ReversingLabs A1000
This connector integrates the ReversingLabs A1000 module API and Python SDK with Swimlane Turbine.

## Prerequisites

This connector requires either an API key or a username and password for authentication.

## Capabilities

This connector supports the following tasks:

- Advanced Search V2
- Get Classification V3
- Get Detailed Report V2
- Get Submitted URL Report
- Get Summary Report V2
- Get Titanium Core Report V2
- Network Domain Report
- Network Files From IP
- Network IP Address Report
- Network IP to Domain
- Network URL Report
- Network URLs From IP
- Upload Sample From File
- Upload Sample From URL

## Configurations

### API Token Authentication

Authenticates using an API token.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| API Token | API token | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### OAuth 2.0 Password Grant

Authenticates using OAuth 2.0 password credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token URL | | string | optional |
| OAuth2 Username | The username for authentication | string | required |
| OAuth2 Password | The password for authentication | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Advanced Search V2

Sends a query string to the A1000 Advanced Search API v2.

- Endpoint URL: `/api/samples/v2/search/`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | optional | Parameter for Advanced Search V2 |
| ticloud | boolean | optional | Parameter for Advanced Search V2 |
| page | number | optional | Parameter for Advanced Search V2 |
| records_per_page | number | optional | Parameter for Advanced Search V2 |
| sort | string | optional | Parameter for Advanced Search V2 |

Input example:

```json
{"json_body": {"query": "firstseen:2018-01-01T00:00:00Z (av-detection:trojan AND type:binary NOT positives:[ TO 3])", "ticloud": false, "page": 1, "records_per_page": 10, "sort": "firstseen desc"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rl | object | Output field rl |
| rl.web_search_api | object | Output field rl.web_search_api |
| rl.web_search_api.total_count | number | Count value |
| rl.web_search_api.next_page | number | Output field rl.web_search_api.next_page |
| rl.web_search_api.more_pages | boolean | Output field rl.web_search_api.more_pages |
| rl.web_search_api.sample_count | number | Count value |
| rl.web_search_api.entries | array | Output field rl.web_search_api.entries |

Output example:

```json
{"status_code": 200, "response_headers": {"connection": "keep-alive", "content-length": "1272", "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private", "content-security-policy": "default-src wss://hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'", "server": "nginx", "content-encoding": "gzip", "x-xss-protection": "1; mode=block", "expect-ct": "enforce, max-age=7776000", "accept-ranges": "bytes", "expires": "Mon, 09 Oct 2023 06:52:36 GMT", "x-content-type-options": "nosniff, nosniff", …
```

### Get Classification V3

Gets the classification for one sample.

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sample_hash | string | required | Parameter for Get Classification V3 |
| local_only | boolean | optional | Parameter for Get Classification V3 |
| av_scanners | boolean | optional | Parameter for Get Classification V3 |

Input example:

```json
{"sample_hash": "de6a74c6f259bd6e2eb5e725d9b37359ed129565", "local_only": false, "av_scanners": false}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| json.classification | string | Output field json.classification |
| json.riskscore | number | Score value |
| json.first_seen | string | Output field json.first_seen |
| json.last_seen | string | Output field json.last_seen |
| json.classification_result | string | Result of the operation |
| json.classification_reason | string | Response reason phrase |
| json.classification_origin | object | Output field json.classification_origin |
| json.cloud_last_lookup | string | Output field json.cloud_last_lookup |
| json.data_source | string | Response data |
| json.sha1 | string | Output field json.sha1 |
| json.sha256 | string | Output field json.sha256 |
| json.md5 | string | Output field json.md5 |

Output example:

```json
{"json": {"classification": "malicious", "riskscore": 10, "first_seen": "2020-01-22T19:20:00Z", "last_seen": "2022-07-13T05:08:32Z", "classification_result": "Win32.Worm.Mira", "classification_reason": "antivirus", "classification_origin": null, "cloud_last_lookup": "2023-10-08T10:50:18Z", "data_source": "local", "sha1": "2efae02ecb7cfc279b704ac102763e6d184e26b0", "sha256": "de7b7d7084069ac1a093ae67044765dc2b02d36e9e3101dc9dc75f29ca00d26a", "md5": "76d5338503dcb59cb4449be24654ebca"}}
```

### Get Detailed Report V2

Accepts a single hash or a list of hashes and returns a detailed analysis report for the selected samples.

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sample_hashes | array | required | Parameter for Get Detailed Report V2 |
| retry | boolean | optional | Parameter for Get Detailed Report V2 |
| fields | string | optional | Comma-separated list of report fields to include in the response |
| skip_reanalysis | boolean | optional | Parameter for Get Detailed Report V2 |

Input example:

```json
{"sample_hashes": ["2efae02ecb7cfc279b704ac102763e6d184e26b0"], "retry": true, "fields": "id,sha1,sha256,sha512", "skip_reanalysis": false}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| json.count | number | Count value |
| json.next | object | Output field json.next |
| json.previous | object | Output field json.previous |
| json.results | array | Result of the operation |
| json.results.aliases | array | Result of the operation |
| json.results.category | string | Result of the operation |
| json.results.classification | string | Result of the operation |
| json.results.classification_origin | object | Result of the operation |
| json.results.classification_reason | string | Response reason phrase |
| json.results.classification_result | string | Result of the operation |
| json.results.classification_source | number | Result of the operation |
| json.results.extracted_file_count | number | Result of the operation |
| json.results.file_size | number | Result of the operation |
| json.results.file_subtype | string | Type of the resource |
| json.results.file_type | string | Type of the resource |
| json.results.id | number | Unique identifier |
| json.results.identification_name | string | Unique identifier |
| json.results.identification_version | string | Unique identifier |
| json.results.local_first_seen | string | Result of the operation |
| json.results.local_last_seen | string | Result of the operation |
| json.results.md5 | string | Result of the operation |
| json.results.riskscore | number | Result of the operation |
| json.results.sha1 | string | Result of the operation |
| json.results.sha256 | string | Result of the operation |

Output example:

```json
{"json": {"count": 1, "next": null, "previous": null, "results": [{}]}}
```

### Get Submitted URL Report

Accepts a task ID returned by Upload Sample From URL and returns a response containing the processing status, and the report if the report is ready.

- Endpoint URL: `/api/uploads/v2/url-samples/{{task_id}}`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.task_id | string | required | Parameters for the Get Submitted URL Report action |

Input example:

```json
{"path_parameters": {"task_id": "1234"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"connection": "keep-alive", "content-length": "1272", "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private", "content-security-policy": "default-src wss://hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'", "server": "nginx", "content-encoding": "gzip", "x-xss-protection": "1; mode=block", "expect-ct": "enforce, max-age=7776000", "accept-ranges": "bytes", "expires": "Mon, 09 Oct 2023 06:52:36 GMT", "x-content-type-options": "nosniff, nosniff", …
```

### Get Summary Report V2

Accepts a single hash or a list of hashes and returns JSON containing a summary report for each of them.

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sample_hashes | array | required | Parameter for Get Summary Report V2 |
| retry | boolean | optional | Parameter for Get Summary Report V2 |
| skip_reanalysis | boolean | optional | Parameter for Get Summary Report V2 |
| fields | string | optional | Comma-separated list of report fields to include in the response |
| include_networkthreatintelligence | boolean | optional | Parameter for Get Summary Report V2 |

Input example:

```json
{"sample_hashes": ["2efae02ecb7cfc279b704ac102763e6d184e26b0"], "retry": true, "skip_reanalysis": false, "fields": "id, sha1, sha256", "include_networkthreatintelligence": true}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| json.count | number | Count value |
| json.next | object | Output field json.next |
| json.previous | object | Output field json.previous |
| json.results | array | Result of the operation |
| json.results.aliases | array | Result of the operation |
| json.results.category | string | Result of the operation |
| json.results.classification | string | Result of the operation |
| json.results.classification_origin | object | Result of the operation |
| json.results.classification_reason | string | Response reason phrase |
| json.results.classification_result | string | Result of the operation |
| json.results.classification_source | number | Result of the operation |
| json.results.extracted_file_count | number | Result of the operation |
| json.results.file_size | number | Result of the operation |
| json.results.file_subtype | string | Type of the resource |
| json.results.file_type | string | Type of the resource |
| json.results.id | number | Unique identifier |
| json.results.identification_name | string | Unique identifier |
| json.results.identification_version | string | Unique identifier |
| json.results.local_first_seen | string | Result of the operation |
| json.results.local_last_seen | string | Result of the operation |
| json.results.md5 | string | Result of the operation |
| json.results.riskscore | number | Result of the operation |
| json.results.sha1 | string | Result of the operation |
| json.results.sha256 | string | Result of the operation |

Output example:

```json
{"json": {"count": 1, "next": null, "previous": null, "results": [{}]}}
```

### Get Titanium Core Report V2

Accepts a single hash string and gets the full TitaniumCore static analysis report for the requested sample. The requested sample must be present on the appliance.

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| sample_hash | string | required | Parameter for Get Titanium Core Report V2 |
| fields | string | optional | A string of comma-separated TitaniumCore 'fields' to query |

Input example:

```json
{"sample_hash": "2efae02ecb7cfc279b704ac102763e6d184e26b0", "fields": "id, sha1, sha256"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| json.application | object | Output field json.application |
| json.attack | array | Output field json.attack |
| json.attack.file_name | string | Name of the resource |
| json.attack.file | string | Output field json.attack.file |
| json.behaviour | object | Output field json.behaviour |
| json.certificate | object | Output field json.certificate |
| json.classification | object | Output field json.classification |
| json.classification.propagated | boolean | Output field json.classification.propagated |
| json.classification.classification | number | Output field json.classification.classification |
| json.classification.factor | number | Output field json.classification.factor |
| json.classification.result | string | Result of the operation |
| json.classification.scan_results | array | Result of the operation |
| json.classification.scan_results.ignored | boolean | Result of the operation |
| json.classification.scan_results.type | number | Type of the resource |
| json.classification.scan_results.classification | number | Result of the operation |
| json.classification.scan_results.factor | number | Result of the operation |
| json.classification.scan_results.name | string | Name of the resource |
| json.classification.scan_results.version | string | Result of the operation |
| json.classification.scan_results.result | string | Result of the operation |
| json.document | object | Output field json.document |
| json.email | object | Output field json.email |
| json.imphash | string | Output field json.imphash |
| json.indicators | array | Output field json.indicators |
| json.indicators.file_name | string | Name of the resource |

Output example:

```json
{"json": {"application": {}, "attack": [], "behaviour": {}, "certificate": {}, "classification": {"propagated": false, "classification": 3, "factor": 10, "result": "Win32.Worm.Mira", "scan_results": []}, "document": {}, "email": {}, "imphash": "", "indicators": [], "info": {"statistics": {}, "file": {}, "identification": {}, "unpacking": {}, "properties": []}, "interesting_strings": [], "md5": "76d5338503dcb59cb4449be24654ebca", "media": {}, "mobile": {}, "protection": {}}}
```

### Network Domain Report

Accepts a domain string and returns a report about the requested domain.

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| domain | string | required | Parameter for Network Domain Report |

Input example:

```json
{"domain": "www.swimlane.com"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| json.last_dns_records | array | Output field json.last_dns_records |
| json.last_dns_records.type | string | Type of the resource |
| json.last_dns_records.value | string | Value for the parameter |
| json.last_dns_records.provider | string | Unique identifier |
| json.last_dns_records.time | string | Time value |
| json.third_party_reputations | object | Output field json.third_party_reputations |
| json.third_party_reputations.sources | array | Output field json.third_party_reputations.sources |
| json.third_party_reputations.sources.detection | string | Output field json.third_party_reputations.sources.detection |
| json.third_party_reputations.sources.source | string | Output field json.third_party_reputations.sources.source |
| json.third_party_reputations.sources.update_time | string | Time value |
| json.third_party_reputations.sources.detect_time | string | Time value |
| json.third_party_reputations.statistics | object | Output field json.third_party_reputations.statistics |
| json.third_party_reputations.statistics.total | number | Output field json.third_party_reputations.statistics.total |
| json.third_party_reputations.statistics.malicious | number | Output field json.third_party_reputations.statistics.malicious |
| json.third_party_reputations.statistics.undetected | number | Output field json.third_party_reputations.statistics.undetected |
| json.third_party_reputations.statistics.clean | number | Output field json.third_party_reputations.statistics.clean |
| json.top_threats | array | Output field json.top_threats |
| json.top_threats.threat_name | string | Name of the resource |
| json.top_threats.files_count | number | Count value |
| json.top_threats.risk_score | number | Score value |
| json.modified_time | string | Time value |
| json.downloaded_files_statistics | object | Output field json.downloaded_files_statistics |
| json.downloaded_files_statistics.unknown | number | Output field json.downloaded_files_statistics.unknown |
| json.downloaded_files_statistics.suspicious | number | Output field json.downloaded_files_statistics.suspicious |

Output example:

```json
{"json": {"last_dns_records": [{}], "last_dns_records_time": "2023-10-09T08:51:25", "third_party_reputations": {"sources": [], "statistics": {}}, "top_threats": [{"threat_name": "Document-HTML.Trojan.FakeComments", "files_count": 1, "risk_score": 10}, {"threat_name": "Document-PDF.Phishing.Generic", "files_count": 1, "risk_score": 10}, {"threat_name": "Document-HTML.Phishing.Generic", "files_count": 1, "risk_score": 10}], "modified_time": "2023-10-09T08:51:38", "downloaded_files_statistics": {"unknown": 108, "suspicious": 0, …
```

### Network Files From IP

Accepts an IP address string and returns a list of hashes and classifications for files found on the requested IP address.

- Endpoint URL: `/api/network-threat-intel/ip/{{ip}}/downloaded_files/`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip | string | required | Parameters for the Network Files From IP action |
| parameters.page | string | optional | SHA for the next page to be displayed |
| parameters.page_size | number | optional | Parameters for the Network Files From IP action |
| parameters.extended | boolean | optional | Parameters for the Network Files From IP action |
| parameters.classification | string | optional | Parameters for the Network Files From IP action |

Input example:

```json
{"parameters": {"page": "0083a1c9ddb79e9d7d4cd331050d62531c06d702", "page_size": 10, "extended": false, "classification": "malicious"}, "path_parameters": {"ip": "192.168.3.10"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| next_page | string | Output field next_page |
| downloaded_files | array | Output field downloaded_files |
| downloaded_files.sha1 | string | Output field downloaded_files.sha1 |
| downloaded_files.last_download_url | string | URL endpoint for the request |
| downloaded_files.classification | string | Output field downloaded_files.classification |
| downloaded_files.first_download | string | Output field downloaded_files.first_download |
| downloaded_files.last_seen | string | Output field downloaded_files.last_seen |
| downloaded_files.sample_size | number | Output field downloaded_files.sample_size |
| downloaded_files.sample_available | boolean | Output field downloaded_files.sample_available |
| downloaded_files.last_download | string | Output field downloaded_files.last_download |
| downloaded_files.first_seen | string | Output field downloaded_files.first_seen |
| downloaded_files.sha256 | string | Output field downloaded_files.sha256 |
| downloaded_files.md5 | string | Output field downloaded_files.md5 |
| downloaded_files.risk_score | number | Score value |
| downloaded_files.sample_type | string | Type of the resource |
| downloaded_files.threat_name | object | Name of the resource |
| downloaded_files.malware_family | object | Output field downloaded_files.malware_family |
| downloaded_files.malware_type | object | Type of the resource |
| downloaded_files.platform | object | Output field downloaded_files.platform |
| downloaded_files.subplatform | object | Output field downloaded_files.subplatform |
| requested_ip | string | Output field requested_ip |

Output example:

```json
{"status_code": 200, "response_headers": {"connection": "keep-alive", "content-length": "576", "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private", "content-security-policy": "default-src wss://hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'", "server": "nginx", "content-encoding": "gzip", "x-xss-protection": "1; mode=block", "expect-ct": "enforce, max-age=7776000", "accept-ranges": "bytes", "expires": "Mon, 09 Oct 2023 10:23:38 GMT", "x-content-type-options": "nosniff, nosniff", …
```

### Network IP Address Report

Accepts an IP address string and returns a report about the requested IP address.

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| ip_addr | string | required | Parameter for Network IP Address Report |

Input example:

```json
{"ip_addr": "8.8.8.8"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| json.third_party_reputations | object | Output field json.third_party_reputations |
| json.third_party_reputations.statistics | object | Output field json.third_party_reputations.statistics |
| json.third_party_reputations.statistics.total | number | Output field json.third_party_reputations.statistics.total |
| json.third_party_reputations.statistics.malicious | number | Output field json.third_party_reputations.statistics.malicious |
| json.third_party_reputations.statistics.undetected | number | Output field json.third_party_reputations.statistics.undetected |
| json.third_party_reputations.statistics.clean | number | Output field json.third_party_reputations.statistics.clean |
| json.third_party_reputations.sources | array | Output field json.third_party_reputations.sources |
| json.third_party_reputations.sources.detection | string | Output field json.third_party_reputations.sources.detection |
| json.third_party_reputations.sources.update_time | string | Time value |
| json.third_party_reputations.sources.detect_time | object | Time value |
| json.third_party_reputations.sources.category | object | Output field json.third_party_reputations.sources.category |
| json.third_party_reputations.sources.source | string | Output field json.third_party_reputations.sources.source |
| json.downloaded_files_statistics | object | Output field json.downloaded_files_statistics |
| json.downloaded_files_statistics.total | number | Output field json.downloaded_files_statistics.total |
| json.downloaded_files_statistics.unknown | number | Output field json.downloaded_files_statistics.unknown |
| json.downloaded_files_statistics.suspicious | number | Output field json.downloaded_files_statistics.suspicious |
| json.downloaded_files_statistics.malicious | number | Output field json.downloaded_files_statistics.malicious |
| json.downloaded_files_statistics.goodware | number | Output field json.downloaded_files_statistics.goodware |
| json.top_threats | array | Output field json.top_threats |
| json.top_threats.file_name | string | Name of the resource |
| json.top_threats.file | string | Output field json.top_threats.file |
| json.requested_ip | string | Output field json.requested_ip |
| json.modified_time | string | Time value |

Output example:

```json
{"json": {"third_party_reputations": {"statistics": {}, "sources": []}, "downloaded_files_statistics": {"total": 1776, "unknown": 1, "suspicious": 0, "malicious": 0, "goodware": 1775}, "top_threats": [], "requested_ip": "8.8.8.8", "modified_time": "2023-10-09T08:30:46"}}
```

### Network IP to Domain

Accepts an IP address string and returns a list of IP-to-domain mappings.

- Endpoint URL: `/api/network-threat-intel/ip/{{ip}}/resolutions/`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip | string | required | Parameters for the Network IP to Domain action |
| parameters.page | string | optional | SHA for the next page to be displayed |
| parameters.page_size | number | optional | Parameters for the Network IP to Domain action |

Input example:

```json
{"parameters": {"page": "0083a1c9ddb79e9d7d4cd331050d62531c06d702", "page_size": 10}, "path_parameters": {"ip": "192.168.3.10"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| next_page | object | Output field next_page |
| resolutions | array | Output field resolutions |
| resolutions.provider | string | Unique identifier |
| resolutions.last_resolution_time | string | Time value |
| resolutions.host_name | string | Name of the resource |
| requested_ip | string | Output field requested_ip |

Output example:

```json
{"status_code": 200, "response_headers": {"connection": "keep-alive", "content-length": "813", "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private", "content-security-policy": "default-src wss://hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'", "server": "nginx", "content-encoding": "gzip", "x-xss-protection": "1; mode=block", "expect-ct": "enforce, max-age=7776000", "accept-ranges": "bytes", "expires": "Mon, 09 Oct 2023 10:34:49 GMT", "x-content-type-options": "nosniff, nosniff", …
```

### Network URL Report

Accepts a URL string and returns a report about the requested URL.

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| requested_url | string | optional | URL endpoint for the request |

Input example:

```json
{"requested_url": "www.google.com"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| json | object | Output field json |
| json.third_party_reputations | object | Output field json.third_party_reputations |
| json.third_party_reputations.sources | array | Output field json.third_party_reputations.sources |
| json.third_party_reputations.sources.detection | string | Output field json.third_party_reputations.sources.detection |
| json.third_party_reputations.sources.source | string | Output field json.third_party_reputations.sources.source |
| json.third_party_reputations.sources.update_time | string | Time value |
| json.third_party_reputations.statistics | object | Output field json.third_party_reputations.statistics |
| json.third_party_reputations.statistics.total | number | Output field json.third_party_reputations.statistics.total |
| json.third_party_reputations.statistics.malicious | number | Output field json.third_party_reputations.statistics.malicious |
| json.third_party_reputations.statistics.clean | number | Output field json.third_party_reputations.statistics.clean |
| json.third_party_reputations.statistics.undetected | number | Output field json.third_party_reputations.statistics.undetected |
| json.reason | string | Response reason phrase |
| json.classification | string | Output field json.classification |
| json.analysis | object | Output field json.analysis |
| json.analysis.analysis_history | array | Output field json.analysis.analysis_history |
| json.analysis.analysis_history.domain | string | Output field json.analysis.analysis_history.domain |
| json.analysis.analysis_history.final_url | string | URL endpoint for the request |
| json.analysis.analysis_history.http_response_code | number | Output field json.analysis.analysis_history.http_response_code |
| json.analysis.analysis_history.analysis_id | string | Unique identifier |
| json.analysis.analysis_history.availability_status | string | Status value |
| json.analysis.analysis_history.serving_ip_address | string | Output field json.analysis.analysis_history.serving_ip_address |
| json.analysis.analysis_history.analysis_time | string | Time value |
| json.analysis.last_analysis | object | Output field json.analysis.last_analysis |
| json.analysis.last_analysis.domain | string | Output field json.analysis.last_analysis.domain |
| json.analysis.last_analysis.final_url | string | URL endpoint for the request |

Output example:

```json
{"json": {"third_party_reputations": {"sources": [], "statistics": {}}, "reason": "whitelist", "classification": "goodware", "analysis": {"analysis_history": [], "last_analysis": {}, "first_analysis": "2023-10-02T12:31:04", "analysis_count": 6280, "statistics": {}}, "requested_url": "www.google.com"}}
```

### Network URLs From IP

Accepts an IP address string and returns a list of URLs hosted on the requested IP address.

- Endpoint URL: `/api/network-threat-intel/ip/{{ip}}/urls/`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip | string | required | Parameters for the Network URLs From IP action |
| parameters.page | string | optional | SHA for the next page to be displayed |
| parameters.page_size | number | optional | Parameters for the Network URLs From IP action |

Input example:

```json
{"parameters": {"page": "0083a1c9ddb79e9d7d4cd331050d62531c06d702", "page_size": 10}, "path_parameters": {"ip": "192.168.3.10"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| next_page | object | Output field next_page |
| urls | array | URL endpoint for the request |
| urls.url | string | URL endpoint for the request |
| requested_ip | string | Output field requested_ip |

Output example:

```json
{"status_code": 200, "response_headers": {"connection": "keep-alive", "content-length": "4376", "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private", "content-security-policy": "default-src wss://hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'", "server": "nginx", "content-encoding": "gzip", "x-xss-protection": "1; mode=block", "expect-ct": "enforce, max-age=7776000", "accept-ranges": "bytes", "expires": "Mon, 09 Oct 2023 10:41:15 GMT", "x-content-type-options": "nosniff, nosniff", …
```

### Upload Sample From File

Accepts a file and returns a response containing the analysis task ID.

- Endpoint URL: `/api/uploads/`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| form_data | object | required | Response data |
| form_data.file | object | required | Binary file that you want to submit |
| form_data.file.file | string | required | Response data |
| form_data.file.file_name | string | required | Response data |
| form_data.archive_password | string | optional | Response data |
| form_data.rl_cloud_sandbox_platform | string | optional | Response data |
| form_data.comment | string | optional | Response data |
| form_data.tags | string | optional | Response data |
| form_data.analysis | string | optional | Response data |

Input example:

```json
{"form_data": {"file": {"file": "string", "file_name": "example name"}, "archive_password": "string", "rl_cloud_sandbox_platform": "string", "comment": "string", "tags": "string", "analysis": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| detail | object | Output field detail |
| detail.id | string | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"connection": "keep-alive", "content-length": "1272", "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private", "content-security-policy": "default-src wss://hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'", "server": "nginx", "content-encoding": "gzip", "x-xss-protection": "1; mode=block", "expect-ct": "enforce, max-age=7776000", "accept-ranges": "bytes", "expires": "Mon, 09 Oct 2023 06:52:36 GMT", "x-content-type-options": "nosniff, nosniff", …
```

### Upload Sample From URL

Accepts a URL and returns a response containing the analysis task ID.

- Endpoint URL: `/api/uploads/`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Response data |
| data_body.url | string | required | Response data |
| data_body.archive_password | string | optional | Response data |
| data_body.rl_cloud_sandbox_platform | string | optional | Response data |
| data_body.crawler | string | optional | Response data |

Input example:

```json
{"data_body": {"url": "www.example.com", "archive_password": "somerandompassword", "rl_cloud_sandbox_platform": "windows10", "crawler": "local"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| detail | object | Output field detail |
| detail.id | string | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"connection": "keep-alive", "content-length": "1272", "cache-control": "max-age=0, no-cache, no-store, must-revalidate, private", "content-security-policy": "default-src wss://hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval'", "server": "nginx", "content-encoding": "gzip", "x-xss-protection": "1; mode=block", "expect-ct": "enforce, max-age=7776000", "accept-ranges": "bytes", "expires": "Mon, 09 Oct 2023 06:52:36 GMT", "x-content-type-options": "nosniff, nosniff", …
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Accept-Ranges | HTTP response header Accept-Ranges | bytes |
| Allow | HTTP response header Allow | POST, OPTIONS |
| Cache-Control | Directives for caching mechanisms | max-age=0, no-cache, no-store, must-revalidate, private |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 813 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src wss://hotjar.com https: data: blob: 'unsafe-inline' 'unsafe-eval' |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 09 Oct 2023 10:41:16 GMT |
| Expect-CT | HTTP response header Expect-CT | enforce, max-age=7776000 |
| Expires | The date/time after which the response is considered stale | Mon, 09 Oct 2023 10:41:15 GMT |
| Referrer-Policy | HTTP response header Referrer-Policy | same-origin |
| Server | Information about the software used by the origin server | nginx |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=300 |
| Vary | HTTP response header Vary | Cookie, Accept-Encoding |
| Via | HTTP response header Via | 1.1 varnish, 1.1 varnish |
| X-Cache | HTTP response header X-Cache | MISS, MISS |
| X-Cache-Hits | HTTP response header X-Cache-Hits | 0, 0 |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff, nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY |
| X-Served-By | HTTP response header X-Served-By | cache-bom4751-BOM, cache-bom4751-BOM |
| X-Timer | HTTP response header X-Timer | S1696847688.768824,VS0,VE1764 |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
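The two multi-step flows this reference describes but never shows end to end, submitting a URL sample and then polling Get Submitted URL Report with the returned task id, and walking Network Files From IP page by page through the `next_page` token, as an added Python example that is not the connector's or the ReversingLabs SDK's own code. It also maps the API Token, Verify SSL and HTTP Proxy configuration parameters onto a `urllib` transport. Assumptions: the `Authorization: Token <key>` header scheme, the `processing_status` field used to decide that a URL report is ready (the page documents only that the response carries a processing status and the report once ready), and the `fake_transport` responses, which are constructed from the page's example values (IP, hashes, task id, page token).

```python
import json
import ssl
import time
import urllib.request
from urllib.parse import urlencode


def urllib_transport(base_url, api_token, verify_ssl=True, http_proxy=None):
    """Live transport from the connector's configuration; send(method, path, body) returns
    (status_code, parsed_body). Assumption: the key is sent as 'Authorization: Token <key>'."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # weak setting: certificate checks off; keep Verify SSL on in production
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if http_proxy:
        handlers.append(urllib.request.ProxyHandler({"http": http_proxy, "https": http_proxy}))
    opener = urllib.request.build_opener(*handlers)

    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
                                     headers={"Authorization": "Token " + api_token,
                                              "Content-Type": "application/json"})
        with opener.open(req, timeout=30) as resp:  # 4xx/5xx raise urllib.error.HTTPError
            return resp.status, json.loads(resp.read() or b"{}")
    return send


def fake_transport(script):
    """Offline transport: constructed responses per (method, path), consumed in order."""
    queues = {key: list(responses) for key, responses in script.items()}

    def send(method, path, body=None):
        queue = queues[(method, path)]
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return send


class A1000Client:
    def __init__(self, send):
        self._send = send

    def submit_url(self, url, crawler="local"):
        """Upload Sample From URL: POST /api/uploads/ and return the task id from detail.id."""
        status, body = self._send("POST", "/api/uploads/", {"url": url, "crawler": crawler})
        if status != 200 or "id" not in body.get("detail", {}):
            raise RuntimeError(f"upload failed: HTTP {status} {body}")
        return str(body["detail"]["id"])

    def wait_for_url_report(self, task_id, attempts=5, delay=0.0):
        """Get Submitted URL Report: poll /api/uploads/v2/url-samples/{task_id} a bounded number
        of times. Assumed field (not on the page): processing_status == 'complete' once ready."""
        for _ in range(attempts):
            status, body = self._send("GET", f"/api/uploads/v2/url-samples/{task_id}")
            if status == 200 and body.get("processing_status") == "complete":
                return body
            time.sleep(delay)
        raise TimeoutError(f"task {task_id} not finished after {attempts} attempts")

    def iter_downloaded_files(self, ip, classification=None, page_size=10):
        """Network Files From IP: follow next_page tokens until null, stopping on a repeated token."""
        params = {"page_size": page_size}
        if classification:
            params["classification"] = classification
        page, seen = None, set()
        while True:
            query = urlencode({**params, **({"page": page} if page else {})})
            status, body = self._send("GET", f"/api/network-threat-intel/ip/{ip}/downloaded_files/?{query}")
            if status != 200:
                raise RuntimeError(f"downloaded_files lookup for {ip} failed: HTTP {status}")
            yield from body.get("downloaded_files", [])
            page = body.get("next_page")
            if not page or page in seen:
                return
            seen.add(page)


IP, TOKEN = "192.168.3.10", "0083a1c9ddb79e9d7d4cd331050d62531c06d702"
BASE = f"/api/network-threat-intel/ip/{IP}/downloaded_files/?page_size=10&classification=malicious"
SCRIPT = {  # constructed responses; IP, hashes, task id and page token are the page's example values
    ("POST", "/api/uploads/"): [(200, {"detail": {"id": "1234"}})],
    ("GET", "/api/uploads/v2/url-samples/1234"): [
        (200, {"processing_status": "processing"}),
        (200, {"processing_status": "complete", "report": {"classification": "malicious"}})],
    ("GET", BASE): [(200, {"next_page": TOKEN, "downloaded_files": [
        {"sha1": "2efae02ecb7cfc279b704ac102763e6d184e26b0", "classification": "malicious", "risk_score": 10},
        {"sha1": "de6a74c6f259bd6e2eb5e725d9b37359ed129565", "classification": "malicious", "risk_score": 8}]})],
    ("GET", f"{BASE}&page={TOKEN}"): [(200, {"next_page": None, "downloaded_files": [
        {"sha1": "0" * 40, "classification": "malicious", "risk_score": 9}]})],  # placeholder hash
}


def run_demo():
    client = A1000Client(fake_transport(SCRIPT))
    task_id = client.submit_url("www.example.com")
    report = client.wait_for_url_report(task_id, attempts=3)
    files = list(client.iter_downloaded_files(IP, classification="malicious"))
    return {"task_id": task_id, "status": report["processing_status"], "file_count": len(files),
            "max_risk_score": max(f["risk_score"] for f in files)}
```

`run_demo()` drives the whole flow against the constructed transport; for a live appliance, build the client with `urllib_transport(url, api_token, verify_ssl=True)` instead. The bounded `attempts` in `wait_for_url_report` and the `seen` set in `iter_downloaded_files` are the two guards that keep a playbook from hanging on a report that never finishes or on a server that hands back the same page token twice.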