SecondWrite Malware sandbox provides a service that analyzes suspicious file samples and URLs, and gets the reputation of submitted entities.
This document provides information about the SecondWrite connector, which facilitates automated interactions with a SecondWrite server using FortiSOAR™ playbooks. Add the SecondWrite connector as a step in FortiSOAR™ playbooks to perform automated operations, such as scanning and analyzing suspicious files and URLs, and retrieving reports for files and URLs that you have submitted to SecondWrite.
Connector Version: 1.0.1
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with SecondWrite Versions: v 2.0 and later.
The following enhancement has been made to the SecondWrite connector in version 1.0.1:
Renamed the User Key configuration parameter to API Key.
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the SecondWrite connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL of the SecondWrite sandbox server to which you will connect and perform the automated operations. |
API Key | API key to access the SecondWrite sandbox server. |
Verify SSL | Verify SSL connection to the SecondWrite sandbox server. Defaults to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Submit File | Submits a sample file to the SecondWrite server for analysis. | submit_sample Investigation |
Submit URL | Scans and analyzes URLs submitted to SecondWrite to determine if they are suspicious. | submit_url Investigation |
Get Report | Retrieves a report for previously submitted files or URLs from VirusTotal and determines the reputation of the submitted files or URLs. | get_reputation Investigation |
Using this operation, you can submit file samples that are available in the FortiSOAR™ Attachments module to SecondWrite.
Following file types are currently supported by SecondWrite:
Note: The file types that are supported can be updated. Refer to SecondWrite resources for the latest list of supported file types.
Parameter | Description |
---|---|
File IRI | File IRI used to access the file directly from the FortiSOAR™ Attachments module. In the playbook, this defaults to the {{vars.file_iri}} value. |
The output for all the operations is a customized JSON output that is formatted for easy reference.
The JSON output contains the UUID and SecondWrite report link for the submitted file. You can use this UUID in the future to query and retrieve analyzed reports from SecondWrite for this submitted sample.
Following image displays a sample output:
Parameter | Description |
---|---|
URL | URL that you want to submit to the SecondWrite sandbox for analysis. |
The JSON output contains the UUID and SecondWrite report link for the submitted URL. You can use this UUID in the future to query and retrieve analyzed reports from SecondWrite for this submitted URL.
Following image displays a sample output:
Parameter | Description |
---|---|
UUID | UUID of the submitted sample or URL based on which you want to retrieve a SecondWrite report. |
The JSON contains the report from SecondWrite based on the UUID of previously submitted samples or URLs. You can use this report to determine the reputation of the submitted files or URLs.
Following image displays a sample output:
The Sample - SecondWrite - 1.0.1 playbook collection comes bundled with the SecondWrite connector. This playbook collection contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SecondWrite connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.