About the connector
MetaDefender is a cybersecurity platform for preventing and detecting cybersecurity threats on multiple data channels.
This document provides information about the Metadefender Cloud connector, which facilitates automated interactions, with a Metadefender server using FortiSOAR™ playbooks. Add the Metadefender Cloud connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving reputation information of a specific IP address or file hash and retrieving a scan result from Metadefender for a submitted file.
Version information
Connector Version: 1.1.0
Authored By: Community
Certified: No
Release Notes for version 1.1.0
Following enhancements have been made to the Metadefender Cloud connector in version 1.1.0:
- Renamed the connector to Metadefender Cloud from Metadefender.
- Added the following new operations and playbooks:
- Submit File
- Get Scan With Sandbox
- Get Sandbox Lookup
- Get Hash Lookup With Sandbox
Installing the connector
From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-metadefender
Prerequisites to configuring the connector
- You must have the URL of the Metadefender server to which you will connect and perform the automated operations and the API key configured for your account to access that Metadefender server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Metadefender Cloud connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter |
Description |
| Server URL |
URL of the Metadefender server to which you will connect and perform the automated operations. |
| API Key |
API key that is configured for your account for the Metadefender server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get IP Reputation |
Retrieves details and reputation of the IP address that you have specified from the Metadefender server. |
get_ip_reputation
Investigation |
| Get Filehash Reputation |
Retrieves details and reputation of the file hash that you have specified from the Metadefender server. |
get_hash_reputation
Investigation |
| Get Scan File Result |
Retrieves a scan result containing details and reputation of a file hash that you had previously submitted on the Metadefender server. The information is retrieved from the Metadefender server based on the Data ID that you have specified. |
get_scan_file_result
Investigation |
| Submit File |
Submits a file that is present in FortiSOAR™ for analysis to Metadefender based on the ID or attachment IRI of the file. |
submit_file
Investigation |
| Get Scan With Sandbox |
Retrieves a scan result containing details of a file, that belongs to a specific sandbox. The scan results are retrieved for a file that you had previously submitted on the Metadefender server. The information is retrieved from the Metadefender server based on the Data ID and sandbox that you have specified. |
get_scan_with_sandbox
Investigation |
| Get Sandbox Lookup |
Retrieves lookup details of the sandbox from the Metadefender server based on the sandbox ID that you have specified |
get_sandbox_lookup
Investigation |
| Get Hash Lookup With Sandbox |
Retrieves details of the sandbox hash lookup of a file from the Metadefender server based on the hash value that you have specified. |
get_hash_lookup_with_sandbox
Investigation |
operation: Get IP Reputation
Input parameters
| Parameter |
Description |
| IP Address |
IP address for which you want to retrieve reputation information from the Metadefender server. |
Output
The JSON output contains all information, including reputation information, for the IP address that you have specified, retrieved from the Metadefender server.
The output contains the following populated JSON schema:
{
"data": {
"start_time": "",
"scan_results": [
{
"source": "",
"results": [
{
"alternativeid": "",
"detecttime": "",
"updatetime": "",
"assessment": "",
"result": "",
"confident": ""
}
]
}
],
"address": "",
"detected_by": "",
"geo_info": {
"country_code": "",
"region_name": "",
"city": "",
"country_name": "",
"region_code": "",
"ip": "",
"longitude": "",
"latitude": ""
}
}
}
operation: Get Filehash Reputation
Input parameters
| Parameter |
Description |
| File Hash |
Hash value of the file for which you want to retrieve reputation information from the Metadefender server. |
Output
The JSON output contains all information, including reputation information, for the file hash that you have specified, retrieved from the Metadefender server.
The output contains the following populated JSON schema:
{
"data": {
"scan_result_history_length": "",
"file_info": {
"sha1": "",
"file_type_category": "",
"md5": "",
"upload_timestamp": "",
"file_size": "",
"file_type_description": "",
"sha256": "",
"file_type_extension": "",
"display_name": ""
},
"share_file": "",
"process_info": {
"progress_percentage": "",
"profile": "",
"post_processing": {
"actions_ran": "",
"actions_failed": "",
"converted_to": "",
"converted_destination": "",
"copy_move_destination": ""
},
"file_type_skipped_scan": "",
"blocked_reason": "",
"result": "",
"user_agent": ""
},
"votes": {
"up": "",
"down": ""
},
"rest_version": "",
"file_id": "",
"archived": "",
"scan_results": {
"start_time": "",
"total_avs": "",
"total_detected_avs": "",
"scan_all_result_i": "",
"total_time": "",
"progress_percentage": "",
"rescan_available": "",
"scan_details": {},
"data_id": "",
"scan_all_result_a": "",
"in_queue": ""
},
"data_id": "",
"top_threat": ""
}
}
operation: Get Scan File Result
Input parameters
| Parameter |
Description |
| Data ID |
Data ID of file, which you had previously submitted to Metadefender, and for which you want to retrieve reputation information from the Metadefender server. Data ID is similar to a file hash value. |
Output
The JSON output contains all information, including reputation information for the file, which you had previously submitted to Metadefender, retrieved from the Metadefender server, based on the Data ID that you have specified.
The output contains the following populated JSON schema:
{
"data": {
"scan_results": {
"start_time": "",
"total_avs": "",
"total_detected_avs": "",
"scan_all_result_i": "",
"total_time": "",
"progress_percentage": "",
"rescan_available": "",
"scan_details": {},
"data_id": "",
"scan_all_result_a": "",
"in_queue": ""
},
"votes": {
"up": "",
"down": ""
},
"file_id": "",
"archived": "",
"top_threat": "",
"scan_result_history_length": "",
"file_info": {
"sha1": "",
"file_type_category": "",
"md5": "",
"upload_timestamp": "",
"file_size": "",
"file_type_description": "",
"sha256": "",
"file_type_extension": "",
"display_name": ""
},
"process_info": {
"progress_percentage": "",
"profile": "",
"post_processing": {
"actions_ran": "",
"actions_failed": "",
"converted_to": "",
"converted_destination": "",
"copy_move_destination": ""
},
"file_type_skipped_scan": "",
"blocked_reason": "",
"result": "",
"user_agent": ""
},
"rest_version": "",
"data_id": "",
"original_file": {
"progress_percentage": "",
"data_id": "",
"scan_result_i": "",
"detected_by": ""
},
"share_file": ""
}
}
operation: Submit File
Input parameters
| Parameter |
Description |
| FortiSOAR File/Attachment IRI |
ID or Attachment IRI of the FortiSOAR file that you want to submit to Metadefender for analysis. |
Output
The output contains the following populated JSON schema:
{
"data": {
"status": "",
"in_queue": "",
"sha1": "",
"queue_priority": "",
"data_id": "",
"sha256": ""
}
}
operation: Get Scan With Sandbox
Input parameters
| Parameter |
Description |
| Data ID |
Data ID of file, which you had previously submitted to Metadefender, and for which you want to retrieve information from the Metadefender server. Data ID is similar to a file hash value. |
| Sandbox |
Sandbox that contains the file whose information you want to retrieve from the Metadefender server. You can choose between windows7 or windows10. |
Output
The output contains the following populated JSON schema:
{
"data": {
"sha1": "",
"md5": "",
"sandbox_id": "",
"rescan_available": "",
"data_id": "",
"sha256": ""
}
}
operation: Get Sandbox Lookup
Input parameters
| Parameter |
Description |
| Sandbox ID |
ID of the sandbox for which you want to retrieve lookup information from the Metadefender server. |
Output
The output contains the following populated JSON schema:
{
"data": {
"sha1": "",
"md5": "",
"sandbox_id": "",
"rescan_available": "",
"data_id": "",
"sha256": ""
}
}
operation: Get Hash Lookup With Sandbox
Input parameters
| Parameter |
Description |
| Hash |
Hash value of the file for which you want to retrieve sandbox hash lookup information from the Metadefender server. |
Output
The output contains the following populated JSON schema:
{
"data": {
"scan_in_progress": ""
}
}
Included playbooks
The Sample - Metadefender Cloud - 1.1.0 playbook collection comes bundled with the Metadefender Cloud connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Metadefender Cloud connector.
- Get Filehash Reputation
- Get Filehash Lookup With Sandbox
- Get IP Reputation
- Get Sandbox Lookup
- Get Scan File Result
- Get Scan With Sandbox
- Submit File
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
