action_result.message | string | |
 summary.total_objects | numeric | |
 summary.total_objects_successful | numeric | |
-## action: 'get network reputation'
-Network Reputation API
+## action: 'get ip report'
+API returns threat intelligence data for the submitted ip address
-Type: **investigate**
+Type: **generic**
 Read only: **False**
-Service provides information regarding the reputation of a requested URL, domain, or IP address.
+The report contains IP reputation from various reputation sources, classification statistics for files downloaded from the IP, and the top threats hosted on the submitted IP.
 #### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**network_locations** | required | Network location to check (URL,DNS,IP) | string | `domain` `url` `ip`
+**ip_address** | required | The IP address for which to retrieve the report | string | `ip`
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES 
@@ -2248,71 +3418,78 @@ action_result.message | string | |
 summary.total_objects | numeric | |
 summary.total_objects_successful | numeric | |
-## action: 'get list user overrides'
-List User Overrides
+## action: 'get ip downloaded files'
+Retrieve a list of files downloaded from the submitted IP address
 Type: **generic**
 Read only: **False**
-The Network Reputation User Override service enables URL classification overrides. Any URL can be overridden to malicious, suspicious, or known.
+The response will contain metadata for files downloaded from the submitted IP address. Empty fields are not included in the response.
 #### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**next_page_sha1** | optional | Optional parameter used for pagination | string | `sha1`
+**ip_address** | required | The IP address for which to retrieve the downloaded files | string | `ip`
+**extended** | optional | Chose whether you want extended result data set | boolean |
+**page** | optional | String representing a page of results | string |
+**limit** | optional | The number of files to return in the response. 
Default is 1000 | numeric |
+**classification** | optional | Return only samples that match the requested classification for given domain | string |
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
-action_result.data.\*.user_override.network_locations.\*.network_location | string | `url` `domain` `ip` |
-action_result.data.\*.user_override.network_locations.\*.type | string | `url` `domain` `ip` |
 action_result.status | string | |
 action_result.message | string | |
 summary.total_objects | numeric | |
 summary.total_objects_successful | numeric | |
-## action: 'get list user overrides aggregated'
-Returns a list of overrides that the user has made
+## action: 'get urls from ip'
+API provides a list of URLs associated with the requested IP address
-Type: **generic**
+Type: **investigate**
 Read only: **False**
-This API automatically handles paging and returns a list of results instead of a Response object.
+API provides a list of URLs associated with the requested IP address.
 #### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**max_results** | optional | Maximum number of results to be returned in the list | numeric |
+**ip_address** | required | The IP for which to retrieve the domain resolutions | string | `ip`
+**page** | optional | String representing a page of results | string |
+**limit** | optional | The number of files to return in the response. 
Default is 1000 | numeric |
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
-action_result.data.\*.\*.network_location | string | `url` `domain` `ip` |
-action_result.data.\*.\*.type | string | `url` `domain` `ip` |
+action_result.data.\*.requested_ip | string | `ip` |
+action_result.data.\*.urls.\*.url | string | `url` |
 action_result.status | string | |
 action_result.message | string | |
 summary.total_objects | numeric | |
 summary.total_objects_successful | numeric | |
-## action: 'network reputation user override'
-Network Reputation User Override
+## action: 'get resolutions from ip'
+API provides a list of IP-to-domain mappings for the requested IP address
-Type: **generic**
+Type: **investigate**
 Read only: **False**
-The Network Reputation User Override service enables URL classification overrides.
+API provides a list of IP-to-domain mappings for the requested IP address.
 #### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**override_list** | required | List of network locations whose classification needs to be overriden structured in JSON format. Visit documentation for guidance | string |
-**remove_overrides_list** | optional | List of network locations whose classification override needs to be removed structured in JSON format. Visit documentation for guidance | string |
+**ip_address** | required | The IP address for which to retrieve resolutions | string | `ip`
+**page** | optional | String representing a page of results | string |
+**limit** | optional | The number of files to return in the response. 
Default is 1000 | numeric |
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
-action_result.parameter.override_list | string | |
-action_result.parameter.remove_overrides_list | string | |
+action_result.data.\*.requested_ip | string | `ip` |
+action_result.data.\*.resolutions.\*.host_name | string | `domain` |
+action_result.data.\*.resolutions.\*.last_resolution_time | string | |
+action_result.data.\*.resolutions.\*.provider | string | |
 action_result.status | string | |
 action_result.message | string | |
 summary.total_objects | numeric | |
diff --git a/reversinglabs_ticloudv2.json b/reversinglabs_ticloudv2.json
index c9b30e7..99e8d3c 100644
--- a/reversinglabs_ticloudv2.json
+++ b/reversinglabs_ticloudv2.json
@@ -295,3803 +295,5091 @@
 }
 },
 "output": [
- {
- "data_path": "action_result.parameter.ruleset_name",
- "data_type": "string",
- "column_name": "ruleset name",
- "column_order": 0
- },
- {
- "data_path": "action_result.data.*.text",
- "data_type": "string",
- "column_name": "text",
- "column_order": 1
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 2,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.message",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric"
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric"
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "get yara matches",
- "identifier": "get_yara_matches",
- "description": "TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range",
- "verbose": "TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range.",
- "type": "investigate",
- "read_only": false,
- "parameters": {
- "time_format": {
- "description": "'utc' or 'timestamp'",
- "data_type": "string",
- "value_list": [
- "timestamp",
- "utc"
- ],
- "default": "timestamp",
- "required": true,
- "order": 0,
- "name": "time_format",
- "id": 1,
- "param_name": "time_format"
- },
- "time_value": {
- "description": "'YYYY-MM-DDThh:mm:ss' or Unix timestamp string",
- "data_type": "string",
- "required": true,
- "order": 1,
- "name": "time_value",
- "id": 2,
- "param_name": "time_value"
- }
- },
- "output": [
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 2,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.parameter.time_format",
- "data_type": 
"string",
- "column_name": "time_format",
- "column_order": 0
- },
- {
- "data_path": "action_result.parameter.time_value",
- "data_type": "string",
- "column_name": "time_value",
- "column_order": 1
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.message",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric"
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric"
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "yara retro enable hunt",
- "identifier": "yara_retro_enable_hunt",
- "description": "TCA-0319 - Enable YARA retro hunt",
- "verbose": "TCA-0319 - Enable the retro hunt for the specified ruleset that has been submitted to TitaniumCloud prior to deployment of YARA retro.",
- "type": "investigate",
- "read_only": false,
- "parameters": {
- "ruleset_name": {
- "description": "YARA ruleset name",
- "data_type": "string",
- "required": true,
- "order": 0,
- "name": "ruleset_name",
- "id": 1,
- "param_name": "ruleset_name"
- }
- },
- "output": [
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 1,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.parameter.ruleset_name",
- "data_type": "string",
- "column_name": "ruleset name",
- "column_order": 0
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.message",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric"
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric"
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "yara retro start 
hunt",
- "identifier": "yara_retro_start_hunt",
- "description": "TCA-0319 - Start YARA retro hunt for the specified ruleset",
- "verbose": "TCA-0319 - Start YARA retro hunt for the specified ruleset.",
- "type": "investigate",
- "read_only": false,
- "parameters": {
- "ruleset_name": {
- "description": "YARA ruleset name",
- "data_type": "string",
- "required": true,
- "order": 0,
- "name": "ruleset_name",
- "id": 1,
- "param_name": "ruleset_name"
- }
- },
- "output": [
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 2,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.parameter.ruleset_name",
- "data_type": "string",
- "column_name": "ruleset name",
- "column_order": 0
- },
- {
- "data_path": "action_result.data.*.ruleset_sha1",
- "data_type": "string",
- "column_name": "ruleset sha1",
- "column_order": 1
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.message",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric"
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric"
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "yara retro check status",
- "identifier": "yara_retro_check_status",
- "description": "TCA-0319 - Check the retro hunt status for the specified ruleset",
- "verbose": "TCA-0319 - Check the retro hunt status for the specified ruleset.",
- "type": "generic",
- "read_only": false,
- "parameters": {
- "ruleset_name": {
- "description": "YARA ruleset name",
- "data_type": "string",
- "required": true,
- "order": 0,
- "name": "ruleset_name",
- "id": 1,
- "param_name": "ruleset_name"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.ruleset_name",
- "data_type": "string",
- "column_name": 
"ruleset name",
- "column_order": 0
- },
- {
- "data_path": "action_result.data.*.retro_status",
- "data_type": "string",
- "column_name": "retro status",
- "column_order": 1
- },
- {
- "data_path": "action_result.data.*.start_time",
- "data_type": "string",
- "column_name": "start time",
- "column_order": 2
- },
- {
- "data_path": "action_result.data.*.finish_time",
- "data_type": "string",
- "column_name": "finish time",
- "column_order": 3
- },
- {
- "data_path": "action_result.data.*.reason",
- "data_type": "string",
- "column_name": "reason",
- "column_order": 4
- },
- {
- "data_path": "action_result.data.*.progress",
- "data_type": "string",
- "column_name": "progress",
- "column_order": 5
- },
- {
- "data_path": "action_result.data.*.estimated_finish_time",
- "data_type": "string",
- "column_name": "estimated finish time",
- "column_order": 6
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 7,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.message",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric"
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric"
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "yara retro cancel hunt",
- "identifier": "yara_retro_cancel_hunt",
- "description": "TCA-0319 - Cancel the retro hunt for the specified ruleset",
- "verbose": "TCA-0319 - Cancel the retro hunt for the specified ruleset.",
- "type": "generic",
- "read_only": false,
- "parameters": {
- "ruleset_name": {
- "description": "YARA ruleset name",
- "data_type": "string",
- "required": true,
- "order": 0,
- "name": "ruleset_name",
- "id": 1,
- "param_name": "ruleset_name"
- }
- },
- "output": [
- {
- 
"data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 2,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.parameter.ruleset_name",
- "data_type": "string",
- "column_name": "ruleset name",
- "column_order": 0
- },
- {
- "data_path": "action_result.data.*.ruleset_sha1",
- "data_type": "string",
- "column_name": "ruleset sha1",
- "column_order": 1
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.message",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric"
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric"
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "get yara retro matches",
- "identifier": "get_yara_retro_matches",
- "description": "TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range",
- "verbose": "TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range.",
- "type": "investigate",
- "read_only": false,
- "parameters": {
- "time_format": {
- "description": "'utc' or 'timestamp'",
- "data_type": "string",
- "value_list": [
- "timestamp",
- "utc"
- ],
- "default": "timestamp",
- "required": true,
- "order": 0,
- "name": "time_format",
- "id": 1,
- "param_name": "time_format"
- },
- "time_value": {
- "description": "'YYYY-MM-DDThh:mm:ss' or Unix timestamp string",
- "data_type": "string",
- "required": true,
- "order": 1,
- "name": "time_value",
- "id": 2,
- "param_name": "time_value"
- }
- },
- "output": [
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 4,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.data.*.rl.feed.name",
- "data_type": "string",
- "column_name": 
"Name",
- "column_order": 0
- },
- {
- "data_path": "action_result.data.*.rl.feed.time_range.from",
- "data_type": "string",
- "column_name": "Time range From",
- "column_order": 1
- },
- {
- "data_path": "action_result.data.*.rl.feed.time_range.to",
- "data_type": "string",
- "column_name": "Time range to",
- "column_order": 2
- },
- {
- "data_path": "action_result.data.*.rl.feed.last_timestamp",
- "data_type": "string",
- "column_name": "Last timestamp",
- "column_order": 3
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.message",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric"
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric"
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "imphash similarity",
- "identifier": "imphash_similarity",
- "description": "TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash)",
- "verbose": "TCA-0302 - Imphash Index provides a list of all available SHA1 hashes for files sharing the same import hash (imphash). 
An imphash is a hash calculated from a string which contains the libraries imported by a Windows Portable Executable (PE) file.",
- "type": "investigate",
- "read_only": true,
- "parameters": {
- "imphash": {
- "description": "Imphash",
- "data_type": "string",
- "required": true,
- "primary": true,
- "contains": [
- "hash"
- ],
- "order": 0,
- "name": "imphash",
- "id": 1,
- "param_name": "imphash"
- },
- "limit": {
- "description": "Maximum number of results",
- "data_type": "numeric",
- "default": 5000,
- "order": 1,
- "name": "limit",
- "id": 2,
- "param_name": "limit"
- }
- },
- "output": [
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 2,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.parameter.imphash",
- "data_type": "string",
- "column_name": "imphash",
- "column_order": 0
- },
- {
- "data_path": "action_result.parameter.limit",
- "data_type": "numeric",
- "column_name": "limit",
- "column_order": 1
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.message",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric"
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric"
- }
- ],
- "render": {
- "type": "custom",
- "width": 10,
- "height": 5,
- "view": "reversinglabs_ticloudv2_views.imphash_similarity",
- "title": "TitaniumCloud Imphash Similarity"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "advanced search",
- "identifier": "advanced_search",
- "description": "TCA-0320 - Search for hashes using multi-part search criteria",
- "verbose": "TCA-0320 - Search for hashes using multi-part search criteria. 
Supported criteria include more than 60 keywords, 35 antivirus vendors, 137 sample types and subtypes, and 283 tags that enable creating 510 unique search expressions with support for Boolean operators and case-insensitive wildcard matching. A number of search keywords support relational operators '<=' and '>='.",
- "type": "investigate",
- "read_only": false,
- "parameters": {
- "query": {
- "description": "Advanced Search query",
- "data_type": "string",
- "required": true,
- "order": 0,
- "name": "query",
- "id": 1,
- "param_name": "query"
- },
- "limit": {
- "description": "Maximum number of results",
- "data_type": "numeric",
- "default": 5000,
- "order": 1,
- "name": "limit",
- "id": 2,
- "param_name": "limit"
- }
- },
- "output": [
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 2,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.parameter.limit",
- "data_type": "numeric",
- "column_name": "limit",
- "column_order": 1
- },
- {
- "data_path": "action_result.parameter.query",
- "data_type": "string",
- "column_name": "query",
- "column_order": 0
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.message",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric"
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric"
- }
- ],
- "render": {
- "type": "custom",
- "width": 10,
- "height": 5,
- "view": "reversinglabs_ticloudv2_views.advanced_search",
- "title": "TitaniumCloud Advanced Search"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "av scanners",
- "identifier": "av_scanners",
- "description": "TCA-0103 - Retrieve AV Scanner data from TitaniumCloud",
- "verbose": "TCA-0103 - Provides AV vendor cross-reference data for a desired sample from multiple AV 
scanners.",
- "type": "investigate",
- "read_only": false,
- "parameters": {
- "hash": {
- "description": "File hash",
- "data_type": "string",
- "required": true,
- "primary": true,
- "contains": [
- "sha1",
- "sha256",
- "md5"
- ],
- "order": 0,
- "name": "hash",
- "id": 1,
- "param_name": "hash"
- }
- },
- "output": [
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 1,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.parameter.hash",
- "data_type": "string",
- "column_name": "hash",
- "column_order": 0
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.message",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric"
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric"
- }
- ],
- "render": {
- "type": "custom",
- "width": 10,
- "height": 5,
- "view": "reversinglabs_ticloudv2_views.av_scanners",
- "title": "TitaniumCloud AvScanners"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "file reputation",
- "identifier": "file_reputation",
- "description": "TCA-0101 - Queries for file reputation info",
- "verbose": "TCA-0101 - Queries for file reputation info.",
- "type": "investigate",
- "read_only": true,
- "parameters": {
- "hash": {
- "description": "File hash to query",
- "data_type": "string",
- "required": true,
- "primary": true,
- "contains": [
- "hash",
- "sha256",
- "sha1",
- "md5"
- ],
- "order": 0,
- "name": "hash"
- }
- },
- "output": [
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "column_name": "status",
- "column_order": 1,
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.parameter.hash",
- "data_type": "string",
- "contains": [
- "hash",
- "sha256",
- "sha1",
- "md5"
- ],
- 
"column_name": "hash", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.file_reputation", - "title": "TitaniumCloud File Reputation" - }, - "versions": "EQ(*)" - }, - { - "action": "file analysis", - "identifier": "file_analysis", - "description": "TCA-0104 - Retrieve File Analysis by hash data from TitaniumCloud", - "verbose": "TCA-0104 - Provides file analysis data on hashes. Metadata can include relevant portions of static analysis, AV scan information, file sources and any related IP/domain information.", - "type": "investigate", - "read_only": false, - "parameters": { - "hash": { - "description": "File hash", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "sha1", - "sha256", - "md5", - "vauld id" - ], - "order": 0, - "name": "hash", - "id": 1, - "param_name": "hash" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.parameter.hash", - "data_type": "string", - "column_name": "hash", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": 
"custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.file_analysis", - "title": "TitaniumCloud File Analysis" - }, - "versions": "EQ(*)" - }, - { - "action": "functional similarity", - "identifier": "functional_similarity", - "description": "TCA-0301 - Retrieve a list of functionally similar hashes to the provided one", - "verbose": "TCA-0301 - Provides a list of SHA1 hashes of files that are functionally similar to the provided file (SHA1 hash) at the selected precision level.", - "type": "investigate", - "read_only": false, - "parameters": { - "hash": { - "description": "File hash", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "sha1" - ], - "order": 0, - "name": "hash", - "id": 1, - "param_name": "hash" - }, - "limit": { - "description": "Maximum number of results", - "data_type": "numeric", - "default": 5000, - "order": 1, - "name": "limit", - "id": 2, - "param_name": "limit" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 2, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.parameter.hash", - "data_type": "string", - "column_name": "hash", - "column_order": 0 - }, - { - "data_path": "action_result.parameter.limit", - "data_type": "numeric", - "column_name": "limit", - "column_order": 1 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.functional_similarity", - "title": "TitaniumCloud RHA1 Functional Similarity" - }, - "versions": "EQ(*)" - }, 
- { - "action": "url reputation", - "identifier": "url_reputation", - "description": "TCA-0403 - Queries URL Threat Intelligence", - "verbose": "TCA-0403 - Queries URL Threat Intelligence.", - "type": "investigate", - "read_only": true, - "parameters": { - "url": { - "description": "URL to query", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "url" - ], - "order": 0, - "name": "url" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.parameter.url", - "data_type": "string", - "contains": [ - "url" - ], - "column_name": "url", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.url_reputation", - "title": "TitaniumCloud Url Reputation" - }, - "versions": "EQ(*)" - }, - { - "action": "get downloaded files", - "identifier": "get_url_downloaded_files", - "description": "TCA - 0403 - Get files downloaded from url", - "verbose": "Accepts a URL string and returns a list of downloaded files aggregated through multiple pages of results.", - "type": "investigate", - "read_only": false, - "parameters": { - "url": { - "description": "URL string", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "url" - ], - "value_list": [], - "default": "", - "order": 0, - "name": "url", - "id": 1, - "param_name": "url" - }, - "extended": { - "description": "Return extended report", - "data_type": 
"boolean", - "required": false, - "primary": false, - "contains": [], - "default": true, - "order": 1, - "name": "extended", - "id": 2, - "param_name": "extended" - }, - "classification": { - "description": "Return only files of this classification", - "data_type": "string", - "required": false, - "primary": false, - "contains": [], - "value_list": [], - "default": "", - "order": 2, - "name": "classification", - "id": 3, - "param_name": "classification" - }, - "last_analysis": { - "description": "Return only files from the last analysis", - "data_type": "boolean", - "required": false, - "primary": false, - "contains": [], - "default": false, - "order": 3, - "name": "last_analysis", - "id": 4, - "param_name": "last_analysis" - }, - "analysis_id": { - "description": "Return only files from this analysis", - "data_type": "string", - "required": false, - "primary": false, - "contains": [], - "value_list": [], - "default": "", - "order": 4, - "name": "analysis_id", - "id": 5, - "param_name": "analysis_id" - }, - "results_per_page": { - "description": "Number of results to be returned in one page, maximum value is 1000", - "data_type": "numeric", - "required": false, - "primary": false, - "contains": [], - "value_list": [], - "default": 1000, - "order": 5, - "name": "results_per_page", - "id": 6, - "param_name": "results_per_page" - }, - "max_results": { - "description": "Maximum results to be returned in the list", - "data_type": "numeric", - "required": false, - "primary": false, - "contains": [], - "value_list": [], - "default": 5000, - "order": 6, - "name": "max_results", - "id": 7, - "param_name": "max_results" - } - }, - "output": [ - { - "data_path": "action_result.parameter.url", - "data_type": "string", - "contains": [], - "column_name": "url", - "column_order": 0 - }, - { - "data_path": "action_result.parameter.extended", - "data_type": "boolean", - "contains": [], - "column_name": "extended", - "column_order": 1 - }, - { - "data_path": 
"action_result.parameter.classification", - "data_type": "string", - "contains": [], - "column_name": "classification", - "column_order": 2 - }, - { - "data_path": "action_result.parameter.last_analysis", - "data_type": "boolean", - "contains": [], - "column_name": "last_analysis", - "column_order": 3 - }, - { - "data_path": "action_result.parameter.analysis_id", - "data_type": "string", - "contains": [], - "column_name": "analysis_id", - "column_order": 4 - }, - { - "data_path": "action_result.parameter.results_per_page", - "data_type": "numeric", - "contains": [], - "column_name": "results_per_page", - "column_order": 5 - }, - { - "data_path": "action_result.parameter.max_results", - "data_type": "numeric", - "contains": [], - "column_name": "max_results", - "column_order": 6 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 7 - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.url_downloaded_files", - "title": "TitaniumCloud Url Downloaded Files" - }, - "versions": "EQ(*)" - }, - { - "action": "get latest url analysis feed", - "identifier": "get_latest_url_analysis_feed", - "description": "TCA - 0403 - Get latest url analysis feed", - "verbose": "Returns the latest URL analyses reports aggregated as list.", - "type": "generic", - "read_only": false, - "parameters": { - "results_per_page": { - "description": "Number of results to be returned in one page, maximum value is 1000", - "data_type": "numeric", - "required": false, - "primary": false, - "contains": [], - "value_list": [], - "default": 1000, - "order": 0, - "name": "results_per_page", - "id": 1, - "param_name": "results_per_page" - }, - 
"max_results": { - "description": "Maximum results to be returned in the list", - "data_type": "numeric", - "required": false, - "primary": false, - "contains": [], - "value_list": [], - "default": 5000, - "order": 1, - "name": "max_results", - "id": 2, - "param_name": "max_results" - } - }, - "output": [ - { - "data_path": "action_result.parameter.results_per_page", - "data_type": "numeric", - "contains": [], - "column_name": "results_per_page", - "column_order": 0 - }, - { - "data_path": "action_result.parameter.max_results", - "data_type": "numeric", - "contains": [], - "column_name": "max_results", - "column_order": 1 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 2 - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.latest_url_analysis_feed", - "title": "TitaniumCloud Latest Url Analysis Feed" - }, - "versions": "EQ(*)" - }, - { - "action": "get url analysis feed from date", - "identifier": "get_url_analysis_feed_from_date", - "description": "TCA - 0403 - Get url analysis feed from date", - "verbose": "Accepts time format and a start time and returns URL analyses report from that defined time onward aggregated as a list.", - "type": "generic", - "read_only": false, - "parameters": { - "time_format": { - "description": "Possible values: 'utc' or 'timestamp'", - "data_type": "string", - "required": true, - "primary": false, - "value_list": [ - "timestamp", - "utc" - ], - "default": "timestamp", - "contains": [], - "order": 0, - "name": "time_format", - "id": 1, - "param_name": "time_format" - }, - "start_time": { - "description": "Time from which to retrieve results onwards. 
Needs to be less than 90 days from now", - "data_type": "string", - "required": true, - "primary": false, - "contains": [], - "value_list": [], - "default": "", - "order": 1, - "name": "start_time", - "id": 2, - "param_name": "start_time" - }, - "results_per_page": { - "description": "Number of results to be returned in one page, maximum value is 1000", - "data_type": "numeric", - "required": false, - "primary": false, - "contains": [], - "value_list": [], - "default": 1000, - "order": 2, - "name": "results_per_page", - "id": 3, - "param_name": "results_per_page" - }, - "max_results": { - "description": "Maximum results to be returned in the list", - "data_type": "numeric", - "required": false, - "primary": false, - "contains": [], - "value_list": [], - "default": 5000, - "order": 3, - "name": "max_results", - "id": 4, - "param_name": "max_results" - } - }, - "output": [ - { - "data_path": "action_result.parameter.time_format", - "data_type": "string", - "contains": [], - "column_name": "time_format", - "column_order": 0 - }, - { - "data_path": "action_result.parameter.start_time", - "data_type": "string", - "contains": [], - "column_name": "start_time", - "column_order": 1 - }, - { - "data_path": "action_result.parameter.results_per_page", - "data_type": "numeric", - "contains": [], - "column_name": "results_per_page", - "column_order": 2 - }, - { - "data_path": "action_result.parameter.max_results", - "data_type": "numeric", - "contains": [], - "column_name": "max_results", - "column_order": 3 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 4 - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": 
"reversinglabs_ticloudv2_views.url_analysis_feed_from_date", - "title": "TitaniumCloud Url Analysis Feed From Date" - }, - "versions": "EQ(*)" - }, - { - "action": "analyze url", - "identifier": "analyze_url", - "description": "TCA-0404 - Analyze a given URL", - "verbose": "TCA-0404 - This service allows users to submit a URL for analysis.", - "type": "investigate", - "read_only": false, - "parameters": { - "url": { - "description": "URL to analyze", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "url" - ], - "order": 0, - "name": "url", - "id": 1, - "param_name": "url" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.parameter.url", - "data_type": "string", - "column_name": "url", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.analyze_url", - "title": "TitaniumCloud Analyze Url" - }, - "versions": "EQ(*)" - }, - { - "action": "uri statistics", - "identifier": "uri_statistics", - "description": "TCA-0402 - Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI", - "verbose": "TCA-0402 - Provides the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI (domain, IP address, email or URL).", - "type": "investigate", - "read_only": false, - "parameters": { - "uri": { - "description": "Uri", - "data_type": "string", - "required": true, - 
"primary": true, - "order": 0, - "name": "uri", - "id": 1, - "param_name": "uri" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.parameter.uri", - "data_type": "string", - "column_name": "uri", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.uri_statistics", - "title": "TitaniumCloud Uri Statistics" - }, - "versions": "EQ(*)" - }, - { - "action": "uri index", - "identifier": "uri_index", - "description": "TCA-0401 - Retrieve a list of all available file hashes associated with a given URI", - "verbose": "TCA-0401 - Provides a list of all available file hashes associated with a given URI (domain, IP address, email or URL) regardless of file classification.", - "type": "investigate", - "read_only": false, - "parameters": { - "uri": { - "description": "Desired URI string", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "url", - "domain" - ], - "order": 0, - "name": "uri", - "id": 1, - "param_name": "uri" - }, - "limit": { - "description": "Maximum number of results", - "data_type": "numeric", - "default": 5000, - "order": 1, - "name": "limit", - "id": 2, - "param_name": "limit" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 2, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": 
"action_result.parameter.limit", - "data_type": "numeric", - "column_name": "limit", - "column_order": 1 - }, - { - "data_path": "action_result.parameter.uri", - "data_type": "string", - "column_name": "uri", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.uri_index", - "title": "TitaniumCloud Uri Index" - }, - "versions": "EQ(*)" - }, - { - "action": "submit for dynamic analysis", - "identifier": "submit_for_dynamic_analysis", - "description": "TCA-0207 - Submit an existing sample for dynamic analysis", - "verbose": "TCA-0207 - This service allows users to detonate a file in the ReversingLabs TitaniumCloud sandbox. To submit a file for analysis, it must exist in TitaniumCloud.", - "type": "investigate", - "read_only": false, - "parameters": { - "sha1": { - "description": "Selected sample's SHA-1 hash", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "sha1", - "vault id" - ], - "order": 0, - "name": "sha1", - "id": 1, - "param_name": "sha1" - }, - "platform": { - "description": "Selected platform on which the analysis will be performed. 
See TCA-0207 API documentation for available options", - "data_type": "string", - "value_list": [ - "windows10", - "windows11", - "windows7", - "macos11", - "linux" - ], - "default": "windows10", - "required": true, - "order": 1, - "name": "platform", - "id": 2, - "param_name": "platform" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 2, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.parameter.platform", - "data_type": "string", - "column_name": "platform", - "column_order": 1 - }, - { - "data_path": "action_result.parameter.sha1", - "data_type": "string", - "column_name": "sha1", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.submit_for_dynamic_analysis", - "title": "TitaniumCloud Submit For Dynamic Analysis" - }, - "versions": "EQ(*)" - }, - { - "action": "submit url for dynamic analysis", - "identifier": "submit_url_for_dynamic_analysis", - "description": "TCA-0207 - Submit an url sample for dynamic analysis", - "verbose": "TCA-0207 - This service allows users to analyze a url in the ReversingLabs TitaniumCloud sandbox. 
To submit an url for analysis, it must exist in TitaniumCloud.", - "type": "investigate", - "read_only": false, - "parameters": { - "url": { - "description": "Selected sample's url string", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "url", - "domain" - ], - "order": 0, - "name": "url", - "id": 1, - "param_name": "url" - }, - "platform": { - "description": "Selected platform on which the analysis will be performed. See TCA-0207 API documentation for available options", - "data_type": "string", - "required": true, - "value_list": [ - "windows10", - "windows11", - "windows7", - "macos11", - "linux" - ], - "default": "windows10", - "order": 1, - "name": "platform", - "id": 2, - "param_name": "platform" - } - }, - "output": [ - { - "data_path": "action_result.data.*.rl.url", - "data_type": "string", - "contains": [ - "url" - ], - "column_name": "url", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.rl.sha1", - "data_type": "string", - "contains": [ - "sha1" - ], - "column_name": "sha1", - "column_order": 1 - }, - { - "data_path": "action_result.data.*.rl.status", - "data_type": "string", - "column_name": "status", - "column_order": 2 - }, - { - "data_path": "action_result.data.*.rl.url_base64", - "data_type": "string", - "column_name": "url base64", - "column_order": 3 - }, - { - "data_path": "action_result.data.*.rl.analysis_id", - "data_type": "string", - "column_name": "analysis id", - "column_order": 4 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "dynamic analysis 
results", - "identifier": "get_report", - "description": "TCA-0106 - Retrieve dynamic analysis results", - "verbose": "TCA-0106 - This service allows users to retrieve dynamic analysis results for a file that was submitted for dynamic analysis.", - "type": "investigate", - "read_only": false, - "parameters": { - "sha1": { - "description": "Selected sample's SHA-1 hash", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "sha1" - ], - "order": 0, - "name": "sha1", - "id": 1, - "param_name": "sha1" - }, - "analysis_id": { - "description": "Return only the results of this analysis", - "data_type": "string", - "order": 1, - "name": "analysis_id", - "id": 2, - "param_name": "analysis_id" - }, - "latest": { - "description": "Return only the latest analysis results", - "data_type": "boolean", - "default": false, - "order": 2, - "name": "latest", - "id": 3, - "param_name": "latest" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 3, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.parameter.analysis_id", - "data_type": "string", - "column_name": "analysis_id", - "column_order": 1 - }, - { - "data_path": "action_result.parameter.latest", - "data_type": "boolean", - "column_name": "latest", - "column_order": 2 - }, - { - "data_path": "action_result.parameter.sha1", - "data_type": "string", - "column_name": "sha1", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": 
"reversinglabs_ticloudv2_views.dynamic_analysis_results", - "title": "TitaniumCloud Get Dynamic Analysis Results" - }, - "versions": "EQ(*)" - }, - { - "action": "dynamic url analysis results", - "identifier": "get_url_report", - "description": "TCA-0106 - Retrieve dynamic analysis results for url", - "verbose": "TCA-0106 - This service allows users to retrieve dynamic analysis results for an url that was submitted for dynamic analysis.", - "type": "investigate", - "read_only": true, - "parameters": { - "url": { - "description": "Provide one of the following: sha1, base64 or url", - "data_type": "string", - "primary": true, - "contains": [ - "sha1", - "url" - ], - "required": true, - "order": 0, - "name": "url", - "id": 1, - "param_name": "url_sha1" - }, - "analysis_id": { - "description": "Return only the results of this analysis", - "data_type": "string", - "order": 1, - "name": "analysis_id", - "id": 2, - "param_name": "analysis_id" - }, - "latest": { - "description": "Return only the latest analysis results", - "data_type": "boolean", - "default": false, - "order": 2, - "name": "latest", - "id": 3, - "param_name": "latest" - } - }, - "output": [ - { - "data_path": "action_result.parameter.analysis_id", - "data_type": "string", - "column_name": "Analysis id", - "column_order": 0 - }, - { - "data_path": "action_result.data.0.requested_sha1_url", - "data_type": "string", - "column_name": "Requested SHA1", - "column_order": 1 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.dynamic_url_analysis_results", 
- "title": "TitaniumCloud Get Dynamic Analysis Results for URL" - }, - "versions": "EQ(*)" - }, - { - "action": "reanalyze file", - "identifier": "reanalyze_file", - "description": "TCA-0205 - Reanalyze sample", - "verbose": "TCA-0205 - This query sends a sample with the requested hash for rescanning.", - "type": "investigate", - "read_only": false, - "parameters": { - "hash": { - "description": "File hash", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "md5", - "sha1", - "sha256" - ], - "order": 0, - "name": "hash" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.parameter.hash", - "data_type": "string", - "column_name": "hash", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "upload file", - "identifier": "upload_file", - "description": "TCA-0202 - Upload file to TitaniumCloud", - "verbose": "TCA-0202 - Upload file to TitaniumCloud.", - "type": "generic", - "read_only": false, - "parameters": { - "vault_id": { - "description": "Vault ID of file to upload", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "vault id" - ], - "order": 0, - "name": "vault_id", - "id": 1, - "param_name": "vault_id" - }, - "file_name": { - "description": "Filename to use", - "data_type": "string", - "contains": [ - "file name" - ], - "default": "sample", - "order": 1, - "name": "file_name", - "id": 2, - 
"param_name": "file_name", - "primary": true - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 2, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.parameter.file_name", - "data_type": "string", - "contains": [ - "file name" - ], - "column_name": "file_name", - "column_order": 1 - }, - { - "data_path": "action_result.parameter.vault_id", - "data_type": "string", - "contains": [ - "pe file", - "pdf", - "flash", - "apk", - "jar", - "doc", - "xls", - "ppt" - ], - "column_name": "vault_id", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "get file", - "identifier": "get_file", - "description": "TCA-0201 - Download a sample from TitaniumCloud", - "verbose": "TCA-0201 - Download a sample from TitaniumCloud and add it to the vault.", - "type": "investigate", - "read_only": true, - "parameters": { - "hash": { - "description": "Hash of file/sample to download", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "md5", - "sha1", - "sha256" - ], - "order": 0, - "name": "hash" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.parameter.hash", - "data_type": "string", - "contains": [ - "md5", - "sha1", - "sha256" - ], - "column_name": "hash", - "column_order": 0 - }, - { - "data_path": "action_result.data", - "data_type": 
"string" - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "get network reputation", - "identifier": "get_network_reputation", - "description": "Network Reputation API", - "verbose": "Service provides information regarding the reputation of a requested URL, domain, or IP address.", - "type": "investigate", - "read_only": false, - "parameters": { - "network_locations": { - "description": "Network location to check (URL,DNS,IP)", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "domain", - "url", - "ip" - ], - "value_list": [], - "default": "", - "order": 0, - "name": "network_locations", - "id": 1, - "param_name": "network_locations" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 10, - "view": "reversinglabs_ticloudv2_views.network_reputation", - "title": "TitaniumCloud Network Reputation" - }, - "versions": "EQ(*)" - }, - { - "action": "get list user overrides", - "identifier": "get_list_user_overrides", - "description": "List User Overrides", - "verbose": "The Network Reputation User Override service enables URL classification overrides. 
Any URL can be overridden to malicious, suspicious, or known.", - "type": "generic", - "read_only": false, - "parameters": { - "next_page_sha1": { - "description": "Optional parameter used for pagination", - "data_type": "string", - "required": false, - "primary": false, - "contains": [ - "sha1" - ], - "value_list": [], - "default": "", - "order": 0, - "name": "next_page_sha1" - } - }, - "output": [ - { - "data_path": "action_result.data.*.user_override.network_locations.*.network_location", - "data_type": "string", - "contains": [ - "url", - "domain", - "ip" - ], - "column_name": "network_location", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.user_override.network_locations.*.type", - "data_type": "string", - "contains": [ - "url", - "domain", - "ip" - ], - "column_name": "type", - "column_order": 1 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "get list user overrides aggregated", - "identifier": "get_list_user_overrides_aggregated", - "description": "Returns a list of overrides that the user has made", - "verbose": "This API automatically handles paging and returns a list of results instead of a Response object.", - "type": "generic", - "read_only": false, - "parameters": { - "max_results": { - "description": "Maximum number of results to be returned in the list", - "data_type": "numeric", - "required": false, - "primary": false, - "contains": [], - "value_list": [], - "default": "", - "order": 0, - "name": "max_results" - } - }, - "output": [ - { - "data_path": "action_result.data.*.*.network_location", - "data_type": "string", - "contains": [ - "url", - "domain", - "ip" - 
], - "column_name": "network_location", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.*.type", - "data_type": "string", - "contains": [ - "url", - "domain", - "ip" - ], - "column_name": "type", - "column_order": 1 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "network reputation user override", - "identifier": "network_reputation_user_override", - "description": "Network Reputation User Override", - "verbose": "The Network Reputation User Override service enables URL classification overrides.", - "type": "generic", - "read_only": false, - "parameters": { - "override_list": { - "description": "List of network locations whose classification needs to be overriden structured in JSON format. Visit documentation for guidance", - "data_type": "string", - "required": true, - "primary": false, - "contains": [], - "value_list": [], - "default": "", - "order": 0, - "name": "override_list" - }, - "remove_overrides_list": { - "description": "List of network locations whose classification override needs to be removed structured in JSON format. 
Visit documentation for guidance", - "data_type": "string", - "required": false, - "primary": false, - "contains": [], - "value_list": [], - "default": "", - "order": 1, - "name": "remove_overrides_list" - } - }, - "output": [ - { - "data_path": "action_result.parameter.override_list", - "data_type": "string", - "contains": [], - "column_name": "override_list", - "column_order": 0 - }, - { - "data_path": "action_result.parameter.remove_overrides_list", - "data_type": "string", - "contains": [], - "column_name": "remove_overrides_list", - "column_order": 1 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 2 - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.network_reputation_user_override", - "title": "TitaniumCloud Network Reputation User Overrides" - }, - "versions": "EQ(*)" - }, - { - "action": "file reputation user override", - "identifier": "file_reputation_user_override", - "description": "File Reputation User Override", - "verbose": "The File Reputation User Override service enables File sample classification overrides.", - "type": "generic", - "read_only": false, - "parameters": { - "override_samples": { - "description": "List of samples to override structured in JSON format. Visit documentation for guidance", - "data_type": "string", - "required": false, - "primary": false, - "default": "", - "order": 0, - "name": "override_samples" - }, - "remove_overrides": { - "description": "List of samples whose classification override needs to be removed structured in JSON format. 
Visit documentation for guidance", - "data_type": "string", - "required": false, - "primary": false, - "default": "", - "order": 1, - "name": "remove_overrides" - } - }, - "output": [ - { - "data_path": "action_result.parameter.override_samples", - "data_type": "string", - "contains": [], - "column_name": "override_samples", - "column_order": 0 - }, - { - "data_path": "action_result.parameter.remove_overrides", - "data_type": "string", - "contains": [], - "column_name": "remove_overrides", - "column_order": 1 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 2 - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.file_reputation_user_overrides", - "title": "TitaniumCloud File Reputation User Overrides" - }, - "versions": "EQ(*)" - }, - { - "action": "list active file reputation user overrides", - "identifier": "list_active_file_reputation_user_overrides", - "description": "List Active File Reputation User Overrides", - "verbose": "The File Reputation User Override service enables sample classification overrides. 
Any sample can be overridden to malicious, suspicious, or known.", - "type": "generic", - "read_only": false, - "parameters": { - "hash_type": { - "description": "Required parameter that defines the type of hash", - "data_type": "string", - "required": true, - "primary": false, - "value_list": [ - "sha1", - "sha256", - "md5" - ], - "default": "sha1", - "order": 0, - "name": "hash_type" - }, - "start_hash": { - "description": "When this parameter is present, the API will return up to 1000 hashes with a classification override starting from the start_hash value", - "data_type": "string", - "required": false, - "primary": false, - "contains": [ - "sha1", - "sha256", - "md5" - ], - "default": "", - "order": 1, - "name": "start_hash" - } - }, - "output": [ - { - "data_path": "action_result.data.*.user_override.hash_values", - "data_type": "string", - "contains": [ - "sha1", - "sha256", - "md5" - ], - "column_name": "Hash Values", - "column_order": 0 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.list_active_file_overrides", - "title": "List Active File User Overrides" - }, - "versions": "EQ(*)" - }, - { - "action": "customer daily usage", - "identifier": "customer_daily_usage", - "description": "Check daily usage of ReversingLabs API", - "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.", - "type": "generic", - "read_only": false, - "parameters": { - "date": { - "description": "Specifies the date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM-DD format.", - "data_type": "string", - "required": true, - "primary": false, - "order": 0, - "name": "date" - }, - "company": { - "description": "When this parameter is checked, the API will return usage for all accounts within the company", - "data_type": "boolean", - "required": false, - "param_name": "Company", - "default": false, - "order": 1, - "name": "company" - } - }, - "output": [ - { - "data_path": "action_result.data.*.date", - "data_type": "string", - "column_name": "Date", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.usage_report.*.product", - "data_type": "string", - "column_name": "Product", - "column_order": 1 - }, - { - "data_path": "action_result.data.*.usage_report.*.number_of_queries", - "data_type": "string", - "column_name": "Number of Queries", - "column_order": 2 - }, - { - "data_path": "action_result.data.*.usage_report.*.used_bytes", - "data_type": "string", - "column_name": "Used bytes (optional)", - "column_order": 3 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "customer dayrange usage", - "identifier": "customer_dayrange_usage", - "description": "Check ReversingLabs API usage for specified time range (in days)", - "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.", - "type": "generic", - "read_only": false, - "parameters": { - "from_date": { - "description": "Specifies the from date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM-DD format", - "data_type": "string", - "required": true, - "primary": false, - "order": 0, - "name": "from_date" - }, - "to_date": { - "description": "Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM-DD format", - "data_type": "string", - "required": true, - "primary": false, - "order": 1, - "name": "to_date" - }, - "company": { - "description": "When this parameter is checked, the API will return usage for all accounts within the company", - "data_type": "boolean", - "required": false, - "param_name": "Company", - "default": false, - "order": 2, - "name": "company" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.customer_dayrange_usage", - "title": "TitaniumCloud API Usage" - }, - "versions": "EQ(*)" - }, - { - "action": "customer monthly usage", - "identifier": "customer_monthly_usage", - "description": "Check Monthly usage of ReversingLabs API", - "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.", - "type": "generic", - "read_only": false, - "parameters": { - "month": { - "description": "Specifies the month for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM format", - "data_type": "string", - "required": true, - "primary": false, - "order": 0, - "name": "month" - }, - "company": { - "description": "When this parameter is checked, the API will return usage for all accounts within the company", - "data_type": "boolean", - "required": false, - "param_name": "Company", - "default": false, - "order": 1, - "name": "company" - } - }, - "output": [ - { - "data_path": "action_result.data.*.month", - "data_type": "string", - "column_name": "Date", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.usage_report.*.product", - "data_type": "string", - "column_name": "Product", - "column_order": 1 - }, - { - "data_path": "action_result.data.*.usage_report.*.number_of_queries", - "data_type": "string", - "column_name": "Number of Queries", - "column_order": 2 - }, - { - "data_path": "action_result.data.*.usage_report.*.used_bytes", - "data_type": "string", - "column_name": "Used bytes (optional)", - "column_order": 3 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "customer month range usage", - "identifier": "customer_monthrange_usage", - "description": "Check ReversingLabs API usage for specified time range (in months)", - "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.", - "type": "generic", - "read_only": false, - "parameters": { - "from_month": { - "description": "Specifies the from date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM format", - "data_type": "string", - "required": true, - "primary": false, - "order": 0, - "name": "from_month" - }, - "to_month": { - "description": "Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM format", - "data_type": "string", - "required": true, - "primary": false, - "order": 1, - "name": "to_month" - }, - "company": { - "description": "When this parameter is checked, the API will return usage for all accounts within the company", - "data_type": "boolean", - "required": false, - "param_name": "Company", - "default": false, - "order": 2, - "name": "company" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.customer_monthrange_usage", - "title": "TitaniumCloud API Usage" - }, - "versions": "EQ(*)" - }, - { - "action": "customer yara api usage", - "identifier": "customer_yara_api_usage", - "description": "Check Yara usage on ReversingLabs API", - "verbose": "This query returns information about the number of active YARA rulesets for the TitaniumCloud account that sent the request.", - "type": "generic", - "read_only": false, - "parameters": { - "format": { - "description": "Specify the response format. Supported values are xml and json. 
The default is JSON", - "data_type": "string", - "value_list": [ - "json" - ], - "default": "json", - "required": false, - "primary": false, - "order": 0, - "name": "format" - } - }, - "output": [ - { - "data_path": "action_result.data.*.product", - "data_type": "string", - "column_name": "Product", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.number_of_active_rulesets", - "data_type": "string", - "column_name": "Number of Active Rulesets", - "column_order": 1 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "customer quota limits", - "identifier": "customer_quota_limits", - "description": "Returns current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company", - "verbose": "API allows ReversingLabs customers to track quota limits of TitaniumCloud services provisioned to all accounts in a company.", - "type": "generic", - "read_only": false, - "parameters": { - "company": { - "description": "When this parameter is checked, the API will return quota limits for all accounts within the company", - "data_type": "boolean", - "required": false, - "param_name": "Company", - "default": false, - "order": 0, - "name": "company" - } - }, - "output": [ - { - "data_path": "action_result.data.*.limits.*.limit", - "data_type": "numeric", - "column_name": "Limit", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.limits.*.limit_type", - "data_type": "string", - "column_name": "Limit Type", - "column_order": 1 - }, - { - "data_path": "action_result.data.*.limits.*.limit_exceeded", - "data_type": "boolean", - "column_name": 
"Limit exceeded", - "column_order": 2 - }, - { - "data_path": "action_result.data.*.limits.*.products", - "data_type": "string", - "column_name": "Products", - "column_order": 3 - }, - { - "data_path": "action_result.data.*.limits.*.users", - "data_type": "string", - "column_name": "Users", - "column_order": 4 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "get domain report", - "identifier": "get_domain_report", - "description": "API returns threat intelligence data for the submitted domain", - "verbose": "The report contains domain reputation from various reputation sources, classification statistics for files downloaded from the domain, the most common threats found on the domain DNS information about the domain, and parent domain information.", - "type": "generic", - "read_only": false, - "parameters": { - "domain": { - "description": "The domain for which to retrieve the report", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "domain" - ], - "order": 0, - "name": "domain" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.domain_report", - "title": "Domain Report" - }, - "versions": "EQ(*)" - }, - { - "action": "get domain downloaded files", - 
"identifier": "get_domain_downloaded_files", - "description": "Retrieve a list of files downloaded from the submitted domain", - "verbose": "The response will contain metadata for files downloaded from the submitted domain. Empty fields are not included in the response.", - "type": "generic", - "read_only": false, - "parameters": { - "domain": { - "description": "The domain for which to retrieve the downloaded files", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "domain" - ], - "order": 0, - "name": "domain" - }, - "extended": { - "description": "Chose whether you want extended result data set", - "data_type": "boolean", - "required": false, - "primary": false, - "default": true, - "order": 1, - "name": "extended", - "param_name": "extended" - }, - "limit": { - "description": "The number of files to return in the response. Default is 1000", - "data_type": "numeric", - "required": false, - "primary": false, - "default": 1000, - "order": 2, - "name": "limit", - "param_name": "limit" - }, - "classification": { - "description": "Return only samples that match the requested classification for given domain", - "data_type": "string", - "required": false, - "primary": false, - "value_list": [ - "known", - "suspicious", - "malicious", - "unknown" - ], - "order": 3, - "name": "classification", - "param_name": "classification" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.domain_downloaded_files", - "title": "Domain Downloaded Files Report" - }, - "versions": "EQ(*)" - }, - { - "action": "get urls from domain", - "identifier": 
"get_urls_from_domain", - "description": "API provides a list of URLs associated with the requested domain", - "verbose": "API provides a list of URLs associated with the requested domain.", - "type": "investigate", - "read_only": false, - "parameters": { - "domain": { - "description": "The domain for which to retrieve the resolved IP addresses", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "domain" - ], - "order": 0, - "name": "domain" - }, - "page": { - "description": "String representing a page of results", - "data_type": "string", - "required": false, - "primary": false, - "order": 1, - "name": "page" - }, - "limit": { - "description": "The number of files to return in the response. Default is 1000", - "data_type": "numeric", - "required": false, - "primary": false, - "default": 1000, - "order": 2, - "name": "limit", - "param_name": "limit" - } - }, - "output": [ - { - "data_path": "action_result.data.*.requested_domain", - "data_type": "string", - "contains": [ - "domain" - ], - "column_name": "Domain", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.urls.*.url", - "data_type": "string", - "contains": [ - "url" - ], - "column_name": "Url", - "column_order": 1 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "get resolutions from domain", - "identifier": "get_resolutions_from_domain", - "description": "API provides a list of domain-to-IP mappings for the requested domain", - "verbose": "API provides a list of domain-to-IP mappings for the requested domain.", - "type": "investigate", - "read_only": false, - "parameters": { - "domain": { - 
"description": "The domain for which to retrieve the domain to IP mappings", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "domain" - ], - "order": 0, - "name": "domain" - }, - "page": { - "description": "String representing a page of results", - "data_type": "string", - "required": false, - "primary": false, - "order": 1, - "name": "page" - }, - "limit": { - "description": "The number of files to return in the response. Default is 1000", - "data_type": "numeric", - "required": false, - "primary": false, - "default": 1000, - "order": 2, - "name": "limit", - "param_name": "limit" - } - }, - "output": [ - { - "data_path": "action_result.data.*.requested_domain", - "data_type": "string", - "contains": [ - "domain" - ], - "column_name": "Domain", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.resolutions.*.record_type", - "data_type": "string", - "column_name": "Record Type", - "column_order": 1 - }, - { - "data_path": "action_result.data.*.resolutions.*.answer", - "data_type": "string", - "column_name": "Answer", - "column_order": 2 - }, - { - "data_path": "action_result.data.*.resolutions.*.last_resolution_time", - "data_type": "string", - "column_name": "Last resolution time", - "column_order": 3 - }, - { - "data_path": "action_result.data.*.resolutions.*.provider", - "data_type": "string", - "column_name": "Provider", - "column_order": 4 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "get related domains", - "identifier": "get_related_domains", - "description": "API provides a list of domains that have the same top parent domain as the requested 
domain", - "verbose": "API provides a list of domains that have the same top parent domain as the requested domain. If the requested domain is a top parent domain, the API will return all subdomains.", - "type": "investigate", - "read_only": false, - "parameters": { - "domain": { - "description": "The domain for which to retrieve the downloaded files", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "domain" - ], - "order": 0, - "name": "domain" - }, - "page": { - "description": "String representing a page of results", - "data_type": "string", - "required": false, - "primary": false, - "order": 1, - "name": "page" - }, - "limit": { - "description": "The number of files to return in the response. Default is 1000", - "data_type": "numeric", - "required": false, - "primary": false, - "default": 1000, - "order": 2, - "name": "limit", - "param_name": "limit" - } - }, - "output": [ - { - "data_path": "action_result.data.*.requested_domain", - "data_type": "string", - "contains": [ - "domain" - ], - "column_name": "Domain", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.related_domains.*.domain", - "data_type": "string", - "contains": [ - "domain" - ], - "column_name": "Related domain", - "column_order": 1 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" + "output": [ + { + "data_path": "action_result.parameter.ruleset_name", + "data_type": "string", + "column_name": "ruleset name", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.text", + "data_type": "string", + "column_name": "text", + "column_order": 1 + }, + { + "data_path": "action_result.status", + "data_type": "string", + 
"column_name": "status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" }, - "versions": "EQ(*)" - }, - { - "action": "get ip report", - "identifier": "get_ip_report", - "description": "API returns threat intelligence data for the submitted ip address", - "verbose": "The report contains IP reputation from various reputation sources, classification statistics for files downloaded from the IP, and the top threats hosted on the submitted IP.", - "type": "generic", - "read_only": false, - "parameters": { - "ip_address": { - "description": "The IP address for which to retrieve the report", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "ip" - ], - "order": 0, - "name": "ip_address" - } + { + "action": "get yara matches", + "identifier": "get_yara_matches", + "description": "TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range", + "verbose": "TCA-0303 - Get a recordset of YARA ruleset matches in the specified time range.", + "type": "investigate", + "type": "investigate", + "read_only": false, + "parameters": { + "time_format": { + "description": "'utc' or 'timestamp'", + "data_type": "string", + "value_list": [ + "timestamp", + "utc" + ], + "default": "timestamp", + "value_list": [ + "timestamp", + "utc" + ], + "default": "timestamp", + "required": true, + "order": 0, + "name": "time_format", + "id": 1, + "param_name": "time_format" + }, + "time_value": { + "description": "'YYYY-MM-DDThh:mm:ss' or Unix timestamp string", + "data_type": "string", + 
"required": true, + "order": 1, + "name": "time_value", + "id": 2, + "param_name": "time_value" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.time_format", + "data_type": "string", + "column_name": "time_format", + "column_order": 0 + }, + { + "data_path": "action_result.parameter.time_value", + "data_type": "string", + "column_name": "time_value", + "column_order": 1 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.ip_report", - "title": "IP Report" + { + "action": "yara retro enable hunt", + "identifier": "yara_retro_enable_hunt", + "description": "TCA-0319 - Enable YARA retro hunt", + "verbose": "TCA-0319 - Enable the retro hunt for the specified ruleset that has been submitted to TitaniumCloud prior to deployment of YARA retro.", + "type": "investigate", + "type": "investigate", + "read_only": false, + "parameters": { + "ruleset_name": { + "description": "YARA ruleset name", + "data_type": "string", + "required": true, + "order": 0, + 
"name": "ruleset_name", + "id": 1, + "param_name": "ruleset_name" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 1, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.ruleset_name", + "data_type": "string", + "column_name": "ruleset name", + "column_order": 0 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" }, - "versions": "EQ(*)" - }, - { - "action": "get ip downloaded files", - "identifier": "get_ip_downloaded_files", - "description": "Retrieve a list of files downloaded from the submitted IP address", - "verbose": "The response will contain metadata for files downloaded from the submitted IP address. 
Empty fields are not included in the response.", - "type": "generic", - "read_only": false, - "parameters": { - "ip_address": { - "description": "The IP address for which to retrieve the downloaded files", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "ip" + { + "action": "yara retro start hunt", + "identifier": "yara_retro_start_hunt", + "description": "TCA-0319 - Start YARA retro hunt for the specified ruleset", + "verbose": "TCA-0319 - Start YARA retro hunt for the specified ruleset.", + "type": "investigate", + "type": "investigate", + "read_only": false, + "parameters": { + "ruleset_name": { + "description": "YARA ruleset name", + "data_type": "string", + "required": true, + "order": 0, + "name": "ruleset_name", + "id": 1, + "param_name": "ruleset_name" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.ruleset_name", + "data_type": "string", + "column_name": "ruleset name", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.ruleset_sha1", + "data_type": "string", + "column_name": "ruleset sha1", + "column_order": 1 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "yara retro check status", + "identifier": "yara_retro_check_status", + "description": "TCA-0319 - Check the retro hunt status for the specified ruleset", + "verbose": "TCA-0319 - Check the retro hunt status for the specified ruleset.", + "type": "generic", + 
"read_only": false, + "parameters": { + "ruleset_name": { + "description": "YARA ruleset name", + "data_type": "string", + "required": true, + "order": 0, + "name": "ruleset_name", + "id": 1, + "param_name": "ruleset_name" + } + }, + "output": [ + "output": [ + { + "data_path": "action_result.parameter.ruleset_name", + "data_type": "string", + "column_name": "ruleset name", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.retro_status", + "data_type": "string", + "column_name": "retro status", + "column_order": 1 + }, + { + "data_path": "action_result.data.*.start_time", + "data_type": "string", + "column_name": "start time", + "column_order": 2 + }, + { + "data_path": "action_result.data.*.finish_time", + "data_type": "string", + "column_name": "finish time", + "column_order": 3 + }, + { + "data_path": "action_result.data.*.reason", + "data_type": "string", + "column_name": "reason", + "column_order": 4 + }, + { + "data_path": "action_result.data.*.progress", + "data_type": "string", + "column_name": "progress", + "column_order": 5 + }, + { + "data_path": "action_result.data.*.estimated_finish_time", + "data_type": "string", + "column_name": "estimated finish time", + "column_order": 6 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 7, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } ], - "order": 0, - "name": "ip_address" - }, - "extended": { - "description": "Chose whether you want extended result data set", - "data_type": "boolean", - "required": false, - "primary": false, - "default": true, - "order": 
1, - "name": "extended", - "param_name": "extended" - }, - "page": { - "description": "String representing a page of results", - "data_type": "string", - "required": false, - "primary": false, - "order": 2, - "name": "page" - }, - "limit": { - "description": "The number of files to return in the response. Default is 1000", - "data_type": "numeric", - "required": false, - "primary": false, - "default": 1000, - "order": 3, - "name": "limit", - "param_name": "limit" - }, - "classification": { - "description": "Return only samples that match the requested classification for given domain", - "data_type": "string", - "required": false, - "primary": false, - "value_list": [ - "known", - "suspicious", - "malicious", - "unknown" + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "yara retro cancel hunt", + "identifier": "yara_retro_cancel_hunt", + "description": "TCA-0319 - Cancel the retro hunt for the specified ruleset", + "verbose": "TCA-0319 - Cancel the retro hunt for the specified ruleset.", + "type": "generic", + "read_only": false, + "parameters": { + "ruleset_name": { + "description": "YARA ruleset name", + "data_type": "string", + "required": true, + "order": 0, + "name": "ruleset_name", + "id": 1, + "param_name": "ruleset_name" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.ruleset_name", + "data_type": "string", + "column_name": "ruleset name", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.ruleset_sha1", + "data_type": "string", + "column_name": "ruleset sha1", + "column_order": 1 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": 
"summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } ], - "order": 4, - "name": "classification", - "param_name": "classification" - } - }, - "output": [ - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "custom", - "width": 10, - "height": 5, - "view": "reversinglabs_ticloudv2_views.ip_downloaded_files", - "title": "IP Downloaded Files Report" - }, - "versions": "EQ(*)" - }, - { - "action": "get urls from ip", - "identifier": "get_urls_from_ip", - "description": "API provides a list of URLs associated with the requested IP address", - "verbose": "API provides a list of URLs associated with the requested IP address.", - "type": "investigate", - "read_only": false, - "parameters": { - "ip_address": { - "description": "The IP for which to retrieve the domain resolutions", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "ip" + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "get yara retro matches", + "identifier": "get_yara_retro_matches", + "description": "TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range", + "verbose": "TCA-0319 - Get a recordset of YARA ruleset matches in the specified time range.", + "type": "investigate", + "type": "investigate", + "read_only": false, + "parameters": { + "time_format": { + "description": "'utc' or 'timestamp'", + "data_type": "string", + "value_list": [ + "timestamp", + "utc" + ], + "default": "timestamp", + "value_list": [ + "timestamp", + "utc" + ], + "default": "timestamp", + "required": true, + "order": 0, + "name": "time_format", + "id": 1, + 
"param_name": "time_format" + }, + "time_value": { + "description": "'YYYY-MM-DDThh:mm:ss' or Unix timestamp string", + "data_type": "string", + "required": true, + "order": 1, + "name": "time_value", + "id": 2, + "param_name": "time_value" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 4, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.data.*.rl.feed.name", + "data_type": "string", + "column_name": "Name", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.rl.feed.time_range.from", + "data_type": "string", + "column_name": "Time range From", + "column_order": 1 + }, + { + "data_path": "action_result.data.*.rl.feed.time_range.to", + "data_type": "string", + "column_name": "Time range to", + "column_order": 2 + }, + { + "data_path": "action_result.data.*.rl.feed.last_timestamp", + "data_type": "string", + "column_name": "Last timestamp", + "column_order": 3 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } ], - "order": 0, - "name": "ip_address" - }, - "page": { - "description": "String representing a page of results", - "data_type": "string", - "required": false, - "primary": false, - "order": 1, - "name": "page" - }, - "limit": { - "description": "The number of files to return in the response. 
Default is 1000", - "data_type": "numeric", - "required": false, - "primary": false, - "default": 1000, - "order": 2, - "name": "limit", - "param_name": "limit" - } - }, - "output": [ - { - "data_path": "action_result.data.*.requested_ip", - "data_type": "string", - "contains": [ - "ip" + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "imphash similarity", + "identifier": "imphash_similarity", + "description": "TCA-0302 - Get a a list of all available SHA1 hashes for files sharing the same import hash (imphash)", + "verbose": "TCA-0302 - Imphash Index provides a list of all available SHA1 hashes for files sharing the same import hash (imphash). An imphash is a hash calculated from a string which contains the libraries imported by a Windows Portable Executable (PE) file.", + "type": "investigate", + "read_only": true, + "parameters": { + "imphash": { + "description": "Imphash", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "hash" + ], + "order": 0, + "name": "imphash", + "id": 1, + "param_name": "imphash" + }, + "limit": { + "description": "Maximum number of results", + "data_type": "numeric", + "default": 5000, + "order": 1, + "name": "limit", + "id": 2, + "param_name": "limit" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.imphash", + "data_type": "string", + "column_name": "imphash", + "column_order": 0 + }, + { + "data_path": "action_result.parameter.limit", + "data_type": "numeric", + "column_name": "limit", + "column_order": 1 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": 
"numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } ], - "column_name": "Requested IP", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.urls.*.url", - "data_type": "string", - "contains": [ - "url" + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.imphash_similarity", + "title": "TitaniumCloud Imphash Similarity" + }, + "versions": "EQ(*)" + }, + { + "action": "advanced search", + "identifier": "advanced_search", + "description": "TCA-0320 - Search for hashes using multi-part search criteria", + "verbose": "TCA-0320 - Search for hashes using multi-part search criteria. Supported criteria include more than 60 keywords, 35 antivirus vendors, 137 sample types and subtypes, and 283 tags that enable creating 510 unique search expressions with support for Boolean operators and case-insensitive wildcard matching. A number of search keywords support relational operators '<=' and '>='.", + "type": "investigate", + "type": "investigate", + "read_only": false, + "parameters": { + "query": { + "description": "Advanced Search query", + "data_type": "string", + "required": true, + "order": 0, + "name": "query", + "id": 1, + "param_name": "query" + }, + "limit": { + "description": "Maximum number of results", + "data_type": "numeric", + "default": 5000, + "order": 1, + "name": "limit", + "id": 2, + "param_name": "limit" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.limit", + "data_type": "numeric", + "column_name": "limit", + "column_order": 1 + }, + { + "data_path": "action_result.parameter.query", + "data_type": "string", + "column_name": "query", + "column_order": 0 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": 
"action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } ], - "column_name": "Url", - "column_order": 1 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "get resolutions from ip", - "identifier": "get_resolutions_from_ip", - "description": "API provides a list of IP-to-domain mappings for the requested IP address", - "verbose": "API provides a list of IP-to-domain mappings for the requested IP address.", - "type": "investigate", - "read_only": false, - "parameters": { - "ip_address": { - "description": "The IP address for which to retrieve resolutions", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "ip" + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.advanced_search", + "title": "TitaniumCloud Advanced Search" + }, + "versions": "EQ(*)" + }, + { + "action": "av scanners", + "identifier": "av_scanners", + "description": "TCA-0103 - Retrieve AV Scanner data from TitaniumCloud", + "verbose": "TCA-0103 - Provides AV vendor cross-reference data for a desired sample from multiple AV scanners.", + "type": "investigate", + "read_only": false, + "parameters": { + "hash": { + "description": "File hash", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "sha1", + "sha256", + "md5" + ], + "order": 0, + "name": "hash", + "id": 1, + "param_name": "hash" + } + }, + 
"output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 1, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.hash", + "data_type": "string", + "column_name": "hash", + "column_order": 0 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } ], - "order": 0, - "name": "ip_address" - }, - "page": { - "description": "String representing a page of results", - "data_type": "string", - "required": false, - "primary": false, - "order": 1, - "name": "page" - }, - "limit": { - "description": "The number of files to return in the response. Default is 1000", - "data_type": "numeric", - "required": false, - "primary": false, - "default": 1000, - "order": 2, - "name": "limit", - "param_name": "limit" - } - }, - "output": [ - { - "data_path": "action_result.data.*.requested_ip", - "data_type": "string", - "contains": [ - "ip" + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.av_scanners", + "title": "TitaniumCloud AvScanners" + }, + "versions": "EQ(*)" + }, + { + "action": "file reputation", + "identifier": "file_reputation", + "description": "TCA-0101 - Queries for file reputation info", + "verbose": "TCA-0101 - Queries for file reputation info.", + "type": "investigate", + "read_only": true, + "parameters": { + "hash": { + "description": "File hash to query", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "hash", + "sha256", + "sha1", + "md5" + ], + "order": 0, + "name": "hash" + } + }, + "output": [ + { + "data_path": "action_result.status", + 
"data_type": "string", + "column_name": "status", + "column_order": 1, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.hash", + "data_type": "string", + "contains": [ + "hash", + "sha256", + "sha1", + "md5" + ], + "column_name": "hash", + "column_order": 0 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } ], - "column_name": "IP Address", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.resolutions.*.host_name", - "data_type": "string", - "column_name": "Host name", - "contains": [ - "domain" + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.file_reputation", + "title": "TitaniumCloud File Reputation" + }, + "versions": "EQ(*)" + }, + { + "action": "file analysis", + "identifier": "file_analysis", + "description": "TCA-0104 - Retrieve File Analysis by hash data from TitaniumCloud", + "verbose": "TCA-0104 - Provides file analysis data on hashes. 
Metadata can include relevant portions of static analysis, AV scan information, file sources and any related IP/domain information.", + "type": "investigate", + "read_only": false, + "parameters": { + "hash": { + "description": "File hash", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "sha1", + "sha256", + "md5", + "vauld id" + ], + "order": 0, + "name": "hash", + "id": 1, + "param_name": "hash" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 1, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.hash", + "data_type": "string", + "column_name": "hash", + "column_order": 0 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } ], - "column_order": 1 - }, - { - "data_path": "action_result.data.*.resolutions.*.last_resolution_time", - "data_type": "string", - "column_name": "Last resolution time", - "column_order": 2 - }, - { - "data_path": "action_result.data.*.resolutions.*.provider", - "data_type": "string", - "column_name": "Provider", - "column_order": 3 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status" - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.file_analysis", + "title": "TitaniumCloud File 
Analysis" + }, + "versions": "EQ(*)" + }, + { + "action": "functional similarity", + "identifier": "functional_similarity", + "description": "TCA-0301 - Retrieve a list of functionally similar hashes to the provided one", + "verbose": "TCA-0301 - Provides a list of SHA1 hashes of files that are functionally similar to the provided file (SHA1 hash) at the selected precision level.", + "type": "investigate", + "read_only": false, + "parameters": { + "hash": { + "description": "File hash", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "sha1" + ], + "order": 0, + "name": "hash", + "id": 1, + "param_name": "hash" + }, + "limit": { + "description": "Maximum number of results", + "data_type": "numeric", + "default": 5000, + "order": 1, + "name": "limit", + "id": 2, + "param_name": "limit" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.hash", + "data_type": "string", + "column_name": "hash", + "column_order": 0 + }, + { + "data_path": "action_result.parameter.limit", + "data_type": "numeric", + "column_name": "limit", + "column_order": 1 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.functional_similarity", + "title": "TitaniumCloud RHA1 Functional Similarity" + }, + "versions": "EQ(*)" + }, + { + "action": "url reputation", + "identifier": "url_reputation", + "description": "TCA-0403 - Queries URL Threat 
Intelligence", + "verbose": "TCA-0403 - Queries URL Threat Intelligence.", + "type": "investigate", + "read_only": true, + "parameters": { + "url": { + "description": "URL to query", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "url" + ], + "order": 0, + "name": "url" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 1, + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.url", + "data_type": "string", + "contains": [ + "url" + ], + "column_name": "url", + "column_order": 0 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.url_reputation", + "title": "TitaniumCloud Url Reputation" + }, + "versions": "EQ(*)" + }, + { + "action": "get downloaded files", + "identifier": "get_url_downloaded_files", + "description": "TCA - 0403 - Get files downloaded from url", + "verbose": "Accepts a URL string and returns a list of downloaded files aggregated through multiple pages of results.", + "type": "investigate", + "type": "investigate", + "read_only": false, + "parameters": { + "url": { + "description": "URL string", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "url" + ], + "value_list": [], + "default": "", + "order": 0, + "name": "url", + "id": 1, + "param_name": "url" + }, + "extended": { + "description": "Return extended report", + "data_type": "boolean", + "required": false, + "primary": false, + "contains": [], + "default": true, + 
"order": 1, + "name": "extended", + "id": 2, + "param_name": "extended" + }, + "classification": { + "description": "Return only files of this classification", + "data_type": "string", + "required": false, + "primary": false, + "contains": [], + "value_list": [], + "default": "", + "order": 2, + "name": "classification", + "id": 3, + "param_name": "classification" + }, + "last_analysis": { + "description": "Return only files from the last analysis", + "data_type": "boolean", + "required": false, + "primary": false, + "contains": [], + "default": false, + "order": 3, + "name": "last_analysis", + "id": 4, + "param_name": "last_analysis" + }, + "analysis_id": { + "description": "Return only files from this analysis", + "data_type": "string", + "required": false, + "primary": false, + "contains": [], + "value_list": [], + "default": "", + "order": 4, + "name": "analysis_id", + "id": 5, + "param_name": "analysis_id" + }, + "results_per_page": { + "description": "Number of results to be returned in one page, maximum value is 1000", + "data_type": "numeric", + "required": false, + "primary": false, + "contains": [], + "value_list": [], + "default": 1000, + "order": 5, + "name": "results_per_page", + "id": 6, + "param_name": "results_per_page" + }, + "max_results": { + "description": "Maximum results to be returned in the list", + "data_type": "numeric", + "required": false, + "primary": false, + "contains": [], + "value_list": [], + "default": 5000, + "order": 6, + "name": "max_results", + "id": 7, + "param_name": "max_results" + } + }, + "output": [ + { + "data_path": "action_result.parameter.url", + "data_type": "string", + "contains": [], + "column_name": "url", + "column_order": 0 + }, + { + "data_path": "action_result.parameter.extended", + "data_type": "boolean", + "contains": [], + "column_name": "extended", + "column_order": 1 + }, + { + "data_path": "action_result.parameter.classification", + "data_type": "string", + "contains": [], + "column_name": 
"classification", + "column_order": 2 + }, + { + "data_path": "action_result.parameter.last_analysis", + "data_type": "boolean", + "contains": [], + "column_name": "last_analysis", + "column_order": 3 + }, + { + "data_path": "action_result.parameter.analysis_id", + "data_type": "string", + "contains": [], + "column_name": "analysis_id", + "column_order": 4 + }, + { + "data_path": "action_result.parameter.results_per_page", + "data_type": "numeric", + "contains": [], + "column_name": "results_per_page", + "column_order": 5 + }, + { + "data_path": "action_result.parameter.max_results", + "data_type": "numeric", + "contains": [], + "column_name": "max_results", + "column_order": 6 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 7 + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.url_downloaded_files", + "title": "TitaniumCloud Url Downloaded Files" + }, + "versions": "EQ(*)" + }, + { + "action": "get latest url analysis feed", + "identifier": "get_latest_url_analysis_feed", + "description": "TCA - 0403 - Get latest url analysis feed", + "verbose": "Returns the latest URL analyses reports aggregated as list.", + "type": "generic", + "read_only": false, + "parameters": { + "results_per_page": { + "description": "Number of results to be returned in one page, maximum value is 1000", + "data_type": "numeric", + "required": false, + "primary": false, + "contains": [], + "value_list": [], + "default": 1000, + "order": 0, + "name": "results_per_page", + "id": 1, + "param_name": "results_per_page" + }, + "max_results": { + "description": "Maximum results to be returned in the list", + "data_type": "numeric", + 
"required": false, + "primary": false, + "contains": [], + "value_list": [], + "default": 5000, + "order": 1, + "name": "max_results", + "id": 2, + "param_name": "max_results" + } + }, + "output": [ + { + "data_path": "action_result.parameter.results_per_page", + "data_type": "numeric", + "contains": [], + "column_name": "results_per_page", + "column_order": 0 + }, + { + "data_path": "action_result.parameter.max_results", + "data_type": "numeric", + "contains": [], + "column_name": "max_results", + "column_order": 1 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 2 + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.latest_url_analysis_feed", + "title": "TitaniumCloud Latest Url Analysis Feed" + }, + "versions": "EQ(*)" + }, + { + "action": "get url analysis feed from date", + "identifier": "get_url_analysis_feed_from_date", + "description": "TCA - 0403 - Get url analysis feed from date", + "verbose": "Accepts time format and a start time and returns URL analyses report from that defined time onward aggregated as a list.", + "type": "generic", + "read_only": false, + "parameters": { + "time_format": { + "description": "Possible values: 'utc' or 'timestamp'", + "data_type": "string", + "required": true, + "primary": false, + "value_list": [ + "timestamp", + "utc" + ], + "value_list": [ + "timestamp", + "utc" + ], + "default": "timestamp", + "contains": [], + "contains": [], + "order": 0, + "name": "time_format", + "id": 1, + "param_name": "time_format" + }, + "start_time": { + "description": "Time from which to retrieve results onwards. 
Needs to be less than 90 days from now", + "description": "Time from which to retrieve results onwards. Needs to be less than 90 days from now", + "data_type": "string", + "required": true, + "primary": false, + "contains": [], + "value_list": [], + "default": "", + "order": 1, + "name": "start_time", + "id": 2, + "param_name": "start_time" + }, + "results_per_page": { + "description": "Number of results to be returned in one page, maximum value is 1000", + "data_type": "numeric", + "required": false, + "primary": false, + "contains": [], + "value_list": [], + "default": 1000, + "order": 2, + "name": "results_per_page", + "id": 3, + "param_name": "results_per_page" + }, + "max_results": { + "description": "Maximum results to be returned in the list", + "data_type": "numeric", + "required": false, + "primary": false, + "contains": [], + "value_list": [], + "default": 5000, + "order": 3, + "name": "max_results", + "id": 4, + "param_name": "max_results" + } + }, + "output": [ + { + "data_path": "action_result.parameter.time_format", + "data_type": "string", + "contains": [], + "column_name": "time_format", + "column_order": 0 + }, + { + "data_path": "action_result.parameter.start_time", + "data_type": "string", + "contains": [], + "column_name": "start_time", + "column_order": 1 + }, + { + "data_path": "action_result.parameter.results_per_page", + "data_type": "numeric", + "contains": [], + "column_name": "results_per_page", + "column_order": 2 + }, + { + "data_path": "action_result.parameter.max_results", + "data_type": "numeric", + "contains": [], + "column_name": "max_results", + "column_order": 3 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 4 + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { 
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.url_analysis_feed_from_date",
+ "title": "TitaniumCloud Url Analysis Feed From Date"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "analyze url",
+ "identifier": "analyze_url",
+ "description": "TCA-0404 - Analyze a given URL",
+ "verbose": "TCA-0404 - This service allows users to submit a URL for analysis.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "url": {
+ "description": "URL to analyze",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "url"
+ ],
+ "order": 0,
+ "name": "url",
+ "id": 1,
+ "param_name": "url"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 1,
+ "example_values": [
+ "success",
+ "failed"
+ ]
+ },
+ {
+ "data_path": "action_result.parameter.url",
+ "data_type": "string",
+ "column_name": "url",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.summary",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.analyze_url",
+ "title": "TitaniumCloud Analyze Url"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "uri statistics",
+ "identifier": "uri_statistics",
+ "description": "TCA-0402 - Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI",
+ "verbose": "TCA-0402 - Provides the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI (domain, IP address, email or URL).",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "uri": {
+ "description": 
"Uri",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "order": 0,
+ "name": "uri",
+ "id": 1,
+ "param_name": "uri"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 1,
+ "example_values": [
+ "success",
+ "failed"
+ ]
+ },
+ {
+ "data_path": "action_result.parameter.uri",
+ "data_type": "string",
+ "column_name": "uri",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.summary",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.uri_statistics",
+ "title": "TitaniumCloud Uri Statistics"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "uri index",
+ "identifier": "uri_index",
+ "description": "TCA-0401 - Retrieve a list of all available file hashes associated with a given URI",
+ "verbose": "TCA-0401 - Provides a list of all available file hashes associated with a given URI (domain, IP address, email or URL) regardless of file classification.",
+ "type": "investigate",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "uri": {
+ "description": "Desired URI string",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "url",
+ "domain"
+ ],
+ "order": 0,
+ "name": "uri",
+ "id": 1,
+ "param_name": "uri"
+ },
+ "limit": {
+ "description": "Maximum number of results",
+ "data_type": "numeric",
+ "default": 5000,
+ "order": 1,
+ "name": "limit",
+ "id": 2,
+ "param_name": "limit"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 2,
+ 
"example_values": [
+ "success",
+ "failed"
+ ]
+ },
+ {
+ "data_path": "action_result.parameter.limit",
+ "data_type": "numeric",
+ "column_name": "limit",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.parameter.uri",
+ "data_type": "string",
+ "column_name": "uri",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.summary",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.uri_index",
+ "title": "TitaniumCloud Uri Index"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "submit for dynamic analysis",
+ "identifier": "submit_for_dynamic_analysis",
+ "description": "TCA-0207 - Submit an existing sample for dynamic analysis",
+ "verbose": "TCA-0207 - This service allows users to detonate a file in the ReversingLabs TitaniumCloud sandbox. To submit a file for analysis, it must exist in TitaniumCloud.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "sha1": {
+ "description": "Selected sample's SHA-1 hash",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "sha1",
+ "vault id"
+ ],
+ "order": 0,
+ "name": "sha1",
+ "id": 1,
+ "param_name": "sha1"
+ },
+ "platform": {
+ "description": "Selected platform on which the analysis will be performed. 
See TCA-0207 API documentation for available options",
+ "data_type": "string",
+ "value_list": [
+ "windows10",
+ "windows11",
+ "windows7",
+ "macos11",
+ "linux"
+ ],
+ "default": "windows10",
+ "value_list": [
+ "windows10",
+ "windows11",
+ "windows7",
+ "macos11",
+ "linux"
+ ],
+ "default": "windows10",
+ "required": true,
+ "order": 1,
+ "name": "platform",
+ "id": 2,
+ "param_name": "platform"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 2,
+ "example_values": [
+ "success",
+ "failed"
+ ]
+ },
+ {
+ "data_path": "action_result.parameter.platform",
+ "data_type": "string",
+ "column_name": "platform",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.parameter.sha1",
+ "data_type": "string",
+ "column_name": "sha1",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.summary",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.submit_for_dynamic_analysis",
+ "title": "TitaniumCloud Submit For Dynamic Analysis"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "submit url for dynamic analysis",
+ "identifier": "submit_url_for_dynamic_analysis",
+ "description": "TCA-0207 - Submit an url sample for dynamic analysis",
+ "verbose": "TCA-0207 - This service allows users to analyze a url in the ReversingLabs TitaniumCloud sandbox. 
To submit an url for analysis, it must exist in TitaniumCloud.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "url": {
+ "description": "Selected sample's url string",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "url",
+ "domain"
+ ],
+ "order": 0,
+ "name": "url",
+ "id": 1,
+ "param_name": "url"
+ },
+ "platform": {
+ "description": "Selected platform on which the analysis will be performed. See TCA-0207 API documentation for available options",
+ "data_type": "string",
+ "required": true,
+ "value_list": [
+ "windows10",
+ "windows11",
+ "windows7",
+ "macos11",
+ "linux"
+ ],
+ "default": "windows10",
+ "value_list": [
+ "windows10",
+ "windows11",
+ "windows7",
+ "macos11",
+ "linux"
+ ],
+ "default": "windows10",
+ "order": 1,
+ "name": "platform",
+ "id": 2,
+ "param_name": "platform"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.rl.url",
+ "data_type": "string",
+ "contains": [
+ "url"
+ ],
+ "column_name": "url",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.rl.sha1",
+ "data_type": "string",
+ "contains": [
+ "sha1"
+ ],
+ "column_name": "sha1",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.data.*.rl.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.data.*.rl.url_base64",
+ "data_type": "string",
+ "column_name": "url base64",
+ "column_order": 3
+ },
+ {
+ "data_path": "action_result.data.*.rl.analysis_id",
+ "data_type": "string",
+ "column_name": "analysis id",
+ "column_order": 4
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.summary",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": 
"numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "dynamic analysis results",
+ "identifier": "get_report",
+ "description": "TCA-0106 - Retrieve dynamic analysis results",
+ "verbose": "TCA-0106 - This service allows users to retrieve dynamic analysis results for a file that was submitted for dynamic analysis.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "sha1": {
+ "description": "Selected sample's SHA-1 hash",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "sha1"
+ ],
+ "order": 0,
+ "name": "sha1",
+ "id": 1,
+ "param_name": "sha1"
+ },
+ "analysis_id": {
+ "description": "Return only the results of this analysis",
+ "data_type": "string",
+ "order": 1,
+ "name": "analysis_id",
+ "id": 2,
+ "param_name": "analysis_id"
+ },
+ "latest": {
+ "description": "Return only the latest analysis results",
+ "data_type": "boolean",
+ "default": false,
+ "order": 2,
+ "name": "latest",
+ "id": 3,
+ "param_name": "latest"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 3,
+ "example_values": [
+ "success",
+ "failed"
+ ]
+ },
+ {
+ "data_path": "action_result.parameter.analysis_id",
+ "data_type": "string",
+ "column_name": "analysis_id",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.parameter.latest",
+ "data_type": "boolean",
+ "column_name": "latest",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.parameter.sha1",
+ "data_type": "string",
+ "column_name": "sha1",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.summary",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.dynamic_analysis_results",
+ "title": "TitaniumCloud Get Dynamic Analysis Results"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "dynamic url analysis results",
+ "identifier": "get_url_report",
+ "description": "TCA-0106 - Retrieve dynamic analysis results for url",
+ "verbose": "TCA-0106 - This service allows users to retrieve dynamic analysis results for an url that was submitted for dynamic analysis.",
+ "type": "investigate",
+ "read_only": true,
+ "parameters": {
+ "url": {
+ "description": "Provide one of the following: sha1, base64 or url",
+ "data_type": "string",
+ "primary": true,
+ "contains": [
+ "sha1",
+ "url"
+ ],
+ "required": true,
+ "order": 0,
+ "name": "url",
+ "id": 1,
+ "param_name": "url_sha1"
+ },
+ "analysis_id": {
+ "description": "Return only the results of this analysis",
+ "data_type": "string",
+ "order": 1,
+ "name": "analysis_id",
+ "id": 2,
+ "param_name": "analysis_id"
+ },
+ "latest": {
+ "description": "Return only the latest analysis results",
+ "data_type": "boolean",
+ "default": false,
+ "order": 2,
+ "name": "latest",
+ "id": 3,
+ "param_name": "latest"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.parameter.analysis_id",
+ "data_type": "string",
+ "column_name": "Analysis id",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.0.requested_sha1_url",
+ "data_type": "string",
+ "column_name": "Requested SHA1",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.summary",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ 
"height": 5,
+ "view": "reversinglabs_ticloudv2_views.dynamic_url_analysis_results",
+ "title": "TitaniumCloud Get Dynamic Analysis Results for URL"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "reanalyze file",
+ "identifier": "reanalyze_file",
+ "description": "TCA-0205 - Reanalyze sample",
+ "verbose": "TCA-0205 - This query sends a sample with the requested hash for rescanning.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "hash": {
+ "description": "File hash",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "md5",
+ "sha1",
+ "sha256"
+ ],
+ "order": 0,
+ "name": "hash"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 1,
+ "example_values": [
+ "success",
+ "failed"
+ ]
+ },
+ {
+ "data_path": "action_result.parameter.hash",
+ "data_type": "string",
+ "column_name": "hash",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.summary",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "upload file",
+ "identifier": "upload_file",
+ "description": "TCA-0202 - Upload file to TitaniumCloud",
+ "verbose": "TCA-0202 - Upload file to TitaniumCloud.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "vault_id": {
+ "description": "Vault ID of file to upload",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "vault id"
+ ],
+ "order": 0,
+ "name": "vault_id",
+ "id": 1,
+ "param_name": "vault_id"
+ },
+ "file_name": {
+ "description": "Filename to use",
+ "data_type": "string",
+ "contains": [
+ "file name"
+ ],
+ "default": "sample",
+ "order": 1,
+ "name": "file_name",
+ "id": 2,
+ "param_name": "file_name",
+ "primary": true
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 2,
+ "example_values": [
+ "success",
+ "failed"
+ ]
+ },
+ {
+ "data_path": "action_result.parameter.file_name",
+ "data_type": "string",
+ "contains": [
+ "file name"
+ ],
+ "column_name": "file_name",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.parameter.vault_id",
+ "data_type": "string",
+ "contains": [
+ "pe file",
+ "pdf",
+ "flash",
+ "apk",
+ "jar",
+ "doc",
+ "xls",
+ "ppt"
+ ],
+ "column_name": "vault_id",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.summary",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get file",
+ "identifier": "get_file",
+ "description": "TCA-0201 - Download a sample from TitaniumCloud",
+ "verbose": "TCA-0201 - Download a sample from TitaniumCloud and add it to the vault.",
+ "type": "investigate",
+ "read_only": true,
+ "parameters": {
+ "hash": {
+ "description": "Hash of file/sample to download",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "md5",
+ "sha1",
+ "sha256"
+ ],
+ "order": 0,
+ "name": "hash"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 1,
+ "example_values": [
+ "success",
+ "failed"
+ ]
+ },
+ {
+ "data_path": "action_result.parameter.hash",
+ "data_type": "string",
+ "contains": [
+ "md5",
+ "sha1",
+ "sha256"
+ ],
+ "column_name": "hash",
+ 
"column_order": 0
+ },
+ {
+ "data_path": "action_result.data",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.summary",
+ "data_type": "string"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get network reputation",
+ "identifier": "get_network_reputation",
+ "description": "Network Reputation API",
+ "verbose": "Service provides information regarding the reputation of a requested URL, domain, or IP address.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "network_locations": {
+ "description": "Network location to check (URL,DNS,IP)",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "domain",
+ "url",
+ "ip"
+ ],
+ "value_list": [],
+ "default": "",
+ "order": 0,
+ "name": "network_locations",
+ "id": 1,
+ "param_name": "network_locations"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 10,
+ "view": "reversinglabs_ticloudv2_views.network_reputation",
+ "title": "TitaniumCloud Network Reputation"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get list user overrides",
+ "identifier": "get_list_user_overrides",
+ "description": "List User Overrides",
+ "verbose": "The Network Reputation User Override service enables URL classification overrides. 
Any URL can be overridden to malicious, suspicious, or known.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "next_page_sha1": {
+ "description": "Optional parameter used for pagination",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "contains": [
+ "sha1"
+ ],
+ "value_list": [],
+ "default": "",
+ "order": 0,
+ "name": "next_page_sha1"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.user_override.network_locations.*.network_location",
+ "data_type": "string",
+ "contains": [
+ "url",
+ "domain",
+ "ip"
+ ],
+ "column_name": "network_location",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.user_override.network_locations.*.type",
+ "data_type": "string",
+ "contains": [
+ "url",
+ "domain",
+ "ip"
+ ],
+ "column_name": "type",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get list user overrides aggregated",
+ "identifier": "get_list_user_overrides_aggregated",
+ "description": "Returns a list of overrides that the user has made",
+ "verbose": "This API automatically handles paging and returns a list of results instead of a Response object.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "max_results": {
+ "description": "Maximum number of results to be returned in the list",
+ "data_type": "numeric",
+ "required": false,
+ "primary": false,
+ "contains": [],
+ "value_list": [],
+ "default": "",
+ "order": 0,
+ "name": "max_results"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.*.network_location",
+ "data_type": "string",
+ "contains": [
+ "url",
+ "domain",
+ "ip"
+ 
],
+ "column_name": "network_location",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.*.type",
+ "data_type": "string",
+ "contains": [
+ "url",
+ "domain",
+ "ip"
+ ],
+ "column_name": "type",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "network reputation user override",
+ "identifier": "network_reputation_user_override",
+ "description": "Network Reputation User Override",
+ "verbose": "The Network Reputation User Override service enables URL classification overrides.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "override_list": {
+ "description": "List of network locations whose classification needs to be overriden structured in JSON format. Visit documentation for guidance",
+ "description": "List of network locations whose classification needs to be overriden structured in JSON format. Visit documentation for guidance",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "contains": [],
+ "value_list": [],
+ "default": "",
+ "order": 0,
+ "name": "override_list"
+ },
+ "remove_overrides_list": {
+ "description": "List of network locations whose classification override needs to be removed structured in JSON format. Visit documentation for guidance",
+ "description": "List of network locations whose classification override needs to be removed structured in JSON format. 
Visit documentation for guidance",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "contains": [],
+ "value_list": [],
+ "default": "",
+ "order": 1,
+ "name": "remove_overrides_list"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.parameter.override_list",
+ "data_type": "string",
+ "contains": [],
+ "column_name": "override_list",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.parameter.remove_overrides_list",
+ "data_type": "string",
+ "contains": [],
+ "column_name": "remove_overrides_list",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.network_reputation_user_override",
+ "title": "TitaniumCloud Network Reputation User Overrides"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "file reputation user override",
+ "identifier": "file_reputation_user_override",
+ "description": "File Reputation User Override",
+ "verbose": "The File Reputation User Override service enables File sample classification overrides.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "override_samples": {
+ "description": "List of samples to override structured in JSON format. Visit documentation for guidance",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "default": "",
+ "order": 0,
+ "name": "override_samples"
+ },
+ "remove_overrides": {
+ "description": "List of samples whose classification override needs to be removed structured in JSON format. 
Visit documentation for guidance",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "default": "",
+ "order": 1,
+ "name": "remove_overrides"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.parameter.override_samples",
+ "data_type": "string",
+ "contains": [],
+ "column_name": "override_samples",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.parameter.remove_overrides",
+ "data_type": "string",
+ "contains": [],
+ "column_name": "remove_overrides",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.file_reputation_user_overrides",
+ "title": "TitaniumCloud File Reputation User Overrides"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "list active file reputation user overrides",
+ "identifier": "list_active_file_reputation_user_overrides",
+ "description": "List Active File Reputation User Overrides",
+ "verbose": "The File Reputation User Override service enables sample classification overrides. 
Any sample can be overridden to malicious, suspicious, or known.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "hash_type": {
+ "description": "Required parameter that defines the type of hash",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "value_list": [
+ "sha1",
+ "sha256",
+ "md5"
+ ],
+ "default": "sha1",
+ "order": 0,
+ "name": "hash_type"
+ },
+ "start_hash": {
+ "description": "When this parameter is present, the API will return up to 1000 hashes with a classification override starting from the start_hash value",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "contains": [
+ "sha1",
+ "sha256",
+ "md5"
+ ],
+ "default": "",
+ "order": 1,
+ "name": "start_hash"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.user_override.hash_values",
+ "data_type": "string",
+ "contains": [
+ "sha1",
+ "sha256",
+ "md5"
+ ],
+ "column_name": "Hash Values",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.list_active_file_overrides",
+ "title": "List Active File User Overrides"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer daily usage",
+ "identifier": "customer_daily_usage",
+ "description": "Check daily usage of ReversingLabs API",
+ "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "date": {
+ "description": "Specifies the date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM-DD format.",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 0,
+ "name": "date"
+ },
+ "company": {
+ "description": "When this parameter is checked, the API will return usage for all accounts within the company",
+ "data_type": "boolean",
+ "required": false,
+ "param_name": "Company",
+ "default": false,
+ "order": 1,
+ "name": "company"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.date",
+ "data_type": "string",
+ "column_name": "Date",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.product",
+ "data_type": "string",
+ "column_name": "Product",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.number_of_queries",
+ "data_type": "string",
+ "column_name": "Number of Queries",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.used_bytes",
+ "data_type": "string",
+ "column_name": "Used bytes (optional)",
+ "column_order": 3
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer dayrange usage",
+ "identifier": "customer_dayrange_usage",
+ "description": "Check ReversingLabs API usage for specified time range (in days)",
+ "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "from_date": {
+ "description": "Specifies the from date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM-DD format",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 0,
+ "name": "from_date"
+ },
+ "to_date": {
+ "description": "Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM-DD format",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 1,
+ "name": "to_date"
+ },
+ "company": {
+ "description": "When this parameter is checked, the API will return usage for all accounts within the company",
+ "data_type": "boolean",
+ "required": false,
+ "param_name": "Company",
+ "default": false,
+ "order": 2,
+ "name": "company"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.customer_dayrange_usage",
+ "title": "TitaniumCloud API Usage"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer monthly usage",
+ "identifier": "customer_monthly_usage",
+ "description": "Check Monthly usage of ReversingLabs API",
+ "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "month": {
+ "description": "Specifies the month for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM format",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 0,
+ "name": "month"
+ },
+ "company": {
+ "description": "When this parameter is checked, the API will return usage for all accounts within the company",
+ "data_type": "boolean",
+ "required": false,
+ "param_name": "Company",
+ "default": false,
+ "order": 1,
+ "name": "company"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.month",
+ "data_type": "string",
+ "column_name": "Date",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.product",
+ "data_type": "string",
+ "column_name": "Product",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.number_of_queries",
+ "data_type": "string",
+ "column_name": "Number of Queries",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.used_bytes",
+ "data_type": "string",
+ "column_name": "Used bytes (optional)",
+ "column_order": 3
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer month range usage",
+ "identifier": "customer_monthrange_usage",
+ "description": "Check ReversingLabs API usage for specified time range (in months)",
+ "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "from_month": {
+ "description": "Specifies the from date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM format",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 0,
+ "name": "from_month"
+ },
+ "to_month": {
+ "description": "Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM format",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 1,
+ "name": "to_month"
+ },
+ "company": {
+ "description": "When this parameter is checked, the API will return usage for all accounts within the company",
+ "data_type": "boolean",
+ "required": false,
+ "param_name": "Company",
+ "default": false,
+ "order": 2,
+ "name": "company"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.customer_monthrange_usage",
+ "title": "TitaniumCloud API Usage"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer yara api usage",
+ "identifier": "customer_yara_api_usage",
+ "description": "Check Yara usage on ReversingLabs API",
+ "verbose": "This query returns information about the number of active YARA rulesets for the TitaniumCloud account that sent the request.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "format": {
+ "description": "Specify the response format. Supported values are xml and json. 
The default is JSON",
+ "data_type": "string",
+ "value_list": [
+ "json"
+ ],
+ "default": "json",
+ "required": false,
+ "primary": false,
+ "order": 0,
+ "name": "format"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.product",
+ "data_type": "string",
+ "column_name": "Product",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.number_of_active_rulesets",
+ "data_type": "string",
+ "column_name": "Number of Active Rulesets",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer quota limits",
+ "identifier": "customer_quota_limits",
+ "description": "Returns current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company",
+ "verbose": "API allows ReversingLabs customers to track quota limits of TitaniumCloud services provisioned to all accounts in a company.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "company": {
+ "description": "When this parameter is checked, the API will return quota limits for all accounts within the company",
+ "data_type": "boolean",
+ "required": false,
+ "param_name": "Company",
+ "default": false,
+ "order": 0,
+ "name": "company"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.limits.*.limit",
+ "data_type": "numeric",
+ "column_name": "Limit",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.limits.*.limit_type",
+ "data_type": "string",
+ "column_name": "Limit Type",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.data.*.limits.*.limit_exceeded",
+ "data_type": "boolean",
+ "column_name": 
"Limit exceeded",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.data.*.limits.*.products",
+ "data_type": "string",
+ "column_name": "Products",
+ "column_order": 3
+ },
+ {
+ "data_path": "action_result.data.*.limits.*.users",
+ "data_type": "string",
+ "column_name": "Users",
+ "column_order": 4
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get domain report",
+ "identifier": "get_domain_report",
+ "description": "API returns threat intelligence data for the submitted domain",
+ "verbose": "The report contains domain reputation from various reputation sources, classification statistics for files downloaded from the domain, the most common threats found on the domain DNS information about the domain, and parent domain information.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "domain": {
+ "description": "The domain for which to retrieve the report",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "domain"
+ ],
+ "order": 0,
+ "name": "domain"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.domain_report",
+ "title": "Domain Report"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get domain downloaded files",
+ 
"identifier": "get_domain_downloaded_files",
+ "description": "Retrieve a list of files downloaded from the submitted domain",
+ "verbose": "The response will contain metadata for files downloaded from the submitted domain. Empty fields are not included in the response.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "domain": {
+ "description": "The domain for which to retrieve the downloaded files",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "domain"
+ ],
+ "order": 0,
+ "name": "domain"
+ },
+ "extended": {
+ "description": "Chose whether you want extended result data set",
+ "data_type": "boolean",
+ "required": false,
+ "primary": false,
+ "default": true,
+ "order": 1,
+ "name": "extended",
+ "param_name": "extended"
+ },
+ "limit": {
+ "description": "The number of files to return in the response. Default is 1000",
+ "data_type": "numeric",
+ "required": false,
+ "primary": false,
+ "default": 1000,
+ "order": 2,
+ "name": "limit",
+ "param_name": "limit"
+ },
+ "classification": {
+ "description": "Return only samples that match the requested classification for given domain",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "value_list": [
+ "known",
+ "suspicious",
+ "malicious",
+ "unknown"
+ ],
+ "order": 3,
+ "name": "classification",
+ "param_name": "classification"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.domain_downloaded_files",
+ "title": "Domain Downloaded Files Report"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get urls from domain",
+ "identifier": 
"get_urls_from_domain",
+ "description": "API provides a list of URLs associated with the requested domain",
+ "verbose": "API provides a list of URLs associated with the requested domain.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "domain": {
+ "description": "The domain for which to retrieve the resolved IP addresses",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "domain"
+ ],
+ "order": 0,
+ "name": "domain"
+ },
+ "page": {
+ "description": "String representing a page of results",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "order": 1,
+ "name": "page"
+ },
+ "limit": {
+ "description": "The number of files to return in the response. Default is 1000",
+ "data_type": "numeric",
+ "required": false,
+ "primary": false,
+ "default": 1000,
+ "order": 2,
+ "name": "limit",
+ "param_name": "limit"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.requested_domain",
+ "data_type": "string",
+ "contains": [
+ "domain"
+ ],
+ "column_name": "Domain",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.urls.*.url",
+ "data_type": "string",
+ "contains": [
+ "url"
+ ],
+ "column_name": "Url",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get resolutions from domain",
+ "identifier": "get_resolutions_from_domain",
+ "description": "API provides a list of domain-to-IP mappings for the requested domain",
+ "verbose": "API provides a list of domain-to-IP mappings for the requested domain.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "domain": {
+ 
"description": "The domain for which to retrieve the domain to IP mappings",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "domain"
+ ],
+ "order": 0,
+ "name": "domain"
+ },
+ "page": {
+ "description": "String representing a page of results",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "order": 1,
+ "name": "page"
+ },
+ "limit": {
+ "description": "The number of files to return in the response. Default is 1000",
+ "data_type": "numeric",
+ "required": false,
+ "primary": false,
+ "default": 1000,
+ "order": 2,
+ "name": "limit",
+ "param_name": "limit"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.requested_domain",
+ "data_type": "string",
+ "contains": [
+ "domain"
+ ],
+ "column_name": "Domain",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.resolutions.*.record_type",
+ "data_type": "string",
+ "column_name": "Record Type",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.data.*.resolutions.*.answer",
+ "data_type": "string",
+ "column_name": "Answer",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.data.*.resolutions.*.last_resolution_time",
+ "data_type": "string",
+ "column_name": "Last resolution time",
+ "column_order": 3
+ },
+ {
+ "data_path": "action_result.data.*.resolutions.*.provider",
+ "data_type": "string",
+ "column_name": "Provider",
+ "column_order": 4
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get related domains",
+ "identifier": "get_related_domains",
+ "description": "API provides a list of domains that have the same top parent domain as the requested 
domain",
+ "verbose": "API provides a list of domains that have the same top parent domain as the requested domain. If the requested domain is a top parent domain, the API will return all subdomains.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "domain": {
+ "description": "The domain for which to retrieve the downloaded files",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "domain"
+ ],
+ "order": 0,
+ "name": "domain"
+ },
+ "page": {
+ "description": "String representing a page of results",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "order": 1,
+ "name": "page"
+ },
+ "limit": {
+ "description": "The number of files to return in the response. Default is 1000",
+ "data_type": "numeric",
+ "required": false,
+ "primary": false,
+ "default": 1000,
+ "order": 2,
+ "name": "limit",
+ "param_name": "limit"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.requested_domain",
+ "data_type": "string",
+ "contains": [
+ "domain"
+ ],
+ "column_name": "Domain",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.related_domains.*.domain",
+ "data_type": "string",
+ "contains": [
+ "domain"
+ ],
+ "column_name": "Related domain",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get ip report",
+ "identifier": "get_ip_report",
+ "description": "API returns threat intelligence data for the submitted ip address",
+ "verbose": "The report contains IP reputation from various reputation sources, classification statistics for files downloaded from the IP, and the top threats hosted on 
the submitted IP.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "ip_address": {
+ "description": "The IP address for which to retrieve the report",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "ip"
+ ],
+ "order": 0,
+ "name": "ip_address"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.ip_report",
+ "title": "IP Report"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get ip downloaded files",
+ "identifier": "get_ip_downloaded_files",
+ "description": "Retrieve a list of files downloaded from the submitted IP address",
+ "verbose": "The response will contain metadata for files downloaded from the submitted IP address. Empty fields are not included in the response.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "ip_address": {
+ "description": "The IP address for which to retrieve the downloaded files",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "ip"
+ ],
+ "order": 0,
+ "name": "ip_address"
+ },
+ "extended": {
+ "description": "Chose whether you want extended result data set",
+ "data_type": "boolean",
+ "required": false,
+ "primary": false,
+ "default": true,
+ "order": 1,
+ "name": "extended",
+ "param_name": "extended"
+ },
+ "page": {
+ "description": "String representing a page of results",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "order": 2,
+ "name": "page"
+ },
+ "limit": {
+ "description": "The number of files to return in the response. 
Default is 1000",
+ "data_type": "numeric",
+ "required": false,
+ "primary": false,
+ "default": 1000,
+ "order": 3,
+ "name": "limit",
+ "param_name": "limit"
+ },
+ "classification": {
+ "description": "Return only samples that match the requested classification for given domain",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "value_list": [
+ "known",
+ "suspicious",
+ "malicious",
+ "unknown"
+ ],
+ "order": 4,
+ "name": "classification",
+ "param_name": "classification"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.ip_downloaded_files",
+ "title": "IP Downloaded Files Report"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get urls from ip",
+ "identifier": "get_urls_from_ip",
+ "description": "API provides a list of URLs associated with the requested IP address",
+ "verbose": "API provides a list of URLs associated with the requested IP address.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "ip_address": {
+ "description": "The IP for which to retrieve the domain resolutions",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "ip"
+ ],
+ "order": 0,
+ "name": "ip_address"
+ },
+ "page": {
+ "description": "String representing a page of results",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "order": 1,
+ "name": "page"
+ },
+ "limit": {
+ "description": "The number of files to return in the response. 
Default is 1000",
+ "data_type": "numeric",
+ "required": false,
+ "primary": false,
+ "default": 1000,
+ "order": 2,
+ "name": "limit",
+ "param_name": "limit"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.requested_ip",
+ "data_type": "string",
+ "contains": [
+ "ip"
+ ],
+ "column_name": "Requested IP",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.urls.*.url",
+ "data_type": "string",
+ "contains": [
+ "url"
+ ],
+ "column_name": "Url",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "get resolutions from ip",
+ "identifier": "get_resolutions_from_ip",
+ "description": "API provides a list of IP-to-domain mappings for the requested IP address",
+ "verbose": "API provides a list of IP-to-domain mappings for the requested IP address.",
+ "type": "investigate",
+ "read_only": false,
+ "parameters": {
+ "ip_address": {
+ "description": "The IP address for which to retrieve resolutions",
+ "data_type": "string",
+ "required": true,
+ "primary": true,
+ "contains": [
+ "ip"
+ ],
+ "order": 0,
+ "name": "ip_address"
+ },
+ "page": {
+ "description": "String representing a page of results",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "order": 1,
+ "name": "page"
+ },
+ "limit": {
+ "description": "The number of files to return in the response. 
Default is 1000",
+ "data_type": "numeric",
+ "required": false,
+ "primary": false,
+ "default": 1000,
+ "order": 2,
+ "name": "limit",
+ "param_name": "limit"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.requested_ip",
+ "data_type": "string",
+ "contains": [
+ "ip"
+ ],
+ "column_name": "IP Address",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.resolutions.*.host_name",
+ "data_type": "string",
+ "column_name": "Host name",
+ "contains": [
+ "domain"
+ ],
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.data.*.resolutions.*.last_resolution_time",
+ "data_type": "string",
+ "column_name": "Last resolution time",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.data.*.resolutions.*.provider",
+ "data_type": "string",
+ "column_name": "Provider",
+ "column_order": 3
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "file reputation user override",
+ "identifier": "file_reputation_user_override",
+ "description": "File Reputation User Override",
+ "verbose": "The File Reputation User Override service enables File sample classification overrides.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "override_samples": {
+ "description": "List of samples to override structured in JSON format. Visit documentation for guidance",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "default": "",
+ "order": 0,
+ "name": "override_samples"
+ },
+ "remove_overrides": {
+ "description": "List of samples whose classification override needs to be removed structured in JSON format. 
Visit documentation for guidance",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "default": "",
+ "order": 1,
+ "name": "remove_overrides"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.parameter.override_samples",
+ "data_type": "string",
+ "contains": [],
+ "column_name": "override_samples",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.parameter.remove_overrides",
+ "data_type": "string",
+ "contains": [],
+ "column_name": "remove_overrides",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.file_reputation_user_overrides",
+ "title": "TitaniumCloud File Reputation User Overrides"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "list active file reputation user overrides",
+ "identifier": "list_active_file_reputation_user_overrides",
+ "description": "List Active File Reputation User Overrides",
+ "verbose": "The File Reputation User Override service enables sample classification overrides. 
Any sample can be overridden to malicious, suspicious, or known.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "hash_type": {
+ "description": "Required parameter that defines the type of hash",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "value_list": [
+ "sha1",
+ "sha256",
+ "md5"
+ ],
+ "default": "sha1",
+ "order": 0,
+ "name": "hash_type"
+ },
+ "start_hash": {
+ "description": "When this parameter is present, the API will return up to 1000 hashes with a classification override starting from the start_hash value",
+ "data_type": "string",
+ "required": false,
+ "primary": false,
+ "contains": [
+ "sha1",
+ "sha256",
+ "md5"
+ ],
+ "default": "",
+ "order": 1,
+ "name": "start_hash"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.user_override.hash_values",
+ "data_type": "string",
+ "contains": [
+ "sha1",
+ "sha256",
+ "md5"
+ ],
+ "column_name": "Hash Values",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.list_active_file_overrides",
+ "title": "List Active File User Overrides"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer daily usage",
+ "identifier": "customer_daily_usage",
+ "description": "Check daily usage of ReversingLabs API",
+ "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "date": {
+ "description": "Specifies the date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM-DD format.",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 0,
+ "name": "date"
+ },
+ "company": {
+ "description": "When this parameter is checked, the API will return usage for all accounts within the company",
+ "data_type": "boolean",
+ "required": false,
+ "param_name": "Company",
+ "default": false,
+ "order": 1,
+ "name": "company"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.date",
+ "data_type": "string",
+ "column_name": "Date",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.product",
+ "data_type": "string",
+ "column_name": "Product",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.number_of_queries",
+ "data_type": "string",
+ "column_name": "Number of Queries",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.used_bytes",
+ "data_type": "string",
+ "column_name": "Used bytes (optional)",
+ "column_order": 3
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer dayrange usage",
+ "identifier": "customer_dayrange_usage",
+ "description": "Check ReversingLabs API usage for specified time range (in days)",
+ "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "from_date": {
+ "description": "Specifies the from date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM-DD format",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 0,
+ "name": "from_date"
+ },
+ "to_date": {
+ "description": "Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM-DD format",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 1,
+ "name": "to_date"
+ },
+ "company": {
+ "description": "When this parameter is checked, the API will return usage for all accounts within the company",
+ "data_type": "boolean",
+ "required": false,
+ "param_name": "Company",
+ "default": false,
+ "order": 2,
+ "name": "company"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.customer_dayrange_usage",
+ "title": "TitaniumCloud API Usage"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer monthly usage",
+ "identifier": "customer_monthly_usage",
+ "description": "Check Monthly usage of ReversingLabs API",
+ "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "month": {
+ "description": "Specifies the month for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM format",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 0,
+ "name": "month"
+ },
+ "company": {
+ "description": "When this parameter is checked, the API will return usage for all accounts within the company",
+ "data_type": "boolean",
+ "required": false,
+ "param_name": "Company",
+ "default": false,
+ "order": 1,
+ "name": "company"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.month",
+ "data_type": "string",
+ "column_name": "Date",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.product",
+ "data_type": "string",
+ "column_name": "Product",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.number_of_queries",
+ "data_type": "string",
+ "column_name": "Number of Queries",
+ "column_order": 2
+ },
+ {
+ "data_path": "action_result.data.*.usage_report.*.used_bytes",
+ "data_type": "string",
+ "column_name": "Used bytes (optional)",
+ "column_order": 3
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer month range usage",
+ "identifier": "customer_monthrange_usage",
+ "description": "Check ReversingLabs API usage for specified time range (in months)",
+ "verbose": "API allows ReversingLabs customers to track the usage of TitaniumCloud services provisioned to all accounts in a company.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "from_month": {
+ "description": "Specifies the from date for which customer usage information should be returned. 
Users can submit one value per request in the YYYY-MM format",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 0,
+ "name": "from_month"
+ },
+ "to_month": {
+ "description": "Specifies the to date for which customer usage information should be returned. Users can submit one value per request in the YYYY-MM format",
+ "data_type": "string",
+ "required": true,
+ "primary": false,
+ "order": 1,
+ "name": "to_month"
+ },
+ "company": {
+ "description": "When this parameter is checked, the API will return usage for all accounts within the company",
+ "data_type": "boolean",
+ "required": false,
+ "param_name": "Company",
+ "default": false,
+ "order": 2,
+ "name": "company"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "custom",
+ "width": 10,
+ "height": 5,
+ "view": "reversinglabs_ticloudv2_views.customer_monthrange_usage",
+ "title": "TitaniumCloud API Usage"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer yara api usage",
+ "identifier": "customer_yara_api_usage",
+ "description": "Check Yara usage on ReversingLabs API",
+ "verbose": "This query returns information about the number of active YARA rulesets for the TitaniumCloud account that sent the request.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "format": {
+ "description": "Specify the response format. Supported values are xml and json. 
The default is JSON",
+ "data_type": "string",
+ "value_list": [
+ "json"
+ ],
+ "default": "json",
+ "required": false,
+ "primary": false,
+ "order": 0,
+ "name": "format"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.product",
+ "data_type": "string",
+ "column_name": "Product",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.number_of_active_rulesets",
+ "data_type": "string",
+ "column_name": "Number of Active Rulesets",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.status",
+ "data_type": "string",
+ "column_name": "status"
+ },
+ {
+ "data_path": "action_result.message",
+ "data_type": "string"
+ },
+ {
+ "data_path": "summary.total_objects",
+ "data_type": "numeric"
+ },
+ {
+ "data_path": "summary.total_objects_successful",
+ "data_type": "numeric"
+ }
+ ],
+ "render": {
+ "type": "table"
+ },
+ "versions": "EQ(*)"
+ },
+ {
+ "action": "customer quota limits",
+ "identifier": "customer_quota_limits",
+ "description": "Returns current quota limits for APIs accessible to the authenticated user or users belonging to the authenticated user's company",
+ "verbose": "API allows ReversingLabs customers to track quota limits of TitaniumCloud services provisioned to all accounts in a company.",
+ "type": "generic",
+ "read_only": false,
+ "parameters": {
+ "company": {
+ "description": "When this parameter is checked, the API will return quota limits for all accounts within the company",
+ "data_type": "boolean",
+ "required": false,
+ "param_name": "Company",
+ "default": false,
+ "order": 0,
+ "name": "company"
+ }
+ },
+ "output": [
+ {
+ "data_path": "action_result.data.*.limits.*.limit",
+ "data_type": "numeric",
+ "column_name": "Limit",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.limits.*.limit_type",
+ "data_type": "string",
+ "column_name": "Limit Type",
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.data.*.limits.*.limit_exceeded",
+ "data_type": "boolean",
+ "column_name": 
"Limit exceeded", + "column_order": 2 + }, + { + "data_path": "action_result.data.*.limits.*.products", + "data_type": "string", + "column_name": "Products", + "column_order": 3 + }, + { + "data_path": "action_result.data.*.limits.*.users", + "data_type": "string", + "column_name": "Users", + "column_order": 4 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "get domain report", + "identifier": "get_domain_report", + "description": "API returns threat intelligence data for the submitted domain", + "verbose": "The report contains domain reputation from various reputation sources, classification statistics for files downloaded from the domain, the most common threats found on the domain DNS information about the domain, and parent domain information.", + "type": "generic", + "read_only": false, + "parameters": { + "domain": { + "description": "The domain for which to retrieve the report", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "domain" + ], + "order": 0, + "name": "domain" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.domain_report", + "title": "Domain Report" + }, + "versions": "EQ(*)" + }, + { + "action": "get domain downloaded files", + 
"identifier": "get_domain_downloaded_files", + "description": "Retrieve a list of files downloaded from the submitted domain", + "verbose": "The response will contain metadata for files downloaded from the submitted domain. Empty fields are not included in the response.", + "type": "generic", + "read_only": false, + "parameters": { + "domain": { + "description": "The domain for which to retrieve the downloaded files", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "domain" + ], + "order": 0, + "name": "domain" + }, + "extended": { + "description": "Chose whether you want extended result data set", + "data_type": "boolean", + "required": false, + "primary": false, + "default": true, + "order": 1, + "name": "extended", + "param_name": "extended" + }, + "limit": { + "description": "The number of files to return in the response. Default is 1000", + "data_type": "numeric", + "required": false, + "primary": false, + "default": 1000, + "order": 2, + "name": "limit", + "param_name": "limit" + }, + "classification": { + "description": "Return only samples that match the requested classification for given domain", + "data_type": "string", + "required": false, + "primary": false, + "value_list": [ + "known", + "suspicious", + "malicious", + "unknown" + ], + "order": 3, + "name": "classification", + "param_name": "classification" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.domain_downloaded_files", + "title": "Domain Downloaded Files Report" + }, + "versions": "EQ(*)" + }, + { + "action": "get urls from domain", + "identifier": 
"get_urls_from_domain", + "description": "API provides a list of URLs associated with the requested domain", + "verbose": "API provides a list of URLs associated with the requested domain.", + "type": "investigate", + "read_only": false, + "parameters": { + "domain": { + "description": "The domain for which to retrieve the resolved IP addresses", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "domain" + ], + "order": 0, + "name": "domain" + }, + "page": { + "description": "String representing a page of results", + "data_type": "string", + "required": false, + "primary": false, + "order": 1, + "name": "page" + }, + "limit": { + "description": "The number of files to return in the response. Default is 1000", + "data_type": "numeric", + "required": false, + "primary": false, + "default": 1000, + "order": 2, + "name": "limit", + "param_name": "limit" + } + }, + "output": [ + { + "data_path": "action_result.data.*.requested_domain", + "data_type": "string", + "contains": [ + "domain" + ], + "column_name": "Domain", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.urls.*.url", + "data_type": "string", + "contains": [ + "url" + ], + "column_name": "Url", + "column_order": 1 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" }, - "versions": "EQ(*)" - } - ], - "custom_made": true, - "version": 1, - "appname": "-", - "executable": "spawn3", - "disabled": false, - "pip39_dependencies": { - "wheel": [ { - "module": "certifi", - "input_file": "wheels/py3/certifi-2024.2.2-py3-none-any.whl" + "action": "get resolutions from domain", + "identifier": "get_resolutions_from_domain", + 
"description": "API provides a list of domain-to-IP mappings for the requested domain", + "verbose": "API provides a list of domain-to-IP mappings for the requested domain.", + "type": "investigate", + "read_only": false, + "parameters": { + "domain": { + "description": "The domain for which to retrieve the domain to IP mappings", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "domain" + ], + "order": 0, + "name": "domain" + }, + "page": { + "description": "String representing a page of results", + "data_type": "string", + "required": false, + "primary": false, + "order": 1, + "name": "page" + }, + "limit": { + "description": "The number of files to return in the response. Default is 1000", + "data_type": "numeric", + "required": false, + "primary": false, + "default": 1000, + "order": 2, + "name": "limit", + "param_name": "limit" + } + }, + "output": [ + { + "data_path": "action_result.data.*.requested_domain", + "data_type": "string", + "contains": [ + "domain" + ], + "column_name": "Domain", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.resolutions.*.record_type", + "data_type": "string", + "column_name": "Record Type", + "column_order": 1 + }, + { + "data_path": "action_result.data.*.resolutions.*.answer", + "data_type": "string", + "column_name": "Answer", + "column_order": 2 + }, + { + "data_path": "action_result.data.*.resolutions.*.last_resolution_time", + "data_type": "string", + "column_name": "Last resolution time", + "column_order": 3 + }, + { + "data_path": "action_result.data.*.resolutions.*.provider", + "data_type": "string", + "column_name": "Provider", + "column_order": 4 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": 
"numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" }, { - "module": "charset_normalizer", - "input_file": "wheels/py3/charset_normalizer-2.1.1-py3-none-any.whl" + "action": "get related domains", + "identifier": "get_related_domains", + "description": "API provides a list of domains that have the same top parent domain as the requested domain", + "verbose": "API provides a list of domains that have the same top parent domain as the requested domain. If the requested domain is a top parent domain, the API will return all subdomains.", + "type": "investigate", + "read_only": false, + "parameters": { + "domain": { + "description": "The domain for which to retrieve the downloaded files", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "domain" + ], + "order": 0, + "name": "domain" + }, + "page": { + "description": "String representing a page of results", + "data_type": "string", + "required": false, + "primary": false, + "order": 1, + "name": "page" + }, + "limit": { + "description": "The number of files to return in the response. 
Default is 1000", + "data_type": "numeric", + "required": false, + "primary": false, + "default": 1000, + "order": 2, + "name": "limit", + "param_name": "limit" + } + }, + "output": [ + { + "data_path": "action_result.data.*.requested_domain", + "data_type": "string", + "contains": [ + "domain" + ], + "column_name": "Domain", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.related_domains.*.domain", + "data_type": "string", + "contains": [ + "domain" + ], + "column_name": "Related domain", + "column_order": 1 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" }, { - "module": "idna", - "input_file": "wheels/py3/idna-3.7-py3-none-any.whl" + "action": "get ip report", + "identifier": "get_ip_report", + "description": "API returns threat intelligence data for the submitted ip address", + "verbose": "The report contains IP reputation from various reputation sources, classification statistics for files downloaded from the IP, and the top threats hosted on the submitted IP.", + "type": "generic", + "read_only": false, + "parameters": { + "ip_address": { + "description": "The IP address for which to retrieve the report", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "ip" + ], + "order": 0, + "name": "ip_address" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { 
+ "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.ip_report", + "title": "IP Report" + }, + "versions": "EQ(*)" }, { - "module": "requests", - "input_file": "wheels/py3/requests-2.32.2-py3-none-any.whl" + "action": "get ip downloaded files", + "identifier": "get_ip_downloaded_files", + "description": "Retrieve a list of files downloaded from the submitted IP address", + "verbose": "The response will contain metadata for files downloaded from the submitted IP address. Empty fields are not included in the response.", + "type": "generic", + "read_only": false, + "parameters": { + "ip_address": { + "description": "The IP address for which to retrieve the downloaded files", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "ip" + ], + "order": 0, + "name": "ip_address" + }, + "extended": { + "description": "Chose whether you want extended result data set", + "data_type": "boolean", + "required": false, + "primary": false, + "default": true, + "order": 1, + "name": "extended", + "param_name": "extended" + }, + "page": { + "description": "String representing a page of results", + "data_type": "string", + "required": false, + "primary": false, + "order": 2, + "name": "page" + }, + "limit": { + "description": "The number of files to return in the response. 
Default is 1000", + "data_type": "numeric", + "required": false, + "primary": false, + "default": 1000, + "order": 3, + "name": "limit", + "param_name": "limit" + }, + "classification": { + "description": "Return only samples that match the requested classification for given domain", + "data_type": "string", + "required": false, + "primary": false, + "value_list": [ + "known", + "suspicious", + "malicious", + "unknown" + ], + "order": 4, + "name": "classification", + "param_name": "classification" + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "custom", + "width": 10, + "height": 5, + "view": "reversinglabs_ticloudv2_views.ip_downloaded_files", + "title": "IP Downloaded Files Report" + }, + "versions": "EQ(*)" }, { - "module": "reversinglabs_sdk_py3", - "input_file": "wheels/py3/reversinglabs_sdk_py3-2.7.0-py3-none-any.whl" + "action": "get urls from ip", + "identifier": "get_urls_from_ip", + "description": "API provides a list of URLs associated with the requested IP address", + "verbose": "API provides a list of URLs associated with the requested IP address.", + "type": "investigate", + "read_only": false, + "parameters": { + "ip_address": { + "description": "The IP for which to retrieve the domain resolutions", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "ip" + ], + "order": 0, + "name": "ip_address" + }, + "page": { + "description": "String representing a page of results", + "data_type": "string", + "required": false, + "primary": false, + "order": 1, + "name": "page" + }, + "limit": { + "description": "The number of files to return in the response. 
Default is 1000", + "data_type": "numeric", + "required": false, + "primary": false, + "default": 1000, + "order": 2, + "name": "limit", + "param_name": "limit" + } + }, + "output": [ + { + "data_path": "action_result.data.*.requested_ip", + "data_type": "string", + "contains": [ + "ip" + ], + "column_name": "Requested IP", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.urls.*.url", + "data_type": "string", + "contains": [ + "url" + ], + "column_name": "Url", + "column_order": 1 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" }, { - "module": "urllib3", - "input_file": "wheels/shared/urllib3-2.2.1-py3-none-any.whl" + "action": "get resolutions from ip", + "identifier": "get_resolutions_from_ip", + "description": "API provides a list of IP-to-domain mappings for the requested IP address", + "verbose": "API provides a list of IP-to-domain mappings for the requested IP address.", + "type": "investigate", + "read_only": false, + "parameters": { + "ip_address": { + "description": "The IP address for which to retrieve resolutions", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "ip" + ], + "order": 0, + "name": "ip_address" + }, + "page": { + "description": "String representing a page of results", + "data_type": "string", + "required": false, + "primary": false, + "order": 1, + "name": "page" + }, + "limit": { + "description": "The number of files to return in the response. 
Default is 1000", + "data_type": "numeric", + "required": false, + "primary": false, + "default": 1000, + "order": 2, + "name": "limit", + "param_name": "limit" + } + }, + "output": [ + { + "data_path": "action_result.data.*.requested_ip", + "data_type": "string", + "contains": [ + "ip" + ], + "column_name": "IP Address", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.resolutions.*.host_name", + "data_type": "string", + "column_name": "Host name", + "contains": [ + "domain" + ], + "column_order": 1 + }, + { + "data_path": "action_result.data.*.resolutions.*.last_resolution_time", + "data_type": "string", + "column_name": "Last resolution time", + "column_order": 2 + }, + { + "data_path": "action_result.data.*.resolutions.*.provider", + "data_type": "string", + "column_name": "Provider", + "column_order": 3 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" } - ] - } -} + ], + "custom_made": true, + "version": 1, + "appname": "-", + "executable": "spawn3", + "disabled": false, + "pip39_dependencies": { + "wheel": [ + { + "module": "certifi", + "input_file": "wheels/py3/certifi-2024.2.2-py3-none-any.whl" + }, + { + "module": "charset_normalizer", + "input_file": "wheels/py3/charset_normalizer-2.1.1-py3-none-any.whl" + }, + { + "module": "idna", + "input_file": "wheels/py3/idna-3.7-py3-none-any.whl" + }, + { + "module": "requests", + "input_file": "wheels/py3/requests-2.32.2-py3-none-any.whl" + }, + { + "module": "reversinglabs_sdk_py3", + "input_file": "wheels/py3/reversinglabs_sdk_py3-2.7.0-py3-none-any.whl" + }, + { + "module": "urllib3", + "input_file": "wheels/shared/urllib3-2.2.1-py3-none-any.whl" + } 
+        ]
+    }
+}
\ No newline at end of file
diff --git a/reversinglabs_ticloudv2_connector.py b/reversinglabs_ticloudv2_connector.py
index 523cea1..b25ff6c 100644
--- a/reversinglabs_ticloudv2_connector.py
+++ b/reversinglabs_ticloudv2_connector.py
@@ -20,6 +20,7 @@
 import os
 import re
 from urllib.parse import urlparse
+from urllib.parse import urlparse
 # Phantom App imports
 import phantom.app as phantom
@@ -137,6 +138,23 @@ class ReversinglabsTitaniumCloudV2Connector(BaseConnector):
     ACTION_ID_GET_IP_DOWNLOADED_FILES = "get_ip_downloaded_files"
     ACTION_ID_GET_URLS_FROM_IP = "get_urls_from_ip"
     ACTION_ID_GET_RESOLUTIONS_FROM_IP = "get_resolutions_from_ip"
+    ACTION_ID_FILE_REPUTATION_USER_OVERRIDE = "file_reputation_user_override"
+    ACTION_ID_LIST_ACTIVE_FILE_REPUTATION_USER_OVERRIDE = "list_active_file_reputation_user_overrides"
+    ACTION_ID_CUSTOMER_DAILY_USAGE = "customer_daily_usage"
+    ACTION_ID_CUSTOMER_MONTHLY_USAGE = "customer_monthly_usage"
+    ACTION_ID_CUSTOMER_MONTHRANGE_USAGE = "customer_monthrange_usage"
+    ACTION_ID_CUSTOMER_DAYRANGE_USAGE = "customer_dayrange_usage"
+    ACTION_ID_CUSTOMER_YARA_API_USAGE = "customer_yara_api_usage"
+    ACTION_ID_CUSTOMER_QUOTA_LIMITS = "customer_quota_limits"
+    ACTION_ID_GET_DOMAIN_REPORT = "get_domain_report"
+    ACTION_ID_GET_DOMAIN_DOWNLOADED_FILES = "get_domain_downloaded_files"
+    ACTION_ID_GET_URLS_FROM_DOMAIN = "get_urls_from_domain"
+    ACTION_ID_GET_RESOLUTIONS_FROM_DOMAIN = "get_resolutions_from_domain"
+    ACTION_ID_GET_RELATED_DOMAINS = "get_related_domains"
+    ACTION_ID_GET_IP_REPORT = "get_ip_report"
+    ACTION_ID_GET_IP_DOWNLOADED_FILES = "get_ip_downloaded_files"
+    ACTION_ID_GET_URLS_FROM_IP = "get_urls_from_ip"
+    ACTION_ID_GET_RESOLUTIONS_FROM_IP = "get_resolutions_from_ip"
     def __init__(self):
         # Call the BaseConnectors init first
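Review bot: The added `from urllib.parse import urlparse` duplicates the context line directly above it, and the seventeen `ACTION_ID_*` assignments in the `@@ -137,6 +138,23 @@` hunk rebind class attributes that already exist (the three visible context lines carry the same names and values), so both additions are no-ops that a linter reports as redefinitions. The same doubled-line pattern runs through every `# TCA-…` hunk of this file from `@@ -233,6 +251,7 @@` to `@@ -775,6 +828,7 @@`, which suggests the branch was merged onto a copy of itself rather than a deliberate change. Dropping every `+` line in those hunks restores the original file; only the doubled lines inside `_handle_reanalyze_file` and `_handle_upload_file` go beyond noise and change behaviour. The commit also adds the binary `wheels/py3/reversinglabs_sdk_py3-2.5.4-py3-none-any.whl` while the manifest's `pip39_dependencies` entry names `wheels/py3/reversinglabs_sdk_py3-2.7.0-py3-none-any.whl`, so the 2.5.4 wheel appears unreferenced and should be removed or the manifest pointed at it.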
@@ -233,6 +251,7 @@ def handle_action(self, param):
         return action_result.set_status(phantom.APP_SUCCESS)
+    # TCA-0101
     # TCA-0101
     def _handle_file_reputation(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -253,6 +272,7 @@ def _handle_file_reputation(self, action_result, param):
         self.debug_print("Executed", self.get_action_identifier())
         action_result.add_data(response.json())
+    # TCA-0320
     # TCA-0320
     def _handle_advanced_search(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -268,6 +288,7 @@ def _handle_advanced_search(self, action_result, param):
         for result in response:
             action_result.add_data(result)
+    # TCA-0402
     # TCA-0402
     def _handle_uri_statistics(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -282,6 +303,7 @@ def _handle_uri_statistics(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0103
     # TCA-0103
     def _handle_av_scanners(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -293,6 +315,7 @@ def _handle_av_scanners(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0104
     # TCA-0104
     def _handle_file_analysis(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -306,6 +329,7 @@ def _handle_file_analysis(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0301
     # TCA-0301
     def _handle_functional_similarity(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -320,6 +344,7 @@ def _handle_functional_similarity(self, action_result, param):
         for result in response:
             action_result.add_data(result)
+    # TCA-0403
     # TCA-0403
     def _handle_url_reputation(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -340,6 +365,7 @@ def _handle_url_reputation(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0403
     # TCA-0403
     def _handle_get_url_downloaded_files(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -361,6 +387,7 @@ def _handle_get_url_downloaded_files(self, action_result, param):
         for x in response:
             action_result.add_data(x)
+    # TCA-0403
     # TCA-0403
     def _handle_get_latest_url_analysis_feed(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -378,6 +405,7 @@ def _handle_get_latest_url_analysis_feed(self, action_result, param):
         self.debug_print("ACTION RESULT DATA:", action_result)
+    # TCA-0403
     # TCA-0403
     def _handle_get_url_analysis_feed_from_date(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -397,6 +425,7 @@ def _handle_get_url_analysis_feed_from_date(self, action_result, param):
         for x in response:
             action_result.add_data(x)
+    # TCA-0404
     # TCA-0404
     def _handle_analyze_url(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -410,6 +439,7 @@ def _handle_analyze_url(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0401
     # TCA-0401
     def _handle_uri_index(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -424,6 +454,7 @@ def _handle_uri_index(self, action_result, param):
         for result in response:
             action_result.add_data(result)
+    # TCA-0302
     # TCA-0302
     def _handle_imphash_similarity(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -438,6 +469,7 @@ def _handle_imphash_similarity(self, action_result, param):
         for result in response:
             action_result.add_data(result)
+    # TCA-0106 and TCA-0207
     # TCA-0106 and TCA-0207
     def _handle_submit_for_dynamic_analysis(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -451,6 +483,7 @@ def _handle_submit_for_dynamic_analysis(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0106 and TCA_0207
     # TCA-0106 and TCA_0207
     def _handle_submit_url_for_dynamic_analysis(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -464,6 +497,7 @@ def _handle_submit_url_for_dynamic_analysis(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0207
     # TCA-0207
     def _handle_get_report(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -478,6 +512,7 @@ def _handle_get_report(self, action_result, param):
         self.debug_print("Executed", self.get_action_identifier())
         action_result.add_data(response.json())
+    # TCA-0207
     # TCA-0207
     def _handle_get_url_report(self, action_result, param):
@@ -500,6 +535,7 @@ def _handle_get_url_report(self, action_result, param):
         self.debug_print("Executed", self.get_action_identifier())
         action_result.add_data(response.json())
+    # TCA-0205
     # TCA-0205
     def _handle_reanalyze_file(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -508,9 +544,11 @@ def _handle_reanalyze_file(self, action_result, param):
             host=self.ticloud_base_url, username=self.ticloud_username, password=self.ticloud_password, user_agent=self.USER_AGENT
         )
         reanalyze.renalyze_samples(sample_hashes=param.get("hash"))
+        reanalyze.renalyze_samples(sample_hashes=param.get("hash"))
         self.debug_print("Executed", self.get_action_identifier())
+    # TCA-0202
     # TCA-0202
     def _handle_upload_file(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -561,6 +599,7 @@ def _handle_upload_file(self, action_result, param):
         response = requests.post(
             url="{base_url}{ticloud_spex_url}{file_sha1}/meta".format(
+                base_url=base_url_with_schema,
                 base_url=base_url_with_schema,
                 ticloud_spex_url=self.ticloud_spex_url,
                 file_sha1=file["metadata"]["sha1"],
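Review bot: The added second `reanalyze.renalyze_samples(sample_hashes=param.get("hash"))` in the `@@ -508,9 +544,11 @@` hunk sends the re-analysis request for the same hashes twice on every run of `_handle_reanalyze_file`, which doubles the TitaniumCloud calls and quota consumed per invocation and may queue duplicate re-analysis jobs on the service side. The original call is already present as the context line above it, so the `+` line should simply be deleted. The method's body begins outside this hunk.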
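Review bot: The added `base_url=base_url_with_schema,` in the `@@ -561,6 +599,7 @@` hunk repeats a keyword argument that the next context line already passes to `.format(`, and CPython rejects a repeated keyword argument in a call at compile time (`SyntaxError: keyword argument repeated`), so this breaks import of the whole connector module rather than just the upload action. Remove the added line so the `.format(` call again lists each of `base_url`, `ticloud_spex_url` and `file_sha1` once. `_handle_upload_file` starts and ends outside this hunk.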
@@ -576,6 +615,7 @@ def _handle_upload_file(self, action_result, param):
         if response.status_code != 200:
             raise Exception("Unable to upload file meta to TitaniumCloud. Status code: {0}".format(response.status_code))
+    # TCA-0201
     # TCA-0201
     def _handle_get_file(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -595,6 +635,7 @@ def _handle_get_file(self, action_result, param):
         if not success:
             raise Exception("Unable to store file in Vault. Error details: {0}".format(msg))
+    # TCA-0303
     # TCA-0303
     def _handle_yara_create_ruleset(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -608,6 +649,7 @@ def _handle_yara_create_ruleset(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0303
     # TCA-0303
     def _handle_yara_delete_ruleset(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -619,6 +661,7 @@ def _handle_yara_delete_ruleset(self, action_result, param):
         self.debug_print("Executed", self.get_action_identifier())
+    # TCA-0303
     # TCA-0303
     def _handle_yara_get_ruleset_info(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -632,6 +675,7 @@ def _handle_yara_get_ruleset_info(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0303
     # TCA-0303
     def _handle_yara_get_ruleset_text(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -645,6 +689,7 @@ def _handle_yara_get_ruleset_text(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0303
     # TCA-0303
     def _handle_get_yara_matches(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -658,6 +703,7 @@ def _handle_get_yara_matches(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0319
     # TCA-0319
     def _handle_yara_retro_enable_hunt(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -671,6 +717,7 @@ def _handle_yara_retro_enable_hunt(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0319
     # TCA-0319
     def _handle_yara_retro_start_hunt(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -684,6 +731,7 @@ def _handle_yara_retro_start_hunt(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0319
     # TCA-0319
     def _handle_yara_retro_check_status(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -697,6 +745,7 @@ def _handle_yara_retro_check_status(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0319
     # TCA-0319
     def _handle_yara_retro_cancel_hunt(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -710,6 +759,7 @@ def _handle_yara_retro_cancel_hunt(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0319
     # TCA-0319
     def _handle_get_yara_retro_matches(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -723,6 +773,7 @@ def _handle_get_yara_retro_matches(self, action_result, param):
         action_result.add_data(response.json())
+    # TCA-0407
     # TCA-0407
     def _handle_get_network_reputation(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -747,6 +798,7 @@ def _handle_get_network_reputation(self, action_result, param):
         return action_result.get_status()
+    # TCA-0408
     # TCA-0408
     def _handle_get_list_user_overrides(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -762,6 +814,7 @@ def _handle_get_list_user_overrides(self, action_result, param):
         return action_result.get_status()
+    # TCA-0408
     # TCA-0408
     def _handle_get_list_user_overrides_aggregated(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
@@ -775,6 +828,7 @@ def _handle_get_list_user_overrides_aggregated(self, action_result, param):
         self.debug_print("Executed", self.get_action_identifier())
         action_result.add_data(response)
+    # TCA-0408
     # TCA-0408
     def _handle_network_reputation_user_override(self, action_result, param):
         self.debug_print("Action handler", self.get_action_identifier())
diff --git a/reversinglabs_ticloudv2_views.py b/reversinglabs_ticloudv2_views.py
index ab2a838..5142894 100644
--- a/reversinglabs_ticloudv2_views.py
+++ b/reversinglabs_ticloudv2_views.py
@@ -175,6 +175,9 @@ def dynamic_url_analysis_results(provides, all_app_runs, context):
             # Color code for each dropped file entry
             dropped_files = data.get("report").get("dropped_files")
+            if dropped_files is not None:
+                for df in dropped_files:
+                    df["classification_color_dropped_files"] = color_code_classification(df.get("classification"))
             if dropped_files is not None:
                 for df in dropped_files:
                     df["classification_color_dropped_files"] = color_code_classification(df.get("classification"))
@@ -184,6 +187,11 @@ def dynamic_url_analysis_results(provides, all_app_runs, context):
                     analysis_ids = df.get("analysis_ids")
                     for an_id in analysis_ids:
                         an_id["classification_color_dropped_files_merged"] = color_code_classification(an_id.get("classification"))
+                # get color coding for entries in merged report
+                if df.get("analysis_ids"):
+                    analysis_ids = df.get("analysis_ids")
+                    for an_id in analysis_ids:
+                        an_id["classification_color_dropped_files_merged"] = color_code_classification(an_id.get("classification"))
             context["data"] = data
             context["param"] = result.get_param()
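Review bot: The three lines added in the views `@@ -175,6 +175,9 @@` hunk repeat the `if dropped_files is not None:` loop that follows them verbatim, and the five lines added in `@@ -184,6 +187,11 @@` repeat the merged-report `analysis_ids` loop the same way, so every dropped file and every `analysis_ids` entry is colour-coded twice per render of `dynamic_url_analysis_results`. Assuming `color_code_classification` is a pure function, the second pass only rewrites the same value into `classification_color_dropped_files` and `classification_color_dropped_files_merged`, but it doubles the work on large reports and leaves two copies of the same logic to maintain. Both additions should be dropped so the function returns to its pre-commit shape; the function starts outside these hunks, so the indentation the duplicated block landed at cannot be confirmed from here.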
diff --git a/wheels/py3/reversinglabs_sdk_py3-2.5.4-py3-none-any.whl b/wheels/py3/reversinglabs_sdk_py3-2.5.4-py3-none-any.whl
new file mode 100644
index 0000000..b4d9b80
Binary files /dev/null and b/wheels/py3/reversinglabs_sdk_py3-2.5.4-py3-none-any.whl differ