ReversingLabs A1000

1.0.0

About the connector

 

ReversingLabs A1000 performs the ReversingLabs Hashing Algorithm (RHA) functional similarity analysis on each file, which determines whether the analyzed sample is like previously seen malware or goodware. ReversingLabs A1000 identifies malformed files or files with known malicious characteristics by using multiple threat classification methods. This provides a complete and powerful static/dynamic analysis solution. 

This document provides information about the ReversingLabs A1000 connector, which facilitates automated interactions with a ReversingLabs A1000 server using FortiSOAR™ playbooks. Add the ReversingLabs A1000 connector as a step in FortiSOAR™ playbooks and perform automated operations, such as uploading samples for analysis and retrieving reports for the submitted sample.

 

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on:  4.9.0.0-662 and later

ReversingLabs A1000 Version Tested on: 3.5.0.0

Authored By: Fortinet

Certified: Yes

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-reversinglabsa1000

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of ReversingLabs A1000 server to which you will connect and perform the automated operations and credentials to access that URL.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

 

 

In FortiSOAR™, on the Connectors page, select the ReversingLabs A1000 connector and click Configure to configure the following parameters:

| Parameter | Description |
|---|---|
| Server | URL of the endpoint for the ReversingLabs A1000 server to which you will connect and perform the automated operations. |
| Username | Username to access the ReversingLabs A1000 endpoint. |
| Password | Password to access the ReversingLabs A1000 endpoint. |

 

 

Actions supported by the connector

 

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

| Function | Description | Annotation and Category |
|---|---|---|
| Upload Sample | Uploads a sample file to ReversingLabs A1000 for analysis. | |
| Get Report using File Hash | Retrieves a report from ReversingLabs A1000 for the sample that you have submitted based on the SHA1 of the sample. | |
| Re-analyze Sample using File Hash | Requests ReversingLabs A1000 to re-analyze a previously submitted sample based on the SHA1 of the previously submitted sample. | |

operation: Upload Sample

Input parameters

Notes:

  • Using this operation, you submit files available in the FortiSOAR™ 'Attachments' module to ReversingLabs A1000. You can select multiple fields to be submitted to ReversingLabs A1000 for malware analysis.

  • You must ensure that the custom fileHash field is available in the FortiSOAR™ Attachments module. The fileHash field holds a ReversingLabs A1000 return value, which is the SHA1 of the submitted sample. Use the SHA1 value when you want to retrieve the report from ReversingLabs A1000. Updates to the Attachments module to add the SHA1 of a sample are achieved using FortiSOAR™ playbooks.

| Parameter | Description |
|---|---|
| File IRI | List of File IRIs. A File IRI is used to access the file directly from the FortiSOAR™ Attachments module. In the playbook, this defaults to the {{vars.file_iri_list}} value. |

Output

The JSON output contains the following:

  • The submitted parameter of the JSON object, in case of success, contains file hashes as keys and, as values, the file IRIs of the submitted files from FortiSOAR™ (Attachments module).

  • The submit_failed parameter of the JSON object, in case of failure, contains file hashes as keys and, as values, the file IRIs of the submitted files from FortiSOAR™.

  • The pre_exist parameter of the JSON object, in case of success, contains file hashes as keys and, as values, the file IRIs of samples that already exist on the ReversingLabs A1000 server.

Following image displays a sample output:

operation: Get Report using File Hash

Input parameters

| Parameter | Description |
|---|---|
| File Hash | Single file hash or a list of file hashes based on which you want to retrieve a report from ReversingLabs A1000. |

Output

The JSON output contains the report from ReversingLabs A1000 for a sample based on the specified file hash or SHA1 of the sample.

Note: The not_found parameter of the JSON object contains a list of the file hashes of samples that are not found on the ReversingLabs A1000 server.
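The following is an added example, not code from the connector or its bundled playbooks. It shows how a playbook code step could turn an Upload Sample result into fileHash updates for the Attachments module, validating each key as a SHA1 before it is stored, and then flag attachments whose hash comes back under not_found. The function names, the sample values and the assumption that each value is a single IRI string are illustrative.

```python
import re

SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")  # SHA1 is 40 hex characters


def plan_filehash_updates(upload_result):
    """Split an Upload Sample result into (updates, failed_iris, rejected).

    updates     -- {attachment IRI: lowercase SHA1} to write to fileHash
    failed_iris -- IRIs listed under submit_failed (need a retry or review)
    rejected    -- keys that are not well-formed SHA1 values (never stored)
    """
    updates, rejected = {}, []
    # Both new submissions and samples already on the server yield a usable hash.
    for section in ("submitted", "pre_exist"):
        for file_hash, iri in (upload_result.get(section) or {}).items():
            if SHA1_RE.fullmatch(file_hash):
                updates[iri] = file_hash.lower()
            else:
                rejected.append(file_hash)
    failed_iris = sorted((upload_result.get("submit_failed") or {}).values())
    return updates, failed_iris, rejected


def iris_missing_report(updates, report_result):
    """Return IRIs whose stored SHA1 appears in the not_found list."""
    not_found = {h.lower() for h in report_result.get("not_found") or []}
    return sorted(iri for iri, h in updates.items() if h in not_found)


# Constructed sample data (hashes and IRIs are placeholders, not real values).
SAMPLE_UPLOAD = {
    "submitted": {"A" * 40: "iri-constructed-1", "not-a-sha1": "iri-constructed-4"},
    "pre_exist": {"b" * 40: "iri-constructed-2"},
    "submit_failed": {"c" * 40: "iri-constructed-3"},
}
SAMPLE_REPORT = {"not_found": ["B" * 40]}

if __name__ == "__main__":
    updates, failed, rejected = plan_filehash_updates(SAMPLE_UPLOAD)
    print(updates, failed, rejected)
    print(iris_missing_report(updates, SAMPLE_REPORT))
```
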

Following image displays a sample output:

operation: Re-analyze Sample using File Hash

Input parameters

| Parameter | Description |
|---|---|
| File Hash | Single file hash or a list of file hashes based on which you want to request ReversingLabs A1000 to reanalyze a previously submitted sample. |

Output

The JSON contains the report from ReversingLabs A1000 for a sample that has been reanalyzed based on the specified file hash or SHA1 of the previously submitted sample.

Note: The not_found parameter of the JSON object contains a list of the file hashes of samples that are not found on the ReversingLabs A1000 server.

Following image displays a sample output:

Included playbooks

The Sample - ReversingLabs A1000 - 1.0.0 playbook collection comes bundled with the ReversingLabs A1000 connector. This playbook collection contains steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ReversingLabs A1000 connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and deletion.

 
