# Intezer Analyze

Intezer Analyze is a malware analysis and threat intelligence platform built on genetic code analysis: it identifies code reuse in software to trace where a sample's code came from and to detect threats. This connector allows Swimlane Turbine users to automate the submission and analysis of files and hashes, retrieve analysis results, and manage files within Intezer Analyze. Integrating Intezer Analyze with Swimlane Turbine adds automated malware analysis to security operations, enabling faster threat detection and response and improving overall security posture. The connector integrates with Swimlane to perform malware analysis of suspicious files and a variety of automated investigation operations.

## Asset Setup or Prerequisites

Before you can use the Intezer Analyze connector for Turbine, you need access to the Intezer Analyze API. This requires an API key and authentication using the following parameters:

- **URL**: the endpoint URL for accessing Intezer Analyze services
- **API key**: a unique key provided by Intezer for authenticating API requests

## Capabilities

This plugin provides the following capabilities:

- Analyze File
- Analyze By Hash
- Delete File By Hash
- Delete Index By Hash
- Download File
- Generate Vaccine
- Get Alert By ID
- Get Analysis Result
- Get Latest Hash Result
- Get Root Analysis Related Samples
- Get Sub Analysis Related Samples
- Get Sub Analysis IDs
- Get Sub Analyses Metadata
- Index Uploaded File
- Label File
- Post Index Hash
- Search Incidents

## Notes

- More information on the Intezer Analyze API is available at the Intezer Analyze main site: https://analyze.intezer.com/api-docs.html#/
- For more information on Intezer Analyze authentication, see https://analyze.intezer.com/api-docs.html#/operations/app/get-access-token

## Configurations

### Intezer Analyze API Key Authentication

Authenticates using an Intezer Analyze API key.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

Keep `verify_ssl` enabled in production: the API key is sent to the target host to authenticate, and disabling certificate verification lets anyone on the network path (including a misconfigured `http_proxy`) impersonate the host and capture it. Treat the key like a password and keep it out of playbook inputs and logs.

## Actions

### Analyze By Hash

Submit a file's hash to Intezer Analyze for analysis without uploading the actual file. Requires the hash in the JSON body (the schema below marks `hash` optional, but the endpoint does nothing useful without it).

- Endpoint URL: `/api/v2-0/analyze-by-hash`
- Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| hash | string | optional | Hash of the file to analyze |
| file_name | string | optional | Name of the file |
| code_item_type | string | optional | Type of the resource (e.g. `file`) |
| disable_dynamic_execution | boolean | optional | Skip dynamic (sandbox) execution of the sample |
| disable_static_extraction | boolean | optional | Skip static extraction |
| sandbox_command_line_arguments | string | optional | Command-line arguments passed to the sample when it runs in the sandbox |

Input example:

```json
{
  "json_body": {
    "hash": "stringstringstringstringstringst",
    "file_name": "malicious.exe",
    "code_item_type": "file",
    "disable_dynamic_execution": false,
    "disable_static_extraction": false,
    "sandbox_command_line_arguments": "string"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result_url | string | URL endpoint for the request |
| result | object | Result of the operation |

Output example:

```json
{
  "status_code": 201,
  "reason": "Created",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "status": "succeeded",
    "result_url": "string",
    "result": null
  }
}
```

### Analyze File

Submit a file for analysis in Intezer Analyze using the provided attachments.

- Endpoint URL: `/api/v2-0/analyze`
- Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| attachments | object | required | File(s) to submit for analysis |

Input example:

```json
{"attachments": {}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result_url | string | URL endpoint for the request |
| result | object | Result of the operation |

Output example:

```json
{
  "status_code": 201,
  "reason": "Created",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "status": "succeeded",
    "result_url": "string",
    "result": null
  }
}
```

### Delete File By Hash

Delete a private file from Intezer's storage using its hash value.

- Endpoint URL: `/api/v2-0/files/{{hash_value}}`
- Method: `DELETE`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.hash_value | string | required | Hash of the file to delete |

Input example:

```json
{"path_parameters": {"hash_value": "sha256"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result_url | string | URL endpoint for the request |
| result | object | Result of the operation |

Output example:

```json
{
  "status_code": 201,
  "reason": "Created",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "status": "succeeded",
    "result_url": "string",
    "result": null
  }
}
```

### Delete Index By Hash

Delete the private indexing for a file in Intezer Analyze using its SHA-256 hash.

- Endpoint URL: `/api/v2-0/files/{{sha256}}/index`
- Method: `DELETE`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.sha256 | string | required | SHA-256 of the file whose private index entry is deleted |

Input example:

```json
{"path_parameters": {"sha256": "sha256"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result_url | string | URL endpoint for the request |

Output example:

```json
{
  "status_code": 201,
  "reason": "Created",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result_url": "/tasks/5ffa5925-b651-4cca-9e15-92ee84ea4ad3"
  }
}
```

### Download A File

Download a file from Intezer Analyze by its SHA-256 for further investigation. Requires the path parameter `sha256`.

- Endpoint URL: `/api/v2-0/files/{{sha256}}/download`
- Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| headers.accept | string | optional | `Accept` header for the request |
| path_parameters.sha256 | string | required | SHA-256 of the file to download |

Input example:

```json
{
  "headers": {"accept": "application/octet-stream"},
  "path_parameters": {"sha256": ""}
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {}
}
```

The example above shows the connector's generic header template; the body of a successful download is the sample itself, not JSON. Handle the downloaded bytes as live malware: write them to a quarantined location, never open or execute them on an analyst workstation, and pass them only to sandboxed tooling.

### Generate Vaccine

Generate a vaccine for a specific file in Intezer Analyze using the analysis ID as a path parameter.

- Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/root/generate-vaccine`
- Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.analysis_id | string | required | ID of the analysis to generate the vaccine from |
| format | string | optional | Vaccine format (e.g. `yara`) |

Input example:

```json
{
  "json_body": {"format": "yara"},
  "path_parameters": {"analysis_id": ""}
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | string | Result of the operation (the generated rule) |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example (truncated as on the source page):

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result": "rule intezer_vaccine_bf293bda73c5b4c1ec66561ad20d7e2bc6692d051282d35ce8b7b7020c7…",
    "result_url": "/analyses/0833e33b-2dcd-4d48-a853-8b4822675911/sub-analyses/e1aba630-e390-4964-b…",
    "status": "succeeded"
  }
}
```

### Get Alert By ID

Retrieve triage and response information for an ingested alert in Intezer Analyze using its alert ID.

- Endpoint URL: `/api/v2-0/alerts/get-by-id`
- Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| alert_id | string | optional | The unique identifier of the alert to retrieve |

Input example:

```json
{"json_body": {"alert_id": "ed638299999999862495_1864999299"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.alert_id | string | Unique identifier of the alert |
| result.intezer_alert_url | string | URL of the alert in Intezer Analyze |
| result.alert | object | The ingested alert |
| result.alert.alert_id | string | Unique identifier of the alert |
| result.alert.alert_title | string | Alert title |
| result.alert.alert_url | string | URL of the alert in the source product |
| result.alert.creation_time | string | Alert creation time |
| result.alert.creation_time_display | string | Alert creation time, display form |
| result.alert.severity | string | Alert severity |
| result.alert.severity_display | string | Alert severity, display form |
| result.alert.is_mitigated | boolean | Whether the alert has been mitigated |
| result.alert.mitigation_status_display | string | Mitigation status, display form |
| result.alert.device | object | Device the alert was raised on |
| result.alert.device.id | string | Device identifier |
| result.alert.device.hostname | string | Device hostname |
| result.alert.device.os_type | string | Operating system type |
| result.alert.device.os_name | string | Operating system name |
| result.triage_result | object | Intezer's triage of the alert |
| result.triage_result.alert_verdict | string | Alert verdict |
| result.triage_result.alert_verdict_display | string | Alert verdict, display form |
| result.triage_result.risk_level | string | Risk level |
| result.triage_result.risk_level_display | string | Risk level, display form |

Output example:

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result": {
      "alert_id": "ed638299999999862495_1864999299",
      "intezer_alert_url": "https://analyze.intezer.com/alerts/ed638299999999862495_1864999299",
      "alert": {},
      "triage_result": {},
      "source": "cs",
      "source_display": "CrowdStrike",
      "source_type": "edr",
      "status": "done"
    },
    "status": "succeeded"
  }
}
```

### Get Analysis Result

Retrieve a summary of file analysis results in Intezer Analyze using the analysis ID path parameter.

- Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}`
- Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.analysis_id | string | required | ID of the analysis to retrieve |

Input example:

```json
{"path_parameters": {"analysis_id": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.analysis_id | string | Unique identifier of the analysis |
| result.analysis_time | string | When the analysis ran |
| result.analysis_url | string | URL of the analysis in Intezer Analyze |
| result.family_id | string | Unique identifier of the detected family |
| result.family_name | string | Name of the detected family |
| result.file_name | string | Name of the analyzed file |
| result.is_private | boolean | Whether the analysis is private |
| result.labels | array | Labels attached to the file |
| result.sha256 | string | SHA-256 of the analyzed file |
| result.sub_verdict | string | Sub-verdict |
| result.verdict | string | Verdict |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example (truncated as on the source page):

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result": {
      "analysis_id": "0833e33b-2dcd-4d48-a853-8b4822675911",
      "analysis_time": "Wed, 17 Oct 2018 15:16:45 GMT",
      "analysis_url": "https://analyze.intezer.com/analyses/0833e33b-2dcd-4d48-a853-8b4822675911",
      "family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9",
      "family_name": "WannaCry",
      "file_name": "file.exe",
      "is_private": true,
      "labels": [],
      "sha25…
```

### Get Latest Hash Result

Retrieve the latest analysis results for a file in Intezer Analyze by specifying its hash value.

- Endpoint URL: `/api/v2-0/files/{{hash_value}}`
- Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.hash_value | string | required | Hash of the file |
| should_get_only_private_analysis | string | optional | Return only private analyses |
| should_get_only_composed_analysis | string | optional | Return only composed analyses |

Input example:

```json
{
  "json_body": {
    "should_get_only_private_analysis": "false",
    "should_get_only_composed_analysis": "true"
  },
  "path_parameters": {"hash_value": "sha256"}
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.analysis_id | string | Unique identifier of the analysis |
| result.analysis_time | string | When the analysis ran |
| result.analysis_url | string | URL of the analysis in Intezer Analyze |
| result.family_id | string | Unique identifier of the detected family |
| result.family_name | string | Name of the detected family |
| result.file_name | string | Name of the analyzed file |
| result.is_private | boolean | Whether the analysis is private |
| result.labels | array | Labels attached to the file |
| result.sha256 | string | SHA-256 of the analyzed file |
| result.sub_verdict | string | Sub-verdict |
| result.verdict | string | Verdict |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example (truncated as on the source page):

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result": {
      "analysis_id": "0833e33b-2dcd-4d48-a853-8b4822675911",
      "analysis_time": "Wed, 17 Oct 2018 15:16:45 GMT",
      "analysis_url": "https://analyze.intezer.com/analyses/0833e33b-2dcd-4d48-a853-8b4822675911",
      "family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9",
      "family_name": "WannaCry",
      "file_name": "file.exe",
      "is_private": true,
      "labels": [],
      "sha25…
```

### Get Root Analysis Related Samples

Get a list of public samples from the Intezer genome database that share code with the detected family in the analyzed file. Requires `analysis_id` and `family_id` as path parameters.

- Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/root/code-reuse/families/{{family_id}}/find-related-files`
- Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.analysis_id | string | required | ID of the analysis |
| path_parameters.family_id | string | required | ID of the detected family |

Input example:

```json
{"path_parameters": {"analysis_id": "string", "family_id": "string"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.files | array | Related public samples |
| result.files.reused_gene_count | number | Number of genes the sample shares with the family |
| result.files.sha256 | string | SHA-256 of the related sample |
| result.files.size_in_bytes | number | Size of the related sample in bytes |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example (truncated as on the source page):

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result": {"files": []},
    "result_url": "/analyses/513555bd-1113-4079-80ff-c968e40bea16/sub-analyses/479d81e8-b6ba-4c13-8…",
    "status": "succeeded"
  }
}
```

### Get Sub Analyses Metadata

Get the root analysis sample's metadata in Intezer Analyze using the analysis ID as a path parameter.

- Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/root/metadata`
- Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.analysis_id | string | required | ID of the analysis |

Input example:

```json
{"path_parameters": {"analysis_id": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| architecture | string | Target architecture |
| company | string | Company from the file's version information |
| compilation_timestamp | string | Compilation timestamp |
| file_type | string | Type of the file |
| md5 | string | MD5 of the file |
| original_filename | string | Original filename from version information |
| product | string | Product from version information |
| product_version | string | Product version |
| sha1 | string | SHA-1 of the file |
| sha256 | string | SHA-256 of the file |
| size_in_bytes | number | File size in bytes |
| ssdeep | string | ssdeep fuzzy hash |
| indicators | array | Indicators found in the file |
| indicators.name | string | Indicator name |
| indicators.classification | string | Indicator classification |
| indicators.additional_info | string | Additional indicator information |

Output example (truncated as on the source page):

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "architecture": "i386",
    "company": "Microsoft Corporation",
    "compilation_timestamp": "2014-02-06 12:37:44+00:00",
    "file_type": "pe",
    "md5": "ec7e3cfaeaac0401316d66e964be684e",
    "original_filename": "cryptsp.dll",
    "product": "Microsoft\u00ae Windows\u00ae Operating System",
    "product_version": "6.1.7600.16385",
    "sha1": "dbda26c8dfbd511fd048a89a0d0dd300df3…
```

### Get Sub Analysis IDs

Retrieve a list of sub-analysis IDs for a given analysis ID in Intezer Analyze, including the root file's sub-analysis ID. Requires the analysis ID as a path parameter.

- Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}/sub-analyses`
- Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.analysis_id | string | required | ID of the analysis |

Input example:

```json
{"path_parameters": {"analysis_id": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sub_analyses | array | Sub-analyses of the analysis |
| sub_analyses.sha256 | string | SHA-256 of the sub-analysis item |
| sub_analyses.source | string | Where the item came from (e.g. `root`) |
| sub_analyses.sub_analysis_id | string | Unique identifier of the sub-analysis |
| sub_analyses.extraction_info | object | How the item was extracted |
| sub_analyses.extraction_info.dropped_path | string | Path the item was dropped to |
| sub_analyses.extraction_info.parent_file_sha256 | string | SHA-256 of the parent file |

Output example (truncated as on the source page):

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "sub_analyses": [
      {
        "sha256": "14ca4a614156e924d077e1bf6709cd24796a1ddc92aa1ac9c0b85103fea943bd",
        "source": "root",
        "sub_analysis_id": "ae0ad225-4f37-43ce-8ffd-a7771b896a36"
      },
      {
        "extraction_info": {
          "collected_from": "memory",
          "processes": [
            {
              "module_path": "c:\\users\\wmji\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\ddnvojbl…
```

### Get Sub Analysis Related Samples

Retrieve a list of public samples from the Intezer genome database that share code with the detected family in the analyzed file. Requires `analysis_id`, `family_id`, and `sub_analysis_id`.

- Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/{{sub_analysis_id}}/code-reuse/families/{{family_id}}/find-related-files`
- Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.analysis_id | string | required | ID of the analysis |
| path_parameters.family_id | string | required | ID of the detected family |
| path_parameters.sub_analysis_id | string | required | ID of the sub-analysis |

Input example:

```json
{"path_parameters": {"analysis_id": "", "family_id": "", "sub_analysis_id": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.files | array | Related public samples |
| result.files.reused_gene_count | number | Number of genes the sample shares with the family |
| result.files.sha256 | string | SHA-256 of the related sample |
| result.files.size_in_bytes | number | Size of the related sample in bytes |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example (truncated as on the source page):

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result": {"files": []},
    "result_url": "/analyses/513555bd-1113-4079-80ff-c968e40bea16/sub-analyses/479d81e8-b6ba-4c13-8…",
    "status": "succeeded"
  }
}
```

### Index Uploaded File

Upload a file to Intezer Analyze and index it into your private genome database. Supported classifications include `malicious` and `trusted`.

- Endpoint URL: `/api/v2-0/files/index`
- Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| attachments | object | required | File that you want to submit or upload |

Input example:

```json
{"attachments": {}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example:

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result": {},
    "result_url": "/files/index/7c9b8902-7176-41f8-bcaf-b0fd4c395f78",
    "status": "succeeded"
  }
}
```

Indexing a file as `trusted` teaches your private genome that its code is benign, which influences the verdict of anything that later shares that code. Only index as trusted binaries whose provenance you have verified, and keep the indexing actions behind an analyst approval step rather than running them automatically from alert data.

### Label File

Set a private label for a file in Intezer Analyze using the `sha256` path parameter and `label` in the JSON body.

- Endpoint URL: `/api/v2-0/files/{{sha256}}/label`
- Method: `PUT`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.sha256 | string | required | SHA-256 of the file to label |
| label | string | optional | Label to set |

Input example:

```json
{
  "json_body": {"label": ""},
  "path_parameters": {"sha256": ""}
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result_url | string | URL endpoint for the request |

Output example:

```json
{
  "status_code": 201,
  "reason": "Created",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result_url": "/tasks/5ffa5925-b651-4cca-9e15-92ee84ea4ad3"
  }
}
```

### Post Index Hash

Index a file into your private genome database in Intezer Analyze using its SHA-256 hash and specify how to index it.

- Endpoint URL: `/api/v2-0/files/{{sha256}}/index`
- Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.sha256 | string | required | SHA-256 of the file to index |
| index_as | string | optional | Classification to index the file as (e.g. `trusted` or `malicious`) |
| family_name | string | optional | Family name to index the file under |

Input example:

```json
{
  "json_body": {"index_as": "trusted", "family_name": "good_fam"},
  "path_parameters": {"sha256": ""}
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example:

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result": {},
    "result_url": "/files/index/7c9b8902-7176-41f8-bcaf-b0fd4c395f78",
    "status": "succeeded"
  }
}
```

### Search Incidents

Search for incidents in Intezer Analyze using the provided incident IDs and retrieve their triage and response details.

- Endpoint URL: `/api/v2-0/incidents/search`
- Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| incident_ids | array | optional | List of incident IDs to search for in Intezer Analyze |

Input example:

```json
{"json_body": {"incident_ids": ["incident_1234"]}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.incident_count | number | Number of incidents returned |
| result.incidents | array | Matching incidents |
| result.incidents.incident_id | string | Unique identifier of the incident |
| result.incidents.intezer_incident_url | string | URL of the incident in Intezer Analyze |
| result.incidents.alert_count | number | Number of alerts in the incident |
| result.incidents.alert_ids | array | IDs of the alerts in the incident |
| result.incidents.creation_time | string | Incident creation time |
| result.incidents.creation_time_display | string | Incident creation time, display form |
| result.incidents.status | string | Incident status |
| result.incidents.triage_result | object | Intezer's triage of the incident |
| result.incidents.triage_result.risk_level | string | Risk level |
| result.incidents.triage_result.risk_level_display | string | Risk level, display form |
| result.incidents.triage_result.risk_category | string | Risk category |
| result.incidents.triage_result.risk_category_display | string | Risk category, display form |
| result.incidents.triage_result.risk_score | number | Risk score |
| result.incidents.source | string | Source product identifier |
| result.incidents.source_display | string | Source product, display form |
| result.incidents.source_type | string | Source product type |
| status | string | Status value |

Output example:

```json
{
  "status_code": 200,
  "reason": "OK",
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
  },
  "json_body": {
    "result": {"incident_count": 1, "incidents": []},
    "status": "succeeded"
  }
}
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 13 Dec 2023 20:37:23 GMT |
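The submit, poll and triage loop that a playbook builds from the Analyze By Hash and Get Analysis Result actions above, as an added Python example. This is not the connector's code and not Intezer's client library. It assumes the token exchange described in the linked authentication docs (`POST /api/v2-0/get-access-token` with `api_key`, then `Authorization: Bearer <token>`), that a hash Intezer has never seen answers 404, and that a pending analysis answers with a status other than `succeeded`; `FakeIntezer`, `KNOWN_SHA256` and the `RESULT` payload are constructed so the flow runs offline. It also validates the hash before it leaves the playbook, a check the connector schema (where `hash` is a free-form optional string) does not make.

```python
"""Submit a hash to Intezer Analyze, poll the result URL, and map the verdict
to a playbook decision. Example code, not the connector's or Intezer's own."""
import re
from typing import Any, Callable, Dict, Optional, Tuple

BASE_URL = "https://analyze.intezer.com"   # the connector's "url" configuration parameter
API = "/api/v2-0"

# Transport: (method, url, headers, json_body) -> (status_code, parsed json body).
# A real one is a thin wrapper around requests.request(...) returning (r.status_code, r.json()).
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]],
                     Tuple[int, Dict[str, Any]]]

_HEX_DIGEST_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def classify_hash(value: str) -> str:
    """Return 'md5' | 'sha1' | 'sha256' for a hex digest; reject anything else.
    Alert fields are attacker-influenced, so they are never forwarded unvalidated."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value or ""):
        raise ValueError(f"not a hex digest: {value!r}")
    for name, length in _HEX_DIGEST_LENGTHS.items():
        if len(value) == length:
            return name
    raise ValueError(f"unsupported digest length {len(value)}")


def get_access_token(transport: Transport, api_key: str) -> str:
    """Exchange the API key for a bearer token (assumption: per the linked get-access-token docs)."""
    status, body = transport("POST", f"{BASE_URL}{API}/get-access-token",
                             {"Content-Type": "application/json"}, {"api_key": api_key})
    if status != 200 or "result" not in body:
        raise RuntimeError(f"token exchange failed: HTTP {status}")
    return body["result"]


def analyze_by_hash(transport: Transport, token: str, file_hash: str,
                    file_name: Optional[str] = None) -> Optional[str]:
    """POST /analyze-by-hash. Returns the result_url, or None when Intezer has never
    seen the hash (assumption: 404), in which case the file itself must be uploaded."""
    classify_hash(file_hash)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body: Dict[str, Any] = {"hash": file_hash.lower(),
                            "disable_dynamic_execution": False,
                            "disable_static_extraction": False}
    if file_name:
        body["file_name"] = file_name
    status, resp = transport("POST", f"{BASE_URL}{API}/analyze-by-hash", headers, body)
    if status == 404:
        return None
    if status != 201:
        raise RuntimeError(f"analyze-by-hash failed: HTTP {status} {resp}")
    return resp["result_url"]          # e.g. "/analyses/<analysis_id>"


def poll_analysis(transport: Transport, token: str, result_url: str,
                  max_attempts: int = 10) -> Dict[str, Any]:
    """GET the analysis until status == "succeeded"; a real client sleeps between attempts."""
    headers = {"Authorization": f"Bearer {token}"}
    for _ in range(max_attempts):
        status, body = transport("GET", f"{BASE_URL}{API}{result_url}", headers, None)
        if status == 200 and body.get("status") == "succeeded":
            return body["result"]
        if body.get("status") in ("failed", "error"):
            raise RuntimeError(f"analysis failed: {body}")
    raise TimeoutError(f"analysis still pending after {max_attempts} polls: {result_url}")


def triage(result: Dict[str, Any]) -> str:
    """Illustrative policy: malicious -> block, trusted -> allow, anything else -> investigate.
    Unknown or unexpected verdicts fail closed instead of silently allowing."""
    return {"malicious": "block", "trusted": "allow"}.get(result.get("verdict"), "investigate")


def run_workflow(transport: Transport, api_key: str, file_hash: str) -> Dict[str, Any]:
    token = get_access_token(transport, api_key)
    result_url = analyze_by_hash(transport, token, file_hash, file_name="malicious.exe")
    if result_url is None:
        return {"decision": "upload_file", "result": None}
    result = poll_analysis(transport, token, result_url)
    return {"decision": triage(result), "result": result}


# --- constructed stand-in for the service; values mirror the examples on this page ---
KNOWN_SHA256 = "0123456789abcdef" * 4          # constructed, not a real sample hash
ANALYSIS_ID = "0833e33b-2dcd-4d48-a853-8b4822675911"
RESULT = {"analysis_id": ANALYSIS_ID, "family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9",
          "family_name": "WannaCry", "file_name": "file.exe", "is_private": True,
          "labels": [], "sha256": KNOWN_SHA256, "verdict": "malicious", "sub_verdict": "malicious"}


class FakeIntezer:
    """Answers the three requests the workflow makes; reports pending twice before succeeding."""
    def __init__(self) -> None:
        self.polls = 0

    def __call__(self, method, url, headers, body):
        path = url[len(BASE_URL):]
        if method == "POST" and path == f"{API}/get-access-token":
            return (200, {"result": "fake-jwt"}) if body.get("api_key") == "test-key" else (401, {})
        if headers.get("Authorization") != "Bearer fake-jwt":
            return 401, {"error": "unauthorized"}
        if method == "POST" and path == f"{API}/analyze-by-hash":
            if body["hash"] == KNOWN_SHA256:
                return 201, {"result_url": f"/analyses/{ANALYSIS_ID}"}
            return 404, {"error": "File not found"}
        if method == "GET" and path == f"{API}/analyses/{ANALYSIS_ID}":
            self.polls += 1
            if self.polls < 3:
                return 202, {"status": "in_progress", "result_url": f"/analyses/{ANALYSIS_ID}"}
            return 200, {"status": "succeeded", "result": RESULT}
        return 404, {"error": "no such route"}


if __name__ == "__main__":
    print(run_workflow(FakeIntezer(), "test-key", KNOWN_SHA256)["decision"])   # block
```

Two points carry over to a real playbook: the `None` return from `analyze_by_hash` is the branch where the Analyze File action (upload) has to take over, and `triage` maps anything that is not an explicit `malicious` or `trusted` verdict to `investigate` so that a new or unexpected verdict string never turns into an automatic allow.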