About the connector

MetaDefender is a cybersecurity platform for preventing and detecting cybersecurity threats on multiple data channels.

This document provides information about the Metadefender Cloud connector, which facilitates automated interactions with a Metadefender server using FortiSOAR™ playbooks. Add the Metadefender Cloud connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving reputation information for a specific IP address or file hash and retrieving a scan result from Metadefender for a submitted file.

Version information

Connector Version: 1.1.0

Authored By: Community

Certified: No

Release Notes for version 1.1.0

The following enhancements have been made to the Metadefender Cloud connector in version 1.1.0:

  • Renamed the connector to Metadefender Cloud from Metadefender. 
  • Added the following new operations and playbooks:
    • Submit File
    • Get Scan With Sandbox
    • Get Sandbox Lookup
    • Get Hash Lookup With Sandbox

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-metadefender

Prerequisites to configuring the connector

  • You must have the URL of the Metadefender server to which you will connect and perform the automated operations and the API key configured for your account to access that Metadefender server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Metadefender Cloud connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

| Parameter | Description |
|---|---|
| Server URL | URL of the Metadefender server to which you will connect and perform the automated operations. |
| API Key | API key that is configured for your account for the Metadefender server to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

| Function | Description | Annotation | Category |
|---|---|---|---|
| Get IP Reputation | Retrieves details and reputation of the IP address that you have specified from the Metadefender server. | get_ip_reputation | Investigation |
| Get Filehash Reputation | Retrieves details and reputation of the file hash that you have specified from the Metadefender server. | get_hash_reputation | Investigation |
| Get Scan File Result | Retrieves a scan result containing details and reputation of a file hash that you had previously submitted on the Metadefender server. The information is retrieved from the Metadefender server based on the Data ID that you have specified. | get_scan_file_result | Investigation |
| Submit File | Submits a file that is present in FortiSOAR™ for analysis to Metadefender based on the ID or attachment IRI of the file. | submit_file | Investigation |
| Get Scan With Sandbox | Retrieves a scan result containing details of a file that belongs to a specific sandbox. The scan results are retrieved for a file that you had previously submitted on the Metadefender server. The information is retrieved from the Metadefender server based on the Data ID and sandbox that you have specified. | get_scan_with_sandbox | Investigation |
| Get Sandbox Lookup | Retrieves lookup details of the sandbox from the Metadefender server based on the sandbox ID that you have specified. | get_sandbox_lookup | Investigation |
| Get Hash Lookup With Sandbox | Retrieves details of the sandbox hash lookup of a file from the Metadefender server based on the hash value that you have specified. | get_hash_lookup_with_sandbox | Investigation |

operation: Get IP Reputation

Input parameters

| Parameter | Description |
|---|---|
| IP Address | IP address for which you want to retrieve reputation information from the Metadefender server. |

Output

The JSON output contains all information, including reputation information, for the IP address that you have specified, retrieved from the Metadefender server.

The output contains the following populated JSON schema:
{
     "data": {
         "start_time": "",
         "scan_results": [
             {
                 "source": "",
                 "results": [
                     {
                         "alternativeid": "",
                         "detecttime": "",
                         "updatetime": "",
                         "assessment": "",
                         "result": "",
                         "confident": ""
                     }
                 ]
             }
         ],
         "address": "",
         "detected_by": "",
         "geo_info": {
             "country_code": "",
             "region_name": "",
             "city": "",
             "country_name": "",
             "region_code": "",
             "ip": "",
             "longitude": "",
             "latitude": ""
         }
     }
}

operation: Get Filehash Reputation

Input parameters

| Parameter | Description |
|---|---|
| File Hash | Hash value of the file for which you want to retrieve reputation information from the Metadefender server. |

Output

The JSON output contains all information, including reputation information, for the file hash that you have specified, retrieved from the Metadefender server.

The output contains the following populated JSON schema:


{
     "data": {
         "scan_result_history_length": "",
         "file_info": {
             "sha1": "",
             "file_type_category": "",
             "md5": "",
             "upload_timestamp": "",
             "file_size": "",
             "file_type_description": "",
             "sha256": "",
             "file_type_extension": "",
             "display_name": ""
         },
         "share_file": "",
         "process_info": {
             "progress_percentage": "",
             "profile": "",
             "post_processing": {
                 "actions_ran": "",
                 "actions_failed": "",
                 "converted_to": "",
                 "converted_destination": "",
                 "copy_move_destination": ""
             },
             "file_type_skipped_scan": "",
             "blocked_reason": "",
             "result": "",
             "user_agent": ""
         },
         "votes": {
             "up": "",
             "down": ""
         },
         "rest_version": "",
         "file_id": "",
         "archived": "",
         "scan_results": {
             "start_time": "",
             "total_avs": "",
             "total_detected_avs": "",
             "scan_all_result_i": "",
             "total_time": "",
             "progress_percentage": "",
             "rescan_available": "",
             "scan_details": {},
             "data_id": "",
             "scan_all_result_a": "",
             "in_queue": ""
         },
         "data_id": "",
         "top_threat": ""
     }
}

operation: Get Scan File Result

Input parameters

| Parameter | Description |
|---|---|
| Data ID | Data ID of file, which you had previously submitted to Metadefender, and for which you want to retrieve reputation information from the Metadefender server. Data ID is similar to a file hash value. |

Output

The JSON output contains all information, including reputation information for the file, which you had previously submitted to Metadefender, retrieved from the Metadefender server, based on the Data ID that you have specified.

The output contains the following populated JSON schema:
{
     "data": {
         "scan_results": {
             "start_time": "",
             "total_avs": "",
             "total_detected_avs": "",
             "scan_all_result_i": "",
             "total_time": "",
             "progress_percentage": "",
             "rescan_available": "",
             "scan_details": {},
             "data_id": "",
             "scan_all_result_a": "",
             "in_queue": ""
         },
         "votes": {
             "up": "",
             "down": ""
         },
         "file_id": "",
         "archived": "",
         "top_threat": "",
         "scan_result_history_length": "",
         "file_info": {
             "sha1": "",
             "file_type_category": "",
             "md5": "",
             "upload_timestamp": "",
             "file_size": "",
             "file_type_description": "",
             "sha256": "",
             "file_type_extension": "",
             "display_name": ""
         },
         "process_info": {
             "progress_percentage": "",
             "profile": "",
             "post_processing": {
                 "actions_ran": "",
                 "actions_failed": "",
                 "converted_to": "",
                 "converted_destination": "",
                 "copy_move_destination": ""
             },
             "file_type_skipped_scan": "",
             "blocked_reason": "",
             "result": "",
             "user_agent": ""
         },
         "rest_version": "",
         "data_id": "",
         "original_file": {
             "progress_percentage": "",
             "data_id": "",
             "scan_result_i": "",
             "detected_by": ""
         },
         "share_file": ""
     }
}

operation: Submit File

Input parameters

| Parameter | Description |
|---|---|
| FortiSOAR File/Attachment IRI | ID or Attachment IRI of the FortiSOAR file that you want to submit to Metadefender for analysis. |

Output

The output contains the following populated JSON schema:
{
     "data": {
         "status": "",
         "in_queue": "",
         "sha1": "",
         "queue_priority": "",
         "data_id": "",
         "sha256": ""
     }
}
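
The Submit File output above returns a data_id that Get Scan File Result then resolves to a scan_results object (the same object Get Filehash Reputation returns). The following is an added example, not code from the connector or its bundled playbooks, showing how a playbook code step could reduce that output to a verdict without treating a pending or empty result as clean. It assumes the count fields arrive as integers or numeric strings (the page shows all values as ""); `fetch` is a hypothetical callable standing in for the Get Scan File Result step, and the sample values are constructed.

```python
import time

# Constructed samples shaped like the Get Scan File Result schema on this page.
# Values are invented for illustration; numeric types are an assumption.
SAMPLE_DONE = {"data": {
    "data_id": "example-data-id",
    "file_info": {"sha256": "0" * 64, "display_name": "invoice.doc"},
    "scan_results": {"progress_percentage": 100, "total_avs": 20,
                     "total_detected_avs": 3, "scan_all_result_a": "Infected"},
}}
SAMPLE_PENDING = {"data": {
    "data_id": "example-data-id",
    "scan_results": {"progress_percentage": 40, "total_avs": 20,
                     "total_detected_avs": 0},
}}


def _to_int(value):
    """Coerce a field to int; return None for "", None or other unusable values."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def triage(output, min_engines=1):
    """Reduce a Get Filehash Reputation / Get Scan File Result output to a verdict."""
    data = (output or {}).get("data") or {}
    scan = data.get("scan_results") or {}
    progress = _to_int(scan.get("progress_percentage"))
    total = _to_int(scan.get("total_avs"))
    detected = _to_int(scan.get("total_detected_avs"))

    if progress is None:
        verdict = "unknown"    # no scan data at all: never report this as clean
    elif progress < 100:
        verdict = "pending"    # partial engine results are not a verdict
    elif not total or detected is None:
        verdict = "unknown"    # finished, but no engine counts to judge by
    elif detected >= min_engines:
        verdict = "detected"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "data_id": data.get("data_id"),
        "sha256": (data.get("file_info") or {}).get("sha256"),
        "detected": detected,
        "total": total,
        "label": scan.get("scan_all_result_a"),
    }


def wait_for_verdict(fetch, data_id, attempts=10, delay=5.0):
    """Poll fetch(data_id) until the scan finishes or the attempts run out.

    `fetch` is a hypothetical stand-in for the playbook step that runs
    Get Scan File Result with the data_id returned by Submit File.
    """
    result = {"verdict": "pending", "data_id": data_id}
    for attempt in range(attempts):
        result = triage(fetch(data_id))
        if result["verdict"] != "pending":
            break
        if attempt < attempts - 1:
            time.sleep(delay)
    return result


if __name__ == "__main__":
    replies = iter([SAMPLE_PENDING, SAMPLE_PENDING, SAMPLE_DONE])
    print(wait_for_verdict(lambda _id: next(replies), "example-data-id", delay=0))
```

A result that is still "pending" after the last attempt should be routed to manual review or a later retry rather than closed.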

operation: Get Scan With Sandbox

Input parameters

| Parameter | Description |
|---|---|
| Data ID | Data ID of file, which you had previously submitted to Metadefender, and for which you want to retrieve information from the Metadefender server. Data ID is similar to a file hash value. |
| Sandbox | Sandbox that contains the file whose information you want to retrieve from the Metadefender server. You can choose between windows7 or windows10. |

Output

The output contains the following populated JSON schema:
{
     "data": {
         "sha1": "",
         "md5": "",
         "sandbox_id": "",
         "rescan_available": "",
         "data_id": "",
         "sha256": ""
     }
}

operation: Get Sandbox Lookup

Input parameters

| Parameter | Description |
|---|---|
| Sandbox ID | ID of the sandbox for which you want to retrieve lookup information from the Metadefender server. |

Output

The output contains the following populated JSON schema:
{
     "data": {
         "sha1": "",
         "md5": "",
         "sandbox_id": "",
         "rescan_available": "",
         "data_id": "",
         "sha256": ""
     }
}

operation: Get Hash Lookup With Sandbox

Input parameters

| Parameter | Description |
|---|---|
| Hash | Hash value of the file for which you want to retrieve sandbox hash lookup information from the Metadefender server. |

Output

The output contains the following populated JSON schema:
{
     "data": {
         "scan_in_progress": ""
     }
}

Included playbooks

The Sample - Metadefender Cloud - 1.1.0 playbook collection comes bundled with the Metadefender Cloud connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Metadefender Cloud connector.

  • Get Filehash Reputation
  • Get Filehash Lookup With Sandbox
  • Get IP Reputation
  • Get Sandbox Lookup
  • Get Scan File Result
  • Get Scan With Sandbox
  • Submit File

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
