# FireEye Detection On Demand
This connector submits files for malware analysis, searches hash values for past analysis results, and gets full reports for your file submissions.

## Prerequisites

Get the API key from FireEye and add it to the asset in order to connect with the service.

## Capabilities

This connector provides the following capabilities:

- Upload Files to Detection On Demand
- Get Single Report by Connector and File ID
- Get Single Report
- Get Single Report by MD5 or SHA256

## Action Limitations

For the Upload Files action, your file must be less than 20 MB. Files greater than 20 MB will receive a playbook error.

## Notes

For more information: https://fireeye.dev/apis/detection-on-demand/

## Configurations

### API Key Authentication

Authenticates using an API key.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| feye-auth-key | Auth key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Single Report

This action fetches the results of a single file submission, known as a report.

Endpoint URL: `/reports/{{report_id}}`
Method: GET

#### Input

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| path_parameters | report_id | string | required | The report ID returned after successfully submitting a file |
| parameters | extended | boolean | optional | Setting extended to true will allow you to see all malware engine reports |

Input example:

```json
{"parameters": {"extended": true}, "path_parameters": {"report_id": "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| report_id | string | Unique identifier |
| overall_status | string | Status value |
| is_malicious | boolean | Output field is_malicious |
| started_at | string | Output field started_at |
| completed_at | string | Output field completed_at |
| duration | number | Output field duration |
| file_name | string | Name of the resource |
| file_size | number | Output field file_size |
| file_extension | string | Output field file_extension |
| name | string | Name of the resource |
| type | string | Type of the resource |
| size | number | Output field size |
| md5 | string | Output field md5 |
| sha256 | string | Output field sha256 |
| sha1 | string | Output field sha1 |
| magic | string | Output field magic |
| extracted_objects | array | Output field extracted_objects |
| extracted_objects.submission_uuid | string | Unique identifier |
| extracted_objects.object_uuid | string | Unique identifier |
| extracted_objects.name | string | Name of the resource |
| extracted_objects.type | string | Type of the resource |
| extracted_objects.complete_time | string | Time value |
| extracted_objects.analyses_start_time | string | Time value |
| extracted_objects.verdict | string | Output field extracted_objects.verdict |
| extracted_objects.md5 | string | Output field extracted_objects.md5 |

Output example:

```json
{"report_id": "4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe", "overall_status": "done", "is_malicious": true, "started_at": "2020-07-06 18:15:13", "completed_at": "2020-07-06 18:17:54", "duration": 161, "file_name": "payment_2019.exe", "file_size": 17920, "file_extension": "exe", "name": "payment_2019.exe", "type": "exe", "size": 17920, "md5": "968a89bf69338b6e0332a9d5d300cd5a", "sha256": "105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b", "sha1": "a68621e31c08a4fff8d4c4a49364b386acd769fa"}
```

### Get Single Report by Connector and File ID

This action is used as an alternate way to find a report that was submitted by a configured connector, like Box or Microsoft Teams.

Endpoint URL: `/reports/search`
Method: GET

#### Input

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| parameters | extended | boolean | optional | Parameters for the Get Single Report by Connector and File ID action |
| parameters | connector_type | string | required | Parameters for the Get Single Report by Connector and File ID action |
| parameters | file_id | string | required | Parameters for the Get Single Report by Connector and File ID action |

Input example:

```json
{"parameters": {"extended": true, "connector_type": "box", "file_id": "12345678"}}
```

#### Output

The output fields are the same as for Get Single Report (see the table above).

Output example:

```json
{"report_id": "4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe", "overall_status": "done", "is_malicious": true, "started_at": "2020-07-06 18:15:13", "completed_at": "2020-07-06 18:17:54", "duration": 161, "file_name": "payment_2019.exe", "file_size": 17920, "file_extension": "exe", "name": "payment_2019.exe", "type": "exe", "size": 17920, "md5": "968a89bf69338b6e0332a9d5d300cd5a", "sha256": "105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b", "sha1": "a68621e31c08a4fff8d4c4a49364b386acd769fa"}
```

### Get Single Report by Hash

Get a single report by MD5 or SHA256 hash. This action fetches the latest results for a file submission with the provided MD5 or SHA256 hash.

Endpoint URL: `/reports/{{hash}}`
Method: GET

#### Input

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| path_parameters | hash | string | required | MD5 or SHA256 hash of a submitted file |
| parameters | extended | boolean | optional | Setting extended to true will allow you to see all malware engine reports |

Input example:

```json
{"parameters": {"extended": true}, "path_parameters": {"hash": "a32a382b8a5a906e03a83b4f3e5b7a9b"}}
```

#### Output

The output fields are the same as for Get Single Report (see the table above).

Output example:

```json
{"report_id": "1737d302-600e-431c-96eb-9c688ee0af98", "overall_status": "done", "is_malicious": true, "started_at": "2020-07-06 18:15:13", "completed_at": "2020-07-06 18:17:54", "duration": 161, "file_name": "payment_2019.exe", "file_size": 17920, "file_extension": "exe", "name": "payment_2019.exe", "type": "exe", "size": 17920, "md5": "a32a382b8a5a906e03a83b4f3e5b7a9b", "sha256": "105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b", "sha1": "a68621e31c08a4fff8d4c4a49364b386acd769fa"}
```

### Upload Files

Upload files to Detection On Demand. This action submits a binary file for analysis.

Endpoint URL: `/files`
Method: POST

#### Input

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| form_data | | object | optional | Response data |
| form_data | file | object | required | This is the binary file that you want to submit for malware analysis |
| form_data.file | file | string | required | Response data |
| form_data.file | file_name | string | required | Response data |
| form_data | file_name | string | optional | Custom name for the submitted file to be used in the report |
| form_data | password | string | optional | Password to be used by the detection engine to decrypt a password-protected file |
| form_data | param | string | optional | Command line parameter(s) to be used by the detection engine when running the file; mainly applicable to EXE files. For example, setting param to "start -h localhost -p 5555" will make the detection engine run a file named "malicious.exe" as "malicious.exe start -h localhost -p 5555" |
| form_data | screenshot | boolean | optional | Extract screenshot of screen activity during dynamic analysis if true, which later can be downloaded with the artifacts API |
| form_data | video | boolean | optional | Extract video activity during dynamic analysis if true, which later can be downloaded with the artifacts API |
| form_data | file_extraction | boolean | optional | Extract dropped files from the VM during dynamic analysis if true, which later can be downloaded with the artifacts API |
| form_data | memory_dump | boolean | optional | Extract memory dump files from the VM during dynamic analysis if true, which later can be downloaded with the artifacts API |
| form_data | pcap | boolean | optional | Extract PCAP files from the VM during dynamic analysis if true, which later can be downloaded with the artifacts API |
| form_data | analysis_mode | string | optional | Analysis mode for submission (sandbox or live) |
| form_data | profiles | string | optional | Profiles to be used for dynamic analysis, e.g. ["win7x64-sp1m", "win7-sp1m"] |
| form_data | force_analyze | boolean | optional | Force submission for this file even if found as duplicate |

Input example:

```json
{"form_data": {"file": [{"file": "", "file_name": "sample.txt"}], "password": "sample123", "param": "start -h localhost -p 5555", "screenshot": true, "video": true, "file_extraction": true, "memory_dump": true, "pcap": true, "analysis_mode": "sandbox", "profiles": "win7x64-sp1m", "force_analyze": true}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status | string | Status value |
| report_id | string | Unique identifier |
| md5 | string | Output field md5 |

Output example:

```json
{"status": "success", "report_id": "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6", "md5": "4ba739fd8c216809e485e7972597c995"}
```

#### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
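A small client for the endpoints documented above, added here as an example rather than the connector's own code: it builds the Upload Files and Get Single Report requests, enforces the 20 MB limit locally before anything is sent, and reduces a report body to the verdict a playbook branches on. It assumes the `feye-auth-key` header, a placeholder base URL, and hypothetical helper names; the sample report is constructed from the page's output example.

```python
import json
from urllib.parse import quote

MAX_UPLOAD_BYTES = 20 * 1024 * 1024  # the Upload Files action rejects files over 20 MB


class DoDClient:
    """Builds the HTTP requests the connector's actions issue (hypothetical helper)."""

    def __init__(self, base_url, api_key, verify_ssl=True):
        self.base_url = base_url.rstrip("/")
        # Detection On Demand authenticates every call with the feye-auth-key header
        self.headers = {"feye-auth-key": api_key, "Accept": "application/json"}
        self.verify_ssl = verify_ssl

    def upload_request(self, file_name, data, analysis_mode="sandbox", force_analyze=False):
        """POST /files; refuse oversized files here instead of getting a playbook error later."""
        if len(data) > MAX_UPLOAD_BYTES:
            raise ValueError(f"{file_name}: {len(data)} bytes exceeds the 20 MB upload limit")
        form = {"analysis_mode": analysis_mode, "force_analyze": str(force_analyze).lower()}
        return {"method": "POST", "url": f"{self.base_url}/files", "headers": self.headers,
                "files": {"file": (file_name, data)}, "data": form, "verify": self.verify_ssl}

    def report_request(self, report_id_or_hash, extended=False):
        """GET /reports/{id}; the same path accepts a report id or an MD5/SHA256 hash."""
        return {"method": "GET", "url": f"{self.base_url}/reports/{quote(report_id_or_hash)}",
                "headers": self.headers, "params": {"extended": str(extended).lower()},
                "verify": self.verify_ssl}


def summarize_report(report):
    """Reduce a report body to verdict, hashes and any extracted objects flagged malicious."""
    if report.get("overall_status") != "done":
        return {"verdict": "pending", "report_id": report.get("report_id")}
    flagged = [o["name"] for o in report.get("extracted_objects", [])
               if o.get("verdict", "").lower() == "malicious"]
    return {"verdict": "malicious" if report.get("is_malicious") else "clean",
            "report_id": report["report_id"], "sha256": report.get("sha256"),
            "md5": report.get("md5"), "flagged_objects": flagged}


# Constructed sample, modelled on the Get Single Report output example above
SAMPLE_REPORT = json.loads('''{"report_id": "4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe",
 "overall_status": "done", "is_malicious": true, "file_name": "payment_2019.exe",
 "md5": "968a89bf69338b6e0332a9d5d300cd5a",
 "sha256": "105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b",
 "extracted_objects": [{"name": "dropper.dll", "verdict": "malicious"},
                       {"name": "readme.txt", "verdict": "clean"}]}''')

if __name__ == "__main__":
    client = DoDClient("https://dod.example.invalid", "PLACEHOLDER-API-KEY")  # placeholder host/key
    print(client.report_request(SAMPLE_REPORT["report_id"], extended=True)["url"])
    print(summarize_report(SAMPLE_REPORT))
```

Each returned dict can be passed straight to `requests.request(**req)`; polling `report_request` until `summarize_report` stops returning `pending` mirrors the submit-then-fetch flow of the actions above.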