The Malwr connector provides an interface to connect with the malware analysis service. You can submit files to the malware analysis service and receive the results of a complete dynamic analysis back using this connector.
This document provides information about the Malwr connector, which facilitates automated interactions with a Malwr server using FortiSOAR™ playbooks. Add the Malwr connector as a step in FortiSOAR™ playbooks and perform automated operations, such as uploading files to the Malwr server and retrieving reports from Malwr.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
For the procedure to install a connector, click here.
Note: This procedure is optional. You need to perform it only if you want to view the result of the "Get report from malwr" playbook in HTML-formatted tables. The "Get report from malwr" playbook is one of the playbooks that comes bundled with the Malwr connector. Also, the procedures mentioned in this document assume that you are using FortiSOAR™ version 4.9. If you are using FortiSOAR™ version 4.10 or later, the FortiSOAR™ UI navigation has changed. Refer to the FortiSOAR™ documentation for the updated navigation.
Malwr custom module located in the malwr_1_0_0 -> malwr -> playbooks -> modules -> malwr.json. Browse to the malwr.json file and click Install to import the Malwr module.
Malwr module as follows:
Modules page, from the Select a module to edit or create a new module drop-down list, select Attachments.
Fields section and add the Malwr module as shown in the following image:
Malwr module is published, then you must update the role of the users who need to run the Get report from malwr playbook to include access to the Malwr module as follows:
Roles page, click the role to which you want to provide access to the Malwr module.
Edit Role page, in the Set Role Permissions grid, in the Malwr row, click the combination of permissions you want to assign to the role. The Create, Read, Update, and Delete columns have checkboxes that allow you to assign specific permissions for each module.
Get report from malwr playbook to retrieve the report from the Malwr server.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Malwr connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
URL | URL of the Malwr server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether an SSL certificate will be required for the connection between the Malwr connector and Malwr server. By default, this option is set as true. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Submit Sample | Submits a sample file to the Malwr server for analysis. | submit_sample Investigation |
Get Report | Retrieves a report from the Malwr server for the samples that you had submitted to the Malwr server for analysis. Reports are retrieved based on the task_id of the sample. | get_report Investigation |
Note: Using this operation, you submit files that are available in the FortiSOAR™ Attachments module to the Malwr server.
Parameter | Description |
---|---|
FileIRI | Use the FortiSOAR™ File IRI to submit files directly from the FortiSOAR™ Attachments module to the Malwr server. In the playbook, this defaults to the {{vars.file_iri}} value. |
Private | Specifies whether the file is private or not. By default, this option is set as false. |
All operations return a customized JSON output that is formatted for easy reference.
The JSON output contains the task_id for the submitted sample. You can use this task_id in subsequent queries to retrieve reports from the Malwr server for the submitted file.
The following image displays a sample output:
Parameter | Description |
---|---|
task_id | task_id for a previously submitted file for which you want to retrieve a report from the Malwr server. |
The JSON output contains the report retrieved from the Malwr server for the previously submitted files.
The following image displays a sample output:
The Sample - Malwr - 1.0.0 playbook collection comes bundled with the Malwr connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Whois RDAP connector.
Malwr custom module, which is defined in the Importing the Malwr module procedure.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.