
About the connector

SecondWrite Malware sandbox provides a service that analyzes suspicious file samples and URLs, and gets the reputation of submitted entities.

This document provides information about the SecondWrite connector, which facilitates automated interactions with a SecondWrite server using FortiSOAR™ playbooks. Add the SecondWrite connector as a step in FortiSOAR™ playbooks and perform automated operations, such as scanning and analyzing suspicious files and URLs and retrieving reports for files and URLs that you have submitted to SecondWrite.

 

Version information

Connector Version: 1.0.1

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with SecondWrite Versions: v 2.0 and later.

 

Release Notes for version 1.0.1

The following enhancement has been made to the SecondWrite connector in version 1.0.1:

  • Renamed the User Key configuration parameter to API Key.

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the SecondWrite sandbox server to which you will connect and perform the automated operations.
  • You must also have the user key to access the SecondWrite sandbox server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the SecondWrite connector and click Configure to configure the following parameters:

 

| Parameter | Description |
|---|---|
| Server URL | URL of the SecondWrite sandbox server to which you will connect and perform the automated operations. |
| API Key | API key to access the SecondWrite sandbox server. |
| Verify SSL | Verify SSL connection to the SecondWrite sandbox server. Defaults to True. |

 

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

| Function | Description | Annotation and Category |
|---|---|---|
| Submit File | Submits a sample file to the SecondWrite server for analysis. | submit_sample / Investigation |
| Submit URL | Scans and analyzes URLs submitted to SecondWrite to determine if they are suspicious. | submit_url / Investigation |
| Get Report | Retrieves a report for previously submitted files or URLs from VirusTotal and determines the reputation of the submitted files or URLs. | get_reputation / Investigation |

 

 

operation: Submit File

Input parameters

Using this operation, you can submit file samples that are available in the FortiSOAR™ Attachments module to SecondWrite.

The following file types are currently supported by SecondWrite:

  • PE32 executables
  • 32-bit DLLs
  • 32-bit .NET executables
  • PDF
  • MS Word (.doc and .docx)
  • MS Excel (.xls and .xlsx)
  • HTML (URLs)
  • Archives (.zip, .rar, .7z, .iso, .tar, .gz, .bz2)

Note: The file types that are supported can be updated. Refer to SecondWrite resources for the latest list of supported file types.
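A pre-submission check against the list above can keep unsupported samples (for example, 64-bit PE32+ images) out of the sandbox queue. The following is an added example, not part of the connector or of SecondWrite; the function names are hypothetical, the signatures are the standard magic bytes for each format, and HTML is left out because URLs go through the Submit URL operation.

```python
import struct

# Magic-byte signatures for the non-PE file types in the supported list.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (.doc/.xls)"),
    (b"PK\x03\x04", "zip container (.zip/.docx/.xlsx)"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
]

def classify_pe(data):
    """Return 'pe32', 'pe32+' or None by reading the PE optional-header magic."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + COFF header (20) + optional-header magic (2)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {0x10B: "pe32", 0x20B: "pe32+"}.get(magic)

def presubmit_check(data):
    """Return (supported, detected_type) for a sample's raw bytes."""
    pe = classify_pe(data)
    if pe:
        return (pe == "pe32", pe)  # only 32-bit PE images are on the list
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return (True, name)
    # ISO 9660 carries 'CD001' at offset 0x8001; tar carries 'ustar' at 257.
    if data[0x8001:0x8006] == b"CD001":
        return (True, "iso")
    if data[257:262] == b"ustar":
        return (True, "tar")
    return (False, "unknown")

def _fake_pe(opt_magic):
    """Constructed minimal header: MZ stub, e_lfanew=0x40, PE sig, COFF, magic."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + b"\0" * 20 + struct.pack("<H", opt_magic)
```

DLLs and .NET assemblies are PE images as well, so the same optional-header check covers the "32-bit DLLs" and "32-bit .NET executables" entries.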

 

| Parameter | Description |
|---|---|
| File IRI | File IRI used to access the file directly from the FortiSOAR™ Attachments module. In the playbook, this defaults to the {{vars.file_iri}} value. |

 

Output

All operations return a customized JSON output that is formatted for easy reference.

The JSON output contains the UUID and SecondWrite report link for the submitted file. You can use this UUID in future to query and retrieve analyzed reports from SecondWrite for this submitted sample.

The following image displays a sample output:

[Image: Sample output of the Submit File operation]

 

operation: Submit URL

Input parameters

 

| Parameter | Description |
|---|---|
| URL | URL that you want to submit to the SecondWrite sandbox for analysis. |

 

Output

The JSON output contains the UUID and SecondWrite report link for the submitted URL. You can use this UUID in future to query and retrieve analyzed reports from SecondWrite for this submitted URL.

The following image displays a sample output:

[Image: Sample output of the Submit URL operation]

 

operation: Get Report

Input parameters

 

| Parameter | Description |
|---|---|
| UUID | UUID of the submitted sample or URL based on which you want to retrieve a SecondWrite report. |

 

Output

The JSON output contains the report from SecondWrite based on the UUID of previously submitted samples or URLs. You can use this report to determine the reputation of the submitted files or URLs.

The following image displays a sample output:

[Image: Sample output of the Get Report operation]

 

Included playbooks

The Sample - SecondWrite - 1.0.1 playbook collection comes bundled with the SecondWrite connector. This collection contains playbooks whose steps you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SecondWrite connector.

  • Submit File to SecondWrite
  • Submit URL to SecondWrite
  • Get Report for Submitted Sample

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

 
