ReversingLabs A1000 Content Pack Use Cases
  • 22 Sep 2023


Article Summary

The ReversingLabs® A1000 Content Pack in ThreatConnect® supports the following use cases:

  • Using the ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1 Playbook to submit a malware file attached to a Document Group in ThreatConnect to ReversingLabs A1000 for analysis and retrieve a PDF report of the analysis results.
  • Using the ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1 Playbook to submit a URL Indicator in ThreatConnect to ReversingLabs A1000 for analysis and retrieve JSON and PDF reports of the analysis results.
  • Using the ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1 Playbook to submit a File Indicator to ReversingLabs A1000 to search for a malware sample with a matching file hash and retrieve a PDF report of the analysis results for that sample.

Submitting a Malware File to ReversingLabs A1000 for Analysis and Retrieving an Analysis Report

The ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1 Playbook allows you to submit a malware file attached to a Document Group in ThreatConnect to ReversingLabs A1000 for analysis. After the file is submitted, the Playbook retrieves a PDF report of the analysis results, creates a Document Group in ThreatConnect that contains the PDF report, and associates that Document Group to the one that triggered the Playbook.

By default, the Playbook waits 10 minutes for ReversingLabs A1000 to perform the analysis and create an analysis report. If these actions do not happen within 10 minutes, the Playbook will store the hash of the malware sample and the ID of the Document Group that triggered the Playbook in the Organization’s DataStore for future retrieval. In this scenario, the supporting Download Hash Reports R1 Playbook will retrieve the analysis report on a set schedule, create a Document Group in ThreatConnect that contains the report, and associate that Document Group to the one that triggered the ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1 Playbook.

Configuring and Activating the Playbook

After importing the ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1 Playbook Template into your Organization as a Playbook, open the Playbook in the Playbook Designer and make the following changes:

  • Edit the Set File Submission Options Playbook App and configure key/value pairs for the desired file submission options. To view a full list of file submission options, see the “Request Parameters” subsection of the “17.2.1 Submit samples for analysis on A1000” section of the A1000 Malware Analysis Platform User Guide.
  • Edit the Create PDF Report App and update the value of the Owner parameter to the ThreatConnect owner in which you want the Playbook to create the Document Group containing the PDF analysis report.

After these changes are made, hover over the MODE dropdown at the top right of the Playbook Designer and select Active to activate the Playbook.

Executing the Playbook

Follow these steps to execute the ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1 Playbook, which has a UserAction Trigger.

  1. Navigate to the Details screen for the Document Group containing the malware file you want to submit to ReversingLabs A1000 for analysis. If no such Group exists, upload the malware file to the Malware Vault to create a Document Group that contains the malware file.
  2. On the Playbooks card, click Run Playbook for the Analyze File with RL A1000 Trigger to execute the ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1 Playbook. A message stating “Starting playbook…” will be displayed at the lower-left corner of the screen.

When the Playbook’s execution is complete, a status of Complete will be displayed in the Status column of the Playbooks card for the Playbook.

Note
You can also execute the ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1 Playbook while viewing the Document Group in Threat Graph. See Running Playbooks in Threat Graph for more information.

Viewing the Results

Follow these steps to view the results of the ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1 Playbook’s execution (i.e., the Document Group that contains the PDF analysis report).

  1. Select the Associations tab on the Details screen for the Document Group that triggered the Playbook.
  2. On the Groups card of the Associations tab, locate a Document Group whose name contains the name of the Document Group that triggered the Playbook followed by “ PDF Report”.
  3. Click the Document Group’s summary in the Name/Summary column of the Groups card. The Overview tab of its Details screen will be displayed.
  4. On the Document File card, click the Download button to download the PDF analysis report.

Submitting a URL Indicator to ReversingLabs A1000 for Analysis and Retrieving an Analysis Report

The ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1 Playbook allows you to submit a URL Indicator to ReversingLabs A1000 for analysis. After the URL is submitted, the Playbook retrieves both JSON and PDF reports of the analysis results, creates Document Groups in ThreatConnect for each report format, and associates those Document Groups to the URL Indicator that triggered the Playbook.

By default, the Playbook waits 10 minutes for ReversingLabs A1000 to perform the analysis and create an analysis report. If these actions do not happen within 10 minutes, the Playbook will store the ID of the URL Indicator that triggered the Playbook in the Organization’s DataStore for future retrieval. In this scenario, the supporting Download URL Reports R1 Playbook will retrieve the analysis report on a set schedule, create Document Groups in ThreatConnect for each report format (JSON and PDF), and associate those Document Groups to the URL Indicator that triggered the ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1 Playbook.

Configuring and Activating the Playbook

After importing the ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1 Playbook Template into your Organization as a Playbook, open the Playbook in the Playbook Designer and make the following changes:

  • Edit the Create JSON Report App and update the value of the Owner parameter to the ThreatConnect owner in which you want the Playbook to create the Document Group containing the JSON analysis report.
  • Edit the Create PDF Report App and update the value of the Owner parameter to the ThreatConnect owner in which you want the Playbook to create the Document Group containing the PDF analysis report.

After these changes are made, hover over the MODE dropdown at the top right of the Playbook Designer and select Active to activate the Playbook.

Executing the Playbook

Follow these steps to execute the ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1 Playbook, which has a UserAction Trigger.

  1. Navigate to the Details screen for the URL Indicator you want to submit to ReversingLabs A1000 for analysis.
  2. On the Playbooks card, click Run Playbook for the Analyze URL with RL A1000 Trigger to execute the ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1 Playbook. A message stating “Starting playbook…” will be displayed at the lower-left corner of the screen.

When the Playbook’s execution is complete, a status of Complete will be displayed in the Status column of the Playbooks card for the Playbook.

Note
You can also execute the ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1 Playbook while viewing the URL Indicator in Threat Graph. See Running Playbooks in Threat Graph for more information.

Viewing the Results

Follow these steps to view the results of the ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1 Playbook’s execution (i.e., the Document Groups that contain the JSON and PDF analysis reports).

  1. Select the Associations tab on the Details screen for the URL Indicator that triggered the Playbook.
  2. On the Groups card of the Associations tab, locate a Document Group named “RL A1000 Report” (to view the JSON analysis report) or a Document Group whose name contains the name of the URL Indicator that triggered the Playbook followed by “ PDF Report” (to view the PDF analysis report).
  3. Click the Document Group’s summary in the Name/Summary column of the Groups card. The Overview tab of its Details screen will be displayed.
  4. On the Document File card, click the Download button to download the analysis report.

Submitting a File Indicator to ReversingLabs A1000 and Searching for a Malware Sample With a Matching Hash

The ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1 Playbook allows you to submit a File Indicator to ReversingLabs A1000 to search for a malware sample with a matching file hash. If a match is found, the Playbook will retrieve both PDF and JSON analysis reports for the malware sample, create Document Groups in ThreatConnect for each report format, and associate those Document Groups to the File Indicator that triggered the Playbook.

By default, the Playbook waits 10 minutes for ReversingLabs A1000 to search for a matching malware sample and generate an analysis report if a match is found. If these actions do not happen within 10 minutes, the Playbook will store the ID of the File Indicator that triggered the Playbook in the Organization’s DataStore for future retrieval. In this scenario, the supporting Download Hash Reports R1 Playbook will retrieve the analysis report on a set schedule, create Document Groups in ThreatConnect for each report format (JSON and PDF), and associate those Document Groups to the File Indicator that triggered the ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1 Playbook.

Configuring and Activating the Playbook

After importing the ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1 Playbook Template into your Organization as a Playbook, open the Separate Indicator Name to MD5 SHA1 and SHA 256 Hashes Playbook Component in the Playbook Designer, hover over the MODE dropdown at the top right of the Playbook Designer, and select Active to activate the Playbook Component. After activating this Playbook Component, open the ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1 Playbook in the Playbook Designer and make the following changes:

  • Edit the Create JSON Report App and update the value of the Owner parameter to the ThreatConnect owner in which you want the Playbook to create the Document Group containing the JSON analysis report.
  • Edit the Create PDF Report App and update the value of the Owner parameter to the ThreatConnect owner in which you want the Playbook to create the Document Group containing the PDF analysis report.

After these changes are made, hover over the MODE dropdown at the top right of the Playbook Designer and select Active to activate the Playbook.

Executing the Playbook

Follow these steps to execute the ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1 Playbook, which has a UserAction Trigger.

  1. Navigate to the Details screen for the File Indicator you want to submit to ReversingLabs A1000 for analysis.
  2. On the Playbooks card, click Run Playbook for the Search if hash exists in A1000 Trigger to execute the ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1 Playbook. A message stating “Starting playbook…” will be displayed at the lower-left corner of the screen.

When the Playbook’s execution is complete, a status of Complete will be displayed in the Status column of the Playbooks card for the Playbook.

Note
You can also execute the ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1 Playbook while viewing the File Indicator in Threat Graph. See Running Playbooks in Threat Graph for more information.

Viewing the Results

Follow these steps to view the results of the ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1 Playbook’s execution (i.e., the Document Groups that contain the JSON and PDF analysis reports).

  1. Select the Associations tab on the Details screen for the File Indicator that triggered the Playbook.
  2. On the Groups card of the Associations tab, locate a Document Group named “RL A1000 JSON Report” (to view the JSON analysis report) or a Document Group named “RL A1000 HASH PDF Report” (to view the PDF analysis report).
  3. Click the Document Group’s summary in the Name/Summary column of the Groups card. The Overview tab of its Details screen will be displayed.
  4. On the Document File card, click the Download button to download the analysis report.

Supplemental Playbooks

The ReversingLabs A1000 Content Pack includes two supplemental Playbooks that run in situations where an analysis or report creation in ReversingLabs A1000 takes longer than 10 minutes. It is recommended to import and activate both Playbooks to ensure that all reports are downloaded.

Download Hash Reports R1 Playbook

The ReversingLabs A1000 Content Pack - Download Hash Reports R1 Playbook downloads analysis reports for malware samples that were previously requested from ReversingLabs A1000 by searching the Organization’s DataStore for all records with a data type of Hashes, which are populated by the ReversingLabs A1000 Content Pack - Upload Malware Sample and Retrieve Report R1 and ReversingLabs A1000 Content Pack - Search for Hash and Retrieve Report R1 Playbooks.

The ReversingLabs A1000 Content Pack - Download Hash Reports R1 Playbook uses a Timer Trigger and can be set to run at a custom interval. After the Playbook downloads an analysis report for a malware sample, it removes the corresponding record from the Organization's DataStore.

Configuring and Activating the Playbook

After importing the ReversingLabs A1000 Content Pack - Download Hash Reports R1 Playbook Template into your Organization as a Playbook, open the Playbook in the Playbook Designer and make the following changes:

  • Edit the Timer Trigger and update the value of the Schedule parameter to the desired frequency at which the Playbook will run. Depending on the selected frequency, additional parameters may need to be configured.
  • Edit the Create PDF Report App and update the value of the Owner parameter to the ThreatConnect owner in which you want the Playbook to create the Document Group containing the PDF analysis report for the malware sample.

After these changes are made, hover over the MODE dropdown at the top right of the Playbook Designer and select Active to activate the Playbook.

Download URL Reports R1 Playbook

The ReversingLabs A1000 Content Pack - Download URL Reports R1 Playbook downloads analysis reports for URLs that were previously requested from ReversingLabs A1000 by searching the Organization's DataStore for all records with a data type of URL, which are populated by the ReversingLabs A1000 Content Pack - Analyze URL and Retrieve Report R1 Playbook.

The ReversingLabs A1000 Content Pack - Download URL Reports R1 Playbook uses a Timer Trigger and can be set to run at a custom interval. After the Playbook downloads an analysis report for a URL, it removes the corresponding record from the Organization's DataStore.
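The deferred-retrieval pattern described for the three trigger Playbooks and the two supplemental Timer-Trigger Playbooks, modelled as an added example (this is not ThreatConnect's or ReversingLabs' code): a trigger-time step polls for up to 10 minutes and on timeout records the sample hash or indicator plus the triggering object's ID under the matching DataStore data type, and a scheduled step drains those records, deleting each only after its report was actually retrieved. The `DataStore`, `FakeA1000` and record layout are assumptions chosen for illustration, and the 10 polls stand in for the Playbook's 10-minute wait.

```python
from dataclasses import dataclass, field


@dataclass
class DataStore:
    """Stand-in (assumed) for the Organization's DataStore, keyed by data type."""
    records: dict = field(default_factory=lambda: {"Hashes": [], "URL": []})

    def add(self, data_type, record):
        self.records[data_type].append(record)

    def remove(self, data_type, record):
        self.records[data_type].remove(record)


class FakeA1000:
    """Constructed stand-in for A1000: a report becomes available only after the
    key has been polled `ready_after[key]` times (default 1)."""

    def __init__(self, ready_after):
        self.ready_after = ready_after
        self.polls = {}

    def get_report(self, key):
        self.polls[key] = self.polls.get(key, 0) + 1
        if self.polls[key] >= self.ready_after.get(key, 1):
            return f"PDF report for {key}"
        return None


def submit_and_wait(a1000, store, data_type, key, trigger_id, max_polls=10):
    """Trigger-time behaviour: poll once per 'minute' for up to 10 'minutes'.
    On timeout, store the key and the triggering object's ID for later pickup."""
    for _ in range(max_polls):
        report = a1000.get_report(key)
        if report is not None:
            return report
    store.add(data_type, {"key": key, "trigger_id": trigger_id})
    return None


def download_pending(a1000, store, data_type):
    """Timer-Trigger behaviour: retrieve reports for every pending record of one
    data type; a record is removed only after its report was delivered, so a
    report that is still not ready stays queued for the next run."""
    delivered = {}
    for record in list(store.records[data_type]):
        report = a1000.get_report(record["key"])
        if report is None:
            continue
        delivered[record["trigger_id"]] = report
        store.remove(data_type, record)
    return delivered
```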

Configuring and Activating the Playbook

After importing the ReversingLabs A1000 Content Pack - Download URL Reports R1 Playbook Template into your Organization as a Playbook, open the Playbook in the Playbook Designer and make the following changes:

  • Edit the Timer Trigger and update the value of the Schedule parameter to the desired frequency at which the Playbook will run. Depending on the selected frequency, additional parameters may need to be configured.
  • Edit the Create PDF Report App and update the value of the Owner parameter to the ThreatConnect owner in which you want the Playbook to create the Document Group containing the PDF analysis report for the URL.

After these changes are made, hover over the MODE dropdown at the top right of the Playbook Designer and select Active to activate the Playbook.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
ReversingLabs® is a registered trademark of ReversingLabs International GmbH.

20158-03 v.01.A

