# Intezer Analyze
## Description

The Intezer Analyze connector integrates with Swimlane to perform malware analysis of suspicious files and a variety of automated investigation process operations.

## Asset Setup or Prerequisites

The Intezer Analyze connector requires an API key for authentication.

## Capabilities

This plugin provides the following capabilities:

- Analyze File
- Analyze by Hash
- Delete File by Hash
- Delete Index by Hash
- Download File
- Generate Vaccine
- Get Analysis Result
- Get Latest Hash Result
- Get Root Analysis Related Samples
- Get Sub Analysis Related Samples
- Get Sub Analysis IDs
- Get Sub Analyses Metadata
- Index Uploaded File
- Label File
- Post Index Hash

## Notes

For more information on the Intezer Analyze connector, see https://analyze.intezer.com/api-docs.html#/.

For more information on Intezer Analyze authentication, see https://analyze.intezer.com/api-docs.html#/operations/app/get-access-token.

## Configurations

### Intezer Analyze API Key Authentication

Authenticates using an Intezer Analyze API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Analyze by Hash

Submits the hash of a file to be analyzed. Only the hash of the file is submitted; this endpoint enables you to analyze a file without actually submitting it.

**Endpoint URL:** `/api/v2-0/analyze-by-hash`
**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| hash | string | optional | Parameter for Analyze by Hash |
| file_name | string | optional | Name of the resource |
| code_item_type | string | optional | Type of the resource |
| disable_dynamic_execution | boolean | optional | Parameter for Analyze by Hash |
| disable_static_extraction | boolean | optional | Parameter for Analyze by Hash |
| sandbox_command_line_arguments | string | optional | Parameter for Analyze by Hash |

Input example:

```json
{"json_body": {"hash": "stringstringstringstringstringst", "file_name": "malicious.exe", "code_item_type": "file", "disable_dynamic_execution": false, "disable_static_extraction": false, "sandbox_command_line_arguments": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result_url | string | URL endpoint for the request |
| result | object | Result of the operation |

Output example:

```json
{"status_code": 201, "reason": "Created", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"status": "succeeded", "result_url": "string", "result": null}}
```

### Analyze File

Submits a file to be analyzed.

**Endpoint URL:** `/api/v2-0/analyze`
**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | object | required | Parameter for Analyze File |

Input example:

```json
{"attachments": {}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result_url | string | URL endpoint for the request |
| result | object | Result of the operation |

Output example:

```json
{"status_code": 201, "reason": "Created", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"status": "succeeded", "result_url": "string", "result": null}}
```

### Delete File by Hash

Delete a file. Enables you to delete a private file uploaded by the user from Intezer's storage.

**Endpoint URL:** `/api/v2-0/files/{{hash_value}}`
**Method:** DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.hash_value | string | required | Parameters for the Delete File by Hash action |

Input example:

```json
{"path_parameters": {"hash_value": "sha256"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result_url | string | URL endpoint for the request |
| result | object | Result of the operation |

Output example:

```json
{"status_code": 201, "reason": "Created", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"status": "succeeded", "result_url": "string", "result": null}}
```

### Delete Index by Hash

Enables you to delete the private indexing that was previously set for the file.

**Endpoint URL:** `/api/v2-0/files/{{sha256}}/index`
**Method:** DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sha256 | string | required | Parameters for the Delete Index by Hash action |

Input example:

```json
{"path_parameters": {"sha256": "sha256"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result_url | string | URL endpoint for the request |

Output example:

```json
{"status_code": 201, "reason": "Created", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"result_url": "/tasks/5ffa5925-b651-4cca-9e15-92ee84ea4ad3"}}
```

### Download a File

Enables you to download the SHA256 equivalent of a file for further investigation.

**Endpoint URL:** `/api/v2-0/files/{{sha256}}/download`
**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | optional | HTTP headers for the request |
| headers.Accept | string | optional | HTTP headers for the request |
| path_parameters.sha256 | string | required | Parameters for the Download a File action |

Input example:

```json
{"headers": {"Accept": "application/octet-stream"}, "path_parameters": {"sha256": ""}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "reason": "OK", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {}}
```

### Generate Vaccine

Generate Vaccine enables you to generate a vaccine for a specific file.

**Endpoint URL:** `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/root/generate-vaccine`
**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.analysis_id | string | required | Parameters for the Generate Vaccine action |
| format | string | optional | Parameter for Generate Vaccine |

Input example:

```json
{"json_body": {"format": "yara"}, "path_parameters": {"analysis_id": ""}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | string | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example:

```json
{"status_code": 200, "reason": "OK", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"result": "rule intezer_vaccine_bf293bda73c5b4c1ec66561ad20d7e2bc6692d051282d35ce8b7b7020c7...", "result_url": "/analyses/0833e33b-2dcd-4d48-a853-8b4822675911/sub-analyses/e1aba630-e390-4964-b...", "status": "succeeded"}}
```

### Get Analysis Result

This endpoint retrieves a summary of a file analysis; the summary provides high-level analysis results.

**Endpoint URL:** `/api/v2-0/analyses/{{analysis_id}}`
**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.analysis_id | string | required | Parameters for the Get Analysis Result action |

Input example:

```json
{"path_parameters": {"analysis_id": ""}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.analysis_id | string | Unique identifier |
| result.analysis_time | string | Result of the operation |
| result.analysis_url | string | URL endpoint for the request |
| result.family_id | string | Unique identifier |
| result.family_name | string | Name of the resource |
| result.file_name | string | Name of the resource |
| result.is_private | boolean | Result of the operation |
| result.labels | array | Result of the operation |
| result.sha256 | string | Result of the operation |
| result.sub_verdict | string | Result of the operation |
| result.verdict | string | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example:

```json
{"status_code": 200, "reason": "OK", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"result": {"analysis_id": "0833e33b-2dcd-4d48-a853-8b4822675911", "analysis_time": "Wed, 17 Oct 2018 15:16:45 GMT", "analysis_url": "https://analyze.intezer.com/analyses/0833e33b-2dcd-4d48-a853-8b4822675911", "family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9", "family_name": "WannaCry", "file_name": "file.exe", "is_private": true, "labels": [], "sha25
```

### Get Latest Hash Result

This endpoint enables you to retrieve the latest available results of a previously analyzed file by specifying its hash.

**Endpoint URL:** `/api/v2-0/files/{{hash_value}}`
**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.hash_value | string | required | Parameters for the Get Latest Hash Result action |
| should_get_only_private_analysis | string | optional | Parameter for Get Latest Hash Result |
| should_get_only_composed_analysis | string | optional | Parameter for Get Latest Hash Result |

Input example:

```json
{"json_body": {"should_get_only_private_analysis": "false", "should_get_only_composed_analysis": "true"}, "path_parameters": {"hash_value": "sha256"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.analysis_id | string | Unique identifier |
| result.analysis_time | string | Result of the operation |
| result.analysis_url | string | URL endpoint for the request |
| result.family_id | string | Unique identifier |
| result.family_name | string | Name of the resource |
| result.file_name | string | Name of the resource |
| result.is_private | boolean | Result of the operation |
| result.labels | array | Result of the operation |
| result.sha256 | string | Result of the operation |
| result.sub_verdict | string | Result of the operation |
| result.verdict | string | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example:

```json
{"status_code": 200, "reason": "OK", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"result": {"analysis_id": "0833e33b-2dcd-4d48-a853-8b4822675911", "analysis_time": "Wed, 17 Oct 2018 15:16:45 GMT", "analysis_url": "https://analyze.intezer.com/analyses/0833e33b-2dcd-4d48-a853-8b4822675911", "family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9", "family_name": "WannaCry", "file_name": "file.exe", "is_private": true, "labels": [], "sha25
```

### Get Root Analysis Related Samples

Gets a list of various public samples stored in the Intezer Genome Database that share code with the family detected in the analyzed file.

**Endpoint URL:** `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/root/code-reuse/families/{{family_id}}/find-related-files`
**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.analysis_id | string | required | Parameters for the Get Root Analysis Related Samples action |
| path_parameters.family_id | string | required | Parameters for the Get Root Analysis Related Samples action |

Input example:

```json
{"path_parameters": {"analysis_id": "string", "family_id": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.files | array | Result of the operation |
| result.files.reused_gene_count | number | Result of the operation |
| result.files.sha256 | string | Result of the operation |
| result.files.size_in_bytes | number | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example:

```json
{"status_code": 200, "reason": "OK", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"result": {"files": []}, "result_url": "/analyses/513555bd-1113-4079-80ff-c968e40bea16/sub-analyses/479d81e8-b6ba-4c13-8...", "status": "succeeded"}}
```

### Get Sub Analyses Metadata

Get the root analysis sample's metadata.

**Endpoint URL:** `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/root/metadata`
**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.analysis_id | string | required | Parameters for the Get Sub Analyses Metadata action |

Input example:

```json
{"path_parameters": {"analysis_id": ""}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| architecture | string | Output field architecture |
| company | string | Output field company |
| compilation_timestamp | string | Output field compilation_timestamp |
| file_type | string | Type of the resource |
| md5 | string | Output field md5 |
| original_filename | string | Name of the resource |
| product | string | Output field product |
| product_version | string | Output field product_version |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| size_in_bytes | number | Output field size_in_bytes |
| ssdeep | string | Output field ssdeep |
| indicators | array | Output field indicators |
| indicators.name | string | Name of the resource |
| indicators.classification | string | Output field indicators.classification |
| indicators.additional_info | string | Output field indicators.additional_info |

Output example:

```json
{"status_code": 200, "reason": "OK", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"architecture": "i386", "company": "Microsoft Corporation", "compilation_timestamp": "2014-02-06 12:37:44+00:00", "file_type": "pe", "md5": "ec7e3cfaeaac0401316d66e964be684e", "original_filename": "cryptsp.dll", "product": "Microsoft\u00ae Windows\u00ae Operating System", "product_version": "6.1.7600.16385", "sha1": "dbda26c8dfbd511fd048a89a0d0dd300df3
```

### Get Sub Analysis IDs

Gets the list of sub-analysis IDs of a specific analysis ID, including the sub-analysis ID of the root file.

**Endpoint URL:** `/api/v2-0/analyses/{{analysis_id}}/sub-analyses`
**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.analysis_id | string | required | Parameters for the Get Sub Analysis IDs action |

Input example:

```json
{"path_parameters": {"analysis_id": ""}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sub_analyses | array | Output field sub_analyses |
| sub_analyses.sha256 | string | Output field sub_analyses.sha256 |
| sub_analyses.source | string | Output field sub_analyses.source |
| sub_analyses.sub_analysis_id | string | Unique identifier |
| sub_analyses.extraction_info | object | Output field sub_analyses.extraction_info |
| sub_analyses.extraction_info.dropped_path | string | Output field sub_analyses.extraction_info.dropped_path |
| sub_analyses.extraction_info.parent_file_sha256 | string | Output field sub_analyses.extraction_info.parent_file_sha256 |

Output example:

```json
{"status_code": 200, "reason": "OK", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"sub_analyses": [{"sha256": "14ca4a614156e924d077e1bf6709cd24796a1ddc92aa1ac9c0b85103fea943bd", "source": "root", "sub_analysis_id": "ae0ad225-4f37-43ce-8ffd-a7771b896a36"}, {"extraction_info": {"collected_from": "memory", "processes": [{"module_path": "c:\\users\\wmji\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\ddnvojbl
```

### Get Sub Analysis Related Samples

Gets a list of various public samples stored in the Intezer Genome Database that share code with the family detected in the analyzed file.

**Endpoint URL:** `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/{{sub_analysis_id}}/code-reuse/families/{{family_id}}/find-related-files`
**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.analysis_id | string | required | Parameters for the Get Sub Analysis Related Samples action |
| path_parameters.family_id | string | required | Parameters for the Get Sub Analysis Related Samples action |
| path_parameters.sub_analysis_id | string | required | Parameters for the Get Sub Analysis Related Samples action |

Input example:

```json
{"path_parameters": {"analysis_id": "", "family_id": "", "sub_analysis_id": ""}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.files | array | Result of the operation |
| result.files.reused_gene_count | number | Result of the operation |
| result.files.sha256 | string | Result of the operation |
| result.files.size_in_bytes | number | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example:

```json
{"status_code": 200, "reason": "OK", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"result": {"files": []}, "result_url": "/analyses/513555bd-1113-4079-80ff-c968e40bea16/sub-analyses/479d81e8-b6ba-4c13-8...", "status": "succeeded"}}
```

### Index Uploaded File

Enables you to upload a file and index it into your private Genome Database. Currently, the only supported classifications are malicious and trusted.

**Endpoint URL:** `/api/v2-0/files/index`
**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | object | required | File that you want to submit or upload |

Input example:

```json
{"attachments": {}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example:

```json
{"status_code": 200, "reason": "OK", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"result": {}, "result_url": "/files/index/7c9b8902-7176-41f8-bcaf-b0fd4c395f78", "status": "succeeded"}}
```

### Label File

Set a private label for a file.

**Endpoint URL:** `/api/v2-0/files/{{sha256}}/label`
**Method:** PUT

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sha256 | string | required | Parameters for the Label File action |
| label | string | optional | Parameter for Label File |

Input example:

```json
{"json_body": {"label": ""}, "path_parameters": {"sha256": ""}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result_url | string | URL endpoint for the request |

Output example:

```json
{"status_code": 201, "reason": "Created", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"result_url": "/tasks/5ffa5925-b651-4cca-9e15-92ee84ea4ad3"}}
```

### Post Index Hash

Enables you to index the file into your private Genome Database.

**Endpoint URL:** `/api/v2-0/files/{{sha256}}/index`
**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sha256 | string | required | Parameters for the Post Index Hash action |
| index_as | string | optional | Parameter for Post Index Hash |
| family_name | string | optional | Name of the resource |

Input example:

```json
{"json_body": {"index_as": "trusted", "family_name": "good fam"}, "path_parameters": {"sha256": ""}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Output example:

```json
{"status_code": 200, "reason": "OK", "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "json_body": {"result": {}, "result_url": "/files/index/7c9b8902-7176-41f8-bcaf-b0fd4c395f78", "status": "succeeded"}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 13 Dec 2023 20:37:23 GMT |
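The Analyze by Hash and Get Analysis Result actions above are normally chained: submit a hash, take the `result_url` from the 201 response, then poll it until `status` is `succeeded`. The Python client below is an added example, not connector or Intezer code; it assumes the bearer-token exchange that the linked get-access-token page describes (API key in, token in `result`), assumes `in_progress` and `failed` as the non-final and failure statuses, and takes an injected transport so the demo runs offline against constructed responses shaped like the page's output examples.

```python
import re
import time
from typing import Any, Callable, Dict, Optional, Tuple

# transport(method, url, headers=, json=, verify=, proxies=) -> (status_code, json_body); injected so it runs offline
Transport = Callable[..., Tuple[int, Dict[str, Any]]]
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # hex MD5 / SHA-1 / SHA-256 only

class IntezerClient:
    """Minimal client for the Analyze by Hash -> Get Analysis Result flow on the v2-0 API."""
    def __init__(self, url, api_key, transport, verify_ssl=True, http_proxy=None):
        self.base, self.api_key, self.transport = url.rstrip("/") + "/api/v2-0", api_key, transport
        # verify_ssl / http_proxy mirror the connector's configuration parameters
        self.verify_ssl, self.proxies = verify_ssl, ({"https": http_proxy} if http_proxy else None)
        self.token: Optional[str] = None
    def _call(self, method: str, path: str, body: Optional[dict] = None) -> Dict[str, Any]:
        headers = {"Authorization": f"Bearer {self.token}"} if self.token else {}
        status, data = self.transport(method, self.base + path, headers=headers, json=body,
                                      verify=self.verify_ssl, proxies=self.proxies)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data}")
        return data
    def login(self) -> None:  # assumed shape of the linked get-access-token exchange: key in, token out
        self.token = self._call("POST", "/get-access-token", {"api_key": self.api_key})["result"]
    def analyze_by_hash(self, hash_value: str, file_name: str = "", disable_dynamic_execution: bool = False) -> str:
        digest = hash_value.strip().lower()
        if not HASH_RE.match(digest):  # never forward untrusted free text as a "hash"
            raise ValueError("hash must be a hex MD5, SHA-1 or SHA-256 digest")
        body = {"hash": digest, "disable_dynamic_execution": disable_dynamic_execution,
                **({"file_name": file_name} if file_name else {})}
        return self._call("POST", "/analyze-by-hash", body)["result_url"]  # e.g. /analyses/<analysis_id>
    def wait_for_result(self, result_url: str, attempts: int = 10, delay: float = 0.0) -> Dict[str, Any]:
        """Poll result_url until a terminal status ('failed' as the failure status is an assumption)."""
        for _ in range(attempts):
            data = self._call("GET", result_url)
            if data.get("status") == "succeeded":
                return {k: data["result"].get(k) for k in ("verdict", "sub_verdict", "family_name", "analysis_url")}
            if data.get("status") == "failed":
                raise RuntimeError(f"analysis failed: {data}")
            time.sleep(delay)  # still queued / in progress
        raise TimeoutError("analysis still pending after polling")

def demo() -> Dict[str, Any]:
    """Drive the flow against constructed responses shaped like the page's output examples."""
    aid, calls = "0833e33b-2dcd-4d48-a853-8b4822675911", []
    def fake_transport(method: str, url: str, **kw: Any) -> Tuple[int, Dict[str, Any]]:
        calls.append(method)
        if url.endswith("/get-access-token"):
            return 200, {"result": "constructed-token"}
        if url.endswith("/analyze-by-hash"):
            return 201, {"status": "succeeded", "result_url": f"/analyses/{aid}", "result": None}
        if calls.count("GET") == 1:  # first poll: analysis not finished yet
            return 200, {"status": "in_progress"}
        return 200, {"status": "succeeded", "result": {"analysis_id": aid, "family_name": "WannaCry", "verdict":
                     "malicious", "sub_verdict": "known_malicious", "analysis_url": f"https://analyze.intezer.com/analyses/{aid}"}}
    client = IntezerClient("https://analyze.intezer.com", "constructed-api-key", fake_transport)
    client.login()
    summary = client.wait_for_result(client.analyze_by_hash("ab" * 32, file_name="file.exe"))
    summary["polls"] = calls.count("GET")
    return summary
```

Swap `fake_transport` for a thin wrapper around `requests.request` (returning `(r.status_code, r.json())`) to run the same flow against a live tenant with the connector's `verify_ssl` and `http_proxy` settings honoured.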