Publisher: ReversingLabs
Connector Version: 1.1.1
Product Vendor: ReversingLabs
Product Name: A1000
Product Version Supported (regex): ".*"
Minimum Product Version: 5.5.0
App integrates with ReversingLabs A1000 Malware Analysis Appliance APIs
The configuration variables below are required for this connector to operate. They are specified when configuring an A1000 asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
url | required | string | A1000 url |
token | required | password | A1000 token |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
detonate file - Upload file to A1000
submit url - Detonate file from url
check submitted url status - Check submitted url status
create pdf report - Create pdf report
check pdf report creation - Check pdf report creation
download pdf report - Download pdf report
get titaniumcore report - Get TitaniumCore report
url reputation - Queries URL info
domain reputation - Queries domain info
ip reputation - Queries IP info
network ip to domain - Get a list of IP-to-domain mappings
network urls from ip - Get a list of URLs hosted on the requested IP address
network files from ip - Get a list of hashes and classifications for files found on the requested IP address
advanced search - Search for samples using multi-part search criteria
advanced search ticloud - Search for samples available on the TitaniumCloud
advanced search local - Search for samples available on the A1000 appliance
create dynamic analysis report - Initiate the creation of dynamic analysis PDF report
check dynamic analysis report status - Get status of the report previously requested
download dynamic analysis report - Download previously requested dynamic analysis report in pdf
get summary report - Get a summary report for hash
get detailed report - Get detailed analysis report
get classification - Get classification for a sample
get user tags - List existing tags for the requested sample
create user tags - Add one or more user tags
delete user tags - Remove one or more user tags
set sample classification - Set the classification of a sample
delete sample classification - Delete the (user set) classification of a sample
yara get rulesets - Get a list of YARA rulesets that are on the A1000
yara get ruleset text - Get the full contents of the requested ruleset
yara get matches - Retrieve the list of YARA matches
yara create or update ruleset - Creates a new YARA ruleset if it doesn't exist
yara delete ruleset - Delete a specific YARA ruleset and its matches
yara enable or disable ruleset - Enable or disable a ruleset on the appliance
yara get synchronization time - Get the current synchronization time
yara set ruleset synchronization time - Modify the TiCloud sync time for TiCloud enabled rulesets
yara start or stop local retro scan - Allow users to start or stop the Local Retro scan on the appliance
yara manage cloud retro scan - Allow users to start, stop or clear a Cloud Retro scan
yara status retro scan local - Allow users to check the status of a Local Retro scan
yara status retro scan cloud - Allow users to check the status of Cloud Retro scan
list containers for hash - Get a list of containers from which the requested samples
delete sample - Delete the sample with the requested hash value
download extracted files - Download files extracted from local sample
reanalyze local samples - Submit a set of samples that already exist on the A1000
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
Validate the asset configuration for connectivity using supplied configuration.
No parameters are required for this action
No Output
Upload file to A1000
Type: investigate
Read only: True
Upload file to A1000.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
vault_id | required | Vault ID of file to detonate | string | vault_id |
file_name | optional | Filename to use | string | file name |
custom_file_name | optional | Custom file name for upload | string | file name |
archive_password | optional | Password for the file if it is password protected | password | |
rl_cloud_sandbox_platform | optional | Cloud Sandbox platform | string | |
tags | optional | Comma separated list of tags to assign to sample | string | |
comment | optional | Comment to add to sample | string | |
cloud_analysis | optional | Use cloud analysis | boolean | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.vault_id | string | vault_id | |
action_result.parameter.file_name | string | file name | |
action_result.parameter.custom_file_name | string | file name | |
action_result.parameter.rl_cloud_sandbox_platform | string | | "windows7" "windows10" "macos_11" "windows11" "linux" |
action_result.parameter.tags | string | ||
action_result.parameter.comment | string | ||
action_result.parameter.cloud_analysis | boolean | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Detonate file from url
Type: generic
Read only: False
Detonate file from url.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
file_url | required | URL from which the appliance should download the data | string | url |
crawler | optional | Crawler method (local or cloud) | password | |
archive_password | optional | Password, if file is a password-protected archive | string | |
rl_cloud_sandbox_platform | optional | Cloud Sandbox platform | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.file_url | string | url | |
action_result.parameter.crawler | string | | "local" "cloud" |
action_result.parameter.rl_cloud_sandbox_platform | string | | "windows7" "windows10" "macos_11" "windows11" "linux" |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Check submitted url status
Type: generic
Read only: False
Check submitted url status. Returns report if ready.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
task_id | required | Id of the task | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.task_id | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Create pdf report
Type: generic
Read only: False
Initiate pdf report creation.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.hash | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Check pdf report creation
Type: generic
Read only: False
Check pdf report creation status.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.hash | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Download pdf report
Type: generic
Read only: False
Download pdf report.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.hash | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get TitaniumCore report
Type: generic
Read only: False
Accepts a single hash string and gets the full TitaniumCore static analysis report for the requested sample. The requested sample must be present on the appliance. If the optional fields parameter is not provided in the request, all available parts of the static analysis report are returned in the response.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.hash | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Queries URL info
Type: investigate
Read only: True
Queries URL info.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to query | string | url |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.url | string | url | |
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Queries domain info
Type: investigate
Read only: True
Queries domain info.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
domain | required | Domain to query | string | domain url |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.domain | string | domain url | |
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Queries IP info
Type: investigate
Read only: True
Queries IP info.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP to query | string | ip |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.ip | string | ip | |
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get a list of IP-to-domain mappings
Type: generic
Read only: False
Accepts an IP address string and returns a list of IP-to-domain mappings.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP address | string | ip |
page | optional | SHA1 hash of page | string | |
page_size | optional | Page size | numeric | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ip | string | ip | |
action_result.parameter.page | string | ||
action_result.parameter.page_size | numeric | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get a list of URLs hosted on the requested IP address
Type: generic
Read only: False
Accepts an IP address string and returns a list of URLs hosted on the requested IP address.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP address | string | ip |
page | optional | SHA1 hash of page | string | |
page_size | optional | Page size | numeric | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ip | string | ip | |
action_result.parameter.page | string | ||
action_result.parameter.page_size | numeric | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get a list of hashes and classifications for files found on the requested IP address
Type: generic
Read only: False
Accepts an IP address string and returns a list of hashes and classifications for files found on the requested IP address.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP address | string | ip |
page | optional | SHA1 hash of page | string | |
page_size | optional | Page size | numeric | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ip | string | ip | |
action_result.parameter.page | string | ||
action_result.parameter.page_size | numeric | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Search for samples using multi-part search criteria
Type: generic
Read only: True
Search for samples available on the local A1000 instance and TitaniumCloud using the Advanced Search capabilities.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
query | required | Advanced Search query | string | search query |
limit | optional | Maximum number of results | numeric | |
only_cloud_results | optional | Show only TiCloud results | boolean | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.query | string | search query | "classification:malicious" |
action_result.parameter.limit | numeric | ||
action_result.parameter.only_cloud_results | boolean | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Search for samples available on the TitaniumCloud using the V3 endpoint
Type: generic
Read only: True
All restricted words and characters must be escaped with double quotation marks. This action works only if the A1000 is set up with access to TiCloud.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
query | required | Advanced Search query | string | search query |
start_search_date | required | The starting date for the search (later date) | string | |
end_search_date | required | The ending date for the search (earlier date) | string | |
sorting_order | optional | Ascending or descending | string | |
sorting_criteria | optional | Sort results on this column | string | |
limit | optional | Get at most search results, if page is set max value is 100 | numeric | |
page | optional | Use pagination instead of aggregated getter, off by default, index starts at 1 | numeric | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.query | string | search query | "classification:malicious" |
action_result.parameter.start_search_date | string | | "2024-05-30" |
action_result.parameter.end_search_date | string | | "2024-05-01" |
action_result.parameter.sorting_order | string | | "asc" "desc" |
action_result.parameter.sorting_criteria | string | | "sha1" "firstseen" "threatname" "sampletype" "filecount" "size" |
action_result.parameter.limit | numeric | ||
action_result.parameter.page | numeric | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Search for samples available on the A1000 appliance using the V3 endpoint
Type: generic
Read only: True
All restricted words and characters must be escaped with double quotation marks.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
query | required | Advanced Search query | string | search query |
sorting_order | optional | Ascending or descending | string | |
sorting_criteria | optional | Sort results on this column | string | |
limit | optional | Get at most search results, if page is set max value is 100 | numeric | |
page | optional | Use pagination instead of aggregated getter, off by default, index starts at 1 | numeric | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.query | string | search query | "classification:malicious" |
action_result.parameter.sorting_order | string | | "asc" "desc" |
action_result.parameter.sorting_criteria | string | | "sha1" "firstseen" "threatname" "sampletype" "filecount" "size" |
action_result.parameter.limit | numeric | ||
action_result.parameter.page | numeric | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Initiate the creation of dynamic analysis PDF report
Type: generic
Read only: False
Accepts a single hash string and a report format and initiates the creation of PDF or HTML reports for samples that have gone through dynamic analysis in the ReversingLabs Cloud Sandbox.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.hash | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get status of the report previously requested
Type: generic
Read only: False
Accepts a single hash string and report format parameters that should correspond to the parameters used in the request with create_dynamic_analysis_report method. The response includes an informative message about the status of the report previously requested.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.hash | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Download previously requested dynamic analysis report in pdf
Type: generic
Read only: False
Accepts a single hash string and report format parameters that should correspond to the parameters used in the request with create_dynamic_analysis_report method.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.hash | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get a summary report for hash
Type: generic
Read only: False
Get a summary report for hash.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | |
retry | optional | If set to False there will only be one try at obtaining the analysis report | boolean | |
fields | optional | List of A1000 report 'fields' to query | string | |
include_network_threat_intelligence | optional | Include network threat intelligence in the summary report | boolean | |
skip_reanalysis | optional | Skip sample reanalysis when fetching the summary report | boolean | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.fields | string | ||
action_result.parameter.hash | string | ||
action_result.parameter.include_network_threat_intelligence | boolean | ||
action_result.parameter.retry | boolean | ||
action_result.parameter.skip_reanalysis | boolean | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get detailed analysis report
Type: generic
Read only: False
Get detailed analysis report for sample.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | |
retry | optional | If set to False there will only be one try at obtaining the analysis report | boolean | |
fields | optional | List of A1000 report 'fields' to query | string | |
skip_reanalysis | optional | Skip sample reanalysis when fetching the summary report | boolean | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.fields | string | ||
action_result.parameter.hash | string | ||
action_result.parameter.retry | boolean | ||
action_result.parameter.skip_reanalysis | boolean | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get classification for a sample
Type: generic
Read only: False
Get classification for one sample. The default value of local_only is False, which, if not changed, will send a request to TitaniumCloud to get the sample. The av_scanners parameter decides if the AV scanner results will be included in the classification report.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | |
local_only | optional | Return only local samples without querying TitaniumCloud | boolean | |
av_scanners | optional | Return AV scanner results | boolean | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.parameter.av_scanners | boolean | ||
action_result.parameter.hash | string | ||
action_result.parameter.local_only | boolean | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
List existing tags for the requested sample
Type: generic
Read only: True
List existing tags for the requested sample, if there are any.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Sample hash | string | hash sha1 sha256 md5 |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.hash | string | hash sha1 sha256 md5 | |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Add one or more user tags
Type: generic
Read only: False
Add one or more User Tags to the sample, regardless of whether the sample already has any tags.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | hash sha1 sha256 md5 |
tags | required | List of comma separated tags | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.hash | string | hash sha1 sha256 md5 | |
action_result.parameter.tags | string | | tag1,tag2,tag3 |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Remove one or more user tags
Type: generic
Read only: False
Remove one or more User Tags from the requested sample.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | hash sha1 sha256 md5 |
tags | required | List of comma separated tags | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.hash | string | hash sha1 sha256 md5 | |
action_result.parameter.tags | string | | tag1,tag2,tag3 |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Set the classification of a sample
Type: generic
Read only: False
This API allows the user to set the classification of a sample, either in TitaniumCloud or locally on the A1000.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | hash sha1 sha256 md5 |
system | required | Where to set the classification | string | |
classification | required | Classification to set | string | |
risk_score | optional | Risk score to set for classification | string | |
threat_platform | optional | Threat platform to set, must be on the supported list | string | |
threat_type | optional | Threat type to set, must be on the supported list | string | |
threat_name | optional | Threat name to set, must be on the supported list | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.hash | string | hash sha1 sha256 md5 | |
action_result.parameter.system | string | | "cloud" "local" |
action_result.parameter.classification | string | | "goodware" "malicious" "suspicious" |
action_result.parameter.risk_score | string | | 0 <= risk_score <= 10 |
action_result.parameter.threat_platform | string | ||
action_result.parameter.threat_type | string | ||
action_result.parameter.threat_name | string | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Delete the (user set) classification of a sample
Type: generic
Read only: False
This API allows the user to delete the classification of a sample, either in TitaniumCloud or locally on the A1000.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash | string | hash sha1 sha256 md5 |
system | required | Where to set the classification | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.hash | string | hash sha1 sha256 md5 | |
action_result.parameter.system | string | | "cloud" "local" |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get a list of YARA rulesets that are on the A1000
Type: generic
Read only: True
For every ruleset in the list, the output includes additional info such as: rule name, number of matches, last matched date, and more.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
type | optional | Owner type | string | |
status | optional | Status | string | |
source | optional | Source | string | |
page | optional | Page | numeric | |
page_size | optional | Page size | numeric | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.type | string | | "my" "user" "system" "all" |
action_result.parameter.status | string | | "all" "error" "active" "disabled" "pending" "invalid" "capped" |
action_result.parameter.source | string | | "all" "local" "cloud" |
action_result.parameter.page | numeric | ||
action_result.parameter.page_size | numeric | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get the full contents of the requested ruleset
Type: generic
Read only: True
Get the full contents of the requested ruleset in raw text. All rulesets can be retrieved.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ruleset_name | required | Ruleset name | string | ruleset name |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ruleset_name | string | ruleset name | |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Retrieve the list of YARA matches
Type: investigate
Read only: True
Retrieve the list of YARA matches (local & cloud) for requested ruleset. Names are case-sensitive.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ruleset_name | required | Ruleset name | string | ruleset name |
page | optional | Page | numeric | |
page_size | optional | Page size | numeric | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ruleset_name | string | ruleset name | |
action_result.parameter.page | numeric | ||
action_result.parameter.page_size | numeric | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Creates a new YARA ruleset if it doesn't exist
Type: generic
Read only: False
Creates a new YARA ruleset if it doesn't exist. If it exists a new revision is created. TiCloud rules cannot be updated using this API.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ruleset_name | required | Ruleset name | string | ruleset name |
ruleset_text | required | Text of the yara ruleset | string | |
publish | optional | Publish to C1000 in the same cluster | boolean | |
ticloud | optional | Sync with TiCloud | boolean | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ruleset_name | string | ruleset name | |
action_result.parameter.ruleset_text | string | ||
action_result.parameter.publish | boolean | ||
action_result.parameter.ticloud | boolean | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Delete a specific YARA ruleset and its matches
Type: generic
Read only: False
Delete a specific YARA ruleset and its matches from the appliance.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ruleset_name | required | Ruleset name | string | ruleset name |
publish | optional | Publish to C1000 in the same cluster | boolean | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ruleset_name | string | ruleset name | |
action_result.parameter.publish | boolean | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Enable or disable a ruleset on the appliance
Type: generic
Read only: False
Administrators can manage any ruleset while regular A1000 users can only manage their own.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ruleset_name | required | Ruleset name | string | ruleset name |
enabled | required | Enable or disable the ruleset | boolean | |
publish | optional | Publish to C1000 in the same cluster | boolean | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ruleset_name | string | ruleset name | |
action_result.parameter.enabled | boolean | ||
action_result.parameter.publish | boolean | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric | ||
Get the current synchronization time
Type: generic
Read only: True
Provides information about the current synchronization status for TiCloud enabled rulesets.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric |
Modify the TiCloud sync time for TiCloud enabled rulesets
Type: generic
Read only: False
Modify the TiCloud sync time for TiCloud enabled rulesets. The time parameter must be a UTC timestamp.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
time | required | Synchronization time | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.time | string | | "2024-05-29 10:00:00" |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric |
Allow users to start or stop the local Retro scan on the appliance
Type: generic
Read only: False
Allow users to start or stop the Local Retro scan on the appliance.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
operation | required | START or STOP | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.operation | string | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric |
Allow users to start, stop or clear a Cloud Retro scan
Type: generic
Read only: False
Start/Stop or Clear a Cloud Retro scan for a specified ruleset on the A1000.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ruleset_name | required | Ruleset name | string | ruleset name |
operation | required | START, STOP or CLEAR | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ruleset_name | string | ruleset name | |
action_result.parameter.operation | string | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric |
Allow users to check the status of a Local Retro scan
Type: generic
Read only: True
The response indicates the current state of Local Retro scan, time and date when the latest Local Retro scan was started and/or stopped, and a list of previous Local Retro scans with the same details.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric |
Allow users to check the status of Cloud Retro scan for specified ruleset
Type: generic
Read only: True
The response indicates the current state of Cloud Retro, time and date when the latest Cloud Retro scan was started and/or stopped, and a list of previous Cloud Retro scans with the same details.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ruleset_name | required | Ruleset name | string | ruleset name |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ruleset_name | string | ruleset name | |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric |
Get a list of containers from which the requested samples have been extracted
Type: investigate
Read only: True
Get a list of all top-level containers from which the requested samples have been extracted during analysis. If a requested hash doesn't have a container, it will not be included in the response.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hashes | required | Comma separated list of hashes | string | hash sha1 sha256 md5 |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.hashes | string | hash sha1 sha256 md5 | |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric |
Delete the sample with the requested hash value
Type: generic
Read only: False
All related data, including extracted samples and metadata, will be deleted from the current A1000 instance.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash of the sample to be deleted | string | hash sha1 sha256 md5 |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.hash | string | hash sha1 sha256 md5 | |
action_result.data.*.results.code | numeric | ||
action_result.data.*.results.message | string | ||
action_result.data.*.results.detail.md5 | string | hash md5 | |
action_result.data.*.results.detail.sha1 | string | hash sha1 | |
action_result.data.*.results.detail.sha256 | string | hash sha256 | |
action_result.data.*.results.detail.sha512 | string | hash sha512 | |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric |
Download files extracted from local sample
Type: generic
Read only: True
The files are obtained through the unpacking process during sample analysis with the TitaniumCore static analysis engine.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash of the local sample whose extracted files are to be downloaded | string | hash sha1 sha256 md5 |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.hash | string | hash sha1 sha256 md5 | |
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric |
Submit a set of samples that already exist on the A1000
Type: investigate
Read only: False
Get classification for one sample. The default value of local_only is False, which, if not changed, will send a request to TitaniumCloud to get the sample. The av_scanners parameter decides if the AV scanner results will be included in the classification report.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hashes | required | Comma separated list of hashes | string | hash sha1 sha256 md5 |
titanium_cloud | optional | Titanium Cloud analysis | boolean | |
titanium_core | optional | Titanium Core analysis | boolean | |
rl_cloud_sandbox | optional | RL cloud sandbox analysis | boolean | |
cuckoo_sandbox | optional | Cuckoo sandbox analysis | boolean | |
fireeye | optional | FireEye analysis | boolean | |
joe_sandbox | optional | Joe sandbox analysis | boolean | |
cape | optional | Cape analysis | boolean | |
rl_cloud_sandbox_platform | optional | Platform on which the samples should be detonated | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.hashes | string | hash sha1 sha256 md5 | |
action_result.parameter.titanium_cloud | boolean | ||
action_result.parameter.titanium_core | boolean | ||
action_result.parameter.rl_cloud_sandbox | boolean | ||
action_result.parameter.cuckoo_sandbox | boolean | ||
action_result.parameter.fireeye | boolean | ||
action_result.parameter.joe_sandbox | boolean | ||
action_result.parameter.cape | boolean | ||
action_result.parameter.rl_cloud_sandbox_platform | string | ||
action_result.status | string | ||
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | ||
summary.total_objects | numeric | ||
summary.total_objects_successful | numeric |