# OPSWAT MetaDefender
The OPSWAT MetaDefender connector integrates with Swimlane to retrieve information from OPSWAT.

## Prerequisites

The OPSWAT MetaDefender asset requires an API key.

## Capabilities

The OPSWAT MetaDefender connector has the following capabilities:

- Get EXIF Lookup
- Get PE Info Lookup
- Get APK Manifest Lookup
- Download Sanitized File
- Get IP Lookup
- Analyze File
- Retrieving Webhook Status
- Retrieving Scan Reports Using Data Hash
- Fetch Analysis Result

Additional information about the API's endpoints can be found at https://onlinehelp.opswat.com/mdcloud/.

This connector was last tested against product version API v4.

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Analyze File

In this action the scan is done asynchronously; each scan request is tracked by a data_id, and the result can be retrieved with the Fetch Analysis Result action (the API's fetch scan result endpoint).

Endpoint URL: `v4/file`

Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | required | HTTP headers for the request |
| Content-Type | string | required | Specify the HTTP content type; it can be multipart/form-data (when doing a multipart upload) or application/octet-stream (when doing a binary upload). When using multipart/form-data, the file key in the body section must have a name. |
| filename | string | optional | File name, mainly for descriptive purposes. The file name does not affect the analysis; however, it is recommended to provide it so that you can associate the result with the actual file from the UI. |
| archivepwd | string | optional | If the submitted file is a password-protected archive, the value provided will be used to unlock the file. This information is removed once analysis is done. |
| filepassword | string | optional | If the submitted file is a password-protected document file, the value provided will be used to unlock the file. This information is removed once analysis is done. |
| samplesharing | string | optional | By default it is enabled (1). If enabled, opt in to share the file with the malware research community or internal malware research team to investigate further, especially when the file is considered either a false positive or potential outbreak malware. Only paid customers can exclude this file from our sample sharing algorithm. If disabled (0), the file will be deleted immediately once the analysis is done. Allowed values are 0 (disable), 1 (enable). |
| privateprocessing | string | optional | By default it is disabled (0). If enabled (1), the file will be immediately removed after analysis is done, and analysis results are only available to the owner who submits the file for analysis. If disabled, the analysis results will be viewable to the public, and the samplesharing parameter will determine the malware sharing. Allowed values are 0 (disable), 1 (enable). |
| downloadfrom | string | optional | Link to download the file; allows the user to scan a file by link before actually downloading it. Allowed values: only direct downloads, no redirects. |
| rule | string | optional | Multiscanning will be performed by default if no value is set for the rule header. You can combine multiple workflows by listing them and separating them with a ",". However, multiscanning will not be performed by default if you elect to do a sandbox scan (see the sandbox header below); if you want to perform multiscanning in addition to a sandbox scan, you will need to enable the multiscan rule. Allowed values are multiscan (performs multiscanning), sanitize (performs both multiscanning and file sanitization), cdr (file sanitization without multiscan), unarchive (performs both unarchiving and multiscanning). |
| sandbox | string | optional | Also request a sandbox scan for the uploaded file. Allowed values are windows7, windows10. |
| sandbox_timeout | string | optional | Specifies for how long the file should be analyzed on the sandbox: short=150s, long=300s. Allowed values are short, long. |
| sandbox_browser | string | optional | What browser to use when uploading HTML/JavaScript files or analyzing URLs. Allowed values are os_default, chrome, firefox. |
| callbackurl | string | optional | Specify a valid, publicly accessible URL where we can send the scan results when finished (asynchronous scanning, similar to webhooks). Allowed values: valid URLs. |
| rescan_count | string | optional | Defines how many times the file should be rescanned. Allowed values: 1-720 (the full schedule should fit into 720 hours). |
| rescan_interval | string | optional | Defines how many hours should pass between two consecutive scans. Allowed values: 1-720 (the full schedule should fit into 720 hours). |
| data_body | string | optional | Response data |

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data_id | string | Response data |
| status | string | Status value |
| in_queue | number | Output field in_queue |
| queue_priority | string | Output field queue_priority |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Thu, 21 Sep 2023 06:27:30 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
      "vary": "Accept-Encoding",
      "x-content-type-options": "nosniff",
      "etag": "\"440-/zswc/nzucc+1kgadonhhwxyjjy\"",
      "x-response-time": "115ms",
      "content-encoding": "gzip",
      "x-ratelimit-for": "reputation-api",
      "x-ratelimit-limit": "4000",
      "x-ratelimit-used": "1",
      "x-ratelimit-remaining": "3999",
      "x-ratelimit-reset-in": "85730s"
    },
    "reason": "OK",
    "json_body": {
      "data_id": "zze2mteymlmxmkq1u0dmr3hyetz3nvnhr01s",
      "status": "inqueue",
      "in_queue": 2,
      "queue_priority": "normal"
    }
  }
]
```

### APK Manifest Lookup

This action looks up the APK manifest analysis of a hash by MD5, SHA1 or SHA256.

Endpoint URL: `v4/hash/{{apk_hash}}/apk_manifest`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| apk_hash | string | required | The MD5, SHA1 or SHA256 hash containing the Android manifest information |

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| application | object | Output field application |
| useslibraries | array | Output field useslibraries |
| required | boolean | Output field required |
| name | string | Name of the resource |
| providers | array | Unique identifier |
| pathpermissions | array | Output field pathpermissions |
| file_name | string | Name of the resource |
| file | string | Output field file |
| metadata | array | Response data |
| file_name | string | Name of the resource |
| file | string | Output field file |
| granturipermissions | array | Output field granturipermissions |
| file_name | string | Name of the resource |
| file | string | Output field file |
| initorder | number | Output field initorder |
| authorities | string | Output field authorities |
| exported | boolean | Output field exported |
| name | string | Name of the resource |
| receivers | array | Output field receivers |
| metadata | array | Response data |
| file_name | string | Name of the resource |
| file | string | Output field file |
| intentfilters | array | Output field intentfilters |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "application": {},
      "supportsgltextures": [],
      "compatiblescreens": [],
      "supportsscreens": {},
      "usesfeatures": [],
      "usesconfiguration": {},
      "usessdk": {},
      "instrumentation": {},
      "permissiongroups": [],
      "permissiontrees": [],
      "permissions": [],
      "usespermissions": [],
      "platformbuildversionname": 123,
      "platformbuildversioncode": 123,
      "package": "string"
    }
  }
]
```

### Download Sanitized Files

Download sanitized files.

Endpoint URL: `v4/file/converted/{{dataid}}`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| dataid | string | required | The data_id assigned to the file that underwent data sanitization |

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sanitizedfilepath | string | Output field sanitizedfilepath |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "sanitizedfilepath": "string"
    }
  }
]
```

### EXIF Lookup

This action looks up the EXIF data of a hash by MD5, SHA1 or SHA256.

Endpoint URL: `v4/hash/{{exif_hash}}/exif`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| exif_hash | string | required | The MD5, SHA1 or SHA256 hash that you need EXIF info for |

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ExifToolVersion | number | Output field ExifToolVersion |
| FileName | string | Name of the resource |
| FileSize | string | Output field FileSize |
| FileType | string | Type of the resource |
| FileTypeExtension | string | Type of the resource |
| MIMEType | string | Type of the resource |
| JFIFVersion | number | Output field JFIFVersion |
| ResolutionUnit | string | Output field ResolutionUnit |
| XResolution | number | Output field XResolution |
| YResolution | number | Output field YResolution |
| ImageWidth | number | Unique identifier |
| ImageHeight | number | Output field ImageHeight |
| EncodingProcess | string | Output field EncodingProcess |
| BitsPerSample | number | Output field BitsPerSample |
| ColorComponents | number | Output field ColorComponents |
| YCbCrSubSampling | string | Output field YCbCrSubSampling |
| ImageSize | string | Output field ImageSize |
| Megapixels | number | Output field Megapixels |

Example (the string values in this sample were taken from a file whose metadata fields contained HTML; EXIF values come from the scanned file and must be treated as untrusted input when rendered):

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Wed, 20 Sep 2023 17:23:12 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
      "vary": "Accept-Encoding",
      "x-content-type-options": "nosniff",
      "etag": "\"439-qgveufpxu5mu/wxegrghzqbko4w\"",
      "x-response-time": "4ms",
      "content-encoding": "gzip",
      "x-authenticated": "by apikey",
      "x-account-type": "registered",
      "cache-control": "no-cache, no-store, must-revalidate",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "ExifToolVersion": 10.53,
      "FileName": "<div><b>internal pentest</b>images.jpeg",
      "FileSize": "<div><b>internal pentest</b>13 kB",
      "FileType": "<u>internal pentest</u>JPEG",
      "FileTypeExtension": "<html><img> >< img src=x onerror=confirm(1)//<span><b>internal pentest</b><p><c ",
      "MIMEType": "<div><b>internal pentest</b>image/jpeg",
      "JFIFVersion": 1.01,
      "ResolutionUnit": "<div><b>internal pentest</b> None",
      "XResolution": 1,
      "YResolution": 1,
      "ImageWidth": 275,
      "ImageHeight": 183,
      "EncodingProcess": "<div><b>internal pentest</b> Baseline DCT, Huffman coding",
      "BitsPerSample": 8,
      "ColorComponents": 3
    }
  }
]
```

### Fetch Analysis Result

This action retrieves scan results. The scan is done asynchronously and each scan request is tracked by a data_id.

Endpoint URL: `v4/file/{{dataid}}`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | required | HTTP headers for the request |
| x-file-metadata | number | required | Retrieves file metadata and hash results |
| dataid | string | required | The data_id that the file you uploaded was assigned |

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| scan_result_history_length | number | Result of the operation |
| sandbox | boolean | Output field sandbox |
| malware_family | string | Output field malware_family |
| malware_type | array | Type of the resource |
| threat_name | string | Name of the resource |
| file_id | string | Unique identifier |
| data_id | string | Response data |
| scan_results | object | Result of the operation |
| scan_details | object | Output field scan_details |
| Lavasoft | object | Output field Lavasoft |
| scan_time | number | Time value |
| def_time | string | Time value |
| scan_result_i | number | Result of the operation |
| threat_found | string | Output field threat_found |
| STOPzilla | object | Output field STOPzilla |
| scan_time | number | Time value |
| def_time | string | Time value |
| scan_result_i | number | Result of the operation |
| threat_found | string | Output field threat_found |
| scan_all_result_i | number | Result of the operation |
| start_time | string | Time value |
| total_time | number | Time value |
| total_avs | number | Output field total_avs |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Thu, 21 Sep 2023 15:36:58 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
      "vary": "Accept-Encoding",
      "x-content-type-options": "nosniff",
      "etag": "\"1577-/rwl3jwfe150yyeotmpyue4gtdu\"",
      "x-response-time": "14ms",
      "content-encoding": "gzip",
      "x-authenticated": "by apikey",
      "x-account-type": "registered",
      "cache-control": "no-cache, no-store, must-revalidate",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "scan_result_history_length": 200,
      "sandbox": true,
      "malware_family": "hacktool",
      "malware_type": [],
      "threat_name": "tool/hacktool!hczr3alj",
      "file_id": "zte2mtiynkhkegs5welsnhg",
      "data_id": "zte2mtiynkhkegs5welsnhhimvfglvluyk85lq",
      "scan_results": {},
      "file_info": {},
      "share_file": 1,
      "rest_version": "3",
      "newer": "bziymdqwn180b1vyaxfantlktm5ss2s4awo1",
      "additional_info": [],
      "votes": {},
      "stored": true
    }
  }
]
```

### IP Lookup

This action retrieves information about a given IP (IPv4 + IPv6) from a CIF server.

Endpoint URL: `v4/ip/{{observable_ip}}`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| observable_ip | string | required | IP address that you want to scan |

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| address | string | Output field address |
| lookup_results | object | Result of the operation |
| start_time | string | Time value |
| detected_by | number | Output field detected_by |
| sources | array | Output field sources |
| provider | string | Unique identifier |
| assessment | string | Output field assessment |
| detect_time | string | Time value |
| update_time | string | Time value |
| status | number | Status value |
| geo_info | object | Output field geo_info |
| country | object | Output field country |
| name | string | Name of the resource |
| city | object | Output field city |
| name | string | Name of the resource |
| location | object | Output field location |
| latitude | number | Output field latitude |
| longitude | number | Output field longitude |
| subdivisions | array | Output field subdivisions |
| name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Thu, 21 Sep 2023 06:27:30 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
      "vary": "Accept-Encoding",
      "x-content-type-options": "nosniff",
      "etag": "\"440-/zswc/nzucc+1kgadonhhwxyjjy\"",
      "x-response-time": "115ms",
      "content-encoding": "gzip",
      "x-ratelimit-for": "reputation-api",
      "x-ratelimit-limit": "4000",
      "x-ratelimit-used": "1",
      "x-ratelimit-remaining": "3999",
      "x-ratelimit-reset-in": "85730s"
    },
    "reason": "OK",
    "json_body": {
      "address": "109.229.210.250",
      "lookup_results": {},
      "geo_info": {}
    }
  }
]
```

### PE Info Lookup

This action looks up the PE (Portable Executable file format) info of a hash by MD5, SHA1 or SHA256.

Endpoint URL: `v4/hash/{{peinfo_hash}}/peinfo`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| peinfo_hash | string | required | The MD5, SHA1 or SHA256 hash that you need PE info for |

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| signature | object | Output field signature |
| invalid | boolean | Unique identifier |
| countersigner | object | Output field countersigner |
| signing_time | string | Time value |
| serial | string | Output field serial |
| issuer | string | Output field issuer |
| signer | object | Output field signer |
| more_info | string | Output field more_info |
| program_name | string | Name of the resource |
| serial | string | Output field serial |
| issuer | string | Output field issuer |
| certificates | array | Output field certificates |
| valid_to | string | Unique identifier |
| valid_from | string | Unique identifier |
| serial | string | Output field serial |
| issuer | string | Output field issuer |
| subject | string | Output field subject |
| authenticode_sections | object | Output field authenticode_sections |
| certtable | array | Output field certtable |
| datadir_certtable | array | Response data |
| checksum | array | Output field checksum |
| resource_info | array | Output field resource_info |
| resource_ids | array | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "signature": {},
      "resource_info": [],
      "exported_functions": [],
      "imported_dlls": [],
      "section_headers": [],
      "optional_headers": {},
      "headers": {},
      "vs_version_info": {},
      "pehash": "string",
      "imphash": "string"
    }
  }
]
```

### Retrieving Scan Reports Using Data Hash

This action retrieves scan reports by looking up a hash using MD5, SHA1 or SHA256.

Endpoint URL: `v4/hash/{{hash}}`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| hash | string | required | Retrieve scan reports by looking up a hash using MD5, SHA1 or SHA256 |

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| scan_result_history_length | number | Result of the operation |
| file_id | string | Unique identifier |
| data_id | string | Response data |
| sanitized | object | Output field sanitized |
| reason | string | Response reason phrase |
| result | string | Result of the operation |
| process_info | object | Output field process_info |
| result | string | Result of the operation |
| profile | string | Output field profile |
| post_processing | object | Output field post_processing |
| copy_move_destination | string | Output field copy_move_destination |
| converted_to | string | Output field converted_to |
| converted_destination | string | Output field converted_destination |
| actions_ran | string | Output field actions_ran |
| actions_failed | string | Output field actions_failed |
| file_type_skipped_scan | boolean | Type of the resource |
| blocked_reason | string | Response reason phrase |
| scan_results | object | Result of the operation |
| scan_details | object | Output field scan_details |
| Zillya! | object | Output field Zillya! |
| threat_found | string | Output field threat_found |
| scan_time | number | Time value |
| scan_result_i | number | Result of the operation |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "scan_result_history_length": 123,
      "file_id": "string",
      "data_id": "string",
      "sanitized": {},
      "process_info": {},
      "scan_results": {},
      "file_info": {},
      "share_file": 123,
      "rest_version": "string",
      "additional_info": [],
      "votes": {}
    }
  }
]
```

### Retrieving Webhook Status

Using this endpoint, after uploading a file with the `callbackurl` header, the status of the webhook callback can be checked.

Endpoint URL: `v4/file/webhooks/{{dataid}}`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| dataid | string | required | The data_id received on upload (optional in the API: if omitted, returns all the latest webhook calls in the last 12 hours) |

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Thu, 21 Sep 2023 15:15:14 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "61",
      "connection": "keep-alive",
      "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
      "vary": "Accept-Encoding",
      "x-response-time": "2ms",
      "x-authenticated": "by apikey",
      "x-account-type": "registered",
      "cache-control": "no-cache, no-store, must-revalidate",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff"
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| cache-control | Directives for caching mechanisms | no-cache, no-store, must-revalidate |
| connection | HTTP response header connection | keep-alive |
| content-encoding | HTTP response header content-encoding | gzip |
| content-length | The length of the response body in bytes | 61 |
| content-type | The media type of the resource | application/json; charset=utf-8 |
| date | The date and time at which the message was originated | Wed, 20 Sep 2023 17:36:40 GMT |
| etag | An identifier for a specific version of a resource | "439-qgveufpxu5mu/wxegrghzqbko4w" |
| pragma | HTTP response header pragma | no-cache |
| strict-transport-security | HTTP response header strict-transport-security | max-age=63072000; includeSubDomains; preload |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| vary | HTTP response header vary | Accept-Encoding |
| x-account-type | HTTP response header x-account-type | registered |
| x-authenticated | HTTP response header x-authenticated | by apikey |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
| x-ratelimit-for | HTTP response header x-ratelimit-for | reputation-api |
| x-ratelimit-interval | HTTP response header x-ratelimit-interval | 86400 |
| x-ratelimit-limit | The number of requests allowed in the current rate limit window | 4000 |
| x-ratelimit-remaining | The number of requests remaining in the current rate limit window | 3999 |
| x-ratelimit-reset-in | HTTP response header x-ratelimit-reset-in | 86400s |
| x-ratelimit-used | HTTP response header x-ratelimit-used | 1 |
| x-redis-partial-cache | HTTP response header x-redis-partial-cache | true |
| x-response-time | HTTP response header x-response-time | 2ms |
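The Analyze File and Fetch Analysis Result actions above describe an asynchronous flow: a POST to `v4/file` returns a `data_id` and an `inqueue` status, and the caller then polls `GET v4/file/{data_id}` until the scan is complete, watching the `x-ratelimit-*` response headers along the way. The following is an added example of that flow; it is not code from the Swimlane connector or from OPSWAT. It assumes two things the page does not state: the API key is sent in an `apikey` request header, and a result counts as complete once `scan_results.scan_all_result_i` is present and `scan_results.progress_percentage` (a real API field not listed on this page) is 100. `FakeMetaDefender` is a constructed stand-in for the service so the code runs offline; the URL and key are placeholders.

```python
"""Submit a file to MetaDefender and poll for its analysis result (added example)."""
import json
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], dict]  # (status code, lower-cased headers, JSON body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Response:
    """Real HTTP transport; only used when no fake transport is injected."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=60) as resp:
        raw = resp.read()
        return resp.status, {k.lower(): v for k, v in resp.headers.items()}, (json.loads(raw) if raw else {})


def parse_rate_limit(headers: Dict[str, str]) -> Dict[str, Optional[int]]:
    """Read the x-ratelimit-* headers shown in the page's examples ("85730s" -> 85730)."""
    def num(name: str) -> Optional[int]:
        value = headers.get(name)
        return int(value.rstrip("s")) if value is not None else None
    return {"limit": num("x-ratelimit-limit"), "used": num("x-ratelimit-used"),
            "remaining": num("x-ratelimit-remaining"), "reset_in": num("x-ratelimit-reset-in")}


class MetaDefenderClient:
    def __init__(self, base_url: str, apikey: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.apikey = apikey
        self.transport = transport
        self.last_rate_limit: Dict[str, Optional[int]] = {}

    def _call(self, method: str, path: str, headers: Dict[str, str], body: Optional[bytes] = None) -> dict:
        request_headers = {"apikey": self.apikey, **headers}  # assumption: key travels in an apikey header
        status, resp_headers, payload = self.transport(method, f"{self.base_url}/{path}", request_headers, body)
        self.last_rate_limit = parse_rate_limit(resp_headers)
        if status != 200:
            raise RuntimeError(f"{method} {path} returned HTTP {status}")
        return payload

    def analyze_file(self, data: bytes, filename: str, rule: str = "multiscan",
                     sample_sharing: bool = False, private_processing: bool = True) -> str:
        """POST v4/file as a binary upload and return the data_id that tracks the scan.
        The defaults keep the sample private: samplesharing=0 and privateprocessing=1."""
        headers = {
            "Content-Type": "application/octet-stream",
            "filename": filename,
            "rule": rule,
            "samplesharing": "1" if sample_sharing else "0",
            "privateprocessing": "1" if private_processing else "0",
        }
        return self._call("POST", "v4/file", headers, data)["data_id"]

    def fetch_analysis_result(self, data_id: str) -> dict:
        """GET v4/file/{data_id}; x-file-metadata=1 also returns file metadata and hashes."""
        return self._call("GET", f"v4/file/{data_id}", {"x-file-metadata": "1"})

    @staticmethod
    def is_complete(result: dict) -> bool:
        scan = result.get("scan_results") or {}
        return (result.get("status") != "inqueue"
                and scan.get("scan_all_result_i") is not None
                and scan.get("progress_percentage", 100) == 100)

    def wait_for_result(self, data_id: str, poll_interval: float = 2.0, max_polls: int = 150,
                        sleep: Callable[[float], None] = time.sleep) -> dict:
        """Poll until complete; if the rate limit is exhausted, wait for the reset window instead."""
        for _ in range(max_polls):
            result = self.fetch_analysis_result(data_id)
            if self.is_complete(result):
                return result
            limit = self.last_rate_limit
            delay = limit["reset_in"] if limit.get("remaining") == 0 and limit.get("reset_in") else poll_interval
            sleep(delay)
        raise TimeoutError(f"analysis {data_id} not complete after {max_polls} polls")


class FakeMetaDefender:
    """Constructed stand-in that answers with the response shapes from this page's examples."""
    def __init__(self, polls_before_done: int = 2, remaining: str = "3999"):
        self.polls_left = polls_before_done
        self.remaining = remaining
        self.calls = []

    def __call__(self, method, url, headers, body) -> Response:
        self.calls.append((method, url, dict(headers)))
        rate_headers = {"x-ratelimit-limit": "4000", "x-ratelimit-used": "1",
                        "x-ratelimit-remaining": self.remaining, "x-ratelimit-reset-in": "85730s"}
        queued = {"data_id": "EXAMPLE_DATA_ID", "status": "inqueue", "in_queue": 2, "queue_priority": "normal"}
        if method == "POST" and url.endswith("/v4/file"):
            return 200, rate_headers, queued
        if method == "GET" and "/v4/file/EXAMPLE_DATA_ID" in url:
            if self.polls_left > 0:
                self.polls_left -= 1
                return 200, rate_headers, queued
            return 200, rate_headers, {"data_id": "EXAMPLE_DATA_ID", "file_id": "EXAMPLE_FILE_ID",
                                       "scan_results": {"scan_all_result_i": 0, "progress_percentage": 100,
                                                        "total_avs": 2, "scan_details": {}}}
        return 404, rate_headers, {}


if __name__ == "__main__":
    client = MetaDefenderClient("https://api.example.invalid", "APIKEY_PLACEHOLDER", transport=FakeMetaDefender())
    submitted = client.analyze_file(b"constructed sample bytes", "sample.txt")
    print(json.dumps(client.wait_for_result(submitted, sleep=lambda _s: None), indent=2))
```

Replacing `FakeMetaDefender()` with the default `urllib_transport` and a real base URL turns this into a live client; the injected `sleep` lets the polling loop be exercised without waiting.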
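Both the Fetch Analysis Result and the Retrieving Scan Reports Using Data Hash actions return a `scan_results` object whose `scan_details` holds one entry per engine (`scan_result_i`, `threat_found`, `def_time`, `scan_time`) beside `scan_all_result_i` and `total_avs`. The following added example, not part of the connector, reduces such a report to the numbers an analyst asks for first and renders a table row safely. The meaning of the `scan_result_i` codes is not given on this page, so the summary keys on a non-empty `threat_found` instead. `SAMPLE_REPORT` is constructed (the engine names are the ones the page lists), and because threat names and file names originate from engine output and from the file itself (the EXIF example shows HTML arriving in metadata fields), every cell is HTML-escaped before it is placed in markup.

```python
"""Summarize a MetaDefender scan report and render it safely (added example)."""
import html
from typing import Any, Dict

SAMPLE_REPORT: Dict[str, Any] = {  # constructed; mirrors the field names documented on this page
    "data_id": "EXAMPLE_DATA_ID",
    "file_id": "EXAMPLE_FILE_ID",
    "scan_result_history_length": 3,
    "scan_results": {
        "scan_all_result_i": 1,
        "start_time": "2023-09-21T15:36:00.000Z",
        "total_time": 2100,
        "total_avs": 3,
        "scan_details": {
            "Lavasoft": {"scan_result_i": 1, "threat_found": "Gen:Constructed<Sample>",
                         "def_time": "2023-09-20T08:00:00.000Z", "scan_time": 700},
            "STOPzilla": {"scan_result_i": 0, "threat_found": "",
                          "def_time": "2023-09-19T02:00:00.000Z", "scan_time": 650},
            "Zillya!": {"scan_result_i": 1, "threat_found": "Trojan.Constructed.1",
                        "def_time": "2023-09-21T00:00:00.000Z", "scan_time": 750},
        },
    },
}


def summarize(report: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce scan_details to detection counts, threat names and the oldest definition date in use."""
    scan = report.get("scan_results") or {}
    details = scan.get("scan_details") or {}
    detections = {engine: d["threat_found"] for engine, d in details.items() if d.get("threat_found")}
    def_times = [d["def_time"] for d in details.values() if d.get("def_time")]
    return {
        "data_id": report.get("data_id"),
        "engines_reporting": len(details),
        "total_avs": scan.get("total_avs", len(details)),
        "detections": detections,
        "detection_ratio": f"{len(detections)}/{len(details)}",
        "scan_all_result_i": scan.get("scan_all_result_i"),
        # ISO 8601 strings in the same zone sort chronologically, so min() is the stalest definition set
        "oldest_definition": min(def_times) if def_times else None,
    }


def render_html_row(summary: Dict[str, Any]) -> str:
    """One <tr> for a report table; every cell is escaped because the values are untrusted."""
    threats = ", ".join(f"{engine}: {name}" for engine, name in sorted(summary["detections"].items()))
    cells = [str(summary["data_id"]), summary["detection_ratio"], threats or "no detections"]
    return "<tr>" + "".join(f"<td>{html.escape(cell)}</td>" for cell in cells) + "</tr>"


if __name__ == "__main__":
    print(render_html_row(summarize(SAMPLE_REPORT)))
```

An old `oldest_definition` relative to `start_time` is worth surfacing next to the ratio: a clean verdict from engines with stale definitions says less than the same verdict from current ones.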
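The PE Info Lookup action returns a `signature` object with `invalid`, a `signer` (`serial`, `issuer`, `program_name`, `more_info`), a `countersigner` with `signing_time`, and a `certificates` list carrying `subject`, `issuer`, `serial`, `valid_from` and `valid_to`. The following added example, not connector code, turns those fields into a list of findings, on the principle that "signed" is not "trusted": it checks whether MetaDefender flagged the signature, whether the countersignature time lies inside the signer certificate's validity window, and optionally whether the issuer is on an allow-list. Two assumptions are not stated on the page: the signer is matched to its certificate by `serial` plus `issuer`, and timestamps are ISO 8601 in UTC with a trailing `Z`. `PEINFO_SAMPLE` is constructed.

```python
"""Assess the Authenticode data returned by the PE info lookup (added example)."""
from datetime import datetime, timezone
from typing import Any, Dict, Iterable

PEINFO_SAMPLE: Dict[str, Any] = {  # constructed; field names follow the page's PE info output table
    "signature": {
        "invalid": False,
        "signer": {"program_name": "Constructed Installer", "serial": "0A1B",
                   "issuer": "CN=Constructed Issuing CA", "more_info": ""},
        "countersigner": {"signing_time": "2023-09-21T06:27:30Z", "serial": "00FF",
                          "issuer": "CN=Constructed Timestamp CA"},
        "certificates": [
            {"subject": "CN=Constructed Publisher", "issuer": "CN=Constructed Issuing CA", "serial": "0A1B",
             "valid_from": "2022-01-01T00:00:00Z", "valid_to": "2024-01-01T00:00:00Z"},
            {"subject": "CN=Constructed Issuing CA", "issuer": "CN=Constructed Root", "serial": "0001",
             "valid_from": "2020-01-01T00:00:00Z", "valid_to": "2030-01-01T00:00:00Z"},
        ],
    },
    "imphash": "IMPHASH_PLACEHOLDER",
    "pehash": "PEHASH_PLACEHOLDER",
}


def _parse_ts(value: str) -> datetime:
    # Assumed timestamp format: ISO 8601, UTC, trailing Z (not specified on the page)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_signature(peinfo: Dict[str, Any], trusted_issuers: Iterable[str] = ()) -> Dict[str, Any]:
    """Return the signer identity plus a list of findings; an empty list means no objection."""
    sig = peinfo.get("signature") or {}
    if not sig:
        return {"signed": False, "subject": None, "issuer": None, "signing_time": None,
                "findings": ["no Authenticode signature present"]}
    findings = []
    if sig.get("invalid"):
        findings.append("signature reported invalid by MetaDefender")
    signer = sig.get("signer") or {}
    # Match the signer to its certificate by serial and issuer (assumption)
    leaf = next((c for c in sig.get("certificates", [])
                 if c.get("serial") == signer.get("serial") and c.get("issuer") == signer.get("issuer")), None)
    signing_time = (sig.get("countersigner") or {}).get("signing_time")
    if leaf is None:
        findings.append("signer certificate not found in certificate list")
    elif not signing_time:
        findings.append("no countersignature timestamp; validity cannot be anchored in time")
    elif not _parse_ts(leaf["valid_from"]) <= _parse_ts(signing_time) <= _parse_ts(leaf["valid_to"]):
        findings.append("countersignature time lies outside the signer certificate's validity window")
    trusted = set(trusted_issuers)
    if trusted and signer.get("issuer") not in trusted:
        findings.append(f"issuer {signer.get('issuer')!r} is not on the trusted issuer list")
    return {"signed": True, "subject": leaf.get("subject") if leaf else None,
            "issuer": signer.get("issuer"), "signing_time": signing_time, "findings": findings}


if __name__ == "__main__":
    for finding in assess_signature(PEINFO_SAMPLE, trusted_issuers=["CN=Some Other CA"])["findings"]:
        print("finding:", finding)
```

The `imphash` and `pehash` values the lookup also returns are the natural keys for pivoting from one assessed binary to others built from the same import table or layout; that pivot is a separate query and is left out here.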