Intezer Analyze
The Intezer Analyze connector integrates with Swimlane to perform malware analysis of suspicious files and a variety of automated investigation process operations.

## Asset Setup or Prerequisites

The Intezer Analyze connector requires an API key for authentication.

## Capabilities

This plugin provides the following capabilities:

- Analyze File
- Analyze by Hash
- Delete File by Hash
- Delete Index by Hash
- Download File
- Generate Vaccine
- Get Analysis Result
- Get Latest Hash Result
- Get Root Analysis Related Samples
- Get Sub Analysis Related Samples
- Get Sub Analysis IDs
- Get Sub Analyses Metadata
- Index Uploaded File
- Label File
- Post Index Hash

## Configurations

### Intezer Analyze API Key Authentication

Authenticates using an Intezer Analyze API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Analyze by Hash

Submits the hash of a file to be analyzed. Only the hash of the file is submitted; this endpoint enables you to analyze a file without actually submitting it.

Endpoint URL: `/api/v2-0/analyze-by-hash`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| hash | string | required | Parameter for Analyze by Hash |
| file_name | string | optional | Name of the resource |
| code_item_type | string | optional | Type of the resource |
| disable_dynamic_execution | boolean | optional | Parameter for Analyze by Hash |
| disable_static_extraction | boolean | optional | Parameter for Analyze by Hash |
| sandbox_command_line_arguments | string | optional | Parameter for Analyze by Hash |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result_url | string | URL endpoint for the request |
| result | object | Result of the operation |

Example:

```json
[
  {
    "status_code": 201,
    "reason": "Created",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "status": "succeeded",
      "result_url": "string",
      "result": null
    }
  }
]
```

### Analyze File

Submits a file to be analyzed.

Endpoint URL: `/api/v2-0/analyze`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | object | required | Parameter for Analyze File |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result_url | string | URL endpoint for the request |
| result | object | Result of the operation |

Example:

```json
[
  {
    "status_code": 201,
    "reason": "Created",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "status": "succeeded",
      "result_url": "string",
      "result": null
    }
  }
]
```

### Delete File by Hash

Delete a file. Enables you to delete a private file uploaded by the user from Intezer's storage.

Endpoint URL: `/api/v2-0/files/{{hash_value}}`
Method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| hash_value | string | required | Value for the parameter |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result_url | string | URL endpoint for the request |
| result | object | Result of the operation |

Example:

```json
[
  {
    "status_code": 201,
    "reason": "Created",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "status": "succeeded",
      "result_url": "string",
      "result": null
    }
  }
]
```

### Delete Index by Hash

Enables you to delete the private indexing that was previously set for the file.

Endpoint URL: `/api/v2-0/files/{{sha256}}/index`
Method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | required | Parameter for Delete Index by Hash |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result_url | string | URL endpoint for the request |

Example:

```json
[
  {
    "status_code": 201,
    "reason": "Created",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "result_url": "/tasks/5ffa5925-b651-4cca-9e15-92ee84ea4ad3"
    }
  }
]
```

### Download a File

Enables you to download the SHA256 equivalent of a file for further investigation.

Endpoint URL: `/api/v2-0/files/{{sha256}}/download`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | optional | HTTP headers for the request |
| accept | string | optional | Parameter for Download a File |
| sha256 | string | required | Parameter for Download a File |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {}
  }
]
```

### Generate Vaccine

Generate Vaccine enables you to generate a vaccine for a specific file.

Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/root/generate-vaccine`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| analysis_id | string | required | Unique identifier |
| format | string | optional | Parameter for Generate Vaccine |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | string | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "result": "rule intezer_vaccine_bf293bda73c5b4c1ec66561ad20d7e2bc6692d051282d35ce8b7b7020c7 ",
      "result_url": "/analyses/0833e33b-2dcd-4d48-a853-8b4822675911/sub-analyses/e1aba630-e390-4964-b ",
      "status": "succeeded"
    }
  }
]
```

### Get Analysis Result

This endpoint retrieves a summary of a file analysis; the summary provides high-level analysis results.

Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| analysis_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| analysis_id | string | Unique identifier |
| analysis_time | string | Time value |
| analysis_url | string | URL endpoint for the request |
| family_id | string | Unique identifier |
| family_name | string | Name of the resource |
| file_name | string | Name of the resource |
| is_private | boolean | Output field is_private |
| labels | array | Output field labels |
| sha256 | string | Output field sha256 |
| sub_verdict | string | Output field sub_verdict |
| verdict | string | Output field verdict |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "result": {},
      "result_url": "/analyses/0833e33b-2dcd-4d48-a853-8b4822675911",
      "status": "succeeded"
    }
  }
]
```

### Get Latest Hash Result

This endpoint enables you to retrieve the latest available results of a previously analyzed file by specifying its hash.

Endpoint URL: `/api/v2-0/files/{{hash_value}}`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| hash_value | string | required | Value for the parameter |
| should_get_only_private_analysis | string | optional | Parameter for Get Latest Hash Result |
| should_get_only_composed_analysis | string | optional | Parameter for Get Latest Hash Result |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| analysis_id | string | Unique identifier |
| analysis_time | string | Time value |
| analysis_url | string | URL endpoint for the request |
| family_id | string | Unique identifier |
| family_name | string | Name of the resource |
| file_name | string | Name of the resource |
| is_private | boolean | Output field is_private |
| labels | array | Output field labels |
| sha256 | string | Output field sha256 |
| sub_verdict | string | Output field sub_verdict |
| verdict | string | Output field verdict |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "result": {},
      "result_url": "/analyses/0833e33b-2dcd-4d48-a853-8b4822675911",
      "status": "succeeded"
    }
  }
]
```

### Get Root Analysis Related Samples

Gets a list of various public samples stored in the Intezer Genome Database that share code with the family detected in the analyzed file.

Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/root/code-reuse/families/{{family_id}}/find-related-files`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| analysis_id | string | required | Unique identifier |
| family_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| files | array | Output field files |
| reused_gene_count | number | Count value |
| sha256 | string | Output field sha256 |
| size_in_bytes | number | Output field size_in_bytes |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "result": {},
      "result_url": "/analyses/513555bd-1113-4079-80ff-c968e40bea16/sub-analyses/479d81e8-b6ba-4c13-8 ",
      "status": "succeeded"
    }
  }
]
```

### Get Sub Analyses Metadata

Get the root analysis sample's metadata.

Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/root/metadata`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| analysis_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| architecture | string | Output field architecture |
| company | string | Output field company |
| compilation_timestamp | string | Output field compilation_timestamp |
| file_type | string | Type of the resource |
| md5 | string | Output field md5 |
| original_filename | string | Name of the resource |
| product | string | Output field product |
| product_version | string | Output field product_version |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| size_in_bytes | number | Output field size_in_bytes |
| ssdeep | string | Output field ssdeep |
| indicators | array | Output field indicators |
| name | string | Name of the resource |
| classification | string | Output field classification |
| additional_info | string | Output field additional_info |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "architecture": "i386",
      "company": "Microsoft Corporation",
      "compilation_timestamp": "2014-02-06 12:37:44+00:00",
      "file_type": "pe",
      "md5": "ec7e3cfaeaac0401316d66e964be684e",
      "original_filename": "cryptsp.dll",
      "product": "Microsoft\u00ae Windows\u00ae Operating System",
      "product_version": "6.1.7600.16385",
      "sha1": "dbda26c8dfbd511fd048a89a0d0dd300df385e55",
      "sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356",
      "size_in_bytes": 260096,
      "ssdeep": "6144:pbnycjzyikvnvaznzshtmzolvqfyp+opuy9iju9cr:pbsqenvqnzsht1qopda",
      "indicators": []
    }
  }
]
```

### Get Sub Analysis IDs

Gets the list of sub-analysis IDs of a specific analysis ID, including the sub-analysis ID of the root file.

Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}/sub-analyses`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| analysis_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sub_analyses | array | Output field sub_analyses |
| sha256 | string | Output field sha256 |
| source | string | Output field source |
| sub_analysis_id | string | Unique identifier |
| extraction_info | object | Output field extraction_info |
| dropped_path | string | Output field dropped_path |
| parent_file_sha256 | string | Output field parent_file_sha256 |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "sub_analyses": []
    }
  }
]
```

### Get Sub Analysis Related Samples

Gets a list of various public samples stored in the Intezer Genome Database that share code with the family detected in the analyzed file.

Endpoint URL: `/api/v2-0/analyses/{{analysis_id}}/sub-analyses/{{sub_analysis_id}}/code-reuse/families/{{family_id}}/find-related-files`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| analysis_id | string | required | Unique identifier |
| family_id | string | required | Unique identifier |
| sub_analysis_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| files | array | Output field files |
| reused_gene_count | number | Count value |
| sha256 | string | Output field sha256 |
| size_in_bytes | number | Output field size_in_bytes |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "result": {},
      "result_url": "/analyses/513555bd-1113-4079-80ff-c968e40bea16/sub-analyses/479d81e8-b6ba-4c13-8 ",
      "status": "succeeded"
    }
  }
]
```

### Index Uploaded File

Enables you to upload a file and index it into your private Genome Database. Currently, the only supported classifications are malicious and trusted.

Endpoint URL: `/api/v2-0/files/index`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | object | required | File that you want to submit or upload |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "result": {},
      "result_url": "/files/index/7c9b8902-7176-41f8-bcaf-b0fd4c395f78",
      "status": "succeeded"
    }
  }
]
```

### Label File

Set a private label for a file.

Endpoint URL: `/api/v2-0/files/{{sha256}}/label`
Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | required | Parameter for Label File |
| label | string | required | Parameter for Label File |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result_url | string | URL endpoint for the request |

Example:

```json
[
  {
    "status_code": 201,
    "reason": "Created",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "result_url": "/tasks/5ffa5925-b651-4cca-9e15-92ee84ea4ad3"
    }
  }
]
```

### Post Index Hash

Enables you to index the file into your private Genome Database.

Endpoint URL: `/api/v2-0/files/{{sha256}}/index`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | required | Parameter for Post Index Hash |
| index_as | string | required | Parameter for Post Index Hash |
| family_name | string | optional | Name of the resource |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result_url | string | URL endpoint for the request |
| status | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 13 Dec 2023 20:37:23 GMT"
    },
    "json_body": {
      "result": {},
      "result_url": "/files/index/7c9b8902-7176-41f8-bcaf-b0fd4c395f78",
      "status": "succeeded"
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 13 Dec 2023 20:37:23 GMT |

## Notes

For more information on the Intezer Analyze connector, see the Intezer Analyze main site: https://analyze.intezer.com/api-docs.html#/

For more information on Intezer Analyze authentication, check here: https://analyze.intezer.com/api-docs.html#/operations/app/get-access-token
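## Worked example: Analyze by Hash, then poll Get Analysis Result

The Analyze by Hash action returns a `result_url` rather than a verdict, so an automation has to poll that URL until `status` is `succeeded`, and it must first exchange the API key for an access token (the get-access-token operation linked under Notes). The following Python client is an added example written for this page; it is not Swimlane's connector code or Intezer's SDK. It assumes the access token comes back in the `result` field of a 200 response, that an unknown hash is signalled by HTTP 404, and that `result_url` is relative to the `/api/v2-0` prefix. The HTTP transport is injectable, so the exchange below runs offline against a constructed fake server that replays both sides of the conversation; the analysis IDs, token and verdict it returns are constructed values.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

API_PREFIX = "/api/v2-0"  # version prefix shared by all endpoints on this page

# A transport is (method, url, headers, body) -> (status_code, json_body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, dict]:
    """Real HTTP transport on top of the standard library (no third-party deps)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


class IntezerClient:
    """Thin wrapper around the Analyze by Hash and Get Analysis Result actions."""

    def __init__(self, base_url: str, api_key: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.transport = transport
        self.token: Optional[str] = None

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> Tuple[int, dict]:
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["Authorization"] = f"Bearer {self.token}"  # token obtained in authenticate()
        body = json.dumps(payload).encode() if payload is not None else None
        return self.transport(method, self.base_url + API_PREFIX + path, headers, body)

    def authenticate(self) -> str:
        # Exchange the static API key for a short-lived access token.
        # Assumption: the token is returned in the "result" field of a 200 response.
        status, body = self._call("POST", "/get-access-token", {"api_key": self.api_key})
        if status != 200 or not body.get("result"):
            raise RuntimeError(f"get-access-token failed with HTTP {status}")
        self.token = body["result"]
        return self.token

    def analyze_by_hash(self, file_hash: str) -> Optional[str]:
        """POST /analyze-by-hash; returns the result_url to poll, or None when the
        hash is unknown to Intezer (assumption: signalled by HTTP 404)."""
        status, body = self._call("POST", "/analyze-by-hash", {"hash": file_hash})
        if status == 404:
            return None
        if status != 201:
            raise RuntimeError(f"analyze-by-hash failed with HTTP {status}: {body}")
        return body["result_url"]

    def wait_for_result(self, result_url: str, attempts: int = 10, delay: float = 2.0) -> dict:
        """Poll result_url (relative to API_PREFIX) until status is 'succeeded'."""
        for _ in range(attempts):
            status, body = self._call("GET", result_url)
            if status == 200 and body.get("status") == "succeeded":
                return body["result"]
            if body.get("status") == "failed":
                raise RuntimeError(f"analysis failed: {body}")
            time.sleep(delay)  # any other status: analysis still in progress
        raise TimeoutError(f"no result for {result_url} after {attempts} polls")


# --- constructed fake server so the exchange runs offline ----------------------
def make_fake_transport(polls_before_done: int = 2) -> Transport:
    """Returns a transport replaying a constructed Intezer exchange (not real data)."""
    state = {"polls": 0}
    analysis_url = "/analyses/00000000-0000-0000-0000-000000000001"  # constructed id

    def fake(method, url, headers, body):
        path = url.split(API_PREFIX, 1)[1]
        if method == "POST" and path == "/get-access-token":
            return 200, {"result": "constructed.jwt.token"}
        if headers.get("Authorization") != "Bearer constructed.jwt.token":
            return 401, {"error": "missing or invalid access token"}
        if method == "POST" and path == "/analyze-by-hash":
            if json.loads(body)["hash"] == "0" * 64:
                return 404, {"error": "hash not found"}
            return 201, {"status": "succeeded", "result_url": analysis_url, "result": None}
        if method == "GET" and path == analysis_url:
            state["polls"] += 1
            if state["polls"] <= polls_before_done:
                return 202, {"status": "in_progress"}
            return 200, {"status": "succeeded", "result_url": path,
                         "result": {"verdict": "malicious", "sub_verdict": "malicious",
                                    "sha256": "11" * 32, "family_name": "constructed-family"}}
        return 404, {}
    return fake


def run_demo(file_hash: str = "11" * 32) -> Optional[dict]:
    """Full flow against the fake server: authenticate, submit hash, poll for the result."""
    client = IntezerClient("https://analyze.intezer.com", "PLACEHOLDER_API_KEY", make_fake_transport())
    client.authenticate()
    result_url = client.analyze_by_hash(file_hash)
    if result_url is None:
        return None  # nothing to poll; the playbook can fall back to Analyze File
    return client.wait_for_result(result_url, attempts=5, delay=0.0)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

To run against the live service, construct `IntezerClient` without the `transport` argument so the `urllib` transport is used, and keep a non-zero `delay` so the poll loop does not hammer the API; the `None` return from `analyze_by_hash` is the branch a playbook should handle explicitly, since a hash Intezer has never seen cannot be analyzed without uploading the file.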