ReversingLabs A1000 performs ReversingLabs Hashing Algorithm (RHA) functional similarity analysis on each file, which determines whether the analyzed sample resembles previously seen malware or goodware. ReversingLabs A1000 identifies malformed files and files with known malicious characteristics by using multiple threat classification methods, providing a complete static/dynamic analysis solution.
This document describes the ReversingLabs A1000 connector, which automates interactions with a ReversingLabs A1000 server from FortiSOAR™ playbooks. Add the ReversingLabs A1000 connector as a step in FortiSOAR™ playbooks to perform automated operations such as uploading samples for analysis and retrieving reports for submitted samples.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.9.0.0-662 and later
ReversingLabs A1000 Version Tested on: 3.5.0.0
Authored By: Fortinet
Certified: Yes
All connectors provided by FortiSOAR™ are delivered through a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-reversinglabsa1000
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the ReversingLabs A1000 connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server | URL of the endpoint for the ReversingLabs A1000 server to which you will connect and perform the automated operations. |
Username | Username to access the ReversingLabs A1000 endpoint. |
Password | Password to access the ReversingLabs A1000 endpoint. |
The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Upload Sample | Uploads a sample file to ReversingLabs A1000 for analysis. | |
Get Report using File Hash | Retrieves a report from ReversingLabs A1000 for a previously submitted sample, based on the SHA1 of the sample. | |
Re-analyze Sample using File Hash | Requests ReversingLabs A1000 to re-analyze a previously submitted sample, based on the SHA1 of that sample. | |
Operation: Upload Sample
Notes:
This operation submits files available in the FortiSOAR™ 'Attachments' module to ReversingLabs A1000. You can select multiple files to be submitted to ReversingLabs A1000 for malware analysis.
You must ensure that the custom fileHash field is available in the FortiSOAR™ Attachments module. The fileHash field holds a value returned by ReversingLabs A1000, which is the SHA1 of the submitted sample. Use this SHA1 value when you want to retrieve the report from ReversingLabs A1000. The Attachments module is updated with the SHA1 of a sample by using FortiSOAR™ playbooks.
Input parameters:
Parameter | Description |
---|---|
File IRI | A list of File IRIs. A File IRI is used to access the file directly from the FortiSOAR™ Attachments module. <br />In the playbook, this defaults to the {{vars.file_iri_list}} value. |
Output:
The JSON output contains the following parameters:
The submitted parameter, present on success, contains file hashes as keys and, as values, the File IRIs of the files submitted from the FortiSOAR™ Attachments module.
The submit_failed parameter, present when a submission fails, contains file hashes as keys and, as values, the File IRIs of the files from FortiSOAR™ that could not be submitted.
The pre_exist parameter, present on success, contains file hashes as keys and, as values, the File IRIs of files whose samples already existed on the ReversingLabs A1000 server.
The following image displays a sample output:
Operation: Get Report using File Hash
Input parameters:
Parameter | Description |
---|---|
File Hash | A single file hash, or a list of file hashes, for which you want to retrieve a report from ReversingLabs A1000. |
Output:
A JSON output containing the report from ReversingLabs A1000 for each sample matching a specified file hash (the SHA1 of the sample).
Note: The not_found parameter of the JSON object contains a list of the file hashes for which no sample was found on the ReversingLabs A1000 server.
The following image displays a sample output:
Operation: Re-analyze Sample using File Hash
Input parameters:
Parameter | Description |
---|---|
File Hash | A single file hash, or a list of file hashes, for which you want to request ReversingLabs A1000 to re-analyze a previously submitted sample. |
Output:
A JSON output containing the report from ReversingLabs A1000 for each re-analyzed sample matching a specified file hash (the SHA1 of the previously submitted sample).
Note: The not_found parameter of the JSON object contains a list of the file hashes for which no sample was found on the ReversingLabs A1000 server.
The following image displays a sample output:
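The three operations above chain naturally: the hashes under submitted and pre_exist in the Upload Sample output are exactly the ones a following Get Report or Re-analyze step should ask about, and not_found in those outputs tells you which requested hashes the server does not hold. The following Python is an added example, not part of the connector or the original page, showing how a playbook post-processing step could triage those documented keys. It also computes the SHA1 locally so the key A1000 returns can be cross-checked against the actual attachment bytes, and validates hash format before a lookup. The sample data (hashes, File IRIs, upload and report results) is constructed for the example and is not real A1000 output; the run_demo helper is this example's own, not a connector function.

```python
import hashlib
import re

# SHA1 in the form A1000 returns it: 40 lower-case hex characters.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def sha1_hex(data: bytes) -> str:
    """Hash a sample locally so the key A1000 hands back can be cross-checked."""
    return hashlib.sha1(data).hexdigest()


def is_sha1(value: str) -> bool:
    """Reject malformed hashes before they reach a Get Report / Re-analyze step."""
    return bool(SHA1_RE.match(value.strip().lower()))


def triage_upload_result(result: dict) -> dict:
    """Split Upload Sample output into report lookups and retry candidates.

    'submitted' and 'pre_exist' both mean the sample is present on the server,
    so both feed the next Get Report step; 'submit_failed' is kept for retry.
    """
    hash_to_iri = {}
    for bucket in ("submitted", "pre_exist"):
        for file_hash, iri in (result.get(bucket) or {}).items():
            hash_to_iri[file_hash.lower()] = iri
    return {
        "to_fetch": sorted(hash_to_iri),
        "hash_to_iri": hash_to_iri,
        "failed": dict(result.get("submit_failed") or {}),
    }


def split_report_result(requested: list, report_result: dict) -> tuple:
    """Separate requested hashes that have a report from those listed under 'not_found'."""
    not_found = {h.lower() for h in report_result.get("not_found") or []}
    found = [h for h in requested if h.lower() not in not_found]
    missing = [h for h in requested if h.lower() in not_found]
    return found, missing


# Constructed sample data (not real A1000 output): three fake samples, one of
# which fails to upload, and a report lookup in which one hash is not found.
SAMPLES = {name: sha1_hex(name.encode()) for name in ("sample-one", "sample-two", "sample-three")}
H1, H2, H3 = SAMPLES["sample-one"], SAMPLES["sample-two"], SAMPLES["sample-three"]

UPLOAD_RESULT = {
    "submitted": {H1: "/api/3/files/11111111-1111-1111-1111-111111111111"},
    "submit_failed": {H2: "/api/3/files/22222222-2222-2222-2222-222222222222"},
    "pre_exist": {H3: "/api/3/files/33333333-3333-3333-3333-333333333333"},
}

REPORT_RESULT = {"not_found": [H3]}


def run_demo() -> dict:
    """Drive the helpers end to end on the constructed data (example-only function)."""
    if not all(is_sha1(h) for h in SAMPLES.values()):
        raise ValueError("constructed hashes must be valid SHA1 hex")
    triage = triage_upload_result(UPLOAD_RESULT)
    found, missing = split_report_result(triage["to_fetch"], REPORT_RESULT)
    return {"triage": triage, "found": found, "missing": missing}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

In a real playbook the hash_to_iri mapping is what you would write back into the custom fileHash field of each attachment, and the failed dictionary is what a retry branch would re-submit; treating pre_exist the same as submitted avoids needlessly skipping report retrieval for samples the server already knew.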
The Sample - ReversingLabs A1000 - 1.0.0 playbook collection comes bundled with the ReversingLabs A1000 connector. This collection contains playbooks with steps for performing all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ReversingLabs A1000 connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.