
Intezer


Intezer is a platform built to analyze and investigate every alert like an experienced security analyst and reverse engineer.

Connect Intezer with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Intezer.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).

  7. Intezer API Key: API Key for Intezer.

  8. After you've entered all the details, click Connect.

Get Latest Hash Result

This endpoint enables you to retrieve the latest available results of a previously analyzed file by specifying its hash.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-- | :-- | :-- |
| Hash Value | Jinja-templated text containing the hash value | Required |
| Should Only Get Private Analyses | Jinja-templated text containing the boolean. Default is 'false' | Optional |
| Should Only Get Composed Analyses | Jinja-templated text containing the boolean. Default is 'true' | Optional |

Output

JSON containing the following items:

```json
{
  "result": {
    "analysis_id": "7e812ee9-701b-4bd2-9c48-asdfasdf6afb",
    "analysis_time": "Wed, 30 Aug 2023 12:15:50 GMT",
    "analysis_url": "https://analyze.intezer.com/analyses/7e812ee9-701b-4bd2-9c48-asdfasdfasdfafb",
    "file_name": "c8ed1easdfasdfasdfd4fe98a7",
    "is_private": true,
    "sha256": "844491c8asdfasdfasdfasdfsadfa72696eb4b41bbe",
    "sub_verdict": "inconclusive",
    "verdict": "unknown"
  },
  "has_error": false,
  "error": null,
  "status": "succeeded",
  "result_url": "/analyses/7e812ee9-701b-4bd2-9c48-asdfasdasdfafb"
}
```

## Analyze a File

This endpoint enables you to submit a file to be analyzed.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-- | :-- | :-- |
| File Id | [Jinja-templated](doc:jinja-template) text containing the file id. | Required |
| Additional Fields | [Jinja-templated](doc:jinja-template) JSON containing the additional fields to be passed on Intezer API. Example '{"code_item_type":"file","disable_dynamic_execution":"false"}' | Optional |

### Output

JSON containing the following items:

```json
{
  "result_url": "/analyses/7e812ee9-701b-4bd2-9c48-asdfasdfasdafb",
  "error": null,
  "has_error": false
}
```

Get Analysis Result

This endpoint retrieves a summary of a file analysis; the summary provides high-level analysis results.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-- | :-- | :-- |
| Analysis Id | Jinja-templated text containing the analysis Id. | Required |

Output

JSON containing the following items:

```json
{
  "result": {
    "analysis_id": "9ca16018-abb5-4d39-b16a-asdfasdfsdf992",
    "analysis_time": "Wed, 30 Aug 2023 11:45:26 GMT",
    "analysis_url": "https://analyze.intezer.com/analyses/9ca16018-abb5-4d39-b16a-asdfasdfasdf992",
    "file_name": "a8bb5f931f8b446fab071cbe6c58196f",
    "is_private": true,
    "sha256": "844491c83df1asdfasdfasdfasdfsadfasdfecdccd7955a72696eb4b41bbe",
    "sub_verdict": "inconclusive",
    "verdict": "unknown"
  },
  "has_error": false,
  "error": null,
  "status": "succeeded",
  "result_url": "/analyses/9ca16018-abb5-4d39-b16a-asdfasdf992"
}
```
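Get Latest Hash Result, Analyze a File and Get Analysis Result form one playbook flow: look the hash up first, submit the file only when Intezer has no usable verdict, then read the summary by its Analysis Id. The helpers below are an added example (not Devo SOAR's or Intezer's code) that glue those three response shapes together; the sample responses are constructed from the layouts documented above, and the mapping of verdicts to playbook outcomes is an assumption a team would tune.

```python
from typing import Optional
from urllib.parse import urlparse


def analysis_id_from_result_url(result_url: str) -> str:
    """Analyze a File / Analyze A URL return only result_url ('/analyses/<id>'
    or '/url/<id>'); the Get ... Result actions need the bare id, so take the
    last path segment and refuse anything outside those two prefixes."""
    path = urlparse(result_url).path.rstrip("/")
    prefix, _, analysis_id = path.rpartition("/")
    if prefix not in ("/analyses", "/url") or not analysis_id:
        raise ValueError(f"unexpected result_url: {result_url!r}")
    return analysis_id


def next_step(resp: dict) -> str:
    """Playbook decision after Get Latest Hash Result (assumed policy):
    retry on error or unfinished status, submit the full file when there is no
    result or the verdict is 'unknown' (e.g. sub_verdict 'inconclusive'),
    escalate on 'malicious', otherwise hand to an analyst."""
    if resp.get("has_error") or resp.get("status") != "succeeded":
        return "retry"
    result = resp.get("result")
    if not result:
        return "submit_file"
    verdict = result.get("verdict")
    if verdict == "malicious":
        return "escalate"
    if verdict == "unknown":
        return "submit_file"
    return "review"


def case_note(resp: dict) -> dict:
    """Fields from a Get Analysis Result response worth pinning to the case."""
    result = resp.get("result") or {}
    keys = ("analysis_id", "analysis_url", "sha256", "verdict", "sub_verdict")
    return {k: result.get(k) for k in keys}


# Constructed sample responses (placeholder ids/hashes, not real analyses).
HASH_LOOKUP = {
    "result": {"analysis_id": "00000000-0000-4000-8000-000000000001",
               "analysis_url": "https://analyze.intezer.com/analyses/00000000-0000-4000-8000-000000000001",
               "sha256": "<placeholder-sha256>", "sub_verdict": "inconclusive",
               "verdict": "unknown"},
    "has_error": False, "error": None, "status": "succeeded",
    "result_url": "/analyses/00000000-0000-4000-8000-000000000001",
}
SUBMIT_RESPONSE = {"result_url": "/analyses/00000000-0000-4000-8000-000000000002",
                   "error": None, "has_error": False}
```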

## Download PCAP

Download the PCAP file of a specific analysis.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-- | :-- | :-- |
| Analysis Id | [Jinja-templated](doc:jinja-template) text containing the analysis Id. | Required |

### Output

JSON containing the following items:

```json
{
  "fileId": "20335089f4bb4ccasdfasdfsadf06be.pcap",
  "error": null,
  "has_error": false
}
```

Get File Metadata

Get the root analysis sample's metadata.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-- | :-- | :-- |
| Analysis Id | Jinja-templated text containing the analysis Id. | Required |

Output

JSON containing the following items:

```json
{
  "sha1": "eff2883619ff1asdfasdfasdfsadfef634f",
  "sha256": "844491c83df175a63e2f7asdfasdfasdfasdf72696eb4b41bbe",
  "has_error": false,
  "size_in_bytes": 873,
  "md5": "c47ba7e012asdfasdfasdf7daf",
  "error": null,
  "ssdeep": "12:XKNzeiilnuPf5yblaB+qjptPf5asdfasdfasdfasdfasdfasdfasfdsadfsadfKFe8sblaTsbZ1UwJuBamLuNDqDkGHSB",
  "indicators": [
    {
      "classification": "informative",
      "name": "non_executable"
    }
  ],
  "file_type": "non executable"
}
```

## Analyze A URL

Submits a URL to be analyzed.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-- | :-- | :-- |
| URL | [Jinja-templated](doc:jinja-template) text containing URL to analyze. | Required |

### Output

JSON containing the following items:

```json
{
  "result_url": "/url/0833e33b-2dcd-4d48-a853-8b4822675911",
  "error": null,
  "has_error": false
}
```

Get URL Analysis Result

This endpoint retrieves a summary of a URL analysis; the summary provides high-level analysis results.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-- | :-- | :-- |
| Analysis Id | Jinja-templated text containing the analysis Id. | Required |

Output

JSON containing the following items:

```json
{
  "result": {
    "analysis_id": "0833e33b-2dcd-4d48-a853-8b4822675911",
    "analysis_time": "Wed, 17 Oct 2018 15:16:45 GMT",
    "analysis_url": "https://analyze.intezer.com/url/0833e33b-2dcd-4d48-a853-8b4822675911",
    "api_void_risk_score": 0,
    "domain_info": {
      "creation_date": "1997-08-13 04:00:00.000000",
      "domain_name": "string",
      "registrar": "TUCOWS, INC."
    },
    "downloaded_file": {
      "analysis_id": "string",
      "analysis_summary": {
        "verdict_description": "string",
        "verdict_name": "malicious",
        "verdict_type": "malicious"
      },
      "sha256": "string"
    },
    "indicators": [
      {
        "classification": "string",
        "text": "string"
      }
    ],
    "ip": "string",
    "redirect_chain": [
      {
        "response_status": 0,
        "url": "string"
      }
    ],
    "scanned_url": "https://www.intezer.com",
    "submitted_url": "www.intezer.com",
    "summary": {
      "main_connection_gene_count": 0,
      "main_connection_gene_percentage": 0,
      "title": "string",
      "verdict_name": "phishing",
      "verdict_type": "malicious"
    }
  },
  "result_url": "/analyses/0833e33b-2dcd-4d48-a853-8b4822675911",
  "status": "succeeded",
  "error": null,
  "has_error": false
}
```

Get Family Artifacts

Generate artifacts by family report

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-- | :-- | :-- |
| Family Id | Jinja-templated text containing the family Id. | Required |
| First Seen | Jinja-templated text containing a first-seen Unix timestamp; only artifacts first seen between first_seen and the current timestamp are returned. Example: '1652083866' | Optional |

Output

JSON containing the following items:

```json
{
  "result_url": "/families/0833e33b-2dcd-4d48-a853-8b4822675911/artifacts",
  "status": "string",
  "error": null,
  "has_error": false
}
```

Get Code Reuse

Get code reuse findings for the root analysis

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-- | :-- | :-- |
| Analysis Id | Jinja-templated text containing the analysis Id. | Required |

Output

JSON containing the following items:

```json
{
  "common_gene_count": 399,
  "gene_count": 396,
  "gene_type": "native_windows",
  "unique_gene_count": 23,
  "families": [
    {
      "family_id": "f547e65e-3160-4f50-8f12-781679173ba4",
      "family_name": "Longhorn",
      "family_type": "malware",
      "reused_gene_count": 220
    },
    {
      "family_id": "0d4b51b7-c4cf-4969-adf6-1291f1a507ea",
      "family_name": "Plexor",
      "family_type": "malware",
      "reused_gene_count": 4
    },
    {
      "family_id": "94c0fcf1-b017-46af-a01e-9c2791f27c7b",
      "family_name": "The Qt Company Ltd",
      "family_type": "library",
      "reused_gene_count": 72
    },
    {
      "family_id": "d803322d-e659-44fd-a198-bc8b42397b04",
      "family_name": "Microsoft Visual C/C++ Libraries",
      "family_type": "library",
      "reused_gene_count": 63
    }
  ],
  "error": null,
  "has_error": false
}
```
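The families list above mixes malware families with benign libraries (Qt, the MSVC runtime), and only the former is evidence of a relationship, so a playbook has to split them before it names a family. The following is an added example (not Devo SOAR's or Intezer's code) that ranks families by reused genes relative to the sample's gene_count; the sample input is constructed from the documented output, and the 5% minimum share is an assumed threshold.

```python
from typing import Dict, List, Optional

# Constructed sample, copied from the documented Get Code Reuse output above.
CODE_REUSE = {
    "common_gene_count": 399, "gene_count": 396, "gene_type": "native_windows",
    "unique_gene_count": 23,
    "families": [
        {"family_id": "f547e65e-3160-4f50-8f12-781679173ba4", "family_name": "Longhorn",
         "family_type": "malware", "reused_gene_count": 220},
        {"family_id": "0d4b51b7-c4cf-4969-adf6-1291f1a507ea", "family_name": "Plexor",
         "family_type": "malware", "reused_gene_count": 4},
        {"family_id": "94c0fcf1-b017-46af-a01e-9c2791f27c7b", "family_name": "The Qt Company Ltd",
         "family_type": "library", "reused_gene_count": 72},
        {"family_id": "d803322d-e659-44fd-a198-bc8b42397b04",
         "family_name": "Microsoft Visual C/C++ Libraries",
         "family_type": "library", "reused_gene_count": 63},
    ],
    "error": None, "has_error": False,
}


def reuse_breakdown(resp: dict) -> Dict[str, List[dict]]:
    """Group families by family_type ('malware', 'library', ...), attach each
    family's share of the sample's genes, and sort each group by reuse."""
    if resp.get("has_error"):
        raise RuntimeError(f"Get Code Reuse failed: {resp.get('error')}")
    gene_count = resp.get("gene_count") or 0
    groups: Dict[str, List[dict]] = {}
    for fam in resp.get("families", []):
        reused = fam["reused_gene_count"]
        groups.setdefault(fam["family_type"], []).append({
            "name": fam["family_name"],
            "id": fam["family_id"],
            "reused": reused,
            "share": round(reused / gene_count, 3) if gene_count else 0.0,
        })
    for fams in groups.values():
        fams.sort(key=lambda f: f["reused"], reverse=True)
    return groups


def top_malware_family(resp: dict, min_share: float = 0.05) -> Optional[str]:
    """Name the malware family with the most reused genes when its share of the
    sample meets min_share; library reuse is ignored on purpose, since shared
    runtime code says nothing about who wrote the sample."""
    malware = reuse_breakdown(resp).get("malware", [])
    if malware and malware[0]["share"] >= min_share:
        return malware[0]["name"]
    return None
```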

Release Notes

  • v1.1.3 - Updated the description of Analyze a File.

  • v1.1.1 - Added 6 new actions: Analyze A URL, Get URL Analysis Result, Get Quota Usage, Get Family Artifacts, Get An Artifacts By Family Report and Get Code Reuse.

  • v1.0.1 - Introduced integration with actions: Get Latest Hash Result, Analyze a File, Get Analysis Result, Download PCAP and Get File Metadata.