VMRay
This Integration is part of the VMRay Analyzer Pack.#
VMRay XSOAR Integration#
This integration enables users to design playbooks that involve analyzing a file in VMRay and retrieving the analysis results and associated threat intelligence.
The Playbooks accelerate incident response and make security operations more scalable and efficient.
Configure VMRay on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for VMRay.
Click Add instance to create and configure a new integration instance.
Parameter Required Server URL (e.g., https://cloud.vmray.com) True API Key True Use system proxy settings False Trust any certificate (not secure) False Click Test to validate the URLs, token, and connection.
Known Limitations#
- Non-ASCII characters in file names will be ignored when uploading.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- vmray-upload-sample: Submit a sample for analysis
- vmray-upload-url: Submit a URL for analysis
- vmray-get-analysis-by-sample: Get analysis details for a sample
- vmray-get-job-by-sample: Get job details for a sample
- vmray-get-submission: Get submission results
- vmray-get-sample: Get information for a sample
- vmray-get-sample-by-hash: Get information for a sample by hash
- vmray-get-threat-indicators: Get threat indicators
- vmray-add-tag: Add a tag to an analysis or submission
- vmray-delete-tag: Delete a tag from an analysis or submission
- vmray-get-iocs: Get IOCs for a sample
- vmray-get-job-by-id: Get information for a job
- vmray-get-summary: Download Summary JSON v2 for an analysis
vmray-upload-sample#
Submits a sample to VMRay for analysis.
Base Command#
vmray-upload-sample
Input#
| Argument Name | Description | Required |
|---|---|---|
| entry_id | Entry ID of the file to submit. | Required |
| document_password | Password of the document. | Optional |
| archive_password | Password of an archive. | Optional |
| sample_type | Force type of the file. | Optional |
| shareable | Whether the file is shareable. Possible values are: true, false. | Optional |
| max_jobs | Maximum number of jobs to create (number). Default is 1. | Optional |
| tags | A CSV list of tags to add to the sample. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| VMRay.Job.JobID | Number | ID of a new job |
| VMRay.Job.Created | Date | Timestamp of job creation. |
| VMRay.Job.SampleID | Number | ID of the sample. |
| VMRay.Job.VMName | String | Name of the virtual machine. |
| VMRay.Job.VMID | Number | ID of the virtual machine. |
| VMRay.Sample.SampleID | Number | ID of the sample. |
| VMRay.Sample.SampleURL | String | URL to sample page. |
| VMRay.Sample.Created | Date | Timestamp of sample creation. |
| VMRay.Submission.SubmissionID | Number | Submission ID. |
| VMRay.Submission.SubmissionURL | String | URL to submission page. |
Command Example#
Context Example#
Human Readable Output#
File submitted to VMRay
| Jobs ID | Samples ID | Submissions ID | Sample URL |
|---|---|---|---|
| 3908304 | 3902285 | 4569315 | https://cloud.vmray.com/user/sample/view?id=3902285 |
vmray-upload-url#
Submits a URL for analysis.
Base Command#
vmray-upload-url
Input#
| Argument Name | Description | Required |
|---|---|---|
| url | The URL to analyze. For example: https://demisto.com. . | Required |
| shareable | Whether the analysis is shareable. Possible values are: true, false. | Optional |
| max_jobs | Maximum number of jobs to create (number). Default is 1. | Optional |
| tags | A CSV list of tags to add to the sample. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| VMRay.Job.JobID | Number | ID of a new job |
| VMRay.Job.Created | Date | Timestamp of job creation. |
| VMRay.Job.SampleID | Number | ID of the sample. |
| VMRay.Job.VMName | String | Name of the virtual machine. |
| VMRay.Job.VMID | Number | ID of the virtual machine. |
| VMRay.Sample.SampleID | Number | ID of the sample. |
| VMRay.Sample.SampleURL | String | URL to sample page. |
| VMRay.Sample.Created | Date | Timestamp of sample creation. |
| VMRay.Submission.SubmissionID | Number | Submission ID. |
| VMRay.Submission.SubmissionURL | String | URL to submission page. |
Command Example#
Human Readable Output#
URL submitted to VMRay
| Jobs ID | Samples ID | Submissions ID |
|---|---|---|
| 3908304 | 3902285 | 4569315 |
vmray-get-analysis-by-sample#
Retrieves all analysis details for a specified sample.
Base Command#
vmray-get-analysis-by-sample
Input#
| Argument Name | Description | Required |
|---|---|---|
| sample_id | Sample ID. | Required |
| limit | Maximum number of results to return (number). | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| VMRay.Analysis.AnalysisID | Number | Analysis ID. |
| VMRay.Analysis.AnalysisURL | String | URL to analysis page. |
| VMRay.Analysis.SampleID | Number | Sample ID in the analysis. |
| VMRay.Analysis.Verdict | String | Verdict for the sample (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Analysis.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Analysis.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated. |
| VMRay.Analysis.JobCreated | Date | Date when the analysis job started. |
| VMRay.Analysis.MD5 | String | MD5 hash of the sample. |
| VMRay.Analysis.SHA1 | String | SHA1 hash of the sample. |
| VMRay.Analysis.SHA256 | String | SHA256 hash of the sample. |
| VMRay.Analysis.SSDeep | String | ssdeep hash of the sample. |
Command Example#
Context Example#
Human Readable Output#
Analysis results from VMRay for ID 3902238:
| AnalysisID | SampleID | Verdict | AnalysisURL |
|---|---|---|---|
| 2779353 | 3902238 | Suspicious | https://cloud.vmray.com/user/sample/view?id=3902238 |
vmray-get-job-by-sample#
Retrieves details for all jobs for a specified sample.
Base Command#
vmray-get-job-by-sample
Input#
| Argument Name | Description | Required |
|---|---|---|
| sample_id | Sample ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| VMRay.Job.JobID | Number | ID of the job. |
| VMRay.Job.SampleID | Number | Sample ID of the job. |
| VMRay.Job.SubmissionID | Number | ID of the submission. |
| VMRay.Job.MD5 | String | MD5 hash of the sample in the job. |
| VMRay.Job.SHA1 | String | SHA1 hash of the sample in the job. |
| VMRay.Job.SHA256 | String | SHA256 hash of the sample in the job. |
| VMRay.Job.SSDeep | String | ssdeep hash of the sample in the job. |
| VMRay.Job.VMName | String | Name of the virtual machine. |
| VMRay.Job.VMID | Number | ID of the virtual machine. |
| VMRay.Job.Status | String | Status of the job. |
Command Example#
Context Example#
Human Readable Output#
Job results for sample id: 3902238
| JobID | SampleID | VMName | VMID |
|---|---|---|---|
| 29208 | 3902238 | win7_32_sp1 | 3 |
vmray-get-submission#
Retrieves the results of a submission.
Base Command#
vmray-get-submission
Input#
| Argument Name | Description | Required |
|---|---|---|
| submission_id | ID of the submission. Can be obtained by running the 'vmray-upload-sample' or 'vmray-upload-url' command. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| VMRay.Submission.IsFinished | Boolean | Whether the submission is finished (true or false). |
| VMRay.Submission.HasErrors | Boolean | Whether there are any errors in the submission (true or false). |
| VMRay.Submission.SubmissionID | Number | ID of the sample in the submission. |
| VMRay.Submission.SubmissionURL | String | URL of submission page. |
| VMRay.Submission.MD5 | String | MD5 hash of the sample in the submission. |
| VMRay.Submission.SHA1 | String | SHA1 hash of the sample in the submission. |
| VMRay.Submission.SHA256 | String | SHA256 hash of the sample in the submission. |
| VMRay.Submission.SSDeep | String | ssdeep hash of the sample in the submission. |
| VMRay.Submission.Verdict | String | Verdict for the sample (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Submission.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Submission.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated. |
| VMRay.Submission.SampleID | Number | ID of the sample in the submission. |
Command Example#
Context Example#
Human Readable Output#
Submission results from VMRay for ID 3902238 with verdict of Malicious
| Attribute | Value |
|---|---|
| IsFinished | true |
| Verdict | Malicious |
| HasErrors | true |
| MD5 | 2e0499dc90c2d715a53e05b1890e0442 |
| SHA1 | 868a53c394f29f8d3aac7b0a20a371999045b6ed |
| SHA256 | b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66 |
| SSDeep | 1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH |
| SubmissionURL | https://cloud.vmray.com/user/sample/view?id=3902238 |
vmray-get-sample#
Retrieves a sample using the sample ID.
Base Command#
vmray-get-sample
Input#
| Argument Name | Description | Required |
|---|---|---|
| sample_id | ID of the sample. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| VMRay.Sample.SampleID | Number | ID of the sample. |
| VMRay.Sample.SampleURL | String | URL to sample page. |
| VMRay.Sample.FileName | String | File name of the sample. |
| VMRay.Sample.MD5 | String | MD5 hash of the sample. |
| VMRay.Sample.SHA1 | String | SHA1 hash of the sample. |
| VMRay.Sample.SHA256 | String | SHA256 hash of the sample. |
| VMRay.Sample.SSDeep | String | ssdeep hash of the sample. |
| VMRay.Sample.Verdict | String | Verdict for the sample (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated. |
| VMRay.Sample.Type | String | File type. |
| VMRay.Sample.Created | Date | Timestamp of sample creation. |
| VMRay.Sample.Classifications | String | Classifications of the sample. |
| VMRay.Sample.ChildSampleIDs | Number | List of child sample IDs. |
| VMRay.Sample.ParentSampleIDs | Number | List of parent sample IDs. |
Command Example#
Context Example#
Human Readable Output#
Results for sample id: 3902238 with verdict Malicious
| Attribute | Value |
|---|---|
| FileName | pafish.exe |
| Type | Windows Exe (x86-32) |
| MD5 | 2e0499dc90c2d715a53e05b1890e0442 |
| SHA1 | 868a53c394f29f8d3aac7b0a20a371999045b6ed |
| SHA256 | b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66 |
| SSDeep | 1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH |
| SampleURL | https://cloud.vmray.com/user/sample/view?id=3902238 |
vmray-get-sample-by-hash#
Retrieves sample information by hash.
Base Command#
vmray-get-sample-by-hash
Input#
| Argument Name | Description | Required |
|---|---|---|
| hash | MD5, SHA1 or SHA256 hash of the sample. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| File.Name | String | The full file name (including file extension). |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| VMRay.Sample.SampleID | Number | ID of the sample. |
| VMRay.Sample.SampleURL | String | URL to sample page. |
| VMRay.Sample.FileName | String | File name of the sample. |
| VMRay.Sample.MD5 | String | MD5 hash of the sample. |
| VMRay.Sample.SHA1 | String | SHA1 hash of the sample. |
| VMRay.Sample.SHA256 | String | SHA256 hash of the sample. |
| VMRay.Sample.SSDeep | String | ssdeep hash of the sample. |
| VMRay.Sample.Verdict | String | Verdict for the sample (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated. |
| VMRay.Sample.Type | String | File type. |
| VMRay.Sample.Created | Date | Timestamp of sample creation. |
| VMRay.Sample.Classifications | String | Classifications of the sample. |
| VMRay.Sample.ChildSampleIDs | Number | List of child sample IDs. |
| VMRay.Sample.ParentSampleIDs | Number | List of parent sample IDs. |
Command Example#
Context Example#
Human Readable Output#
Results for sha1 hash 124f46228d1e220d88ae5e9a24d6e713039a64f9:
| Attribute | Value |
|---|---|
| SampleID | 5948 |
| FileName | pafish.exe |
| Type | Windows Exe (x86-32) |
| Verdict | Malicious |
| SampleURL | https://cloud.vmray.com/user/sample/view?id=5948 |
vmray-get-threat-indicators#
Retrieves threat indicators (VTI).
Base Command#
vmray-get-threat-indicators
Input#
| Argument Name | Description | Required |
|---|---|---|
| sample_id | ID of the sample. Can be obtained from the 'VMRay.Sample.ID' output. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| VMRay.ThreatIndicator.AnalysisID | Number | List of connected analysis IDs. |
| VMRay.ThreatIndicator.Category | String | Category of threat indicators. |
| VMRay.ThreatIndicator.Classification | String | Classifications of threat indicators. |
| VMRay.ThreatIndicator.ID | Number | ID of a threat indicator. |
| VMRay.ThreatIndicator.Operation | String | Operation the indicators caused. |
Command Example#
Context Output#
Omitted for brevity.
Human Readable Output#
Omitted for brevity.
vmray-add-tag#
Adds a tag to an analysis and/or a submission.
Base Command#
vmray-add-tag
Input#
| Argument Name | Description | Required |
|---|---|---|
| submission_id | ID of the submission to which to add tags. | Optional |
| analysis_id | ID of the analysis from which to add tags. | Optional |
| tag | Tag to add. | Optional |
Context Output#
There is no context output for this command.
Command Example#
Human Readable Output#
vmray-delete-tag#
Deletes tags from an analysis and/or a submission.
Base Command#
vmray-delete-tag
Input#
| Argument Name | Description | Required |
|---|---|---|
| analysis_id | ID of the analysis from which to delete a tag. | Optional |
| submission_id | ID of the submission from which to delete a tag. | Optional |
| tag | Tag to delete. | Optional |
Context Output#
There is no context output for this command.
Command Example#
Human Readable Output#
vmray-get-iocs#
Retrieves Indicators of Compromise for a specified sample.
Base Command#
vmray-get-iocs
Input#
| Argument Name | Description | Required |
|---|---|---|
| sample_id | ID of the sample. | Required |
| all_artifacts | Whether all artifacts should be returned or only Indicators of Compromise. Possible values are: true, false. Default is false. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| Domain.Name | String | The domain name |
| IP.Address | String | IP address |
| URL.Data | String | The URL |
| Email.Address | String | The Email address |
| File.Path | String | The full file path. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| VMRay.Sample.IOC.Domain.AnalysisID | Number | IDs of other analyses that contain the domain. |
| VMRay.Sample.IOC.Domain.Countries | String | Countries associated with the domain. |
| VMRay.Sample.IOC.Domain.CountryCodes | String | ISO 3166-1 two-letter country codes associated with the domain. |
| VMRay.Sample.IOC.Domain.Domain | String | Domain. |
| VMRay.Sample.IOC.Domain.ID | Number | ID of the domain. (deprecated; is always 0) |
| VMRay.Sample.IOC.Domain.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
| VMRay.Sample.IOC.Domain.IOCType | String | Type of IOC. |
| VMRay.Sample.IOC.Domain.IpAddresses | String | IP addresses associated with the domain. |
| VMRay.Sample.IOC.Domain.OriginalDomains | String | Original domains associated with the domain. |
| VMRay.Sample.IOC.Domain.ParentProcesses | String | Full commandline of processes where the domain was used. |
| VMRay.Sample.IOC.Domain.ParentProcessesNames | String | Names of processes where the domain was used. |
| VMRay.Sample.IOC.Domain.Protocols | String | The protocols used for the domain in a request. |
| VMRay.Sample.IOC.Domain.Sources | String | The sources where the domain was obtained from. |
| VMRay.Sample.IOC.Domain.Type | String | Type of domain. |
| VMRay.Sample.IOC.Domain.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.IOC.Domain.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.IOC.EmailAddress.AnalysisID | Number | IDs of other analyses that contain the email address. |
| VMRay.Sample.IOC.EmailAddress.Classifications | String | The classifications of the email address. |
| VMRay.Sample.IOC.EmailAddress.EmailAddress | String | The email address. |
| VMRay.Sample.IOC.EmailAddress.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
| VMRay.Sample.IOC.EmailAddress.IsRecipient | Boolean | Indicates whether this email address was used as a recipient email. |
| VMRay.Sample.IOC.EmailAddress.IsSender | Boolean | Indicates whether this email address was used as a sender email. |
| VMRay.Sample.IOC.EmailAddress.IOCType | String | Type of IOC. |
| VMRay.Sample.IOC.EmailAddress.Subjects | String | Email subjects this email address was used in. |
| VMRay.Sample.IOC.EmailAddress.ThreatNames | String | The threat names of the email address. |
| VMRay.Sample.IOC.EmailAddress.Type | String | Type of email address. |
| VMRay.Sample.IOC.EmailAddress.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.IOC.EmailAddress.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.IOC.Email.AnalysisID | Number | IDs of other analyses that contain the email. |
| VMRay.Sample.IOC.Email.AttachmentTypes | String | MIME types of attachments found in this email. |
| VMRay.Sample.IOC.Email.Classifications | String | The classifications of the email. |
| VMRay.Sample.IOC.Email.Hashes.MD5 | String | MD5 of given email. |
| VMRay.Sample.IOC.Email.Hashes.SSDeep | String | SSDeep of given email. |
| VMRay.Sample.IOC.Email.Hashes.SHA256 | String | SHA256 of given email. |
| VMRay.Sample.IOC.Email.Hashes.SHA1 | String | SHA1 of given email. |
| VMRay.Sample.IOC.Email.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
| VMRay.Sample.IOC.Email.IOCType | String | Type of IOC. |
| VMRay.Sample.IOC.Email.NrAttachments | Number | Number of attachments found in the email. |
| VMRay.Sample.IOC.Email.NrLinks | Number | Number of links found in the email. |
| VMRay.Sample.IOC.Email.Recipients | String | The email recipients. |
| VMRay.Sample.IOC.Email.Sender | String | Sender of the email. |
| VMRay.Sample.IOC.Email.Subject | String | Subject of the email. |
| VMRay.Sample.IOC.Email.ThreatNames | String | The threat names of the email. |
| VMRay.Sample.IOC.Email.Type | String | Type of email. |
| VMRay.Sample.IOC.Email.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.IOC.Email.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.IOC.Filename.AnalysisID | Number | IDs of other analyses that contain the filename. |
| VMRay.Sample.IOC.Filename.Categories | String | The filename categories. |
| VMRay.Sample.IOC.Filename.Classifications | String | The classifications of the filename. |
| VMRay.Sample.IOC.Filename.Filename | String | The filename. |
| VMRay.Sample.IOC.Filename.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
| VMRay.Sample.IOC.Filename.IOCType | String | Type of IOC. |
| VMRay.Sample.IOC.Filename.Operations | String | The filename operations that were performed, e.g., access, create, read, write, and delete. |
| VMRay.Sample.IOC.Filename.ThreatNames | String | The threat names of the filename. |
| VMRay.Sample.IOC.Filename.Type | String | Type of filename. |
| VMRay.Sample.IOC.Filename.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.IOC.Filename.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.IOC.File.AnalysisID | Number | IDs of other analyses that contain the file. |
| VMRay.Sample.IOC.File.Categories | String | The file categories. |
| VMRay.Sample.IOC.File.Classifications | String | The classifications of the file. |
| VMRay.Sample.IOC.File.FileSize | Number | The original size of the file in bytes. |
| VMRay.Sample.IOC.File.Filename | String | Name of the file. |
| VMRay.Sample.IOC.File.Filenames | String | All known names of the file. |
| VMRay.Sample.IOC.File.Hashes.MD5 | String | MD5 hash of the file. |
| VMRay.Sample.IOC.File.Hashes.SSDeep | String | SSDeep hash of the file. |
| VMRay.Sample.IOC.File.Hashes.SHA256 | String | SHA256 hash of the file. |
| VMRay.Sample.IOC.File.Hashes.SHA1 | String | SHA1 hash of the file. |
| VMRay.Sample.IOC.File.ID | Number | ID of the file. (deprecated; is always 0) |
| VMRay.Sample.IOC.File.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
| VMRay.Sample.IOC.File.IOCType | String | Type of IOC. |
| VMRay.Sample.IOC.File.MIMEType | String | The MIME type of the file. |
| VMRay.Sample.IOC.File.Name | String | Same as Filename. |
| VMRay.Sample.IOC.File.NormFilename | String | Normalized name of the file. |
| VMRay.Sample.IOC.File.Operation | String | Same as Operations, left in for backwards compatibility. |
| VMRay.Sample.IOC.File.Operations | String | The file operations which were performed, e.g., access, create, read, write, and delete. |
| VMRay.Sample.IOC.File.ParentFiles | String | Files where this file was contained in. |
| VMRay.Sample.IOC.File.ParentProcesses | String | Full commandline of processes where the file was referenced. |
| VMRay.Sample.IOC.File.ParentProcessesNames | String | Names of processes where the file was referenced. |
| VMRay.Sample.IOC.File.ResourceURL | String | URL of where the file was downloaded. |
| VMRay.Sample.IOC.File.ThreatNames | String | The threat names of the file. |
| VMRay.Sample.IOC.File.Type | String | Type of file. |
| VMRay.Sample.IOC.File.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.IOC.File.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.IOC.IP.AnalysisID | Number | IDs of other analyses that contain the IP address. |
| VMRay.Sample.IOC.IP.Countries | String | Countries associated with the IP address. |
| VMRay.Sample.IOC.IP.CountryCodes | String | ISO 3166-1 two-letter country codes associated with the IP address. |
| VMRay.Sample.IOC.IP.Domains | String | Domains associated with the IP address. |
| VMRay.Sample.IOC.IP.IP | String | The IP address. |
| VMRay.Sample.IOC.IP.ID | Number | ID of the IP address. (deprecated; is always 0) |
| VMRay.Sample.IOC.IP.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
| VMRay.Sample.IOC.IP.IOCType | String | Type of IOC. |
| VMRay.Sample.IOC.IP.Operation | String | Deprecated, always empty. |
| VMRay.Sample.IOC.IP.ParentProcesses | String | Full commandline of processes where the IP address was referenced. |
| VMRay.Sample.IOC.IP.ParentProcessesNames | String | Names of processes where the IP address was referenced. |
| VMRay.Sample.IOC.IP.Protocols | String | Protocols used in communication with this IP. |
| VMRay.Sample.IOC.IP.Sources | String | The sources where the IP address was obtained from. |
| VMRay.Sample.IOC.IP.Type | String | Type of IP address. |
| VMRay.Sample.IOC.IP.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.IOC.IP.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.IOC.Mutex.AnalysisID | Number | IDs of other analyses that contain the mutex. |
| VMRay.Sample.IOC.Mutex.Classifications | String | The mutex classifications. |
| VMRay.Sample.IOC.Mutex.ID | Number | ID of the mutex. (deprecated; is always 0) |
| VMRay.Sample.IOC.Mutex.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
| VMRay.Sample.IOC.Mutex.IOCType | String | Type of IOC. |
| VMRay.Sample.IOC.Mutex.Name | String | Name of the mutex. |
| VMRay.Sample.IOC.Mutex.Operation | String | Same as Operations, left in for backwards compatibility. |
| VMRay.Sample.IOC.Mutex.Operation | String | The mutex operations that were performed, e.g., access, create, read, write, and delete. |
| VMRay.Sample.IOC.Mutex.ParentProcesses | String | Full commandline of processes where the mutex was used. |
| VMRay.Sample.IOC.Mutex.ParentProcessesNames | unknown | Names of processes where the mutex was used. |
| VMRay.Sample.IOC.Mutex.ThreatNames | String | The threat names of the mutex. |
| VMRay.Sample.IOC.Mutex.Type | String | Type of mutex. |
| VMRay.Sample.IOC.Mutex.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.IOC.Mutex.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.IOC.Process.AnalysisID | Number | IDs of other analyses that contain the process. |
| VMRay.Sample.IOC.Process.Classifications | String | The process classifications. |
| VMRay.Sample.IOC.Process.CmdLine | String | Command line of the process. |
| VMRay.Sample.IOC.Process.ImageNames | String | Names of the process executable. |
| VMRay.Sample.IOC.Process.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
| VMRay.Sample.IOC.Process.IOCType | String | Type of IOC. |
| VMRay.Sample.IOC.Process.ParentProcesses | String | Full commandline of parent processes. |
| VMRay.Sample.IOC.Process.ParentProcessesNames | String | Names of parent processes. |
| VMRay.Sample.IOC.Process.ProcessNames | String | Names of the processes. |
| VMRay.Sample.IOC.Process.ThreatNames | String | The threat names of the process. |
| VMRay.Sample.IOC.Process.Type | String | Type of process. |
| VMRay.Sample.IOC.Process.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.IOC.Process.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.IOC.Registry.AnalysisID | Number | IDs of other analyses that contain the registry key. |
| VMRay.Sample.IOC.Registry.Classifications | String | The registry key classifications. |
| VMRay.Sample.IOC.Registry.ID | Number | ID of the registry key. (deprecated; is always 0) |
| VMRay.Sample.IOC.Registry.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
| VMRay.Sample.IOC.Registry.IOCType | String | Type of IOC. |
| VMRay.Sample.IOC.Registry.Name | String | The normalized registry key name. |
| VMRay.Sample.IOC.Registry.Operation | String | Same as Operations, left in for backwards compatibility. |
| VMRay.Sample.IOC.Registry.Operation | String | The registry operations that were performed, e.g., access, create, read, write, and delete. |
| VMRay.Sample.IOC.Registry.ParentProcesses | String | Full commandline of processes where the registry key was referenced. |
| VMRay.Sample.IOC.Registry.ParentProcessesNames | String | Names of processes where the registry key was referenced. |
| VMRay.Sample.IOC.Registry.ThreatNames | String | The threat names of the registry key. |
| VMRay.Sample.IOC.Registry.Type | String | Type of registry key. |
| VMRay.Sample.IOC.Registry.ValueTypes | String | The registry key value type. |
| VMRay.Sample.IOC.Registry.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.IOC.Registry.VerdictReason | String | Description of the Verdict Reason. |
| VMRay.Sample.IOC.URL.AnalysisID | Number | IDs of other analyses that contain the given URL. |
| VMRay.Sample.IOC.URL.Categories | String | The URL categories. |
| VMRay.Sample.IOC.URL.ContentTypes | String | Content types associated with the URL. |
| VMRay.Sample.IOC.URL.Countries | String | Countries associated with the URL. |
| VMRay.Sample.IOC.URL.CountryCodes | String | ISO 3166-1 two-letter country codes associated with the URL. |
| VMRay.Sample.IOC.URL.ID | Number | ID of the URL. (deprecated; is always 0) |
| VMRay.Sample.IOC.URL.IPAddresses | String | IP addresses associated with the URL. |
| VMRay.Sample.IOC.URL.Methods | String | Methods of HTTP requests directed at this URL. |
| VMRay.Sample.IOC.URL.Operation | String | Deprecated, always empty. |
| VMRay.Sample.IOC.URL.OriginalURLs | String | The origin URLs the malware used in the artifact operation. |
| VMRay.Sample.IOC.URL.ParentFiles | String | Names of files where the URL was referenced. |
| VMRay.Sample.IOC.URL.ParentProcesses | String | Full commandline of processes where the URL was referenced. |
| VMRay.Sample.IOC.URL.ParentProcessesNames | String | Names of processes where the URL was referenced. |
| VMRay.Sample.IOC.URL.Referrers | String | Other URLs that referred to this URL. |
| VMRay.Sample.IOC.URL.Source | String | The sources where the URL was obtained from. |
| VMRay.Sample.IOC.URL.Type | String | Type of the URL. |
| VMRay.Sample.IOC.URL.URL | String | The URL. |
| VMRay.Sample.IOC.URL.UserAgents | String | User agents used to connect to this URL. |
| VMRay.Sample.IOC.URL.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
| VMRay.Sample.IOC.URL.VerdictReason | String | Description of the Verdict Reason. |
Command Example#
Context Example#
Omitted for brevity.
Human Readable Output#
Omitted for brevity.
vmray-get-job-by-id#
Retrieves a job by job ID.
Base Command#
vmray-get-job-by-id
Input#
| Argument Name | Description | Required |
|---|---|---|
| job_id | ID of a job. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| VMRay.Job.JobID | Number | ID of the job. |
| VMRay.Job.SampleID | Number | Sample ID of the job. |
| VMRay.Job.SubmissionID | Number | ID of the submission. |
| VMRay.Job.MD5 | String | MD5 hash of the sample in the job. |
| VMRay.Job.SHA1 | String | SHA1 hash of the sample in the job. |
| VMRay.Job.SHA256 | String | SHA256 hash of the sample in the job. |
| VMRay.Job.SSDeep | String | ssdeep hash of the sample in the job. |
| VMRay.Job.VMName | String | Name of the virtual machine. |
| VMRay.Job.VMID | Number | ID of the virtual machine. |
| VMRay.Job.Status | String | Status of the job. |
Command Example#
Context Example#
Human Readable Output#
Job results for job id: 365547
| Attribute | Value |
|---|---|
| JobID | 365547 |
| SampleID | 3902238 |
| VMName | win7_32_sp1 |
| VMID | 3 |
vmray-get-summary#
Retrieves the Summary JSON v2 for a specific analysis.
Base Command#
vmray-get-summary
Input#
| Argument Name | Description | Required |
|---|---|---|
| analysis_id | ID of the analysis from which to retrieve the Summary JSON v2 from (analysis ID is returned e.g. from vmray-get-analysis-by-sample). | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | Filename |
| InfoFile.EntryID | string | The EntryID of the Summary JSON v2 |
| InfoFile.Size | number | The file size of the Summary JSON v2 |
| InfoFile.Info | string | MIME type of the Summary JSON v2 |