About the connector
ReversingLabs A1000 performs the ReversingLabs Hashing Algorithm (RHA) functional similarity analysis on each file, which determines whether the analyzed sample is like previously seen malware or goodware. ReversingLabs A1000 identifies malformed files or files with known malicious characteristics by using multiple threat classification methods. This provides a complete and powerful static/dynamic analysis solution.
This document provides information about the ReversingLabs A1000 connector, which facilitates automated interactions, with a ReversingLabs A1000 server using FortiSOAR™ playbooks. Add the ReversingLabs A1000 connector as a step in FortiSOAR™ playbooks and perform automated operations, such as uploading samples for analysis and retrieving reports for the submitted sample.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.9.0.0-662 and later
ReversingLabs A1000 Version Tested on: 3.5.0.0
Authored By: Fortinet
Certified: Yes
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-reversinglabsa1000
For the procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of ReversingLabs A1000 server to which you will connect and perform the automated operations and credentials to access that URL.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the ReversingLabs A1000 connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Server |
URL of the endpoint for the ReversingLabs A1000 server to which you will connect and perform the automated operations. |
| Username |
Username to access the ReversingLabs A1000 endpoint. |
| Password |
Password to access the ReversingLabs A1000 endpoint. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Upload Sample |
Uploads a sample file to ReversingLabs A1000 for analysis. |
|
| Get Report using File Hash |
Retrieves a report from ReversingLabs A1000 for the sample that you have submitted based on the SHA1 of the sample. |
|
| Re-analyze Sample using File Hash |
Requests ReversingLabs A1000 to re-analyze a previously submitted sample based on the SHA1 of the previously submitted sample. |
|
operation: Upload Sample
Input parameters
Notes:
-
Using this operation, you submit files available in FortiSOAR™, in the 'Attachments' module to ReversingLabs A1000. You can select multiple fields to be submitted to ReversingLabs A1000 for Malware analysis.
-
You must ensure that the custom fileHash field is available in the FortiSOAR™ Attachments module. The fileHash field holds a ReversingLabs A1000 return value, which is the SHA1 of submitted sample. Use the SHA1 value when you want to retrieve the report from ReversingLabs A1000. Updates to the Attachment module to add the SHA1 of a sample is achieved using FortiSOAR™ Playbooks.
| Parameter |
Description |
| File IRI |
List of File IRI. File IRI used to access the file directly from the FortiSOAR™ Attachments module <br />In the playbook, this defaults to the {{vars.file_iri_list}} value. |
Output
The JSON output contains the following:
-
The submitted parameter of the JSON object in case of success, contains file hash as keys and the values as file iri of the submitted files from FortiSOAR™ (Attachments Module).
-
The submit_failed parameter of the JSON object in case of failure, contains file hash as keys and the values as file iri of the submitted files from FortiSOAR™.
-
The pre_exist parameter of the JSON object in case of success contains file hash as keys and the values as file iri of existing samples on ReversingLabs A1000 server.
Following image displays a sample output:
operation: Get Report using File Hash
Input parameters
| Parameter |
Description |
| File Hash |
Single file hash or a list of file hash based on which you want to retrieve a report from ReversingLabs A1000. |
Output
A JSON output containing the report from ReversingLabs A1000 for a sample based on the specified file hash or SHA1 of the sample.
Note: The not_found parameter of the JSON object contains a list of file hash for a sample that is not found on the ReversingLabs A1000 server.
Following image displays a sample output:
operation: Re-analyze Sample using File Hash
Input parameters
| Parameter |
Description |
| File Hash |
Single file hash or a list of file hash based on which you want to request ReversingLabs A1000 to reanalyze a previously submitted sample. |
Output
The JSON contains the report from ReversingLabs A1000 for a sample that has been reanalyzed based on the specified file hash or SHA1 of the previously submitted sample.
Note: The not_found parameter of the JSON object contains a list of file hash for a sample that is not found on the ReversingLabs A1000 server.
Following image displays a sample output:
Included playbooks
The Sample - ReversingLabs A1000 - 1.0.0 playbook collection comes bundled with the ReversingLabs A1000 connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ReversingLabs A1000 connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
