About the connector
The Malshare Project is a collaborative effort to create a community-driven public malware repository that works to build additional tools to benefit the security community at large.
This document provides information about the Malshare connector, which facilitates automated interactions, with a Malshare server using FortiSOAR™ playbooks. Add the Malshare connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting files to the Malshare server for analyzes, searching the Malshare server for reports based on specific parameters, and retrieving reports from the Malshare server.
Version information
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later
Installing the connector
For the procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of the Malshare server to which you will connect and perform the automated operations.
- You must have the API key used to access the Malshare endpoint.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the Malshare connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Server URL |
URL of the Malshare server to which you will connect and perform the automated operations. |
| API Key |
API key that is configured for your account to access the Malshare endpoint. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| List Hashes |
Retrieves a list of hashes from the Malshare server for the last 24 hours. |
list_hashes
Investigation |
| List URLs |
Retrieves a list of all the URLS (sources) from the Malshare server for the last 24 hours. |
list_urls
Investigation |
| Get File Information |
Retrieves the file details associated with the hash that you specify from the Malshare server. |
get_file_details
Investigation |
| Search Query |
Performs a search query on the Malshare server using the sample hashes, sources, and file names that you specify and retrieving file details from the Malshare server based on the query that you specify. |
search_query
Investigation |
| Submit Sample |
Submits a file from the FortiSOAR™ Attachments module to the Malshare server for analyzes. |
detonate_file
Investigation |
operation: List Hashes
Input parameters
| Parameter |
Description |
| File Type |
(Optional) Type of file for which you want to retrieve a list of hashes from the Malshare server. Based on the file type MD5, SHA-1, or SHA-256 values are retrieved from the Malshare server.
Note: If you do not specify any File Type, then a list containing all the hashes will be retrieved from the Malshare server. |
Output
The JSON output contains a list of MD5, SHA-1, or SHA-256 values based on the file type that you have specified, or a list of all hashes, retrieved from the Malshare server.
Following image displays a sample output:
operation: List URLs
Input parameters
None.
Output
The JSON output contains a list of all URLs (sources) retrieved from the Malshare server.
Following image displays a sample output:
operation: Get File Information
Input parameters
| Parameter |
Description |
| Hash |
MD5, SHA-1, or SHA-256 value of the file whose details you want to retrieve from the Malshare server. |
Output
The JSON output contains the details of the file such as, MD5, SHA-1, SHA-256, SSDEEP, Filetype, and Sources associated with the hash that you have specified, retrieved from the Malshare server.
Following image displays a sample output:
operation: Search Query
Input parameters
| Parameter |
Description |
| Search Query |
Query containing sample hashes, sources, and file names, that you want to run on the Malshare server and retrieve associated file information. |
Output
The JSON output contains the details of the file such as, MD5, SHA-1, SHA-256, Type, and Sources associated with the query that you have specified, retrieved from the Malshare server.
Following image displays a sample output:
operation: Submit Sample
Input parameters
| Parameter |
Description |
| File IRI |
ID or IRI value of the file that you want to submit to the Malshare server for analyzes. File IRI used to access the file directly from the FortiSOAR™ Attachments module.
In the playbook, the value of the File IRI field defaults to the {{vars.file_iri}} value.
For this operation, you must submit the files from the FortiSOAR™ Attachments module only. |
Output
The JSON output contains the MD5 value of the file retrieved from the Malshare server based on the file you have submitted from the FortiSOAR™ Attachments module. You can use this MD5 value in the future to query and retrieve file details from the Malshare server for this file.
Following image displays a sample output:
Included playbooks
The Sample - Malshare - 1.0.0 playbook collection comes bundled with the Malshare connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Malshare connector.
- Get File Information
- List Hashes
- List URLs
- Search Query
- Submit Sample
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
