About the connector

The Malshare Project is a collaborative effort to create a community-driven public malware repository that works to build additional tools to benefit the security community at large.

This document provides information about the Malshare connector, which facilitates automated interactions with a Malshare server using FortiSOAR™ playbooks. Add the Malshare connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting files to the Malshare server for analysis, searching the Malshare server for reports based on specific parameters, and retrieving reports from the Malshare server.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Malshare server to which you will connect and perform the automated operations.
  • You must have the API key used to access the Malshare endpoint.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Malshare connector and click Configure to configure the following parameters:

 

| Parameter | Description |
| --- | --- |
| Server URL | URL of the Malshare server to which you will connect and perform the automated operations. |
| API Key | API key that is configured for your account to access the Malshare endpoint. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |

 

 

Actions supported by the connector

The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access operations:

 

| Function | Description | Annotation and Category |
| --- | --- | --- |
| List Hashes | Retrieves a list of hashes from the Malshare server for the last 24 hours. | list_hashes, Investigation |
| List URLs | Retrieves a list of all the URLs (sources) from the Malshare server for the last 24 hours. | list_urls, Investigation |
| Get File Information | Retrieves the file details associated with the hash that you specify from the Malshare server. | get_file_details, Investigation |
| Search Query | Performs a search query on the Malshare server using the sample hashes, sources, and file names that you specify, and retrieves file details from the Malshare server based on that query. | search_query, Investigation |
| Submit Sample | Submits a file from the FortiSOAR™ Attachments module to the Malshare server for analysis. | detonate_file, Investigation |

 

operation: List Hashes

Input parameters

 

| Parameter | Description |
| --- | --- |
| File Type | (Optional) Type of file for which you want to retrieve a list of hashes from the Malshare server. Based on the file type, MD5, SHA-1, or SHA-256 values are retrieved from the Malshare server. Note: If you do not specify any File Type, then a list containing all the hashes will be retrieved from the Malshare server. |

 

Output

The JSON output contains a list of MD5, SHA-1, or SHA-256 values based on the file type that you have specified, or a list of all hashes, retrieved from the Malshare server.

The following image displays a sample output:

[Image: Sample output of the List Hashes operation]

 

operation: List URLs

Input parameters

None.

Output

The JSON output contains a list of all URLs (sources) retrieved from the Malshare server.

The following image displays a sample output:

[Image: Sample output of the List Hashes operation]

 

operation: Get File Information

Input parameters

 

| Parameter | Description |
| --- | --- |
| Hash | MD5, SHA-1, or SHA-256 value of the file whose details you want to retrieve from the Malshare server. |

 

Output

The JSON output contains the details of the file, such as MD5, SHA-1, SHA-256, SSDEEP, Filetype, and Sources, associated with the hash that you have specified, retrieved from the Malshare server.

The following image displays a sample output:

[Image: Sample output of the Get File Information operation]
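
The following Python sketch is an added example, not part of the Malshare connector or its bundled playbooks. It validates a value intended for the Hash parameter, checks that the returned file details describe the hash that was queried, and defangs the source URLs before they are copied into a ticket. The key names `MD5`, `SHA1`, `SHA256`, `F_TYPE` and `SOURCES`, the function names, and the sample record are assumptions constructed for illustration.

```python
import re

# Hex digest lengths for the three hash types the Hash parameter accepts.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumed response keys for each hash type (not confirmed by the page).
RESPONSE_KEYS = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256"}


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256', or raise ValueError for anything else."""
    candidate = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", candidate):
        raise ValueError("hash must be hexadecimal")
    kind = HASH_LENGTHS.get(len(candidate))
    if kind is None:
        raise ValueError("unsupported digest length: %d" % len(candidate))
    return kind


def defang(url):
    """Make a URL non-clickable before it is written to a ticket or e-mail."""
    url = re.sub(r"^http", "hxxp", url.strip(), flags=re.IGNORECASE)
    return url.replace(".", "[.]")


def triage_file_details(queried_hash, details):
    """Check that the response describes the queried hash; defang its sources."""
    kind = classify_hash(queried_hash)
    returned = str(details.get(RESPONSE_KEYS[kind], "")).lower()
    if returned != queried_hash.strip().lower():
        raise ValueError("response does not match the queried %s" % kind)
    return {
        "hash_type": kind,
        "file_type": details.get("F_TYPE"),
        "sources": [defang(s) for s in details.get("SOURCES", [])],
    }


# Constructed sample output (digests of the empty input, placeholder source).
SAMPLE = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "F_TYPE": "data",
    "SOURCES": ["http://malware-source.example/payload.bin"],
}

if __name__ == "__main__":
    print(triage_file_details("D41D8CD98F00B204E9800998ECF8427E", SAMPLE))
```
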

 

operation: Search Query

Input parameters

 

| Parameter | Description |
| --- | --- |
| Search Query | Query containing sample hashes, sources, and file names that you want to run on the Malshare server to retrieve associated file information. |

 

Output

The JSON output contains the details of the file, such as MD5, SHA-1, SHA-256, Type, and Sources, associated with the query that you have specified, retrieved from the Malshare server.

The following image displays a sample output:

[Image: Sample output of the Search Query operation]

 

operation: Submit Sample

Input parameters

 

| Parameter | Description |
| --- | --- |
| File IRI | ID or IRI value of the file that you want to submit to the Malshare server for analysis. The File IRI is used to access the file directly from the FortiSOAR™ Attachments module. In the playbook, the value of the File IRI field defaults to the {{vars.file_iri}} value. For this operation, you must submit the files from the FortiSOAR™ Attachments module only. |

 

Output

The JSON output contains the MD5 value of the file retrieved from the Malshare server based on the file you have submitted from the FortiSOAR™ Attachments module. You can use this MD5 value in the future to query and retrieve file details from the Malshare server for this file.

The following image displays a sample output:

[Image: Sample output of the Submit Sample operation]

 

Included playbooks

The Sample - Malshare - 1.0.0 playbook collection comes bundled with the Malshare connector. This playbook collection contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Malshare connector.

  • Get File Information
  • List Hashes
  • List URLs
  • Search Query
  • Submit Sample

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted during connector upgrade and deletion.

 
