# Sophos Labs Intelix
## Description

SophosLabs Intelix is a threat intelligence and analysis platform. This connector integrates the SophosLabs Intelix REST API with Swimlane Turbine to analyze URLs, IPs, and files for threats.

## Prerequisites

To use this API, you must have an AWS account and be subscribed to SophosLabs Intelix. You will need the client ID and client secret generated from that subscription to set up your asset.

## Capabilities

This connector currently supports the following capabilities:

- Dynamic File Analysis: Submit File, Get a Report by File Hash, Get Report by Job ID
- Static File Analysis: Submit File, Get Report by File Hash, Get Report by Job ID
- Static URL Analysis: Submit URL, Get URL Report by File Hash, Get URL Report by Job ID
- File Hash Lookup: Get File Hash Lookup
- URL Category Lookup
- and so on (see the full list under Actions)

## Limitations

This connector currently does not support Intelix's Android APK Lookup API.

## Notes

For more information, see:

- https://api.labs.sophos.com/doc/index.html#registration-howto
- https://api.labs.sophos.com/doc/authentication
- https://api.labs.sophos.com/doc/

## Configurations

### SophosLabs Intelix OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token_url | Token URL | string | optional |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Dynamic Analysis - Get a Report by File Hash

Get a report by file hash.

**Endpoint URL:** `/analysis/file/dynamic/v1/reports`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.sha256 | string | required | The SHA256 hash of the file |
| parameters.report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | HTTP headers for the request |

Input example:

```json
{"parameters": {"sha256": "6db36450e8fe2934106be5e653a160bec044c1ac552cdd04a300d7a9e2ddbf88", "report_format": "json"}, "headers": {"X-Correlation-ID": "y3f2dgpja2c"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| report.submission | string | Output field report.submission |
| report.analysis_type | string | Type of the resource |
| report.object_type | string | Type of the resource |
| report.score | number | Score value |
| report.analysis_subject | object | Output field report.analysis_subject |
| report.analysis_subject.sha1 | string | Output field report.analysis_subject.sha1 |
| report.analysis_subject.sha256 | string | Output field report.analysis_subject.sha256 |
| report.analysis_subject.mimetype | string | Type of the resource |
| report.malicious_activity | object | Output field report.malicious_activity |
| report.malicious_activity.suspicious | array | Output field report.malicious_activity.suspicious |
| report.malicious_activity.network | array | Output field report.malicious_activity.network |
| report.malicious_activity.signature | array | Output field report.malicious_activity.signature |
| report.files | object | Output field report.files |
| report.files.written | array | Output field report.files.written |
| report.files.written.path | string | Output field report.files.written.path |
| report.files.written.process | string | Output field report.files.written.process |
| report.files.written.pid | number | Unique identifier |
| report.files.deleted | array | Output field report.files.deleted |
| report.files.deleted.path | string | Output field report.files.deleted.path |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "jobStatus": "SUCCESS", "report": {"submission": "2018-03-14T16:13:48Z", "analysis_type": "static", "object_type": "file", "score": 0, "analysis_subject": {}, "malicious_activity": {}, "files": {}, "processes": [], "registry": {}, "network": {}, "screenshots": [], "activity_tree": {}, "mitre_overlay": {}}, "jobId": "949607c0b63a4a6fa2daad228380eca4"}}
```

### Dynamic Analysis - Get Report by Job ID

Get a file report by job ID.

**Endpoint URL:** `/analysis/file/dynamic/v1/reports/{{job_id}}`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.job_id | string | required | The job ID obtained in the submit call |
| parameters.report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Input example:

```json
{"parameters": {"report_format": "json"}, "path_parameters": {"job_id": "949607c0b63a4a6fa2daad228380eca4"}, "headers": {"X-Correlation-ID": "y3f2dgpja2c"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| report.submission | string | Output field report.submission |
| report.analysis_type | string | Type of the resource |
| report.object_type | string | Type of the resource |
| report.score | number | Score value |
| report.analysis_subject | object | Output field report.analysis_subject |
| report.analysis_subject.sha1 | string | Output field report.analysis_subject.sha1 |
| report.analysis_subject.sha256 | string | Output field report.analysis_subject.sha256 |
| report.analysis_subject.mimetype | string | Type of the resource |
| report.malicious_activity | object | Output field report.malicious_activity |
| report.malicious_activity.suspicious | array | Output field report.malicious_activity.suspicious |
| report.malicious_activity.network | array | Output field report.malicious_activity.network |
| report.malicious_activity.signature | array | Output field report.malicious_activity.signature |
| report.malicious_classifications | array | Output field report.malicious_classifications |
| report.malicious_classifications.classification | string | Output field report.malicious_classifications.classification |
| report.malicious_classifications.classification_type | string | Type of the resource |
| report.malicious_classifications.artifact | string | Output field report.malicious_classifications.artifact |
| report.malicious_classifications.artifact_type | string | Type of the resource |
| report.malicious_classifications.threat_name | string | Name of the resource |
| report.malicious_classifications.pid | number | Unique identifier |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "jobStatus": "SUCCESS", "report": {"submission": "2018-03-14T16:13:48Z", "analysis_type": "static", "object_type": "file", "score": 0, "analysis_subject": {}, "malicious_activity": {}, "malicious_classifications": [], "detonation_info": {}, "files": {}, "registry": {}, "network": {}, "screenshots": [], "activity_tree": {}, "mitre_overlay": {}}, "jobId": "9
```

### Dynamic Analysis - Submit File

Submit a file for dynamic analysis.

**Endpoint URL:** `/analysis/file/dynamic/v1`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| form_data | object | required | Response data |
| form_data.file | array | required | File to be uploaded |
| form_data.file.file_name | string | required | Response data |
| form_data.file.file | string | required | Response data |
| form_data.report_format | string | optional | The requested report format |
| form_data.passwords | array | optional | Passwords can be provided in case of a password-protected file submission, as a list of strings |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | HTTP headers for the request |

Input example:

```json
{"form_data": {"file": [{"file_name": "test_import.ssp", "file": "test_import.ssp"}], "report_format": "json", "passwords": ["abc123"]}, "headers": {"X-Correlation-ID": "y3f2dgpja2c"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| report.submission | string | Output field report.submission |
| report.analysis_type | string | Type of the resource |
| report.object_type | string | Type of the resource |
| report.score | number | Score value |
| report.analysis_subject | object | Output field report.analysis_subject |
| report.analysis_subject.sha1 | string | Output field report.analysis_subject.sha1 |
| report.analysis_subject.sha256 | string | Output field report.analysis_subject.sha256 |
| report.analysis_subject.mimetype | string | Type of the resource |
| report.malicious_activity | object | Output field report.malicious_activity |
| report.malicious_activity.suspicious | array | Output field report.malicious_activity.suspicious |
| report.malicious_activity.network | array | Output field report.malicious_activity.network |
| report.malicious_activity.signature | array | Output field report.malicious_activity.signature |
| report.malicious_classifications | array | Output field report.malicious_classifications |
| report.malicious_classifications.classification | string | Output field report.malicious_classifications.classification |
| report.malicious_classifications.classification_type | string | Type of the resource |
| report.malicious_classifications.artifact | string | Output field report.malicious_classifications.artifact |
| report.malicious_classifications.artifact_type | string | Type of the resource |
| report.malicious_classifications.threat_name | string | Name of the resource |
| report.malicious_classifications.pid | number | Unique identifier |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "jobStatus": "SUCCESS", "report": {"submission": "2018-03-14T16:13:48Z", "analysis_type": "static", "object_type": "file", "score": 0, "analysis_subject": {}, "malicious_activity": {}, "malicious_classifications": [], "detonation_info": {}, "files": {}, "processes": [], "registry": {}, "network": {}, "screenshots": [], "activity_tree": {}}, "jobId": "94960
```

### Get File Hash Lookup

Get information on known malicious files, by file hash, from SophosLabs.

**Endpoint URL:** `/lookup/files/v1/{{sha256}}`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.sha256 | string | required | The SHA256 hash of the requested file |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Input example:

```json
{"path_parameters": {"sha256": "6db36450e8fe2934106be5e653a160bec044c1ac552cdd04a300d7a9e2ddbf88"}, "headers": {"X-Correlation-ID": "y3f2dgpja2c"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| reputationScore | number | Score value |
| detectionName | string | Name of the resource |
| ttl | number | Output field ttl |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "reputationScore": 18, "detectionName": "Mal/Generic-S", "ttl": 3600}}
```

### Get IP Category Lookup

Get IP information from SophosLabs.

**Endpoint URL:** `/lookup/ips/v1/{{ip}}`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.ip | string | required | The queried IP address. Currently only IPv4 is supported. |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Input example:

```json
{"path_parameters": {"ip": "192.168.2.2"}, "headers": {"X-Correlation-ID": "y3f2dgpja2c"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| category | array | Output field category |
| ttl | number | Output field ttl |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "category": ["spammers"], "ttl": 300}}
```

### Get Lookup URL Categorization

Get URL information from SophosLabs.

**Endpoint URL:** `/lookup/urls/v1/{{url}}`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.url | string | required | The URL-encoded URL to look up |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Input example:

```json
{"path_parameters": {"url": "https://www.sophos.com/fen-us/flp/free-security-scan.aspx"}, "headers": {"X-Correlation-ID": "y3f2dgpja2c"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| productivityCategory | string | Output field productivityCategory |
| productivityScore | number | Score value |
| securityCategory | string | Output field securityCategory |
| securityScore | number | Score value |
| riskLevel | string | Output field riskLevel |
| ttl | number | Output field ttl |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "productivityCategory": "PROD_SPYWARE_AND_MALWARE", "productivityScore": 0, "securityCategory": "SEC_MALWARE_REPOSITORY", "securityScore": 0, "riskLevel": "HIGH", "ttl": 300}}
```

### Static Analysis - Get Report by File Hash

Get a report by file hash.

**Endpoint URL:** `/analysis/file/static/v1/reports`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.sha256 | string | required | The SHA256 hash of the file |
| parameters.report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Input example:

```json
{"parameters": {"sha256": "6db36450e8fe2934106be5e653a160bec044c1ac552cdd04a300d7a9e2ddbf88", "report_format": "json"}, "headers": {"X-Correlation-ID": "y3f2dgpja2c"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| report.submission | string | Output field report.submission |
| report.analysis_type | string | Type of the resource |
| report.object_type | string | Type of the resource |
| report.score | number | Score value |
| report.analysis_subject | object | Output field report.analysis_subject |
| report.analysis_subject.sha1 | string | Output field report.analysis_subject.sha1 |
| report.analysis_subject.sha256 | string | Output field report.analysis_subject.sha256 |
| report.analysis_subject.mimetype | string | Type of the resource |
| report.target | object | Output field report.target |
| report.target.sha1 | string | Output field report.target.sha1 |
| report.target.sha256 | string | Output field report.target.sha256 |
| report.target.mimetype | string | Type of the resource |
| report.analysis_summary | array | Output field report.analysis_summary |
| report.analysis_summary.name | string | Name of the resource |
| report.analysis_summary.description | string | Output field report.analysis_summary.description |
| report.analysis_summary.severity | number | Output field report.analysis_summary.severity |
| report.container_analysis | object | Output field report.container_analysis |
| report.container_analysis.children_count | number | Count value |
| report.detection | object | Output field report.detection |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "jobStatus": "SUCCESS", "report": {"submission": "2018-03-14T16:13:48Z", "analysis_type": "static", "object_type": "file", "score": 0, "analysis_subject": {}, "target": {}, "analysis_summary": [], "container_analysis": {}, "detection": {}, "ml_aggregate_results": {}, "ml_file": {}, "ml_filepath": {}, "ml_inputs": {}, "pe_analysis": {}, "jobId": "949607c0b6
```

### Static Analysis - Get Report by Job ID

Get a report by job ID.

**Endpoint URL:** `/analysis/file/static/v1/reports/{{job_id}}`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.job_id | string | required | The job ID obtained in the submit call |
| parameters.report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | HTTP headers for the request |

Input example:

```json
{"parameters": {"report_format": "application/json"}, "path_parameters": {"job_id": "949607c0b63a4a6fa2daad228380eca4"}, "headers": {"X-Correlation-ID": "y3f2dgpja2c"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jobId | string | Unique identifier |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| report.submission | string | Output field report.submission |
| report.analysis_type | string | Type of the resource |
| report.object_type | string | Type of the resource |
| report.score | number | Score value |
| report.analysis_subject | object | Output field report.analysis_subject |
| report.analysis_subject.sha1 | string | Output field report.analysis_subject.sha1 |
| report.analysis_subject.sha256 | string | Output field report.analysis_subject.sha256 |
| report.analysis_subject.mimetype | string | Type of the resource |
| report.analysis_summary | array | Output field report.analysis_summary |
| report.analysis_summary.name | string | Name of the resource |
| report.analysis_summary.description | string | Output field report.analysis_summary.description |
| report.analysis_summary.severity | number | Output field report.analysis_summary.severity |
| report.container_analysis | object | Output field report.container_analysis |
| report.container_analysis.children_count | number | Count value |
| report.detection | object | Output field report.detection |
| report.detection.sophos | string | Output field report.detection.sophos |
| report.detection.sophos_ml | string | Output field report.detection.sophos_ml |
| report.detection.positives | number | Output field report.detection.positives |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "jobStatus": "SUCCESS", "report": {"submission": "2018-03-14T16:13:48Z", "analysis_type": "static", "object_type": "file", "score": 0, "analysis_subject": {}, "analysis_summary": [], "container_analysis": {}, "detection": {}, "document_analysis": {}, "ml_aggregate_results": {}, "ml_file": {}, "analyzed_counts": {}, "overall_score": 0.0789779, "overall_s
```

### Static Analysis - Get URL Report by File Hash

Get a report by URL SHA256 hash.

**Endpoint URL:** `/analysis/url/static/v1/reports`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.sha256 | string | required | The SHA256 hash of the normalized URL |
| parameters.report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Input example:

```json
{"parameters": {"sha256": "d70a85f3ef7494f85a6bf35e60c666c8e2335563c7ad7e6d8ae69f058173ce2b", "report_format": "json"}, "headers": {"X-Correlation-ID": "yxzxz124l"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| report.submission | string | Output field report.submission |
| report.analysis_type | string | Type of the resource |
| report.object_type | string | Type of the resource |
| report.score | number | Score value |
| report.analysis_subject | object | Output field report.analysis_subject |
| report.analysis_subject.sha1 | string | Output field report.analysis_subject.sha1 |
| report.analysis_subject.sha256 | string | Output field report.analysis_subject.sha256 |
| report.analysis_subject.mimetype | string | Type of the resource |
| report.analysis_subject.url | string | URL endpoint for the request |
| report.productivity_category | string | Output field report.productivity_category |
| report.risk_level | string | Output field report.risk_level |
| report.ml_url | object | URL endpoint for the request |
| report.ml_url.calibrated_score | number | URL endpoint for the request |
| report.ml_url.raw_score | number | URL endpoint for the request |
| report.ml_url.model_version | string | URL endpoint for the request |
| report.url_analysis | object | URL endpoint for the request |
| report.url_analysis.dns_info | object | URL endpoint for the request |
| report.url_analysis.dns_info.a_records | array | URL endpoint for the request |
| report.url_analysis.dns_info.aaaa_records | array | URL endpoint for the request |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "jobStatus": "SUCCESS", "report": {"submission": "2018-03-14T16:13:48Z", "analysis_type": "static", "object_type": "file", "score": 0, "analysis_subject": {}, "productivity_category": "PROD_SPYWARE_AND_MALWARE", "risk_level": "HIGH", "ml_url": {}, "url_analysis": {}}, "jobId": "949607c0b63a4a6fa2daad228380eca4"}}
```

### Static Analysis - Get URL Report by Job ID

Get a URL report by job ID.

**Endpoint URL:** `/analysis/url/static/v1/reports/{{job_id}}`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.job_id | string | required | The job ID obtained in the submit call |
| parameters.report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Input example:

```json
{"parameters": {"report_format": "json"}, "path_parameters": {"job_id": "949607c0b63a4a6fa2daad228380eca4"}, "headers": {"X-Correlation-ID": "yabc123ijl"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| report.submission | string | Output field report.submission |
| report.analysis_type | string | Type of the resource |
| report.object_type | string | Type of the resource |
| report.score | number | Score value |
| report.analysis_subject | object | Output field report.analysis_subject |
| report.analysis_subject.sha1 | string | Output field report.analysis_subject.sha1 |
| report.analysis_subject.sha256 | string | Output field report.analysis_subject.sha256 |
| report.analysis_subject.mimetype | string | Type of the resource |
| report.analysis_subject.url | string | URL endpoint for the request |
| report.productivity_category | string | Output field report.productivity_category |
| report.risk_level | string | Output field report.risk_level |
| report.ml_url | object | URL endpoint for the request |
| report.ml_url.calibrated_score | number | URL endpoint for the request |
| report.ml_url.raw_score | number | URL endpoint for the request |
| report.ml_url.model_version | string | URL endpoint for the request |
| report.url_analysis | object | URL endpoint for the request |
| report.url_analysis.dns_info | object | URL endpoint for the request |
| report.url_analysis.dns_info.a_records | array | URL endpoint for the request |
| report.url_analysis.dns_info.aaaa_records | array | URL endpoint for the request |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "jobStatus": "SUCCESS", "report": {"submission": "2018-03-14T16:13:48Z", "analysis_type": "static", "object_type": "file", "score": 0, "analysis_subject": {}, "productivity_category": "PROD_SPYWARE_AND_MALWARE", "risk_level": "HIGH", "ml_url": {}, "url_analysis": {}}, "jobId": "949607c0b63a4a6fa2daad228380eca4"}}
```

### Static Analysis - Submit File

Submit a file for static analysis.

**Endpoint URL:** `/analysis/file/static/v1`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| form_data | object | required | Response data |
| form_data.file | array | required | File to be uploaded |
| form_data.file.file_name | string | required | Response data |
| form_data.file.file | string | required | Response data |
| form_data.report_format | string | optional | The requested report format |
| form_data.passwords | array | optional | Passwords can be provided in case of a password-protected file submission, as a list of strings |
| form_data.url | string | optional | The source URL for the HTML file (required for HTML file analysis) |
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | HTTP headers for the request |

Input example:

```json
{"form_data": {"file": [{"file_name": "test_import.ssp", "file": "test_import.ssp"}]}, "headers": {"X-Correlation-ID": "y3f2dgpja2c"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| report.submission | string | Output field report.submission |
| report.analysis_type | string | Type of the resource |
| report.object_type | string | Type of the resource |
| report.score | number | Score value |
| report.analysis_subject | object | Output field report.analysis_subject |
| report.analysis_subject.sha1 | string | Output field report.analysis_subject.sha1 |
| report.analysis_subject.sha256 | string | Output field report.analysis_subject.sha256 |
| report.analysis_subject.mimetype | string | Type of the resource |
| report.target | object | Output field report.target |
| report.target.sha1 | string | Output field report.target.sha1 |
| report.target.sha256 | string | Output field report.target.sha256 |
| report.target.mimetype | string | Type of the resource |
| report.analysis_summary | array | Output field report.analysis_summary |
| report.analysis_summary.name | string | Name of the resource |
| report.analysis_summary.description | string | Output field report.analysis_summary.description |
| report.analysis_summary.severity | number | Output field report.analysis_summary.severity |
| report.container_analysis | object | Output field report.container_analysis |
| report.container_analysis.children_count | number | Count value |
| report.detection | object | Output field report.detection |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "jobStatus": "SUCCESS", "report": {"submission": "2018-03-14T16:13:48Z", "analysis_type": "static", "object_type": "file", "score": 0, "analysis_subject": {}, "target": {}, "analysis_summary": [], "container_analysis": {}, "detection": {}, "document_analysis": {}, "ml_aggregate_results": {}, "ml_file": {}, "ml_filepath": {}, "ml_inputs": {}, "pe_analysis"
```

### Static Analysis - Submit URL

Submit a URL for static analysis.

**Endpoint URL:** `/analysis/url/static/v1`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| headers.X-Correlation-ID | string | optional | HTTP headers for the request |
| url | string | optional | URL to be submitted |
| report_format | string | optional | The requested report format |

Input example:

```json
{"json_body": {"url": "https://www.sophoslabs.com/malware", "report_format": "html"}, "headers": {"X-Correlation-ID": "yabcxy123il"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| report.submission | string | Output field report.submission |
| report.analysis_type | string | Type of the resource |
| report.object_type | string | Type of the resource |
| report.score | number | Score value |
| report.analysis_subject | object | Output field report.analysis_subject |
| report.analysis_subject.sha1 | string | Output field report.analysis_subject.sha1 |
| report.analysis_subject.sha256 | string | Output field report.analysis_subject.sha256 |
| report.analysis_subject.mimetype | string | Type of the resource |
| report.analysis_subject.url | string | URL endpoint for the request |
| report.productivity_category | string | Output field report.productivity_category |
| report.risk_level | string | Output field report.risk_level |
| report.ml_url | object | URL endpoint for the request |
| report.ml_url.calibrated_score | number | URL endpoint for the request |
| report.ml_url.raw_score | number | URL endpoint for the request |
| report.ml_url.model_version | string | URL endpoint for the request |
| report.url_analysis | object | URL endpoint for the request |
| report.url_analysis.dns_info | object | URL endpoint for the request |
| report.url_analysis.dns_info.a_records | array | URL endpoint for the request |
| report.url_analysis.dns_info.aaaa_records | array | URL endpoint for the request |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"correlationId": "11111111-2222-3333-4444-555555555555", "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3", "jobStatus": "SUCCESS", "report": {"submission": "2018-03-14T16:13:48Z", "analysis_type": "static", "object_type": "file", "score": 0, "analysis_subject": {}, "productivity_category": "PROD_SPYWARE_AND_MALWARE", "risk_level": "HIGH", "ml_url": {}, "url_analysis": {}}, "jobId": "949607c0b63a4a6fa2daad228380eca4"}}
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
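The authentication, file-hash lookup and report-by-job-ID flow the actions above wrap, as an added example that is not code from the original page, from Swimlane or from Sophos. It uses only the standard library with an injectable transport so it runs offline; the endpoint paths, header name and sample values are taken from this page, while the token-endpoint shape (HTTP Basic auth with `grant_type=client_credentials`), the `IN_PROGRESS`/`FAILURE` job states, the `fake_transport` responses and the reputation-score bands in `triage()` are assumptions.

```python
"""Client flow behind this connector's lookup and report-by-job-ID actions.
Added example, not Swimlane's or Sophos's code; standard library only, with an
injectable transport so it runs offline against the constructed responses
below. Assumptions: the token endpoint takes HTTP Basic auth with
grant_type=client_credentials; IN_PROGRESS/FAILURE job states; triage() bands.
"""
import base64
import uuid
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, body) -> (status_code, json_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]


class IntelixClient:
    def __init__(self, url: str, token_url: str, client_id: str,
                 client_secret: str, transport: Transport) -> None:
        self.url, self.token_url, self.transport = url.rstrip("/"), token_url, transport
        self.client_id, self.client_secret = client_id, client_secret
        self._access_token: Optional[str] = None

    def _token(self) -> str:
        """OAuth 2.0 client-credentials grant; the token is cached for reuse."""
        if self._access_token is None:
            creds = base64.b64encode(
                f"{self.client_id}:{self.client_secret}".encode()).decode()
            status, body = self.transport(
                "POST", self.token_url, {"Authorization": f"Basic {creds}",
                "Content-Type": "application/x-www-form-urlencoded"},
                b"grant_type=client_credentials")
            if status != 200 or "access_token" not in body:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._access_token = body["access_token"]
        return self._access_token

    def _get(self, path: str, correlation_id: Optional[str] = None) -> dict:
        # X-Correlation-ID is echoed back as correlationId, tying a response to a case.
        headers = {"Authorization": f"Bearer {self._token()}",
                   "X-Correlation-ID": correlation_id or uuid.uuid4().hex}
        status, body = self.transport("GET", self.url + path, headers, None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return body

    def file_lookup(self, sha256: str, correlation_id: Optional[str] = None) -> dict:
        """GET /lookup/files/v1/{sha256}; the hash is validated before it enters the path."""
        sha256 = sha256.strip().lower()
        if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
            raise ValueError("sha256 must be 64 hex characters")
        return self._get(f"/lookup/files/v1/{sha256}", correlation_id)

    def static_report(self, job_id: str, max_polls: int = 10) -> Optional[dict]:
        """Poll GET /analysis/file/static/v1/reports/{job_id}; None if still running."""
        for _ in range(max_polls):
            body = self._get(f"/analysis/file/static/v1/reports/{job_id}")
            if body.get("jobStatus") == "SUCCESS":
                return body.get("report")
            if body.get("jobStatus") == "FAILURE":  # assumed terminal value
                raise RuntimeError(f"job {job_id} failed")
        return None


def triage(lookup: dict) -> str:
    """Map a file-lookup response to a verdict; the score bands are an assumption."""
    score = lookup.get("reputationScore")
    if score is None or 30 <= score < 70:
        return "unknown"
    return "malicious" if score < 20 else ("pua" if score < 30 else "clean")


# Constructed offline transport standing in for HTTPS; bodies are modelled on
# this page's output examples (score 18, Mal/Generic-S), not live data.
SAMPLE_SHA256 = "6db36450e8fe2934106be5e653a160bec044c1ac552cdd04a300d7a9e2ddbf88"
SAMPLE_JOB = "949607c0b63a4a6fa2daad228380eca4"


def fake_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[bytes]) -> Tuple[int, dict]:
    if url.endswith("/oauth2/token"):
        ok = method == "POST" and headers.get("Authorization", "").startswith("Basic ")
        return (200, {"access_token": "constructed-token"}) if ok else (401, {})
    if headers.get("Authorization") != "Bearer constructed-token":
        return 401, {}
    if url.endswith(f"/lookup/files/v1/{SAMPLE_SHA256}"):
        return 200, {"correlationId": headers["X-Correlation-ID"], "reputationScore": 18,
                     "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
                     "detectionName": "Mal/Generic-S", "ttl": 3600}
    if url.endswith(f"/analysis/file/static/v1/reports/{SAMPLE_JOB}"):
        return 200, {"jobId": SAMPLE_JOB, "jobStatus": "SUCCESS", "report": {
            "submission": "2018-03-14T16:13:48Z", "analysis_type": "static", "score": 0}}
    if "/analysis/file/static/v1/reports/" in url:
        return 200, {"jobStatus": "IN_PROGRESS"}
    return 404, {}
```

Swap `fake_transport` for a real HTTPS call (same signature) and point `url` and `token_url` at the configured asset values to run it against the service.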