Splunk SOAR
Splunk SOAR (Cloud) delivers the benefits of SOAR as a cloud-based service. With Splunk SOAR (Cloud), you gain the functionality of a security orchestration, automation, and response (SOAR) system that is delivered as a software-as-a-service (SaaS) solution hosted and managed by Splunk. By integrating OPSWAT Filescan with Splunk SOAR, security teams can automate the process of scanning files for malware and other security threats. This integration allows security teams to quickly and easily scan files for potential threats, and take immediate action to mitigate any risks that are identified.
With the integration, you can send a file or URL scan request from Splunk SOAR to Filescan, search for previously scanned reports in Filescan, or run a quick file, IP, domain or URL reputation lookup.
You can find more information about Splunk SOAR here.
The OPSWAT Filescan Sandbox integration is available in the Splunkbase marketplace here.
Installation
You can install OPSWAT Filescan from Splunkbase or from Splunk SOAR directly.
Install from Splunk SOAR
In Splunk SOAR go to Apps and select "New Apps".

Then search for OPSWAT Filescan and Install it:

Install from Splunkbase
Download OPSWAT Filescan Sandbox from Splunkbase: https://splunkbase.splunk.com/app/6942 and in Splunk SOAR, under Apps, select "Install App":

After that, drag and drop the downloaded app and click "Install":

Configuration
After installation, you can find the OPSWAT Filescan app under the "Unconfigured Apps" list:

Under 'CONFIGURE NEW ASSET' fill in the required fields.
Under the Asset Info tab, fill in the asset name and description:

After this, configure the connection under the Asset Settings tab:

A Filescan API key is required to use the integration.
You can use the Activation Key that you received from your OPSWAT Sales Representative and follow the instructions on the License Activation page, or you can create an API key on the Community site under the API Key tab.
You need to add your API key, and if you have the on-premises version of OPSWAT Filescan, you can add your own server's URL. The default URL is Filescan Community.
After saving the settings you can use the asset.
Testing the asset
You can test the connection of your asset under the View menu:

For that, select Actions -> test connectivity on the left and select your asset on the right. After clicking the 'Test Action' button a message appears. The following message indicates that the setup was successful:
[USERNAME] API key has been set successfully

Available actions
detonate url
Scan a URL resource with the Filescan POST - Scan URL API.
Parameters
Parameter | Description | Default value | Required
---|---|---|---
url | The URL to submit | | yes
password | Custom password, in case the uploaded archive is protected | |
is private | If the file should not be available for download by other users | |
description | Uploaded file/URL description | |
```json
{
  "identifier": "detonate_url",
  "result_data": [],
  "result_summary": {},
  "status": "success",
  "message": "1 action succeeded",
  "exception_occured": false,
  "action_cancelled": false
}
```
detonate file
Scan a file resource with the Filescan POST - Scan File API.
Parameters
Parameter | Description | Default value | Required
---|---|---|---
vault id | Vault ID of the file to detonate | | yes
password | Custom password, in case the uploaded archive is protected | |
is private | If the file should not be available for download by other users | |
description | Uploaded file/URL description | |
```json
{
  "identifier": "detonate_file",
  "result_data": [],
  "result_summary": {},
  "status": "success",
  "message": "1 action succeeded",
  "exception_occured": false,
  "action_cancelled": false
}
```
search
Search for reports. Finds reports and uploaded files by various tokens. It uses the OPSWAT Filescan API Reference v1 API endpoint and the 'query' field.
Parameters
Parameter | Description | Default value | Required
---|---|---|---
query | The query string | | yes
limit | Number of total results. Maximum 50. (Ignored if page and page_size are also provided.) | 10 |
page | Page number, starting from 1 | |
page_size | Page size. Can be 5, 10 or 20 | |
```json
{
  "identifier": "search",
  "result_data": [],
  "result_summary": {},
  "status": "success",
  "message": "1 action succeeded",
  "exception_occured": false,
  "action_cancelled": false
}
```
file reputation
Get the reputation for one given hash (returns the last 10 Filescan reports). It uses the GET - Get Reputation API endpoint.
Parameters
Parameter | Description | Default value | Required
---|---|---|---
sha256 | SHA256 value of the file | | yes
```json
{
  "identifier": "file_reputation",
  "result_data": [],
  "result_summary": {},
  "status": "success",
  "message": "1 action succeeded",
  "exception_occured": false,
  "action_cancelled": false
}
```
ioc reputation
Get the reputation for one given IOC (IP, domain or URL; returns the last 10 Filescan reports). It uses the GET - Get Reputation API endpoint.
Parameters
Parameter | Description | Default value | Required
---|---|---|---
type | Type of the IOC. It should be ip, domain or url. | | yes
value | The value of the IOC | |
```json
{
  "identifier": "ioc_reputation",
  "result_data": [],
  "result_summary": {},
  "status": "success",
  "message": "1 action succeeded",
  "exception_occured": false,
  "action_cancelled": false
}
```
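The following added example (not code from the OPSWAT Filescan app or from Splunk) shows how a playbook helper can enforce the parameter rules documented for the search and ioc reputation actions, and how to read the action-result envelope shown above before acting on `result_data`. The snake_case parameter key names and the constructed sample result are assumptions, not taken from the app.

```python
"""Added helper (not part of the OPSWAT Filescan app): validates action
parameters against the documented constraints and reads the SOAR action-result
envelope. Parameter key names (snake_case) are assumed, not from the app."""
import ipaddress

VALID_IOC_TYPES = {"ip", "domain", "url"}
VALID_PAGE_SIZES = {5, 10, 20}
MAX_LIMIT = 50


def build_search_params(query, limit=10, page=None, page_size=None):
    """Build parameters for the 'search' action. limit is capped at 50 and is
    dropped when page and page_size are supplied, matching the documented rule."""
    if not query:
        raise ValueError("query is required")
    params = {"query": query}
    if page is not None or page_size is not None:
        if page is None or page_size is None:
            raise ValueError("page and page_size must be given together")
        if page < 1:
            raise ValueError("page numbering starts at 1")
        if page_size not in VALID_PAGE_SIZES:
            raise ValueError("page_size must be 5, 10 or 20")
        params.update(page=page, page_size=page_size)
        return params  # limit is ignored when explicit paging is used
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 50")
    params["limit"] = limit
    return params


def build_ioc_reputation_params(ioc_type, value):
    """Build parameters for 'ioc reputation'; type must be ip, domain or url."""
    if ioc_type not in VALID_IOC_TYPES:
        raise ValueError("type must be ip, domain or url")
    if not value:
        raise ValueError("value is required")
    if ioc_type == "ip":
        ipaddress.ip_address(value)  # raises ValueError on a malformed address
    return {"type": ioc_type, "value": value}


def action_succeeded(result):
    """True only for a clean success: status is 'success', no exception was
    raised by the app and the action was not cancelled by an operator."""
    return (result.get("status") == "success"
            and not result.get("exception_occured", False)
            and not result.get("action_cancelled", False))


# Constructed sample envelope mirroring the shape documented above.
SAMPLE_RESULT = {"identifier": "ioc_reputation", "result_data": [],
                 "result_summary": {}, "status": "success",
                 "message": "1 action succeeded",
                 "exception_occured": False, "action_cancelled": False}
```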