ReversingLabs A1000 v2
This integration is part of the ReversingLabs A1000 Pack.
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
Overview
This integration supports using ReversingLabs Advanced File Analysis to 'detonate file' on the A1000 Advanced Malware Analysis Appliance.
The A1000 appliance is a powerful threat detection and file analysis platform that integrates other ReversingLabs technologies (TitaniumCore - the automated static analysis solution, and TitaniumCloud File Reputation Service) to provide detailed information on each file's status and threat capabilities.
The A1000 makes it easy to upload multiple samples for analysis. It can process, unpack, and classify them in a matter of milliseconds, and display detailed analysis reports. Historical analysis results are preserved in a database to enable in-depth searching, and malware samples are continually reanalyzed to ensure the most up-to-date file reputation status.
Prerequisites
You need to obtain the following ReversingLabs A1000 platform information:
- A1000 instance
- A1000 API Token
Configure ReversingLabs A1000 on Cortex XSOAR
Navigate to Settings > Integrations > Servers & Services.
Search for ReversingLabs A1000.
Click Add instance to create and configure a new integration instance.

Parameter | Required |
---|---|
ReversingLabs A1000 instance URL | True |
API Token | True |
Verify host certificates | True (default: False) |
Reliability | True (default: C - Fairly reliable) |

Click Test to validate the connection.
Commands
You can execute these commands from the XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. For all commands, the full report is saved as part of the context and is also returned as a downloadable file.
- reversinglabs-a1000-upload-sample
- reversinglabs-a1000-reanalyze
- reversinglabs-a1000-download-sample
- reversinglabs-a1000-download-extracted-files
- reversinglabs-a1000-list-extracted-files
- reversinglabs-a1000-delete-sample
- reversinglabs-a1000-get-results
- reversinglabs-a1000-upload-sample-and-get-results
- reversinglabs-a1000-get-classification
- reversinglabs-a1000-advanced-search
reversinglabs-a1000-upload-sample
Upload a sample to the A1000 appliance for analysis.
Command Example
!reversinglabs-a1000-upload-sample entryId="3212@1651bd83-3242-43e4-8084-26de8937ca81"
Input
Argument Name | Description | Required |
---|---|---|
entryId | Entry ID of the sample to be uploaded | True |
comment | A comment for the file to be uploaded | True |
tags | A comma separated list of tags for the file | True |
Human Readable Output
Context Output
Path | Description |
---|---|
ReversingLabs.a1000_upload_report | Full report in JSON |
Context Example:
reversinglabs-a1000-reanalyze
Schedule a sample that was previously uploaded to the A1000 appliance to be reanalyzed.
Command Example
!reversinglabs-a1000-reanalyze hash="277d75e0593937034e12ed185c91b6bb9bbdc3c5"
Input
Argument Name | Description | Required |
---|---|---|
hash | The hash of a previously uploaded sample. Supported hash types: SHA1, SHA256, SHA512, MD5 | True |
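Every hash-based command on this page accepts the same four digest types (SHA1, SHA256, SHA512, MD5). The following is an added example, not code from the integration or from ReversingLabs, showing how a playbook pre-processing automation can validate the `hash` argument before it reaches the appliance: it infers the digest type from the hex length, rejects malformed values with a message an analyst can act on, and normalizes case so context keys stay consistent. The function names and the batch-validation helper are this example's own.

```python
import re
from typing import Dict, List, Optional

# Hash types accepted by the A1000 commands' `hash` argument
# (SHA1, SHA256, SHA512, MD5), keyed by the length of their hex digest.
HASH_TYPES_BY_HEX_LENGTH = {
    32: "MD5",
    40: "SHA1",
    64: "SHA256",
    128: "SHA512",
}

_HEX_DIGEST = re.compile(r"^[0-9a-fA-F]+$")


def detect_hash_type(value: str) -> Optional[str]:
    """Return the hash type name for a hex digest, or None if the value is
    not a well-formed digest of one of the supported types."""
    candidate = (value or "").strip()
    if not _HEX_DIGEST.match(candidate):
        return None
    return HASH_TYPES_BY_HEX_LENGTH.get(len(candidate))


def normalize_hash_argument(value: str) -> str:
    """Validate the `hash` argument before sending it to the appliance.

    Raises ValueError with a reason the analyst can read (XSOAR surfaces it
    as a command error) instead of letting the appliance reject an unsupported
    or mistyped value. Returns the lowercase digest so later lookups and
    context keys compare equal regardless of how the hash was typed.
    """
    hash_type = detect_hash_type(value)
    if hash_type is None:
        raise ValueError(
            f"Unsupported hash value {value!r}: expected a hex MD5, SHA1, "
            "SHA256 or SHA512 digest"
        )
    return value.strip().lower()


def validate_hash_list(values: List[str]) -> Dict[str, List[str]]:
    """Split a batch of hashes (for example from a playbook loop) into accepted
    digests and rejected inputs, so one bad value does not fail the whole run."""
    accepted: List[str] = []
    rejected: List[str] = []
    for value in values:
        try:
            accepted.append(normalize_hash_argument(value))
        except ValueError:
            rejected.append(value)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    # Hashes taken from the command examples on this page, plus constructed
    # bad inputs (a non-hex string and a SHA1 missing its last character).
    sample = [
        "277d75e0593937034e12ed185c91b6bb9bbdc3c5",
        "942D85ABB2E94A4E5205EAE7EFDC5677EE6A0881",
        "not-a-hash",
        "277d75e0593937034e12ed185c91b6bb9bbdc3c",
    ]
    print(validate_hash_list(sample))
```

Rejecting on length alone is deliberate: the appliance keys its lookups on the digest, so a truncated or padded hash would silently return "not found" rather than a useful error.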
Human Readable Output
Context Output
Path | Description |
---|---|
ReversingLabs.a1000_reanalyze_report | Full report in JSON |
Context Example:
reversinglabs-a1000-download-sample
Download a sample from the A1000 appliance. Returns the file binary.
Command Example
!reversinglabs-a1000-download-sample hash="277d75e0593937034e12ed185c91b6bb9bbdc3c5"
Input
Argument Name | Description | Required |
---|---|---|
hash | The hash of a previously uploaded sample. Supported hash types: SHA1, SHA256, SHA512, MD5 | True |
Human Readable Output
reversinglabs-a1000-download-extracted-files
Download files extracted from the requested sample. The files are obtained through the unpacking process during sample analysis with the TitaniumCore static analysis engine. Extracted files are downloaded in a single compressed archive file.
Command Example
!reversinglabs-a1000-download-extracted-files hash="277d75e0593937034e12ed185c91b6bb9bbdc3c5"
Input
Argument Name | Description | Required |
---|---|---|
hash | The hash of a previously uploaded sample. Supported hash types: SHA1, SHA256, SHA512, MD5 | True |
Human Readable Output
reversinglabs-a1000-list-extracted-files
Get a list of all files the TitaniumCore engine extracted from the requested sample during static analysis.
Command Example
!reversinglabs-a1000-list-extracted-files hash="277d75e0593937034e12ed185c91b6bb9bbdc3c5"
Input
Argument Name | Description | Required |
---|---|---|
hash | The hash of a previously uploaded sample. Supported hash types: SHA1, SHA256, SHA512, MD5 | True |
Human Readable Output
Context Output
Path | Description |
---|---|
ReversingLabs.a1000_list_extracted_report | Full report in JSON |
Context Example:
reversinglabs-a1000-delete-sample
Delete the sample with the requested hash value. All related data, including extracted samples and metadata, is deleted from the current A1000 instance.
Command Example
!reversinglabs-a1000-delete-sample hash="942d85abb2e94a4e5205eae7efdc5677ee6a0881"
Input
Argument Name | Description | Required |
---|---|---|
hash | The hash of a previously uploaded sample. Supported hash types: SHA1, SHA256, SHA512, MD5 | True |
Human Readable Output
Context Output
Path | Description |
---|---|
ReversingLabs.a1000_delete_report | Full report in JSON |
Context Example:
reversinglabs-a1000-get-results
Retrieve the analysis report from the A1000 appliance.
Command Example
!reversinglabs-a1000-get-results hash="277d75e0593937034e12ed185c91b6bb9bbdc3c5"
Input
Argument Name | Description | Required |
---|---|---|
hash | The hash of a previously uploaded sample. Supported hash types: SHA1, SHA256, SHA512, MD5 | True |
Human Readable Output
Context Output
Path | Description |
---|---|
File | File indicator |
DBotScore | Score |
ReversingLabs.a1000_report | Full report in JSON |
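The context output above lists three entries: the File indicator, the DBotScore, and the full report. As an added example (not the integration's own code), the block below shows how one report is turned into those three context entries and how the instance's Reliability setting is carried into the DBotScore. The report layout (`results`, `classification`, `sha1`, `md5`, `sha256`, `file_name`, `threat_name`) and the classification-to-score mapping are assumptions for this example; the DBotScore values 0 to 3 are the standard Cortex XSOAR scale. The embedded report is constructed, built around the SHA1 used in this page's command examples.

```python
from typing import Any, Dict

# Cortex XSOAR DBotScore values: 0 unknown, 1 good, 2 suspicious, 3 bad.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3

VENDOR = "ReversingLabs A1000 v2"

# Assumed mapping from the classification string in a report to a DBotScore.
# Anything unrecognized is treated as unknown, never as good, so a new or
# renamed classification value cannot silently clear an indicator.
CLASSIFICATION_TO_SCORE = {
    "malicious": DBOT_BAD,
    "suspicious": DBOT_SUSPICIOUS,
    "goodware": DBOT_GOOD,
    "unknown": DBOT_UNKNOWN,
}

# Constructed sample report (field names are assumptions for this example).
CONSTRUCTED_REPORT: Dict[str, Any] = {
    "count": 1,
    "results": [
        {
            "sha1": "277d75e0593937034e12ed185c91b6bb9bbdc3c5",
            "md5": "constructed-md5-placeholder",
            "sha256": "constructed-sha256-placeholder",
            "file_name": "sample.bin",
            "classification": "malicious",
            "threat_name": "Constructed.Threat.Name",
        }
    ],
}


def classification_to_score(classification: Any) -> int:
    """Map a classification string (any case, possibly missing) to a DBotScore."""
    return CLASSIFICATION_TO_SCORE.get(str(classification or "").lower(), DBOT_UNKNOWN)


def build_context(report: Dict[str, Any], reliability: str = "C - Fairly reliable") -> Dict[str, Any]:
    """Build the File, DBotScore and ReversingLabs.a1000_report context entries.

    `reliability` mirrors the instance parameter of the same name, so the
    score carries the confidence the integration was configured with.
    """
    results = report.get("results") or []
    if not results:
        # A report with no results means the appliance has no analysis for
        # this hash; refuse to emit a score rather than emit an empty one.
        raise ValueError("A1000 report contains no results for this sample")
    result = results[0]
    score = classification_to_score(result.get("classification"))

    file_entry: Dict[str, Any] = {
        "MD5": result.get("md5"),
        "SHA1": result.get("sha1"),
        "SHA256": result.get("sha256"),
        "Name": result.get("file_name"),
    }
    if score == DBOT_BAD:
        # XSOAR's File indicator carries a Malicious sub-object only for bad verdicts.
        file_entry["Malicious"] = {
            "Vendor": VENDOR,
            "Description": result.get("threat_name") or result.get("classification"),
        }

    dbot_entry = {
        "Indicator": result.get("sha1"),
        "Type": "file",
        "Vendor": VENDOR,
        "Score": score,
        "Reliability": reliability,
    }
    return {
        "File": file_entry,
        "DBotScore": dbot_entry,
        "ReversingLabs.a1000_report": report,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_context(CONSTRUCTED_REPORT), indent=2))
```

The default-to-unknown choice in `classification_to_score` is the detail worth keeping: the A1000 reanalyzes samples over time, so a verdict that does not match a known value should leave the indicator unscored and visible to the analyst, not mark it clean.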