# OPSWAT MetaDefender
The OPSWAT MetaDefender connector integrates with Swimlane to retrieve information from OPSWAT.

## Prerequisites

The OPSWAT MetaDefender asset requires an API key.

## Capabilities

The OPSWAT MetaDefender connector has the following capabilities:

- Get EXIF Lookup
- Get PE Info Lookup
- Get APK Manifest Lookup
- Download Sanitized File
- Get IP Lookup
- Analyze File
- Retrieving Webhook Status
- Retrieving Scan Reports Using Data Hash
- Fetch Analysis Result

Additional information about the API's endpoints can be found at https://onlinehelp.opswat.com/mdcloud/.

This connector was last tested against product version API v4.

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Analyze File

In this action the scan is done asynchronously. Each scan request is tracked by a data_id, and its result can be retrieved through the Fetch Analysis Result endpoint.

Endpoint URL: `v4/file`

Method: `POST`

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | required | HTTP headers for the request |
| headers.content-type | string | required | Specify the HTTP content type. It can be `multipart/form-data` (when doing a multipart upload) or `application/octet-stream` (when doing a binary upload). When using `multipart/form-data`, the file key in the body section must have a name. |
| headers.filename | string | optional | The file name is mainly for descriptive purposes; it does not affect the analysis. However, it is recommended to provide it so that you can associate the result with the actual file in the UI. |
| headers.archivepwd | string | optional | If the submitted file is a password-protected archive, the value provided will be used to unlock the file. This information is removed once analysis is done. |
| headers.filepassword | string | optional | If the submitted file is a password-protected document file, the value provided will be used to unlock the file. This information is removed once analysis is done. |
| headers.samplesharing | string | optional | Enabled (1) by default. If enabled, you opt in to share the file with the malware research community or the internal malware research team to investigate further, especially when the file is considered either a false positive or potential outbreak malware. Only paid customers can exclude a file from the sample sharing algorithm. If disabled (0), the file will be deleted immediately once the analysis is done. Allowed values are 0 (disable) and 1 (enable). |
| headers.privateprocessing | string | optional | Disabled (0) by default. If enabled (1), the file will be removed immediately after analysis is done, and the analysis results are only available to the owner who submitted the file. If disabled, the analysis results will be viewable to the public, and the samplesharing parameter determines the malware sharing. Allowed values are 0 (disable) and 1 (enable). |
| headers.downloadfrom | string | optional | Link to download the file; allows the user to scan a file by link before actually downloading it. Allowed values: direct downloads only, no redirects. |
| headers.rule | string | optional | Multiscanning is performed by default if no value is set for the rule header. You can combine multiple workflows by listing them separated with a ",". However, multiscanning is not performed by default if you elect to do a sandbox scan (see the sandbox header below); if you want multiscanning in addition to a sandbox scan, you need to enable the multiscan rule. Allowed values are `multiscan` (performs multiscanning), `sanitize` (performs both multiscanning and file sanitization), `cdr` (file sanitization without multiscan) and `unarchive` (performs both unarchiving and multiscanning). |
| headers.sandbox | string | optional | Also request a sandbox scan for the uploaded file. Allowed values are `windows7` and `windows10`. |
| headers.sandbox_timeout | string | optional | Specifies for how long the file should be analyzed in the sandbox: short = 150s, long = 300s. Allowed values are `short` and `long`. |
| headers.sandbox_browser | string | optional | Which browser to use when uploading HTML/JavaScript files or analyzing URLs. Allowed values are `os_default`, `chrome` and `firefox`. |
| headers.callbackurl | string | optional | Specify a valid, publicly accessible URL where the scan results can be sent when finished (asynchronous scanning, similar to webhooks). Allowed values: valid URLs. |
| headers.rescan_count | string | optional | Defines how many times the file should be rescanned. Allowed values: 1-720 (the full schedule should fit into 720 hours). |
| headers.rescan_interval | string | optional | Defines how many hours should pass between two consecutive scans. Allowed values: 1-720 (the full schedule should fit into 720 hours). |
| data.body | string | optional | Response data |

Input example:

```json
{"data.body": "@/path/to/data.file"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data_id | string | Response data |
| status | string | Status value |
| in_queue | number | Output field in_queue |
| queue_priority | string | Output field queue_priority |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Thu, 21 Sep 2023 06:27:30 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "vary": "Accept-Encoding", "x-content-type-options": "nosniff", "etag": "\"440-/zswc/nzucc+1kgadonhhwxyjjy\"", "x-response-time": "115ms", "content-encoding": "gzip", "x-ratelimit-for": "reputation-api", "x-ratelimit-limit": "4000", "x-ratelimit-used": "1",
```

### APK Manifest Lookup

This action looks up the APK manifest analysis of a hash by MD5, SHA1 or SHA256.

Endpoint URL: `v4/hash/{{apk_hash}}/apk_manifest`

Method: `GET`

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.apk_hash | string | required | The MD5, SHA1 or SHA256 hash containing the Android manifest information |

Input example:

```json
{"path_parameters": {"apk_hash": "9d4c04c49eb66aeab21ea688ba3b979616e6cd22b43e8208e5c29142910bae44"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| application | object | Output field application |
| application.useslibraries | array | Output field application.useslibraries |
| application.useslibraries.required | boolean | Output field application.useslibraries.required |
| application.useslibraries.name | string | Name of the resource |
| application.providers | array | Unique identifier |
| application.providers.pathpermissions | array | Unique identifier |
| application.providers.pathpermissions.file_name | string | Unique identifier |
| application.providers.pathpermissions.file | string | Unique identifier |
| application.providers.metadata | array | Response data |
| application.providers.metadata.file_name | string | Response data |
| application.providers.metadata.file | string | Response data |
| application.providers.granturipermissions | array | Unique identifier |
| application.providers.granturipermissions.file_name | string | Unique identifier |
| application.providers.granturipermissions.file | string | Unique identifier |
| application.providers.initorder | number | Unique identifier |
| application.providers.authorities | string | Unique identifier |
| application.providers.exported | boolean | Unique identifier |
| application.providers.name | string | Unique identifier |
| application.receivers | array | Output field application.receivers |
| application.receivers.metadata | array | Response data |
| application.receivers.metadata.file_name | string | Response data |
| application.receivers.metadata.file | string | Response data |
| application.receivers.intentfilters | array | Output field application.receivers.intentfilters |

Output example:

```json
{"application": {"useslibraries": [{}], "providers": [{}], "receivers": [{}], "services": [{}], "launcheractivities": [{}], "activityaliases": [{}], "activities": [{}], "supportsrtl": true, "largeheap": true, "hardwareaccelerated": true, "allowbackup": true, "name": "example name", "icon": "string", "label": "string", "theme": "string"}, "supportsgltextures": [{"file_name": "example name", "file": "string"}], "compatiblescreens": [{"file_name": "example name", "file": "string"}], "supportsscreens": {"xlargescreens": true, "resizeable": tru
```

### Download Sanitized Files

Download sanitized files.

Endpoint URL: `v4/file/converted/{{dataid}}`

Method: `GET`

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.dataid | string | required | The data_id assigned to the file that underwent data sanitization |

Input example:

```json
{"path_parameters": {"dataid": "string"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sanitizedfilepath | string | Output field sanitizedfilepath |

Output example:

```json
{"sanitizedfilepath": "https://s3-us-west-2.amazonaws.com/p-files.metadefender.com/dt%3d190122/rkss9asn"}
```

### EXIF Lookup

This action looks up the EXIF data of a hash by MD5, SHA1 or SHA256.

Endpoint URL: `v4/hash/{{exif_hash}}/exif`

Method: `GET`

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.exif_hash | string | required | The MD5, SHA1 or SHA256 hash that you need EXIF info for |

Input example:

```json
{"path_parameters": {"exif_hash": "6e078fc7d85adfff1de55eebb5a79645d5998add"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| exiftoolversion | number | Output field exiftoolversion |
| filename | string | Name of the resource |
| filesize | string | Output field filesize |
| filetype | string | Type of the resource |
| filetypeextension | string | Type of the resource |
| mimetype | string | Type of the resource |
| jfifversion | number | Output field jfifversion |
| resolutionunit | string | Output field resolutionunit |
| xresolution | number | Output field xresolution |
| yresolution | number | Output field yresolution |
| imagewidth | number | Unique identifier |
| imageheight | number | Output field imageheight |
| encodingprocess | string | Output field encodingprocess |
| bitspersample | number | Output field bitspersample |
| colorcomponents | number | Output field colorcomponents |
| ycbcrsubsampling | string | Output field ycbcrsubsampling |
| imagesize | string | Output field imagesize |
| megapixels | number | Output field megapixels |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Wed, 20 Sep 2023 17:23:12 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "vary": "Accept-Encoding", "x-content-type-options": "nosniff", "etag": "\"439-qgveufpxu5mu/wxegrghzqbko4w\"", "x-response-time": "4ms", "content-encoding": "gzip", "x-authenticated": "by apikey", "x-account-type": "registered", "cache-control": "no-cache,
```

### Fetch Analysis Result

This action retrieves scan results. The scan is done asynchronously, and each scan request is tracked by a data_id.

Endpoint URL: `v4/file/{{dataid}}`

Method: `GET`

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | required | HTTP headers for the request |
| headers.x-file-metadata | number | required | Retrieves file metadata and hash results |
| path_parameters.dataid | string | required | The data_id that the file you uploaded was assigned |

Input example:

```json
{"path_parameters": {"dataid": "zte2mtiynkhkegs5welsnhhimvfglvluyk85lq"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| scan_result_history_length | number | Result of the operation |
| sandbox | boolean | Output field sandbox |
| malware_family | string | Output field malware_family |
| malware_type | array | Type of the resource |
| threat_name | string | Name of the resource |
| file_id | string | Unique identifier |
| data_id | string | Response data |
| scan_results | object | Result of the operation |
| scan_results.scan_details | object | Result of the operation |
| scan_results.scan_details.lavasoft | object | Result of the operation |
| scan_results.scan_details.lavasoft.scan_time | number | Result of the operation |
| scan_results.scan_details.lavasoft.def_time | string | Result of the operation |
| scan_results.scan_details.lavasoft.scan_result_i | number | Result of the operation |
| scan_results.scan_details.lavasoft.threat_found | string | Result of the operation |
| scan_results.scan_details.stopzilla | object | Result of the operation |
| scan_results.scan_details.stopzilla.scan_time | number | Result of the operation |
| scan_results.scan_details.stopzilla.def_time | string | Result of the operation |
| scan_results.scan_details.stopzilla.scan_result_i | number | Result of the operation |
| scan_results.scan_details.stopzilla.threat_found | string | Result of the operation |
| scan_results.scan_all_result_i | number | Result of the operation |
| scan_results.start_time | string | Result of the operation |
| scan_results.total_time | number | Result of the operation |
| scan_results.total_avs | number | Result of the operation |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Thu, 21 Sep 2023 15:36:58 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "vary": "Accept-Encoding", "x-content-type-options": "nosniff", "etag": "\"1577-/rwl3jwfe150yyeotmpyue4gtdu\"", "x-response-time": "14ms", "content-encoding": "gzip", "x-authenticated": "by apikey", "x-account-type": "registered", "cache-control": "no-cache
```

### IP Lookup

This action retrieves information about a given IP address (IPv4 and IPv6) from a CIF server.

Endpoint URL: `v4/ip/{{observable_ip}}`

Method: `GET`

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.observable_ip | string | required | IP address that you want to scan |

Input example:

```json
{"path_parameters": {"observable_ip": "109.229.210.250"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| address | string | Output field address |
| lookup_results | object | Result of the operation |
| lookup_results.start_time | string | Result of the operation |
| lookup_results.detected_by | number | Result of the operation |
| lookup_results.sources | array | Result of the operation |
| lookup_results.sources.provider | string | Unique identifier |
| lookup_results.sources.assessment | string | Result of the operation |
| lookup_results.sources.detect_time | string | Result of the operation |
| lookup_results.sources.update_time | string | Result of the operation |
| lookup_results.sources.status | number | Status value |
| geo_info | object | Output field geo_info |
| geo_info.country | object | Output field geo_info.country |
| geo_info.country.name | string | Name of the resource |
| geo_info.city | object | Output field geo_info.city |
| geo_info.city.name | string | Name of the resource |
| geo_info.location | object | Output field geo_info.location |
| geo_info.location.latitude | number | Output field geo_info.location.latitude |
| geo_info.location.longitude | number | Output field geo_info.location.longitude |
| geo_info.subdivisions | array | Output field geo_info.subdivisions |
| geo_info.subdivisions.name | string | Name of the resource |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Thu, 21 Sep 2023 06:27:30 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "vary": "Accept-Encoding", "x-content-type-options": "nosniff", "etag": "\"440-/zswc/nzucc+1kgadonhhwxyjjy\"", "x-response-time": "115ms", "content-encoding": "gzip", "x-ratelimit-for": "reputation-api", "x-ratelimit-limit": "4000", "x-ratelimit-used": "1",
```

### PE Info Lookup

This action looks up the PE (Portable Executable file format) info of a hash by MD5, SHA1 or SHA256.

Endpoint URL: `v4/hash/{{peinfo_hash}}/peinfo`

Method: `GET`

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.peinfo_hash | string | required | The MD5, SHA1 or SHA256 hash that you need PE info for |

Input example:

```json
{"path_parameters": {"peinfo_hash": "8952089536c5489c5b38ee426450adfc"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| signature | object | Output field signature |
| signature.invalid | boolean | Unique identifier |
| signature.countersigner | object | Output field signature.countersigner |
| signature.countersigner.signing_time | string | Time value |
| signature.countersigner.serial | string | Output field signature.countersigner.serial |
| signature.countersigner.issuer | string | Output field signature.countersigner.issuer |
| signature.signer | object | Output field signature.signer |
| signature.signer.more_info | string | Output field signature.signer.more_info |
| signature.signer.program_name | string | Name of the resource |
| signature.signer.serial | string | Output field signature.signer.serial |
| signature.signer.issuer | string | Output field signature.signer.issuer |
| signature.certificates | array | Output field signature.certificates |
| signature.certificates.valid_to | string | Unique identifier |
| signature.certificates.valid_from | string | Unique identifier |
| signature.certificates.serial | string | Output field signature.certificates.serial |
| signature.certificates.issuer | string | Output field signature.certificates.issuer |
| signature.certificates.subject | string | Output field signature.certificates.subject |
| signature.authenticode_sections | object | Output field signature.authenticode_sections |
| signature.authenticode_sections.certtable | array | Output field signature.authenticode_sections.certtable |
| signature.authenticode_sections.datadir_certtable | array | Response data |
| signature.authenticode_sections.checksum | array | Output field signature.authenticode_sections.checksum |
| resource_info | array | Output field resource_info |
| resource_info.resource_ids | array | Unique identifier |

Output example:

```json
{"signature": {"invalid": true, "countersigner": {"signing_time": "string", "serial": "string", "issuer": "string"}, "signer": {"more_info": "string", "program_name": "example name", "serial": "string", "issuer": "string"}, "certificates": [{}], "authenticode_sections": {"certtable": [], "datadir_certtable": [], "checksum": []}}, "resource_info": [{"resource_ids": [], "name": "example name"}], "exported_functions": ["string"], "imported_dlls": [{"functions": [], "name": "example name"}], "section_headers": [{"characteristics": [], "point
```

### Retrieving Scan Reports Using Data Hash

This action retrieves scan reports by looking up a hash using MD5, SHA1 or SHA256.

Endpoint URL: `v4/hash/{{hash}}`

Method: `GET`

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.hash | string | required | Retrieve scan reports by looking up a hash using MD5, SHA1 or SHA256 |

Input example:

```json
{"path_parameters": {"hash": "a5c19d9ffe8804586e8f4c0dfcc66de"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| scan_result_history_length | number | Result of the operation |
| file_id | string | Unique identifier |
| data_id | string | Response data |
| sanitized | object | Output field sanitized |
| sanitized.reason | string | Response reason phrase |
| sanitized.result | string | Result of the operation |
| process_info | object | Output field process_info |
| process_info.result | string | Result of the operation |
| process_info.profile | string | Output field process_info.profile |
| process_info.post_processing | object | Output field process_info.post_processing |
| process_info.post_processing.copy_move_destination | string | Output field process_info.post_processing.copy_move_destination |
| process_info.post_processing.converted_to | string | Output field process_info.post_processing.converted_to |
| process_info.post_processing.converted_destination | string | Output field process_info.post_processing.converted_destination |
| process_info.post_processing.actions_ran | string | Output field process_info.post_processing.actions_ran |
| process_info.post_processing.actions_failed | string | Output field process_info.post_processing.actions_failed |
| process_info.file_type_skipped_scan | boolean | Type of the resource |
| process_info.blocked_reason | string | Response reason phrase |
| scan_results | object | Result of the operation |
| scan_results.scan_details | object | Result of the operation |
| scan_results.scan_details.zillya! | object | Result of the operation |
| scan_results.scan_details.zillya!.threat_found | string | Result of the operation |
| scan_results.scan_details.zillya!.scan_time | number | Result of the operation |
| scan_results.scan_details.zillya!.scan_result_i | number | Result of the operation |

Output example:

```json
{"scan_result_history_length": 123, "file_id": "string", "data_id": "string", "sanitized": {"result": "string"}, "process_info": {"result": "string", "profile": "string", "post_processing": {"copy_move_destination": "string", "converted_to": "string", "converted_destination": "string", "actions_ran": "string", "actions_failed": "string"}, "file_type_skipped_scan": true, "blocked_reason": "string"}, "scan_results": {"scan_details": {"zillya!": {}, "xvirus personal guard": {}, "virusblokada": {}, "trendmicro house call": {}, "trendmicr
```

### Retrieving Webhook Status

Using this endpoint, after uploading a file with the `callbackurl` header, the status of the webhook callback can be checked.

Endpoint URL: `v4/file/webhooks/{{dataid}}`

Method: `GET`

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.dataid | string | required | The data_id received on upload (optional). If omitted, returns all the latest webhook calls in the last 12 hours. |

Input example:

```json
{"path_parameters": {"dataid": "zte2mtiynkhkegs5welsnhhimvfglvluyk85lq"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Thu, 21 Sep 2023 15:15:14 GMT", "content-type": "application/json; charset=utf-8", "content-length": "61", "connection": "keep-alive", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "vary": "Accept-Encoding", "x-response-time": "2ms", "x-authenticated": "by apikey", "x-account-type": "registered", "cache-control": "no-cache, no-store, must-revalidate", "pragma": "no-cache", "x-content-type-options": "nosniff"}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| cache-control | Directives for caching mechanisms | no-cache, no-store, must-revalidate |
| connection | HTTP response header connection | keep-alive |
| content-encoding | HTTP response header content-encoding | gzip |
| content-length | The length of the response body in bytes | 68 |
| content-type | The media type of the resource | application/json; charset=utf-8 |
| date | The date and time at which the message was originated | Thu, 21 Sep 2023 15:15:14 GMT |
| etag | An identifier for a specific version of a resource | "439-qgveufpxu5mu/wxegrghzqbko4w" |
| pragma | HTTP response header pragma | no-cache |
| strict-transport-security | HTTP response header strict-transport-security | max-age=63072000; includeSubDomains; preload |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| vary | HTTP response header vary | Accept-Encoding |
| x-account-type | HTTP response header x-account-type | registered |
| x-authenticated | HTTP response header x-authenticated | by apikey |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
| x-ratelimit-for | HTTP response header x-ratelimit-for | reputation-api |
| x-ratelimit-interval | HTTP response header x-ratelimit-interval | 86400 |
| x-ratelimit-limit | The number of requests allowed in the current rate limit window | 4000 |
| x-ratelimit-remaining | The number of requests remaining in the current rate limit window | 3999 |
| x-ratelimit-reset-in | HTTP response header x-ratelimit-reset-in | 86400s |
| x-ratelimit-used | HTTP response header x-ratelimit-used | 1 |
| x-redis-partial-cache | HTTP response header x-redis-partial-cache | true |
| x-response-time | HTTP response header x-response-time | 2ms |
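As an added example (not Swimlane's connector code and not an OPSWAT SDK), the following Python sketch exercises the Analyze File, Fetch Analysis Result and Retrieving Scan Reports Using Data Hash endpoints described above and parses the x-ratelimit-* headers from the Response Headers table. Two details are assumptions not stated on this page: that the API key is sent as an `apikey` request header, and the signature of the transport callable that performs the HTTP request, which is what lets a constructed fake transport stand in for the network so the flow runs offline.

```python
"""Client helper for the MetaDefender Cloud v4 endpoints documented above.
Added example, not Swimlane's or OPSWAT's code. Assumed, not stated on the
page: the key travels in an `apikey` request header, and HTTP I/O is done by
a caller-supplied transport(method, url, headers, body) returning
(status_code, response_headers, json_body); a constructed fake is used below."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

HASH_PATTERN = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


def is_supported_hash(value: str) -> bool:
    """The hash endpoints take MD5, SHA1 or SHA256 hex only; check before building a path."""
    return bool(HASH_PATTERN.match(value or ""))


@dataclass
class RateLimit:
    """Quota state parsed from the x-ratelimit-* response headers listed above."""
    limit: Optional[int] = None
    remaining: Optional[int] = None
    used: Optional[int] = None
    reset_in: Optional[str] = None

    @classmethod
    def from_headers(cls, headers: dict) -> "RateLimit":
        h = {k.lower(): str(v) for k, v in headers.items()}  # header names are case-insensitive
        num = lambda n: int(h[n]) if h.get(n, "").isdigit() else None
        return cls(num("x-ratelimit-limit"), num("x-ratelimit-remaining"),
                   num("x-ratelimit-used"), h.get("x-ratelimit-reset-in"))

    def nearly_exhausted(self, reserve: int = 50) -> bool:
        """True when at most `reserve` requests remain in the current window."""
        return self.remaining is not None and self.remaining <= reserve


class MetaDefenderClient:
    def __init__(self, base_url: str, api_key: str, transport: Callable):
        self.base_url, self.api_key, self.transport = base_url.rstrip("/"), api_key, transport
        self.rate_limit = RateLimit()

    def _call(self, method: str, path: str, headers: Optional[dict] = None, body=None) -> dict:
        hdrs = {"apikey": self.api_key, **(headers or {})}  # header name is an assumption
        status, rheaders, data = self.transport(method, f"{self.base_url}/{path}", hdrs, body)
        self.rate_limit = RateLimit.from_headers(rheaders)  # refresh quota on every call
        if status != 200:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return data

    def analyze_file(self, content: bytes, filename: str, rule: str = "multiscan",
                     archive_pwd: Optional[str] = None) -> str:
        """POST v4/file as a binary upload; returns the data_id to poll with."""
        headers = {"content-type": "application/octet-stream", "filename": filename, "rule": rule}
        if archive_pwd:
            headers["archivepwd"] = archive_pwd
        return self._call("POST", "v4/file", headers, content)["data_id"]

    def fetch_analysis_result(self, data_id: str) -> dict:
        """GET v4/file/{data_id}; x-file-metadata asks for metadata and hashes too."""
        return self._call("GET", f"v4/file/{data_id}", {"x-file-metadata": "1"})

    def hash_report(self, digest: str) -> dict:
        """GET v4/hash/{hash}, refusing anything that is not MD5/SHA1/SHA256 hex."""
        if not is_supported_hash(digest):
            raise ValueError("hash must be an MD5, SHA1 or SHA256 hex digest")
        return self._call("GET", f"v4/hash/{digest.lower()}")


def summarize(report: dict) -> dict:
    """Reduce a fetch or hash report to the fields an analyst triages on."""
    scan = report.get("scan_results", {})
    details = scan.get("scan_details", {})
    hits = sorted(engine for engine, r in details.items() if r.get("threat_found"))
    return {"data_id": report.get("data_id"), "engines": scan.get("total_avs", len(details)),
            "detections": hits, "threat_name": report.get("threat_name")}


# Constructed fake transport whose responses mirror the output shapes documented above.
FAKE_HEADERS = {"X-RateLimit-Limit": "4000", "X-RateLimit-Remaining": "3999",
                "X-RateLimit-Used": "1", "X-RateLimit-Reset-In": "86400s"}
FAKE_REPORT = {"data_id": "CONSTRUCTED-DATA-ID", "threat_name": "Constructed.Test",
               "scan_results": {"scan_all_result_i": 1, "total_avs": 3, "scan_details": {
                   "lavasoft": {"scan_result_i": 1, "threat_found": "Constructed.Test"},
                   "stopzilla": {"scan_result_i": 0, "threat_found": ""},
                   "zillya!": {"scan_result_i": 1, "threat_found": "Constructed.Test.B"}}}}


def fake_transport(method, url, headers, body):
    if not headers.get("apikey"):
        return 401, {}, {}  # the service would reject an unauthenticated call
    if method == "POST" and url.endswith("/v4/file"):
        return 200, FAKE_HEADERS, {"data_id": FAKE_REPORT["data_id"], "status": "inqueue"}
    return 200, FAKE_HEADERS, FAKE_REPORT


def demo() -> dict:
    """Upload, fetch the result by data_id, summarise: the asynchronous flow described above."""
    client = MetaDefenderClient("https://md.example.invalid", "KEY-PLACEHOLDER", fake_transport)
    data_id = client.analyze_file(b"constructed sample bytes", "sample.bin")
    summary = summarize(client.fetch_analysis_result(data_id))
    summary["quota_ok"] = not client.rate_limit.nearly_exhausted()
    return summary
```

Two checks are worth keeping in any real integration: validating the digest before it is interpolated into the `v4/hash/...` path (the 31-character value in the Retrieving Scan Reports input example above would be rejected by `is_supported_hash`), and reading `x-ratelimit-remaining` on every response so a bulk enrichment job can back off before the 4000-request window is used up rather than discovering it from failed calls.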