# ReversingLabs A1000

60 min

This connector integrates the ReversingLabs A1000 module API and Python SDK with Swimlane Turbine.

## Prerequisites

This connector requires either an API token or a username and password (OAuth 2.0 password grant) for authentication.

## Capabilities

This connector supports the following tasks:

- Advanced Search v2
- Get Classification v3
- Get Detailed Report v2
- Get Submitted URL Report
- Get Summary Report v2
- Get Titanium Core Report v2
- Network Domain Report
- Network Files from IP
- Network IP Address Report
- Network IP to Domain
- Network URL Report
- Network URLs from IP
- Upload Sample from File
- Upload Sample from URL

## Configurations

### API Token Authentication

Authenticates using an API token.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| api_token | API token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### OAuth 2.0 Password Grant

Authenticates using OAuth 2.0 password credentials.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token_url | | string | optional |
| oauth2_username | The username for authentication | string | required |
| oauth2_password | The password for authentication | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

Leave `verify_ssl` enabled unless the appliance presents a certificate you cannot add to the trust store. With verification off, an on-path attacker or a TLS-intercepting proxy can read the API token or OAuth2 credentials on every request, along with every sample the connector uploads.

## Actions

### Advanced Search v2

Sends a query string to the A1000 Advanced Search API v2 endpoint.

**Endpoint URL:** `/api/samples/v2/search/`

**Method:** POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Parameter for Advanced Search v2 |
| ticloud | boolean | optional | Parameter for Advanced Search v2 |
| page_number | number | optional | Parameter for Advanced Search v2 |
| records_per_page | number | optional | Parameter for Advanced Search v2 |
| sort | string | optional | Parameter for Advanced Search v2 |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rl | object | Output field rl |
| web_search_api | object | Output field web_search_api |
| total_count | number | Count value |
| next_page | number | Output field next_page |
| more_pages | boolean | Output field more_pages |
| sample_count | number | Count value |
| entries | array | Output field entries |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "connection": "keep-alive",
      "content-length": "1272",
      "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private",
      "content-security-policy": "default-src wss://*.hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'",
      "server": "nginx",
      "content-encoding": "gzip",
      "x-xss-protection": "1; mode=block",
      "expect-ct": "enforce, max-age=7776000",
      "accept-ranges": "bytes",
      "expires": "Mon, 09 Oct 2023 06:52:36 GMT",
      "x-content-type-options": "nosniff, nosniff",
      "via": "1.1 varnish, 1.1 varnish",
      "allow": "POST, OPTIONS",
      "x-frame-options": "DENY",
      "referrer-policy": "same-origin"
    },
    "reason": "OK",
    "json_body": {
      "rl": {}
    }
  }
]
```

### Get Classification v3

Get the classification for one sample.

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sample_hash | string | required | Parameter for Get Classification v3 |
| local_only | boolean | optional | Parameter for Get Classification v3 |
| av_scanners | boolean | optional | Parameter for Get Classification v3 |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| classification | string | Output field classification |
| riskscore | number | Score value |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| classification_result | string | Classification result |
| classification_reason | string | Reason for the classification |
| classification_origin | object | Output field classification_origin |
| cloud_last_lookup | string | Output field cloud_last_lookup |
| data_source | string | Response data source |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| md5 | string | Output field md5 |

#### Example

```json
[
  {
    "json": {
      "classification": "malicious",
      "riskscore": 10,
      "first_seen": "2020-01-22T19:20:00Z",
      "last_seen": "2022-07-13T05:08:32Z",
      "classification_result": "Win32.Worm.Mira",
      "classification_reason": "antivirus",
      "classification_origin": null,
      "cloud_last_lookup": "2023-10-08T10:50:18Z",
      "data_source": "local",
      "sha1": "2efae02ecb7cfc279b704ac102763e6d184e26b0",
      "sha256": "de7b7d7084069ac1a093ae67044765dc2b02d36e9e3101dc9dc75f29ca00d26a",
      "md5": "76d5338503dcb59cb4449be24654ebca"
    }
  }
]
```

### Get Detailed Report v2

Accepts a single hash or a list of hashes and returns a detailed analysis report for the selected samples.

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sample_hashes | array | required | Parameter for Get Detailed Report v2 |
| retry | boolean | optional | Parameter for Get Detailed Report v2 |
| fields | string | optional | Comma-separated list of report fields to include in the response |
| skip_reanalysis | boolean | optional | Parameter for Get Detailed Report v2 |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| count | number | Count value |
| next | object | Output field next |
| previous | object | Output field previous |
| results | array | Result of the operation |
| aliases | array | Output field aliases |
| category | string | Output field category |
| classification | string | Output field classification |
| classification_origin | object | Output field classification_origin |
| classification_reason | string | Reason for the classification |
| classification_result | string | Classification result |
| classification_source | number | Output field classification_source |
| extracted_file_count | number | Count value |
| file_size | number | Output field file_size |
| file_subtype | string | Type of the resource |
| file_type | string | Type of the resource |
| id | number | Unique identifier |
| identification_name | string | Unique identifier |
| identification_version | string | Unique identifier |
| local_first_seen | string | Output field local_first_seen |
| local_last_seen | string | Output field local_last_seen |
| md5 | string | Output field md5 |
| riskscore | number | Score value |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |

#### Example

```json
[
  {
    "json": {
      "count": 1,
      "next": null,
      "previous": null,
      "results": []
    }
  }
]
```

### Get Submitted URL Report

Accepts a task ID returned by Upload Sample from URL and returns a response containing the processing status and, if the report is ready, the report.

**Endpoint URL:** `/api/uploads/v2/url-samples/{{task_id}}`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| task_id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "connection": "keep-alive",
      "content-length": "1272",
      "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private",
      "content-security-policy": "default-src wss://*.hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'",
      "server": "nginx",
      "content-encoding": "gzip",
      "x-xss-protection": "1; mode=block",
      "expect-ct": "enforce, max-age=7776000",
      "accept-ranges": "bytes",
      "expires": "Mon, 09 Oct 2023 06:52:36 GMT",
      "x-content-type-options": "nosniff, nosniff",
      "via": "1.1 varnish, 1.1 varnish",
      "allow": "POST, OPTIONS",
      "x-frame-options": "DENY",
      "referrer-policy": "same-origin"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Summary Report v2

Accepts a single hash or a list of hashes and returns JSON containing a summary report for each of them.

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sample_hashes | array | required | Parameter for Get Summary Report v2 |
| retry | boolean | optional | Parameter for Get Summary Report v2 |
| skip_reanalysis | boolean | optional | Parameter for Get Summary Report v2 |
| fields | string | optional | Comma-separated list of report fields to include in the response |
| include_networkthreatintelligence | boolean | optional | Parameter for Get Summary Report v2 |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| count | number | Count value |
| next | object | Output field next |
| previous | object | Output field previous |
| results | array | Result of the operation |
| aliases | array | Output field aliases |
| category | string | Output field category |
| classification | string | Output field classification |
| classification_origin | object | Output field classification_origin |
| classification_reason | string | Reason for the classification |
| classification_result | string | Classification result |
| classification_source | number | Output field classification_source |
| extracted_file_count | number | Count value |
| file_size | number | Output field file_size |
| file_subtype | string | Type of the resource |
| file_type | string | Type of the resource |
| id | number | Unique identifier |
| identification_name | string | Unique identifier |
| identification_version | string | Unique identifier |
| local_first_seen | string | Output field local_first_seen |
| local_last_seen | string | Output field local_last_seen |
| md5 | string | Output field md5 |
| riskscore | number | Score value |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |

#### Example

```json
[
  {
    "json": {
      "count": 1,
      "next": null,
      "previous": null,
      "results": []
    }
  }
]
```

### Get Titanium Core Report v2

Accepts a single hash string and gets the full TitaniumCore static analysis report for the requested sample. The requested sample must be present on the appliance.

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sample_hash | string | required | Parameter for Get Titanium Core Report v2 |
| fields | string | optional | A string of comma-separated TitaniumCore 'fields' to query |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| application | object | Output field application |
| attack | array | Output field attack |
| file_name | string | Name of the resource |
| file | string | Output field file |
| behaviour | object | Output field behaviour |
| certificate | object | Output field certificate |
| classification | object | Output field classification |
| propagated | boolean | Output field propagated |
| classification | number | Output field classification |
| factor | number | Output field factor |
| result | string | Result of the operation |
| scan_results | array | Result of the operation |
| ignored | boolean | Output field ignored |
| type | number | Type of the resource |
| classification | number | Output field classification |
| factor | number | Output field factor |
| name | string | Name of the resource |
| version | string | Output field version |
| result | string | Result of the operation |
| document | object | Output field document |
| email | object | Output field email |
| imphash | string | Output field imphash |
| indicators | array | Output field indicators |
| file_name | string | Name of the resource |

#### Example

```json
[
  {
    "json": {
      "application": {},
      "attack": [],
      "behaviour": {},
      "certificate": {},
      "classification": {},
      "document": {},
      "email": {},
      "imphash": "",
      "indicators": [],
      "info": {},
      "interesting_strings": [],
      "md5": "76d5338503dcb59cb4449be24654ebca",
      "media": {},
      "mobile": {},
      "protection": {}
    }
  }
]
```

### Network Domain Report

Accepts a domain string and returns a report about the requested domain.

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| domain | string | required | Parameter for Network Domain Report |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| last_dns_records | array | Output field last_dns_records |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| provider | string | Output field provider |
| last_dns_records_time | string | Time value |
| third_party_reputations | object | Output field third_party_reputations |
| sources | array | Output field sources |
| detection | string | Output field detection |
| source | string | Output field source |
| update_time | string | Time value |
| detect_time | string | Time value |
| statistics | object | Output field statistics |
| total | number | Output field total |
| malicious | number | Output field malicious |
| undetected | number | Output field undetected |
| clean | number | Output field clean |
| top_threats | array | Output field top_threats |
| threat_name | string | Name of the resource |
| files_count | number | Count value |
| risk_score | number | Score value |
| modified_time | string | Time value |
| downloaded_files_statistics | object | Output field downloaded_files_statistics |
| unknown | number | Output field unknown |
| suspicious | number | Output field suspicious |

#### Example

```json
[
  {
    "json": {
      "last_dns_records": [],
      "last_dns_records_time": "2023-10-09T08:51:25",
      "third_party_reputations": {},
      "top_threats": [],
      "modified_time": "2023-10-09T08:51:38",
      "downloaded_files_statistics": {},
      "requested_domain": "www.google.com"
    }
  }
]
```

### Network Files from IP

Accepts an IP address string and returns a list of hashes and classifications for files found on the requested IP address.

**Endpoint URL:** `/api/network-threat-intel/ip/{{ip}}/downloaded_files/`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ip | string | required | Parameter for Network Files from IP |
| page | string | optional | SHA for the next page to be displayed |
| page_size | number | optional | Parameter for Network Files from IP |
| extended | boolean | optional | Parameter for Network Files from IP |
| classification | string | optional | Parameter for Network Files from IP |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| next_page | string | Output field next_page |
| downloaded_files | array | Output field downloaded_files |
| sha1 | string | Output field sha1 |
| last_download_url | string | URL the file was last downloaded from |
| classification | string | Output field classification |
| first_download | string | Output field first_download |
| last_seen | string | Output field last_seen |
| sample_size | number | Output field sample_size |
| sample_available | boolean | Output field sample_available |
| last_download | string | Output field last_download |
| first_seen | string | Output field first_seen |
| sha256 | string | Output field sha256 |
| md5 | string | Output field md5 |
| risk_score | number | Score value |
| sample_type | string | Type of the resource |
| threat_name | object | Name of the resource |
| malware_family | object | Output field malware_family |
| malware_type | object | Type of the resource |
| platform | object | Output field platform |
| subplatform | object | Output field subplatform |
| requested_ip | string | Output field requested_ip |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "connection": "keep-alive",
      "content-length": "576",
      "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private",
      "content-security-policy": "default-src wss://*.hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'",
      "server": "nginx",
      "content-encoding": "gzip",
      "x-xss-protection": "1; mode=block",
      "expect-ct": "enforce, max-age=7776000",
      "accept-ranges": "bytes",
      "expires": "Mon, 09 Oct 2023 10:23:38 GMT",
      "x-content-type-options": "nosniff, nosniff",
      "via": "1.1 varnish, 1.1 varnish",
      "allow": "GET, HEAD, OPTIONS",
      "x-frame-options": "DENY",
      "referrer-policy": "same-origin"
    },
    "reason": "OK",
    "json_body": {
      "next_page": "0083a1c9ddb79e9d7d4cd331050d62531c06d702",
      "downloaded_files": [],
      "requested_ip": "8.8.8.8"
    }
  }
]
```

### Network IP Address Report

Accepts an IP address string and returns a report about the requested IP address.

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ip_addr | string | required | Parameter for Network IP Address Report |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| third_party_reputations | object | Output field third_party_reputations |
| statistics | object | Output field statistics |
| total | number | Output field total |
| malicious | number | Output field malicious |
| undetected | number | Output field undetected |
| clean | number | Output field clean |
| sources | array | Output field sources |
| detection | string | Output field detection |
| update_time | string | Time value |
| detect_time | object | Time value |
| category | object | Output field category |
| source | string | Output field source |
| downloaded_files_statistics | object | Output field downloaded_files_statistics |
| total | number | Output field total |
| unknown | number | Output field unknown |
| suspicious | number | Output field suspicious |
| malicious | number | Output field malicious |
| goodware | number | Output field goodware |
| top_threats | array | Output field top_threats |
| file_name | string | Name of the resource |
| file | string | Output field file |
| requested_ip | string | Output field requested_ip |
| modified_time | string | Time value |

#### Example

```json
[
  {
    "json": {
      "third_party_reputations": {},
      "downloaded_files_statistics": {},
      "top_threats": [],
      "requested_ip": "8.8.8.8",
      "modified_time": "2023-10-09T08:30:46"
    }
  }
]
```

### Network IP to Domain

Accepts an IP address string and returns a list of IP-to-domain mappings.

**Endpoint URL:** `/api/network-threat-intel/ip/{{ip}}/resolutions/`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ip | string | required | Parameter for Network IP to Domain |
| page | string | optional | SHA for the next page to be displayed |
| page_size | number | optional | Parameter for Network IP to Domain |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| next_page | object | Output field next_page |
| resolutions | array | Output field resolutions |
| provider | string | Output field provider |
| last_resolution_time | string | Time value |
| host_name | string | Name of the resource |
| requested_ip | string | Output field requested_ip |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "connection": "keep-alive",
      "content-length": "813",
      "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private",
      "content-security-policy": "default-src wss://*.hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'",
      "server": "nginx",
      "content-encoding": "gzip",
      "x-xss-protection": "1; mode=block",
      "expect-ct": "enforce, max-age=7776000",
      "accept-ranges": "bytes",
      "expires": "Mon, 09 Oct 2023 10:34:49 GMT",
      "x-content-type-options": "nosniff, nosniff",
      "via": "1.1 varnish, 1.1 varnish",
      "allow": "GET, HEAD, OPTIONS",
      "x-frame-options": "DENY",
      "referrer-policy": "same-origin"
    },
    "reason": "OK",
    "json_body": {
      "next_page": null,
      "resolutions": [],
      "requested_ip": "142.251.40.110"
    }
  }
]
```

### Network URL Report

Accepts a URL string and returns a report about the requested URL.

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| requested_url | string | optional | URL to report on |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| third_party_reputations | object | Output field third_party_reputations |
| sources | array | Output field sources |
| detection | string | Output field detection |
| source | string | Output field source |
| update_time | string | Time value |
| statistics | object | Output field statistics |
| total | number | Output field total |
| malicious | number | Output field malicious |
| clean | number | Output field clean |
| undetected | number | Output field undetected |
| reason | string | Reason for the classification |
| classification | string | Output field classification |
| analysis | object | Output field analysis |
| analysis_history | array | Output field analysis_history |
| domain | string | Output field domain |
| final_url | string | Final URL after redirects |
| http_response_code | number | Output field http_response_code |
| analysis_id | string | Unique identifier |
| availability_status | string | Status value |
| serving_ip_address | string | Output field serving_ip_address |
| analysis_time | string | Time value |
| last_analysis | object | Output field last_analysis |
| domain | string | Output field domain |
| final_url | string | Final URL after redirects |

#### Example

```json
[
  {
    "json": {
      "third_party_reputations": {},
      "reason": "whitelist",
      "classification": "goodware",
      "analysis": {},
      "requested_url": "www.google.com"
    }
  }
]
```

### Network URLs from IP

Accepts an IP address string and returns a list of URLs hosted on the requested IP address.

**Endpoint URL:** `/api/network-threat-intel/ip/{{ip}}/urls/`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ip | string | required | Parameter for Network URLs from IP |
| page | string | optional | SHA for the next page to be displayed |
| page_size | number | optional | Parameter for Network URLs from IP |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| next_page | object | Output field next_page |
| urls | array | URLs hosted on the IP address |
| url | string | A URL hosted on the IP address |
| requested_ip | string | Output field requested_ip |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "connection": "keep-alive",
      "content-length": "4376",
      "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private",
      "content-security-policy": "default-src wss://*.hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'",
      "server": "nginx",
      "content-encoding": "gzip",
      "x-xss-protection": "1; mode=block",
      "expect-ct": "enforce, max-age=7776000",
      "accept-ranges": "bytes",
      "expires": "Mon, 09 Oct 2023 10:41:15 GMT",
      "x-content-type-options": "nosniff, nosniff",
      "via": "1.1 varnish, 1.1 varnish",
      "allow": "GET, HEAD, OPTIONS",
      "x-frame-options": "DENY",
      "referrer-policy": "same-origin"
    },
    "reason": "OK",
    "json_body": {
      "next_page": null,
      "urls": [],
      "requested_ip": "142.251.40.110"
    }
  }
]
```

### Upload Sample from File

Accepts a file and returns a response containing the analysis task ID.

**Endpoint URL:** `/api/uploads/`

**Method:** POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| form_data | object | required | Multipart form data |
| file | object | required | Binary file that you want to submit |
| file | string | required | Parameter for Upload Sample from File |
| file_name | string | required | Name of the resource |
| archive_password | string | optional | Parameter for Upload Sample from File |
| rl_cloud_sandbox_platform | string | optional | Parameter for Upload Sample from File |
| comment | string | optional | Parameter for Upload Sample from File |
| tags | string | optional | Parameter for Upload Sample from File |
| analysis | string | optional | Parameter for Upload Sample from File |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| detail | object | Output field detail |
| id | string | Unique identifier (analysis task ID) |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "connection": "keep-alive",
      "content-length": "1272",
      "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private",
      "content-security-policy": "default-src wss://*.hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'",
      "server": "nginx",
      "content-encoding": "gzip",
      "x-xss-protection": "1; mode=block",
      "expect-ct": "enforce, max-age=7776000",
      "accept-ranges": "bytes",
      "expires": "Mon, 09 Oct 2023 06:52:36 GMT",
      "x-content-type-options": "nosniff, nosniff",
      "via": "1.1 varnish, 1.1 varnish",
      "allow": "POST, OPTIONS",
      "x-frame-options": "DENY",
      "referrer-policy": "same-origin"
    },
    "reason": "OK",
    "json_body": {
      "detail": {}
    }
  }
]
```

### Upload Sample from URL

Accepts a URL and returns a response containing the analysis task ID.

**Endpoint URL:** `/api/uploads/`

**Method:** POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Request body |
| url | string | required | URL of the sample to submit |
| archive_password | string | optional | Parameter for Upload Sample from URL |
| rl_cloud_sandbox_platform | string | optional | Parameter for Upload Sample from URL |
| crawler | string | optional | Parameter for Upload Sample from URL |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| detail | object | Output field detail |
| id | string | Unique identifier (analysis task ID) |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "connection": "keep-alive",
      "content-length": "1272",
      "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private",
      "content-security-policy": "default-src wss://*.hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'",
      "server": "nginx",
      "content-encoding": "gzip",
      "x-xss-protection": "1; mode=block",
      "expect-ct": "enforce, max-age=7776000",
      "accept-ranges": "bytes",
      "expires": "Mon, 09 Oct 2023 06:52:36 GMT",
      "x-content-type-options": "nosniff, nosniff",
      "via": "1.1 varnish, 1.1 varnish",
      "allow": "POST, OPTIONS",
      "x-frame-options": "DENY",
      "referrer-policy": "same-origin"
    },
    "reason": "OK",
    "json_body": {
      "detail": {}
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Accept-Ranges | HTTP response header Accept-Ranges | bytes |
| Allow | HTTP response header Allow | GET, HEAD, OPTIONS |
| Cache-Control | Directives for caching mechanisms | max-age=0, no-cache, no-store, must-revalidate, private |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 1272 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src wss://*.hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval' |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 09 Oct 2023 10:23:39 GMT |
| Expect-CT | HTTP response header Expect-CT | enforce, max-age=7776000 |
| Expires | The date/time after which the response is considered stale | Mon, 09 Oct 2023 06:52:36 GMT |
| Referrer-Policy | HTTP response header Referrer-Policy | same-origin |
| Server | Information about the software used by the origin server | nginx |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=300 |
| Vary | HTTP response header Vary | Cookie, Accept-Encoding |
| Via | HTTP response header Via | 1.1 varnish, 1.1 varnish |
| X-Cache | HTTP response header X-Cache | MISS, MISS |
| X-Cache-Hits | HTTP response header X-Cache-Hits | 0, 0 |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff, nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY |
| X-Served-By | HTTP response header X-Served-By | cache-hyd1100029-HYD, cache-hyd1100029-HYD |
| X-Timer | HTTP response header X-Timer | S1696834355.599659,VS0,VE1797 |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
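The Get Classification v3 and Get Summary / Detailed Report v2 actions above take hashes in and return a verdict per sample. The following is an added example of how a playbook author can validate those hashes before they reach the appliance and turn the returned JSON into an action; it is not code from the Swimlane connector or the ReversingLabs SDK. Field names follow the output tables on this page; the `Token <api_token>` Authorization scheme used in `auth_headers` is an assumption, and the sample response is the page's own Get Classification v3 example.

```python
"""Hash validation and verdict triage for the A1000 classification and
summary/detailed report responses.  Added example; not connector or SDK code."""
import re

# Digest length in hex characters -> algorithm the A1000 accepts as sample_hash.
_HASH_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_hash(value: str) -> str:
    """Return a lowercase hex digest, or raise ValueError for anything that is
    not an MD5, SHA1 or SHA256.  Validating first keeps a pasted filename or
    URL from ever becoming a sample_hash / sample_hashes parameter."""
    digest = value.strip().lower()
    if len(digest) not in _HASH_ALGORITHMS or not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return digest


def hash_algorithm(value: str) -> str:
    return _HASH_ALGORITHMS[len(normalize_hash(value))]


def auth_headers(api_token: str) -> dict:
    """Headers for API Token Authentication.  ASSUMPTION: 'Token <key>' scheme."""
    return {"Authorization": f"Token {api_token}", "Accept": "application/json"}


def triage_classification(requested_hash: str, body: dict, escalate_at: int = 8) -> dict:
    """Turn the 'json' body of Get Classification v3 into an action.

    Refuses to trust a report whose md5/sha1/sha256 do not include the hash we
    asked about, and records whether the verdict was computed on the appliance
    (data_source == "local") rather than only from a cloud lookup."""
    wanted = normalize_hash(requested_hash)
    returned = {(body.get(k) or "").lower() for k in ("md5", "sha1", "sha256")}
    if wanted not in returned:
        raise ValueError("classification report does not describe the requested hash")

    classification = (body.get("classification") or "unknown").lower()
    riskscore = int(body.get("riskscore") or 0)
    if classification == "malicious" or riskscore >= escalate_at:
        action = "escalate"
    elif classification == "goodware":
        action = "close"
    else:                      # suspicious, unknown, not yet classified
        action = "review"
    return {
        "sha256": body.get("sha256"),
        "classification": classification,
        "riskscore": riskscore,
        "threat": body.get("classification_result"),
        "reason": body.get("classification_reason"),
        "local_verdict": body.get("data_source") == "local",
        "action": action,
    }


def index_report_results(requested_hashes, body: dict) -> dict:
    """Map each requested hash to its entry in the 'results' array returned by
    Get Summary Report v2 / Get Detailed Report v2.

    ASSUMPTION: a hash the appliance has no record of simply has no entry.  It
    maps to None here so a caller cannot mistake 'no data' for 'goodware'."""
    wanted = {normalize_hash(h): None for h in requested_hashes}
    for entry in body.get("results") or []:
        for key in ("md5", "sha1", "sha256"):
            digest = (entry.get(key) or "").lower()
            if digest in wanted:
                wanted[digest] = entry
    return wanted


# Constructed sample: the Get Classification v3 example from this page.
SAMPLE_CLASSIFICATION = {
    "classification": "malicious", "riskscore": 10,
    "first_seen": "2020-01-22T19:20:00Z", "last_seen": "2022-07-13T05:08:32Z",
    "classification_result": "Win32.Worm.Mira", "classification_reason": "antivirus",
    "classification_origin": None, "cloud_last_lookup": "2023-10-08T10:50:18Z",
    "data_source": "local",
    "sha1": "2efae02ecb7cfc279b704ac102763e6d184e26b0",
    "sha256": "de7b7d7084069ac1a093ae67044765dc2b02d36e9e3101dc9dc75f29ca00d26a",
    "md5": "76d5338503dcb59cb4449be24654ebca",
}

if __name__ == "__main__":
    print(triage_classification("76D5338503DCB59CB4449BE24654EBCA", SAMPLE_CLASSIFICATION))
```

The hash cross-check matters in a SOAR context: playbooks routinely fan a list of hashes out to several enrichment sources and zip the answers back together by position, and a single dropped or reordered entry then attaches the wrong verdict to an indicator. Keying on the hashes the appliance itself returns removes that failure mode.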
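Network Files from IP, Network IP to Domain and Network URLs from IP all page the same way: the response carries a `next_page` cursor (a SHA, or `null` on the last page) that is passed back as the `page` parameter. The following added example walks those pages safely; it is not connector or SDK code. The HTTP layer is replaced by an injected `fetch(path, params) -> json_body` callable so the logic runs offline, the paths and parameter names are the ones documented above, and `FAKE_PAGES` is a constructed stand-in for the appliance (its cursor value is the one in the page's Network Files from IP example).

```python
"""Cursor pagination over the A1000 network threat intel endpoints.
Added example; not connector or SDK code."""
from typing import Callable, Iterator, Optional

Fetch = Callable[[str, dict], dict]   # fetch(path, query_params) -> json_body


def iter_pages(fetch: Fetch, path: str, items_key: str,
               page_size: int = 100, max_pages: int = 50) -> Iterator[dict]:
    """Yield every item of a cursor-paginated endpoint.

    Stops on a null next_page, refuses to follow a cursor it has already used
    (a misbehaving server would otherwise loop a playbook forever) and caps
    the total number of pages fetched."""
    cursor: Optional[str] = None
    seen: set = set()
    for _ in range(max_pages):
        params = {"page_size": page_size}
        if cursor is not None:
            params["page"] = cursor
        body = fetch(path, params)
        yield from body.get(items_key) or []
        cursor = body.get("next_page")
        if not cursor:
            return
        if cursor in seen:
            raise RuntimeError(f"{path}: pagination cursor {cursor} repeated")
        seen.add(cursor)
    raise RuntimeError(f"{path}: more than {max_pages} pages, refusing to continue")


def malicious_downloads(fetch: Fetch, ip: str, page_size: int = 100) -> list:
    """sha1, last_download_url and risk_score of every file classified malicious
    that was downloaded from the IP, across all pages.  Classification is
    compared case-insensitively because the page does not fix its casing."""
    path = f"/api/network-threat-intel/ip/{ip}/downloaded_files/"
    hits = []
    for f in iter_pages(fetch, path, "downloaded_files", page_size):
        if (f.get("classification") or "").lower() == "malicious":
            hits.append({"sha1": f.get("sha1"), "url": f.get("last_download_url"),
                         "risk_score": f.get("risk_score")})
    return hits


def hostnames_for_ip(fetch: Fetch, ip: str) -> list:
    """Sorted, de-duplicated host_name values from .../resolutions/."""
    path = f"/api/network-threat-intel/ip/{ip}/resolutions/"
    return sorted({r["host_name"] for r in iter_pages(fetch, path, "resolutions")
                   if r.get("host_name")})


# Constructed offline stand-in for the appliance: (path, cursor) -> json_body.
FAKE_PAGES = {
    ("/api/network-threat-intel/ip/8.8.8.8/downloaded_files/", None): {
        "next_page": "0083a1c9ddb79e9d7d4cd331050d62531c06d702",
        "downloaded_files": [
            {"sha1": "a" * 40, "classification": "MALICIOUS", "risk_score": 9,
             "last_download_url": "http://bad.example/a.exe"},
            {"sha1": "b" * 40, "classification": "KNOWN", "risk_score": 1,
             "last_download_url": "http://ok.example/b.exe"},
        ],
        "requested_ip": "8.8.8.8",
    },
    ("/api/network-threat-intel/ip/8.8.8.8/downloaded_files/",
     "0083a1c9ddb79e9d7d4cd331050d62531c06d702"): {
        "next_page": None,
        "downloaded_files": [
            {"sha1": "c" * 40, "classification": "malicious", "risk_score": 10,
             "last_download_url": "http://bad.example/c.dll"},
        ],
        "requested_ip": "8.8.8.8",
    },
    ("/api/network-threat-intel/ip/8.8.8.8/resolutions/", None): {
        "next_page": None,
        "resolutions": [{"provider": "constructed", "host_name": "dns.google",
                         "last_resolution_time": "2023-10-09T10:34:49"}],
        "requested_ip": "8.8.8.8",
    },
}


def fake_fetch(path: str, params: dict) -> dict:
    return FAKE_PAGES[(path, params.get("page"))]


if __name__ == "__main__":
    print(malicious_downloads(fake_fetch, "8.8.8.8"))
    print(hostnames_for_ip(fake_fetch, "8.8.8.8"))
```

To run it against a real appliance, replace `fake_fetch` with a function that issues the GET (with the configured authentication, `verify_ssl` and `http_proxy`) and returns the parsed `json_body`; the pagination and loop guards stay unchanged.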
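Upload Sample from URL and Get Submitted URL Report form a two-step flow: the POST returns the task ID in `detail.id`, and the report is then fetched from `/api/uploads/v2/url-samples/{task_id}` until it is ready. The following added example implements that flow with bounded polling; it is not connector or SDK code. `post(path, data)` and `get(path)` are injected so it runs offline. The endpoints and the `detail.id` location are documented above; the readiness test (`processing_status == "complete"`) is an assumption and can be swapped out through `is_ready`, and refusing non-HTTP(S) URLs is a client-side choice made here, not an appliance rule.

```python
"""Submit a URL for analysis and wait for its report.
Added example; not connector or SDK code."""
import time
from typing import Callable, Optional


def submit_url(post: Callable[[str, dict], dict], url: str,
               archive_password: Optional[str] = None,
               rl_cloud_sandbox_platform: Optional[str] = None) -> str:
    """POST the URL to /api/uploads/ and return the analysis task id (detail.id)."""
    if not url.lower().startswith(("http://", "https://")):
        # Client-side restriction chosen here so a playbook never forwards
        # file:// or other non-web URLs to the appliance.
        raise ValueError(f"refusing to submit non-HTTP(S) URL: {url!r}")
    data = {"url": url}
    if archive_password:
        data["archive_password"] = archive_password
    if rl_cloud_sandbox_platform:
        data["rl_cloud_sandbox_platform"] = rl_cloud_sandbox_platform
    body = post("/api/uploads/", data)
    task_id = (body.get("detail") or {}).get("id")
    if not task_id:
        raise RuntimeError(f"upload accepted but no task id in response: {body!r}")
    return str(task_id)


def _default_ready(body: dict) -> bool:
    # ASSUMPTION: the status endpoint reports processing_status == "complete".
    return body.get("processing_status") == "complete"


def wait_for_url_report(get: Callable[[str], dict], task_id: str,
                        is_ready: Callable[[dict], bool] = _default_ready,
                        attempts: int = 8, first_delay: float = 2.0,
                        max_delay: float = 60.0, sleep=time.sleep) -> dict:
    """Poll Get Submitted URL Report with exponential backoff.

    Bounded by `attempts` so a playbook never hangs on a task the appliance
    never finishes; the last body is included in the TimeoutError."""
    path = f"/api/uploads/v2/url-samples/{task_id}"
    body: dict = {}
    for i in range(attempts):
        body = get(path)
        if is_ready(body):
            return body
        sleep(min(first_delay * (2 ** i), max_delay))
    raise TimeoutError(f"{path} not ready after {attempts} polls: {body!r}")


# Constructed offline stand-ins for the two endpoints.
def fake_post(path: str, data: dict) -> dict:
    assert path == "/api/uploads/" and "url" in data
    return {"detail": {"id": "task-1"}}


_FAKE_POLLS = [{"processing_status": "processing"},
               {"processing_status": "processing"},
               {"processing_status": "complete", "report": {"classification": "malicious"}}]


def make_fake_get() -> Callable[[str], dict]:
    polls = iter(_FAKE_POLLS)
    return lambda path: next(polls)


if __name__ == "__main__":
    tid = submit_url(fake_post, "https://example.test/sample.zip", archive_password="infected")
    print(wait_for_url_report(make_fake_get(), tid, first_delay=0.01, sleep=time.sleep))
```

The injected `sleep` is what makes the backoff testable without waiting; in production leave it at `time.sleep` and size `attempts` and `max_delay` to the longest analysis time you are prepared to block a playbook on.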