VMRay Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 1.2.0 |
Compatible with ThreatQ Versions | >= 4.34.0 |
Support Tier | ThreatQ Supported |
Introduction
The VMRay Operation is used to submit URLs, FQDNs and File Objects to VMRay for analysis and retrieve reports in PDF format.
The operation provides the following actions:
- Submit Indicator - submits an indicator to the VMRay platform.
- Submit File - Submits a file to the VMRay platform.
- Get Report - Retrieves the report for a submitted object.
The operation is compatible with File and Indicator (FQDN, URL) object types.
The VMRay Operation is required in order to use the VMRay CDF.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Hostname | Your VMRay instance hostname. |
API Key | Your VMRay API Key. |
Verify SSL | Enable or disable SSL verification. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The VMRay operation provides the following actions:
Action | Description | Object Type | Object Subtype |
---|---|---|---|
Submit Indicator | Submits a supported indicator to the VMRay platform. | Indicators | FQDN, URL |
Submit File | Submits a file to the VMRay platform. | File | Attachment |
Get Report | Retrieves the report for a submitted object. | Indicators | FQDN, URL |
Notes
- Executing one of the submit actions adds a VMRay Sample ID attribute to the object the operation was run on.
- This VMRay Sample ID attribute is used by the get_report action to fetch the submission report link.
- The attribute is automatically deleted when the report link is fetched for a completed analysis.
Submit Indicator
The Submit Indicator action submits an indicator for analysis.
POST https://cloud.vmray.com/rest/sample/submit
Configuration Options
The Submit Indicator action provides the following configuration options:
Parameter | Type | Example | Default | Notes |
---|---|---|---|---|
Data Retention | int | 0 | 0 | The number of days after which submissions are automatically deleted from the VMRay server. Valid options: 0, 60, 120, 180, 360. A value of 0 disables automatic deletion. |
Submission Comment | str | n/a | Some Comment | Comment for current indicator submission. |
Tags | str | Some_Tag | n/a | Comma-separated list of tags for this submission. |
Reputation Lookups & WHOIS Lookups | str | True | 10 | Indicates whether 'Reputation Analysis' and 'Analysis Artifacts' (applicable for file hashes and URLs) should be performed for the submitted sample. |
Max Recursive Samples | int | 1 | 10 | Number of files to be analyzed. For example, with a value of 10, submitting a zip archive containing multiple files results in only the first 10 files being analyzed. |
Max Dynamic Analyses Per Sample | int | 1 | True | Protects the user by limiting the number of Dynamic Analyses that are performed for both the original sample as well as any recursive samples within the original object. |
Submit File
The Submit File action submits a file for analysis.
POST https://cloud.vmray.com/rest/sample/submit
Configuration Options
The Submit File action provides the following configuration options:
Parameter | Type | Example | Default | Notes |
---|---|---|---|---|
tags | str | some_tag | n/a | Comma-separated list of tags for this submission. |
Submission Comment | str | Some Comment | n/a | Comment for current indicator submission. |
When running the Submit File action on an Attachment with Malware Safety Lock enabled, the file actually submitted to VMRay is a zipped file, and the created Filename indicator has a .zip extension. The Filename indicator is the bridge relationship between the submitted file and the data retrieved by the CDF.
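To make the submit actions concrete, the following is an added example (not ThreatQuotient's or VMRay's own code) that assembles the POST /rest/sample/submit call for either an indicator or a file attachment and applies the Malware Safety Lock zip wrapping described above. The multipart field names (sample_url, sample_file, tags, comment), the api_key Authorization scheme and the X-App-Name header value are assumptions, not taken from this guide.

```python
import io
import zipfile


def wrap_for_safety_lock(filename, content, safety_lock):
    """Under Malware Safety Lock the attachment is zipped in memory before
    upload and the Filename indicator (the bridge to the CDF's results)
    carries a .zip extension; otherwise the file is sent unchanged."""
    if not safety_lock:
        return filename, content
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, content)
    return filename + ".zip", buf.getvalue()


def build_submit_request(hostname, api_key, *, verify_ssl=True, sample_url=None,
                         filename=None, content=None, safety_lock=False,
                         tags="", comment=""):
    """Assemble the POST /rest/sample/submit call for either a URL/FQDN
    indicator or a file attachment. Field names and the 'api_key'
    Authorization scheme are assumptions about VMRay's REST API."""
    req = {
        "method": "POST",
        "url": f"https://{hostname}/rest/sample/submit",  # Hostname config parameter
        "headers": {
            "Authorization": f"api_key {api_key}",
            "X-App-Name": "ThreatQ VMRay Operation",  # header value is a placeholder
        },
        "verify": verify_ssl,  # the guide's Verify SSL setting; keep enabled in production
        "data": {"tags": tags, "comment": comment},
        "files": {},
        "filename_indicator": None,  # set only for file submissions
    }
    if sample_url is not None:
        req["data"]["sample_url"] = sample_url
    elif filename is not None and content is not None:
        name, body = wrap_for_safety_lock(filename, content, safety_lock)
        req["files"]["sample_file"] = (name, body)
        req["filename_indicator"] = name
    else:
        raise ValueError("provide sample_url or filename and content")
    return req
```

Apart from the method and filename_indicator keys, the returned dict maps directly onto the keyword arguments of requests.post.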
Get Report
The Get Report action can be executed for both Indicators and Attachments using the endpoint listed below. The action displays the submission status and the link for downloading the PDF report.
GET https://cloud.vmray.com/rest/sample/<sample_id>/vtis
Known Issues/Limitations
- By executing one of the submit actions, a VMRay Sample ID attribute is added to the object on which the action was executed. This VMRay Sample ID attribute is used by the get_report action to fetch the submission report link. The attribute is automatically deleted when the report link is fetched for a completed analysis.
Change Log
- Version 1.2.0
- Updated the Submit File action to resolve a lost relationship issue that can occur between the submitted file and the retrieved indicators when running the VMRay CDF.
- Version 1.1.1
- Added X-App-Name in the request header.
- Version 1.1.0
- Added Hostname parameter to the operation's configuration page.
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
VMRay Operation Guide v1.2.0 | 4.34 or Greater |
VMRay Operation Guide v1.1.1 | 4.34 or Greater |
VMRay Operation Guide v1.1.0 | 4.34 or Greater |
VMRay Operation Guide v1.0.0 | 4.34 or Greater |