
Cyware Orchestrate

FireEye Malware Analysis

App Vendor: FireEye

App Category: Data Enrichment & Threat Intelligence, Forensics & Malware Analysis

Connector Version: 1.0.0

API Version: 1.0.0

About App

FireEye Malware Analysis is a forensic analysis solution that provides a secure environment to test, replay, characterize, and document advanced malicious activities. The FireEye Malware Analysis (AX) app enables security teams to integrate with the FireEye Malware Analysis enterprise application to execute, manage, and monitor analysis of malicious URLs and files.

The FireEye Malware Analysis (AX) app is configured with the Orchestrate application to perform the following actions:

Action Name | Description
--- | ---
Get Submission Result | Retrieves the result of a submission.
Get Submission Status | Retrieves the status of a submission.
Submit URL | Submits a URL for scanning.
Submit a File | Submits a file for analysis.
Get Yararules | Retrieves a list of YARA rule files.
Get Alerts | Retrieves a list of alerts.
Get Alert | Retrieves the details of an alert.
Get Artifacts Data (zip) via Alert ID | Retrieves artifact data in ZIP format using the alert ID.
Get Artifacts Data (zip) via UUID | Retrieves artifact data in ZIP format using the UUID.
Get Artifacts Metadata via Alert ID | Retrieves the metadata of an artifact using the alert ID.
Get Artifacts Metadata via UUID | Retrieves the metadata of an artifact using the UUID.

Configuration Parameters

The following configuration parameters are required for the FireEye Malware Analysis (AX) app to communicate with the FireEye Malware Analysis (AX) enterprise application. The parameters can be configured by creating instances in the app.

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
Base URL | Enter the base URL. | Text | Required |
Username | Enter the username. | Text | Required |
Password | Enter the password. | Password | Required |
Client Token | Enter the client token. | Text | Optional |
Port | Enter the port number for endpoint access. | Text | Optional | Default value: 443
SSL Verify | Whether to verify the SSL certificate of the FireEye AX endpoint or skip verification. | Boolean | Optional | Allowed values: True, False. Default value: False
API Version | Enter the API version. | Text | Optional | Allowed values: v1.1.0, v2.0.0. Default value: "v1.1.0"

Action: Get Submission Result

This action retrieves the result of a submission.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
Submission ID | Enter the submission ID. | Text | Required |
Information Level | Enter the information level. | Text | Optional | Allowed values: normal, extended. Default value: "normal"

Action: Get Submission Status

This action retrieves the status of a submission.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
Submission ID | Enter the submission ID. | Text | Required |

Action: Submit URL

This action submits a URL for scanning.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
URLs | Enter the list of URLs. | List | Required |
Profiles | Enter the list of profiles. Example: [win7-sp1] | List | Required |
Application ID | Enter the application ID. | Text | Required |
Analysis Type | Enter the analysis type. | Text | Optional | Allowed values: 1 (live), 2 (sandbox). Default value: "1"
Priority | Enter the priority. | Integer | Optional | Allowed values: 0 (normal), 1 (urgent). Default value: 0
Force | Whether to force analysis. | Boolean | Optional | Allowed values: true (force analysis), false (do not analyze duplicate URLs). Default value: false
Prefetch | Enter the prefetch preference. | Integer | Optional | Allowed values: 0 (No), 1 (Yes). Default value: 0
Time Out | Enter the timeout in seconds. | Text | Optional | Default value: "500"
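The following is an added example, not Cyware's or FireEye's code, tying together the Configuration Parameters table with the Submit URL, Get Submission Status and Get Submission Result actions: it checks the Submit URL inputs against the allowed values documented above, builds the request body, polls the status until the submission finishes, and then fetches the result at the requested information level. The /wsapis/<version>/ path layout, the JSON field names and the status strings are assumptions about the AX API; the transport is a constructed in-memory fake so the flow runs offline, and the SSL Verify setting defaults to True here even though the connector's own default is False.

```python
"""Validate Submit URL inputs and drive the submit -> status -> result flow.

Added example for this connector reference; not Cyware's or FireEye's code.
The path layout, field names and status strings are assumptions; the
transport is a constructed fake so everything runs offline.
"""

# Allowed values and defaults as listed in the action tables on the page.
ANALYSIS_TYPES = {"1": "live", "2": "sandbox"}
PRIORITIES = {0: "normal", 1: "urgent"}
PREFETCH = {0: "no", 1: "yes"}
API_VERSIONS = ("v1.1.0", "v2.0.0")
INFO_LEVELS = ("normal", "extended")
TERMINAL_STATES = {"Done", "Failed"}  # assumed status strings, not from the page


class AxInstance:
    """The app instance settings from the Configuration Parameters table."""

    def __init__(self, base_url, username, password, client_token=None,
                 port=443, ssl_verify=True, api_version="v1.1.0"):
        if api_version not in API_VERSIONS:
            raise ValueError(f"API Version must be one of {API_VERSIONS}")
        if not 0 < int(port) < 65536:
            raise ValueError("Port must be between 1 and 65535")
        self.base_url = base_url.rstrip("/")
        self.auth = (username, password)
        self.client_token = client_token
        self.port = int(port)
        # The connector's default is False, which leaves the appliance's TLS
        # certificate unchecked; this example verifies it unless told otherwise.
        self.ssl_verify = bool(ssl_verify)
        self.api_version = api_version

    def endpoint(self, path):
        """Assumed layout: https://host:port/wsapis/<api_version>/<path>."""
        return f"{self.base_url}:{self.port}/wsapis/{self.api_version}/{path.lstrip('/')}"


def build_url_submission(urls, profiles, application_id, analysis_type="1",
                         priority=0, force=False, prefetch=0, timeout="500"):
    """Check the Submit URL inputs against the allowed values; return the body."""
    if not urls or not all(isinstance(u, str) and u.startswith(("http://", "https://")) for u in urls):
        raise ValueError("URLs must be a non-empty list of http(s) URLs")
    if not profiles:
        raise ValueError("Profiles must name at least one guest image, e.g. win7-sp1")
    if str(analysis_type) not in ANALYSIS_TYPES:
        raise ValueError("Analysis Type must be 1 (live) or 2 (sandbox)")
    if priority not in PRIORITIES:
        raise ValueError("Priority must be 0 (normal) or 1 (urgent)")
    if prefetch not in PREFETCH:
        raise ValueError("Prefetch must be 0 (No) or 1 (Yes)")
    if not isinstance(force, bool):
        raise ValueError("Force must be a boolean")
    if not str(timeout).isdigit():
        raise ValueError("Time Out must be a whole number of seconds")
    # Field names below are assumed; the page documents only the action inputs.
    return {
        "urls": list(urls),
        "profiles": list(profiles),
        "application": str(application_id),
        "analysistype": str(analysis_type),
        "priority": str(priority),
        "force": "true" if force else "false",
        "prefetch": str(prefetch),
        "timeout": str(timeout),
    }


class FakeAxTransport:
    """Constructed stand-in for the appliance that returns canned answers."""

    def __init__(self, statuses):
        self._statuses = list(statuses)
        self.submitted = []

    def submit_url(self, payload):
        self.submitted.append(payload)
        return "sub-0001"  # constructed submission ID

    def submission_status(self, submission_id):
        # Hand out the scripted statuses in order, repeating the last one.
        return self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]

    def submission_result(self, submission_id, info_level):
        return {"submission_id": submission_id, "info_level": info_level, "verdict": "malicious"}


def submit_and_wait(transport, payload, info_level="normal", max_polls=10):
    """Submit URL, poll Get Submission Status, then call Get Submission Result."""
    if info_level not in INFO_LEVELS:
        raise ValueError("Information Level must be normal or extended")
    submission_id = transport.submit_url(payload)
    status = None
    for _ in range(max_polls):
        status = transport.submission_status(submission_id)
        if status in TERMINAL_STATES:
            break
    else:
        raise TimeoutError(f"{submission_id} still {status!r} after {max_polls} polls")
    if status != "Done":
        raise RuntimeError(f"{submission_id} finished with status {status!r}")
    return transport.submission_result(submission_id, info_level)
```

A playbook that bounds `max_polls` (or a wall-clock budget) fails closed instead of spinning on a submission the appliance never finishes, and the input checks reject a misconfigured action before anything reaches the appliance.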

Action: Submit a File

This action submits a file for analysis.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
File Path | Enter the file path. | Text | Required |
Profiles | Enter the list of profiles. Example: [win7-sp1] | List | Required |
Application ID | Enter the application ID. | Text | Required |
Analysis Type | Enter the analysis type. | Text | Optional | Allowed values: 1 (live), 2 (sandbox). Default value: "1"
Priority | Enter the priority. | Text | Optional | Allowed values: 0 (normal), 1 (urgent). Default value: "0"
Force | Whether to force analysis. | Boolean | Optional | Allowed values: true (force analysis), false (do not analyze duplicate URLs). Default value: false
Prefetch | Enter the prefetch preference. | Text | Optional | Allowed values: 0 (No), 1 (Yes). Default value: "0"
Time out | Enter the timeout in seconds. | Text | Optional | Default value: "500"
Extra Params | Enter the extra parameters in key-value pairs. | Key Value | Optional | Allowed keys are listed below the table.

Allowed keys for Extra Params:

  • enable_vnc (bool): default value false (only for API >v2)

  • properties (str)

  • application_context:

    • arguments

    • file name

    • file path

    • parent path

    • file owner or creator

    • permissions

  • guest_config: guest images configuration

  • artifact_extract_config: artifact extraction parameters

Action: Get Yararules

This action retrieves a list of YARA rule files.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
Yara Type | Enter the YARA type. | Text | Optional | Allowed values are listed below the table. Default value: "base"
Extra params | Enter the extra parameters in key-value pairs. | Key Value | Optional |

Allowed values for Yara Type:

  • active_content: Extracts the macros from files and executes special.

  • base: If the file contains a macro, it does not extract and analyze macros.

  • all: Does both.

Action: Get Alerts

This action retrieves a list of alerts.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
Extra Params | Enter the extra parameters in key-value pairs. | Key Value | Optional | Allowed keys are listed below the table.

Allowed keys for Extra Params:

  • alert_id (id)

  • callback_domain (domain): FQDN

  • dst_ip (ip)

  • duration (time_interval): used with start_time or end_time; values such as 1_hour, 12_hour. Example: duration=1_hour&start_time=2017-06-21t16:30:00.000-07:00&end_time=2017-06-21t16:30:00.000-07:00

  • start_time (time): used together with duration. Example: duration=1_hour&start_time=2017-06-21t16:30:00.000-07:00

  • end_time (time): used together with duration. Example: duration=1_hour&end_time=2017-06-21t16:30:00.000-07:00

  • file_name (str)

  • file_type (str)

  • info_level (str):

    • concise

    • normal

    • extended

  • malware_name (str)

  • malware_type (str):

    • domain_match

    • malware_callback

    • malware_object

    • web_infection

    • infection_match

  • md5

  • recipient_email

  • sender_email

  • src_ip (ip)

  • url (uri)
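As an added example (not Cyware's or FireEye's code), the function below turns a dictionary of Get Alerts Extra Params into the query string shown in the examples above, rejecting keys the page does not list, info_level and malware_type values outside the documented sets, and a start_time or end_time supplied without a duration. The `N_hour` duration pattern and the IP address and MD5 format checks are this example's own assumptions.

```python
"""Build and sanity-check the Extra Params filter for the Get Alerts action.

Added example for this connector reference page, not Cyware's or FireEye's
code. It enforces only what the page lists (known keys, info_level and
malware_type values, start_time/end_time needing duration); the duration
pattern and the IP/MD5 checks are assumptions.
"""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlencode

KNOWN_KEYS = {
    "alert_id", "callback_domain", "dst_ip", "duration", "start_time", "end_time",
    "file_name", "file_type", "info_level", "malware_name", "malware_type", "md5",
    "recipient_email", "sender_email", "src_ip", "url",
}
INFO_LEVELS = {"concise", "normal", "extended"}
MALWARE_TYPES = {"domain_match", "malware_callback", "malware_object",
                 "web_infection", "infection_match"}
DURATION_RE = re.compile(r"^\d+_hour$")   # page shows 1_hour and 12_hour
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def check_timestamp(value):
    """Accept the page's form 2017-06-21t16:30:00.000-07:00 (lowercase t)."""
    if len(value) < 11 or value[10] not in "Tt":
        raise ValueError(f"bad timestamp {value!r}")
    # fromisoformat raises ValueError on anything that is not a real timestamp.
    datetime.fromisoformat(value[:10] + "T" + value[11:])


def build_alerts_query(params):
    """Validate a dict of Extra Params and return the URL query string."""
    unknown = set(params) - KNOWN_KEYS
    if unknown:
        raise ValueError(f"unknown Extra Params keys: {sorted(unknown)}")
    if "info_level" in params and params["info_level"] not in INFO_LEVELS:
        raise ValueError("info_level must be concise, normal or extended")
    if "malware_type" in params and params["malware_type"] not in MALWARE_TYPES:
        raise ValueError(f"malware_type must be one of {sorted(MALWARE_TYPES)}")
    for key in ("src_ip", "dst_ip"):
        if key in params:
            ipaddress.ip_address(params[key])  # ValueError if not an IP address
    if "md5" in params and not MD5_RE.match(params["md5"]):
        raise ValueError("md5 must be 32 hexadecimal characters")
    if "duration" in params and not DURATION_RE.match(params["duration"]):
        raise ValueError("duration must look like 1_hour or 12_hour")
    for key in ("start_time", "end_time"):
        if key in params:
            if "duration" not in params:
                raise ValueError(f"{key} is only meaningful together with duration")
            check_timestamp(params[key])
    # Keep ':' literal so the output matches the examples on the page.
    return urlencode(params, safe=":")
```

Validating the filter in the playbook keeps a typo such as `info_level=verbose` or a malformed timestamp from being sent as a request that returns an unbounded or empty alert set.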

Action: Get Alert

This action retrieves the details of an alert.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
Alert ID | Enter the alert ID. | Text | Required |

Action: Get Artifacts Data (zip) via Alert ID

This action retrieves artifact data in ZIP format using the alert ID.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
Alert ID | Enter the alert ID. | Text | Required |
Alert Type | Enter the alert type. Example: "malwareobject" | Text | Required |

Action: Get Artifacts Data (zip) via UUID

This action retrieves artifact data in ZIP format using the UUID.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
UUID | Enter the UUID. | Text | Required |
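The ZIP returned by the two Get Artifacts Data (zip) actions holds files captured during detonation, so a playbook should treat it as hostile input. The added example below (not Cyware's or FireEye's code) catalogues and hashes the members in memory without ever extracting them onto the Orchestrate host, flags entries whose names climb out of a target directory or that are encrypted, and stops reading any member that grows past a cap regardless of the size its header declares. The sample archive is constructed inside the block so the check runs offline; the 50 MB cap is an arbitrary example value.

```python
"""Inspect a FireEye AX artifact ZIP in memory without extracting it.

Added example for this connector reference page, not Cyware's or FireEye's
code. make_sample_zip() builds a constructed archive so the check runs
offline; MAX_MEMBER_BYTES is an arbitrary example cap.
"""
import hashlib
import io
import posixpath
import zipfile

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # example cap against oversized members


def is_unsafe_path(name):
    """True for absolute names, drive letters, or names that climb out via '..'."""
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or ":" in normalized.split("/")[0]:
        return True
    return ".." in posixpath.normpath(normalized).split("/")


def inspect_artifact_zip(data, max_member_bytes=MAX_MEMBER_BYTES):
    """Return one record per member: name, declared size, SHA-256 and flags.

    Members are streamed and hashed in chunks; reading stops as soon as a
    member exceeds the cap, whatever its central-directory header claims.
    """
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rec = {"name": info.filename, "declared_size": info.file_size,
                   "sha256": None, "flags": []}
            if info.is_dir():
                rec["flags"].append("directory")
                records.append(rec)
                continue
            if is_unsafe_path(info.filename):
                rec["flags"].append("path_traversal")
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                rec["flags"].append("encrypted")
                records.append(rec)
                continue
            digest = hashlib.sha256()
            total = 0
            with zf.open(info) as member:
                for chunk in iter(lambda: member.read(65536), b""):
                    total += len(chunk)
                    if total > max_member_bytes:
                        rec["flags"].append("too_large")
                        break
                    digest.update(chunk)
                else:
                    rec["sha256"] = digest.hexdigest()
            records.append(rec)
    return records


def make_sample_zip():
    """Constructed sample: a dropped file, an empty file, a traversal entry, a big file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dropped/stage2.bin", b"MZ constructed sample")
        zf.writestr("dropped/empty.txt", b"")
        zf.writestr("../../etc/cron.d/evil", b"constructed traversal entry")
        zf.writestr("memdump.raw", b"\x00" * 1024)
    return buf.getvalue()
```

The records (name, size, SHA-256, flags) are what a playbook would attach to the case or hand to a separate malware analyst; the bytes themselves stay inside the ZIP.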

Action: Get Artifacts Metadata via Alert ID

This action retrieves the metadata of an artifact using the alert ID.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
Alert ID | Enter the alert ID. | Text | Required |
Alert Type | Enter the alert type. Example: "malwareobject" | Text | Required |

Action: Get Artifacts Metadata via UUID

This action retrieves the metadata of an artifact using the UUID.

Action Input Parameters

Parameter | Description | Field Type | Required/Optional | Comments
--- | --- | --- | --- | ---
UUID | Enter the UUID. | Text | Required |