Publisher: TwinWave
Connector Version: 1.0.1
Product Vendor: TwinWave
Product Name: TwinWave
Product Version Supported (regex): ".*"
Minimum Product Version: 5.1.0
A threat analysis platform to reduce the friction of repetitive manual tasks typically associated with investigating threats
The TwinWave Splunk SOAR app can be used to connect with the TwinWave analysis platform
The following actions are supported by the app:
- Submitting a URL for analysis
- Submitting a file for analysis
- Fetching analysis (job) summary data
- Fetching the forensics for a job
- Downloading screenshots for a job and attaching them to the vault
- Downloading an offline PDF report for a job and attaching it to the vault
The following configuration variables are used by this connector (only `api_token` is mandatory). They are specified when configuring a TwinWave asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
api_token | required | password | API token issued by the TwinWave platform (stored as a SOAR password field, so it is not shown in clear text) |
since | optional | numeric | Start of the time range, in hours before now |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
on poll - Callback action for the on_poll ingest functionality
get job forensics - Get the consolidated forensics for a completed job
get job summary - Get a job summary
list recent jobs - Get a list of recent jobs
detonate file - Submit File for Scanning
detonate url - Submit New URL for Scanning
get pdf report - Get the PDF report for a completed job
get job screenshots - Get screenshots for the specified job and store them in the vault
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Callback action for the on_poll ingest functionality
Type: ingest
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
container_id | optional | Container IDs to limit the ingestion to | string | |
start_time | optional | Start of time range, in epoch time (milliseconds). If not specified, the default is past 10 days | numeric | |
end_time | optional | End of time range, in epoch time (milliseconds). If not specified, the default is now | numeric | |
container_count | optional | Maximum number of container records to query for | numeric | |
artifact_count | optional | Maximum number of artifact records to query for | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.data | string | |
action_result.summary | string | |
action_result.parameter.container_id | string | |
action_result.parameter.start_time | numeric | |
action_result.parameter.end_time | numeric | |
action_result.parameter.container_count | numeric | |
action_result.parameter.artifact_count | numeric | |
action_result.status | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get the consolidated forensics for a completed job
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
job_id | required | Job id of the forensics you want pulled | string | twinwave job id |
wait | optional | Wait for job to finish before returning results | boolean | |
timeout | optional | Maximum time (in minutes) to wait for job to be complete | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.job_id | string | twinwave job id |
action_result.parameter.wait | boolean | |
action_result.parameter.timeout | numeric | |
action_result.status | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
action_result.data | string | |
action_result.summary | string | |
action_result.data.*.TLS.*.Issuer | string | |
action_result.data.*.TLS.*.Source.IP | string | |
action_result.data.*.TLS.*.Source.Port | numeric | |
action_result.data.*.TLS.*.Details.JA3 | string | |
action_result.data.*.TLS.*.Engines | string | |
action_result.data.*.TLS.*.Subject | string | |
action_result.data.*.TLS.*.Destination.IP | string | |
action_result.data.*.TLS.*.Destination.Port | numeric | |
action_result.data.*.TLS.*.Fingerprint | numeric | |
action_result.data.*.HTTP.*.URL | string | |
action_result.data.*.HTTP.*.Path | string | |
action_result.data.*.HTTP.*.Method | string | |
action_result.data.*.HTTP.*.Source.*.IP | string | |
action_result.data.*.HTTP.*.Source.*.Port | numeric | |
action_result.data.*.HTTP.*.Hostname | string | |
action_result.data.*.HTTP.*.TotalSize | numeric | |
action_result.data.*.HTTP.*.UserAgent | string | |
action_result.data.*.HTTP.*.StatusCode | numeric | |
action_result.data.*.HTTP.*.Destination.*.IP | string | |
action_result.data.*.HTTP.*.Destination.*.Port | numeric | |
action_result.data.*.HTTP.*.RequestSize | numeric | |
action_result.data.*.HTTP.*.ResponseSize | numeric | |
action_result.data.*.HTTP.*.RequestHeaders | string | |
action_result.data.*.HTTP.*.ResponseHeaders | string | |
action_result.data.*.Logs | string | |
action_result.data.*.URLs.*.URL | string | |
action_result.data.*.URLs.*.Context | string | |
action_result.data.*.URLs.*.Engines | string | |
action_result.data.*.URLs.*.LinkText | string | |
action_result.data.*.Files.*.MD5 | string | |
action_result.data.*.Files.*.Path | string | |
action_result.data.*.Files.*.Size | numeric | |
action_result.data.*.Files.*.SHA256 | string | |
action_result.data.*.Files.*.Ssdeep | string | |
action_result.data.*.Files.*.Context | string | |
action_result.data.*.Files.*.Details.*.SHA1 | string | |
action_result.data.*.Files.*.Details.*.CRC32 | string | |
action_result.data.*.Files.*.Details.*.ClamAV | string | |
action_result.data.*.Files.*.Details.*.SHA512 | string | |
action_result.data.*.Files.*.Details.*.GuestPath | string | |
action_result.data.*.Files.*.FileName | string | |
action_result.data.*.Files.*.FileType | string | |
action_result.data.*.Files.*.NetworkSources | string | |
action_result.data.*.Forms.*.Action | string | |
action_result.data.*.Forms.*.Inputs.*.ID | string | |
action_result.data.*.Forms.*.Inputs.*.Name | string | |
action_result.data.*.Forms.*.Inputs.*.Type | string | |
action_result.data.*.Forms.*.Inputs.*.SourceCode | string | |
action_result.data.*.Forms.*.Inputs.*.Placeholder | string | |
action_result.data.*.Forms.*.method | string | |
action_result.data.*.Forms.*.Engines | string | |
action_result.data.*.Forms.*.PageURL | string | |
action_result.data.*.Forms.*.SourceCode | string | |
action_result.data.*.Hosts.*.IP | string | |
action_result.data.*.Hosts.*.ASN | numeric | |
action_result.data.*.Hosts.*.City | string | |
action_result.data.*.Hosts.*.Country | string | |
action_result.data.*.Hosts.*.Engines | string | |
action_result.data.*.Hosts.*.Hostname | string | |
action_result.data.*.Hosts.*.Organization | string | |
action_result.data.*.Score | numeric | |
action_result.data.*.Engine | string | |
action_result.data.*.Images.*.Type | string | |
action_result.data.*.Images.*.Resource | string | |
action_result.data.*.Images.*.ImageHashes | string | |
action_result.data.*.Images.*.ArtifactPath | string | |
action_result.data.*.Images.*.DetectedObjects | string | |
action_result.data.*.Details.engines | string | |
action_result.data.*.EndTime | string | |
action_result.data.*.Mutexes.*.Name | string | |
action_result.data.*.Mutexes.*.Engines | string | |
action_result.data.*.Network.*.Length | numeric | |
action_result.data.*.Network.*.Source.*.IP | string | |
action_result.data.*.Network.*.Source.*.Port | numeric | |
action_result.data.*.Network.*.Service | string | |
action_result.data.*.Network.*.Protocol | string | |
action_result.data.*.Network.*.Destination.*.IP | string | |
action_result.data.*.Network.*.Destination.*.Port | numeric | |
action_result.data.*.Strings.*.String | string | |
action_result.data.*.Strings.*.Engines | string | |
action_result.data.*.Verdict | string | |
action_result.data.*.Version | string | |
action_result.data.*.Processes.*.PID | numeric | |
action_result.data.*.Processes.*.Name | string | |
action_result.data.*.Processes.*.PPID | numeric | |
action_result.data.*.Processes.*.Path | string | |
action_result.data.*.Processes.*.Details.*.Calls | string | |
action_result.data.*.Processes.*.Details.Threads | string | |
action_result.data.*.Processes.*.Details.Environment.*.retval | numeric | |
action_result.data.*.Processes.*.Details.Environment.*.OSMajor | numeric | |
action_result.data.*.Processes.*.Details.Environment.*.OSMinor | numeric | |
action_result.data.*.Processes.*.Details.Environment.*.TempPath | string | |
action_result.data.*.Processes.*.Details.Environment.*.UserName | string | |
action_result.data.*.Processes.*.Details.Environment.*.is_success | string | |
action_result.data.*.Processes.*.Details.Environment.*.CommandLine | string | |
action_result.data.*.Processes.*.Details.Environment.*.InstallDate | numeric | |
action_result.data.*.Processes.*.Details.Environment.*.MachineGUID | string | |
action_result.data.*.Processes.*.Details.Environment.*.MainExeBase | string | |
action_result.data.*.Processes.*.Details.Environment.*.MainExeSize | string | |
action_result.data.*.Processes.*.Details.Environment.*.ProductName | string | |
action_result.data.*.Processes.*.Details.Environment.*.WindowsPath | string | |
action_result.data.*.Processes.*.Details.Environment.*.ComputerName | string | |
action_result.data.*.Processes.*.Details.Environment.*.RegisteredOwner | string | |
action_result.data.*.Processes.*.Details.Environment.*.SystemVolumeGUID | string | |
action_result.data.*.Processes.*.Details.Environment.*.RegisteredOrganization | string | |
action_result.data.*.Processes.*.Details.Environment.*.SystemVolumeSerialNumber | string | |
action_result.data.*.Processes.*.Details.Arguments | string | |
action_result.data.*.StartTime | string | |
action_result.data.*.DNSServers | string | |
action_result.data.*.Detections.*.Name | string | |
action_result.data.*.Detections.*.Details.Data.*.Hit | string | |
action_result.data.*.Detections.*.Engines | string | |
action_result.data.*.Detections.*.Severity | numeric | |
action_result.data.*.Detections.*.Description | string | |
action_result.data.*.DNSRequests.*.Query | string | |
action_result.data.*.DNSRequests.*.Server | string | |
action_result.data.*.DNSRequests.*.Engines | string | |
action_result.data.*.DNSRequests.*.QueryType | string | |
action_result.data.*.DNSRequests.*.Responses.*.Type | string | |
action_result.data.*.DNSRequests.*.Responses.*.Value | string | |
action_result.data.*.Screenshots.*.URI | string | |
action_result.data.*.Screenshots.*.Engines | string | |
action_result.data.*.Screenshots.*.Resource | string | |
action_result.data.*.Screenshots.*.ImageHashes | string | |
action_result.data.*.Screenshots.*.ArtifactPath | string | |
action_result.data.*.DisplayScore | numeric | |
action_result.data.*.MitreAttacks.*.ID | string | |
action_result.data.*.MitreAttacks.*.Tactic | string | |
action_result.data.*.MitreAttacks.*.Engines | string | |
action_result.data.*.MitreAttacks.*.Technique | string | |
action_result.data.*.MitreAttacks.*.SubTechnique | string | |
action_result.data.*.Registrykeys.*.Name | string | |
action_result.data.*.Registrykeys.*.Action | string | |
action_result.data.*.Registrykeys.*.Engines | string | |
action_result.data.*.WhoisResults.*.Org | string | |
action_result.data.*.WhoisResults.*.City | string | |
action_result.data.*.WhoisResults.*.Name | string | |
action_result.data.*.WhoisResults.*.State | string | |
action_result.data.*.WhoisResults.*.DNSSec | string | |
action_result.data.*.WhoisResults.*.Emails | string | |
action_result.data.*.WhoisResults.*.Address | string | |
action_result.data.*.WhoisResults.*.Country | string | |
action_result.data.*.WhoisResults.*.Engines | string | |
action_result.data.*.WhoisResults.*.ZipCode | string | |
action_result.data.*.WhoisResults.*.CreatedAt | string | |
action_result.data.*.WhoisResults.*.ExpiresAt | string | |
action_result.data.*.WhoisResults.*.Registrar | string | |
action_result.data.*.WhoisResults.*.UpdatedAt | string | |
action_result.data.*.WhoisResults.*.DomainName | string | |
action_result.data.*.WhoisResults.*.NameServers | string | |
action_result.data.*.WhoisResults.*.WhoisServer | string | |
action_result.data.*.PhishedBrands | string | |
action_result.data.*.MalwareConfigs | string | |
action_result.data.*.SavedArtifacts | string | |
action_result.data.*.MalwareFamilies | string | |
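The data paths above are what a playbook has to walk to turn a forensics result into something actionable. The following is an added example, not code from the TwinWave app or its documentation: it takes one element of `action_result.data` from `get job forensics`, pulls out URLs, domains, IPs and file hashes, makes a containment decision, and shapes the indicators as SOAR artifacts. The sample job, the score and severity thresholds, and the CEF field names are assumptions made for the example.

```python
"""Triage helper for the `get job forensics` action result of the TwinWave SOAR app.

Added example; this is not code from the TwinWave app. The input is shaped after
the data paths listed above (action_result.data.*.HTTP, .DNSRequests, .Hosts,
.Files, .Detections, .MitreAttacks, .Verdict, .DisplayScore). The thresholds and
the CEF field names used for artifacts are assumptions, not app behaviour.
"""
from __future__ import annotations

from typing import Any

# Constructed sample in the shape of one action_result.data element.
# Hostnames and IPs come from reserved documentation ranges; the hashes are the
# well-known digests of empty input, used only as placeholders.
SAMPLE_FORENSICS: dict[str, Any] = {
    "Verdict": "malicious",
    "DisplayScore": 87,
    "HTTP": [
        {"URL": "http://login.example-lure.invalid/auth", "Hostname": "login.example-lure.invalid",
         "Method": "POST", "StatusCode": 200, "Destination": [{"IP": "203.0.113.10", "Port": 80}]},
        {"URL": "https://cdn.example.invalid/app.js", "Hostname": "cdn.example.invalid",
         "Method": "GET", "StatusCode": 200, "Destination": [{"IP": "198.51.100.7", "Port": 443}]},
    ],
    "DNSRequests": [
        {"Query": "login.example-lure.invalid", "QueryType": "A",
         "Responses": [{"Type": "CNAME", "Value": "edge.example-lure.invalid"},
                       {"Type": "A", "Value": "203.0.113.10"}]},
    ],
    "Hosts": [{"IP": "203.0.113.10", "Hostname": "login.example-lure.invalid", "ASN": 64496}],
    "Files": [
        {"FileName": "invoice.exe", "FileType": "PE32", "Size": 4096,
         "MD5": "d41d8cd98f00b204e9800998ecf8427e",
         "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ],
    "Detections": [{"Name": "Credential harvesting form", "Severity": 8,
                    "Description": "Login form posts credentials to a non-brand host"}],
    "MitreAttacks": [{"ID": "T1566.002", "Tactic": "Initial Access",
                      "Technique": "Phishing", "SubTechnique": "Spearphishing Link"}],
    "PhishedBrands": ["ExampleBank"],
}

# CEF field names commonly consumed by downstream SOAR blocks (assumed convention;
# the TwinWave app itself does not set these).
CEF_FIELD = {"url": "requestURL", "domain": "destinationDnsDomain",
             "ip": "destinationAddress", "sha256": "fileHashSha256", "md5": "fileHashMd5"}


def _items(value: Any) -> list[Any]:
    """Some forensics fields are lists (HTTP.*.Destination.*) and some single objects
    (TLS.*.Destination); treat both uniformly."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def extract_indicators(forensics: dict[str, Any]) -> dict[str, set[str]]:
    """Collect URLs, domains, IPs and file hashes from one job's consolidated forensics."""
    ind: dict[str, set[str]] = {kind: set() for kind in CEF_FIELD}
    for req in _items(forensics.get("HTTP")):
        if req.get("URL"):
            ind["url"].add(req["URL"])
        if req.get("Hostname"):
            ind["domain"].add(req["Hostname"].lower())
        for dst in _items(req.get("Destination")):
            if dst.get("IP"):
                ind["ip"].add(dst["IP"])
    for dns in _items(forensics.get("DNSRequests")):
        if dns.get("Query"):
            ind["domain"].add(dns["Query"].lower())
        for resp in _items(dns.get("Responses")):
            # Only address records are IPs; a CNAME answer is another name, not an IP.
            if resp.get("Type") in ("A", "AAAA") and resp.get("Value"):
                ind["ip"].add(resp["Value"])
            elif resp.get("Type") == "CNAME" and resp.get("Value"):
                ind["domain"].add(resp["Value"].lower())
    for host in _items(forensics.get("Hosts")):
        if host.get("IP"):
            ind["ip"].add(host["IP"])
        if host.get("Hostname"):
            ind["domain"].add(host["Hostname"].lower())
    for f in _items(forensics.get("Files")):
        for algo in ("sha256", "md5"):
            if f.get(algo.upper()):
                ind[algo].add(f[algo.upper()].lower())
    return ind


def should_contain(forensics: dict[str, Any], score_threshold: int = 70,
                   severity_threshold: int = 7) -> bool:
    """Containment decision: an explicit malicious verdict, a high display score, or any
    high-severity detection. The thresholds are an assumed policy; tune them locally."""
    if str(forensics.get("Verdict") or "").lower() == "malicious":
        return True
    if int(forensics.get("DisplayScore") or 0) >= score_threshold:
        return True
    return any(int(d.get("Severity") or 0) >= severity_threshold
               for d in _items(forensics.get("Detections")))


def to_artifacts(forensics: dict[str, Any], indicators: dict[str, set[str]]) -> list[dict[str, Any]]:
    """Shape the indicators as SOAR artifact dicts, tagging each with the job's ATT&CK IDs."""
    malicious = str(forensics.get("Verdict") or "").lower() == "malicious"
    techniques = sorted(m["ID"] for m in _items(forensics.get("MitreAttacks")) if m.get("ID"))
    return [
        {"name": f"TwinWave {kind}", "label": "twinwave_indicator",
         "severity": "high" if malicious else "medium",
         "cef": {CEF_FIELD[kind]: value}, "tags": techniques}
        for kind, values in indicators.items()
        for value in sorted(values)
    ]


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_FORENSICS)
    print({k: sorted(v) for k, v in found.items()})
    print("contain:", should_contain(SAMPLE_FORENSICS),
          "artifacts:", len(to_artifacts(SAMPLE_FORENSICS, found)))
```

Note that `_items` exists because the data paths are not uniform: `HTTP.*.Destination.*.IP` is a list while `TLS.*.Destination.IP` is a single object, and a playbook that indexes `[0]` blindly will break on one of them. DNS `CNAME` answers are deliberately routed to the domain set rather than the IP set; a blocklist fed a hostname in an IP field is a common playbook bug.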
Get a job summary
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
job_id | required | Job id of the job summary you want to fetch | string | twinwave job id |
wait | optional | Wait for job to finish before returning results | boolean | |
timeout | optional | Maximum time (in minutes) to wait for job to be complete | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.job_id | string | twinwave job id |
action_result.parameter.wait | boolean | |
action_result.parameter.timeout | numeric | |
action_result.status | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
action_result.data | string | |
action_result.summary | string | |
action_result.data.*.ID | string | twinwave job id |
action_result.data.*.Score | numeric | |
action_result.data.*.State | string | |
action_result.data.*.Tasks.*.ID | string | |
action_result.data.*.Tasks.*.State | string | |
action_result.data.*.Tasks.*.Engine | string | |
action_result.data.*.Tasks.*.Results.*.Score | numeric | |
action_result.data.*.Tasks.*.Results.*.Details | string | |
action_result.data.*.Tasks.*.Results.*.Forensics.*.Raw | string | |
action_result.data.*.Tasks.*.Results.*.Forensics.*.Normalized | string | |
action_result.data.*.Tasks.*.Priority | numeric | |
action_result.data.*.Tasks.*.CreatedAt | string | |
action_result.data.*.Tasks.*.StartedAt | string | |
action_result.data.*.Tasks.*.StateText | string | |
action_result.data.*.Tasks.*.UpdatedAt | string | |
action_result.data.*.Tasks.*.ResourceID | string | |
action_result.data.*.APIKey.*.ID | string | |
action_result.data.*.APIKey.*.Label | string | |
action_result.data.*.Labels.*.ID | numeric | |
action_result.data.*.Labels.*.Jobs | string | |
action_result.data.*.Labels.*.Type | string | |
action_result.data.*.Labels.*.Value | string | |
action_result.data.*.Profile | string | |
action_result.data.*.Sharing.*.SharedAt | string | |
action_result.data.*.Sharing.*.SharedBy | string | |
action_result.data.*.Sharing.*.ShareToken | string | |
action_result.data.*.APIKeyID | string | |
action_result.data.*.Priority | numeric | |
action_result.data.*.TenantID | string | |
action_result.data.*.Username | string | |
action_result.data.*.CreatedAt | string | |
action_result.data.*.Resources.*.ID | string | |
action_result.data.*.Resources.*.Name | string | |
action_result.data.*.Resources.*.Type | string | |
action_result.data.*.Resources.*.JobID | string | |
action_result.data.*.Resources.*.Score | numeric | |
action_result.data.*.Resources.*.Location | string | |
action_result.data.*.Resources.*.ParentID | string | |
action_result.data.*.Resources.*.CreatedAt | string | |
action_result.data.*.Resources.*.DisplayScore | numeric | |
action_result.data.*.Resources.*.FileMetadata.*.MD5 | string | |
action_result.data.*.Resources.*.FileMetadata.*.Size | numeric | |
action_result.data.*.Resources.*.FileMetadata.*.SHA256 | string | |
action_result.data.*.Resources.*.FileMetadata.*.FileType | string | |
action_result.data.*.Resources.*.FileMetadata.*.MimeType | string | |
action_result.data.*.Resources.*.FileMetadata.*.IsEncrypted | string | |
action_result.data.*.Resources.*.InjectionMetadata.*.AddedBy | string | |
action_result.data.*.Resources.*.InjectionMetadata.*.AddedBecause | string | |
action_result.data.*.ResourceTree | string | |
action_result.data.*.StartedAt | string | |
action_result.data.*.UpdatedAt | string | |
action_result.data.*.Parameters | string | |
action_result.data.*.Submissions.*.MD5 | string | |
action_result.data.*.Submissions.*.Name | string | |
action_result.data.*.Submissions.*.SHA256 | string | |
action_result.data.*.CompletedAt | string | |
action_result.data.*.DisplayScore | numeric | |
action_result.data.*.Verdict | string | |
action_result.data.*.ForensicsPath | string | |
action_result.data.*.ResourceCount | numeric | |
action_result.data.*.RequestedEngines | string | |
action_result.data.*.SubmissionSource | string | |
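`get job summary`, `get job forensics`, `get pdf report` and `get job screenshots` all take the same `wait` and `timeout` parameters, and a job submitted by `detonate url` or `detonate file` is normally still running when its `JobID` comes back. The following is an added example, not code from the TwinWave app: it shows the polling loop those parameters imply, driven by the `State` field of the job summary above, and then picks out the fields a playbook typically branches on. The job state strings, the polling interval, and the `fetch` callable (a wrapper around the action or the REST call, supplied by the caller) are assumptions; the `ScriptedJobs` and `FakeClock` classes are constructed stand-ins so the example runs offline.

```python
"""Wait/timeout handling for TwinWave jobs, as exposed by the get job summary,
get job forensics, get pdf report and get job screenshots actions.

Added example; not code from the TwinWave app. `fetch` is whatever returns one
job summary dict shaped like action_result.data.* above. The terminal state
strings are an assumption; check them against what your tenant returns.
"""
from __future__ import annotations

import time
from typing import Any, Callable

# Assumed terminal job states (not taken from TwinWave documentation).
TERMINAL_STATES = frozenset({"done", "error"})


class JobTimeout(Exception):
    """Raised when `timeout` minutes elapse before the job reaches a terminal state."""


def job_is_finished(summary: dict[str, Any], terminal=TERMINAL_STATES) -> bool:
    """Finished when the job-level State is terminal. If State is absent, require every
    task to be terminal; a summary with no tasks at all is not treated as finished."""
    state = str(summary.get("State") or "").lower()
    if state:
        return state in terminal
    tasks = summary.get("Tasks") or []
    return bool(tasks) and all(str(t.get("State") or "").lower() in terminal for t in tasks)


def wait_for_job(fetch: Callable[[str], dict[str, Any]], job_id: str, wait: bool = True,
                 timeout_minutes: float = 10, interval_s: float = 15,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> dict[str, Any]:
    """Mirror the action parameters: wait=False returns the first summary as-is, even if
    the job is still running; wait=True polls until finished or raises JobTimeout."""
    summary = fetch(job_id)
    if not wait:
        return summary
    deadline = clock() + timeout_minutes * 60
    while not job_is_finished(summary):
        if clock() >= deadline:
            raise JobTimeout(f"job {job_id} still {summary.get('State')!r} "
                             f"after {timeout_minutes} min")
        sleep(interval_s)
        summary = fetch(job_id)
    return summary


def summarize(summary: dict[str, Any]) -> dict[str, Any]:
    """Pull out the fields a playbook branches on, including the SHA256 of every
    resource the analysis produced (Resources.*.FileMetadata.*.SHA256)."""
    sha256s: set[str] = set()
    for res in summary.get("Resources") or []:
        meta = res.get("FileMetadata") or []
        for m in (meta if isinstance(meta, list) else [meta]):
            if m.get("SHA256"):
                sha256s.add(m["SHA256"].lower())
    engines = {t.get("Engine") for t in summary.get("Tasks") or [] if t.get("Engine")}
    return {"id": summary.get("ID"), "state": summary.get("State"),
            "verdict": summary.get("Verdict"), "score": summary.get("DisplayScore"),
            "engines": sorted(engines), "resource_sha256": sorted(sha256s)}


class FakeClock:
    """Deterministic clock so the example runs without actually sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class ScriptedJobs:
    """Constructed stand-in for `get job summary`: each call returns the next scripted
    state, then keeps returning the last one."""
    def __init__(self, states: list[str]) -> None:
        self.states, self.calls = list(states), 0

    def __call__(self, job_id: str) -> dict[str, Any]:
        state = self.states[min(self.calls, len(self.states) - 1)]
        self.calls += 1
        done = state == "done"
        return {"ID": job_id, "State": state,
                "Verdict": "malicious" if done else None, "DisplayScore": 92 if done else None,
                "Tasks": [{"ID": "t1", "Engine": "web_analyzer", "State": state}],
                "Resources": [{"ID": "r1", "Type": "file", "FileMetadata": [
                    {"SHA256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}]}]
                if done else []}


if __name__ == "__main__":
    clock = FakeClock()
    result = wait_for_job(ScriptedJobs(["pending", "inprogress", "done"]), "job-demo",
                          clock=clock.now, sleep=clock.sleep)
    print(summarize(result), "after", clock.t, "simulated seconds")
```

Two details matter in practice. With `wait=False` the result is returned immediately, so a playbook must check `State` (or `Verdict`, which is unset until completion) before acting on the score. With `wait=True`, the timeout is enforced against a deadline computed once, not by counting iterations, so a slow `fetch` cannot extend the wait beyond the configured minutes by more than one call.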
Get a list of recent jobs
Type: generic
Read only: False
No parameters are required for this action
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
action_result.data | string | |
action_result.data.*.ID | string | |
action_result.data.*.Score | numeric | |
action_result.data.*.State | string | |
action_result.data.*.Tasks.*.ID | string | |
action_result.data.*.Tasks.*.State | string | |
action_result.data.*.Tasks.*.Engine | string | |
action_result.data.*.Tasks.*.Results.*.Score | numeric | |
action_result.data.*.Tasks.*.Results.*.Details | string | |
action_result.data.*.Tasks.*.Results.*.Forensics.*.Raw | string | |
action_result.data.*.Tasks.*.Results.*.Forensics.*.Normalized | string | |
action_result.data.*.Tasks.*.Priority | numeric | |
action_result.data.*.Tasks.*.CreatedAt | string | |
action_result.data.*.Tasks.*.StartedAt | string | |
action_result.data.*.Tasks.*.StateText | string | |
action_result.data.*.Tasks.*.UpdatedAt | string | |
action_result.data.*.Tasks.*.ResourceID | string | |
action_result.data.*.APIKey.*.ID | string | |
action_result.data.*.APIKey.*.Label | string | |
action_result.data.*.Labels.*.ID | numeric | |
action_result.data.*.Labels.*.Jobs | string | |
action_result.data.*.Labels.*.Type | string | |
action_result.data.*.Labels.*.Value | string | |
action_result.data.*.Profile | string | |
action_result.data.*.Sharing.*.SharedAt | string | |
action_result.data.*.Sharing.*.SharedBy | string | |
action_result.data.*.Sharing.*.ShareToken | string | |
action_result.data.*.APIKeyID | string | |
action_result.data.*.Priority | numeric | |
action_result.data.*.TenantID | string | |
action_result.data.*.Username | string | |
action_result.data.*.CreatedAt | string | |
action_result.data.*.Resources.*.ID | string | |
action_result.data.*.Resources.*.Name | string | |
action_result.data.*.Resources.*.Type | string | |
action_result.data.*.Resources.*.JobID | string | |
action_result.data.*.Resources.*.Score | numeric | |
action_result.data.*.Resources.*.Location | string | |
action_result.data.*.Resources.*.ParentID | string | |
action_result.data.*.Resources.*.CreatedAt | string | |
action_result.data.*.Resources.*.DisplayScore | numeric | |
action_result.data.*.Resources.*.FileMetadata.*.MD5 | string | |
action_result.data.*.Resources.*.FileMetadata.*.Size | numeric | |
action_result.data.*.Resources.*.FileMetadata.*.SHA256 | string | |
action_result.data.*.Resources.*.FileMetadata.*.FileType | string | |
action_result.data.*.Resources.*.FileMetadata.*.MimeType | string | |
action_result.data.*.Resources.*.FileMetadata.*.IsEncrypted | string | |
action_result.data.*.Resources.*.InjectionMetadata.*.AddedBy | string | |
action_result.data.*.Resources.*.InjectionMetadata.*.AddedBecause | string | |
action_result.data.*.StartedAt | string | |
action_result.data.*.UpdatedAt | string | |
action_result.data.*.Parameters | string | |
action_result.data.*.Submissions.*.MD5 | string | |
action_result.data.*.Submissions.*.Name | string | |
action_result.data.*.Submissions.*.SHA256 | string | |
action_result.data.*.CompletedAt | string | |
action_result.data.*.DisplayScore | numeric | |
action_result.data.*.ForensicsPath | string | |
action_result.data.*.ResourceCount | numeric | |
action_result.data.*.RequestedEngines | string | |
action_result.data.*.SubmissionSource | string | |
action_result.summary | string | |
Submit File for Scanning
Type: investigate
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
file | required | Vault ID of the file to submit | string | vault id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.file | string | vault id |
action_result.status | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
action_result.data.*.JobID | string | twinwave job id |
action_result.data.*.QueueDepth | numeric | |
action_result.data.*.QuotaRemaining | numeric | |
action_result.data.*.AppURL | string | url |
action_result.summary | string | |
Submit New URL for Scanning
Type: investigate
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to submit | string | url |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.url | string | url |
action_result.status | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
action_result.data.*.JobID | string | twinwave job id |
action_result.data.*.QueueDepth | numeric | |
action_result.data.*.QuotaRemaining | numeric | |
action_result.data.*.AppURL | string | url |
action_result.summary | string | |
Get the PDF report for a completed job
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
job_id | required | Job id of the job whose PDF report you want to download | string | twinwave job id |
wait | optional | Wait for job to finish before returning results | boolean | |
timeout | optional | Maximum time (in minutes) to wait for job to be complete | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.job_id | string | twinwave job id |
action_result.parameter.wait | boolean | |
action_result.parameter.timeout | numeric | |
action_result.status | string | |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get screenshots for the specified job and store them in the vault
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
job_id | required | Job id of the job whose screenshots you want to download | string | twinwave job id |
wait | optional | Wait for job to finish before returning results | boolean | |
timeout | optional | Maximum time (in minutes) to wait for job to be complete | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.job_id | string | twinwave job id |
action_result.parameter.wait | boolean | |
action_result.parameter.timeout | numeric | |
action_result.status | string | |
action_result.data.*.screenshot_count | numeric | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |