my TPAPI.ini:

tex_api_enabled = TRUE
scrub_service_portal_enabled = FALSE
logs_api_enabled = TRUE
api_key = <an API Key>
allowed_networks[]=0.0.0.0/0

if I enable the scrub service portal I can connect and use it, but this is for extraction only. I need emulation.

So how are you calling the API?
What endpoint and what data are you passing?

Sounds like you're calling it with scrub_options (for Threat Extraction) instead of te_options (Threat Emulation).

no, we used te_options.

Here is a (incomplete) PS I used to pass a file to TE:

# Usage: Emulate-TransferFile.ps1 -TEFile Path-To-File -Action action

#

# action can be: upload, query, report

#

# return exit codes

#   1 == invalid arguments

#   2 == invalid action

#   3 == file invalid or does not exist

#   4 == AV only verdict without TE report

#   5 == Unknown verdict - report download failed

[CmdletBinding()]

Param(

[Parameter(

Mandatory=$true,

HelpMessage="Path to file to be emulated in TE.")]

[String]$TEFile,

[Parameter(

Mandatory=$true,

HelpMessage="upload, query or report")]

[String]$Action

)

#def

# TE emulator API

$TEServer = 'FQDN of TE:18194'

$TEApiKey = '<our API Key'

# TE images to be used for emulation

# add multiple images by adding GUIDs seperated by comma to TEIMAGES variable below

# Look for currently available images using [Expert@cp-te-1:0]# tecli s d i

#

# Win10 64-bit, Office2016: 10b4a9c6-e414-425c-ae8b-fe4dd7b25244

# Win7, Office 2013: 5e5de275-a103-4f67-b55b-47532918fa59 (available)

# WinXP, Office 2003/7: e50e99f3-5963-4573-af9e-e3f4750b55e2 (available)

# Win7, Office 2003/7: 7e6fe36e-889e-4c25-8704-56378f0830df

# Win7, Office 2010: 8d188031-1010-4466-828b-0cd13d4303ff

# Win7 64-bit, Office 2013: 3ff3ddae-e7fd-4969-818c-d5f1a2be336d

# Win8.1 64-bit, Office 2013: 6c453c9b-20f7-471a-956c-3198a868dc92

$TEImages = "e50e99f3-5963-4573-af9e-e3f4750b55e2,5e5de275-a103-4f67-b55b-47532918fa59"

$TEImageRev = "1"

if (-not (Test-Path $TEFile))

{

throw [System.IO.FileNotFoundException] "$TEFile not found."

}

# do magic byte check on filename

# ToDo: we need Get-FileSignature.ps1 from Skript Repository as psm1 on the Management Server

$TEFileType = Get-FileSignature -Path $TEFile

#We do not support Executables

if ($TEFileType.HexSignature -eq "4D5A")

{

throw [System.IO.FileFormatException] "$TEFile is an executable"

}

# we should have excluded all unsupported files and filesizes by now!

# calculate SHA1 from file

$TESHA1 = Get-FileHash -Path $TEFile -Algorithm SHA1

#Case Query (forums don't support formatting, the real ps1 is correctly formatted here):

$QueryBody = @{

request = @{

sha1 = $TESHA1

file_type = "zip"

features = "te", "av"

te = @{

reports = "pdf"

}

}

}

Invoke-RestMethod -Method Post -Uri "https://$TEServer/tecloud/api/v1/file/query" -Header @{"Authorization"=$TEApiKey} -Body (ConvertTo-Json $QueryBody) -SkipCertificateCheck

What exactly do you get back from the API when you run this script?

Invoke-RestMethod : Authentication failed because the remote party has closed the transport stream.

btw: You'll need PS 6 to run this, because we need -SkipCertificateCheck in Invoke-RestMethod (see my other post here: How do I change the https certificate for Sandblast API?)

For Get-FileSignature you'll need Script Get-FileSignature, but you could just comment this out.

What will be most helpful is to see:

• What your script sent the API (what the raw JSON/HTTP Request looks like)
• What the API actually responded with

There may be a log file on the Threat Emulation appliance we can look at--checking on this.

But if you can make your script log the raw API calls/responses somehow, that will help tremendously as well. 

never mind, I just figured out that I posted the wrong version of the script.

And I found sk137032, which I was not aware of when I initially started to work on this...

I will try to follow the examples there and will report later.