Publisher: VMRay
Connector Version: 2.3.0
Product Vendor: VMRay GmbH
Product Name: VMRay Platform
Product Version Supported (regex): ".*"
Minimum Product Version: 5.3.4
This app enables you to detonate files and URLs and perform investigative actions using the VMRay Platform, giving you automated analysis and advanced threat detection through an agentless, hypervisor-based sandbox.
The app communicates with the VMRay server over HTTP/HTTPS. Below are the default ports used by Splunk SOAR.
Service Name | Transport Protocol | Port |
---|---|---|
http | tcp | 80 |
https | tcp | 443 |
The following configuration variables are required for this connector to operate. They are set when configuring a VMRay Platform asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
vmray_server | required | string | Server IP/Hostname |
vmray_api_key | required | password | API Key |
disable_cert_verification | optional | boolean | Disable TLS certificate verification of the VMRay server (not recommended: the API key is then sent to any host that answers at vmray_server; prefer installing the server's CA certificate) |
test connectivity - Validate the asset configuration for connectivity
get file - Download a file from the VMRay Platform and add it to the vault
detonate file - Detonate file in the VMRay Platform
detonate url - Detonate a URL in the VMRay Platform
get report - Get the report(s) for a submission
get info - Get information of a specific sample
Validate the asset configuration for connectivity
Type: test
Read only: True
No parameters are required for this action
No Output
Download a file from the VMRay Platform and add it to the vault
Type: investigate
Read only: True
Downloads the file with the given hash from the VMRay Platform and adds it to the vault. This action returns a vault id which can be used to detonate the file.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | The hash of the file to be downloaded | string | hash sha256 sha1 md5 |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.hash | string | hash md5 sha1 sha256 |
action_result.data.*.vault_id | string | vault id |
action_result.status | string | |
action_result.message | string | |
action_result.summary.vault_id | string | vault id |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Detonate file in the VMRay Platform
Type: generic
Read only: False
The file_name parameter overrides the file name; if none is given, the app tries to take the file name from the vault's metadata. The type parameter overrides the VMRay Platform's automatic sample-type detection. The config parameter specifies additional configuration options passed to the VMRay Platform (see user_config in the REST API documentation). With jobrules you can specify custom jobrule entries (see jobrule_entries in the REST API documentation). The action returns the submission ID in action_result.summary.submission_id; if action_result.summary.submission_finished is false, use get report with that ID to collect the finished analysis.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
vault_id | required | The vault_id of the file to be analyzed | string | vault id |
ioc_only | optional | Only import artifacts that are IOCs | boolean | |
file_name | optional | The file name to use | string | file name |
comment | optional | Comment for this submission | string | |
tags | optional | Tags for this submission | string | |
type | optional | The sample type | string | |
config | optional | Additional configuration | string | |
jobrules | optional | Jobrules | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.tags | string | |
action_result.parameter.ioc_only | boolean | |
action_result.parameter.vault_id | string | vault id |
action_result.parameter.type | string | |
action_result.parameter.jobrules | string | |
action_result.parameter.comment | string | |
action_result.parameter.config | string | |
action_result.parameter.file_name | string | file name |
action_result.data.*.analysis.analysis_analyzer_id | numeric | |
action_result.data.*.analysis.analysis_analyzer_name | string | |
action_result.data.*.analysis.analysis_analyzer_version | string | |
action_result.data.*.analysis.analysis_configuration_id | numeric | |
action_result.data.*.analysis.analysis_configuration_name | string | |
action_result.data.*.analysis.analysis_created | string | |
action_result.data.*.analysis.analysis_job_id | numeric | |
action_result.data.*.analysis.analysis_job_started | string | |
action_result.data.*.analysis.analysis_jobrule_id | numeric | |
action_result.data.*.analysis.analysis_jobrule_sampletype | string | |
action_result.data.*.analysis.analysis_prescript_id | numeric | |
action_result.data.*.analysis.analysis_priority | numeric | |
action_result.data.*.analysis.analysis_result_code | numeric | |
action_result.data.*.analysis.analysis_result_str | string | |
action_result.data.*.analysis.analysis_sample_id | numeric | vmray sample id |
action_result.data.*.analysis.analysis_sample_md5 | string | md5 |
action_result.data.*.analysis.analysis_sample_sha1 | string | sha1 |
action_result.data.*.analysis.analysis_sample_sha256 | string | sha256 |
action_result.data.*.analysis.analysis_verdict | string | |
action_result.data.*.analysis.analysis_size | numeric | |
action_result.data.*.analysis.analysis_snapshot_id | numeric | |
action_result.data.*.analysis.analysis_snapshot_name | string | |
action_result.data.*.analysis.analysis_submission_id | numeric | vmray submission id |
action_result.data.*.analysis.analysis_user_email | string | |
action_result.data.*.analysis.analysis_user_id | numeric | |
action_result.data.*.analysis.analysis_vm_id | numeric | |
action_result.data.*.analysis.analysis_vm_name | string | |
action_result.data.*.analysis.analysis_vmhost_id | numeric | |
action_result.data.*.analysis.analysis_vmhost_name | string | |
action_result.data.*.analysis.analysis_vti_built_in_rules_version | string | |
action_result.data.*.analysis.analysis_vti_custom_rules_hash | string | |
action_result.data.*.analysis.analysis_vti_score | numeric | |
action_result.data.*.analysis.analysis_webif_url | string | |
action_result.data.*.analysis.analysis_yara_latest_ruleset_date | string | |
action_result.data.*.analysis.analysis_yara_match_count | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_created | string | |
action_result.data.*.reputation_lookup.reputation_lookup_id | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_job_id | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_result_code | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_sample_id | numeric | vmray sample id |
action_result.data.*.reputation_lookup.reputation_lookup_sample_md5 | string | md5 |
action_result.data.*.reputation_lookup.reputation_lookup_sample_sha1 | string | sha1 |
action_result.data.*.reputation_lookup.reputation_lookup_sample_sha256 | string | sha256 |
action_result.data.*.reputation_lookup.reputation_lookup_verdict | string | |
action_result.data.*.reputation_lookup.reputation_lookup_submission_id | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_user_email | string | |
action_result.data.*.reputation_lookup.reputation_lookup_user_id | numeric | |
action_result.data.*.analysis.summary.extracted_files.*.md5_hash | string | md5 |
action_result.data.*.analysis.summary.extracted_files.*.sha1_hash | string | sha1 |
action_result.data.*.analysis.summary.extracted_files.*.sha256_hash | string | sha256 |
action_result.data.*.analysis.summary.extracted_files.*.norm_filename | string | file path |
action_result.data.*.analysis.summary.artifacts.ips.*.ip_address | string | ip |
action_result.data.*.analysis.summary.artifacts.urls.*.url | string | url |
action_result.data.*.analysis.summary.artifacts.mutexes.*.mutex_name | string | |
action_result.data.*.analysis.summary.artifacts.registry.*.reg_key_name | string | |
action_result.data.*.analysis.summary.artifacts.files.*.norm_filename | string | file path |
action_result.data.*.analysis.summary.artifacts.domains.*.domain | string | domain |
action_result.data.*.analysis.summary.artifacts.emails.*.sender | string | email |
action_result.data.*.analysis.summary.artifacts.emails.*.subject | string | |
action_result.data.*.analysis.summary.artifacts.processes.*.cmd_line | string | |
action_result.data.*.analysis.summary.mitre_attack.techniques.*.description | string | |
action_result.data.*.analysis.summary.mitre_attack.techniques.*.id | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.category_desc | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.rule_score | numeric | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.operation_desc | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.rule_classifications | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.technique_desc | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.threat_names.*.name | string | |
action_result.data.*.analysis.analysis_id | numeric | vmray analysis id |
action_result.status | string | |
action_result.message | string | |
action_result.summary.submission_id | numeric | vmray submission id |
action_result.summary.submission_finished | boolean | |
action_result.summary.verdict | string | |
action_result.summary.url | string | |
action_result.summary.billing_type | string | |
action_result.summary.recursive_submission_ids.child_submission_ids.*.child_submission_id | numeric | vmray submission id |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Detonate a URL in the VMRay Platform
Type: generic
Read only: False
See detonate file for a detailed parameter description.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to detonate | string | url |
ioc_only | optional | Only import artifacts that are IOCs | boolean | |
comment | optional | Comment for this submission | string | |
tags | optional | Tags added for this submission | string | |
config | optional | Additional configuration | string | |
jobrules | optional | Jobrules | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.tags | string | |
action_result.parameter.jobrules | string | |
action_result.parameter.comment | string | |
action_result.parameter.config | string | |
action_result.parameter.url | string | url |
action_result.parameter.ioc_only | boolean | |
action_result.data.*.analysis.analysis_analyzer_id | numeric | |
action_result.data.*.analysis.analysis_analyzer_name | string | |
action_result.data.*.analysis.analysis_analyzer_version | string | |
action_result.data.*.analysis.analysis_configuration_id | numeric | |
action_result.data.*.analysis.analysis_configuration_name | string | |
action_result.data.*.analysis.analysis_created | string | |
action_result.data.*.analysis.analysis_id | numeric | vmray analysis id |
action_result.data.*.analysis.analysis_job_id | numeric | |
action_result.data.*.analysis.analysis_job_started | string | |
action_result.data.*.analysis.analysis_jobrule_id | numeric | |
action_result.data.*.analysis.analysis_jobrule_sampletype | string | |
action_result.data.*.analysis.analysis_prescript_id | numeric | |
action_result.data.*.analysis.analysis_priority | numeric | |
action_result.data.*.analysis.analysis_result_code | numeric | |
action_result.data.*.analysis.analysis_result_str | string | |
action_result.data.*.analysis.analysis_sample_id | numeric | vmray sample id |
action_result.data.*.analysis.analysis_sample_md5 | string | md5 |
action_result.data.*.analysis.analysis_sample_sha1 | string | sha1 |
action_result.data.*.analysis.analysis_sample_sha256 | string | sha256 |
action_result.data.*.analysis.analysis_verdict | string | |
action_result.data.*.analysis.analysis_size | numeric | |
action_result.data.*.analysis.analysis_snapshot_id | numeric | |
action_result.data.*.analysis.analysis_snapshot_name | string | |
action_result.data.*.analysis.analysis_submission_id | numeric | vmray submission id |
action_result.data.*.analysis.analysis_user_email | string | |
action_result.data.*.analysis.analysis_user_id | numeric | |
action_result.data.*.analysis.analysis_vm_id | numeric | |
action_result.data.*.analysis.analysis_vm_name | string | |
action_result.data.*.analysis.analysis_vmhost_id | numeric | |
action_result.data.*.analysis.analysis_vmhost_name | string | |
action_result.data.*.analysis.analysis_vti_built_in_rules_version | string | |
action_result.data.*.analysis.analysis_vti_custom_rules_hash | string | |
action_result.data.*.analysis.analysis_vti_score | numeric | |
action_result.data.*.analysis.analysis_webif_url | string | |
action_result.data.*.analysis.analysis_yara_latest_ruleset_date | string | |
action_result.data.*.analysis.analysis_yara_match_count | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_created | string | |
action_result.data.*.reputation_lookup.reputation_lookup_id | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_job_id | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_result_code | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_sample_id | numeric | vmray sample id |
action_result.data.*.reputation_lookup.reputation_lookup_sample_md5 | string | md5 |
action_result.data.*.reputation_lookup.reputation_lookup_sample_sha1 | string | sha1 |
action_result.data.*.reputation_lookup.reputation_lookup_sample_sha256 | string | sha256 |
action_result.data.*.reputation_lookup.reputation_lookup_verdict | string | |
action_result.data.*.reputation_lookup.reputation_lookup_submission_id | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_user_email | string | |
action_result.data.*.reputation_lookup.reputation_lookup_user_id | numeric | |
action_result.data.*.analysis.summary.extracted_files.*.md5_hash | string | md5 |
action_result.data.*.analysis.summary.extracted_files.*.sha1_hash | string | sha1 |
action_result.data.*.analysis.summary.extracted_files.*.sha256_hash | string | sha256 |
action_result.data.*.analysis.summary.extracted_files.*.norm_filename | string | file path |
action_result.data.*.analysis.summary.artifacts.ips.*.ip_address | string | ip |
action_result.data.*.analysis.summary.artifacts.urls.*.url | string | url |
action_result.data.*.analysis.summary.artifacts.mutexes.*.mutex_name | string | |
action_result.data.*.analysis.summary.artifacts.registry.*.reg_key_name | string | |
action_result.data.*.analysis.summary.artifacts.files.*.norm_filename | string | file path |
action_result.data.*.analysis.summary.artifacts.domains.*.domain | string | domain |
action_result.data.*.analysis.summary.artifacts.emails.*.sender | string | email |
action_result.data.*.analysis.summary.artifacts.emails.*.subject | string | |
action_result.data.*.analysis.summary.artifacts.processes.*.cmd_line | string | |
action_result.data.*.analysis.summary.mitre_attack.techniques.*.description | string | |
action_result.data.*.analysis.summary.mitre_attack.techniques.*.id | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.category_desc | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.rule_score | numeric | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.operation_desc | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.rule_classifications | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.technique_desc | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.threat_names.*.name | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary.submission_id | numeric | vmray submission id |
action_result.summary.submission_finished | boolean | |
action_result.summary.verdict | string | |
action_result.summary.url | string | |
action_result.summary.billing_type | string | |
action_result.summary.recursive_submission_ids.child_submission_ids.*.child_submission_id | numeric | vmray submission id |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get the report(s) for a submission
Type: investigate
Read only: True
This action requires a submission_id. The timeout parameter specifies how many seconds to wait for the report to finish before the action aborts. Zero means no wait: the action returns immediately with whatever the VMRay Platform has at that moment, so the report may be incomplete. If the parameter is not set, it defaults to five minutes (300 seconds).
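The detonate file and get report flow described above, as an added, runnable example; this is not the connector's code. The VMRay Platform is replaced by a constructed in-process stand-in, the `config` parameter is assumed to be a JSON object string (the page only says it maps to user_config), the `submission_finished` flag in the report summary, the artifact CEF field names and the `timed_out` marker are this example's assumptions, and the addresses, domain and hashes in the report are constructed. It implements the get report timeout semantics (unset: 300 s, 0: one check and return, N: wait up to N seconds) and flattens the `action_result.data.*.analysis.summary.*` paths listed in this page into de-duplicated artifacts.

```python
"""Added example (not the connector's code): detonate file -> get report
against a constructed in-process stand-in for the VMRay Platform, with the
get report timeout semantics described above (unset -> 300 s, 0 -> one
check and return, N -> wait up to N seconds) and the report data paths
flattened into SOAR-style artifacts."""
import json
import time
from typing import Callable, Optional

DEFAULT_TIMEOUT = 300  # get report: an unset timeout means five minutes

# (container under analysis.summary, list key, item field, artifact type, CEF field)
# The CEF field names are this example's assumption, not the connector's.
SUMMARY_PATHS = [
    ("artifacts", "ips", "ip_address", "ip", "destinationAddress"),
    ("artifacts", "urls", "url", "url", "requestURL"),
    ("artifacts", "domains", "domain", "domain", "destinationDnsDomain"),
    (None, "extracted_files", "sha256_hash", "file", "fileHashSha256"),
    ("mitre_attack", "techniques", "id", "mitre", "technique_id"),
]


def wait_for_report(fetch: Callable[[int], dict], submission_id: int,
                    timeout: Optional[int] = None, poll: float = 1.0,
                    clock=time.monotonic, sleep=time.sleep) -> dict:
    """Poll fetch(submission_id) until summary.submission_finished is true.
    timeout None -> DEFAULT_TIMEOUT; 0 -> a single fetch and no waiting."""
    limit = DEFAULT_TIMEOUT if timeout is None else timeout
    deadline = clock() + limit
    while True:
        result = fetch(submission_id)
        if result["summary"].get("submission_finished") or limit == 0:
            return result
        if clock() >= deadline:
            result["summary"]["timed_out"] = True  # marker set by this example only
            return result
        sleep(poll)


def report_to_artifacts(action_result: dict) -> list:
    """Walk action_result.data.*.analysis.summary.* and emit de-duplicated artifacts."""
    seen, out = set(), []
    for item in action_result.get("data", []):
        summary = item.get("analysis", {}).get("summary", {})
        for container, key, field, kind, cef in SUMMARY_PATHS:
            base = summary.get(container, {}) if container else summary
            for entry in base.get(key, []):
                value = entry.get(field)
                if value and (kind, value) not in seen:
                    seen.add((kind, value))
                    out.append({"type": kind, "cef": {cef: value}})
    return out


# Constructed report item shaped like the detonate file / get report data paths.
REPORT_ITEM = {"analysis": {"analysis_id": 42, "analysis_verdict": "malicious", "summary": {
    "extracted_files": [{"sha256_hash": "a" * 64, "norm_filename": r"C:\Users\user\dropped.exe"}],
    "artifacts": {"ips": [{"ip_address": "203.0.113.10"}, {"ip_address": "203.0.113.10"}],
                  "urls": [{"url": "http://203.0.113.10/gate.php"}],
                  "domains": [{"domain": "c2.example.net"}]},
    "mitre_attack": {"techniques": [{"id": "T1055", "description": "Process Injection"}]}}}}


class FakePlatform:
    """Stand-in for the VMRay Platform (not its REST API): the submission is
    reported finished on the finish_after-th report fetch."""

    def __init__(self, finish_after: int):
        self.finish_after, self.fetches, self.submissions = finish_after, 0, {}

    def detonate_file(self, vault_id: str, config: Optional[str] = None) -> dict:
        sid = 1000 + len(self.submissions)
        # `config` is assumed to be a JSON object string (see user_config).
        self.submissions[sid] = {"vault_id": vault_id, "config": json.loads(config or "{}")}
        return {"summary": {"submission_id": sid, "submission_finished": False}}

    def get_report(self, sid: int) -> dict:
        self.fetches += 1
        done = self.fetches >= self.finish_after
        return {"summary": {"submission_id": sid, "submission_finished": done,
                            "verdict": "malicious" if done else None},
                "data": [REPORT_ITEM] if done else []}


def run_detonation(platform, vault_id: str, config: Optional[str] = None,
                   timeout: Optional[int] = None, clock=time.monotonic,
                   sleep=time.sleep) -> dict:
    """detonate file, then get report with the given timeout."""
    sid = platform.detonate_file(vault_id, config)["summary"]["submission_id"]
    report = wait_for_report(platform.get_report, sid, timeout, clock=clock, sleep=sleep)
    return {"submission_id": sid, "verdict": report["summary"].get("verdict"),
            "finished": bool(report["summary"].get("submission_finished")),
            "artifacts": report_to_artifacts(report)}


if __name__ == "__main__":
    result = run_detonation(FakePlatform(3), "vault_id_1", '{"timeout": 120}', sleep=lambda _: None)
    print(json.dumps(result, indent=2))
```

In a real playbook the `finished` flag is what decides whether to act on the verdict: a get report call with timeout 0 or an expired timeout can return a partial artifact list, so treat `finished == False` as "re-poll later" rather than as a clean result. The duplicate IP in the constructed report shows why artifacts are de-duplicated before they are written to a container.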
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
submission_id | required | The VMRay Platform submission ID | numeric | vmray submission id |
ioc_only | optional | Only import artifacts that are IOCs | boolean | |
timeout | optional | Timeout in seconds | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.submission_id | numeric | vmray submission id |
action_result.parameter.ioc_only | boolean | |
action_result.parameter.timeout | numeric | |
action_result.data.*.analysis.analysis_analyzer_id | numeric | |
action_result.data.*.analysis.analysis_analyzer_name | string | |
action_result.data.*.analysis.analysis_analyzer_version | string | |
action_result.data.*.analysis.analysis_configuration_id | numeric | |
action_result.data.*.analysis.analysis_configuration_name | string | |
action_result.data.*.analysis.analysis_created | string | |
action_result.data.*.analysis.analysis_id | numeric | vmray analysis id |
action_result.data.*.analysis.analysis_job_id | numeric | |
action_result.data.*.analysis.analysis_job_started | string | |
action_result.data.*.analysis.analysis_jobrule_id | numeric | |
action_result.data.*.analysis.analysis_jobrule_sampletype | string | |
action_result.data.*.analysis.analysis_prescript_id | numeric | |
action_result.data.*.analysis.analysis_priority | numeric | |
action_result.data.*.analysis.analysis_result_code | numeric | |
action_result.data.*.analysis.analysis_result_str | string | |
action_result.data.*.analysis.analysis_sample_id | numeric | vmray sample id |
action_result.data.*.analysis.analysis_sample_md5 | string | md5 |
action_result.data.*.analysis.analysis_sample_sha1 | string | sha1 |
action_result.data.*.analysis.analysis_sample_sha256 | string | sha256 |
action_result.data.*.analysis.analysis_verdict | string | |
action_result.data.*.analysis.analysis_size | numeric | |
action_result.data.*.analysis.analysis_snapshot_id | numeric | |
action_result.data.*.analysis.analysis_snapshot_name | string | |
action_result.data.*.analysis.analysis_submission_id | numeric | vmray submission id |
action_result.data.*.analysis.analysis_user_email | string | |
action_result.data.*.analysis.analysis_user_id | numeric | |
action_result.data.*.analysis.analysis_vm_id | numeric | |
action_result.data.*.analysis.analysis_vm_name | string | |
action_result.data.*.analysis.analysis_vmhost_id | numeric | |
action_result.data.*.analysis.analysis_vmhost_name | string | |
action_result.data.*.analysis.analysis_vti_built_in_rules_version | string | |
action_result.data.*.analysis.analysis_vti_custom_rules_hash | string | |
action_result.data.*.analysis.analysis_vti_score | numeric | |
action_result.data.*.analysis.analysis_webif_url | string | |
action_result.data.*.analysis.analysis_yara_latest_ruleset_date | string | |
action_result.data.*.analysis.analysis_yara_match_count | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_created | string | |
action_result.data.*.reputation_lookup.reputation_lookup_id | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_job_id | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_result_code | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_sample_id | numeric | vmray sample id |
action_result.data.*.reputation_lookup.reputation_lookup_sample_md5 | string | md5 |
action_result.data.*.reputation_lookup.reputation_lookup_sample_sha1 | string | sha1 |
action_result.data.*.reputation_lookup.reputation_lookup_sample_sha256 | string | sha256 |
action_result.data.*.reputation_lookup.reputation_lookup_verdict | string | |
action_result.data.*.reputation_lookup.reputation_lookup_submission_id | numeric | |
action_result.data.*.reputation_lookup.reputation_lookup_user_email | string | |
action_result.data.*.reputation_lookup.reputation_lookup_user_id | numeric | |
action_result.data.*.analysis.summary.extracted_files.*.md5_hash | string | md5 |
action_result.data.*.analysis.summary.extracted_files.*.sha1_hash | string | sha1 |
action_result.data.*.analysis.summary.extracted_files.*.sha256_hash | string | sha256 |
action_result.data.*.analysis.summary.extracted_files.*.norm_filename | string | file path |
action_result.data.*.analysis.summary.artifacts.ips.*.ip_address | string | ip |
action_result.data.*.analysis.summary.artifacts.urls.*.url | string | url |
action_result.data.*.analysis.summary.artifacts.mutexes.*.mutex_name | string | |
action_result.data.*.analysis.summary.artifacts.registry.*.reg_key_name | string | |
action_result.data.*.analysis.summary.artifacts.files.*.norm_filename | string | file path |
action_result.data.*.analysis.summary.artifacts.domains.*.domain | string | domain |
action_result.data.*.analysis.summary.artifacts.emails.*.sender | string | email |
action_result.data.*.analysis.summary.artifacts.emails.*.subject | string | |
action_result.data.*.analysis.summary.artifacts.processes.*.cmd_line | string | |
action_result.data.*.analysis.summary.mitre_attack.techniques.*.description | string | |
action_result.data.*.analysis.summary.mitre_attack.techniques.*.id | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.category_desc | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.rule_score | numeric | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.operation_desc | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.rule_classifications | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.technique_desc | string | |
action_result.data.*.analysis.summary.vti.vti_rule_matches.*.threat_names.*.name | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary.submission_id | numeric | vmray submission id |
action_result.summary.verdict | string | |
action_result.summary.url | string | |
action_result.summary.billing_type | string | |
action_result.summary.recursive_submission_ids.child_submission_ids.*.child_submission_id | numeric | vmray submission id |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get information of a specific sample
Type: investigate
Read only: True
This action gets information about a sample given its MD5, SHA1 or SHA256 hash. See get report for a description of the timeout parameter.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | The sample hash | string | hash sha256 sha1 md5 |
timeout | optional | Timeout in seconds | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.hash | string | hash md5 sha1 sha256 |
action_result.parameter.timeout | numeric | |
action_result.data.*.sample_type | string | |
action_result.data.*.sample_created | string | |
action_result.data.*.sample_filename | string | file name |
action_result.data.*.sample_filesize | numeric | |
action_result.data.*.sample_highest_vti_score | numeric | |
action_result.data.*.sample_id | numeric | vmray sample id |
action_result.data.*.sample_is_multipart | boolean | |
action_result.data.*.sample_last_md_score | numeric | |
action_result.data.*.sample_last_vt_score | numeric | |
action_result.data.*.sample_md5hash | string | md5 |
action_result.data.*.sample_priority | numeric | |
action_result.data.*.sample_score | numeric | |
action_result.data.*.sample_verdict | string | |
action_result.data.*.sample_sha1hash | string | sha1 |
action_result.data.*.sample_sha256hash | string | sha256 |
action_result.data.*.sample_url | string | url |
action_result.data.*.sample_vti_score | numeric | |
action_result.data.*.sample_webif_url | string | |
action_result.data.*.sample_classifications | string | |
action_result.data.*.sample_threat_names | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary.score | numeric | |
action_result.summary.verdict | string | |
action_result.summary.recursive_sample_ids.parent_sample_ids.*.parent_sample_id | numeric | vmray sample id |
action_result.summary.recursive_sample_ids.child_sample_ids.*.child_sample_id | numeric | vmray sample id |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |