FireEye Detection On Demand
This connector submits files for malware analysis, searches hash values for past analysis results, and gets full reports for your file submissions.

## Prerequisites

Get the API key from FireEye and add it to the asset in order to connect with the service.

## Capabilities

This connector provides the following capabilities:

- Upload Files to Detection on Demand
- Get Single Report by Connector and File ID
- Get Single Report
- Get Single Report by MD5 or SHA256

## Action Limitations

For the Upload File action, your file must be less than 20 MB. Files greater than 20 MB will receive a playbook error.

## Configurations

### API Key Authentication

Authenticates using an API key.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| FEYE Auth Key | Auth key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Get Single Report

This action fetches the results of a single file submission, known as a report.

- Endpoint URL: `/reports/{{report_id}}`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| report_id | string | required | The report ID returned after successfully submitting a file |
| extended | boolean | optional | Setting extended to true will allow you to see all malware engine reports |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| report_id | string | Unique identifier |
| overall_status | string | Status value |
| is_malicious | boolean | Output field is_malicious |
| started_at | string | Output field started_at |
| completed_at | string | Output field completed_at |
| duration | number | Output field duration |
| file_name | string | Name of the resource |
| file_size | number | Output field file_size |
| file_extension | string | Output field file_extension |
| name | string | Name of the resource |
| type | string | Type of the resource |
| size | number | Output field size |
| md5 | string | Output field md5 |
| sha256 | string | Output field sha256 |
| sha1 | string | Output field sha1 |
| magic | string | Output field magic |
| extracted_objects | array | Output field extracted_objects |
| submission_uuid | string | Unique identifier |
| object_uuid | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| complete_time | string | Time value |
| analyses_start_time | string | Time value |
| verdict | string | Output field verdict |
| md5 | string | Output field md5 |

#### Example

```json
[
  {
    "report_id": "4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe",
    "overall_status": "done",
    "is_malicious": true,
    "started_at": "2020-07-06 18:15:13",
    "completed_at": "2020-07-06 18:17:54",
    "duration": 161,
    "file_name": "payment_2019.exe",
    "file_size": 17920,
    "file_extension": "exe",
    "name": "payment_2019.exe",
    "type": "exe",
    "size": 17920,
    "md5": "968a89bf69338b6e0332a9d5d300cd5a",
    "sha256": "105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b",
    "sha1": "a68621e31c08a4fff8d4c4a49364b386acd769fa"
  }
]
```

### Get Single Report by Connector and File ID

Get a single report by connector and file ID. This action is used as an alternate way to find a report that was submitted by a configured connector, like Box or Microsoft Teams.

- Endpoint URL: `/reports/search`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| extended | boolean | optional | Parameter for Get Single Report by Connector and File ID |
| connector_type | string | required | Type of the resource |
| file_id | string | required | Unique identifier |

#### Output

The output parameters are identical to those of Get Single Report above (report_id, overall_status, is_malicious, started_at, completed_at, duration, file_name, file_size, file_extension, name, type, size, md5, sha256, sha1, magic, extracted_objects, submission_uuid, object_uuid, name, type, complete_time, analyses_start_time, verdict, md5).

#### Example

```json
[
  {
    "report_id": "4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe",
    "overall_status": "done",
    "is_malicious": true,
    "started_at": "2020-07-06 18:15:13",
    "completed_at": "2020-07-06 18:17:54",
    "duration": 161,
    "file_name": "payment_2019.exe",
    "file_size": 17920,
    "file_extension": "exe",
    "name": "payment_2019.exe",
    "type": "exe",
    "size": 17920,
    "md5": "968a89bf69338b6e0332a9d5d300cd5a",
    "sha256": "105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b",
    "sha1": "a68621e31c08a4fff8d4c4a49364b386acd769fa"
  }
]
```

### Get Single Report by Hash

Get a single report by MD5 or SHA256 hash. This action fetches the latest results for a file submission with the provided MD5 or SHA256 hash.

- Endpoint URL: `/reports/{{hash}}`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| hash | string | required | MD5 or SHA256 hash of a submitted file |
| extended | boolean | optional | Setting extended to true will allow you to see all malware engine reports |

#### Output

The output parameters are identical to those of Get Single Report above (report_id, overall_status, is_malicious, started_at, completed_at, duration, file_name, file_size, file_extension, name, type, size, md5, sha256, sha1, magic, extracted_objects, submission_uuid, object_uuid, name, type, complete_time, analyses_start_time, verdict, md5).

#### Example

```json
[
  {
    "report_id": "1737d302-600e-431c-96eb-9c688ee0af98",
    "overall_status": "done",
    "is_malicious": true,
    "started_at": "2020-07-06 18:15:13",
    "completed_at": "2020-07-06 18:17:54",
    "duration": 161,
    "file_name": "payment_2019.exe",
    "file_size": 17920,
    "file_extension": "exe",
    "name": "payment_2019.exe",
    "type": "exe",
    "size": 17920,
    "md5": "a32a382b8a5a906e03a83b4f3e5b7a9b",
    "sha256": "105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b",
    "sha1": "a68621e31c08a4fff8d4c4a49364b386acd769fa"
  }
]
```

### Upload Files

Upload files to Detection on Demand. This action submits a binary file for analysis.

- Endpoint URL: `/files`
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| form_data | object | optional | Response data |
| file | object | required | This is the binary file that you want to submit for malware analysis |
| file | string | required | Parameter for Upload Files |
| file_name | string | required | Name of the resource |
| file_name | string | optional | Custom name for the submitted file to be used in the report |
| password | string | optional | Password to be used by the detection engine to decrypt a password-protected file |
| param | string | optional | Command line parameter(s) to be used by the detection engine when running the file; mainly applicable to EXE files. For example, setting param to `start -h localhost -p 5555` will make the detection engine run a file named `malicious.exe` as `malicious.exe start -h localhost -p 5555` |
| screenshot | boolean | optional | Extract a screenshot of screen activity during dynamic analysis if true, which can later be downloaded with the artifacts API |
| video | boolean | optional | Extract video activity during dynamic analysis if true, which can later be downloaded with the artifacts API |
| file_extraction | boolean | optional | Extract dropped files from the VM during dynamic analysis if true, which can later be downloaded with the artifacts API |
| memory_dump | boolean | optional | Extract memory dump files from the VM during dynamic analysis if true, which can later be downloaded with the artifacts API |
| pcap | boolean | optional | Extract PCAP files from the VM during dynamic analysis if true, which can later be downloaded with the artifacts API |
| analysis_mode | string | optional | Analysis mode for submission (sandbox or live) |
| profiles | string | optional | Profiles to be used for dynamic analysis, e.g. `["win7x64-sp1m", "win7-sp1m"]` |
| force_analyze | boolean | optional | Force submission for this file even if it is found to be a duplicate |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status | string | Status value |
| report_id | string | Unique identifier |
| md5 | string | Output field md5 |

#### Example

```json
[
  {
    "status": "success",
    "report_id": "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6",
    "md5": "4ba739fd8c216809e485e7972597c995"
  }
]
```

## Notes

For more information, see https://fireeye.dev/apis/detection-on-demand/
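The helpers below are an added example, not the connector's own code: they build the request URLs for the report actions above, reject a hash the `/reports/{{hash}}` action cannot search, enforce the 20 MB Upload Files limit before a playbook error can occur, and reduce a report to the fields a playbook branches on. The `feye-auth-key` header name and `extended=true` query form are assumptions.

```python
import hashlib
import re

# Upload Files requires a file smaller than 20 MB; larger files produce a playbook error.
MAX_UPLOAD_BYTES = 20 * 1024 * 1024
# /reports/{{hash}} takes an MD5 (32 hex) or SHA256 (64 hex); a 40-hex SHA1 is not accepted.
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")


def auth_headers(api_key):
    # Assumption: the "FEYE Auth Key" setting is sent as the feye-auth-key header.
    return {"feye-auth-key": api_key, "Accept": "application/json"}


def report_url(base_url, report_id, extended=False):
    """GET URL for /reports/{{report_id}}; extended=true returns every engine's report."""
    url = f"{base_url.rstrip('/')}/reports/{report_id}"
    return url + "?extended=true" if extended else url


def hash_report_url(base_url, file_hash, extended=False):
    """GET URL for /reports/{{hash}}, failing early instead of on a confusing lookup miss."""
    digest = file_hash.strip().lower()
    if not _HASH_RE.match(digest):
        raise ValueError("hash must be a 32-hex MD5 or 64-hex SHA256 digest")
    return report_url(base_url, digest, extended)


def prepare_upload(data):
    """Apply the 20 MB limit client-side and return the MD5 of the bytes being sent.
    Comparing it with the md5 in the Upload Files response confirms the service
    analysed exactly the file the playbook submitted."""
    if len(data) >= MAX_UPLOAD_BYTES:
        raise ValueError(f"{len(data)} bytes: Upload Files needs a file smaller than 20 MB")
    return hashlib.md5(data).hexdigest()


def summarize_report(report):
    """Reduce a report (shape of the page's example) to a playbook decision.
    is_malicious is only treated as final once overall_status is "done"."""
    done = report.get("overall_status") == "done"
    return {"report_id": report["report_id"], "done": done,
            "malicious": done and bool(report.get("is_malicious")),
            "sha256": report.get("sha256"), "file_name": report.get("file_name")}


# Constructed input: the Get Single Report example from this page, trimmed to the fields used.
SAMPLE_REPORT = {
    "report_id": "4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe", "overall_status": "done",
    "is_malicious": True, "file_name": "payment_2019.exe",
    "sha256": "105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b",
}
```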