Sophos Labs Intelix
SophosLabs Intelix is a threat intelligence and analysis platform. This connector integrates the SophosLabs Intelix REST API with Swimlane Turbine to analyze URLs, IPs, and files for threats.

## Prerequisites

To use this API, you must have an AWS account and be subscribed to SophosLabs Intelix. You will need the Client ID and Client Secret generated from that subscription to set up your asset.

## Capabilities

This connector currently supports the following capabilities:

- Dynamic File Analysis
  - Submit File
  - Get a Report by File Hash
  - Get Report by Job ID
- Static File Analysis
  - Submit File
  - Get Report by File Hash
  - Get Report by Job ID
- Static URL Analysis
  - Submit URL
  - Get URL Report by File Hash
  - Get URL Report by Job ID
- File Hash Lookup
  - Get File Hash Lookup
- IP Category Lookup
- URL Category Lookup

## Limitations

This connector currently does not support Intelix's Android APK Lookup API.

## Configurations

### SophosLabs Intelix OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token URL | | string | optional |
| Client ID | The Client ID | string | required |
| Client Secret | The Client Secret | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Dynamic Analysis: Get a Report by File Hash

Get a report by file hash.

- Endpoint URL: `/analysis/file/dynamic/v1/reports`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | required | The SHA256 hash of the file |
| report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| submission | string | Output field submission |
| analysis_type | string | Type of the resource |
| object_type | string | Type of the resource |
| score | number | Score value |
| analysis_subject | object | Output field analysis_subject |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| malicious_activity | object | Output field malicious_activity |
| suspicious | array | Output field suspicious |
| network | array | Output field network |
| signature | array | Output field signature |
| files | object | Output field files |
| written | array | Output field written |
| path | string | Output field path |
| process | string | Output field process |
| pid | number | Unique identifier |
| deleted | array | Output field deleted |
| path | string | Output field path |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "jobStatus": "SUCCESS",
      "report": {},
      "jobId": "949607c0b63a4a6fa2daad228380eca4"
    }
  }
]
```

### Dynamic Analysis: Get Report by Job ID

Get a file report by job ID.

- Endpoint URL: `/analysis/file/dynamic/v1/reports/{{job_id}}`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| job_id | string | required | The job ID obtained in the submit call |
| report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| submission | string | Output field submission |
| analysis_type | string | Type of the resource |
| object_type | string | Type of the resource |
| score | number | Score value |
| analysis_subject | object | Output field analysis_subject |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| malicious_activity | object | Output field malicious_activity |
| suspicious | array | Output field suspicious |
| network | array | Output field network |
| signature | array | Output field signature |
| malicious_classifications | array | Output field malicious_classifications |
| classification | string | Output field classification |
| classification_type | string | Type of the resource |
| artifact | string | Output field artifact |
| artifact_type | string | Type of the resource |
| threat_name | string | Name of the resource |
| pid | number | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "jobStatus": "SUCCESS",
      "report": {},
      "jobId": "949607c0b63a4a6fa2daad228380eca4"
    }
  }
]
```

### Dynamic Analysis: Submit File

Submit a file for dynamic analysis.

- Endpoint URL: `/analysis/file/dynamic/v1`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| form_data | object | required | Form data |
| file | array | required | File to be uploaded |
| file_name | string | required | Name of the resource |
| file | string | required | Parameter for Dynamic Analysis Submit File |
| report_format | string | optional | The requested report format |
| passwords | array | optional | Passwords can be provided, as a list of strings, in case of a password-protected file submission |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| submission | string | Output field submission |
| analysis_type | string | Type of the resource |
| object_type | string | Type of the resource |
| score | number | Score value |
| analysis_subject | object | Output field analysis_subject |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| malicious_activity | object | Output field malicious_activity |
| suspicious | array | Output field suspicious |
| network | array | Output field network |
| signature | array | Output field signature |
| malicious_classifications | array | Output field malicious_classifications |
| classification | string | Output field classification |
| classification_type | string | Type of the resource |
| artifact | string | Output field artifact |
| artifact_type | string | Type of the resource |
| threat_name | string | Name of the resource |
| pid | number | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "jobStatus": "SUCCESS",
      "report": {},
      "jobId": "949607c0b63a4a6fa2daad228380eca4"
    }
  }
]
```

### Get File Hash Lookup

Get information on known malicious files, by file hash, from SophosLabs.

- Endpoint URL: `/lookup/files/v1/{{sha256}}`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | required | The SHA256 hash of the requested file |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| reputationScore | number | Score value |
| detectionName | string | Name of the resource |
| ttl | number | Output field ttl |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "reputationScore": 18,
      "detectionName": "Mal/Generic-S",
      "ttl": 3600
    }
  }
]
```

### Get IP Category Lookup

Get IP information from SophosLabs.

- Endpoint URL: `/lookup/ips/v1/{{ip}}`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ip | string | required | The queried IP address. Currently only IPv4 is supported |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| category | array | Output field category |
| ttl | number | Output field ttl |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "category": [],
      "ttl": 300
    }
  }
]
```

### Get Lookup URL Categorization

Get URL information from SophosLabs.

- Endpoint URL: `/lookup/urls/v1/{{url}}`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| url | string | required | The URL-encoded URL to look up |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| productivityCategory | string | Output field productivityCategory |
| productivityScore | number | Score value |
| securityCategory | string | Output field securityCategory |
| securityScore | number | Score value |
| riskLevel | string | Output field riskLevel |
| ttl | number | Output field ttl |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "productivityCategory": "PROD_SPYWARE_AND_MALWARE",
      "productivityScore": 0,
      "securityCategory": "SEC_MALWARE_REPOSITORY",
      "securityScore": 0,
      "riskLevel": "HIGH",
      "ttl": 300
    }
  }
]
```

### Static Analysis: Get Report by File Hash

Get a report by file hash.

- Endpoint URL: `/analysis/file/static/v1/reports`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | required | The SHA256 hash of the file |
| report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| submission | string | Output field submission |
| analysis_type | string | Type of the resource |
| object_type | string | Type of the resource |
| score | number | Score value |
| analysis_subject | object | Output field analysis_subject |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| target | object | Output field target |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| analysis_summary | array | Output field analysis_summary |
| name | string | Name of the resource |
| description | string | Output field description |
| severity | number | Output field severity |
| container_analysis | object | Output field container_analysis |
| children_count | number | Count value |
| detection | object | Output field detection |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "jobStatus": "SUCCESS",
      "report": {}
    }
  }
]
```

### Static Analysis: Get Report by Job ID

Get a report by job ID.

- Endpoint URL: `/analysis/file/static/v1/reports/{{job_id}}`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| job_id | string | required | The job ID obtained in the submit call |
| report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jobId | string | Unique identifier |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| submission | string | Output field submission |
| analysis_type | string | Type of the resource |
| object_type | string | Type of the resource |
| score | number | Score value |
| analysis_subject | object | Output field analysis_subject |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| analysis_summary | array | Output field analysis_summary |
| name | string | Name of the resource |
| description | string | Output field description |
| severity | number | Output field severity |
| container_analysis | object | Output field container_analysis |
| children_count | number | Count value |
| detection | object | Output field detection |
| sophos | string | Output field sophos |
| sophos_ml | string | Output field sophos_ml |
| positives | number | Output field positives |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "jobStatus": "SUCCESS",
      "report": {},
      "ml_filepath": {},
      "ml_inputs": {},
      "pe_analysis": {},
      "reputation": {}
    },
    "jobId": "949607c0b63a4a6fa2daad228380eca4"
  }
]
```

### Static Analysis: Get URL Report by File Hash

Get a report by URL SHA256 hash.

- Endpoint URL: `/analysis/url/static/v1/reports`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | required | The SHA256 hash of the normalized URL |
| report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| submission | string | Output field submission |
| analysis_type | string | Type of the resource |
| object_type | string | Type of the resource |
| score | number | Score value |
| analysis_subject | object | Output field analysis_subject |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| url | string | URL endpoint for the request |
| productivity_category | string | Output field productivity_category |
| risk_level | string | Output field risk_level |
| ml_url | object | URL endpoint for the request |
| calibrated_score | number | Score value |
| raw_score | number | Score value |
| model_version | string | Output field model_version |
| url_analysis | object | URL endpoint for the request |
| dns_info | object | Output field dns_info |
| a_records | array | Output field a_records |
| aaaa_records | array | Output field aaaa_records |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "jobStatus": "SUCCESS",
      "report": {},
      "jobId": "949607c0b63a4a6fa2daad228380eca4"
    }
  }
]
```

### Static Analysis: Get URL Report by Job ID

Get a URL report by job ID.

- Endpoint URL: `/analysis/url/static/v1/reports/{{job_id}}`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| job_id | string | required | The job ID obtained in the submit call |
| report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | An optional caller-provided identifier which will be included in the response object |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| submission | string | Output field submission |
| analysis_type | string | Type of the resource |
| object_type | string | Type of the resource |
| score | number | Score value |
| analysis_subject | object | Output field analysis_subject |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| url | string | URL endpoint for the request |
| productivity_category | string | Output field productivity_category |
| risk_level | string | Output field risk_level |
| ml_url | object | URL endpoint for the request |
| calibrated_score | number | Score value |
| raw_score | number | Score value |
| model_version | string | Output field model_version |
| url_analysis | object | URL endpoint for the request |
| dns_info | object | Output field dns_info |
| a_records | array | Output field a_records |
| aaaa_records | array | Output field aaaa_records |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "jobStatus": "SUCCESS",
      "report": {},
      "jobId": "949607c0b63a4a6fa2daad228380eca4"
    }
  }
]
```

### Static Analysis: Submit File

Submit a file for static analysis.

- Endpoint URL: `/analysis/file/static/v1`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| form_data | object | required | Form data |
| file | array | required | File to be uploaded |
| file_name | string | required | Name of the resource |
| file | string | required | Parameter for Static Analysis Submit File |
| report_format | string | optional | The requested report format |
| passwords | array | optional | Passwords can be provided, as a list of strings, in case of a password-protected file submission |
| url | string | optional | The source URL for the HTML file (required for HTML file analysis) |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| submission | string | Output field submission |
| analysis_type | string | Type of the resource |
| object_type | string | Type of the resource |
| score | number | Score value |
| analysis_subject | object | Output field analysis_subject |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| target | object | Output field target |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| analysis_summary | array | Output field analysis_summary |
| name | string | Name of the resource |
| description | string | Output field description |
| severity | number | Output field severity |
| container_analysis | object | Output field container_analysis |
| children_count | number | Count value |
| detection | object | Output field detection |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "jobStatus": "SUCCESS",
      "report": {},
      "jobId": "949607c0b63a4a6fa2daad228380eca4"
    }
  }
]
```

### Static Analysis: Submit URL

Submit a URL for static analysis.

- Endpoint URL: `/analysis/url/static/v1`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| url | string | required | URL to be submitted |
| report_format | string | optional | The requested report format |
| headers | object | optional | HTTP headers for the request |
| X-Correlation-ID | string | optional | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| correlationId | string | Unique identifier |
| requestId | string | Unique identifier |
| jobStatus | string | Status value |
| report | object | Output field report |
| submission | string | Output field submission |
| analysis_type | string | Type of the resource |
| object_type | string | Type of the resource |
| score | number | Score value |
| analysis_subject | object | Output field analysis_subject |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| mimetype | string | Type of the resource |
| url | string | URL endpoint for the request |
| productivity_category | string | Output field productivity_category |
| risk_level | string | Output field risk_level |
| ml_url | object | URL endpoint for the request |
| calibrated_score | number | Score value |
| raw_score | number | Score value |
| model_version | string | Output field model_version |
| url_analysis | object | URL endpoint for the request |
| dns_info | object | Output field dns_info |
| a_records | array | Output field a_records |
| aaaa_records | array | Output field aaaa_records |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "correlationId": "11111111-2222-3333-4444-555555555555",
      "requestId": "1f44cdb5-d3a0-43d1-8a3d-597a9ab18cc3",
      "jobStatus": "SUCCESS",
      "report": {},
      "jobId": "949607c0b63a4a6fa2daad228380eca4"
    }
  }
]
```

## Notes

For more information on SophosLabs Intelix:

- Registration information from SophosLabs: https://api.labs.sophos.com/doc/index.html#registration-howto
- SophosLabs API authentication: https://api.labs.sophos.com/doc/authentication
- SophosLabs API documentation for the list of services: https://api.labs.sophos.com/doc/
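The lookup actions above (file hash, IP and URL category) are the ones an analyst typically automates first, so here is an added example, not code from this connector or from Sophos, of a small Python client that exercises them end to end: it obtains an OAuth 2.0 client-credentials token, calls the documented `/lookup/files/v1/{sha256}`, `/lookup/ips/v1/{ip}` and `/lookup/urls/v1/{url}` paths, percent-encodes the URL so it survives as a single path segment, forwards `X-Correlation-ID`, and caches each answer for the `ttl` the response carries. Everything not on this page is an assumption and is marked as such in the code: the token endpoint (`token_url`) is assumed to accept HTTP Basic `client_id:client_secret` with body `grant_type=client_credentials` and to return `access_token` and `expires_in`; lookup requests are assumed to send the bare access token in `Authorization`; the reputation-score bands in `file_verdict` are illustrative thresholds; and the responses in `CONSTRUCTED` are made up (the file one mirrors the page's own example) so the client runs offline through an injectable transport.

```python
import base64
import json
import re
import time
import urllib.parse
import urllib.request

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def http_transport(method, url, headers, body=None):
    """Real transport: returns (status, decoded JSON). Replaced by a fake in demo()."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


class IntelixClient:
    """Client for the /lookup/* endpoints documented above (added example, not Sophos code)."""

    def __init__(self, base_url, token_url, client_id, client_secret,
                 transport=http_transport, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self.token_url = token_url      # assumption: OAuth 2.0 client-credentials token endpoint
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport
        self.clock = clock
        self._token, self._token_expires_at = None, 0.0
        self._cache = {}                # path -> (expires_at, body); honours the response ttl

    def _access_token(self):
        # Refresh 30 s early so no request goes out with a token about to expire.
        if self._token and self.clock() < self._token_expires_at - 30:
            return self._token
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        status, body = self.transport(           # assumption: Basic auth + grant_type form body
            "POST", self.token_url,
            {"Authorization": "Basic " + creds,
             "Content-Type": "application/x-www-form-urlencoded"},
            b"grant_type=client_credentials")
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._token = body["access_token"]
        self._token_expires_at = self.clock() + float(body.get("expires_in", 3600))
        return self._token

    def _get(self, path, correlation_id=None):
        now = self.clock()
        hit = self._cache.get(path)
        if hit and now < hit[0]:
            return hit[1]               # still inside the ttl the service returned
        # assumption: the bare access token goes in Authorization (no "Bearer" prefix)
        headers = {"Authorization": self._access_token(), "Accept": "application/json"}
        if correlation_id:
            headers["X-Correlation-ID"] = correlation_id   # echoed back as correlationId
        status, body = self.transport("GET", self.base_url + path, headers)
        if status != 200:
            raise RuntimeError(f"GET {path}: HTTP {status}")
        ttl = int(body.get("ttl", 0))
        if ttl > 0:
            self._cache[path] = (now + ttl, body)
        return body

    def file_lookup(self, sha256, correlation_id=None):
        if not SHA256_RE.match(sha256):
            raise ValueError("sha256 must be 64 hex characters")
        return self._get("/lookup/files/v1/" + sha256.lower(), correlation_id)

    def ip_lookup(self, ip, correlation_id=None):
        return self._get("/lookup/ips/v1/" + ip, correlation_id)

    def url_lookup(self, url, correlation_id=None):
        # The URL is one path segment, so ":" and "/" must be percent-encoded as well.
        return self._get("/lookup/urls/v1/" + urllib.parse.quote(url, safe=""), correlation_id)


def file_verdict(lookup):
    """Triage verdict from reputationScore (0..100, lower is worse). Band edges are an
    illustrative assumption for this example, not values taken from the page."""
    score = lookup.get("reputationScore")
    if score is None:
        return "unknown"
    if score < 20:
        return "malicious"
    if score < 30:
        return "pua"
    return "unknown" if score < 70 else "clean"


# Constructed responses (not real service output) so the example runs offline.
CONSTRUCTED = {
    ("POST", "https://token.example/oauth2/token"): (200, {"access_token": "tok-1", "expires_in": 3600}),
    ("GET", "https://api.example/lookup/files/v1/" + "a" * 64): (200, {
        "correlationId": "11111111-2222-3333-4444-555555555555",
        "reputationScore": 18, "detectionName": "Mal/Generic-S", "ttl": 3600}),
    ("GET", "https://api.example/lookup/urls/v1/http%3A%2F%2Fexample.test%2Fa%3Fb%3D1"):
        (200, {"riskLevel": "HIGH", "securityCategory": "SEC_MALWARE_REPOSITORY", "ttl": 300}),
}


def demo():
    """Drive the client against CONSTRUCTED; returns (file verdict, URL risk level, HTTP calls made)."""
    calls = []

    def fake_transport(method, url, headers, body=None):
        calls.append((method, url, headers.get("X-Correlation-ID")))
        return CONSTRUCTED[(method, url)]

    c = IntelixClient("https://api.example", "https://token.example/oauth2/token",
                      "client-id", "client-secret", transport=fake_transport)
    first = c.file_lookup("A" * 64, correlation_id="case-42")
    c.file_lookup("A" * 64)                 # inside ttl: answered from cache, no HTTP call
    url = c.url_lookup("http://example.test/a?b=1")
    return file_verdict(first), url["riskLevel"], len(calls)   # -> ('malicious', 'HIGH', 3)


if __name__ == "__main__":
    print(demo())
```

Three HTTP calls are made in `demo()`: one token request, one file lookup and one URL lookup; the repeated file lookup is served from the ttl cache and the token is reused because it is still far from expiry. In a Turbine asset the `base_url` and `token_url` arguments correspond to the URL and Token URL configuration parameters above.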