Fortinet Document Library

Intezer Analyze

Version: 1.0.0
About the connector

Intezer introduces a genetic malware analysis solution, based on the concept that malware is composed of previously written software. Intezer Analyze identifies new malware by comparing its code with previously seen threats.

This document provides information about the Intezer Analyze connector, which facilitates automated interactions with the Intezer Analyze API using FortiSOAR™ playbooks. Add the Intezer Analyze connector as a step in FortiSOAR™ playbooks and perform automated operations, such as malware analysis of suspicious files and a variety of automated investigation operations, such as submitting a filehash to Intezer Analyze for analysis, generating a vaccine for a specific file, and retrieving analyses of files previously submitted to Intezer Analyze.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.12.1-253

Authored By: Fortinet

Certified: Yes

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-intezer-analyze

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

  • You must have the URL of the Intezer Analyze server to which you will connect and perform automated operations.
  • You must have an API key configured for your account for using the Intezer Analyze API.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the connectors page, select the Intezer Analyze connector and click Configure to configure the following parameters:

Parameter | Description
Server URL | IP address or hostname URL of the Intezer Analyze server to which you will connect and perform the automated operations.
API Key | API key configured for your account for using the Intezer Analyze API.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function | Description | Annotation and Category
Submit File | Submits a file to Intezer Analyze for analysis. | submit_sample / Investigation
Get Analysis | Retrieves a summary of the analyses of a file that has been previously submitted to Intezer Analyze, based on the Analysis ID you specify. The summary contains high-level analysis results. | get_analysis / Investigation
Submit Hash | Submits the hash value of a file to be analyzed by Intezer Analyze. Note: This operation submits only the hash value of the file, which enables you to analyze a file without actually uploading it to Intezer Analyze. | submit_sample / Investigation
Get Hash Reputation | Retrieves the latest available analysis results for a file that has been previously submitted to Intezer Analyze, based on the filehash value you specify. | hash_reputation / Investigation
Get Sub Analysis | Retrieves from Intezer Analyze the list of sub-analysis IDs for the analysis ID you specify, including the sub-analysis IDs of the root file. | get_analysis / Investigation
Generate Vaccine | Generates a vaccine for a specific file. The vaccine can be in the YARA, OpenIOC, STIX, or STIX2 format. | generate_vaccine / Investigation

operation: Submit File

Input parameters

Parameter | Description
Scan File From | Select the type of file reference that you will be submitting to Intezer Analyze for analysis. You can choose from the following options: Attachment ID, File IRI, or File Path.
  • Attachment ID: Attachment ID is used to access the file directly from the FortiSOAR™ Attachments module.
  • File IRI: IRI of the file that is present in FortiSOAR™.
  • File Path: Full path of the file that is present in FortiSOAR™.
Reference / File Path | Reference or file path, depending on the option you selected from the Scan File From drop-down list.
  • If you selected Attachment ID or File IRI, specify the attachment ID or file IRI of the file that you want to submit to Intezer Analyze for analysis.
  • If you selected File Path, specify the full path of the file that is present in FortiSOAR™ and that you want to submit to Intezer Analyze for analysis.

Output

The output contains the following populated JSON schema:

{
     "result_url": ""
}

operation: Get Analysis

Input parameters

Parameter | Description
Analysis ID | Unique identifier assigned to a file that has been previously submitted (uploaded) to Intezer Analyze for analysis, and whose analysis summary you want to retrieve from Intezer Analyze.

Output

The output contains the following populated JSON schema:

{
     "status": "",
     "result_url": "",
     "result": {
         "analysis_url": "",
         "analysis_id": "",
         "analysis_time": "",
         "sha256": "",
         "sub_verdict": "",
         "is_private": "",
         "verdict": ""
     }
}

operation: Submit Hash

Input parameters

Parameter | Description
Filehash | Value of the filehash that you want to submit to Intezer Analyze for analysis. Note: Supported filehash formats are SHA256, SHA1, and MD5.

Output

The output contains the following populated JSON schema:

{
     "result_url": ""
}

operation: Get Hash Reputation

Input parameters

Parameter | Description
Filehash | Filehash value of a file that has been previously submitted to Intezer Analyze for analysis, and whose reputation information you want to retrieve from Intezer Analyze. Note: Supported filehash formats are SHA256, SHA1, and MD5.

Output

The output contains the following populated JSON schema:

{
     "status": "",
     "result_url": "",
     "result": {
         "analysis_url": "",
         "analysis_id": "",
         "analysis_time": "",
         "sha256": "",
         "sub_verdict": "",
         "is_private": "",
         "verdict": ""
     }
}

operation: Get Sub Analysis

Input parameters

Parameter | Description
Analysis ID | Unique identifier assigned to a file that has been previously submitted to Intezer Analyze for analysis, and whose sub-analysis IDs you want to retrieve from Intezer Analyze.

Output

The output contains the following populated JSON schema:

{
     "sub_analyses": [
         {
             "sub_analysis_id": "",
             "sha256": "",
             "source": ""
         }
     ]
}

operation: Generate Vaccine

Input parameters

Parameter | Description
Analysis ID | Unique identifier assigned to a file that has been previously submitted (uploaded) to Intezer Analyze and for which you want to generate the vaccine.
Sub Analysis ID | Unique identifier assigned to the results of each child file of a file previously submitted (uploaded) to Intezer Analyze, and for which you want to generate the vaccine.
Vaccine Format | Format of the vaccine to be generated. You can choose from the following options: YARA, OpenIOC, STIX, or STIX2. By default, this is set as YARA.

Output

The output contains the following populated JSON schema:

{
     "status": "",
     "result_url": "",
     "result": ""
}
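The following added example (not part of the connector or this document) shows how a playbook-side helper can validate the Filehash input against the supported formats, route on the Get Analysis output schema, and run Generate Vaccine once per entry of the Get Sub Analysis output. The verdict strings, the run_op callable and the parameter keys passed to it are assumptions, since the page does not define them.

```python
import re
from typing import Any, Callable, Dict, List, Tuple

# Supported filehash formats keyed by hex-digest length (Submit Hash / Get Hash Reputation note).
HASH_FORMATS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
VACCINE_FORMATS = ("YARA", "OpenIOC", "STIX", "STIX2")

# Assumed verdict strings: the connector page does not list Intezer's verdict values.
NEXT_STEP = {"malicious": "contain_and_vaccinate", "suspicious": "escalate",
             "trusted": "close", "unknown": "manual_review"}


def filehash_format(value: str) -> str:
    """Return MD5, SHA1 or SHA256 for a well-formed hex digest; raise ValueError otherwise."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in HASH_FORMATS:
        raise ValueError(f"unsupported filehash: {value!r}")
    return HASH_FORMATS[len(digest)]


def triage(get_analysis_output: Dict[str, Any]) -> str:
    """Map result.verdict from the Get Analysis output schema to the next playbook step."""
    result = get_analysis_output.get("result") or {}
    verdict = str(result.get("verdict", "")).lower()
    return NEXT_STEP.get(verdict, "manual_review")


def vaccines_for_analysis(analysis_id: str, sub_analysis_output: Dict[str, Any],
                          run_op: Callable[[str, Dict[str, str]], Dict[str, Any]],
                          fmt: str = "YARA") -> List[Tuple[str, str, Any]]:
    """Run Generate Vaccine once per sub_analyses entry of the Get Sub Analysis output.
    run_op(operation, params) stands in for a connector step; it and its parameter
    keys are assumptions, not the connector's own interface."""
    if fmt not in VACCINE_FORMATS:
        raise ValueError(f"unsupported vaccine format: {fmt}")
    vaccines = []
    for sub in sub_analysis_output.get("sub_analyses", []):
        resp = run_op("Generate Vaccine", {"analysis_id": analysis_id,
                                           "sub_analysis_id": sub["sub_analysis_id"],
                                           "vaccine_format": fmt})
        vaccines.append((sub["sha256"], sub["source"], resp.get("result")))
    return vaccines


# Constructed sample data shaped like the page's output schemas (not a real analysis).
SAMPLE_SUB_ANALYSES = {"sub_analyses": [
    {"sub_analysis_id": "sub-1", "sha256": "a" * 64, "source": "root"},
    {"sub_analysis_id": "sub-2", "sha256": "b" * 64, "source": "extracted"}]}


def fake_run_op(operation: str, params: Dict[str, str]) -> Dict[str, Any]:
    """Stand-in connector step that returns the Generate Vaccine output schema."""
    return {"status": "done", "result_url": "", "result": f"rule {params['sub_analysis_id']}"}
```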

Included playbooks

The Sample - Intezer Analyze - 1.0.0 playbook collection comes bundled with the Intezer Analyze connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Intezer Analyze connector.

  • Generate Vaccine
  • Get Analysis
  • Get Hash Reputation
  • Get Sub Analysis
  • Submit File
  • Submit Hash

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
