ReversingLabs A1000 v2
This integration is part of the ReversingLabs A1000 Pack.
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
ReversingLabs A1000 is an advanced malware analysis platform.
Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see the release notes for this version.
Configure ReversingLabs A1000 v2 on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for ReversingLabs A1000 v2.
Click Add instance to create and configure a new integration instance.
Parameter | Required |
---|---|
ReversingLabs A1000 instance URL | True |
API Token | True |
Verify host certificates | False |
Reliability | False |
Wait time between report fetching retries (seconds). Default is 2 seconds. | False |
Number of report fetching retries. Default is 30. | False |
Click Test to validate the URLs, token, and connection.
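The two retry parameters bound how long a playbook step blocks while A1000 is still processing a sample: worst case is roughly wait time multiplied by retry count. The following is an added example of such a bounded polling loop, not the integration's own source; it assumes a hypothetical `get_report(hash)` callable that returns `None` while analysis is pending and the report dict once it is done (the real A1000 client and its response shape are not shown on this page), and uses a constructed fake client so it runs offline.

```python
"""Added example: polling A1000 for a finished report with bounded retries.

Illustrative code, not the integration's own source. It assumes a callable
``get_report(sample_hash)`` that returns None while the sample is still being
processed and a report dict once analysis is done (hypothetical shape).
"""
import time
from typing import Callable, List, Optional, Tuple

# Defaults mirror the integration parameters documented above.
DEFAULT_WAIT_SECONDS = 2
DEFAULT_RETRIES = 30


class ReportNotReady(Exception):
    """Raised when the sample is still processing after all retries."""


def fetch_report_with_retries(get_report: Callable[[str], Optional[dict]],
                              sample_hash: str,
                              wait_seconds: float = DEFAULT_WAIT_SECONDS,
                              retries: int = DEFAULT_RETRIES,
                              sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll get_report until it returns a report or the retries are used up.

    Worst-case blocking time is about wait_seconds * (retries - 1), because
    there is no sleep after the final unsuccessful attempt.
    """
    if retries < 1:
        raise ValueError("retries must be at least 1")
    if wait_seconds < 0:
        raise ValueError("wait_seconds must not be negative")
    for attempt in range(1, retries + 1):
        report = get_report(sample_hash)
        if report is not None:
            return report
        if attempt < retries:          # do not sleep after the last miss
            sleep(wait_seconds)
    raise ReportNotReady(
        f"A1000 returned no report for {sample_hash} after {retries} "
        f"attempts {wait_seconds}s apart")


class FakeA1000Client:
    """Constructed stand-in for the A1000 API (not the real client).

    Reports 'still processing' (None) for the first ``pending_polls`` calls,
    then returns a minimal report dict of hypothetical shape.
    """

    def __init__(self, pending_polls: int):
        self.pending_polls = pending_polls
        self.calls = 0

    def get_report(self, sample_hash: str) -> Optional[dict]:
        self.calls += 1
        if self.calls <= self.pending_polls:
            return None
        return {"sha1": sample_hash, "classification": "malicious"}


def demo(pending_polls: int, retries: int = DEFAULT_RETRIES,
         wait_seconds: float = DEFAULT_WAIT_SECONDS) -> Tuple[Optional[dict], int, float]:
    """Run the poller against the fake client, recording sleeps instead of sleeping.

    Returns (report or None, number of API calls made, total seconds that
    would have been slept).
    """
    client = FakeA1000Client(pending_polls)
    slept: List[float] = []
    try:
        report = fetch_report_with_retries(
            client.get_report, "a94775deb818a4d68635eeed3d16abc7f7b8bdd6",
            wait_seconds=wait_seconds, retries=retries, sleep=slept.append)
    except ReportNotReady:
        report = None
    return report, client.calls, sum(slept)


if __name__ == "__main__":
    print(demo(pending_polls=3))                # report on the 4th call, 6s slept
    print(demo(pending_polls=50, retries=5))    # gives up: None after 5 calls, 8s slept
```

Passing the sleep function in makes the loop testable without real delays; in a playbook the defaults above give an upper bound of about a minute before the command fails rather than hanging indefinitely.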
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
reversinglabs-a1000-get-results#
Retrieve sample analysis results
Base Command#
reversinglabs-a1000-get-results
Input#
Argument Name | Description | Required |
---|---|---|
hash | The file hash. | Required |
Context Output#
Path | Type | Description |
---|---|---|
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Name | String | The name of the file. |
File.EntryID | String | The Entry ID. |
File.Info | String | Information about the file. |
File.Type | String | The type of the file. |
File.MD5 | String | MD5 hash of the file. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
ReversingLabs.a1000_report | Unknown | A1000 report |
Command example#
!reversinglabs-a1000-get-results hash="a94775deb818a4d68635eeed3d16abc7f7b8bdd6"
Context Example#
Human Readable Output#
ReversingLabs A1000 results for: a94775deb818a4d68635eeed3d16abc7f7b8bdd6#
Type: Binary/Archive
Size: 607237 bytes
MD5: a322205db6c3b1c451725b84f1d010cc
SHA1: a94775deb818a4d68635eeed3d16abc7f7b8bdd6
SHA256: d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2
SHA512: d1fd72d5a52d75f23836016772e8895d901fa5a1cb1f9b25ba455db6cccbd97e9daf43fde4f8bb77b43c0b5c4937405d51dece20cda7fa7db7600715c7769554
ID: 3065
Malware status: malicious
Local first seen: 2022-12-19T11:39:10.929115Z
Local last seen: 2022-12-20T17:37:24.670052Z
First seen: 2022-12-19T11:39:11Z
Last seen: 2022-12-20T17:37:29Z
DBot score: 3
Risk score: 10
Threat name: Win32.Trojan.Delf
Category: archive
Classification origin: {'sha1': 'aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad', 'sha256': '43d51f009bf94707556031b9688e84bb85df2c59854fba8fcb90be6c0d19e1d1', 'sha512': '8a1c9512fa167b938ea31c047a48dd6ec36d9b22443bc4ee6b97a116e16ff33427645ac76349f531cd9a672b4fffc3c4c92d1c82d2a71241915c1499336fd221', 'md5': '8521e64c683e47c1db64d80577513016', 'imphash': 'c57e34b759dff2e57f71960b2fdb93da'}
Classification reason: antivirus
Aliases: aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad.rl.zip
Extracted file count: 85
Identification name: ZIP
Identification version: Generic
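The output above shows how a report's classification drives the DBot score (malicious gives 3; the JPEG example further down, classified unknown, gives 0). As an added example, not the integration's own code, the block below maps a report into the File and DBotScore context paths listed for this command. The report dicts are constructed from the values shown in the human-readable output; their field names, the mapping of goodware and suspicious to scores 1 and 2 (the standard XSOAR DBotScore convention), and the hash validation are assumptions. A live integration would build the same entries with CommonServerPython's Common.File and Common.DBotScore rather than plain dicts.

```python
"""Added example: A1000 report -> XSOAR File / DBotScore context entries.

Illustrative code, not the integration's source. Report field names are an
assumption; the sample values are copied from the human-readable output on
this page.
"""
import re
from typing import Optional

VENDOR = "ReversingLabs A1000 v2"

# DBotScore: 0 unknown, 1 good, 2 suspicious, 3 bad. The page confirms only
# malicious -> 3 and unknown -> 0; goodware and suspicious follow the standard
# XSOAR convention and are an assumption here.
CLASSIFICATION_TO_DBOT = {
    "malicious": 3,
    "suspicious": 2,
    "goodware": 1,
    "unknown": 0,
}

_HASH_RE = {
    "md5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "sha1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
}


def hash_type(value: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, else None."""
    for name, pattern in _HASH_RE.items():
        if pattern.match(value or ""):
            return name
    return None


def build_context(report: dict, queried_hash: str) -> dict:
    """Map one A1000 report to the File / DBotScore paths listed above."""
    if hash_type(queried_hash) is None:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {queried_hash!r}")

    classification = (report.get("classification") or "unknown").lower()
    # An unrecognised classification string is treated as unknown, never as good.
    score = CLASSIFICATION_TO_DBOT.get(classification, 0)

    aliases = report.get("aliases") or []
    file_ctx = {
        "MD5": report.get("md5"),
        "SHA1": report.get("sha1"),
        "SHA256": report.get("sha256"),
        "SHA512": report.get("sha512"),
        "Name": aliases[0] if aliases else None,
        "Type": report.get("file_type"),
        "Info": f"{report.get('identification_name')} / "
                f"{report.get('threat_name') or 'no threat name'}",
    }
    dbot_ctx = {
        "Indicator": queried_hash,
        "Type": "file",
        "Vendor": VENDOR,
        "Score": score,
    }
    return {"File": file_ctx, "DBotScore": dbot_ctx,
            "ReversingLabs.a1000_report": report}


# Constructed from the two results shown on this page (field names assumed).
MALICIOUS_ZIP_REPORT = {
    "md5": "a322205db6c3b1c451725b84f1d010cc",
    "sha1": "a94775deb818a4d68635eeed3d16abc7f7b8bdd6",
    "sha256": "d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2",
    "file_type": "Binary/Archive",
    "classification": "malicious",
    "riskscore": 10,
    "threat_name": "Win32.Trojan.Delf",
    "aliases": ["aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad.rl.zip"],
    "identification_name": "ZIP",
}
UNKNOWN_JPEG_REPORT = {
    "md5": "267218e9952b7448984995629891e9a3",
    "sha1": "4501a9f42e2b52a67bdefbd9d1c07e446d559d0c",
    "sha256": "bf54c9d48e0db04676518bdc699a999f868f023ef5fdc30bbf77c73892363fd7",
    "file_type": "Image/None",
    "classification": "unknown",
    "riskscore": 5,
    "threat_name": None,
    "aliases": ["ytm.jpg"],
    "identification_name": "JPEG",
}

if __name__ == "__main__":
    for rep in (MALICIOUS_ZIP_REPORT, UNKNOWN_JPEG_REPORT):
        ctx = build_context(rep, rep["sha1"])
        print(ctx["File"]["Name"], "->", ctx["DBotScore"]["Score"])
```

Note that the score is taken from the classification, not from the numeric risk score: the page shows risk score 5 alongside DBot score 0, so a threshold on risk score alone would not reproduce the integration's verdicts.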
reversinglabs-a1000-upload-sample#
Upload sample to A1000 for analysis
Base Command#
reversinglabs-a1000-upload-sample
Input#
Argument Name | Description | Required |
---|---|---|
entryId | The file entry to upload. | Required |
comment | A comment to add to the file. | Optional |
tags | List of tags for the file. | Optional |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_upload_report | Unknown | A1000 report |
Command example#
!reversinglabs-a1000-upload-sample entryId="6343@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59" comment="this_is_a_comment" tags="one_tag"
Context Example#
Human Readable Output#
ReversingLabs A1000 upload sample#
Message: Done.
ID: 73
SHA1: 4501a9f42e2b52a67bdefbd9d1c07e446d559d0c
Created: 2022-12-20T17:37:32.103792Z
reversinglabs-a1000-upload-sample-and-get-results#
Upload sample to A1000 and retrieve analysis results
Base Command#
reversinglabs-a1000-upload-sample-and-get-results
Input#
Argument Name | Description | Required |
---|---|---|
entryId | The file entry to upload. | Required |
comment | A comment to add to the file. | Optional |
tags | List of tags for the file. | Optional |
Context Output#
Path | Type | Description |
---|---|---|
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Name | String | The name of the file. |
File.EntryID | String | The Entry ID. |
File.Info | String | Information about the file. |
File.Type | String | The type of the file. |
File.MD5 | String | MD5 hash of the file. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
ReversingLabs.a1000_report | Unknown | A1000 report |
Command example#
!reversinglabs-a1000-upload-sample-and-get-results entryId="6343@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59" comment="this_is_a_comment" tags="one_tag"
Context Example#
Human Readable Output#
ReversingLabs A1000 results for: 4501a9f42e2b52a67bdefbd9d1c07e446d559d0c#
Type: Image/None
Size: 240336 bytes
MD5: 267218e9952b7448984995629891e9a3
SHA1: 4501a9f42e2b52a67bdefbd9d1c07e446d559d0c
SHA256: bf54c9d48e0db04676518bdc699a999f868f023ef5fdc30bbf77c73892363fd7
SHA512: 19908bee916323c7713950f7e319c34b042329550e4da47ccda6b416e4cda28d2f15621151dbf1ead6948d2d34b3f1c02affc46477b35117f56a7e4a54b78f6c
ID: 3076
Malware status: unknown
Local first seen: 2022-12-20T17:37:33.147453Z
Local last seen: 2022-12-20T17:37:33.147453Z
First seen: None
Last seen: None
DBot score: 0
Risk score: 5
Category: media
Classification origin: None
Classification reason: reason is unknown
Aliases: ytm.jpg
Extracted file count: 1
Identification name: JPEG
Identification version: Generic
reversinglabs-a1000-delete-sample#
Delete an uploaded sample from A1000
Base Command#
reversinglabs-a1000-delete-sample
Input#
Argument Name | Description | Required |
---|---|---|
hash | The hash to delete. | Required |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_delete_report | Unknown | A1000 file delete report |
Command example#
!reversinglabs-a1000-delete-sample hash="024e73a62d01e3a9c030c5e8aafa8a02cdbe17c9"
Context Example#
Human Readable Output#
ReversingLabs A1000 delete sample#
Message: Sample deleted successfully.
MD5: bd3891cf722dfea02dee568b90ccfc86
SHA1: 024e73a62d01e3a9c030c5e8aafa8a02cdbe17c9
SHA256: c6b7b99272d3d9eeb591f3ecfab0bca4da5af50669e4a941f421b94676378886
reversinglabs-a1000-list-extracted-files#
List files extracted from a sample
Base Command#
reversinglabs-a1000-list-extracted-files
Input#
Argument Name | Description | Required |
---|---|---|
hash | The sample hash. | Required |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_list_extracted_report | Unknown | A1000 list extracted files report |
Command example#
!reversinglabs-a1000-list-extracted-files hash="a94775deb818a4d68635eeed3d16abc7f7b8bdd6"