# FireEye Detection On Demand

FireEye Detection On Demand is a cloud-based threat detection service that provides advanced malware analysis capabilities. This connector allows Swimlane Turbine users to automate the submission and retrieval of file analysis reports, enhancing threat detection and response workflows. By integrating with FireEye Detection On Demand, users can efficiently manage malware analysis tasks, retrieve detailed reports using various identifiers, and upload files for comprehensive threat assessment. This integration empowers security teams to streamline their operations, reduce manual effort, and improve response times to potential threats.

## Prerequisites

Before you can use the FireEye Detection On Demand connector for Turbine, you'll need access to the FireEye API. This requires the following:

- An API key
- Authentication using the following parameters:
  - URL: the endpoint URL for accessing FireEye Detection On Demand services
  - FireEye auth key: a unique key provided by FireEye for authenticating API requests

## Capabilities

This connector provides the following capabilities:

- Upload files to Detection On Demand
- Get single report by connector and file ID
- Get single report
- Get single report by MD5 or SHA256

## Action limitations

For the Upload Files action, your file must be less than 20 MB. Files greater than 20 MB will receive a playbook error.

## Notes

For more information: https://fireeye.dev/apis/detection-on-demand/

## Additional documentation

- https://docs.swimlane.com/connectors/fireeye-detection-on-demand
- https://fireeye.dev/apis/detection-on-demand/

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| feye_auth_key | Auth key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Single Report

Retrieve the results of a single file submission report in FireEye Detection On Demand using the report ID as a path parameter.

- Endpoint URL: `/reports/{{report_id}}`
- Method: GET

Input:

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| path_parameters | report_id | string | required | The report ID returned after successfully submitting a file |
| parameters | extended | boolean | optional | Setting `extended` to true will allow you to see all malware engine reports |

Input example:

```json
{"parameters": {"extended": true}, "path_parameters": {"report_id": "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6"}}
```

Output (the same fields are returned by all three report actions):

| Parameter | Type | Description |
| --- | --- | --- |
| report_id | string | Unique identifier |
| overall_status | string | Status value |
| is_malicious | boolean | Whether the file was found malicious |
| started_at | string | Analysis start time |
| completed_at | string | Analysis completion time |
| duration | number | Analysis duration |
| file_name | string | Name of the resource |
| file_size | number | File size |
| file_extension | string | File extension |
| name | string | Name of the resource |
| type | string | Type of the resource |
| size | number | Size |
| md5 | string | MD5 hash |
| sha256 | string | SHA256 hash |
| sha1 | string | SHA1 hash |
| magic | string | File magic |
| extracted_objects | array | Extracted objects |
| extracted_objects.submission_uuid | string | Unique identifier |
| extracted_objects.object_uuid | string | Unique identifier |
| extracted_objects.name | string | Name of the resource |
| extracted_objects.type | string | Type of the resource |
| extracted_objects.complete_time | string | Time value |
| extracted_objects.analyses_start_time | string | Time value |
| extracted_objects.verdict | string | Verdict for the extracted object |
| extracted_objects.md5 | string | MD5 hash of the extracted object |

Output example:

```json
{"report_id": "4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe", "overall_status": "done", "is_malicious": true, "started_at": "2020-07-06 18:15:13", "completed_at": "2020-07-06 18:17:54", "duration": 161, "file_name": "payment_2019.exe", "file_size": 17920, "file_extension": "exe", "name": "payment_2019.exe", "type": "exe", "size": 17920, "md5": "968a89bf69338b6e0332a9d5d300cd5a", "sha256": "105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b", "sha1": "a68621e31c08a4fff8d4c4a49364b386acd769fa"}
```

### Get Single Report by Connector and File ID

Retrieve a single report from FireEye Detection On Demand using the connector type and file ID. This is an alternative method to locate reports submitted via configured connectors like Box or Microsoft Teams.

- Endpoint URL: `/reports/search`
- Method: GET

Input:

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| parameters | extended | boolean | optional | Setting `extended` to true will allow you to see all malware engine reports |
| parameters | connector_type | string | required | Type of the connector through which the file was submitted |
| parameters | file_id | string | required | The file ID assigned by that connector |

Input example:

```json
{"parameters": {"extended": true, "connector_type": "box", "file_id": "12345678"}}
```

Output: the same fields and output example as Get Single Report above.

### Get Single Report by Hash

Retrieve the latest report for a file submission using its MD5 or SHA256 hash in FireEye Detection On Demand.

- Endpoint URL: `/reports/{{hash}}`
- Method: GET

Input:

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| path_parameters | hash | string | required | MD5 or SHA256 hash of a submitted file |
| parameters | extended | boolean | optional | Setting `extended` to true will allow you to see all malware engine reports |

Input example:

```json
{"parameters": {"extended": true}, "path_parameters": {"hash": "a32a382b8a5a906e03a83b4f3e5b7a9b"}}
```

Output: the same fields as Get Single Report above.

Output example:

```json
{"report_id": "1737d302-600e-431c-96eb-9c688ee0af98", "overall_status": "done", "is_malicious": true, "started_at": "2020-07-06 18:15:13", "completed_at": "2020-07-06 18:17:54", "duration": 161, "file_name": "payment_2019.exe", "file_size": 17920, "file_extension": "exe", "name": "payment_2019.exe", "type": "exe", "size": 17920, "md5": "a32a382b8a5a906e03a83b4f3e5b7a9b", "sha256": "105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b", "sha1": "a68621e31c08a4fff8d4c4a49364b386acd769fa"}
```

### Upload Files

Upload files to FireEye Detection On Demand for analysis. This action requires a binary file in the form body.

- Endpoint URL: `/files`
- Method: POST

Input:

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| form_data | | object | optional | Response data |
| form_data | file | object | required | This is the binary file that you want to submit for malware analysis |
| form_data.file | file | string | required | Response data |
| form_data.file | file_name | string | required | Response data |
| form_data | file_name | string | optional | Custom name for the submitted file to be used in the report |
| form_data | password | string | optional | Password to be used by the detection engine to decrypt a password-protected file |
| form_data | param | string | optional | Command-line parameter(s) to be used by the detection engine when running the file; mainly applicable to .exe files. For example, setting `param` to `start -h localhost -p 5555` will make the detection engine run a file named `malicious.exe` as `malicious.exe start -h localhost -p 5555` |
| form_data | screenshot | boolean | optional | Extract a screenshot of screen activity during dynamic analysis if true, which can later be downloaded with the Artifacts API |
| form_data | video | boolean | optional | Extract video of activity during dynamic analysis if true, which can later be downloaded with the Artifacts API |
| form_data | file_extraction | boolean | optional | Extract dropped files from the VM during dynamic analysis if true, which can later be downloaded with the Artifacts API |
| form_data | memory_dump | boolean | optional | Extract memory dump files from the VM during dynamic analysis if true, which can later be downloaded with the Artifacts API |
| form_data | pcap | boolean | optional | Extract PCAP files from the VM during dynamic analysis if true, which can later be downloaded with the Artifacts API |
| form_data | analysis_mode | string | optional | Analysis mode for submission (sandbox or live) |
| form_data | profiles | string | optional | Profiles to be used for dynamic analysis: `["win7x64-sp1m", "win7-sp1m"]` |
| form_data | force_analyze | boolean | optional | Force submission of this file even if it is found to be a duplicate |

Input example:

```json
{"form_data": {"file": [{"file": "", "file_name": "sample.txt"}], "password": "sample123", "param": "start -h localhost -p 5555", "screenshot": true, "video": true, "file_extraction": true, "memory_dump": true, "pcap": true, "analysis_mode": "sandbox", "profiles": "win7x64-sp1m", "force_analyze": true}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status | string | Status value |
| report_id | string | Unique identifier |
| md5 | string | MD5 hash of the submitted file |

Output example:

```json
{"status": "success", "report_id": "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6", "md5": "4ba739fd8c216809e485e7972597c995"}
```

Response headers:

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
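The submit-then-retrieve flow across the actions above (upload under the 20 MB limit, then look a report up by report ID, hash, or connector and file ID, and act on it only once `overall_status` is `done`), as an added example that is not Swimlane's or FireEye's code. It assumes the endpoint paths listed on this page and a `feye-auth-key` request header; `base_url` and `auth_key` are placeholders, and the functions only build the request descriptions so they run offline.

```python
import hashlib

# Added example, not Swimlane's or FireEye's code. Assumes the Detection On Demand
# paths on this page (/files, /reports/{id}, /reports/search) and a feye-auth-key
# header; base_url and auth_key are placeholders supplied by the caller.
MAX_UPLOAD_BYTES = 20 * 1024 * 1024  # the Upload Files action's 20 MB limit


def build_upload_request(base_url, auth_key, file_bytes, file_name, **form_options):
    """Describe the multipart POST /files call; reject oversize samples early."""
    if len(file_bytes) > MAX_UPLOAD_BYTES:  # the connector would raise a playbook error
        raise ValueError(f"{file_name}: {len(file_bytes)} bytes exceeds the 20 MB limit")
    form = {"file_name": file_name}  # optional fields: password, param, profiles, ...
    form.update({k: v for k, v in form_options.items() if v is not None})
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/files",
        "headers": {"feye-auth-key": auth_key},
        "files": {"file": (file_name, file_bytes)},
        "data": form,
        "expected_md5": hashlib.md5(file_bytes).hexdigest(),  # check against response md5
    }

def build_report_request(base_url, auth_key, *, report_id=None, file_hash=None,
                         connector_type=None, file_id=None, extended=False):
    """Choose the GET endpoint matching whichever identifier the playbook holds."""
    params = {"extended": "true"} if extended else {}
    if report_id:
        path = f"/reports/{report_id}"
    elif file_hash:  # only MD5 (32 hex) or SHA256 (64 hex) digests are accepted
        if len(file_hash) not in (32, 64) or not all(c in "0123456789abcdef" for c in file_hash.lower()):
            raise ValueError("hash must be an MD5 or SHA256 hex digest")
        path = f"/reports/{file_hash.lower()}"
    elif connector_type and file_id:
        path = "/reports/search"
        params.update({"connector_type": connector_type, "file_id": file_id})
    else:
        raise ValueError("need report_id, file_hash, or connector_type + file_id")
    return {"method": "GET", "url": base_url.rstrip("/") + path,
            "headers": {"feye-auth-key": auth_key}, "params": params}

def summarize_report(report):
    """Reduce a report body to what a playbook branch needs; trust is_malicious only once done."""
    done = report.get("overall_status") == "done"
    return {
        "done": done,
        "malicious": bool(report.get("is_malicious")) if done else None,
        "sha256": report.get("sha256"),
        "extracted": {o.get("name"): o.get("verdict") for o in report.get("extracted_objects") or []},
    }
```

Pass the returned dicts to your HTTP client of choice (for example `requests.request(**{k: v for k, v in r.items() if k != "expected_md5"})`) and compare `expected_md5` with the `md5` in the upload response before storing the `report_id` for the later lookup.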