The Malshare Project is a collaborative effort to create a community-driven public malware repository that works to build additional tools to benefit the security community at large.
This document provides information about the Malshare connector, which facilitates automated interactions with a Malshare server using FortiSOAR™ playbooks. Add the Malshare connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting files to the Malshare server for analysis, searching the Malshare server for reports based on specific parameters, and retrieving reports from the Malshare server.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later
In FortiSOAR™, on the Connectors page, select the Malshare connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL of the Malshare server to which you will connect and perform the automated operations. |
API Key | API key that is configured for your account to access the Malshare endpoint. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
List Hashes | Retrieves a list of hashes from the Malshare server for the last 24 hours. | list_hashes Investigation |
List URLs | Retrieves a list of all the URLs (sources) from the Malshare server for the last 24 hours. | list_urls Investigation |
Get File Information | Retrieves the file details associated with the hash that you specify from the Malshare server. | get_file_details Investigation |
Search Query | Performs a search query on the Malshare server using the sample hashes, sources, and file names that you specify, and retrieves file details from the Malshare server based on that query. | search_query Investigation |
Submit Sample | Submits a file from the FortiSOAR™ Attachments module to the Malshare server for analysis. | detonate_file Investigation |
Parameter | Description |
---|---|
File Type | (Optional) Type of file for which you want to retrieve a list of hashes from the Malshare server. Based on the file type, MD5, SHA-1, or SHA-256 values are retrieved from the Malshare server. Note: If you do not specify a File Type, a list containing all the hashes is retrieved from the Malshare server. |
The JSON output contains a list of MD5, SHA-1, or SHA-256 values based on the file type that you have specified, or a list of all hashes, retrieved from the Malshare server.
None.
The JSON output contains a list of all URLs (sources) retrieved from the Malshare server.
Parameter | Description |
---|---|
Hash | MD5, SHA-1, or SHA-256 value of the file whose details you want to retrieve from the Malshare server. |
The JSON output contains the details of the file, such as MD5, SHA-1, SHA-256, SSDEEP, Filetype, and Sources, associated with the hash that you have specified, retrieved from the Malshare server.
Parameter | Description |
---|---|
Search Query | Query containing sample hashes, sources, and file names that you want to run on the Malshare server to retrieve associated file information. |
The JSON output contains the details of the file, such as MD5, SHA-1, SHA-256, Type, and Sources, associated with the query that you have specified, retrieved from the Malshare server.
Parameter | Description |
---|---|
File IRI | ID or IRI value of the file that you want to submit to the Malshare server for analysis. The File IRI is used to access the file directly from the FortiSOAR™ Attachments module. In the playbook, the value of the File IRI field defaults to the {{vars.file_iri}} value. For this operation, you must submit the files from the FortiSOAR™ Attachments module only. |
The JSON output contains the MD5 value of the file retrieved from the Malshare server based on the file you have submitted from the FortiSOAR™ Attachments module. You can use this MD5 value in the future to query and retrieve file details from the Malshare server for this file.
The Sample - Malshare - 1.0.0 playbook collection comes bundled with the Malshare connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Malshare connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.