OPSWAT MetaDefender
This document provides guidance on how to integrate OPSWAT MetaDefender with Google Security Operations SOAR.
Integration version: 8.0
Before you begin
Before configuring the OPSWAT MetaDefender integration in Google SecOps, obtain an API key from OPSWAT and configure the required network parameters.
Obtain the API key
To obtain the API key, complete the following steps:
Sign in to your OPSWAT account.
On your dashboard page, copy the API key value under My API Key to use it for configuring the OPSWAT MetaDefender integration inputs.
Configure network parameters
To configure the network parameters required for the OPSWAT MetaDefender integration, refer to the following table:
Function | Default port | Direction | Protocol |
---|---|---|---|
API | Multivalues | Outbound | apikey |
Integrate OPSWAT MetaDefender with Google SecOps
The integration requires the following parameters:
Parameters | Description |
---|---|
ApiRoot | Required. The API root of the OPSWAT MetaDefender instance. |
ApiKey | Required. The API key of the OPSWAT MetaDefender instance. |
Verify SSL | Optional. If selected, the integration verifies that the SSL certificate for connecting to the OPSWAT MetaDefender server is valid. Not selected by default. |
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure instances, you can use them in playbooks. For more information on configuring and supporting multiple instances, see Supporting multiple instances.
Actions
The OPSWAT MetaDefender integration contains the following actions:
- Ping
- Scan Hash
Ping
Use the Ping action to test connectivity to OPSWAT MetaDefender.
This action runs on all entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Not available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Scan Hash
Use the Scan Hash action to scan a file hash in OPSWAT MetaDefender.
This action runs on the Filehash entity.
Action inputs
None.
Action inputs
The Scan Hash action requires the following parameters:
Parameters | Description |
---|---|
|
Required |
|
Optional |
Action outputs
The Scan Hash action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Entity enrichment | Available |
Insight | Available |
JSON result | Not available |
Output messages | Not available |
Script result | Available |
Entity enrichment
Entities are marked as Suspicious (True) if the results of their scan show the Infected status. Else, False.
Insight
Severity | |
---|---|
Warn | A warning insight that reports the malicious status of the enriched hash. |
Script result
The following table describes the values for the script result output when using the Scan Hash action:
Script result name | Value |
---|---|
is_success | True or False |
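The Scan Hash lookup and the entity enrichment rule described above, sketched in Python as an added example; it is not Google SecOps or OPSWAT code. The `/hash/<value>` path and the `scan_results.scan_all_result_a` response field are assumptions about the MetaDefender API that do not appear on this page, and the function names and sample responses are constructed. Certificate verification is always on here, which corresponds to selecting Verify SSL.

```python
import json
import re
import ssl
import urllib.request

# Accept only MD5, SHA-1 or SHA-256 hex digests before building a URL from them.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def build_lookup(api_root, api_key, file_hash):
    """Build the hash-lookup request; the /hash/<value> path is an assumption."""
    if not api_root.lower().startswith("https://"):
        raise ValueError("ApiRoot must use https so the API key is not sent in clear text")
    if not HASH_RE.match(file_hash):
        raise ValueError("not an MD5/SHA-1/SHA-256 hex digest")
    url = api_root.rstrip("/") + "/hash/" + file_hash.lower()
    return urllib.request.Request(url, headers={"apikey": api_key})


def scan_hash(api_root, api_key, file_hash, timeout=15):
    """Send the lookup with certificate and hostname verification enabled."""
    ctx = ssl.create_default_context()  # the equivalent of selecting Verify SSL
    req = build_lookup(api_root, api_key, file_hash)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


def enrich(report):
    """Apply the page's rule: Suspicious is True only for the Infected status."""
    status = (report.get("scan_results") or {}).get("scan_all_result_a")
    return {"status": status, "is_suspicious": status == "Infected"}


# Constructed sample responses (not real scan data).
SAMPLE_INFECTED = {"scan_results": {"scan_all_result_a": "Infected"}}
SAMPLE_CLEAN = {"scan_results": {"scan_all_result_a": "No Threat Detected"}}
SAMPLE_UNKNOWN = {"error": {"messages": ["hash not found"]}}

if __name__ == "__main__":
    for sample in (SAMPLE_INFECTED, SAMPLE_CLEAN, SAMPLE_UNKNOWN):
        print(enrich(sample))
```

A hash that MetaDefender has no report for is returned with `is_suspicious` set to False, so a playbook that needs to distinguish "clean" from "never seen" should branch on `status` as well.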