From bc4b16d241ef324e45577acde77eb9cb2cdd639d Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 16 Apr 2024 22:59:13 +0100 Subject: [PATCH 01/18] Create README.md --- .../Trellix Detection as a Service/README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 Plugins/Community Based Plugins/Trellix Detection as a Service/README.md diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md new file mode 100644 index 00000000..9f6ad922 --- /dev/null +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md 
@@ -0,0 +1,18 @@ +# Copilot for Security Custom Plugin - API - Trellix Detection as a Service + +#### Copilot for Security Plugin to retrieve sandbox reports for uploaded files and URLs using the Trellix Detection as a Service API + +### Pre-requisites + +* [Copilot for Security Enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +* [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) +* [API Key](https://fireeye.dev/docs/detection-on-demand/dod-portal/#api-key-management) from dod-portal.marketplace.apps.fireeye.com. + +### Instructions +#### Upload the Custom Plugin + +1. Obtain the file [API-GetAbuseIPDBIP.yaml](https://github.com/Azure/Copilot-For-Security/blob/main/Plugins/Community%20Based%20Plugins/AbuseIPDB/API-GetAbuseIPDBIP.yaml) from this directory. +2. [Upload the custom plugin](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#add-custom-plugins) and verify it's activated. +3. After plugin upload put in your [DoD API Key](https://learn.microsoft.com/en-us/security-copilot/plugin_api#configure-authentication-1). + +![CopilotForSecurity](https://learn.microsoft.com/en-us/security-copilot/media/add-plugin-button.png) From a1f51d2253180c1319199b4f1380c5fe3be03098 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 16 Apr 2024 23:04:03 +0100 Subject: [PATCH 02/18] Create API-TrellixDoD.yaml --- .../API-TrellixDoD.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 Plugins/Community Based Plugins/Trellix Detection as a Service/API-TrellixDoD.yaml 
diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/API-TrellixDoD.yaml b/Plugins/Community Based Plugins/Trellix Detection as a Service/API-TrellixDoD.yaml new file mode 100644 index 00000000..5eba42cc --- /dev/null +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/API-TrellixDoD.yaml @@ -0,0 +1,16 @@ +Descriptor: + Name: Trellix Detection as a Service + DisplayName: Get Trellix DoD Sandbox Reports + Description: Get detailed sandbox analysis reports from Trellix DoD + SupportedAuthTypes: + - ApiKey + Authorization: + Type: APIKey + Key: feye-auth-key + Location: Header + AuthScheme: '' + +SkillGroups: + - Format: API + Settings: + OpenApiSpecUrl: https://fireeye.dev/static/858367bd0d40a8a8cf20484dcf09e21e/detection_on_demand.yml From ae01c6838af3f531d1421a3b266ae5803cad87c3 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 16 Apr 2024 23:06:58 +0100 Subject: [PATCH 03/18] Update README.md --- .../Trellix Detection as a Service/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md index 9f6ad922..0be9689e 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md 
@@ -11,7 +11,7 @@ ### Instructions #### Upload the Custom Plugin -1. Obtain the file [API-GetAbuseIPDBIP.yaml](https://github.com/Azure/Copilot-For-Security/blob/main/Plugins/Community%20Based%20Plugins/AbuseIPDB/API-GetAbuseIPDBIP.yaml) from this directory. +1. Obtain the file [API-TrellixDoD.yaml](https://github.com/alfonso-greenbrook/Copilot-For-Security-Fork/blob/a1f51d2253180c1319199b4f1380c5fe3be03098/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/API-TrellixDoD.yaml) from this directory. 2. [Upload the custom plugin](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#add-custom-plugins) and verify it's activated. 3. After plugin upload put in your [DoD API Key](https://learn.microsoft.com/en-us/security-copilot/plugin_api#configure-authentication-1). From a017493e3853db8ed7e5e4425a39de289e12e04e Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 7 May 2024 19:47:47 +0100 Subject: [PATCH 04/18] Update README.md --- .../Trellix Detection as a Service/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md index 0be9689e..e03bf74d 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md 
@@ -11,7 +11,7 @@ ### Instructions #### Upload the Custom Plugin -1. Obtain the file [API-TrellixDoD.yaml](https://github.com/alfonso-greenbrook/Copilot-For-Security-Fork/blob/a1f51d2253180c1319199b4f1380c5fe3be03098/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/API-TrellixDoD.yaml) from this directory. +1. Obtain the file [API-TrellixDoD.yaml](https://github.com/Azure/Copilot-For-Security/blob/ae01c6838af3f531d1421a3b266ae5803cad87c3/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/API-TrellixDoD.yaml) from this directory. 2. [Upload the custom plugin](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#add-custom-plugins) and verify it's activated. 3. After plugin upload put in your [DoD API Key](https://learn.microsoft.com/en-us/security-copilot/plugin_api#configure-authentication-1). From f995076f312b90809eb33ecd260d8928b05ffb91 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 7 May 2024 20:02:48 +0100 Subject: [PATCH 05/18] Create OpenAPI-TrellixDoD.yml --- .../OpenAPI/OpenAPI-TrellixDoD.yml | 2230 +++++++++++++++++ 1 file changed, 2230 insertions(+) create mode 100644 Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml b/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml new file mode 100644 index 00000000..80300863 --- /dev/null +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml 
@@ -0,0 +1,2230 @@ +openapi: 3.0.0 +info: + title: Detection On Demand + description: | + FireEye offers a best-in-class virtual execution engine in many of its core products, including our Network Security, Email Security, and File Analysis solutions. Now our customers can interact with and consume those capabilities directly via a scalable and performant web service. Use the new RESTful API to submit files for malware analysis, search hash values for past analysis results, get full reports for your file submissions, and integrate into your existing toolsets and workflows. + + [How to import this API into Postman](http://fireeye.dev/docs/detection-on-demand/postman/) + termsOfService: "https://www.fireeye.com/company/legal.html" + contact: + name: "Developer Relations Team" + email: "developers@fireeye.com" + version: "1.4.1" +servers: + - description: Detection On Demand Production Server + url: https://feapi.marketplace.apps.fireeye.com + variables: {} +paths: + /files: + post: + tags: + - Files + summary: Submit a single file for analysis + description: | + This endpoint submits a binary file for analysis. **Your file must be less than 50 MB. Files greater than 50 MB will receive a 403 Forbidden.** + + This endpoint uses the `multipart/form-data` request type in order to support the uploading of files. **It does not accept a JSON body**. 
Here is an example in cURL: + ``` + curl --location --request POST 'https://feapi.marketplace.apps.fireeye.com/files' \ + --header 'feye-auth-key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb2...sTxC7tUkEYBMQyj18kP0' \ + --header 'Content-Type: multipart/form-data' \ + --form 'file=@/home/user/Downloads/default.aspx' \ + --form 'screenshot=true' \ + --form 'video=true' \ + --form 'file_extraction=true' + ``` + operationId: postFile + requestBody: + required: true + content: + multipart/form-data: + schema: + required: + - file + type: object + properties: + file: + type: string + format: binary + description: This is the binary file that you want to submit for malware analysis + file_name: + type: string + description: Custom name for the submitted file to be used in the report + password: + type: string + description: Password to be used by the detection engine to decrypt a password protected file + param: + type: string + description: Command line parameter(s) to be used by detection engine when running the file. Mainly applicable to .exe files. 
For example, setting param to "start -h localhost -p 5555" will make the detection engine run a file named "malicious.exe" as "malicious.exe start -h localhost -p 5555" + screenshot: + type: boolean + enum: [true, false] + default: false + example: false + description: Extract screenshot of screen activity during dynamic analysis if true, which later can be downloaded with artifacts api + video: + type: boolean + enum: [true, false] + default: false + example: false + description: Extract video activity during dynamic analysis if true, which later can be downloaded with artifacts api + file_extraction: + type: boolean + enum: [true, false] + default: false + example: false + description: Extract dropped files from vm during dynamic analysis if true, which later can be downloaded with artifacts api + memory_dump: + type: boolean + enum: [true, false] + default: false + example: false + description: Extract memory dump files from vm during dynamic analysis if true, which later can be downloaded with artifacts api + pcap: + type: boolean + enum: [true, false] + default: false + example: false + description: Extract pcap files from vm during dynamic analysis if true, which later can be downloaded with artifacts api + analysis_mode: + type: string + description: Analysis mode for submission (sandbox or live) + example: sandbox + profiles: + type: string + description: Profiles to be used for dynamic analysis. ["win7x64-sp1m", "win7-sp1m"] + force_analyze: + type: boolean + enum: [true, false] + default: false + example: false + description: Force submission for this file even if found as duplicate + externalDocs: + description: "Learn more about posting files by this API at the site below:" + url: "https://fireeye.dev/docs/detection-on-demand/#files" + responses: + 202: + description: "Accepted." 
+ content: + application/json: + schema: + required: + - status + - report_id + - md5 + properties: + status: + type: string + example: "success" + description: "This means that your file has been received and stored successfully. This does not mean your analysis has started or was completed--you will need to check the report for this report ID to see the analysis status." + report_id: + type: string + example: "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6" + description: "This is the analysis job ID of your file submission. Use this value as the `report_id` parameter in `GET /reports/{report_id}. You will need to keep your own database of your report IDs to view your reports and their status as the report IDs cannot be retrieved at a later time." + md5: + type: string + example: "4ba739fd8c216809e485e7972597c995" + description: "This is an MD5 hash of the file you submitted." + 400: + description: "Bad Request" + content: + application/json: + schema: + properties: + status: + type: string + example: "failed" + description: "This means that you did not the request properly" + message: + type: string + example: "url list is empty" + description: "This is the error message returned from the server." + 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" + /urls: + post: + tags: + - Urls + summary: Submit one or more URLs for analysis + description: | + This endpoint submits a list of URLs for analysis. The limit is 5 URLs in a single call. + + This endpoint uses the `multipart/form-data` request type. 
**It does not accept a JSON body**. Here is an example in cURL: + ``` + curl --location --request POST 'https://feapi.marketplace.apps.fireeye.com/urls' \ + --header 'feye-auth-key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ...3NDh9.XuADzMOS0G-jOwmx9AVVudhsTxC7tUkEYBMQyj18kP0' \ + --form 'urls=["http://s.securefileshares.com/2513501.doc/8e5aa3/e08d1cea-fdb4-4a50-8b19-095c0d47757c/?"]' + ``` + operationId: postUrl + requestBody: + required: true + content: + multipart/form-data: + schema: + required: + - urls + type: object + properties: + urls: + type: string + description: This is the list of URLs to submit for analysis in the form of ['url1','url2',...]. Maximum of 10 URLs allowed. + example: ['http://www.example.com','www.google.com'] + extract_gif: + type: boolean + enum: [true, false] + default: false + example: false + description: Extract screenshot of screen activity during dynamic analysis if true, which later can be downloaded with artifacts api + extract_video: + type: boolean + enum: [true, false] + default: false + example: false + description: Extract video activity during dynamic analysis if true, which later can be downloaded with artifacts api + file_extraction_enabled: + type: boolean + enum: [true, false] + default: false + example: false + description: Extract dropped files from vm during dynamic analysis if true, which later can be downloaded with artifacts api + memory_dump_extraction_enabled: + type: boolean + enum: [true, false] + default: false + example: false + description: Extract memory dump files from vm during dynamic analysis if true, which later can be downloaded with artifacts api + extract_pcaps: + type: boolean + enum: [true, false] + default: false + example: false + description: Extract pcap files from vm during dynamic analysis if true, which later can be downloaded with artifacts api + force_analyze: + type: boolean + enum: [true, false] + default: false + example: false + description: Force submission for this url even if found as 
duplicate + analysis_mode: + type: string + description: Analysis mode for submission(live). If analysis mode is set to live then profiles have to be provided + example: live + profiles: + type: string + description: Profiles to be used if analysis_mode is set to live + example: "[\"win7x64-sp1m\", \"win7-sp1m\", \"winxp-sp3m\", \"win10x64m\", \"centos-7.2\", \"osx-10.8.2\", \"osx-10.11.3\"]" + enable_prefetch: + type: boolean + enum: [true, false] + default: false + example: false + description: Download and analyze any file that the url points to. + responses: + 202: + description: "Accepted." + content: + application/json: + schema: + required: + - status + - report_id + - md5 + properties: + status: + type: string + example: "success" + description: "This means that your file has been received and stored successfully. This does not mean your analysis has started or was completed--you will need to check the report for this report ID to see the analysis status." + report_id: + type: string + example: "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6" + description: "This is the analysis job ID of your file submission. Use this value as the `report_id` parameter in `GET /reports/{report_id}. You will need to keep your own database of your report IDs to view your reports and their status as the report IDs cannot be retrieved at a later time." + md5: + type: string + example: "NA" + description: "Returned NA in case of urls" + 400: + description: "Bad Request" + content: + application/json: + schema: + properties: + status: + type: string + example: "failed" + description: "This means that you did not send a file with your request." + message: + type: string + example: "File not provided" + description: "This is the error message returned from the server." 
+ 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 415: + description: "Unsupported Media Type" + content: + application/json: + schema: + $ref: "#/components/schemas/UnsupportedMediaType" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" + /reports/search: + get: + tags: + - Reports + summary: Get a single report by connector and file ID + description: This endpoint is used as an alternate way to find a report that was submitted by a configured connector, like Box or Microsoft Teams. You must supply the connector type and the file ID that the connector uses to identify the file. If the file in question was submitted multiple times by the connector, only the latest report for that file will be returned. + operationId: getReports + parameters: + - in: query + name: extended + schema: + type: boolean + enum: [true, false] + example: false + description: "Setting extended to true will allow you to see all malware engine reports." + - in: query + name: connector_type + required: true + schema: + type: string + enum: [ box, teams ] + example: box + description: "The type of connector for which you want to search using file_id." + - in: query + name: file_id + required: true + schema: + type: string + example: 12345678 + description: "The file_id to search for a specific connector." 
+ responses: + 200: + description: "OK" + content: + application/json: + schema: + oneOf: + - $ref: "#/components/schemas/ReportNotExtended" + - $ref: "#/components/schemas/ReportExtended" + example: + report_id: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + overall_status: DONE + is_malicious: true + started_at: '2020-07-06 18:15:13' + completed_at: '2020-07-06 18:17:54' + duration: 161 + file_name: payment_2019.exe + file_size: 17920 + file_extension: exe + name: payment_2019.exe + type: exe + size: 17920 + md5: 968a89bf69338b6e0332a9d5d300cd5a + sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b + sha1: a68621e31c08a4fff8d4c4a49364b386acd769fa + magic: PE32 executable (GUI) Intel 80386, for MS Windows\012- data + extracted_objects: + - submission_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + name: payment_2019.exe + type: exe + complete_time: '2020-07-06 18:17:54.473953' + analyses_start_time: '2020-07-06 18:15:13.540694' + verdict: MALICIOUS + md5: 968a89bf69338b6e0332a9d5d300cd5a + sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b + status: SUCCESS + size: 17920 + is_malicious: true + results: + - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + analysis_results: + - engine: AVS LOOOKUP + weight: 100 + signature_name: FireEye.Malware.exe + - weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c + engine: 'Bale ENGINE ' + job_id: 2487 + - weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f + engine: 'Bale ENGINE ' + job_id: 2486 + - anomaly_types: + - FEBETA + os_info: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 + engine: Dynamic Analysis + job_id: 2487 + weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c + - anomaly_types: + - FEBETA + os_info: Microsoft Windows7 64-bit 6.1 sp1 17.0112 + engine: Dynamic 
Analysis + job_id: 2486 + weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f + - engine: Malware Guard + weight: 100 + signature_name: fe_ml_heuristic + - engine: Static Analysis + weight: 100 + signature_name: fe_ml_heuristic + - engine: Static Analysis - YARA + weight: 0 + signature_name: fe_ml_heuristic + - first_seen: '2019-09-17T00:34:00' + last_seen: '2019-12-08T04:53:00' + engine: global_cache + signature_name: Trojan.Small.FEC3 + weight: 100 + scan_count: 31 + scan_match: 30 + artifacts_info: + - object_artifact_details: + - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + artifact_details: + - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.flv + dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c + memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.zip + pcap_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.pcap + job_id: 2487 + profilename: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 + - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.flv + dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f + memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.zip + pcap_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.pcap + job_id: 2486 + profilename: Microsoft Windows7 64-bit 6.1 sp1 17.0112 + os_changes: true + os_changes_type: json + vm_artifacts_type: zip + screenshot: true + vm_artifacts: true + artifact_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + screenshot_type: gif + engine_results: + dynamic_analysis: + uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + is_malicious: 
true + analysis_info: {} + files_analyzed: 0 + overall_weight: 0 + total_duration: 0 + av_lookup: + verdict: not_found + signature_name: [] + avs_lookup: + verdict: not_found + signature_name: [] + dti_lookup: + verdict: not_found + signature_name: [] + mitre_mapping: + - id: T1204.002 + name: Malicious File + tactic: + - execution + - id: T1566.001 + name: Spearphishing Attachment + tactic: + - initial_access + - id: T1203 + name: Exploitation for Client Execution + tactic: + - execution + 400: + description: "Bad Request" + content: + application/json: + schema: + properties: + status: + type: string + example: "failed" + description: "This means that you did not provide a report ID." + message: + type: string + example: "Report ID not provided." + description: "This means that you did not provide a report ID." + 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" + /reports/{report_id}: + get: + tags: + - Reports + summary: Get single report + description: This endpoint fetches the results of a single file submission, known as a report. + operationId: getReport + parameters: + - in: path + name: report_id + required: true + schema: + type: string + example: "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6" + description: "The report ID returned after successfully submitting a file." + - in: query + name: extended + schema: + type: boolean + enum: [true, false] + example: false + description: "Setting extended to true will allow you to see all malware engine reports." 
+ externalDocs: + description: "Learn more about reading reports below:" + url: "https://fireeye.dev/docs/detection-on-demand/#reports" + responses: + 200: + description: "OK" + content: + application/json: + schema: + oneOf: + - $ref: "#/components/schemas/ReportNotExtended" + - $ref: "#/components/schemas/ReportExtended" + example: + report_id: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + overall_status: DONE + is_malicious: true + started_at: '2020-07-06 18:15:13' + completed_at: '2020-07-06 18:17:54' + duration: 161 + file_name: payment_2019.exe + file_size: 17920 + file_extension: exe + name: payment_2019.exe + type: exe + size: 17920 + md5: 968a89bf69338b6e0332a9d5d300cd5a + sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b + sha1: a68621e31c08a4fff8d4c4a49364b386acd769fa + magic: PE32 executable (GUI) Intel 80386, for MS Windows\012- data + extracted_objects: + - submission_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + name: payment_2019.exe + type: exe + complete_time: '2020-07-06 18:17:54.473953' + analyses_start_time: '2020-07-06 18:15:13.540694' + verdict: MALICIOUS + md5: 968a89bf69338b6e0332a9d5d300cd5a + sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b + status: SUCCESS + size: 17920 + is_malicious: true + results: + - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + analysis_results: + - engine: AVS LOOOKUP + weight: 100 + signature_name: FireEye.Malware.exe + - weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c + engine: 'Bale ENGINE ' + job_id: 2487 + - weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f + engine: 'Bale ENGINE ' + job_id: 2486 + - anomaly_types: + - FEBETA + os_info: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 + engine: Dynamic Analysis + job_id: 2487 + weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 
17d6d69a-74d6-4b73-bc34-b610689b399c + - anomaly_types: + - FEBETA + os_info: Microsoft Windows7 64-bit 6.1 sp1 17.0112 + engine: Dynamic Analysis + job_id: 2486 + weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f + - engine: Malware Guard + weight: 100 + signature_name: fe_ml_heuristic + - engine: Static Analysis + weight: 100 + signature_name: fe_ml_heuristic + - engine: Static Analysis - YARA + weight: 0 + signature_name: fe_ml_heuristic + - first_seen: '2019-09-17T00:34:00' + last_seen: '2019-12-08T04:53:00' + engine: global_cache + signature_name: Trojan.Small.FEC3 + weight: 100 + scan_count: 31 + scan_match: 30 + artifacts_info: + - object_artifact_details: + - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + artifact_details: + - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.flv + dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c + memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.zip + pcap_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.pcap + job_id: 2487 + profilename: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 + - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.flv + dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f + memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.zip + pcap_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.pcap + job_id: 2486 + profilename: Microsoft Windows7 64-bit 6.1 sp1 17.0112 + os_changes: true + os_changes_type: json + vm_artifacts_type: zip + screenshot: true + vm_artifacts: true + artifact_uuid: 
4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + screenshot_type: gif + engine_results: + dynamic_analysis: + uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + is_malicious: true + analysis_info: {} + files_analyzed: 0 + overall_weight: 0 + total_duration: 0 + av_lookup: + verdict: not_found + signature_name: [] + avs_lookup: + verdict: not_found + signature_name: [] + dti_lookup: + verdict: not_found + signature_name: [] + mitre_mapping: + - id: T1204.002 + name: Malicious File + tactic: + - execution + - id: T1566.001 + name: Spearphishing Attachment + tactic: + - initial_access + - id: T1203 + name: Exploitation for Client Execution + tactic: + - execution + 400: + description: "Bad Request" + content: + application/json: + schema: + properties: + status: + type: string + example: "failed" + description: "This means that you did not provide a report ID." + message: + type: string + example: "Report ID not provided." + description: "This means that you did not provide a report ID." + 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" + /reports/{hash}: + get: + tags: + - Reports + summary: Get single report by md5 or sha256 hash + description: This endpoint fetches the latest results for file submission with the provided md5 or sha256 hash. 
+ operationId: getReportsMD5 + parameters: + - in: path + name: hash + required: true + schema: + type: string + example: "a32a382b8a5a906e03a83b4f3e5b7a9b" + description: "MD5 or SHA256 hash of a submitted file" + - in: query + name: extended + schema: + type: boolean + enum: [true, false] + example: false + description: "Setting extended to true will allow you to see all malware engine reports." + responses: + 200: + description: "OK" + content: + application/json: + schema: + oneOf: + - $ref: "#/components/schemas/ReportNotExtended" + - $ref: "#/components/schemas/ReportExtended" + example: + report_id: 1737d302-600e-431c-96eb-9c688ee0af98 + overall_status: DONE + is_malicious: true + started_at: '2020-07-06 18:15:13' + completed_at: '2020-07-06 18:17:54' + duration: 161 + file_name: payment_2019.exe + file_size: 17920 + file_extension: exe + name: payment_2019.exe + type: exe + size: 17920 + md5: a32a382b8a5a906e03a83b4f3e5b7a9b + sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b + sha1: a68621e31c08a4fff8d4c4a49364b386acd769fa + magic: PE32 executable (GUI) Intel 80386, for MS Windows\012- data + extracted_objects: + - submission_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + name: payment_2019.exe + type: exe + complete_time: '2020-07-06 18:17:54.473953' + analyses_start_time: '2020-07-06 18:15:13.540694' + verdict: MALICIOUS + md5: 968a89bf69338b6e0332a9d5d300cd5a + sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b + status: SUCCESS + size: 17920 + is_malicious: true + results: + - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + analysis_results: + - engine: AVS LOOOKUP + weight: 100 + signature_name: FireEye.Malware.exe + - weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c + engine: 'Bale ENGINE ' + job_id: 2487 + - weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 
5c9237d4-759f-4183-91a8-08f191bdcf8f + engine: 'Bale ENGINE ' + job_id: 2486 + - anomaly_types: + - FEBETA + os_info: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 + engine: Dynamic Analysis + job_id: 2487 + weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c + - anomaly_types: + - FEBETA + os_info: Microsoft Windows7 64-bit 6.1 sp1 17.0112 + engine: Dynamic Analysis + job_id: 2486 + weight: 200 + signature_name: fe_ml_heuristic + dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f + - engine: Malware Guard + weight: 100 + signature_name: fe_ml_heuristic + - engine: Static Analysis + weight: 100 + signature_name: fe_ml_heuristic + - engine: Static Analysis - YARA + weight: 0 + signature_name: fe_ml_heuristic + - first_seen: '2019-09-17T00:34:00' + last_seen: '2019-12-08T04:53:00' + engine: global_cache + signature_name: Trojan.Small.FEC3 + weight: 100 + scan_count: 31 + scan_match: 30 + artifacts_info: + - object_artifact_details: + - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + artifact_details: + - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.flv + dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c + memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.zip + pcap_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.pcap + job_id: 2487 + profilename: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 + - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.flv + dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f + memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.zip + pcap_path: 
4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.pcap + job_id: 2486 + profilename: Microsoft Windows7 64-bit 6.1 sp1 17.0112 + os_changes: true + os_changes_type: json + vm_artifacts_type: zip + screenshot: true + vm_artifacts: true + artifact_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + screenshot_type: gif + engine_results: + dynamic_analysis: + uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe + is_malicious: true + analysis_info: {} + files_analyzed: 0 + overall_weight: 0 + total_duration: 0 + av_lookup: + verdict: not_found + signature_name: [] + avs_lookup: + verdict: not_found + signature_name: [] + dti_lookup: + verdict: not_found + signature_name: [] + mitre_mapping: + - id: T1204.002 + name: Malicious File + tactic: + - execution + - id: T1566.001 + name: Spearphishing Attachment + tactic: + - initial_access + - id: T1203 + name: Exploitation for Client Execution + tactic: + - execution + 400: + description: "Bad Request" + content: + application/json: + schema: + properties: + status: + type: string + example: "failed" + description: "This means that you did not provide a report ID." + md5: + type: string + example: "a32a382b8a5a906e03a83b4f3e5b7a9b" + description: "This means that you did not provide a report ID." + message: + type: string + example: "No data available" + description: "This means that you did not provide a report ID." 
+ 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" + /presigned-url/{report_id}: + get: + tags: + - Presigned-url + summary: Get a presigned URL + description: This endpoint fetches a presigned URL link to a browser viewable report. + operationId: getPresignedUrl + parameters: + - in: path + name: report_id + required: true + schema: + type: string + example: 874da611-f82a-4331-afde-5943f4facb92 + description: "The report ID returned after successfully submitting a file." + - in: query + name: expiry + schema: + type: integer + example: 1 + description: "Expiry (in hours) for browser viewable report presigned URL link. Default value is 72 hours. Minimum is 1 hour, and maximum is 8760 hours (365 days)." 
+ externalDocs: + description: "Learn more about generating presigned URLs below:" + url: "https://fireeye.dev/docs/detection-on-demand/#presigned-urls" + responses: + 200: + description: "OK" + content: + application/json: + schema: + properties: + status: + type: string + example: "success" + description: "This means the API was able to successfully generate a presigned URL for your report" + presigned_report_url: + type: string + example: "https://public-feapi.marketplace.apps.fireeye.com/reports/874da611-f82a-4331-afde-5943f4facb92?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXBvcnup67QiOiJlZWE4NmM1Yi01YWJiLTQ3MmItYWEwYi0zYjY3NDkxM2MwZmIiLCJleHAiOjE1ODc5MjM4ODJ9.qVx5iTZKBPsbRLIc1iIiLj3BI9nzimPaSB087AHPn1Y" + description: "Signed URL that will open the report in browser" + 400: + description: "Bad Request" + content: + application/json: + schema: + properties: + status: + type: string + example: "failed" + description: "This means that you did not provide a report ID." + message: + type: string + example: "Report ID not provided." + description: "This means that you did not provide a report ID." 
+ 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" + /health: + get: + tags: + - Health + summary: Health status of service, subscription and API key + description: This endpoint provide health status of Service, subscription and API key + operationId: getHealth + responses: + 200: + description: "OK" + content: + application/json: + schema: + properties: + status: + type: string + enum: ["success", "failed"] + example: "success" + description: "Determines if the API key is valid and able to check the status of the service" + service_status: + type: string + example: "RUNNING" + enum: ["RUNNING","DOWN", "DEGRADED"] + description: "The status of the Detection on Demand service" + api_key_valid: + type: boolean + example: true + enum: [true, false] + description: "True if the API key is valid" + subscription_start_date: + type: string + example: "2020-03-31 21:20:19" + description: "Start date of subscription in UTC" + subscription_end_date: + type: string + example: "2021-03-31 21:20:19" + description: "End date of subscription in UTC" + files_api_quota_total: + type: integer + example: 1000 + description: "Total number of file submissions allowed for the API key" + files_api_quota_remaining: + type: integer + example: 1000 + description: "Remaining file submissions for the API key" + files_api_quota_monthly: + type: integer + example: 300 + description: "Total file submissions allowed for each month for the API key. -1 if no limit on monthly submissions." 
+ files_api_quota_monthly_remaining: + type: integer + example: 100 + description: "Remaining file submissions allowed for the current month for the API key. -1 if no limit on monthly submissions." + files_api_quota_daily: + type: integer + example: 300 + description: "Total file submissions allowed for each day for the API key. -1 if no limit on daily submissions." + files_api_quota_daily_remaining: + type: integer + example: 100 + description: "Remaining file submissions allowed for the current day for the API key. -1 if no limit on daily submissions." + 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" + /hashes/{hash_id}: + get: + tags: + - Hashes + summary: Get hash analysis results + description: This endpoint fetches the results of a file submission by its MD5 hash. + operationId: getHashById + parameters: + - in: path + name: hash_id + required: true + schema: + type: string + example: "4ba739fd8c216809e485e7972597c995" + description: "The MD5 hash of a file you would like to request the malware analysis results for." + responses: + 200: + description: "OK" + content: + application/json: + schema: + properties: + md5: + type: string + example: "4ba739fd8c216809e485e7972597c995" + description: "This is an MD5 hash." + is_malicious: + type: boolean + example: true + enum: [true, false] + description: "This is FireEye's final determination if the file is malicious or not." 
+ engine_results: + type: object + properties: + dynamic_analysis: + type: object + properties: + verdict: + type: string + enum: ["found", "not_found"] + example: "not_found" + av_lookup: + type: object + properties: + first_seen: + type: string + example: "2019-08-31T20:36:39" + description: "When this file was first seen by the av_lookup engine." + last_seen: + type: string + example: "2019-09-18T15:46:00" + description: "When this file was last seen by the av_lookup engine." + signature_name: + type: array + items: + type: string + example: + [ + "Trojan.Grp.FEC3", + "Trojan.Genkryptik", + "fe_ml_heuristic", + "Trojan.Win.DYRE", + ] + verdict: + type: string + example: "malicious" + dti_lookup: + type: object + properties: + first_seen: + type: string + example: "N/A" + industry: + type: array + items: + type: string + overall_weight: + type: integer + example: 100 + display_message: + type: array + items: + type: string + example: ["msg1", "msg2"] + signature_name: + type: array + items: + type: string + example: ["Trojan.Grp.FEC3", "Trojan.Genkryptik"] + verdict: + type: string + example: "malicious" + 400: + description: "Bad Request" + content: + application/json: + schema: + properties: + status: + type: string + example: "failed" + description: "This means that you did not provide a hash ID." + message: + type: string + example: "Hash not provided." + description: "This means that you did not provide a hash ID." 
+ 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" + /hashes/{hash}: + get: + tags: + - Hashes + summary: Get md5 or sha256 hash analysis results + description: This endpoint fetches the results of a file submission by its md5 or sha256 hash. + operationId: getSHA256HashById + parameters: + - in: path + name: hash + required: true + schema: + type: string + example: "75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346" + description: "The MD5 or SHA256 hash of a file you would like to request the malware analysis results for." + responses: + 200: + description: "OK" + content: + application/json: + schema: + properties: + sha256: + type: string + example: "75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346" + description: "This is an SHA256 hash." + is_malicious: + type: boolean + example: true + enum: [true, false] + description: "This is FireEye's final determination if the file is malicious or not." + engine_results: + type: object + properties: + dynamic_analysis: + type: object + properties: + verdict: + type: string + enum: ["found", "not_found"] + example: "not_found" + av_lookup: + type: object + properties: + first_seen: + type: string + example: "2019-08-31T20:36:39" + description: "When this file was first seen by the av_lookup engine." + last_seen: + type: string + example: "2019-09-18T15:46:00" + description: "When this file was last seen by the av_lookup engine." 
+ signature_name: + type: array + items: + type: string + example: + [ + "Trojan.Grp.FEC3", + "Trojan.Genkryptik", + "fe_ml_heuristic", + "Trojan.Win.DYRE", + ] + verdict: + type: string + example: "malicious" + dti_lookup: + type: object + properties: + first_seen: + type: string + example: "N/A" + industry: + type: array + items: + type: string + overall_weight: + type: integer + example: 100 + display_message: + type: array + items: + type: string + example: ["msg1", "msg2"] + signature_name: + type: array + items: + type: string + example: ["Trojan.Grp.FEC3", "Trojan.Genkryptik"] + verdict: + type: string + example: "malicious" + 400: + description: "Bad Request" + content: + application/json: + schema: + properties: + status: + type: string + example: "failed" + description: "This means that you did not provide a hash ID." + message: + type: string + example: "Hash not provided." + description: "This means that you did not provide a hash ID." + 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" + /artifacts/{report_id}: + get: + tags: + - Artifacts + summary: Get artifacts for given report_id + description: This endpoint fetches artifacts, like a screenshot gif file, for the given report_id + operationId: getArtifacts + parameters: + - in: path + name: report_id + required: true + schema: + type: string + example: "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6" + description: "The report ID returned after successfully submitting a file." 
+ - in: query + name: artifact_uuid + schema: + type: string + example: "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6" + description: "Submitted sample can have more that one artifacts each artifact will have its on artifact uuid which is reported as part of reports api. User need to grab artifacts uuid from reports endpoint." + - in : query + name: type + required: true + schema: + type: string + enum: [screenshot,os_changes,vm_artifacts] + example: screenshot + description: "Type of artifact to download." + responses: + 200: + description: "OK" + content: + binary/octet-stream: + schema: + type: string + format: binary + 400: + description: "Bad Request" + content: + application/json: + schema: + properties: + status: + type: string + example: "failed" + description: "This means that you did not provide a report ID." + message: + type: string + example: "Report ID not provided." + description: "This means that you did not provide a report ID." + report_id: + type: string + example: "371163d6-1c32-4467-9562-870d84150091" + description: "The report ID you used when trying to get the artifact" + 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" + /telemetry: + get: + tags: + - Telemetry + summary: Pull results metadata in batches + description: This endpoint fetches metadata of completed submissions for given time interval. API also support pagination if number of records for given time period are more than 1000. 
+ operationId: getTelemetry + parameters: + - in: query + name: size + schema: + type: integer + example: 100 + description: "Count of records requested. Default value is 1000" + - in: query + name: type + schema: + type: string + enum: [ malicious,non-malicious,all ] + example: malicious + description: "Type of submissions to fetch. Default value is 'malicious'" + - in: query + name: from + schema: + type: integer + example: 10 + description: "Starting index. Default is 0" + - in: query + name: time_field + schema: + type: string + enum: [completed_at,started_at] + example: completed_at + description: "Field to use for start_time and end_time. Default is 'completed_at'" + - in: query + name: start_time + schema: + type: integer + example: 1599020028 + description: "Epoch Timestamp for starting." + - in: query + name: end_time + schema: + type: integer + example: 1599192828 + description: "Epoch Timestamp for ending." + - in: query + name: connector_type + schema: + type: string + enum: [box,slack,teams,s3,api,all] + example: box + description: "connector type specified, default is 'all', to get api submissions use 'api' " + - in: query + name: ioc + schema: + type: boolean + enum: [ true, false ] + example: false + description: "Return IOC information along with telemetry metadata" + responses: + 200: + description: "OK" + content: + application/json: + schema: + properties: + status: + type: string + example: "success" + description: "This is the status of response." + count: + type: integer + example: 1 + description: "This is the count of overall records found for given conditions." + data: + type: array + items: + type: object + properties: + subscription_id: + type: string + example: "amkt-example" + description: "Subscription id of customer." + is_malicious: + type: boolean + example: true + enum: [true, false] + description: "This is FireEye's final determination if the file is malicious or not." 
+ completed_at: + type: integer + example: 1599128761 + description: "This is FireEye's time when analysis was completed for submission." + urls: + type: array + items: + type: string + example: + [ + "example.com", + ] + description: "These are the urls in case of url submissions. Empty if no url" + report_id: + type: string + example: "24b5b4c4-5877-453f-a9e7-88ad7dc94699" + description: "This is the report id for submission" + verdict: + type: string + example: "MALICIOUS" + enum: ["NON-MALICIOUS", "MALICIOUS"] + description: "This is the FireEye's final verdict for submission " + overall_status: + type: string + example: "DONE" + enum: [ "DONE", "RUNNING", "FAILED" ] + description: "This is the FireEye's final status for submission " + signature_name: + type: array + items: + type: string + example: + [ + "Trojan.Grp.FEC3", + "Trojan.Genkryptik", + "fe_ml_heuristic", + "Trojan.Win.DYRE", + ] + description: "These are the FireEye's final signatures for submission " + started_at: + type: integer + example: 1599128761 + description: "This is FireEye's time when analysis was started for submission." 
+ file_extension: + type: string + example: "exe" + description: "This is extension of file submitted" + file_name: + type: string + example: "sample.exe" + description: "This is the name of file submitted" + file_size: + type: integer + example: 100 + description: "This is the size of file submitted in bytes" + md5: + type: string + example: "bc527343c7ffc103111f3a694b004e2f" + description: "This is the md5 hash of file submitted" + sha1: + type: string + example: "f6c32e81615adcd58786e45ba1031b2ae7c4da04" + description: "This is the sha1 hash of file submitted" + sha256: + type: string + example: "24e0b2bea368d3e9ac374a7ec05db6ded6e4f86e6a3652d9a709fccaa3e49daf" + description: "This is the sha256 hash of file submitted" + file_magic: + type: string + example: "PE32 executable (GUI) Intel 80386, for MS Windows\\012- data" + description: "This is the lib magic of file submitted" + connector_information: + description: "This is meta information about the submitted sample, will be empty for api submissions" + type: object + properties: + file_path: + type: string + example: "sample/folder1" + description: "Path of file in cconenctor." + file_name: + type: string + example: "sample.exe" + description: "Name of submitted file." + file_id: + type: string + example: "12345678" + description: "Id of file, if provided by integration." + connector_type: + type: string + example: "box" + description: "Type of connector." + 400: + description: "Bad Request" + content: + application/json: + schema: + properties: + status: + type: string + example: "failed" + description: "This means that some field is incorrect." + message: + type: string + example: "invalid 'size'" + enum: [ invalid 'size' ,invalid 'from', invalid 'start_time', invalid 'end_time'] + description: "This means that you did not provide a hash ID." 
+ 401: + description: "Unauthorized" + content: + application/json: + schema: + $ref: "#/components/schemas/Unauthorized" + 403: + description: "Forbidden" + content: + application/json: + schema: + $ref: "#/components/schemas/Forbidden" + 429: + description: "Too Many Requests" + content: + application/json: + schema: + $ref: "#/components/schemas/RateLimitExceeded" + 500: + description: "Internal Server Error" + content: + application/json: + schema: + $ref: "#/components/schemas/InternalServerError" +components: + securitySchemes: + FireEyeAPIKey: + type: apiKey + name: feye-auth-key + in: header + description: | + See the [docs](https://fireeye.dev/docs/detection-on-demand/#prerequisites) for information on generating an API key. + schemas: + RateLimitExceeded: + properties: + status: + type: string + example: "failed" + description: "You have hit the rate limit for the account containing your API key and your request has not gone through." + message: + type: string + example: "api key limit exhausted" + description: "You have hit the rate limit for the account containing your API key and your request has not gone through." + InternalServerError: + properties: + message: + type: string + example: "Internal server error." + description: "Something went wrong on our end." + Unauthorized: + properties: + status: + type: string + example: "failed" + description: "You did not provide an API key." + message: + type: string + example: "Internal server error." + description: "You did not provide an API key." + Forbidden: + properties: + status: + type: string + example: "failed" + description: "You provided an invalid API key." + message: + type: string + example: "Invalid api key" + description: "You provided an invalid API key." 
+ UnsupportedMediaType: + properties: + status: + type: string + example: "failed" + description: "The input may have been empty or malformed" + message: + type: string + example: "url list is empty" + description: "The array of URLs is empty" + ReportNotExtended: + required: + - report_id + - overall_status + - is_malicious + - started_at + - completed_at + - duration + - md5 + - sha256 + properties: + report_id: + description: Unique identifier for a submission or an object + type: string + overall_status: + description: Status of submission FAILED/RUNNING/DONE + enum: [FAILED,RUNNING,DONE] + type: string + api_key_name: + description: Name of the key, which is used while submission + type: string + analysis_mode: + description: Analysis mode for submission (sandbox or live) + type: string + retro: + description: retro triggered for submission + type: boolean + is_malicious: + description: Malicious flag for submission + type: boolean + started_at: + description: Sample submitted time in UTC + type: string + completed_at: + description: Sample completed time in UTC + type: string + duration: + description: duration take by sample for submission + type: integer + file_name: + description: Sample name, for urls, it is complete url + type: string + file_size: + description: In case of file submission, it is the size of file in bytes + type: integer + file_extension: + description: File extension of a submitted sample, in case of urls, it is url + type: string + signatures: + description: Comma separated list of Signatures + type: string + type: + description: File extension of a submitted sample, in case of urls, it is url + type: string + name: + description: Sample name, for urls, it is complete url + type: string + size: + description: In case of file submission, it is the size of file in bytes + type: integer + md5: + description: md5sum of a submission object + type: string + sha256: + description: sha256 of a submission object + type: string + sha1: + 
description: sha1 of a submission object + type: string + magic: + description: lib magic of file submitted + type: string + verdict: + description: overall verdict of submission it can be - MALICIOUS, NON-MALICIOUS, + RISKWARE, CUSTOM MALICIOUS, CUSTOM RISKWARE + enum: [MALICIOUS,NON-MALICIOUS,RISKWARE,CUSTOM MALICIOUS,CUSTOM RISKWARE] + type: string + retro_by: + description: list of names of engines for which retro triggered + type: array + required: + - name + items: + type: string + connector_information: + description: connector information for connector submission + type: object + required: + - connector_type + - connector_registration_id + properties: + connector_type: + description: connector type of submission + type: string + connector_registration_id: + description: connector registration id for the submission + type: integer + file_name: + description: file name of submission + type: string + file_version_id: + description: file_version_id of the file. Applicable for box integration + type: string + urls: + description: urls of submission + type: array + required: + - url + items: + type: string + signature_name: + description: List of signatures extracted by all engines + type: array + required: + - name + items: + type: string + email_context: + description: email context for email submission + type: object + properties: + subject: + description: Subject of email + type: string + header_size: + description: size of header of email + type: integer + email_from: + description: email address of sender + type: string + email_to: + description: email address of receiver + type: string + extracted_urls: + description: Count of url extracted from email + type: integer + extracted_attachments: + description: Count of attachments extracted from email + type: integer + queue_id: + description: queueid of email + type: string + messageid: + description: message id of email + type: string + ReportExtended: + required: + - report_id + - overall_status + - 
is_malicious + - started_at + - completed_at + - duration + - md5 + - sha256 + properties: + report_id: + description: Unique identifier for a submission or an object + type: string + overall_status: + description: Status of submission FAILED/RUNNING/DONE + enum: [FAILED,RUNNING,DONE] + type: string + api_key_name: + description: Name of the key, which is used while submission + type: string + analysis_mode: + description: Analysis mode for submission (sandbox or live) + type: string + retro: + description: retro triggered for submission + type: boolean + is_malicious: + description: Malicious flag for submission + type: boolean + started_at: + description: Sample submitted time in UTC + type: string + completed_at: + description: Sample completed time in UTC + type: string + duration: + description: duration take by sample for submission + type: integer + file_name: + description: Sample name, for urls, it is complete url + type: string + file_size: + description: In case of file submission, it is the size of file in bytes + type: integer + file_extension: + description: File extension of a submitted sample, in case of urls, it is url + type: string + signatures: + description: Comma separated list of Signatures + type: string + type: + description: File extension of a submitted sample, in case of urls, it is url + type: string + name: + description: Sample name, for urls, it is complete url + type: string + size: + description: In case of file submission, it is the size of file in bytes + type: integer + md5: + description: md5sum of a submission object + type: string + sha256: + description: sha256 of a submission object + type: string + sha1: + description: sha1 of a submission object + type: string + magic: + description: lib magic of file submitted + type: string + verdict: + description: overall verdict of submission it can be - MALICIOUS, NON-MALICIOUS, + RISKWARE, CUSTOM MALICIOUS, CUSTOM RISKWARE + enum: [MALICIOUS,NON-MALICIOUS,RISKWARE,CUSTOM 
MALICIOUS,CUSTOM RISKWARE] + type: string + retro_by: + description: list of names of engines for which retro triggered + type: array + required: + - name + items: + type: string + connector_information: + description: connector information for connector submission + type: object + required: + - connector_type + - connector_registration_id + properties: + connector_type: + description: connector type of submission + type: string + connector_registration_id: + description: connector registration id for the submission + type: integer + file_name: + description: file name of submission + type: string + file_version_id: + description: file_version_id of the file. Applicable for box integration + type: string + urls: + description: urls of submission + type: array + required: + - url + items: + type: string + signature_name: + description: List of signatures extracted by all engines + type: array + required: + - name + items: + type: string + email_context: + description: email context for email submission + type: object + properties: + subject: + description: Subject of email + type: string + header_size: + description: size of header of email + type: integer + email_from: + description: email address of sender + type: string + email_to: + description: email address of receiver + type: string + extracted_urls: + description: Count of url extracted from email + type: integer + extracted_attachments: + description: Count of attachments extracted from email + type: integer + queue_id: + description: queueid of email + type: string + messageid: + description: message id of email + type: string + extracted_objects: + description: Extracted urls or child objects within a submission + type: array + items: + title: Analysis Object + description: Details about each extracted object or url within a submission + type: object + required: + - object_uuid + - md5 + - sha256 + - verdict + properties: + object_uuid: + description: Unique identifier for extracted object + type: string 
+ analyses_start_time: + description: Sample submitted time in UTC + type: string + md5: + description: md5sum of an extracted object + type: string + sha256: + description: sha256 of an extracted object + type: string + verdict: + description: 'Analysis verdict of an object: it can be - MALICIOUS, NON-MALICIOUS, + RISKWARE, CUSTOM MALICIOUS, CUSTOM RISKWARE' + type: string + url_normalized: + description: Normalized for of url + type: string + submission_uuid: + description: Unique identifier for submission + type: string + status: + description: 'Analysis status: FAILED, IN-PROGRESS, SUCCESS' + type: string + type: + description: File extension of an extracted object, for url - url + type: string + object_type: + description: File extension of an extracted object, for url - url + type: string + name: + description: File name of an extracted object + type: string + size: + description: File size in Bytes + type: integer + complete_time: + description: Timestamp in UTC when object analysis completed + type: string + signature_name: + description: Signature name derived from analysis results + type: string + is_malicious: + description: Malicious flag for extracted object + type: boolean + anomaly_types: + description: 'Anomalies triggered for an object during analysis: RISKWARE + etc' + type: array + items: + type: string + uniqueItems: true + additional_info: + description: Signature name derived based on all the results, from both + Static Analysis and Dynamic Analysis of an extracted object , any other + additional information about extracted object + type: object + properties: {} + results: + description: Static & Dynamic Analysis results for both extracted objects and + as well for submission in a form of JSON array + type: array + items: + title: Analysis Result + description: Each extracted object's analysis result + type: object + required: + - object_uuid + - analysis_results + properties: + object_uuid: + description: Analysis objects' unique identifier 
for which the results are + generated for + type: string + analysis_results: + description: Both SA & DA analysis results + type: array + items: + title: Analysis Result + description: SA/DA Analysis result, along with BALE correlation results + type: object + required: + - engine + properties: + object_uuid: + description: Analysis objects' unique identifier for which the results + are generated for + type: string + engine: + description: 'Analysis engine name: yara, av-match, OSChanges, NetworkAnomaly, + VmSigMatch and BALE etc' + type: string + signature_name: + description: Signature that got triggered + type: integer + job_id: + description: 'Dynamic Analysis job or result uuid: Usually will be + present for OsChanges, NetworkAnomaly VmSigMatch and BALE engines' + type: string + dynamic_analysis_uuid: + description: 'Dynamic Analysis job or result uuid: Usually will be + present for OsChanges, NetworkAnomaly VmSigMatch and BALE engines' + type: string + weight: + description: Assigned weight for a job. Any weight >=100 will be malicious, + otherwise non-malicious + type: integer + minimum: 0 + signature_id: + description: Signature Id defined for signature name. Mostly the field + will be blank or null. 
+ type: integer + os_info: + description: OS name on which the dynamic analysis is performed (Profile) + type: string + channel: + description: channel encoded in base64 + type: string + anomaly_types: + description: Anomalies triggered for an OSChange job + type: array + items: + type: string + uniqueItems: true + additional_info: + description: Additional details of a static or dynamic job + type: object + properties: {} + artifacts_info: + description: Details of artifacts generated for submission + type: array + items: + title: Object's Artifacts Info + description: Each object's Artifacts Info + type: object + properties: + artifact_uuid: + description: Artifact uuid of object to be used in artifacts api + type: string + os_changes: + description: Field to check if os_changes present + type: boolean + os_changes_type: + description: type of os changes file + type: boolean + vm_artifacts: + description: Field to check if vm_artifacts present + type: boolean + vm_artifacts_type: + description: 'type of vm_artifacts file ' + type: boolean + screenshot: + description: Field to check if screenshot present + type: boolean + screenshot_type: + description: type of screenshot file + type: boolean + object_artifact_details: + title: Artifact object details + type: object + properties: + object_uuid: + description: unique identifier for object + type: string + artifact_details: + title: Object's Artifacts Info + description: Each object's Artifacts Info + type: object + properties: + video_path: + description: path of video file, NA if not present + type: string + dynamic_analysis_uuid: + description: dynamic analysis unique id + type: string + memory_and_file_dump: + description: path of memory dump file,NA if not present + type: string + pcap_path: + description: path of pcap file , NA if not present + type: string + profilename: + description: vm profile generating artifacts + type: string + mitre_mapping: + description: Mitre mapping in a form of JSON array + type: 
array + items: + title: Mitre Attack Mapping + description: Names and Tactics from Mitre attack database + type: object + required: + - id + - name + - tactic + properties: + id: + description: ID of the Mitre attack tactic + type: string + name: + description: Name of the Mitre attack tactic + type: string + tactic: + description: Mitre attack tactic + type: array + items: + type: string + example: + [ + "initial_access", + "execution", + "defense_evasion" + ] +security: + - FireEyeAPIKey: [] +tags: + - name: Files + description: Upload files to Detection On Demand + - name: Reports + description: Retrieve malware reports of your uploaded files + - name: Presigned-url + description: Retrieve presigned URL link to a browser viewable report + - name: Hashes + description: Retrieve malware results of a given MD5 hash + - name: Artifacts + description: Retrieve artifact for given report_id From c0d513f176540529fde0e10d9d00cd850433788e Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 7 May 2024 20:03:55 +0100 Subject: [PATCH 06/18] Rename API-TrellixDoD.yaml to TrellixDoD.yaml --- .../{API-TrellixDoD.yaml => TrellixDoD.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Plugins/Community Based Plugins/Trellix Detection as a Service/{API-TrellixDoD.yaml => TrellixDoD.yaml} (100%) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/API-TrellixDoD.yaml b/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml similarity index 100% rename from Plugins/Community Based Plugins/Trellix Detection as a Service/API-TrellixDoD.yaml rename to Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml From 32afd37f71c93e99e214efbce76c267b16a0a12c Mon Sep 17 00:00:00 2001 
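Review bot: `signature_name` under `analysis_results` is declared `type: integer` although its description is "Signature that got triggered" and every other `signature_name` in this file (the array items and the extracted-object field) is `type: string`, and the `/reports/search` example further down shows `signature_name: FireEye.Malware.exe`; change it to `type: string`. The same hunk types `os_changes_type`, `vm_artifacts_type` and `screenshot_type` as `type: boolean` while describing each as the "type of ... file", and the example response uses `os_changes_type: json`, `vm_artifacts_type: zip`, `screenshot_type: gif`, so these should be `type: string` as well. `required: - name` under the `retro_by`, `urls` and `signature_name` arrays is a no-op because `required` lists object property names and has no meaning on an array of strings; drop it. Two smaller mismatches with the example: the artifact schema names the field `memory_and_file_dump` while the example uses `memory_dump`, and the `mitre_mapping` descriptions call `id` and `name` "the Mitre attack tactic" although the example values (`T1204.002`, `Malicious File`) are technique IDs and names, with `tactic` being the separate array.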
From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 7 May 2024 20:11:44 +0100 Subject: [PATCH 07/18] Update README.md --- .../Trellix Detection as a Service/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md index e03bf74d..6773ec34 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md @@ -11,7 +11,7 @@ ### Instructions #### Upload the Custom Plugin -1. Obtain the file [API-TrellixDoD.yaml](https://github.com/Azure/Copilot-For-Security/blob/ae01c6838af3f531d1421a3b266ae5803cad87c3/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/API-TrellixDoD.yaml) from this directory. +1. Obtain the file [TrellixDoD.yaml](https://github.com/Azure/Copilot-For-Security/blob/c0d513f176540529fde0e10d9d00cd850433788e/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/TrellixDoD.yaml) from this directory. 2. [Upload the custom plugin](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#add-custom-plugins) and verify it's activated. 3. After plugin upload put in your [DoD API Key](https://learn.microsoft.com/en-us/security-copilot/plugin_api#configure-authentication-1). From b16112859247da2f2be18bfd657b889931aa6490 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 7 May 2024 20:39:14 +0100 Subject: [PATCH 08/18] Update README.md --- .../Trellix Detection as a Service/README.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) 
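Review bot: the replacement link pins the blob at commit c0d513f1 on Azure/Copilot-For-Security while the sentence still says "from this directory"; a pinned URL goes stale as soon as TrellixDoD.yaml changes again, which this very series does in PATCH 10 and PATCH 13. Use a relative link such as `[TrellixDoD.yaml](TrellixDoD.yaml)` so the README always resolves to the file beside it.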
diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md index 6773ec34..cc0f22a9 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md @@ -1,4 +1,4 @@ -# Copilot for Security Custom Plugin - API - Trellix Detection as a Service +# Trellix Detection as a Service API Plugin #### Copilot for Security Plugin to retrieve sandbox reports for uploaded files and URLs using the Trellix Detection as a Service API 
@@ -12,7 +12,18 @@ #### Upload the Custom Plugin 1. Obtain the file [TrellixDoD.yaml](https://github.com/Azure/Copilot-For-Security/blob/c0d513f176540529fde0e10d9d00cd850433788e/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/TrellixDoD.yaml) from this directory. -2. [Upload the custom plugin](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#add-custom-plugins) and verify it's activated. -3. After plugin upload put in your [DoD API Key](https://learn.microsoft.com/en-us/security-copilot/plugin_api#configure-authentication-1). +2. [Upload the custom plugin](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#add-custom-plugins) and verify it's been activated. +3. After the plugin has been uploaded, put in your [DoD API Key](https://learn.microsoft.com/en-us/security-copilot/plugin_api#configure-authentication-1). ![CopilotForSecurity](https://learn.microsoft.com/en-us/security-copilot/media/add-plugin-button.png) + +#### Utilization of the plugin +- **getReports:** Get a single report by the connector and file ID - this is used as an alternate way to find a report that was submitted by a configured connector, like Box or Microsoft Teams. You must supply the connector type and the file ID that the connector uses to identify the file. If the file in question was submitted multiple times by the connector, only the latest report for that file will be returned. +- **getReport:** Get single report - this fetches the results of a single file submission, known as a report. +- **getReportsMD5:** Get a single report by md5 or sha256 hash - this fetches the latest results for file submission with the provided md5 or sha256 hash. +- **getPresignedUrl:** Get a pre-signed URL - this fetches a pre-signed URL link to a browser-viewable report. 
+- **getHealth:** The health status of service, subscription and API key - this provides the health status of Service, subscription and API key +- **getHashById:** Get hash analysis results - this fetches the results of a file submission by its MD5 hash. +- **getSHA256HashById:** Get md5 or sha256 hash analysis results - this fetches the results of a file submission by its md5 or sha256 hash. +- **getArtifacts:** Get artefacts for given report_id - this fetches artefacts, like a screenshot gif file, for the given report_id +- **getTelemetry:** Pull results metadata in batches - this fetches metadata of completed submissions for a given time interval. API also support pagination if number of records for given time period are more than 1000. From 7ef6c3f98919a4abcaf4f6072445f47228cea722 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 6 Jun 2024 21:33:03 +0100 Subject: [PATCH 09/18] Update OpenAPI-TrellixDoD.yml --- .../OpenAPI/OpenAPI-TrellixDoD.yml | 501 ------------------ 1 file changed, 501 deletions(-) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml b/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml index 80300863..9e998499 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml 
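Review bot: the "Utilization of the plugin" list in the second hunk documents overlapping skills without saying how they differ: `getReportsMD5` is named for MD5 but described as "md5 or sha256 hash", `getHashById` is "by its MD5 hash", and `getSHA256HashById` is again "md5 or sha256 hash", so a reader cannot tell which one to invoke for a given hash. State the endpoint and accepted hash type behind each entry, or merge the duplicates. Also, "artefacts" in the `getArtifacts` entry should match the `artifacts` spelling used in the operation name and the "Artifacts" tag, and "API also support pagination if number of records for given time period are more than 1000" should read "The API also supports pagination if the number of records for the given time period is more than 1000".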
@@ -15,507 +15,6 @@ servers: url: https://feapi.marketplace.apps.fireeye.com variables: {} paths: - /files: - post: - tags: - - Files - summary: Submit a single file for analysis - description: | - This endpoint submits a binary file for analysis. **Your file must be less than 50 MB. Files greater than 50 MB will receive a 403 Forbidden.** - - This endpoint uses the `multipart/form-data` request type in order to support the uploading of files. **It does not accept a JSON body**. Here is an example in cURL: - ``` - curl --location --request POST 'https://feapi.marketplace.apps.fireeye.com/files' \ - --header 'feye-auth-key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb2...sTxC7tUkEYBMQyj18kP0' \ - --header 'Content-Type: multipart/form-data' \ - --form 'file=@/home/user/Downloads/default.aspx' \ - --form 'screenshot=true' \ - --form 'video=true' \ - --form 'file_extraction=true' - ``` - operationId: postFile - requestBody: - required: true - content: - multipart/form-data: - schema: - required: - - file - type: object - properties: - file: - type: string - format: binary - description: This is the binary file that you want to submit for malware analysis - file_name: - type: string - description: Custom name for the submitted file to be used in the report - password: - type: string - description: Password to be used by the detection engine to decrypt a password protected file - param: - type: string - description: Command line parameter(s) to be used by detection engine when running the file. Mainly applicable to .exe files. 
For example, setting param to "start -h localhost -p 5555" will make the detection engine run a file named "malicious.exe" as "malicious.exe start -h localhost -p 5555" - screenshot: - type: boolean - enum: [true, false] - default: false - example: false - description: Extract screenshot of screen activity during dynamic analysis if true, which later can be downloaded with artifacts api - video: - type: boolean - enum: [true, false] - default: false - example: false - description: Extract video activity during dynamic analysis if true, which later can be downloaded with artifacts api - file_extraction: - type: boolean - enum: [true, false] - default: false - example: false - description: Extract dropped files from vm during dynamic analysis if true, which later can be downloaded with artifacts api - memory_dump: - type: boolean - enum: [true, false] - default: false - example: false - description: Extract memory dump files from vm during dynamic analysis if true, which later can be downloaded with artifacts api - pcap: - type: boolean - enum: [true, false] - default: false - example: false - description: Extract pcap files from vm during dynamic analysis if true, which later can be downloaded with artifacts api - analysis_mode: - type: string - description: Analysis mode for submission (sandbox or live) - example: sandbox - profiles: - type: string - description: Profiles to be used for dynamic analysis. ["win7x64-sp1m", "win7-sp1m"] - force_analyze: - type: boolean - enum: [true, false] - default: false - example: false - description: Force submission for this file even if found as duplicate - externalDocs: - description: "Learn more about posting files by this API at the site below:" - url: "https://fireeye.dev/docs/detection-on-demand/#files" - responses: - 202: - description: "Accepted." 
- content: - application/json: - schema: - required: - - status - - report_id - - md5 - properties: - status: - type: string - example: "success" - description: "This means that your file has been received and stored successfully. This does not mean your analysis has started or was completed--you will need to check the report for this report ID to see the analysis status." - report_id: - type: string - example: "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6" - description: "This is the analysis job ID of your file submission. Use this value as the `report_id` parameter in `GET /reports/{report_id}. You will need to keep your own database of your report IDs to view your reports and their status as the report IDs cannot be retrieved at a later time." - md5: - type: string - example: "4ba739fd8c216809e485e7972597c995" - description: "This is an MD5 hash of the file you submitted." - 400: - description: "Bad Request" - content: - application/json: - schema: - properties: - status: - type: string - example: "failed" - description: "This means that you did not the request properly" - message: - type: string - example: "url list is empty" - description: "This is the error message returned from the server." - 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" - /urls: - post: - tags: - - Urls - summary: Submit one or more URLs for analysis - description: | - This endpoint submits a list of URLs for analysis. The limit is 5 URLs in a single call. - - This endpoint uses the `multipart/form-data` request type. 
**It does not accept a JSON body**. Here is an example in cURL: - ``` - curl --location --request POST 'https://feapi.marketplace.apps.fireeye.com/urls' \ - --header 'feye-auth-key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ...3NDh9.XuADzMOS0G-jOwmx9AVVudhsTxC7tUkEYBMQyj18kP0' \ - --form 'urls=["http://s.securefileshares.com/2513501.doc/8e5aa3/e08d1cea-fdb4-4a50-8b19-095c0d47757c/?"]' - ``` - operationId: postUrl - requestBody: - required: true - content: - multipart/form-data: - schema: - required: - - urls - type: object - properties: - urls: - type: string - description: This is the list of URLs to submit for analysis in the form of ['url1','url2',...]. Maximum of 10 URLs allowed. - example: ['http://www.example.com','www.google.com'] - extract_gif: - type: boolean - enum: [true, false] - default: false - example: false - description: Extract screenshot of screen activity during dynamic analysis if true, which later can be downloaded with artifacts api - extract_video: - type: boolean - enum: [true, false] - default: false - example: false - description: Extract video activity during dynamic analysis if true, which later can be downloaded with artifacts api - file_extraction_enabled: - type: boolean - enum: [true, false] - default: false - example: false - description: Extract dropped files from vm during dynamic analysis if true, which later can be downloaded with artifacts api - memory_dump_extraction_enabled: - type: boolean - enum: [true, false] - default: false - example: false - description: Extract memory dump files from vm during dynamic analysis if true, which later can be downloaded with artifacts api - extract_pcaps: - type: boolean - enum: [true, false] - default: false - example: false - description: Extract pcap files from vm during dynamic analysis if true, which later can be downloaded with artifacts api - force_analyze: - type: boolean - enum: [true, false] - default: false - example: false - description: Force submission for this url even if found as 
duplicate - analysis_mode: - type: string - description: Analysis mode for submission(live). If analysis mode is set to live then profiles have to be provided - example: live - profiles: - type: string - description: Profiles to be used if analysis_mode is set to live - example: "[\"win7x64-sp1m\", \"win7-sp1m\", \"winxp-sp3m\", \"win10x64m\", \"centos-7.2\", \"osx-10.8.2\", \"osx-10.11.3\"]" - enable_prefetch: - type: boolean - enum: [true, false] - default: false - example: false - description: Download and analyze any file that the url points to. - responses: - 202: - description: "Accepted." - content: - application/json: - schema: - required: - - status - - report_id - - md5 - properties: - status: - type: string - example: "success" - description: "This means that your file has been received and stored successfully. This does not mean your analysis has started or was completed--you will need to check the report for this report ID to see the analysis status." - report_id: - type: string - example: "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6" - description: "This is the analysis job ID of your file submission. Use this value as the `report_id` parameter in `GET /reports/{report_id}. You will need to keep your own database of your report IDs to view your reports and their status as the report IDs cannot be retrieved at a later time." - md5: - type: string - example: "NA" - description: "Returned NA in case of urls" - 400: - description: "Bad Request" - content: - application/json: - schema: - properties: - status: - type: string - example: "failed" - description: "This means that you did not send a file with your request." - message: - type: string - example: "File not provided" - description: "This is the error message returned from the server." 
- 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 415: - description: "Unsupported Media Type" - content: - application/json: - schema: - $ref: "#/components/schemas/UnsupportedMediaType" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" - /reports/search: - get: - tags: - - Reports - summary: Get a single report by connector and file ID - description: This endpoint is used as an alternate way to find a report that was submitted by a configured connector, like Box or Microsoft Teams. You must supply the connector type and the file ID that the connector uses to identify the file. If the file in question was submitted multiple times by the connector, only the latest report for that file will be returned. - operationId: getReports - parameters: - - in: query - name: extended - schema: - type: boolean - enum: [true, false] - example: false - description: "Setting extended to true will allow you to see all malware engine reports." - - in: query - name: connector_type - required: true - schema: - type: string - enum: [ box, teams ] - example: box - description: "The type of connector for which you want to search using file_id." - - in: query - name: file_id - required: true - schema: - type: string - example: 12345678 - description: "The file_id to search for a specific connector." 
- responses: - 200: - description: "OK" - content: - application/json: - schema: - oneOf: - - $ref: "#/components/schemas/ReportNotExtended" - - $ref: "#/components/schemas/ReportExtended" - example: - report_id: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - overall_status: DONE - is_malicious: true - started_at: '2020-07-06 18:15:13' - completed_at: '2020-07-06 18:17:54' - duration: 161 - file_name: payment_2019.exe - file_size: 17920 - file_extension: exe - name: payment_2019.exe - type: exe - size: 17920 - md5: 968a89bf69338b6e0332a9d5d300cd5a - sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b - sha1: a68621e31c08a4fff8d4c4a49364b386acd769fa - magic: PE32 executable (GUI) Intel 80386, for MS Windows\012- data - extracted_objects: - - submission_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - name: payment_2019.exe - type: exe - complete_time: '2020-07-06 18:17:54.473953' - analyses_start_time: '2020-07-06 18:15:13.540694' - verdict: MALICIOUS - md5: 968a89bf69338b6e0332a9d5d300cd5a - sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b - status: SUCCESS - size: 17920 - is_malicious: true - results: - - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - analysis_results: - - engine: AVS LOOOKUP - weight: 100 - signature_name: FireEye.Malware.exe - - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c - engine: 'Bale ENGINE ' - job_id: 2487 - - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f - engine: 'Bale ENGINE ' - job_id: 2486 - - anomaly_types: - - FEBETA - os_info: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 - engine: Dynamic Analysis - job_id: 2487 - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c - - anomaly_types: - - FEBETA - os_info: Microsoft Windows7 64-bit 6.1 sp1 17.0112 - engine: Dynamic 
Analysis - job_id: 2486 - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f - - engine: Malware Guard - weight: 100 - signature_name: fe_ml_heuristic - - engine: Static Analysis - weight: 100 - signature_name: fe_ml_heuristic - - engine: Static Analysis - YARA - weight: 0 - signature_name: fe_ml_heuristic - - first_seen: '2019-09-17T00:34:00' - last_seen: '2019-12-08T04:53:00' - engine: global_cache - signature_name: Trojan.Small.FEC3 - weight: 100 - scan_count: 31 - scan_match: 30 - artifacts_info: - - object_artifact_details: - - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - artifact_details: - - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.flv - dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c - memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.zip - pcap_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.pcap - job_id: 2487 - profilename: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 - - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.flv - dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f - memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.zip - pcap_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.pcap - job_id: 2486 - profilename: Microsoft Windows7 64-bit 6.1 sp1 17.0112 - os_changes: true - os_changes_type: json - vm_artifacts_type: zip - screenshot: true - vm_artifacts: true - artifact_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - screenshot_type: gif - engine_results: - dynamic_analysis: - uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - is_malicious: 
true - analysis_info: {} - files_analyzed: 0 - overall_weight: 0 - total_duration: 0 - av_lookup: - verdict: not_found - signature_name: [] - avs_lookup: - verdict: not_found - signature_name: [] - dti_lookup: - verdict: not_found - signature_name: [] - mitre_mapping: - - id: T1204.002 - name: Malicious File - tactic: - - execution - - id: T1566.001 - name: Spearphishing Attachment - tactic: - - initial_access - - id: T1203 - name: Exploitation for Client Execution - tactic: - - execution - 400: - description: "Bad Request" - content: - application/json: - schema: - properties: - status: - type: string - example: "failed" - description: "This means that you did not provide a report ID." - message: - type: string - example: "Report ID not provided." - description: "This means that you did not provide a report ID." - 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" /reports/{report_id}: get: tags: From c69da11cd12be8b2e62c134019a4fc5f51ff26cd Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 6 Jun 2024 21:35:20 +0100 Subject: [PATCH 10/18] Update TrellixDoD.yaml --- .../Trellix Detection as a Service/TrellixDoD.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml b/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml index 5eba42cc..cd50e8c5 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml 
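Review bot: the commit message "Update OpenAPI-TrellixDoD.yml" gives no reason for removing `/files`, `/urls` and `/reports/search` (501 lines), yet the README still promises to "retrieve sandbox reports for uploaded files and URLs" and the `getReports` entry added in PATCH 08 ("Get a single report by the connector and file ID") now describes an operation that no longer exists until PATCH 11 removes it. Say in the message why submission is dropped from the plugin, and in the same commit remove the `Files` tag ("Upload files to Detection On Demand") from the spec's `tags:` list, since no remaining path uses it. One inconsistency in the deleted text is worth recording in case `/urls` is restored later: its description said "The limit is 5 URLs in a single call" while the `urls` property said "Maximum of 10 URLs allowed".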
+++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml @@ -13,4 +13,4 @@ Descriptor: SkillGroups: - Format: API Settings: - OpenApiSpecUrl: https://fireeye.dev/static/858367bd0d40a8a8cf20484dcf09e21e/detection_on_demand.yml + OpenApiSpecUrl: https://raw.githubusercontent.com/alfonso-greenbrook/Copilot-For-Security-Fork/main/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/OpenAPI/OpenAPI-TrellixDoD.yml From 5632ba01e2e2d7b62e14b62f73a1b5f0a26cb20a Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 6 Jun 2024 21:36:48 +0100 Subject: [PATCH 11/18] Update README.md --- .../Trellix Detection as a Service/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md index cc0f22a9..4b1746d5 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md 
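Review bot: `OpenApiSpecUrl` now points at the `main` branch of a personal fork (`alfonso-greenbrook/Copilot-For-Security-Fork`), so the plugin loads its operation list and `servers:` entry from a location outside this repository's review. Anyone who can push to that fork can change the `url: https://feapi.marketplace.apps.fireeye.com` server to a host they control and receive every request, including the `feye-auth-key` value the user entered as the ApiKey credential, without a PR ever appearing here. Point the URL at the file's path in Azure/Copilot-For-Security once merged, or at minimum pin a commit SHA instead of `main`.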
@@ -18,7 +18,6 @@ ![CopilotForSecurity](https://learn.microsoft.com/en-us/security-copilot/media/add-plugin-button.png) #### Utilization of the plugin -- **getReports:** Get a single report by the connector and file ID - this is used as an alternate way to find a report that was submitted by a configured connector, like Box or Microsoft Teams. You must supply the connector type and the file ID that the connector uses to identify the file. If the file in question was submitted multiple times by the connector, only the latest report for that file will be returned. - **getReport:** Get single report - this fetches the results of a single file submission, known as a report. - **getReportsMD5:** Get a single report by md5 or sha256 hash - this fetches the latest results for file submission with the provided md5 or sha256 hash. - **getPresignedUrl:** Get a pre-signed URL - this fetches a pre-signed URL link to a browser-viewable report. From 31a3b040516e97b749baf5a1fecb50f5a50b7530 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 6 Jun 2024 21:38:49 +0100 Subject: [PATCH 12/18] Update README.md --- .../Trellix Detection as a Service/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md index 4b1746d5..0025e722 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md 
@@ -11,7 +11,7 @@ ### Instructions #### Upload the Custom Plugin -1. Obtain the file [TrellixDoD.yaml](https://github.com/Azure/Copilot-For-Security/blob/c0d513f176540529fde0e10d9d00cd850433788e/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/TrellixDoD.yaml) from this directory. +1. Obtain the file [TrellixDoD.yaml](https://raw.githubusercontent.com/alfonso-greenbrook/Copilot-For-Security-Fork/main/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/TrellixDoD.yaml) from this directory. 2. [Upload the custom plugin](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#add-custom-plugins) and verify it's been activated. 3. After the plugin has been uploaded, put in your [DoD API Key](https://learn.microsoft.com/en-us/security-copilot/plugin_api#configure-authentication-1). From bd8cd5bde0c1530146d3e1c03397c4aeb520d366 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Mon, 10 Jun 2024 17:33:58 +0100 Subject: [PATCH 13/18] Update TrellixDoD.yaml --- .../Trellix Detection as a Service/TrellixDoD.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml b/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml index cd50e8c5..eadac132 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml @@ -1,7 +1,7 @@ Descriptor: Name: Trellix Detection as a Service - DisplayName: Get Trellix DoD Sandbox Reports - Description: Get detailed sandbox analysis reports from Trellix DoD + DisplayName: Trellix Detection as a Service + Description: Get detailed sandbox analysis reports from Trellix Detection as a Service SupportedAuthTypes: - ApiKey Authorization: 
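Review bot: the README download link in the first hunk now targets the raw file on the personal fork `alfonso-greenbrook/Copilot-For-Security-Fork` while the sentence still reads "from this directory"; after this PR merges, users following it would install a descriptor from a branch that can diverge from the reviewed copy, and the descriptor's `OpenApiSpecUrl` is what decides where their API key is sent. Replace it with a relative link to `TrellixDoD.yaml` in this directory.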
From a6fe4fa45be0e369a84ba744445e9997f3951f67 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Mon, 10 Jun 2024 17:37:10 +0100 Subject: [PATCH 14/18] Update OpenAPI-TrellixDoD.yml --- .../OpenAPI/OpenAPI-TrellixDoD.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml b/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml index 9e998499..e356a569 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml @@ -872,7 +872,7 @@ paths: type: string enum: [screenshot,os_changes,vm_artifacts] example: screenshot - description: "Type of artifact to download." + description: "Available values are screenshot, os_changes, vm_artifacts" responses: 200: description: "OK" From 5d5988a8c95908e2f9f24c69da11c1a2ceea9c9a Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Mon, 10 Jun 2024 17:41:12 +0100 Subject: [PATCH 15/18] Update OpenAPI-TrellixDoD.yml --- .../OpenAPI/OpenAPI-TrellixDoD.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml b/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml index e356a569..9e998499 100644 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml +++ b/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml 
@@ -872,7 +872,7 @@ paths: type: string enum: [screenshot,os_changes,vm_artifacts] example: screenshot - description: "Available values are screenshot, os_changes, vm_artifacts" + description: "Type of artifact to download." responses: 200: description: "OK" From 2be87ef89d91234bc5ad8cec9d49548cf256ed26 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:00:59 +0000 Subject: [PATCH 16/18] Create Domain Name Investigation Promptbook.md --- .../Domain Name Investigation Promptbook.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 Promptbook samples/Domain Name Investigation Promptbook.md diff --git a/Promptbook samples/Domain Name Investigation Promptbook.md b/Promptbook samples/Domain Name Investigation Promptbook.md new file mode 100644 index 00000000..8b013bd9 --- /dev/null +++ b/Promptbook samples/Domain Name Investigation Promptbook.md 
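Review bot: PATCH 14 and PATCH 15 are a no-op pair. The `description` of the artifact `type` query parameter goes from `"Type of artifact to download."` to `"Available values are screenshot, os_changes, vm_artifacts"` and straight back, and the blob index returns to `9e998499`. Drop both commits during a rebase so the history does not carry the round trip. If the intent was to surface the allowed values to the model, the `enum: [screenshot,os_changes,vm_artifacts]` line directly above already does that.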
@@ -0,0 +1,53 @@ +![Security CoPilot Logo](https://github.com/Azure/Copilot-For-Security/blob/main/Images/ic_fluent_copilot_64_64%402x.png) +# Domain Name Investigation Promptbook (MDTI) + +**Description**: Get threat intelligence details for a fully qualified domain name (FQDN), including the MDTI reputation, WHOIS and subdomain resolutions, and web components. + +**Required Plugin**: Microsoft Threat intelligence + +**Required Input**: + +1. Get the latest reputation score + ``` +Give me the Microsoft Defender Threat Intelligence reputation score for . Present this information as a short summary paragraph, followed by bullet points. + ``` +2. Get Whois record + ``` +Give me the WHOIS record for . Present this information as a short summary paragraph, followed by bullet points. +``` +3. Get IP resolutions + ``` +Give me the resolutions for . Present this information as a short summary paragraph, followed by a table. + ``` +4. Get subdomains + ``` +Give me details of the subdomains for . Present this information as a short summary paragraph, followed by a table. + ``` +5. Get web components + ``` +Give me details of the web components for . Present this information as a short summary paragraph, followed by a table. +``` +6. Generate threat bulletin + ``` +/SummarizeData I am a threat intelligence analyst writing a threat bulletin about this domain. Based on the above investigation, generate a threat bulletin that summarises the above intelligence. The response should include a short introduction, bullet points of the key information, and a conclusion. + ``` + +## Promptbook JSON Format +``` +{"name":"Domain Name Investigation (MDTI)", +"description":"Get threat intelligence details for a fully qualified domain name (FQDN), including the MDTI reputation, WHOIS and subdomain resolutions, and web components.", +"prompts": +[ + {"promptType":"Prompt","content":"Give me the Microsoft Defender Threat Intelligence reputation score for . 
Present this information as short summary paragraph, followed by bullet points."}, + {"promptType":"Prompt","content":"Give me the WHOIS record for . Present this information as a short summary paragraph, followed by bullet points."}, + {"promptType":"Prompt","content":"Give me the resolutions for . Present this information as a short summary paragraph, followed by a table."}, + {"promptType":"Prompt","content":"Give me details of the subdomains for . Present this information as a short summary paragraph, followed by a table."}, + {"promptType":"Prompt","content":"Give me details of the web components for . Present this information as a short summary paragraph, followed by a table."}, + {"promptType":"Prompt","content":"/SummarizeData I am a threat intelligence analyst writing a threat bulletin about this domain. Based on the above investigation, generate a threat bulletin that summarises the above intelligence. The response should include a short introduction, bullet points of the key information, and a conclusion."} +], +"promptbookinputs": +[ + {"name":"DOMAIN_NAME","description":"User input"} +], +"visibility":"Private","tags":"MDTI"} +``` From 217d3f4a9f29c7e49e28cca6ef3f2a5962a4625c Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:10:48 +0000 Subject: [PATCH 17/18] Create IP Address Investigation Promptbook.md --- .../IP Address Investigation Promptbook.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 Promptbook samples/IP Address Investigation Promptbook.md diff --git a/Promptbook samples/IP Address Investigation Promptbook.md b/Promptbook samples/IP Address Investigation Promptbook.md new file mode 100644 index 00000000..4ef8c87e --- /dev/null +++ b/Promptbook samples/IP Address Investigation Promptbook.md 
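Review bot: none of the six prompts references the `DOMAIN_NAME` input that `promptbookinputs` declares. Each prompt reads `... reputation score for . Present ...` with nothing between `for` and the full stop, in both the numbered list and the JSON `prompts` array, so as committed the prompts run with no domain. If the raw file does contain an angle-bracket placeholder that the rendered view hides, escape it in the markdown so it shows; if it does not, add the input reference to every prompt. Two smaller points in the JSON block: the first prompt's `content` string is broken across two lines (`for . ` / `Present this information ...`), which puts a raw line break inside a JSON string, and that copy says "as short summary paragraph" where the markdown list says "as a short summary paragraph"; keep the two copies identical. The "**Required Input**:" heading is followed by the prompt steps rather than the input, and "Microsoft Threat intelligence" should be capitalised as the plugin name is.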
@@ -0,0 +1,53 @@ +![Security CoPilot Logo](https://github.com/Azure/Copilot-For-Security/blob/main/Images/ic_fluent_copilot_64_64%402x.png) +# IP Address Investigation Promptbook (MDTI) + +**Description**: Get threat intelligence details for an IP address, including the MDTI reputation, WHOIS and DNS records, and web and service components. + +**Required Plugin**: Microsoft Threat intelligence + +**Required Input**: + +1. Get the latest reputation score + ``` +Give me the Microsoft Defender Threat Intelligence reputation score for . Present this information as short summary paragraph, followed by bullet points. + ``` +2. Get Whois record + ``` +Give me the WHOIS record for . Present this information as a short summary paragraph, followed by bullet points. +``` +3. Get reverse DNS records + ``` +Give me the reverse DNS record for . Present this information as a short summary paragraph, followed by a table. + ``` +4. Get web components + ``` +Give me details of the web components for . Present this information as a short summary paragraph, followed by a table. + ``` +5. Get services + ``` +Give me details of the services for . Present this information as a short summary paragraph, followed by a table. +``` +6. Generate threat bulletin + ``` +/SummarizeData I am a threat intelligence analyst writing a threat bulletin about this IP address. Based on the above investigation, generate a threat bulletin that summarises the above intelligence. The response should include a short introduction, bullet points of the key information, and a conclusion. + ``` + +## Promptbook JSON Format +``` +{"name":"IP Address Investigation (MDTI)", +"description":"Get threat intelligence details for an IP address, including the MDTI reputation, WHOIS and DNS records, and web and service components.", +"prompts": +[ + {"promptType":"Prompt","content":"Give me the Microsoft Defender Threat Intelligence reputation score for . 
Present this information as short summary paragraph, followed by bullet points."}, + {"promptType":"Prompt","content":"Give me the WHOIS record for . Present this information as a short summary paragraph, followed by bullet points."}, + {"promptType":"Prompt","content":"Give me the reverse DNS record for . Present this information as a short summary paragraph, followed by a table."}, + {"promptType":"Prompt","content":"Give me details of the web components for . Present this information as a short summary paragraph, followed by a table."}, + {"promptType":"Prompt","content":"Give me details of the services for . Present this information as a short summary paragraph, followed by a table."}, + {"promptType":"Prompt","content":"/SummarizeData I am a threat intelligence analyst writing a threat bulletin about this IP address. Based on the above investigation, generate a threat bulletin that summarises the above intelligence. The response should include a short introduction, bullet points of the key information, and a conclusion."} +], +"promptbookinputs": +[ + {"name":"IP_ADDRESS","description":"User input"} +], +"visibility":"Private","tags":"MDTI"} +``` From 982ca5864f21279a450a4c5bc81b2f621cd7ed32 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:12:44 +0000 Subject: [PATCH 18/18] Delete Plugins/Community Based Plugins/Trellix Detection as a Service directory --- .../OpenAPI/OpenAPI-TrellixDoD.yml | 1729 ----------------- .../Trellix Detection as a Service/README.md | 28 - .../TrellixDoD.yaml | 16 - 3 files changed, 1773 deletions(-) delete mode 100644 Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml delete mode 100644 Plugins/Community Based Plugins/Trellix Detection as a Service/README.md delete mode 100644 Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml 
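Review bot: this promptbook has the same defects as the Domain Name one in PATCH 16. The `IP_ADDRESS` input is declared in `promptbookinputs` but no prompt references it (`Give me the WHOIS record for . Present ...`), the first JSON `content` string is split across two lines, and "short summary paragraph" vs "a short summary paragraph" differs between the list and the JSON. Fix both files the same way, and consider generating the JSON block from the list (or the reverse) so they cannot drift.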
diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml b/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml deleted file mode 100644 index 9e998499..00000000 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/OpenAPI/OpenAPI-TrellixDoD.yml +++ /dev/null 
@@ -1,1729 +0,0 @@ -openapi: 3.0.0 -info: - title: Detection On Demand - description: | - FireEye offers a best-in-class virtual execution engine in many of its core products, including our Network Security, Email Security, and File Analysis solutions. Now our customers can interact with and consume those capabilities directly via a scalable and performant web service. Use the new RESTful API to submit files for malware analysis, search hash values for past analysis results, get full reports for your file submissions, and integrate into your existing toolsets and workflows. - - [How to import this API into Postman](http://fireeye.dev/docs/detection-on-demand/postman/) - termsOfService: "https://www.fireeye.com/company/legal.html" - contact: - name: "Developer Relations Team" - email: "developers@fireeye.com" - version: "1.4.1" -servers: - - description: Detection On Demand Production Server - url: https://feapi.marketplace.apps.fireeye.com - variables: {} -paths: - /reports/{report_id}: - get: - tags: - - Reports - summary: Get single report - description: This endpoint fetches the results of a single file submission, known as a report. - operationId: getReport - parameters: - - in: path - name: report_id - required: true - schema: - type: string - example: "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6" - description: "The report ID returned after successfully submitting a file." - - in: query - name: extended - schema: - type: boolean - enum: [true, false] - example: false - description: "Setting extended to true will allow you to see all malware engine reports." 
- externalDocs: - description: "Learn more about reading reports below:" - url: "https://fireeye.dev/docs/detection-on-demand/#reports" - responses: - 200: - description: "OK" - content: - application/json: - schema: - oneOf: - - $ref: "#/components/schemas/ReportNotExtended" - - $ref: "#/components/schemas/ReportExtended" - example: - report_id: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - overall_status: DONE - is_malicious: true - started_at: '2020-07-06 18:15:13' - completed_at: '2020-07-06 18:17:54' - duration: 161 - file_name: payment_2019.exe - file_size: 17920 - file_extension: exe - name: payment_2019.exe - type: exe - size: 17920 - md5: 968a89bf69338b6e0332a9d5d300cd5a - sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b - sha1: a68621e31c08a4fff8d4c4a49364b386acd769fa - magic: PE32 executable (GUI) Intel 80386, for MS Windows\012- data - extracted_objects: - - submission_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - name: payment_2019.exe - type: exe - complete_time: '2020-07-06 18:17:54.473953' - analyses_start_time: '2020-07-06 18:15:13.540694' - verdict: MALICIOUS - md5: 968a89bf69338b6e0332a9d5d300cd5a - sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b - status: SUCCESS - size: 17920 - is_malicious: true - results: - - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - analysis_results: - - engine: AVS LOOOKUP - weight: 100 - signature_name: FireEye.Malware.exe - - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c - engine: 'Bale ENGINE ' - job_id: 2487 - - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f - engine: 'Bale ENGINE ' - job_id: 2486 - - anomaly_types: - - FEBETA - os_info: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 - engine: Dynamic Analysis - job_id: 2487 - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 
17d6d69a-74d6-4b73-bc34-b610689b399c - - anomaly_types: - - FEBETA - os_info: Microsoft Windows7 64-bit 6.1 sp1 17.0112 - engine: Dynamic Analysis - job_id: 2486 - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f - - engine: Malware Guard - weight: 100 - signature_name: fe_ml_heuristic - - engine: Static Analysis - weight: 100 - signature_name: fe_ml_heuristic - - engine: Static Analysis - YARA - weight: 0 - signature_name: fe_ml_heuristic - - first_seen: '2019-09-17T00:34:00' - last_seen: '2019-12-08T04:53:00' - engine: global_cache - signature_name: Trojan.Small.FEC3 - weight: 100 - scan_count: 31 - scan_match: 30 - artifacts_info: - - object_artifact_details: - - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - artifact_details: - - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.flv - dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c - memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.zip - pcap_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.pcap - job_id: 2487 - profilename: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 - - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.flv - dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f - memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.zip - pcap_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.pcap - job_id: 2486 - profilename: Microsoft Windows7 64-bit 6.1 sp1 17.0112 - os_changes: true - os_changes_type: json - vm_artifacts_type: zip - screenshot: true - vm_artifacts: true - artifact_uuid: 
4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - screenshot_type: gif - engine_results: - dynamic_analysis: - uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - is_malicious: true - analysis_info: {} - files_analyzed: 0 - overall_weight: 0 - total_duration: 0 - av_lookup: - verdict: not_found - signature_name: [] - avs_lookup: - verdict: not_found - signature_name: [] - dti_lookup: - verdict: not_found - signature_name: [] - mitre_mapping: - - id: T1204.002 - name: Malicious File - tactic: - - execution - - id: T1566.001 - name: Spearphishing Attachment - tactic: - - initial_access - - id: T1203 - name: Exploitation for Client Execution - tactic: - - execution - 400: - description: "Bad Request" - content: - application/json: - schema: - properties: - status: - type: string - example: "failed" - description: "This means that you did not provide a report ID." - message: - type: string - example: "Report ID not provided." - description: "This means that you did not provide a report ID." - 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" - /reports/{hash}: - get: - tags: - - Reports - summary: Get single report by md5 or sha256 hash - description: This endpoint fetches the latest results for file submission with the provided md5 or sha256 hash. 
- operationId: getReportsMD5 - parameters: - - in: path - name: hash - required: true - schema: - type: string - example: "a32a382b8a5a906e03a83b4f3e5b7a9b" - description: "MD5 or SHA256 hash of a submitted file" - - in: query - name: extended - schema: - type: boolean - enum: [true, false] - example: false - description: "Setting extended to true will allow you to see all malware engine reports." - responses: - 200: - description: "OK" - content: - application/json: - schema: - oneOf: - - $ref: "#/components/schemas/ReportNotExtended" - - $ref: "#/components/schemas/ReportExtended" - example: - report_id: 1737d302-600e-431c-96eb-9c688ee0af98 - overall_status: DONE - is_malicious: true - started_at: '2020-07-06 18:15:13' - completed_at: '2020-07-06 18:17:54' - duration: 161 - file_name: payment_2019.exe - file_size: 17920 - file_extension: exe - name: payment_2019.exe - type: exe - size: 17920 - md5: a32a382b8a5a906e03a83b4f3e5b7a9b - sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b - sha1: a68621e31c08a4fff8d4c4a49364b386acd769fa - magic: PE32 executable (GUI) Intel 80386, for MS Windows\012- data - extracted_objects: - - submission_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - name: payment_2019.exe - type: exe - complete_time: '2020-07-06 18:17:54.473953' - analyses_start_time: '2020-07-06 18:15:13.540694' - verdict: MALICIOUS - md5: 968a89bf69338b6e0332a9d5d300cd5a - sha256: 105f7022adcfeec2cc698f500c2a83c3436822f7372177ffa2ed3d3ae7b3a80b - status: SUCCESS - size: 17920 - is_malicious: true - results: - - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - analysis_results: - - engine: AVS LOOOKUP - weight: 100 - signature_name: FireEye.Malware.exe - - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c - engine: 'Bale ENGINE ' - job_id: 2487 - - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 
5c9237d4-759f-4183-91a8-08f191bdcf8f - engine: 'Bale ENGINE ' - job_id: 2486 - - anomaly_types: - - FEBETA - os_info: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 - engine: Dynamic Analysis - job_id: 2487 - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c - - anomaly_types: - - FEBETA - os_info: Microsoft Windows7 64-bit 6.1 sp1 17.0112 - engine: Dynamic Analysis - job_id: 2486 - weight: 200 - signature_name: fe_ml_heuristic - dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f - - engine: Malware Guard - weight: 100 - signature_name: fe_ml_heuristic - - engine: Static Analysis - weight: 100 - signature_name: fe_ml_heuristic - - engine: Static Analysis - YARA - weight: 0 - signature_name: fe_ml_heuristic - - first_seen: '2019-09-17T00:34:00' - last_seen: '2019-12-08T04:53:00' - engine: global_cache - signature_name: Trojan.Small.FEC3 - weight: 100 - scan_count: 31 - scan_match: 30 - artifacts_info: - - object_artifact_details: - - object_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - artifact_details: - - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.flv - dynamic_analysis_uuid: 17d6d69a-74d6-4b73-bc34-b610689b399c - memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.zip - pcap_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/17d6d69a-74d6-4b73-bc34-b610689b399c.pcap - job_id: 2487 - profilename: Microsoft WindowsXP 32-bit 5.1 sp3 17.0112 - - video_path: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.flv - dynamic_analysis_uuid: 5c9237d4-759f-4183-91a8-08f191bdcf8f - memory_dump: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.zip - pcap_path: 
4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe/5c9237d4-759f-4183-91a8-08f191bdcf8f.pcap - job_id: 2486 - profilename: Microsoft Windows7 64-bit 6.1 sp1 17.0112 - os_changes: true - os_changes_type: json - vm_artifacts_type: zip - screenshot: true - vm_artifacts: true - artifact_uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - screenshot_type: gif - engine_results: - dynamic_analysis: - uuid: 4dfa1e0b-0e33-4ac7-ac24-e2680a0bcdbe - is_malicious: true - analysis_info: {} - files_analyzed: 0 - overall_weight: 0 - total_duration: 0 - av_lookup: - verdict: not_found - signature_name: [] - avs_lookup: - verdict: not_found - signature_name: [] - dti_lookup: - verdict: not_found - signature_name: [] - mitre_mapping: - - id: T1204.002 - name: Malicious File - tactic: - - execution - - id: T1566.001 - name: Spearphishing Attachment - tactic: - - initial_access - - id: T1203 - name: Exploitation for Client Execution - tactic: - - execution - 400: - description: "Bad Request" - content: - application/json: - schema: - properties: - status: - type: string - example: "failed" - description: "This means that you did not provide a report ID." - md5: - type: string - example: "a32a382b8a5a906e03a83b4f3e5b7a9b" - description: "This means that you did not provide a report ID." - message: - type: string - example: "No data available" - description: "This means that you did not provide a report ID." 
- 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" - /presigned-url/{report_id}: - get: - tags: - - Presigned-url - summary: Get a presigned URL - description: This endpoint fetches a presigned URL link to a browser viewable report. - operationId: getPresignedUrl - parameters: - - in: path - name: report_id - required: true - schema: - type: string - example: 874da611-f82a-4331-afde-5943f4facb92 - description: "The report ID returned after successfully submitting a file." - - in: query - name: expiry - schema: - type: integer - example: 1 - description: "Expiry (in hours) for browser viewable report presigned URL link. Default value is 72 hours. Minimum is 1 hour, and maximum is 8760 hours (365 days)." 
- externalDocs: - description: "Learn more about generating presigned URLs below:" - url: "https://fireeye.dev/docs/detection-on-demand/#presigned-urls" - responses: - 200: - description: "OK" - content: - application/json: - schema: - properties: - status: - type: string - example: "success" - description: "This means the API was able to successfully generate a presigned URL for your report" - presigned_report_url: - type: string - example: "https://public-feapi.marketplace.apps.fireeye.com/reports/874da611-f82a-4331-afde-5943f4facb92?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXBvcnup67QiOiJlZWE4NmM1Yi01YWJiLTQ3MmItYWEwYi0zYjY3NDkxM2MwZmIiLCJleHAiOjE1ODc5MjM4ODJ9.qVx5iTZKBPsbRLIc1iIiLj3BI9nzimPaSB087AHPn1Y" - description: "Signed URL that will open the report in browser" - 400: - description: "Bad Request" - content: - application/json: - schema: - properties: - status: - type: string - example: "failed" - description: "This means that you did not provide a report ID." - message: - type: string - example: "Report ID not provided." - description: "This means that you did not provide a report ID." 
- 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" - /health: - get: - tags: - - Health - summary: Health status of service, subscription and API key - description: This endpoint provide health status of Service, subscription and API key - operationId: getHealth - responses: - 200: - description: "OK" - content: - application/json: - schema: - properties: - status: - type: string - enum: ["success", "failed"] - example: "success" - description: "Determines if the API key is valid and able to check the status of the service" - service_status: - type: string - example: "RUNNING" - enum: ["RUNNING","DOWN", "DEGRADED"] - description: "The status of the Detection on Demand service" - api_key_valid: - type: boolean - example: true - enum: [true, false] - description: "True if the API key is valid" - subscription_start_date: - type: string - example: "2020-03-31 21:20:19" - description: "Start date of subscription in UTC" - subscription_end_date: - type: string - example: "2021-03-31 21:20:19" - description: "End date of subscription in UTC" - files_api_quota_total: - type: integer - example: 1000 - description: "Total number of file submissions allowed for the API key" - files_api_quota_remaining: - type: integer - example: 1000 - description: "Remaining file submissions for the API key" - files_api_quota_monthly: - type: integer - example: 300 - description: "Total file submissions allowed for each month for the API key. -1 if no limit on monthly submissions." 
- files_api_quota_monthly_remaining: - type: integer - example: 100 - description: "Remaining file submissions allowed for the current month for the API key. -1 if no limit on monthly submissions." - files_api_quota_daily: - type: integer - example: 300 - description: "Total file submissions allowed for each day for the API key. -1 if no limit on daily submissions." - files_api_quota_daily_remaining: - type: integer - example: 100 - description: "Remaining file submissions allowed for the current day for the API key. -1 if no limit on daily submissions." - 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" - /hashes/{hash_id}: - get: - tags: - - Hashes - summary: Get hash analysis results - description: This endpoint fetches the results of a file submission by its MD5 hash. - operationId: getHashById - parameters: - - in: path - name: hash_id - required: true - schema: - type: string - example: "4ba739fd8c216809e485e7972597c995" - description: "The MD5 hash of a file you would like to request the malware analysis results for." - responses: - 200: - description: "OK" - content: - application/json: - schema: - properties: - md5: - type: string - example: "4ba739fd8c216809e485e7972597c995" - description: "This is an MD5 hash." - is_malicious: - type: boolean - example: true - enum: [true, false] - description: "This is FireEye's final determination if the file is malicious or not." 
- engine_results: - type: object - properties: - dynamic_analysis: - type: object - properties: - verdict: - type: string - enum: ["found", "not_found"] - example: "not_found" - av_lookup: - type: object - properties: - first_seen: - type: string - example: "2019-08-31T20:36:39" - description: "When this file was first seen by the av_lookup engine." - last_seen: - type: string - example: "2019-09-18T15:46:00" - description: "When this file was last seen by the av_lookup engine." - signature_name: - type: array - items: - type: string - example: - [ - "Trojan.Grp.FEC3", - "Trojan.Genkryptik", - "fe_ml_heuristic", - "Trojan.Win.DYRE", - ] - verdict: - type: string - example: "malicious" - dti_lookup: - type: object - properties: - first_seen: - type: string - example: "N/A" - industry: - type: array - items: - type: string - overall_weight: - type: integer - example: 100 - display_message: - type: array - items: - type: string - example: ["msg1", "msg2"] - signature_name: - type: array - items: - type: string - example: ["Trojan.Grp.FEC3", "Trojan.Genkryptik"] - verdict: - type: string - example: "malicious" - 400: - description: "Bad Request" - content: - application/json: - schema: - properties: - status: - type: string - example: "failed" - description: "This means that you did not provide a hash ID." - message: - type: string - example: "Hash not provided." - description: "This means that you did not provide a hash ID." 
- 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" - /hashes/{hash}: - get: - tags: - - Hashes - summary: Get md5 or sha256 hash analysis results - description: This endpoint fetches the results of a file submission by its md5 or sha256 hash. - operationId: getSHA256HashById - parameters: - - in: path - name: hash - required: true - schema: - type: string - example: "75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346" - description: "The MD5 or SHA256 hash of a file you would like to request the malware analysis results for." - responses: - 200: - description: "OK" - content: - application/json: - schema: - properties: - sha256: - type: string - example: "75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346" - description: "This is an SHA256 hash." - is_malicious: - type: boolean - example: true - enum: [true, false] - description: "This is FireEye's final determination if the file is malicious or not." - engine_results: - type: object - properties: - dynamic_analysis: - type: object - properties: - verdict: - type: string - enum: ["found", "not_found"] - example: "not_found" - av_lookup: - type: object - properties: - first_seen: - type: string - example: "2019-08-31T20:36:39" - description: "When this file was first seen by the av_lookup engine." - last_seen: - type: string - example: "2019-09-18T15:46:00" - description: "When this file was last seen by the av_lookup engine." 
- signature_name: - type: array - items: - type: string - example: - [ - "Trojan.Grp.FEC3", - "Trojan.Genkryptik", - "fe_ml_heuristic", - "Trojan.Win.DYRE", - ] - verdict: - type: string - example: "malicious" - dti_lookup: - type: object - properties: - first_seen: - type: string - example: "N/A" - industry: - type: array - items: - type: string - overall_weight: - type: integer - example: 100 - display_message: - type: array - items: - type: string - example: ["msg1", "msg2"] - signature_name: - type: array - items: - type: string - example: ["Trojan.Grp.FEC3", "Trojan.Genkryptik"] - verdict: - type: string - example: "malicious" - 400: - description: "Bad Request" - content: - application/json: - schema: - properties: - status: - type: string - example: "failed" - description: "This means that you did not provide a hash ID." - message: - type: string - example: "Hash not provided." - description: "This means that you did not provide a hash ID." - 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" - /artifacts/{report_id}: - get: - tags: - - Artifacts - summary: Get artifacts for given report_id - description: This endpoint fetches artifacts, like a screenshot gif file, for the given report_id - operationId: getArtifacts - parameters: - - in: path - name: report_id - required: true - schema: - type: string - example: "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6" - description: "The report ID returned after successfully submitting a file." 
- - in: query - name: artifact_uuid - schema: - type: string - example: "992694b3-20ab-4245-9b4c-8f3a1b7ec3b6" - description: "Submitted sample can have more that one artifacts each artifact will have its on artifact uuid which is reported as part of reports api. User need to grab artifacts uuid from reports endpoint." - - in : query - name: type - required: true - schema: - type: string - enum: [screenshot,os_changes,vm_artifacts] - example: screenshot - description: "Type of artifact to download." - responses: - 200: - description: "OK" - content: - binary/octet-stream: - schema: - type: string - format: binary - 400: - description: "Bad Request" - content: - application/json: - schema: - properties: - status: - type: string - example: "failed" - description: "This means that you did not provide a report ID." - message: - type: string - example: "Report ID not provided." - description: "This means that you did not provide a report ID." - report_id: - type: string - example: "371163d6-1c32-4467-9562-870d84150091" - description: "The report ID you used when trying to get the artifact" - 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" - /telemetry: - get: - tags: - - Telemetry - summary: Pull results metadata in batches - description: This endpoint fetches metadata of completed submissions for given time interval. API also support pagination if number of records for given time period are more than 1000. 
- operationId: getTelemetry - parameters: - - in: query - name: size - schema: - type: integer - example: 100 - description: "Count of records requested. Default value is 1000" - - in: query - name: type - schema: - type: string - enum: [ malicious,non-malicious,all ] - example: malicious - description: "Type of submissions to fetch. Default value is 'malicious'" - - in: query - name: from - schema: - type: integer - example: 10 - description: "Starting index. Default is 0" - - in: query - name: time_field - schema: - type: string - enum: [completed_at,started_at] - example: completed_at - description: "Field to use for start_time and end_time. Default is 'completed_at'" - - in: query - name: start_time - schema: - type: integer - example: 1599020028 - description: "Epoch Timestamp for starting." - - in: query - name: end_time - schema: - type: integer - example: 1599192828 - description: "Epoch Timestamp for ending." - - in: query - name: connector_type - schema: - type: string - enum: [box,slack,teams,s3,api,all] - example: box - description: "connector type specified, default is 'all', to get api submissions use 'api' " - - in: query - name: ioc - schema: - type: boolean - enum: [ true, false ] - example: false - description: "Return IOC information along with telemetry metadata" - responses: - 200: - description: "OK" - content: - application/json: - schema: - properties: - status: - type: string - example: "success" - description: "This is the status of response." - count: - type: integer - example: 1 - description: "This is the count of overall records found for given conditions." - data: - type: array - items: - type: object - properties: - subscription_id: - type: string - example: "amkt-example" - description: "Subscription id of customer." - is_malicious: - type: boolean - example: true - enum: [true, false] - description: "This is FireEye's final determination if the file is malicious or not." 
- completed_at: - type: integer - example: 1599128761 - description: "This is FireEye's time when analysis was completed for submission." - urls: - type: array - items: - type: string - example: - [ - "example.com", - ] - description: "These are the urls in case of url submissions. Empty if no url" - report_id: - type: string - example: "24b5b4c4-5877-453f-a9e7-88ad7dc94699" - description: "This is the report id for submission" - verdict: - type: string - example: "MALICIOUS" - enum: ["NON-MALICIOUS", "MALICIOUS"] - description: "This is the FireEye's final verdict for submission " - overall_status: - type: string - example: "DONE" - enum: [ "DONE", "RUNNING", "FAILED" ] - description: "This is the FireEye's final status for submission " - signature_name: - type: array - items: - type: string - example: - [ - "Trojan.Grp.FEC3", - "Trojan.Genkryptik", - "fe_ml_heuristic", - "Trojan.Win.DYRE", - ] - description: "These are the FireEye's final signatures for submission " - started_at: - type: integer - example: 1599128761 - description: "This is FireEye's time when analysis was started for submission." 
- file_extension: - type: string - example: "exe" - description: "This is extension of file submitted" - file_name: - type: string - example: "sample.exe" - description: "This is the name of file submitted" - file_size: - type: integer - example: 100 - description: "This is the size of file submitted in bytes" - md5: - type: string - example: "bc527343c7ffc103111f3a694b004e2f" - description: "This is the md5 hash of file submitted" - sha1: - type: string - example: "f6c32e81615adcd58786e45ba1031b2ae7c4da04" - description: "This is the sha1 hash of file submitted" - sha256: - type: string - example: "24e0b2bea368d3e9ac374a7ec05db6ded6e4f86e6a3652d9a709fccaa3e49daf" - description: "This is the sha256 hash of file submitted" - file_magic: - type: string - example: "PE32 executable (GUI) Intel 80386, for MS Windows\\012- data" - description: "This is the lib magic of file submitted" - connector_information: - description: "This is meta information about the submitted sample, will be empty for api submissions" - type: object - properties: - file_path: - type: string - example: "sample/folder1" - description: "Path of file in cconenctor." - file_name: - type: string - example: "sample.exe" - description: "Name of submitted file." - file_id: - type: string - example: "12345678" - description: "Id of file, if provided by integration." - connector_type: - type: string - example: "box" - description: "Type of connector." - 400: - description: "Bad Request" - content: - application/json: - schema: - properties: - status: - type: string - example: "failed" - description: "This means that some field is incorrect." - message: - type: string - example: "invalid 'size'" - enum: [ invalid 'size' ,invalid 'from', invalid 'start_time', invalid 'end_time'] - description: "This means that you did not provide a hash ID." 
- 401: - description: "Unauthorized" - content: - application/json: - schema: - $ref: "#/components/schemas/Unauthorized" - 403: - description: "Forbidden" - content: - application/json: - schema: - $ref: "#/components/schemas/Forbidden" - 429: - description: "Too Many Requests" - content: - application/json: - schema: - $ref: "#/components/schemas/RateLimitExceeded" - 500: - description: "Internal Server Error" - content: - application/json: - schema: - $ref: "#/components/schemas/InternalServerError" -components: - securitySchemes: - FireEyeAPIKey: - type: apiKey - name: feye-auth-key - in: header - description: | - See the [docs](https://fireeye.dev/docs/detection-on-demand/#prerequisites) for information on generating an API key. - schemas: - RateLimitExceeded: - properties: - status: - type: string - example: "failed" - description: "You have hit the rate limit for the account containing your API key and your request has not gone through." - message: - type: string - example: "api key limit exhausted" - description: "You have hit the rate limit for the account containing your API key and your request has not gone through." - InternalServerError: - properties: - message: - type: string - example: "Internal server error." - description: "Something went wrong on our end." - Unauthorized: - properties: - status: - type: string - example: "failed" - description: "You did not provide an API key." - message: - type: string - example: "Internal server error." - description: "You did not provide an API key." - Forbidden: - properties: - status: - type: string - example: "failed" - description: "You provided an invalid API key." - message: - type: string - example: "Invalid api key" - description: "You provided an invalid API key." 
- UnsupportedMediaType: - properties: - status: - type: string - example: "failed" - description: "The input may have been empty or malformed" - message: - type: string - example: "url list is empty" - description: "The array of URLs is empty" - ReportNotExtended: - required: - - report_id - - overall_status - - is_malicious - - started_at - - completed_at - - duration - - md5 - - sha256 - properties: - report_id: - description: Unique identifier for a submission or an object - type: string - overall_status: - description: Status of submission FAILED/RUNNING/DONE - enum: [FAILED,RUNNING,DONE] - type: string - api_key_name: - description: Name of the key, which is used while submission - type: string - analysis_mode: - description: Analysis mode for submission (sandbox or live) - type: string - retro: - description: retro triggered for submission - type: boolean - is_malicious: - description: Malicious flag for submission - type: boolean - started_at: - description: Sample submitted time in UTC - type: string - completed_at: - description: Sample completed time in UTC - type: string - duration: - description: duration take by sample for submission - type: integer - file_name: - description: Sample name, for urls, it is complete url - type: string - file_size: - description: In case of file submission, it is the size of file in bytes - type: integer - file_extension: - description: File extension of a submitted sample, in case of urls, it is url - type: string - signatures: - description: Comma separated list of Signatures - type: string - type: - description: File extension of a submitted sample, in case of urls, it is url - type: string - name: - description: Sample name, for urls, it is complete url - type: string - size: - description: In case of file submission, it is the size of file in bytes - type: integer - md5: - description: md5sum of a submission object - type: string - sha256: - description: sha256 of a submission object - type: string - sha1: - 
description: sha1 of a submission object - type: string - magic: - description: lib magic of file submitted - type: string - verdict: - description: overall verdict of submission it can be - MALICIOUS, NON-MALICIOUS, - RISKWARE, CUSTOM MALICIOUS, CUSTOM RISKWARE - enum: [MALICIOUS,NON-MALICIOUS,RISKWARE,CUSTOM MALICIOUS,CUSTOM RISKWARE] - type: string - retro_by: - description: list of names of engines for which retro triggered - type: array - required: - - name - items: - type: string - connector_information: - description: connector information for connector submission - type: object - required: - - connector_type - - connector_registration_id - properties: - connector_type: - description: connector type of submission - type: string - connector_registration_id: - description: connector registration id for the submission - type: integer - file_name: - description: file name of submission - type: string - file_version_id: - description: file_version_id of the file. Applicable for box integration - type: string - urls: - description: urls of submission - type: array - required: - - url - items: - type: string - signature_name: - description: List of signatures extracted by all engines - type: array - required: - - name - items: - type: string - email_context: - description: email context for email submission - type: object - properties: - subject: - description: Subject of email - type: string - header_size: - description: size of header of email - type: integer - email_from: - description: email address of sender - type: string - email_to: - description: email address of receiver - type: string - extracted_urls: - description: Count of url extracted from email - type: integer - extracted_attachments: - description: Count of attachments extracted from email - type: integer - queue_id: - description: queueid of email - type: string - messageid: - description: message id of email - type: string - ReportExtended: - required: - - report_id - - overall_status - - 
is_malicious - - started_at - - completed_at - - duration - - md5 - - sha256 - properties: - report_id: - description: Unique identifier for a submission or an object - type: string - overall_status: - description: Status of submission FAILED/RUNNING/DONE - enum: [FAILED,RUNNING,DONE] - type: string - api_key_name: - description: Name of the key, which is used while submission - type: string - analysis_mode: - description: Analysis mode for submission (sandbox or live) - type: string - retro: - description: retro triggered for submission - type: boolean - is_malicious: - description: Malicious flag for submission - type: boolean - started_at: - description: Sample submitted time in UTC - type: string - completed_at: - description: Sample completed time in UTC - type: string - duration: - description: duration take by sample for submission - type: integer - file_name: - description: Sample name, for urls, it is complete url - type: string - file_size: - description: In case of file submission, it is the size of file in bytes - type: integer - file_extension: - description: File extension of a submitted sample, in case of urls, it is url - type: string - signatures: - description: Comma separated list of Signatures - type: string - type: - description: File extension of a submitted sample, in case of urls, it is url - type: string - name: - description: Sample name, for urls, it is complete url - type: string - size: - description: In case of file submission, it is the size of file in bytes - type: integer - md5: - description: md5sum of a submission object - type: string - sha256: - description: sha256 of a submission object - type: string - sha1: - description: sha1 of a submission object - type: string - magic: - description: lib magic of file submitted - type: string - verdict: - description: overall verdict of submission it can be - MALICIOUS, NON-MALICIOUS, - RISKWARE, CUSTOM MALICIOUS, CUSTOM RISKWARE - enum: [MALICIOUS,NON-MALICIOUS,RISKWARE,CUSTOM 
MALICIOUS,CUSTOM RISKWARE] - type: string - retro_by: - description: list of names of engines for which retro triggered - type: array - required: - - name - items: - type: string - connector_information: - description: connector information for connector submission - type: object - required: - - connector_type - - connector_registration_id - properties: - connector_type: - description: connector type of submission - type: string - connector_registration_id: - description: connector registration id for the submission - type: integer - file_name: - description: file name of submission - type: string - file_version_id: - description: file_version_id of the file. Applicable for box integration - type: string - urls: - description: urls of submission - type: array - required: - - url - items: - type: string - signature_name: - description: List of signatures extracted by all engines - type: array - required: - - name - items: - type: string - email_context: - description: email context for email submission - type: object - properties: - subject: - description: Subject of email - type: string - header_size: - description: size of header of email - type: integer - email_from: - description: email address of sender - type: string - email_to: - description: email address of receiver - type: string - extracted_urls: - description: Count of url extracted from email - type: integer - extracted_attachments: - description: Count of attachments extracted from email - type: integer - queue_id: - description: queueid of email - type: string - messageid: - description: message id of email - type: string - extracted_objects: - description: Extracted urls or child objects within a submission - type: array - items: - title: Analysis Object - description: Details about each extracted object or url within a submission - type: object - required: - - object_uuid - - md5 - - sha256 - - verdict - properties: - object_uuid: - description: Unique identifier for extracted object - type: string 
- analyses_start_time: - description: Sample submitted time in UTC - type: string - md5: - description: md5sum of an extracted object - type: string - sha256: - description: sha256 of an extracted object - type: string - verdict: - description: 'Analysis verdict of an object: it can be - MALICIOUS, NON-MALICIOUS, - RISKWARE, CUSTOM MALICIOUS, CUSTOM RISKWARE' - type: string - url_normalized: - description: Normalized for of url - type: string - submission_uuid: - description: Unique identifier for submission - type: string - status: - description: 'Analysis status: FAILED, IN-PROGRESS, SUCCESS' - type: string - type: - description: File extension of an extracted object, for url - url - type: string - object_type: - description: File extension of an extracted object, for url - url - type: string - name: - description: File name of an extracted object - type: string - size: - description: File size in Bytes - type: integer - complete_time: - description: Timestamp in UTC when object analysis completed - type: string - signature_name: - description: Signature name derived from analysis results - type: string - is_malicious: - description: Malicious flag for extracted object - type: boolean - anomaly_types: - description: 'Anomalies triggered for an object during analysis: RISKWARE - etc' - type: array - items: - type: string - uniqueItems: true - additional_info: - description: Signature name derived based on all the results, from both - Static Analysis and Dynamic Analysis of an extracted object , any other - additional information about extracted object - type: object - properties: {} - results: - description: Static & Dynamic Analysis results for both extracted objects and - as well for submission in a form of JSON array - type: array - items: - title: Analysis Result - description: Each extracted object's analysis result - type: object - required: - - object_uuid - - analysis_results - properties: - object_uuid: - description: Analysis objects' unique identifier 
for which the results are - generated for - type: string - analysis_results: - description: Both SA & DA analysis results - type: array - items: - title: Analysis Result - description: SA/DA Analysis result, along with BALE correlation results - type: object - required: - - engine - properties: - object_uuid: - description: Analysis objects' unique identifier for which the results - are generated for - type: string - engine: - description: 'Analysis engine name: yara, av-match, OSChanges, NetworkAnomaly, - VmSigMatch and BALE etc' - type: string - signature_name: - description: Signature that got triggered - type: integer - job_id: - description: 'Dynamic Analysis job or result uuid: Usually will be - present for OsChanges, NetworkAnomaly VmSigMatch and BALE engines' - type: string - dynamic_analysis_uuid: - description: 'Dynamic Analysis job or result uuid: Usually will be - present for OsChanges, NetworkAnomaly VmSigMatch and BALE engines' - type: string - weight: - description: Assigned weight for a job. Any weight >=100 will be malicious, - otherwise non-malicious - type: integer - minimum: 0 - signature_id: - description: Signature Id defined for signature name. Mostly the field - will be blank or null. 
- type: integer - os_info: - description: OS name on which the dynamic analysis is performed (Profile) - type: string - channel: - description: channel encoded in base64 - type: string - anomaly_types: - description: Anomalies triggered for an OSChange job - type: array - items: - type: string - uniqueItems: true - additional_info: - description: Additional details of a static or dynamic job - type: object - properties: {} - artifacts_info: - description: Details of artifacts generated for submission - type: array - items: - title: Object's Artifacts Info - description: Each object's Artifacts Info - type: object - properties: - artifact_uuid: - description: Artifact uuid of object to be used in artifacts api - type: string - os_changes: - description: Field to check if os_changes present - type: boolean - os_changes_type: - description: type of os changes file - type: boolean - vm_artifacts: - description: Field to check if vm_artifacts present - type: boolean - vm_artifacts_type: - description: 'type of vm_artifacts file ' - type: boolean - screenshot: - description: Field to check if screenshot present - type: boolean - screenshot_type: - description: type of screenshot file - type: boolean - object_artifact_details: - title: Artifact object details - type: object - properties: - object_uuid: - description: unique identifier for object - type: string - artifact_details: - title: Object's Artifacts Info - description: Each object's Artifacts Info - type: object - properties: - video_path: - description: path of video file, NA if not present - type: string - dynamic_analysis_uuid: - description: dynamic analysis unique id - type: string - memory_and_file_dump: - description: path of memory dump file,NA if not present - type: string - pcap_path: - description: path of pcap file , NA if not present - type: string - profilename: - description: vm profile generating artifacts - type: string - mitre_mapping: - description: Mitre mapping in a form of JSON array - type: 
array - items: - title: Mitre Attack Mapping - description: Names and Tactics from Mitre attack database - type: object - required: - - id - - name - - tactic - properties: - id: - description: ID of the Mitre attack tactic - type: string - name: - description: Name of the Mitre attack tactic - type: string - tactic: - description: Mitre attack tactic - type: array - items: - type: string - example: - [ - "initial_access", - "execution", - "defense_evasion" - ] -security: - - FireEyeAPIKey: [] -tags: - - name: Files - description: Upload files to Detection On Demand - - name: Reports - description: Retrieve malware reports of your uploaded files - - name: Presigned-url - description: Retrieve presigned URL link to a browser viewable report - - name: Hashes - description: Retrieve malware results of a given MD5 hash - - name: Artifacts - description: Retrieve artifact for given report_id diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md b/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md deleted file mode 100644 index 0025e722..00000000 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/README.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Trellix Detection as a Service API Plugin - -#### Copilot for Security Plugin to retrieve sandbox reports for uploaded files and URLs using the Trellix Detection as a Service API - -### Pre-requisites - -* [Copilot for Security Enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) -* [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) -* [API Key](https://fireeye.dev/docs/detection-on-demand/dod-portal/#api-key-management) from dod-portal.marketplace.apps.fireeye.com. - -### Instructions -#### Upload the Custom Plugin - -1. Obtain the file [TrellixDoD.yaml](https://raw.githubusercontent.com/alfonso-greenbrook/Copilot-For-Security-Fork/main/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/TrellixDoD.yaml) from this directory. -2. [Upload the custom plugin](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#add-custom-plugins) and verify it's been activated. -3. After the plugin has been uploaded, put in your [DoD API Key](https://learn.microsoft.com/en-us/security-copilot/plugin_api#configure-authentication-1). - -![CopilotForSecurity](https://learn.microsoft.com/en-us/security-copilot/media/add-plugin-button.png) - -#### Utilization of the plugin -- **getReport:** Get single report - this fetches the results of a single file submission, known as a report. -- **getReportsMD5:** Get a single report by md5 or sha256 hash - this fetches the latest results for file submission with the provided md5 or sha256 hash. -- **getPresignedUrl:** Get a pre-signed URL - this fetches a pre-signed URL link to a browser-viewable report. 
-- **getHealth:** The health status of service, subscription and API key - this provides the health status of Service, subscription and API key -- **getHashById:** Get hash analysis results - this fetches the results of a file submission by its MD5 hash. -- **getSHA256HashById:** Get md5 or sha256 hash analysis results - this fetches the results of a file submission by its md5 or sha256 hash. -- **getArtifacts:** Get artefacts for given report_id - this fetches artefacts, like a screenshot gif file, for the given report_id -- **getTelemetry:** Pull results metadata in batches - this fetches metadata of completed submissions for a given time interval. API also support pagination if number of records for given time period are more than 1000. diff --git a/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml b/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml deleted file mode 100644 index eadac132..00000000 --- a/Plugins/Community Based Plugins/Trellix Detection as a Service/TrellixDoD.yaml +++ /dev/null @@ -1,16 +0,0 @@ -Descriptor: - Name: Trellix Detection as a Service - DisplayName: Trellix Detection as a Service - Description: Get detailed sandbox analysis reports from Trellix Detection as a Service - SupportedAuthTypes: - - ApiKey - Authorization: - Type: APIKey - Key: feye-auth-key - Location: Header - AuthScheme: '' - -SkillGroups: - - Format: API - Settings: - OpenApiSpecUrl: https://raw.githubusercontent.com/alfonso-greenbrook/Copilot-For-Security-Fork/main/Plugins/Community%20Based%20Plugins/Trellix%20Detection%20as%20a%20Service/OpenAPI/OpenAPI-TrellixDoD.yml
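Review bot: the OpenAPI spec removed in the `OpenAPI-TrellixDoD` hunk carries several definitions that contradict their own descriptions, so if the file is being relocated rather than retired, the copy that replaces it should correct them: under `analysis_results`, `signature_name` is declared `type: integer` while described as "Signature that got triggered"; `os_changes_type`, `vm_artifacts_type` and `screenshot_type` are declared `type: boolean` while each is described as the type of a file; the `Unauthorized` schema's `message` example reads "Internal server error." under a description that says "You did not provide an API key."; the `/telemetry` 400 `message` description says "This means that you did not provide a hash ID.", copied from the hash endpoint; and the `/artifacts/{report_id}` 200 response uses the media type `binary/octet-stream` where the registered type is `application/octet-stream`. A consumer that trusts the declared types (here, the Copilot skill generated from this spec) will reject or misparse a string signature name presented as an integer.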
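Review bot: both the deleted README (step 1, `TrellixDoD.yaml`) and the deleted descriptor (`OpenApiSpecUrl`) resolve to raw URLs under the personal fork `alfonso-greenbrook/Copilot-For-Security-Fork` rather than to the `Plugins/Community Based Plugins/Trellix Detection as a Service/` path in this repository; whatever replaces them should point at this repository, because Copilot fetches the spec from `OpenApiSpecUrl` at plugin load, so a link into a fork breaks when the fork changes or is deleted and makes the plugin's behaviour depend on a file outside this repository's review.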