Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

add new ReversingLabs solution v1.0.0

This commit is contained in:
Aaron Hoffman 2022-09-12 15:52:45 -04:00
Родитель ccd79bd86b
Коммит 2a963db141
11 изменённых файлов: 3738 добавлений и 2035 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

27
Solutions/ReversingLabs/Data/Solution_ReversingLabs.json
Просмотреть файл

@ -1,12 +1,23 @@
{
"Name": "ReversingLabs",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Description": "[ReversingLabs](https://www.reversinglabs.com/) provides explainable threat intelligence into malware infected files and objects, for any file, any location, and any threat.",
"Playbooks": [
"Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/azuredeploy.json"
"Author": "ReversingLabs - support@reversinglabs.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/reversinglabs.svg\" width=\"75px\" height=\"75px\">",
"Description": "The ReversingLabs solution for Microsoft Sentinel includes a number of Sentinel resources designed to automate your security operations using the power of TitaniumCloud APIs and visualize your threat intelligence capabilities using included workbooks.",
"Workbooks": [
"Workbooks\\ReversingLabs-CapabilitiesOverview\\ReversingLabs-CapabilitiesOverview.json"
],
"Analytic Rules": [],
"Playbooks": [
"Playbooks\\ReversingLabs-EnrichFilehash\\azuredeploy.json"
],
"Parsers": [],
"SavedSearches": [],
"Hunting Queries": [],
"Data Connectors": [],
"Watchlists": [],
"WatchlistDescription": [],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\ReversingLabs",
"Version": "1.0.0",
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\ReversingLabs",
"Version": "1.1.0"
}
"TemplateSpec": false
}

Двоичные данные
Solutions/ReversingLabs/Package/1.0.0.zip
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
Solutions/ReversingLabs/Package/1.1.0.zip
Просмотреть файл

Двоичный файл не отображается.

73
Solutions/ReversingLabs/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[ReversingLabs](https://www.reversinglabs.com/) provides explainable threat intelligence into malware infected files and objects, for any file, any location, and any threat.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Playbooks:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/reversinglabs.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe ReversingLabs solution for Microsoft Sentinel includes a number of Sentinel resources designed to automate your security operations using the power of TitaniumCloud APIs and visualize your threat intelligence capabilities using included workbooks.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -44,13 +44,58 @@
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "ReversingLabs",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock"
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "ReversingLabs - Capabilities Overview",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "playbooks",
"label": "Playbooks",
@ -64,7 +109,7 @@
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Microsoft Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Microsoft Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
@ -74,7 +119,7 @@
{
"name": "playbook1",
"type": "Microsoft.Common.Section",
"label": "ReversingLabsFileInfo",
"label": "ReversingLabs-EnrichFileHash",
"elements": [
{
"name": "playbook1-text",
@ -87,25 +132,13 @@
"name": "playbook1-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "ReversingLabsFileInfo",
"defaultValue": "ReversingLabs-EnrichFileHash",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook1-UserName",
"type": "Microsoft.Common.TextBox",
"label": "ReversingLabs Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to ReversingLabs API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
}
@ -113,11 +146,11 @@
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]",
"playbook1-UserName": "[steps('playbooks').playbook1.playbook1-UserName]"
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]"
}
}
}

703
Solutions/ReversingLabs/Package/mainTemplate.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

60
Solutions/ReversingLabs/Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/readme.md
Просмотреть файл

@ -1,60 +0,0 @@
# Enrich-SentinelIncident-ReversingLabs-File-Information
This playbook utilizes the ReversingLabs Intelligence connector to automatically enrich incident comments section with file information.
Learn more about the integration via the [connector documentation](https://docs.microsoft.com/connectors/reversinglabsintelligence/).
In order to successfully run this playbook you will need a valid ReversingLabs TitaniumCloud subscription with the XREF(Historic Multi-AV Scan Records), File Reputation and File Hash Analysis Detail APIs enabled. You can obtain your subscription at support@reversinglabs.com.
Playbook extracts hashes (SHA-1, SHA-256 or MD5) by utilizing Azure Sentinel-recognized entity FileHashCustomEntity. In your custom rule, map your hash field to this entity:
```
YourLog_CL
| extend FileHashCustomEntity = <your_hash_field>
```
Sample comment output:
```
ReversingLabs Multi-AV Scan Records:
ahnlab_online : antivir : detectedavast : Win32:Malware-genbitdefender : carbonblack_online : clamav : PUA.Win.Packer.Exe-6crowdstrike : crowdstrike_online : drweb : Trojan.DownLoader33.21319ensilo_online : esetnod32 : f_prot : fireeye_online : fortinet : gdata : ikarus : invincea_online : k7computing : kaspersky_online : mcafee_online : Artemis!08490DB63F89 (trojan)microsoft_online : panda_online : quickheal : rising_online : Trojan.MalCert!1.C446sentinelone_online : sophos_online : sunbelt : symantec_beta : trendmicro_consumer : vba32 : Trojan.Downloaderwatchguard_online :
ReversingLabs File Hash Details:
This file (SHA1: db2363303dfa061ae92c8e2c114277174c5f5e38) is a 32-bit portable executable application. Additionally, it was identified as InnoSetup installer, and unpacking was successful. The application uses the Windows graphical user interface (GUI) subsystem, while the languages used are Dutch from Netherlands and English from United States. According to version information, this is CoronaVirus Status [Plugin for Google Chrome] from CENTR MBR LLC. Appended data was detected at the file's end. Its length is greater than the size of the image. Cryptography related data was found in the file. This application has access to device configuration, monitoring, networking and running processes and has security related capabilities. The application is digitally signed, and its certificate is valid. There are 874 extracted files.
Sha1: db2363303dfa061ae92c8e2c114277174c5f5e38
Sd5: 08490db63f89b78bdfbc3dd3ae17c706
Sha256: 33cc2944588599a4c70215483e3a59c957c6e7be091a230f9ab9297d12f00933
Sha384: deb41647a35986dff1b82faf8f957a7ab78b98109ca3c7bdb67dd27ec42a9cd26d6f4e5a26e63b716703bd497db70032
Sha512: b015c0ff6efc24a35b954021d8fdb9ab3b7d69cb1314b629607aae197642ab3999a5aa32388708586058ade19d91ec558e6170e42f92c46cafceed54a829dd0e
Sample size: 11135784KB
ReversingLabs File Hash Reputation:
File name: Win32.Trojan.Generic
File status: MALICIOUS
Reason: analyst_sample_override
Scanner count: 31
Scanner percent: 22.5806446075439
Scanner match: 7
First seen: 2020-04-03T06:41:18
Last seen: 2021-02-07T09:45:35
Threat level: 5
Trust factor: 5
```

24
Solutions/ReversingLabs/Playbooks/ReversingLabs-EnrichFileHash/README.md Normal file
Просмотреть файл

@ -0,0 +1,24 @@
# ReversingLabs-EnrichFileHash
Author: Aaron Hoffmann (ReversingLabs)
This playbook enriches file hash entities with information from the ReversingLabs TitaniumCloud API.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/)
## Prerequisites
You'll need the following:
* A ReversingLabs TitaniumCloud subscription
* A ReversingLabs TitaniumCloud username
* A ReversingLabs TitaniumCloud password
## Post-deployment
After deploying the template, you'll want to update the playbook connections with your TitaniumCloud API username and password.
## Screenshots
![Playbook overview](./playbook.jpg)

665
Solutions/ReversingLabs/Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/azuredeploy.json → Solutions/ReversingLabs/Playbooks/ReversingLabs-EnrichFileHash/azuredeploy.json
Просмотреть файл

@ -1,19 +1,32 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "ReversingLabs-EnrichFileHash",
"description": "This playbook will enrich a Sentinel Incident with file hash information from ReversingLabs TitaniumCloud. A comment will be added to the incident with details about the file.",
"prerequisites": [
"ReversingLabs TitaniumCloud license",
"ReversingLabs TitaniumCloud username and password"
],
"lastUpdateTime": "2022-08-08T10:00:00.000Z",
"entities": ["FileHash"],
"tags": ["Enrichment"],
"author": {
"name": "Aaron Hoffmann"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "ReversingLabsFileInfo",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
"defaultValue": "ReversingLabs-EnrichFileHash",
"type": "string",
"metadata": {
"description": "Name of the playbook (Logic Apps resources) which will be created"
}
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"ConnectorConnectionName": "[concat('connector-', parameters('PlaybookName'))]"
"ReversingLabsConnectionName": "[concat('reversinglabs-', parameters('PlaybookName'))]"
},
"resources": [
{
@ -22,7 +35,6 @@
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
@ -32,13 +44,13 @@
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('ConnectorConnectionName')]",
"name": "[variables('ReversingLabsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"displayName": "[variables('ReversingLabsConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabsintelligence')]"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
@ -47,9 +59,9 @@
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"dependson": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('ConnectorConnectionName'))]"
"[resourceId('Microsoft.Web/connections', variables('ReversingLabsConnectionName'))]"
],
"properties": {
"state": "Enabled",
@ -63,7 +75,7 @@
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
@ -74,33 +86,16 @@
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
"path": "/incident-creation"
}
}
},
"actions": {
"Alert_-_Get_incident": {
"Entities_-_Get_FileHashes": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
}
},
"Entities_-_Get_FileHashes": {
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
@ -110,20 +105,20 @@
"path": "/entities/filehash"
}
},
"For_each_-_File_Reputation": {
"For_each_-_File_hash_reputation": {
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
"actions": {
"Add_comment_to_incident_(V3)_-_file_reputation": {
"Add_comment_to_incident_(V3)": {
"runAfter": {
"Parse_JSON_-_file_reputation": [
"Set_comment_logo": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p><strong>ReversingLabs File Hash Reputation:</strong><br>\n<strong>File name:</strong> @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['threat_name']}<br>\n<strong>File status: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['status']}<br>\n<strong>Reason: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['reason']}<br>\n<strong>Scanner count:</strong> @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['scanner_count']}<br>\n<strong>Scanner percent:</strong> @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['scanner_percent']}<br>\n<strong>Scanner match: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['scanner_match']}<br>\n<strong>First seen: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['first_seen']}<br>\n<strong>Last seen: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['last_seen']}<br>\n<strong>Threat level: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['threat_level']}<br>\n<strong>Trust factor:</strong> @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['trust_factor']}</p>"
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><span style=\"font-size: 16px\"><strong></strong></span><span style=\"font-size: 16px\"><strong>@{outputs('Set_comment_logo')}</strong></span><span style=\"font-size: 16px\"><strong>ReversingLabs - Enrich File Hash</strong></span><span style=\"font-size: 16px\"><strong>@{variables('results_comment')}</strong></span><span style=\"font-size: 16px\"><strong></strong></span></p>"
},
"host": {
"connection": {
@ -134,142 +129,83 @@
"path": "/Incidents/Comment"
}
},
"Get_File_Hash_Reputation": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"headers": {
"User-Agent": "SentinelPartner-ReversingLabs-ReversingLabs Intelligence/v1.0.0"
},
"host": {
"connection": {
"name": "@parameters('$connections')['reversinglabsintelligence']['connectionId']"
}
},
"method": "get",
"path": "/api/databrowser/malware_presence/query/@{encodeURIComponent(items('For_each_-_File_Reputation')?['Algorithm'])}/@{encodeURIComponent(items('For_each_-_File_Reputation')?['Value'])}",
"queries": {
"extended": true,
"format": "json",
"show_hashes": true
}
}
},
"Parse_JSON_-_file_reputation": {
"Clear_analysis_story_variable": {
"runAfter": {
"Get_File_Hash_Reputation": [
"Parse_hash_reputation_JSON": [
"Succeeded"
]
},
"type": "ParseJson",
"type": "SetVariable",
"inputs": {
"content": "@body('Get_File_Hash_Reputation')",
"schema": {
"properties": {
"rl": {
"properties": {
"malware_presence": {
"properties": {
"classification": {
"properties": {
"family_name": {
"type": "string"
},
"is_generic": {
"type": "boolean"
},
"platform": {
"type": "string"
},
"type": {
"type": "string"
}
},
"type": "object"
},
"first_seen": {
"type": "string"
},
"last_seen": {
"type": "string"
},
"query_hash": {
"properties": {
"sha1": {
"type": "string"
}
},
"type": "object"
},
"reason": {
"type": "string"
},
"scanner_count": {
"type": "integer"
},
"scanner_match": {
"type": "integer"
},
"scanner_percent": {
"type": "number"
},
"status": {
"type": "string"
},
"threat_level": {
"type": "integer"
},
"threat_name": {
"type": "string"
},
"trust_factor": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
}
"name": "analysis_story",
"value": " "
}
},
"Clear_results_body_variable": {
"runAfter": {
"Initialize_variable": [
"Clear_analysis_story_variable": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_hash_-_Details": {
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
"actions": {
"For_each_-_entry": {
"foreach": "@body('Parse_JSON_-_details')?['rl']?['sample']?['analysis']?['entries']",
"actions": {
"Add_comment_to_incident_(V3)_-_details": {
"runAfter": {},
"type": "ApiConnection",
"type": "SetVariable",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p><strong>ReversingLabs File Hash Details:</strong><br>\n@{items('For_each_-_entry')?['tc_report']?['story']}<br>\n<strong>Sha1: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['sha1']}<br>\n<strong>Sd5: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['md5']}<br>\n<strong>Sha256: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['sha256']}<br>\n<strong>Sha384: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['sha384']}<br>\n<strong>Sha512: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['sha512']}<br>\n<strong>Sample size: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['sample_size']}KB</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "results_body",
"value": " "
}
},
"method": "post",
"path": "/Incidents/Comment"
"Close_results_table": {
"runAfter": {
"Condition_If_Hash_Unknown": [
"Succeeded"
]
},
"type": "AppendToStringVariable",
"inputs": {
"name": "results_comment",
"value": "@{variables('results_body')}</table>"
}
},
"Condition_If_Hash_Unknown": {
"actions": {
"Append_to_string_variable_unknown": {
"runAfter": {
"Compose_unknown_reputation": [
"Succeeded"
]
},
"type": "AppendToStringVariable",
"inputs": {
"name": "results_body",
"value": "@outputs('Compose_unknown_reputation')"
}
},
"Compose_unknown_reputation": {
"runAfter": {},
"type": "Compose",
"inputs": "<tr>\n <td style=\"font-weight: bold;\">Hash (@{items('For_each_-_File_hash_reputation')?['Algorithm']})</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['query_hash']?['sha256']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Status</td>\n <td style=\"background-color: grey; font-weight: bold; color: white\">@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['status']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Status Description</td>\n <td>The sample has not received a classification. It does not exist in the file reputation database, or there is no information on whether it is malicious or not.</td>\n</tr>"
}
},
"runAfter": {
"Set_variable": [
"Succeeded"
]
},
"else": {
"actions": {
"For_each_Analysis_story": {
"foreach": "@body('Parse_JSON_file_hash_analysis')?['rl']?['sample']?['analysis']?['entries']",
"actions": {
"Append_to_string_variable": {
"runAfter": {},
"type": "AppendToStringVariable",
"inputs": {
"name": "analysis_story",
"value": "@items('For_each_Analysis_story')?['tc_report']?['story']"
}
}
},
"runAfter": {
"Parse_JSON_-_details": [
"Parse_JSON_file_hash_analysis": [
"Succeeded"
]
},
@ -280,7 +216,7 @@
"type": "ApiConnection",
"inputs": {
"headers": {
"User-Agent": "SentinelPartner-ReversingLabs-ReversingLabs Intelligence/v1.0.0"
"User-Agent": "ReversingLabs Azure Connector TiCloud v1.0.0"
},
"host": {
"connection": {
@ -288,15 +224,15 @@
}
},
"method": "get",
"path": "/api/databrowser/rldata/query/@{encodeURIComponent(items('For_each_hash_-_Details')?['Algorithm'])}/@{encodeURIComponent(items('For_each_hash_-_Details')?['Value'])}",
"path": "/api/databrowser/rldata/query/@{encodeURIComponent(toLower(string(items('For_each_-_File_hash_reputation')?['Algorithm'])))}/@{encodeURIComponent(items('For_each_-_File_hash_reputation')?['Value'])}",
"queries": {
"format": "json"
}
}
},
"Parse_JSON_-_details": {
"Parse_JSON_file_hash_analysis": {
"runAfter": {
"Get_File_Hash_Analysis_Detail": [
"Switch_-_reason": [
"Succeeded"
]
},
@ -949,71 +885,186 @@
"type": "object"
}
}
}
},
"Switch_-_reason": {
"runAfter": {
"Initialize_variable": [
"Get_File_Hash_Analysis_Detail": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_hash_-_Multi-AV": {
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
"cases": {
"Case": {
"case": "best_source",
"actions": {
"Add_comment_to_incident_(V3)": {
"runAfter": {
"For_each_-_xref": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p><strong>ReversingLabs Multi-AV Scan Records:<br>\n</strong>@{variables('Scanner results')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"For_each_-_xref": {
"foreach": "@body('Parse_JSON_-_multi-AV_scan')?['rl']?['sample']?['xref']",
"actions": {
"For_each_-_result": {
"foreach": "@items('For_each_-_xref')?['results']",
"actions": {
"Append_to_string_variable": {
"Set_variable_2": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "classification_reason",
"value": "the sample can be obtained from a trusted source, or it was unpacked from a file originating from a trusted source"
}
}
}
},
"Case_2": {
"case": "antivirus",
"actions": {
"Set_variable_3": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "classification_reason",
"value": "the sample was classified by the ReversingLabs multi-scan algorithm based on aggregated antivirus scan results"
}
}
}
},
"Case_3": {
"case": "best_certificate",
"actions": {
"Set_variable_4": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "classification_reason",
"value": "the sample or its container are signed with a valid and trusted certificate"
}
}
}
},
"Case_4": {
"case": "analyst_sample_override",
"actions": {
"Set_variable_5": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "classification_reason",
"value": "the sample was classified manually after an analysis"
}
}
}
},
"Case_5": {
"case": "TC_certificate",
"actions": {
"Set_variable_6": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "classification_reason",
"value": "the sample is signed with a recognized whitelisted certificate"
}
}
}
}
},
"default": {
"actions": {}
},
"expression": "@body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['reason']",
"type": "Switch"
},
"Switch_-_status": {
"runAfter": {
"For_each_Analysis_story": [
"Succeeded"
]
},
"cases": {
"Case": {
"case": "MALICIOUS",
"actions": {
"Append_to_string_variable_malicious": {
"runAfter": {
"Compose_malicious_reputation": [
"Succeeded"
]
},
"type": "AppendToStringVariable",
"inputs": {
"name": "Scanner results",
"value": "@{items('For_each_-_result')?['scanner']} : @{items('For_each_-_result')?['result']}"
}
"name": "results_body",
"value": "@outputs('Compose_malicious_reputation')"
}
},
"Compose_malicious_reputation": {
"runAfter": {},
"type": "Foreach"
"type": "Compose",
"inputs": "<tr>\n <td style=\"font-weight: bold;\">Hash (@{items('For_each_-_File_hash_reputation')?['Algorithm']})</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['query_hash']?['sha256']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Status</td>\n <td style=\"background-color: red; font-weight: bold; color: white\">@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['status']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Status Description</td>\n <td>The sample was classified as malicious by ReversingLabs proprietary algorithms. This classification is reserved for high-accuracy heuristics and named threats, such as Emotet, Dridex and WannaCry. Threat severity is expressed through the threat level value on a scale of 1-5. The higher the value, the more severe the threat.</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Threat Name</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['threat_name']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Threat Level</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['threat_level']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Reason</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['reason']} - @{variables('classification_reason')}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">File Details</td>\n <td>@{variables('analysis_story')}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Scanner Detection</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['scanner_match']} of @{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['scanner_count']} scanners detected this file</td>\n</tr>"
}
}
},
"Case_2": {
"case": "KNOWN",
"actions": {
"Append_to_string_variable_known": {
"runAfter": {
"Parse_JSON_-_multi-AV_scan": [
"Compose_known_reputation": [
"Succeeded"
]
},
"type": "Foreach"
"type": "AppendToStringVariable",
"inputs": {
"name": "results_body",
"value": "@outputs('Compose_known_reputation')"
}
},
"Get_Historic_Multi-AV_Scan_Records": {
"Compose_known_reputation": {
"runAfter": {},
"type": "Compose",
"inputs": "<tr>\n <td style=\"font-weight: bold;\">Hash (@{items('For_each_-_File_hash_reputation')?['Algorithm']})</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['query_hash']?['sha256']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Status</td>\n <td style=\"background-color: green; font-weight: bold; color: white\">@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['status']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Status Description</td>\n <td>The sample is presumed to be benign by ReversingLabs. The sample does not have any AV detections from trustworthy sources and it does not match any of our internal threat signatures. We recommend checking the trust factor of the sample. A low trust factor (4 or 5 on a scale of 0 to 5, with 0 being highest trust) indicates the source is not trusted. On the other hand, samples with high trust factor values (0, 1, or 2) come from prominent software vendors.</td>\n<tr>\n <td style=\"font-weight: bold;\">Trust Factor</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['trust_factor']}</td>\n</tr>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Reason</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['reason']} - @{variables('classification_reason')}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Details</td>\n <td>@{variables('analysis_story')}</td>\n</tr>"
}
}
},
"Case_3": {
"case": "SUSPICIOUS",
"actions": {
"Append_to_string_variable_suspicious": {
"runAfter": {
"Compose_suspicious_reputation": [
"Succeeded"
]
},
"type": "AppendToStringVariable",
"inputs": {
"name": "results_body",
"value": "@outputs('Compose_suspicious_reputation')"
}
},
"Compose_suspicious_reputation": {
"runAfter": {},
"type": "Compose",
"inputs": "<tr>\n <td style=\"font-weight: bold;\">Hash (@{items('For_each_-_File_hash_reputation')?['Algorithm']})</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['query_hash']?['sha256']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Status</td>\n <td style=\"background-color: orange; font-weight: bold; color: black\">@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['status']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Status Description</td>\n <td>The sample is considered suspicious based on ReversingLabs classification algorithms multi-level analysis. This file may be declared malicious or known at a later time when more reliable heuristics start detecting the file, when a threat specific signature is written, or any new information is received that changes its threat profile.</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Threat Name</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['threat_name']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Threat Level</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['threat_level']}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Reason</td>\n <td>@{body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['reason']} - @{variables('classification_reason')}</td>\n</tr>\n<tr>\n <td style=\"font-weight: bold;\">Details</td>\n <td>@{variables('analysis_story')}</td>\n</tr>"
}
}
}
},
"default": {
"actions": {}
},
"expression": "@body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['status']",
"type": "Switch"
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Parse_hash_reputation_JSON')?['rl']?['malware_presence']?['status']",
"UNKNOWN"
]
}
]
},
"type": "If"
},
"Get_File_Hash_Reputation": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"headers": {
"User-Agent": "SentinelPartner-ReversingLabs-ReversingLabs Intelligence/v1.0.0"
"User-Agent": "ReversingLabs Azure Connector TiCloud v1.0.0"
},
"host": {
"connection": {
@ -1021,89 +1072,61 @@
}
},
"method": "get",
"path": "/api/xref/v2/query/@{encodeURIComponent(items('For_each_hash_-_Multi-AV')?['Algorithm'])}/@{encodeURIComponent(items('For_each_hash_-_Multi-AV')?['Value'])}",
"path": "/api/databrowser/malware_presence/query/@{encodeURIComponent(toLower(string(items('For_each_-_File_hash_reputation')?['Algorithm'])))}/@{encodeURIComponent(items('For_each_-_File_hash_reputation')?['Value'])}",
"queries": {
"extended": true,
"format": "json",
"history": false
"show_hashes": true
}
}
},
"Parse_JSON_-_multi-AV_scan": {
"Parse_hash_reputation_JSON": {
"runAfter": {
"Get_Historic_Multi-AV_Scan_Records": [
"Get_File_Hash_Reputation": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Get_Historic_Multi-AV_Scan_Records')",
"content": "@body('Get_File_Hash_Reputation')",
"schema": {
"properties": {
"rl": {
"properties": {
"sample": {
"malware_presence": {
"properties": {
"first_scanned_on": {
"classification": {
"properties": {
"family_name": {
"type": "string"
},
"first_seen_on": {
"type": "string"
},
"last_scanned_on": {
"type": "string"
},
"last_seen_on": {
"type": "string"
},
"md5": {
"type": "string"
},
"ripemd160": {
"type": "string"
},
"sample_size": {
"type": "integer"
},
"sample_type": {
"type": "string"
},
"sha1": {
"type": "string"
},
"sha256": {
"type": "string"
},
"sha384": {
"type": "string"
},
"sha512": {
"type": "string"
},
"single_scan": {
"is_generic": {
"type": "boolean"
},
"xref": {
"items": {
"properties": {
"results": {
"items": {
"properties": {
"result": {
"platform": {
"type": "string"
},
"scanner": {
"type": {
"type": "string"
}
},
"required": [
"scanner",
"result"
],
"type": "object"
},
"type": "array"
"first_seen": {
"type": "string"
},
"scanned_on": {
"last_seen": {
"type": "string"
},
"query_hash": {
"properties": {
"sha256": {
"type": "string"
}
},
"type": "object"
},
"reason": {
"type": "string"
},
"scanner_count": {
@ -1112,39 +1135,20 @@
"scanner_match": {
"type": "integer"
},
"scanners": {
"items": {
"properties": {
"name": {
"scanner_percent": {
"type": "number"
},
"status": {
"type": "string"
},
"timestamp": {
"threat_level": {
"type": "integer"
},
"threat_name": {
"type": "string"
},
"version": {
"type": "string"
}
},
"required": [
"timestamp",
"version",
"name"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"scanner_match",
"scanner_count",
"scanners",
"scanned_on",
"results"
],
"type": "object"
},
"type": "array"
"trust_factor": {
"type": "integer"
}
},
"type": "object"
@ -1156,16 +1160,74 @@
"type": "object"
}
}
},
"Set_comment_logo": {
"runAfter": {
"Close_results_table": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<svg x=\"0px\" y=\"0px\"\n\t viewBox=\"50 150 7041.9 295.3\" style=\"enable-background:new 50 150 7041.9 295.3; \" xml:space=\"preserve\">\n<g>\n\t<g>\n\t\t<path class=\"st0\" style=\"fill:#F6143F\" d=\"M279.3,303.1h-30.8l-27.9,92.2H173v-92.2h-20.6v109.6h84l9.7-30.7h35.2l9.4,30.7h22.5L279.3,303.1z M250,365\n\t\t\tl9.3-30.2c1.6-5.5,2.7-11.4,3.8-17.3h1.3c1,5.9,2.2,11.8,3.8,17.3l9.1,30.2H250z\"/>\n\t\t<path class=\"st0\" style=\"fill:#F6143F\" d=\"M349.8,413.5c-12.5,0-17.8-0.3-31.7-0.9V303.1c14.5-0.6,19.8-0.9,32.3-0.9c29.3,0,47.5,5.2,47.5,29.8v1.3\n\t\t\tc0,9.4-4.1,18.6-13.9,23c10.3,4.3,14.5,13.7,14.5,23.1v1.5C398.5,408.3,378.1,413.5,349.8,413.5 M377.8,332.7\n\t\t\tc0-12.5-9.9-13.6-27.4-13.6h-12.2v29.7h18.6c17,0,21.1-5.6,21.1-14.7V332.7z M378.3,379.3c-0.1-9.6-4.6-15.6-21.4-15.6h-18.7v32.9\n\t\t\th5.6c22.4,0,34.5-0.1,34.5-15.6V379.3z\"/>\n\t\t<path class=\"st0\" style=\"fill:#F6143F\" d=\"M446,415c-14.3,0-29.1-1.9-34.5-3.4v-15.8c9,0.9,19.2,1.8,32.9,1.8c13.3,0,19.6-3.7,19.6-13.6\n\t\t\tc0-7.1-2.8-11.1-13.7-15.6l-16.5-6.8c-16.2-6.6-24.9-15.9-24.9-31.9c0-21.2,13.3-28.9,39.2-28.9c13.8,0,26.8,2.2,32,3.5V320\n\t\t\tc-8.4-0.7-19.6-1.9-31.1-1.9c-12.8,0-19.8,2.2-19.8,11.1c0,6.6,3.1,10,14,14.5l14.9,6.1c19.2,7.8,26.8,15.6,26.8,34.2\n\t\t\tC484.9,403.8,470.6,415,446,415\"/>\n\t</g>\n\t<g>\n\t\t<path class=\"st1\" style=\"fill:#231F20\" d=\"M52.9,292.1l25.8-44.7c-11.7-5-18.9-13.7-18.9-30.4v-1c0-28.9,21.8-34.2,48.2-34.2c11.1,0,21,0.3,30.7,0.7\n\t\t\tv109.6h-20.1v-40.4h-10.2c-3.4,0-6.6,0-9.6-0.1l-24.2,40.6H52.9z M80,217.2c0,14.2,8.4,18.1,27.3,18.1c3.8,0,7.5,0,11.4-0.2v-36\n\t\t\tc-26.8,0-38.6,0.2-38.6,17.1V217.2z\"/>\n\t\t<path class=\"st1\" style=\"fill:#231F20\" d=\"M291.5,182.5l-22.6,75.9c-1.9,6.4-3.2,13.7-4.4,19.6h-0.3c-1.5-5.8-2.5-13.3-4.4-19.6l-22.6-75.9h-84.9v109.6\n\t\t\th69.8v-16.9H173V244h46v-16.5h-46v-27.9h48.1l27.9,92.5h30.1l33.2-109.6H291.5z\"/>\n\t\t<polygon class=\"st1\" style=\"fill:#231F20\" points=\"318,292.1 318,182.5 387.7,182.5 387.7,199.6 338.6,199.6 338.6,227.5 384.6,227.5 384.6,244 \n\t\t\t338.6,244 338.6,275.1 387.7,275.1 387.7,292.1 \t\t\"/>\n\t\t<path class=\"st1\" style=\"fill:#231F20\" d=\"M463.7,292.1l-24.2-40.5c-2.9,0.1-6.2,0.1-9.6,0.1h-10.2v40.4h-20.1V182.5c9.7-0.4,19.6-0.7,30.7-0.7\n\t\t\tc26.4,0,48.2,5.3,48.2,34.2v1c0,16.7-7.2,25.4-18.9,30.4l25.8,44.7H463.7z M458.4,216.3c0-17-11.8-17.1-38.6-17.1v36\n\t\t\tc3.8,0.2,7.5,0.2,11.4,0.2c18.9,0,27.3-4,27.3-18.1V216.3z\"/>\n\t\t<path class=\"st1\" style=\"fill:#231F20\" d=\"M525.1,294.5c-14.3,0-29.1-1.9-34.5-3.4v-15.8c9,0.9,19.2,1.8,32.9,1.8c13.3,0,19.6-3.7,19.6-13.6\n\t\t\tc0-7.1-2.8-11.1-13.7-15.6l-16.5-6.8c-16.2-6.6-24.9-15.9-24.9-31.9c0-21.2,13.3-28.9,39.2-28.9c13.9,0,26.8,2.2,32,3.5v15.6\n\t\t\tc-8.4-0.7-19.6-1.9-31.1-1.9c-12.8,0-19.8,2.2-19.8,11.1c0,6.6,3.1,10,14,14.5l14.9,6c19.2,7.8,26.8,15.6,26.8,34.2\n\t\t\tC564,283.2,549.7,294.5,525.1,294.5\"/>\n\t\t<rect x=\"573\" y=\"182.5\" class=\"st1\" style=\"fill:#231F20\" width=\"20.6\" height=\"109.6\"/>\n\t\t<path class=\"st1\" style=\"fill:#231F20\" d=\"M671.5,292.1l-35.1-65c-2.7-5-5.8-10.9-8.3-16.4h-0.3c0.3,6.2,0.6,13,0.6,19.6v61.8h-18.9V182.5h23.9l35,63.7\n\t\t\tc2.6,5,6,11.4,8.4,16.7h0.3c-0.5-6.5-0.6-14.2-0.6-20.8v-59.6h19v109.6H671.5z\"/>\n\t\t<path class=\"st1\" style=\"fill:#231F20\" d=\"M753.2,294.5c-25.1,0-45.9-9.7-45.9-49.4v-15.5c0-41.9,23.6-49.3,46.3-49.3c16.1,0,31.9,2.7,35.2,3.7v15.8\n\t\t\tc-7.1-0.6-24.2-1.5-31.7-1.5c-17.8,0-29.3,4-29.3,31.3V245c0,25.1,9.1,31.4,26.8,31.4c5.5,0,10.9-0.2,14.7-0.4v-26.6l-8.4,0v-15.7\n\t\t\th28v57.4C783,292.4,769,294.5,753.2,294.5\"/>\n\t</g>\n</g>\n</svg>\n"
},
"Set_variable": {
"runAfter": {
"Clear_results_body_variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "results_comment",
"value": "<table>\n <tr>"
}
}
},
"runAfter": {
"Initialize_classification_reason": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Initialize_analysis_story": {
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Foreach"
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "analysis_story",
"type": "string"
}
]
}
},
"Initialize_variable": {
"Initialize_classification_reason": {
"runAfter": {
"Initialize_analysis_story": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "classification_reason",
"type": "string"
}
]
}
},
"Initialize_results_table": {
"runAfter": {
"Entities_-_Get_FileHashes": [
"Succeeded"
@ -1175,7 +1237,24 @@
"inputs": {
"variables": [
{
"name": "Scanner results",
"name": "results_comment",
"type": "string",
"value": "<table>\n <tr>"
}
]
}
},
"Initialize_variable": {
"runAfter": {
"Initialize_results_table": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "results_body",
"type": "string"
}
]
@ -1189,12 +1268,12 @@
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"connectionName": "azuresentinel",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"reversinglabsintelligence": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('ConnectorConnectionName'))]",
"connectionName": "[variables('ConnectorConnectionName')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('ReversingLabsConnectionName'))]",
"connectionName": "reversinglabsintelligence",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabsintelligence')]"
}
}

Двоичные данные
Solutions/ReversingLabs/Playbooks/ReversingLabs-EnrichFileHash/playbook.jpg Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 105 KiB

6
Solutions/ReversingLabs/SolutionMetadata.json
Просмотреть файл

@ -1,7 +1,8 @@
{
"publisherId": "reversinglabs1597673283347",
"offerId": "reversinglabsticloudenrichment",
"firstPublishDate": "2021-10-20",
"offerId": "rl_offer_content_hub_aoae",
"firstPublishDate": "2022-09-12",
"lastPublishDate": "2022-09-12",
"providers": ["ReversingLabs"],
"categories": {
"domains" : ["Security - Threat Intelligence"],
@ -10,6 +11,7 @@
"support": {
"name": "ReversingLabs",
"tier": "Partner",
"email": "support@reversinglabs.com",
"link": "https://support.reversinglabs.com/hc/en-us"
}
}

1523
Solutions/ReversingLabs/Workbooks/ReversingLabs-CapabilitiesOverview/ReversingLabs-CapabilitiesOverview.json Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны