Installing and Configuring the ReversingLabs A1000 Content Pack

Installing the ReversingLabs A1000 Content Pack

Follow the steps in this section to install the ReversingLabs^® A1000 Content Pack through TC Exchange™ in ThreatConnect^®.

1. Log into ThreatConnect with a System Administrator account.
2. On the top navigation bar, hover over Settingsand select TC Exchange Settings. The Installed tab of the TC Exchange Settings screen will be displayed.
3. Click the Catalog tab. The Catalog screen will be displayed.
4. Select Content Packs from the dropdown to the left of the search bar to display all Content Packs in the TC Exchange catalog (Figure 1).
   

    

5. Click Installin the Options column for the ReversingLabs A1000 Content Pack. A drawer showing all items in the Content Pack will be displayed, including a description of the Content Pack, a list of all items (i.e., Apps, Artifact types, Attribute Types, Playbooks, and Workflows) that the Content Pack contains, and an indication of whether each item is already installed on your ThreatConnect instance.
6. Click the + Install button at the top of the drawer to install the Content Pack and any items it contains that are not already installed or created on your ThreatConnect instance.

After the Content Pack is installed, the following items will be installed at the System level in TC Exchange (new Apps, Playbook Templates, and Workflow Templates) or created at the System level (new Attribute types and Artifact Types) on your ThreatConnect instance if they do not already exist there:

Playbook Apps:

• Array Operations
• DataStore
• HTTP Client
• JMESPath
• JSON Operations
• Python^® Regex Operations
• Set Variable
• String Operations
• ThreatConnect Associations
• ThreatConnect Create Groups
• ThreatConnect Get Groups
• ThreatConnect Get Indicators

Playbook Templates:

• ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1
• ReversingLabs A1000 Content Pack - Download URL Reports R1
• ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1
• ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1
• ReversingLabs A1000 Content Pack - Download Hash Reports R1

Configuring the ReversingLabs A1000 Content Pack

The ReversingLabs A1000 Content Pack leverages five Playbooks to accomplish its use cases. Follow these instructions to import the Playbook Templates as Playbooks.

1. On the top navigation bar, hover over Playbooks and select Templates. The Templates screen will be displayed.
2. Enter “reversinglabs” (without the quotation marks) in the search bar. The five Playbook Templates in Figure 2 will be displayed.
   

    

3. For each Playbook Template, click the vertical ellipsison the right side of the row and select Import as Playbook from the dropdown. The Import Playbook drawer will be displayed (Figure 3).
   

    

   • RL A1000 PASSWORD: Enter the ReversingLabs A1000 password used for authentication.
   • RL A1000 URL: Enter the base URL for your ReversingLabs A1000 instance (e.g., https://a1000-companyabc.reversinglabs.com).
     Important

     When entering the base URL, do not enter any trailing slashes. Entering those characters or any other text that provides an incorrect base URL will result in a 404 error when you try to run Playbooks that call this variable.
   • RL A1000 USERNAME: Enter the ReversingLabs A1000 username used for authentication.
   • Click the IMPORT button.
     Note

     Once you enter these variables during the first Playbook’s import, you will not be prompted to enter them for subsequent imports, as all five Playbooks use the same variables. Each variable will be saved in your Organization and can be edited on the Variables tab of the Organization Settings screen if necessary. See the “Variables” section of ThreatConnect Organization Administration Guide for more information.
4. Repeat this process for each of the remaining Playbook Templates.

Updating the ReversingLabs A1000 Content Pack

When an update for the ReversingLabs A1000 Content Pack is available in TC Exchange, follow these steps to ensure that all items provided by the Content Pack are updated on your ThreatConnect instance:

1. Click Updatein the Options column for the ReversingLabs A1000 Content Pack on the Installed tab of the TC Exchange Settings screen.
2. After the Content Pack has updated successfully, navigate to the Playbooks screen, search for “reversinglabs” (without the quotation marks), and delete all five Playbooks provided by the previous version of the Content Pack:
   • ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1
   • ReversingLabs A1000 Content Pack - Download URL Reports R1
   • ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1
   • ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1
   • ReversingLabs A1000 Content Pack - Download Hash Reports R1
3. Reimport all five Playbook Templates as described in the “Configuring the ReversingLabs A1000 Content Pack” section. You will not be prompted to enter any of the variables, as they will already have been saved as Organization-level variables when you imported the Playbook Templates during the initial installation of the Content Pack.

Troubleshooting Frequently Asked Questions (FAQ)

Why didn’t the five ReversingLabs Playbooks update after I updated the ReversingLabs A1000 Content Pack?

When you update the Content Pack on the TC Exchange Settings screen, the five Playbook Templates will be updated. However, updates to Playbook Templates do not apply to Playbooks that were previously imported from the Templates. As such, in order to add the updated Playbooks in your Organization, you must import them from the updated Templates. The Playbooks themselves will not update when the Content Pack is updated.

Why do I now have 10 Playbooks from the ReversingLabs A1000 Content Pack in my Organization?

If you have a duplicate copy of each of the five Playbooks, but with a “1” at the end of the name (e.g., ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1 1), then you did not delete the existing Playbooks before importing them from the updated Playbook Templates. If the Playbooks exist in your Organization when you import from the updated Templates, then the newly imported versions will not replace the existing versions, but rather be imported as a new version, with a “1” at the end of their name to distinguish them from the existing version.

I ran one of the Playbooks from the ReversingLabs A1000 Content Pack from an Indicator’s Details screen, but the operation timed out. When I checked my browser’s console feedback, I saw 404 errors. Why did this happen?

You may have included unnecessary text (e.g., a trailing slash) when entering the RL A1000 URL variable during the first Playbook Template import. To resolve this issue, navigate to the Variables tab of the Organization Settings screen, edit the RL A1000 URL variable to remove the unnecessary text and ensure that the correct base URL is entered, and then save the edited variable.

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Python^® is a registered trademark of Python Software Foundation.
ReversingLabs^® is a registered trademark of ReversingLabs International GmbH.

20158-02 v.01.A