VMRay
Integration version: 9.0
Configure VMRay integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Api Root | String | https:/{{ip address}} | Yes | API root of the VMRay instance. |
| Api key | String | N/A | Yes | API key generated in VMRay. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the VMRay server is valid. |
Actions
Ping
Description
Test Connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Scan Hash
Description
Get details about a specific hash.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
| Threat Indicator Score Threshold | Integer | 3 | Yes | Specify the lowest score that is used to return threat indicators. Maximum: 5 |
| IOC Type Filter | CSV | ip, file, email, url, domain | Yes | Specify a comma-separated list of IOC types that need to be returned. Possible values: domains, emails, files, ips, mutexes, processes, registry, urls. |
| IOC Verdict Filter | CSV | Malicious, Suspicious | Yes | Specify a comma-separated list of IOC verdicts that is used during the ingestion of IOCs. Possible values: Malicious, Suspicious, Clean, None |
| Max IOCs To Return | Integer | 10 | No | Specify the number of IOCs to return per entity per IOC type. |
| Max Threat Indicators To Return | Integer | 10 | No | Specify the number of threat indicators to return per entity. |
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing information about entities. |
| Only Suspicious Insight | Checkbox | Unchecked | No | If enabled, the action only creates insight for suspicious entities. Note: The "Create Insight" parameter needs to be enabled. |
Use cases
N/A
Run On
This action runs on the Hash entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"sample_child_relations": [],
"sample_child_relations_truncated": false,
"sample_child_sample_ids": [],
"sample_classifications": [],
"sample_container_type": null,
"sample_created": "2019-06-05T07:29:05",
"sample_display_url": "http://markossolomon.com/f1q7qx.php",
"sample_filename": "sample.url",
"sample_filesize": 35,
"sample_highest_vti_score": 80,
"sample_highest_vti_severity": "malicious",
"sample_id": 3945509,
"sample_imphash": null,
"sample_is_multipart": false,
"sample_last_md_score": null,
"sample_last_reputation_severity": "malicious",
"sample_last_vt_score": null,
"sample_md5hash": "de765a6a9931c754b709d44c33540149",
"sample_parent_relations": [],
"sample_parent_relations_truncated": false,
"sample_parent_sample_ids": [],
"sample_password_protected": false,
"sample_pe_signature": null,
"sample_priority": 3,
"sample_score": 80,
"sample_severity": "malicious",
"sample_sha1hash": "a4b19054d162aab802270aec8ef27f009ab4db51",
"sample_sha256hash": "8fb5c7a88058fad398dfe290f3821a3983a608abe6b39d014d9800afa3d5af70",
"sample_ssdeephash": "3:N1KTxKWiUgdhHn:C1N3an",
"sample_threat_names": [
"C2/Generic-A"
],
"sample_type": "URL",
"sample_url": "http://markossolomon.com/f1q7qx.php",
"sample_verdict": "malicious",
"sample_verdict_reason_code": null,
"sample_verdict_reason_description": null,
"sample_vti_score": "malicious",
"sample_webif_url": "https://cloud.vmray.com/user/sample/view?id=3945509",
"iocs": {
"domains": [
{
"domain": "connect.facebook.net",
"severity": "unknown",
"verdict": "clean"
}
],
"emails": [
{
"email": "connect.facebook.net",
"severity": "unknown",
"verdict": "clean"
}
],
"files": [
{
"filename": "C:\\Program Files (x86)\\L8piti24x\\mfcdjrhg8l.exe",
"categories": [
"Dropped File"
],
"severity": "not_suspicious",
"verdict": "clean",
"classifications": [
"Virus"
],
"operations": [
"Access",
"Create",
"Write"
],
"hashes": [
{
"imp_hash": null,
"md5_hash": "58a2430b19d0594b46caf69dea5c1023",
"sha1_hash": "e8f5809342eedc2b035f726811dcaa1a9b589cb7",
"sha256_hash": "b9072661a90377835205f5c66ee06ba82ec42d843c8ec5dc07c16da86c90b835",
"ssdeep_hash": "12:TMHdgo+tJVEdQiCXFMp3OOy9P72/FeFYX+NEVjB:2dfyiw2uTyOOT"
}
]
}
],
"ips": [
{
"ip_address": "195.24.68.30",
"severity": "not_suspicious",
"verdict": "malicious"
}
],
"mutexes": [
{
"mutex_name": "5PM8-Q6R2E6AAF73",
"operations": [
"access"
],
"severity": "not_suspicious",
"verdict": "clean"
}
],
"processes": [
{
"classifications": [],
"cmd_line": "/c del \"C:\\Users\\WhuOXYsD\\gIkAOpZB.exe\"",
"process_ids": [
137
],
"parent_processes": [
"\"C:\\Windows\\SysWOW64\\control.exe\""
],
"process_names": [
"cmd.exe"
],
"severity": "not_suspicious",
"verdict": "clean"
}
],
"registry": [
{
"operations": [
"access",
"write"
],
"reg_key_name": "HKEY_USERS\\S-1-5-21-98310496-2871927230-3452460056-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\YLRPWV4P6TI",
"severity": "not_suspicious",
"verdict": "clean"
}
],
"urls": [
{
"severity": "malicious",
"url": "http://markossolomon.com/f1q7qx.php",
"verdict": "malicious"
}
]
},
"threat_indicators": [
{
"category": "Heuristics",
"operation": "Contains suspicious meta data",
"score": 4,
"classifications": [
"Spyware"
]
}
]
}
Enrichment Table
| Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
|---|---|---|
| VMRay_sample_vti_score | sample_vti_score | Always |
| VMRay_sample_child_sample_ids | sample_child_sample_ids | Always |
| VMRay_sample_id | sample_id | Always |
| VMRay_sample_sha1hash | sample_sha1hash | Always |
| VMRay_sample_classifications | sample_classifications | Always |
| VMRay_sample_last_md_score | sample_last_md_score | Always |
| VMRay_sample_last_vt_score | sample_last_vt_score | Always |
| VMRay_sample_severity | sample_severity | Always |
| VMRay_sample_url | sample_url | Always |
| VMRay_sample_imphash | sample_imphash | Always |
| VMRay_sample_highest_vti_score | sample_highest_vti_score | Always |
| VMRay_sample_container_type | sample_container_type | Always |
| VMRay_sample_webif_url | sample_webif_url | Always |
| VMRay_sample_type | sample_type | Always |
| VMRay_sample_created | sample_created | Always |
| VMRay_sample_last_reputation_severity | sample_last_reputation_severity | Always |
| VMRay_sample_filesize | sample_filesize | Always |
| VMRay_sample_parent_sample_ids | sample_parent_sample_ids | Always |
| VMRay_sample_ssdeephash | sample_ssdeephash | Always |
| VMRay_sample_md5hash | sample_md5hash | Always |
| VMRay_sample_sha256hash | sample_sha256hash | Always |
| VMRay_sample_highest_vti_severity | sample_highest_vti_severity | Always |
| VMRay_sample_priority | sample_priority | Always |
| VMRay_sample_is_multipart | sample_is_multipart | Always |
| VMRay_sample_score | sample_score | Always |
| VMRay_sample_filename | sample_filename | Always |
| VMRay_ioc_domains | Csv of iocs/domain | Always |
| VMRay_ioc_ips | Csv of iocs/ip | Always |
| VMRay_ioc_urls | Csv of iocs/url | Always |
| VMRay_ioc_files | Csv of iocs/filename | Always |
| VMRay_ioc_emails | Csv of iocs/email | Always |
| VMRay_ioc_mutexes | Csv of iocs/mutex_name | Always |
| VMRay_ioc_processes | Csv of iocs/process_names | Always |
| VMRay_ioc_registry | Csv of iocs/reg_key_name | Always |
| VMRay_threat_indicator_operations | CSv of threat_indicators/operation | Always |
| VMRay_threat_indicator_category | unique CSv of threat_indicators/category | Always |
Insights
N/A
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from VMRay: {entity.identifier}". If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from VMRay: {entity.identifier}". If data is not available for all entities (is_success=false): "None of the provided entities were enriched." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Scan Hash". Reason: {0}''.format(error.Stacktrace) If an invalid value for the "Threat Indicator Score Threshold" parameter is provided: "Error executing action "Scan Hash". Reason: invalid value provided in the parameter " Threat Indicator Score Threshold". Only integers in range from 0 to 5 are supported." If an invalid value for the "IOC Type Filter" parameter is provided: "Error executing action "Scan Hash". Reason: invalid value provided in the parameter "IOC Type Filter". Possible values: domains, emails, files, ips, mutexes, processes, registry, urls." If an invalid value for the "IOC Verdict Filter" parameter is provided: "Error executing action "Scan Hash". Reason: invalid value provided in the parameter "IOC Verdict Filter". Possible values: Malicious, Suspicious, Clean, None. |
General |
| Case Wall Table | Table Title: {entity.identifier} Table Columns:
Link: sample_webif_url |
Entity |
| Table | Table Name: {Entity} - IOCS - Files Table Columns:
|
General |
| Table | Table Name: {Entity} - IOCS - Domains Table Columns:
|
General |
| Table | Table Name: {Entity} - IOCS - IPs Table Columns:
|
General |
| Table | Table Name: {Entity} - IOCS - URLs Table Columns:
|
General |
| Table | Table Name: {Entity} - IOCS - Registry Keys Table Columns:
|
General |
| Table | Table Name: {Entity} - IOCS - Mutexes Table Columns:
|
General |
| Table | Table Name: {Entity} - Threat Indicators Table Columns:
|
General |
Scan URL
Description
Submit a URL and receive related information.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Tag Names | CSV | N/A | No | Specify the tags that you want to add to the submission. |
| Comment | String | N/A | No | Specify the comment that you want to add to the submission. |
| Threat Indicator Score Threshold | Integer | 3 | Yes | Specify the lowest score that is used to return threat indicators. Maximum: 5 |
| IOC Type Filter | CSV | ips, urls, domains | Yes | Specify a comma-separated list of IOC types that need to be returned. Possible values: ips, urls, domains |
| IOC Verdict Filter | CSV | Malicious, Suspicious | No | Specify a comma-separated list of IOC verdicts that is used during the ingestion of IOCs. Possible values: Malicious, Suspicious, Clean, None. |
| Max IOCs To Return | Integer | 10 | No | Specify the number of IOCs to return per entity per IOC type. |
| Max Threat Indicators To Return | Integer | 10 | No | Specify the number of threat indicators to return per entity. |
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing information about entities. |
| Only Suspicious Insight | Checkbox | Unchecked | No | If enabled, the action only creates insight for suspicious entities. Note: The "Create Insight" parameter needs to be enabled. |
Use cases
N/A
Run On
This action runs on the URL entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"sample_child_relations": [],
"sample_child_relations_truncated": false,
"sample_child_sample_ids": [],
"sample_classifications": [],
"sample_container_type": null,
"sample_severity": "malicious",
"sample_sha1hash": "a4b19054d162aab802270aec8ef27f009ab4db51",
"sample_sha256hash": "8fb5c7a88058fad398dfe290f3821a3983a608abe6b39d014d9800afa3d5af70",
"sample_ssdeephash": "3:N1KTxKWiUgdhHn:C1N3an",
"sample_threat_names": [
"C2/Generic-A"
],
"sample_type": "URL",
"sample_url": "http://markossolomon.com/f1q7qx.php",
"sample_verdict": "malicious",
"sample_verdict_reason_code": null,
"sample_verdict_reason_description": null,
"sample_vti_score": "malicious",
"sample_webif_url": "https://cloud.vmray.com/user/sample/view?id=3945509",
"iocs": {
"domains": [
{
"domain": "connect.facebook.net",
"severity": "unknown",
"verdict": "clean"
}
],
"emails": [
{
"email": "connect.facebook.net",
"severity": "unknown",
"verdict": "clean"
}
],
"files": [
{
"filename": "C:\\Program Files (x86)\\L8piti24x\\mfcdjrhg8l.exe",
"categories": [
"Dropped File"
],
"severity": "not_suspicious",
"verdict": "clean",
"classifications": [
"Virus"
],
"operations": [
"Access",
"Create",
"Write"
],
"hashes": [
{
"imp_hash": null,
"md5_hash": "58a2430b19d0594b46caf69dea5c1023",
"sha1_hash": "e8f5809342eedc2b035f726811dcaa1a9b589cb7",
"sha256_hash": "b9072661a90377835205f5c66ee06ba82ec42d843c8ec5dc07c16da86c90b835",
"ssdeep_hash": "12:TMHdgo+tJVEdQiCXFMp3OOy9P72/FeFYX+NEVjB:2dfyiw2uTyOOT"
}
]
}
],
"ips": [
{
"ip_address": "195.24.68.30",
"severity": "not_suspicious",
"verdict": "malicious"
}
],
"mutexes": [
{
"mutex_name": "5PM8-Q6R2E6AAF73",
"operations": [
"access"
],
"severity": "not_suspicious",
"verdict": "clean"
}
],
"processes": [
{
"classifications": [],
"cmd_line": "/c del \"C:\\Users\\WhuOXYsD\\gIkAOpZB.exe\"",
"process_ids": [
137
],
"parent_processes": [
"\"C:\\Windows\\SysWOW64\\control.exe\""
],
"process_names": [
"cmd.exe"
],
"severity": "not_suspicious",
"verdict": "clean"
}
],
"registry": [
{
"operations": [
"access",
"write"
],
"reg_key_name": "HKEY_USERS\\S-1-5-21-98310496-2871927230-3452460056-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\YLRPWV4P6TI",
"severity": "not_suspicious",
"verdict": "clean"
}
],
"urls": [
{
"severity": "malicious",
"url": "http://markossolomon.com/f1q7qx.php",
"verdict": "malicious"
}
]
},
"threat_indicators": [
{
"category": "Heuristics",
"operation": "Contains suspicious meta data",
"score": 4,
"classifications": [
"Spyware"
]
}
]
}
Enrichment Table
| Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
|---|---|---|
| VMRay_sample_vti_score | sample_vti_score | Always |
| VMRay_sample_child_sample_ids | sample_child_sample_ids | Always |
| VMRay_sample_id | sample_id | Always |
| VMRay_sample_sha1hash | sample_sha1hash | Always |
| VMRay_sample_classifications | sample_classifications | Always |
| VMRay_sample_last_md_score | sample_last_md_score | Always |
| VMRay_sample_last_vt_score | sample_last_vt_score | Always |
| VMRay_sample_severity | sample_severity | Always |
| VMRay_sample_url | sample_url | Always |
| VMRay_sample_imphash | sample_imphash | Always |
| VMRay_sample_highest_vti_score | sample_highest_vti_score | Always |
| VMRay_sample_container_type | sample_container_type | Always |
| VMRay_sample_webif_url | sample_webif_url | Always |
| VMRay_sample_type | sample_type | Always |
| VMRay_sample_created | sample_created | Always |
| VMRay_sample_last_reputation_severity | sample_last_reputation_severity | Always |
| VMRay_sample_filesize | sample_filesize | Always |
| VMRay_sample_parent_sample_ids | sample_parent_sample_ids | Always |
| VMRay_sample_ssdeephash | sample_ssdeephash | Always |
| VMRay_sample_md5hash | sample_md5hash | Always |
| VMRay_sample_sha256hash | sample_sha256hash | Always |
| VMRay_sample_highest_vti_severity | sample_highest_vti_severity | Always |
| VMRay_sample_priority | sample_priority | Always |
| VMRay_sample_is_multipart | sample_is_multipart | Always |
| VMRay_sample_score | sample_score | Always |
| VMRay_sample_filename | sample_filename | Always |
| VMRay_ioc_domains | Csv of iocs/domain | Always |
| VMRay_ioc_ips | Csv of iocs/ip | Always |
| VMRay_ioc_urls | Csv of iocs/url | Always |
| VMRay_ioc_files | Csv of iocs/filename | Always |
| VMRay_ioc_emails | Csv of iocs/email | Always |
| VMRay_ioc_mutexes | Csv of iocs/mutex_name | Always |
| VMRay_ioc_processes | Csv of iocs/process_names | Always |
| VMRay_ioc_registry | Csv of iocs/reg_key_name | Always |
| VMRay_threat_indicator_operations | CSv of threat_indicators/operation | Always |
| VMRay_threat_indicator_category | unique CSv of threat_indicators/category | Always |
Insights
N/A
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from VMRay: {entity.identifier}". If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from VMRay: {entity.identifier}". If data is not available for all entities (is_success=false): "None of the provided entities were enriched." Async message: "Pending entities: {entity.identifier}" The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Scan URL". Reason: {0}''.format(error.Stacktrace) If an invalid value for the "Threat Indicator Score Threshold" parameter is provided: "Error executing action "Scan URL". Reason: invalid value provided in the parameter " Threat Indicator Score Threshold". Only integers in range from 0 to 5 are supported." If an invalid value for the "IOC Type Filter" parameter is provided: "Error executing action "Scan URL". Reason: invalid value provided in the parameter "IOC Type Filter". Possible values: domains, emails, files, ips, mutexes, processes, registry, urls." If an invalid value for the "IOC Verdict Filter" parameter is provided: "Error executing action "Scan URL". Reason: invalid value provided in the parameter "IOC Verdict Filter". Possible values: Malicious, Suspicious, Clean, None. |
General |
| Case Wall Table | Table Title: {entity.identifier} Table Columns:
Link: sample_webif_url |
Entity |
| Table | Table Name: {Entity} - IOCS - IPs Table Columns:
|
General |
| Table | Table Name: {Entity} - IOCS - URLs Table Columns:
|
General |
| Table | Table Name: {Entity} - IOCS - Domains Table Columns:
|
General |
| Table | Table Name: {Entity} - Threat Indicators Table Columns:
|
General |
Upload File and Get Report
Description
Submit files for analysis in VMRay.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Sample File Path | String | N/A | Yes | Specify a comma-separate list of absolute file paths for submission. |
| Tag Names | CSV | N/A | No | Specify the tags that you want to add to the submission. |
| Comment | String | N/A | No | Specify the comment that you want to add to the submission. |
Use cases
Analysts may use this action to get important information regarding the file, whether it's a known malware.
Run On
This action doesn't run on entities, nor has mandatory input parameters.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_ success | True/False | is_ success:False |
JSON Result
{
"data": {
"sample_child_sample_ids": [],
"sample_classifications": [
"Dropper",
"Pua",
"Spyware"
],
"sample_container_type": null,
"sample_created": "2020-01-30T14:12:07",
"sample_filename": "FoxitReader97_Setup_Prom_IS.exe",
"sample_filesize": 86448896,
"sample_highest_vti_score": 74,
"sample_highest_vti_severity": "suspicious",
"sample_id": 4846052,
"sample_imphash": "b34f154ec913d2d2c435cbd644e91687",
"sample_is_multipart": false,
"sample_last_md_score": null,
"sample_last_reputation_severity": "whitelisted",
"sample_last_vt_score": null,
"sample_md5hash": "403799c0fdfb3728cd8f5992a7c8b949",
"sample_parent_sample_ids": [],
"sample_priority": 1,
"sample_score": 74,
"sample_severity": "suspicious",
"sample_sha1hash": "17df3548dd9b8d0283d4acba8195955916eff5f3",
"sample_sha256hash": "2acb1432850b2d2cdb7e6418c57d635950a13f5670eae83324f7ae9130198bbc",
"sample_ssdeephash": "1572864:B9nbNI1LT6t5jOvefSRROaqMhUVkjSFuI5ym9Q5klp/yOmdAyNgc:vbNIZOOvUSRRObaCkjSFug4kYd7Nn",
"sample_type": "Windows Exe (x86-32)",
"sample_url": null,
"sample_vti_score": 74,
"sample_webif_url": "https://cloud.vmray.com/user/sample/view?id=4846052"
},
"result": "ok"
}
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully submitted the following files to VMRay: {submitted files}." If at least one file not found or not enough access (fail): "Error executing action "Upload File And Get Report". Reason: the following files were not accessible: {file paths}" Async Message: "Waiting for the results of: {pending file}" The action should fail and stop a playbook execution: If ran into a timeout (fail): "Error executing action "Upload File And Get Report". Reason: action ran into a timeout. Pending files: {pending files}. Please increase the timeout in the IDE. Note: action will submit all of the provided files again for the analysis." |
General |
| Table | Table Name: {Entity} - IOCS - Files Table Columns:
|
Entity |
| Table | Table Name: {Entity} - IOCS - IPs Table Columns:
|
Entity |
| Table | Table Name: {Entity} - IOCS - URLs Table Columns:
|
Entity |
| Table | Table Name: {Entity} - IOCS - Domains Table Columns:
|
Entity |
| Table | Table Name: {Entity} - IOCS - Registry Keys Table Columns:
|
Entity |
| Table | Table Name: {Entity} - IOCS - Mutexes Table Columns:
|
Entity |
| Table | Table Name: {Entity} - Threat Indicators Table Columns:
|
Entity |
| Link | Mapped as sample_webif_url | Entity |
Add Tag to Submission
Description
Add a tag to the VMRay submission.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Submission ID | String | N/A | Yes | The ID of the Submission. |
| Tag Name | String | N/A | Yes | The tag Name that need to be added. |
Use cases
This action is used to add tags to the submission. Tags allow analysts to classify the submission based on the received information.
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_ success | True/False | is_ success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully added tag "{0}" to submission {1}".format(tag_name, submission_id). The action should fail and stop a playbook execution: If an error is reported: "Failed to add tag "{0}" to submission {1}. Error is {2}".format(tag_name, submission_id, exception.stacktrace). |
General |