About the connector
Intezer introduces a genetic malware analysis solution, based on the concept that malware is composed of previously written software. Intezer Analyze identifies new malware by comparing its code with previously seen threats.
This document provides information about the Intezer Analyze connector, which facilitates automated interactions, with an Intezer Analyze API using FortiSOAR™ playbooks. Add the Intezer Analyze connector as a step in FortiSOAR™ playbooks and perform automated operations, such as performing malware analysis of suspicious files and a variety of automated investigation process operations, such as submitting a filehash to Intezer Analyze for analysis, generating a vaccine for a specific file, and retrieving analyzes of files previously submitted to Intezer Analyze.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.12.1-253
Authored By: Fortinet
Certified: Yes
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-intezer-analyze
For the detailed procedure to install a connector, click here
Prerequisites to configuring the connector
- You must have the URL of Intezer Analyze server to which you will connect and perform automated operations.
- API key configured for your account for using the Intezer Analyze API.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the connectors page, select the Intezer Analyze connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Server URL |
IP address or Hostname URL of the Intezer Analyze server to which you will connect and perform the automated operations. |
| API Key |
API key configured for your account for using the Intezer Analyze API. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Submit File |
Submits a file to Intezer Analyze for analysis. |
submit_sample
Investigation |
| Get Analysis |
Retrieves a summary of the analyses of a file that had been previously submitted to Intezer Analyze for analysis, based on the Analysis ID you have specified. The summary contains high-level analyses results. |
get_analysis
Investigation |
| Submit Hash |
Submits the hash value of a file to be analyzed by Intezer Analyze.
Note: This operation only submits the hash value of the file and it enables you to analyze a file without actually submitting it to Intezer Analyze. |
submit_sample
Investigation |
| Get Hash Reputation |
Retrieves latest available results of the analyses of a file that had been previously submitted to Intezer Analyze for analysis, based on the filehash value you have specified. |
hash_reputation
Investigation |
| Get Sub Analysis |
Retrieves a list of sub-analysis IDs from Intezer Analyze of the analysis ID that you have specified, including the sub-analysis IDs of the root file. |
get_analysis
Investigation |
| Generate Vaccine |
Enables you to generate a vaccine for a specific file. Vaccine can be in the YARA, OpenIOC, STIX, or STIX2 format. |
generate_vaccine
Investigation |
operation: Submit File
Input parameters
| Parameter |
Description |
| Scan File From |
Select the type of file reference that you will be submitting to Intezer Analyze for analysis. You can choose from the following options: Attachment IRI, File IRI, or File Path.
- Attachment ID: Attachment ID is used to access the file directly from the FortiSOAR™ Attachments module.
- File IRI: IRI of the file that is present in FortiSOAR™.
- File Path: Full path of the file that is present in FortiSOAR™.
|
| Reference / File Path |
Reference or file path based on the option you have selected from the Scan File From drop-down list.
- If you select Attachment ID or File IRI, then specify the attachment ID or file IRI of the file that you want to submit to Intezer Analyze for analysis.
- If you select File Path, then specify the full path of the file that is present in FortiSOAR™ and which you want to submit to Intezer Analyze for analysis.
|
Output
The output contains the following populated JSON schema:
{
"result_url": ""
}
operation: Get Analysis
Input parameters
| Parameter |
Description |
| Analysis ID |
Unique identifier that is assigned to a file that has been previously submitted (uploaded) to Intezer Analyze for analysis whose summary of the analysis you want to retrieve from Intezer Analyze. |
Output
The output contains the following populated JSON schema:
{
"status": "",
"result_url": "",
"result": {
"analysis_url": "",
"analysis_id": "",
"analysis_time": "",
"sha256": "",
"sub_verdict": "",
"is_private": "",
"verdict": ""
}
}
operation: Submit Hash
Input parameters
| Parameter |
Description |
| Filehash |
Value of the filehash that you want to submit to Intezer Analyze for analysis.
Note: Supported filehash formats are: SHA256, SHA1, and MD5. |
Output
The output contains the following populated JSON schema:
{
"result_url": ""
}
operation: Get Hash Reputation
Input parameters
| Parameter |
Description |
| Filehash |
Filehash value of a file that has been previously submitted to Intezer Analyze for analysis whose reputation information you want to retrieve from Intezer Analyze.
Note: Supported filehash formats are: SHA256, SHA1, and MD5. |
Output
The output contains the following populated JSON schema:
{
"status": "",
"result_url": "",
"result": {
"analysis_url": "",
"analysis_id": "",
"analysis_time": "",
"sha256": "",
"sub_verdict": "",
"is_private": "",
"verdict": ""
}
}
operation: Get Sub Analysis
Input parameters
| Parameter |
Description |
| Analysis ID |
Unique identifier that is assigned to a file that has been previously submitted to Intezer Analyze for analysis whose sub-analysis IDs you want to retrieve from Intezer Analyze. |
Output
The output contains the following populated JSON schema:
{
"sub_analyses": [
{
"sub_analysis_id": "",
"sha256": "",
"source": ""
}
]
}
operation: Generate Vaccine
Input parameters
| Parameter |
Description |
| Analysis ID |
Unique identifier that is assigned to a file that has been previously submitted (uploaded) to Intezer Analyze for which you want to generate the vaccine. |
| Sub Analysis ID |
Unique identifier that is assigned to the results of each child file of a previously submitted (uploaded) to Intezer Analyze for which you want to generate the vaccine. |
| Vaccine Format |
Format of the vaccine to be generated. You can choose from the following options: YARA, OpenIOC, STIX, or STIX2.
By default, this is set as YARA. |
Output
The output contains the following populated JSON schema:
{
"status": "",
"result_url": "",
"result": ""
}
Included playbooks
The Sample - Intezer Analyze - 1.0.0 playbook collection comes bundled with the Intezer Analyze connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Intezer Analyze connector.
- Generate Vaccine
- Get Analysis
- Get Hash Reputation
- Get Sub Analysis
- Submit File
- Submit Hash
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
