Intezer introduces a genetic malware analysis solution, based on the concept that malware is composed of previously written software. Intezer Analyze identifies new malware by comparing its code with previously seen threats.
This document provides information about the Intezer Analyze connector, which facilitates automated interactions with the Intezer Analyze API using FortiSOAR™ playbooks. Add the Intezer Analyze connector as a step in FortiSOAR™ playbooks to perform automated operations, such as malware analysis of suspicious files, and a variety of automated investigation operations, such as submitting a filehash to Intezer Analyze for analysis, generating a vaccine for a specific file, and retrieving analyses of files previously submitted to Intezer Analyze.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.12.1-253
Authored By: Fortinet
Certified: Yes
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-intezer-analyze
For the detailed procedure to install a connector, click here
For the procedure to configure a connector, click here
In FortiSOAR™, on the connectors page, select the Intezer Analyze connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | IP address or Hostname URL of the Intezer Analyze server to which you will connect and perform the automated operations. |
API Key | API key configured for your account for using the Intezer Analyze API. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Submit File | Submits a file to Intezer Analyze for analysis. | submit_sample Investigation |
Get Analysis | Retrieves a summary of the analysis of a file that has been previously submitted to Intezer Analyze, based on the Analysis ID you have specified. The summary contains high-level analysis results. | get_analysis Investigation |
Submit Hash | Submits the hash value of a file to be analyzed by Intezer Analyze. Note: This operation submits only the hash value of the file, which enables you to analyze a file without actually uploading it to Intezer Analyze. | submit_sample Investigation |
Get Hash Reputation | Retrieves latest available results of the analyses of a file that had been previously submitted to Intezer Analyze for analysis, based on the filehash value you have specified. | hash_reputation Investigation |
Get Sub Analysis | Retrieves a list of sub-analysis IDs from Intezer Analyze of the analysis ID that you have specified, including the sub-analysis IDs of the root file. | get_analysis Investigation |
Generate Vaccine | Enables you to generate a vaccine for a specific file. Vaccine can be in the YARA, OpenIOC, STIX, or STIX2 format. | generate_vaccine Investigation |
Input parameters for the Submit File operation:
Parameter | Description |
---|---|
Scan File From | Select the type of file reference that you will be submitting to Intezer Analyze for analysis. You can choose from the following options: Attachment IRI, File IRI, or File Path. |
Reference / File Path | Reference or file path based on the option you have selected from the Scan File From drop-down list. |
The output contains the following populated JSON schema:
```json
{
    "result_url": ""
}
```
Input parameters for the Get Analysis operation:
Parameter | Description |
---|---|
Analysis ID | Unique identifier that is assigned to a file that has been previously submitted (uploaded) to Intezer Analyze for analysis, and for which you want to retrieve the analysis summary from Intezer Analyze. |
The output contains the following populated JSON schema:
```json
{
    "status": "",
    "result_url": "",
    "result": {
        "analysis_url": "",
        "analysis_id": "",
        "analysis_time": "",
        "sha256": "",
        "sub_verdict": "",
        "is_private": "",
        "verdict": ""
    }
}
```
Input parameters for the Submit Hash operation:
Parameter | Description |
---|---|
Filehash | Value of the filehash that you want to submit to Intezer Analyze for analysis. Note: Supported filehash formats are SHA256, SHA1, and MD5. |
The output contains the following populated JSON schema:
```json
{
    "result_url": ""
}
```
Input parameters for the Get Hash Reputation operation:
Parameter | Description |
---|---|
Filehash | Filehash value of a file that has been previously submitted to Intezer Analyze for analysis, and for which you want to retrieve reputation information from Intezer Analyze. Note: Supported filehash formats are SHA256, SHA1, and MD5. |
The output contains the following populated JSON schema:
```json
{
    "status": "",
    "result_url": "",
    "result": {
        "analysis_url": "",
        "analysis_id": "",
        "analysis_time": "",
        "sha256": "",
        "sub_verdict": "",
        "is_private": "",
        "verdict": ""
    }
}
```
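The following helper, added here as an example and not part of the connector or of Intezer's own code, shows how a playbook code step could validate a filehash before Submit Hash, extract the analysis ID from a Submit File / Submit Hash result_url, and turn a Get Analysis or Get Hash Reputation output (the schema above) into a single branch decision while the analysis is still pending. The result_url layout, the status strings and the verdict strings are assumptions and are labelled as such in the code.

```python
import re

# Hex-digest lengths of the hash formats Submit Hash / Get Hash Reputation accept.
HASH_LENGTHS = {64: "sha256", 40: "sha1", 32: "md5"}
# Status and verdict strings below are assumed for illustration; confirm them
# against live connector output before branching on them in a playbook.
ESCALATE_VERDICTS = {"malicious", "suspicious"}

def hash_format(value):
    """Return 'sha256', 'sha1' or 'md5' for a well-formed hex digest, else None."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return HASH_LENGTHS.get(len(value))

def analysis_id_from_result_url(result_url):
    """Pull the analysis ID out of a Submit File / Submit Hash result_url.
    Assumes it ends in '/analyses/<id>' (an assumption, not from the document)."""
    match = re.search(r"/analyses/([0-9a-fA-F-]+)/?$", result_url)
    return match.group(1) if match else None

def triage(output):
    """Map a Get Analysis / Get Hash Reputation output to a playbook decision:
    'pending' while unfinished (no result yet), 'error' on failure, otherwise
    'escalate' or 'close' from the verdict, with the fields worth recording."""
    status = output.get("status", "")
    result = output.get("result") or {}
    if status == "failed":
        return {"decision": "error", "status": status}
    if status != "succeeded" or not result:
        return {"decision": "pending", "status": status}  # wait, then poll again
    verdict = result.get("verdict", "")
    return {"decision": "escalate" if verdict in ESCALATE_VERDICTS else "close",
            "status": status, "verdict": verdict,
            "sub_verdict": result.get("sub_verdict", ""),
            "sha256": result.get("sha256", ""),
            "analysis_url": result.get("analysis_url", "")}

# Constructed sample outputs in the document's schema (not real Intezer data).
PENDING = {"status": "in_progress", "result_url": "/analyses/aaaa-0001"}
DONE = {"status": "succeeded", "result_url": "/analyses/aaaa-0001", "result": {
    "analysis_url": "https://analyze.example/analyses/aaaa-0001",
    "analysis_id": "aaaa-0001", "analysis_time": "2020-01-01T00:00:00Z",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "sub_verdict": "known_malicious", "is_private": True, "verdict": "malicious"}}
```

In a playbook, loop on `triage(...)["decision"] == "pending"` with a wait step between Get Analysis calls, and branch on "escalate" to open or enrich the incident.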
Input parameters for the Get Sub Analysis operation:
Parameter | Description |
---|---|
Analysis ID | Unique identifier that is assigned to a file that has been previously submitted to Intezer Analyze for analysis, and for which you want to retrieve the sub-analysis IDs from Intezer Analyze. |
The output contains the following populated JSON schema:
```json
{
    "sub_analyses": [
        {
            "sub_analysis_id": "",
            "sha256": "",
            "source": ""
        }
    ]
}
```
Input parameters for the Generate Vaccine operation:
Parameter | Description |
---|---|
Analysis ID | Unique identifier that is assigned to a file that has been previously submitted (uploaded) to Intezer Analyze, and for which you want to generate the vaccine. |
Sub Analysis ID | Unique identifier that is assigned to the results of each child file of a previously submitted (uploaded) file, and for which you want to generate the vaccine. |
Vaccine Format | Format of the vaccine to be generated. You can choose from the following options: YARA, OpenIOC, STIX, or STIX2. By default, this is set as YARA. |
The output contains the following populated JSON schema:
```json
{
    "status": "",
    "result_url": "",
    "result": ""
}
```
The Sample - Intezer Analyze - 1.0.0 playbook collection comes bundled with the Intezer Analyze connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Intezer Analyze connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.