ReversingLabs A1000 (Preview)

ReversingLabs A1000 Malware Analysis Appliance integrates the ReversingLabs TitaniumCore automated static analysis technology and the TitaniumCloud File Reputation Service database. The REST Services APIs enable analysts to input samples, access unpacked files and view extracted Proactive Threat Indicators. The platform performs an in-depth static analysis of a comprehensive array of file types including Windows, Linux, Mac OS, iOS, Android, email attachments, documents and firmware.

This connector is available in the following products and regions:

Service         Class     Regions
Logic Apps      Standard  All Logic Apps regions except the following:
                          - Azure Government regions
                          - Azure China regions
                          - US Department of Defense (DoD)
Power Automate  Premium   All Power Automate regions except the following:
                          - US Government (GCC)
                          - US Government (GCC High)
                          - China Cloud operated by 21Vianet
                          - US Department of Defense (DoD)
Power Apps      Premium   All Power Apps regions except the following:
                          - US Government (GCC)
                          - US Government (GCC High)
                          - China Cloud operated by 21Vianet
                          - US Department of Defense (DoD)
Contact
Name ReversingLabs support
URL https://support.reversinglabs.com/
Email support@reversinglabs.com
Connector Metadata
Publisher ReversingLabs
Website https://www.reversinglabs.com/
Privacy policy https://www.reversinglabs.com/privacy-policy
Categories Security

This connector allows users of the ReversingLabs A1000 to access the API functions of the appliance. Actions such as submitting a file for analysis, retrieving results, and checking the reputation of a file are supported. Refer to the A1000 user guide in the appliance's web interface for further information about the API.

Prerequisites

In order to use this connector one must have an A1000 that is reachable from the cloud, the URL of the A1000 appliance, and an A1000 API key.

How to get credentials

Authentication to the A1000 API is performed with an API key. This key can be configured by users with administrative access to the appliance's web interface. To create an API key, refer to the help file in the A1000's web interface.

Get started with your connector

To get started with the A1000 connector, begin by configuring a new connection. The connector configuration will ask for a connection name and an API key value. Ensure you enter the API key value in the format Token <apikey>, where <apikey> is the actual API token.
After configuring the API connection, select from the available actions and provide the required inputs.

Common errors and remedies

  • 403 error: "Authentication credentials were not provided."
    • Ensure that you have configured the API connection using the format mentioned above.

FAQ

  • Q1. How long should I wait for the results of a file I submitted for analysis?

    • A1. Processing time varies with the load on the appliance and with the size and complexity of the file. It is best practice to create a loop that sleeps and then checks the processing status.
  • Q2. Where can I find documentation on the A1000 API or any other A1000 topic?

    • A2. Complete product documentation is available in the A1000 interface. After logging into the web interface, click the Help menu in the upper right corner.
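As an added illustration (not connector or ReversingLabs code) of two points above, the `Token <apikey>` header format from "Get started" and the sleep-and-check loop from A1, the Python helper below builds the header and polls a status lookup with bounded exponential backoff. The status names and the shape of the `check` callback are assumptions; the appliance's API documentation is authoritative.

```python
import time
from typing import Callable, Dict, Iterable, List

# Added example (not connector or ReversingLabs code). Status names and the
# shape of the `check` callback are assumptions; the A1000 API docs in the
# appliance web interface are authoritative.


def auth_header(api_key: str) -> Dict[str, str]:
    """Return the Authorization header in the 'Token <apikey>' form the
    connector expects. A bare key gets the prefix added; a key that already
    carries it is passed through unchanged. A malformed value is the usual
    cause of the 403 "Authentication credentials were not provided." error."""
    value = api_key.strip()
    if not value:
        raise ValueError("API key is empty")
    if not value.startswith("Token "):
        value = "Token " + value
    return {"Authorization": value}


def poll_processing_status(
    check: Callable[[List[str]], Dict[str, str]],
    hashes: Iterable[str],
    done_states: Iterable[str] = ("processed", "error"),  # assumed names
    initial_delay: float = 2.0,
    max_delay: float = 60.0,
    max_attempts: int = 20,
    sleep: Callable[[float], None] = time.sleep,
) -> Dict[str, str]:
    """Sleep-and-check loop from FAQ A1. `check` maps each hash to its current
    status (wrap the 'Retrieve processing status for files' action). Waits with
    exponential backoff until every hash reaches a terminal state, then returns
    the final statuses. Raises TimeoutError so a flow fails loudly instead of
    spinning forever against a heavily loaded appliance."""
    pending = set(hashes)
    terminal = set(done_states)
    final: Dict[str, str] = {}
    delay = initial_delay
    for _ in range(max_attempts):
        for h, status in check(sorted(pending)).items():
            if h in pending and status in terminal:
                final[h] = status
                pending.discard(h)
        if not pending:
            return final
        sleep(delay)
        delay = min(delay * 2, max_delay)
    raise TimeoutError(
        f"{len(pending)} sample(s) not finished after {max_attempts} checks: "
        f"{sorted(pending)}"
    )
```

In a flow, `check` would call the status action with the pending hashes; injecting `sleep` lets the loop be exercised without real delays.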

Creating a connection

The connector supports the following authentication types:

Name     Description                          Applicable   Shareable
Default  Parameters for creating connection.  All regions  Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This connection is not shareable. If the Power App is shared with another user, that user will be prompted to create a new connection explicitly.

Name            Type          Description                                                                                                                   Required
Token           securestring  Your A1000 token                                                                                                              True
A1000 host URL  string        A1000 host URL (Example: https://a1000.reversinglabs.com). If not specified, the host URL defaults to https://a1000.reversinglabs.com.

Throttling Limits

Name                      Calls  Renewal Period
API calls per connection  100    60 seconds

Actions

Check PDF report creation status

Check the creation status of a requested PDF report.

Create PDF report

Create a PDF sample analysis report.

Download PDF Report

Download the generated PDF analysis Report.

Perform advanced search

Search for samples available on the local A1000 instance and TitaniumCloud using the Advanced Search capabilities.

Retrieve a list of files from the IP address

Provides a list of hashes and classifications for files found on the submitted IP address.

Retrieve classification for a sample

Retrieve classification status for a sample.

Retrieve information for a domain

Returns network threat intelligence about the provided domain.

Retrieve information for a URL

Returns network threat intelligence about the provided URL.

Retrieve information for an IP address

Returns network threat intelligence about the provided IP address.

Retrieve IP address resolutions

Provides a list of IP-to-domain mappings.

Retrieve processing status for files

Check status of submitted files.

Retrieve processing status for URLs

Check status of submitted URLs.

Retrieve summary analysis report

Retrieve a summary analysis report for local samples.

Retrieve the detailed analysis report

Retrieve a detailed analysis report for local samples.

Retrieve the dynamic analysis report

Create and download a PDF or HTML report for samples that have gone through dynamic analysis in the ReversingLabs Cloud Sandbox.

Retrieve the static analysis report

Retrieve TitaniumCore analysis results for a local sample.

Retrieve URLs hosted on the IP address

Returns a list of URLs hosted on the submitted IP address.

Submit a sample for analysis

Submit a sample for analysis from a local directory or from a URL.

Check PDF report creation status

Check the creation status of a requested PDF report.

Parameters

Name  Key   Required  Type    Description
Hash  hash  True      string  Hash string

Create PDF report

Create a PDF sample analysis report.

Parameters

Name  Key   Required  Type    Description
Hash  hash  True      string  Hash string

Download PDF Report

Download the generated PDF analysis Report.

Parameters

Name  Key   Required  Type    Description
Hash  hash  True      string  Hash string

Perform advanced search

Search for samples available on the local A1000 instance and TitaniumCloud using the Advanced Search capabilities.

Parameters

Name              Key               Required  Type     Description
query             query                       string   Search query.
page              page                        integer  Page number.
records_per_page  records_per_page            integer  Number of records per page.
sort              sort                        string   Sorting criteria.

Retrieve a list of files from the IP address

Provides a list of hashes and classifications for files found on the submitted IP address.

Parameters

Name            Key             Required  Type     Description
Ip              ip              True      string   IP address string
Page            page                      string   SHA1 hash of the next page of results.
Page Size       page_size                 integer  Results per page
Extended        extended                  boolean  Include additional information on downloaded files.
Classification  classification            string   Return only samples with this classification

Retrieve classification for a sample

Retrieve classification status for a sample.

Parameters

Name         Key          Required  Type     Description
Hash Value   hash_value   True      string   Hash string
Localonly    localonly              integer  If set to 1, the request will only look for local samples on the appliance.
AV Scanners  av_scanners            integer  Include AV scanners summary information in the response.

Retrieve information for a domain

Returns network threat intelligence about the provided domain.

Parameters

Name    Key     Required  Type    Description
Domain  domain  True      string  Domain string

Retrieve information for a URL

Returns network threat intelligence about the provided URL.

Parameters

Name  Key  Required  Type    Description
Url   url  True      string  URL string

Retrieve information for an IP address

Returns network threat intelligence about the provided IP address.

Parameters

Name  Key  Required  Type    Description
Ip    ip   True      string  IP address string

Retrieve IP address resolutions

Provides a list of IP-to-domain mappings.

Parameters

Name       Key        Required  Type     Description
Ip         ip         True      string   IP address string
Page       page                 string   SHA1 hash of the next page of results.
Page Size  page_size            integer  Results per page

Retrieve processing status for files

Check status of submitted files.

Parameters

Name         Key          Required  Type             Description
Status       status                 string           Filter hashes by their status. Consult the documentation for available values.
hash_values  hash_values  True      array of string  Hash values of the submitted files to check.

Retrieve processing status for URLs

Check status of submitted URLs.

Parameters

Name  Key  Required  Type     Description
Id    ID   True      integer  Identification number of the URL submission task.

Retrieve summary analysis report

Retrieve a summary analysis report for local samples.

Parameters

Name                               Key                                Required  Type             Description
hash_values                        hash_values                        True      array of string  Hash values of the local samples to report on.
fields                             fields                                       array of string  Fields that will be returned in the report. Consult the A1000 API documentation for the supported values in the 'fields' parameter. If the 'include_networkthreatintelligence' parameter is set to 'true', 'networkthreatintelligence' and 'domainthreatintelligence' have to be included in the 'fields' parameter.
include_networkthreatintelligence  include_networkthreatintelligence            string           Lowercase stringified boolean. If set to 'true', 'networkthreatintelligence' and 'domainthreatintelligence' have to be included in the 'fields' parameter.
skip_reanalysis                    skip_reanalysis                              string           Lowercase stringified boolean.

Retrieve the detailed analysis report

Retrieve a detailed analysis report for local samples.

Parameters

Name             Key              Required  Type             Description
hash_values      hash_values      True      array of string  Hash values of the local samples to report on.
fields           fields                     array of string  Fields that will be returned in the report. Consult the A1000 API documentation for the supported values in the 'fields' parameter.
skip_reanalysis  skip_reanalysis            string           Lowercase stringified boolean.

Retrieve the dynamic analysis report

Create and download a PDF or HTML report for samples that have gone through dynamic analysis in the ReversingLabs Cloud Sandbox.

Parameters

Name        Key         Required  Type    Description
Hash Value  hash_value  True      string  The hash value must be a SHA-1 string.
Format      format      True      string  Analysis report format
Endpoint    endpoint    True      string  Select a task type.

Retrieve the static analysis report

Retrieve TitaniumCore analysis results for a local sample.

Parameters

Name        Key         Required  Type    Description
Hash Value  hash_value  True      string  Hash string
Fields      fields                array   Fields that will be returned in the report. Consult the A1000 API documentation for the supported values in the 'fields' parameter.

Retrieve URLs hosted on the IP address

Returns a list of URLs hosted on the submitted IP address.

Parameters

Name       Key        Required  Type     Description
Ip         ip         True      string   IP address string
Page       page                 string   SHA1 hash of the next page of results.
Page Size  page_size            integer  Results per page

Submit a sample for analysis

Submit a sample for analysis from a local directory or from a URL.

Parameters

Name                       Key                        Required  Type    Description
File                       file                                 file    Submit a sample from a file. Required but mutually exclusive with the 'url' parameter.
Url                        url                                  string  Submit a sample from a URL. Required but mutually exclusive with the 'file' parameter.
Filename                   filename                             string  Custom file name. Works only with the 'file' parameter.
Analysis                   analysis                             string  Select analysis type.
Tags                       tags                                 string  Set custom tags. Works only with the 'file' parameter.
Comment                    comment                              string  Set a custom comment. Works only with the 'file' parameter.
Crawler                    crawler                              string  Select a crawler type. Works only with the 'url' parameter.
Archive Password           archive_password                     string  Password for an archive.
RL Cloud Sandbox Platform  rl_cloud_sandbox_platform            string  Cloud sandbox platform.