ReversingLabs Intelligence (Preview)

  • Reference

ReversingLabs continually processes goodware and malware files providing early intelligence about attacks before they infiltrate customer infrastructures. This visibility to threats “in-the-wild” enables preparation for new attacks and quickly identifies the threat levels of new files as they arrive. ReversingLabs enables more effective and efficient threat identification, development of better threat intelligence, and implementation of proactive threat hunting programs.

This connector is available in the following products and regions:

Service Class Regions
Logic Apps Standard All Logic Apps regions except the following:
     -   Azure Government regions
     -   Azure China regions
     -   US Department of Defense (DoD)
Power Automate Premium All Power Automate regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Power Apps Premium All Power Apps regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Contact
Name ReversingLabs support
URL https://support.reversinglabs.com/
Email support@reversinglabs.com
Connector Metadata
Publisher ReversingLabs US Inc.
Website https://www.reversinglabs.com/
Privacy policy https://www.reversinglabs.com/privacy-policy
Categories Security

Prerequisites

To use this integration, you need to have a ReversingLabs account. Please contact sales@reversinglabs.com to get started.

Known issues and limitations

Please note that some of our APIs will return a 404 to indicate that a resource was not found. This is not an error state but simply informational. To avoid the Logic App showing errors in the run state, we were advised to place calls to APIs in a Scope primitive.

Creating a connection

The connector supports the following authentication types:
Default Parameters for creating connection. All regions Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
username securestring The username for this api True
password securestring The password for this api True

Throttling Limits

Name Calls Renewal Period
API calls per connection10060 seconds

Actions

Analyze URL

This service enables the submission of a URL for analysis. ReversingLabs will crawl the URL, identifying files to download and submitting them to our file processing pipeline for classification and enrichment. A detailed report can then be retrieved using our URL Threat Intelligence API.
File dynamic analysis

This service allows users to detonate a previously uploaded file in the ReversingLabs TitaniumCloud sandbox.
Find Files Using Multi-Part Search Criteria

This service provides a means to acquire a list of hashes that match the provided multi-part search criteria.
Get File Hash Analysis Detail

This service provides analysis results for the requested file.
Get File Hash Analysis Detail - Bulk Request

This service provides a means to send multiple file hashes in a single request and provides analysis results for these file hashes.
Get File Hash Reputation

This service provides information about the malware status of requested files.
Get File Hash Reputation - Bulk Request

This service provides a means to send multiple hashes of files in a single request and provides information about the malware status for those files..
Get Files Signed with Specific Certificate Thumbprint(s)

This service provides a list of files signed with a particular certificate, specified by its thumbprint.
Get Functionally Similar File Hashes Using ReversingLabs Hash Algorithm

This service provides a list of SHA1 hashes of files that are functionally similar to the provided file (SHA1 hash) at the selected precision level.
Get Historic Multi-AV Scan Records

This service provides historic Multi-AV scan records for a given file hash.
Get Historic Multi-AV Scan Records - Bulk Request

This service provides a means to send multiple hashes of files in a single request and provides Multi-AV scan records data for those files.
Get merged dynamic analysis report for a file

This service allows user to download a merged report with an overview of all dynamic analyses performed on the file.
Get Similar File Hashes Using Import Hashing Algorithm

This service provides a list of SHA1 hashes functionally similar to the file associated with the provided import hash (ImpHash).
Get specific dynamic analysis report for a file

This service allows user to download a specific report of a dynamic analysis performed on the file.
Get URI Statistics on Email addresses, IP(s), Domain(s) and URL(s)

This service provides statistical information on the number of known, malicious, and suspicious file(s) associated with the URI.
Get URL Threat Intelligence Report

This service returns threat intelligence data, including reputation from various reputation sources, metadata for performed URL analyses, and the maliciousness of files found on the submitted URL.
Re-Analyze File

This service provides a means to send file(s) for rescanning.
Re-Analyze File - Bulk Request

This service provides a means to initiate multiple files to be rescanned using a single request.
Sample file upload

This services provides a means to upload a file for analysis.
Sample metadata file upload

This service provides a means to send metadata for previously successfully uploaded file.

Analyze URL

Operation ID:
Post-url-analyze

This service enables the submission of a URL for analysis. ReversingLabs will crawl the URL, identifying files to download and submitting them to our file processing pipeline for classification and enrichment. A detailed report can then be retrieved using our URL Threat Intelligence API.

Parameters

Name Key Required Type Description
Post format
 post_format True string

Required parameter that defines the POST payload format. Supported options are xml and json
Content type
 Content-Type: string

Content type
url
 url True string

full URL of a website including the protocol
response_format
 response_format string

xml, json

File dynamic analysis

Operation ID:
Post-file-dynamic-analysis

This service allows users to detonate a previously uploaded file in the ReversingLabs TitaniumCloud sandbox.

Parameters

Name Key Required Type Description
Post format
 post_format True string

Required parameter that defines the POST payload format. Supported options are xml and json
sha1
 sha1 string

sha1
platform
 platform string

windows10/windows7

Returns

Name Path Type Description
status
 rl.status string

status
requested_hash
 rl.requested_hash string

requested_hash
analysis_id
 rl.analysis_id string

analysis_id

Find Files Using Multi-Part Search Criteria

Operation ID:
Post-advanced-search-query

This service provides a means to acquire a list of hashes that match the provided multi-part search criteria.

Parameters

Name Key Required Type Description
Content type
 Content-Type: string

Content type
query
 query True string

Every expression must be built according the the following format:<field_name>:<field_value>. Please consult RL documentation for a list of field names and the operators that can be applied.
page
 page integer
records_per_page
 records_per_page integer

The number of records returned in the response.
format
 format string

Option to return in specific format

Get File Hash Analysis Detail

Operation ID:
Get-api-databrowser-rldata-query-hash_type-hash_value

This service provides analysis results for the requested file.

Parameters

Name Key Required Type Description
Hash type
 hash_type True string

required parameter; accepts these options: md5, sha1, sha256
Hash value
 hash_value True string

required parameter; must be a valid hash of the type defined by ash_type
Format
 format string

Optional parameter that allows choosing the response format. Supported values are xml and json. If the parameter is not provided in the request, the response will be returned in xml (default).

Get File Hash Analysis Detail - Bulk Request

Operation ID:
Post-api-databrowser-rldata-bulk_query-post_format

This service provides a means to send multiple file hashes in a single request and provides analysis results for these file hashes.

Parameters

Name Key Required Type Description
Post format
 post_format True string

Required parameter that defines the POST payload format. Supported options are xml and json
Content type
 Content-Type: string

Content type
hash_type
 hash_type True string

md5, sha1, sha256
hashes
 hashes string

Get File Hash Reputation

Operation ID:
Get-api-databrowser-malware_presence-query-hash_type-hash_value

This service provides information about the malware status of requested files.

Parameters

Name Key Required Type Description
Hash Type
 hash_type True string

required parameter; accepts these options: md5, sha1, sha256
Hash Value
 hash_value True string

required parameter; must be a valid hash of the type defined by hash_type
Show Hashes
 show_hashes boolean

Both single and bulk malware presence queries support an additional request parameter show_hashes which can be either true or false. The parameter show_hashes can also be used with the Extended Malware Presence query. If not specified, the default value is false. When set to true, the show_hashes parameter will direct databrowser to provide md5, sha1 and sha256 hashes for the requested file(s), in addition to the rest of the Malware Presence information.
Extended
 extended True boolean

Both single and bulk malware presence queries support an additional query flag extended which can be either true or false. If not specified, the default value is false. When set to true, the extended flag will direct databrowser to provide a richer response schema with additional information about the requested file(s).
Format
 format string

Optional parameter that allows choosing the response format. Supported values are xml and json. If the parameter is not provided in the request, the response will be returned in xml (default).

Get File Hash Reputation - Bulk Request

Operation ID:
Post-api-databrowser-malware_presence-bulk_query-post_format

This service provides a means to send multiple hashes of files in a single request and provides information about the malware status for those files..

Parameters

Name Key Required Type Description
Post format
 post_format True string

Required parameter that defines the POST payload format. Supported options are xml and json
Content type
 Content-Type: string

Content type
hash_type
 hash_type True string

md5, sha1, sha256
hashes
 hashes string

Get Files Signed with Specific Certificate Thumbprint(s)

Operation ID:
Get-api-certificate-index-v1-query-thumbprint

This service provides a list of files signed with a particular certificate, specified by its thumbprint.

Parameters

Name Key Required Type Description
Thumbprint
 thumbprint True string

the thumbprint (sha1, sha256, md5) of the requested certificate. Most of our certificates use SHA256 for storing the thumbprint
Classification
 classification string

if this parameter is provided in the request, the query will return a list of only those files that match the requested threat status. Possible values are: KNOWN, MALICIOUS, SUSPICIOUS, UNKNOWN
Format
 format string

Optional parameter that allows choosing the response format. Supported values are xml and json. If the parameter is not provided in the request, the response will be returned in xml (default).
Limit
 limit integer

Maximum number of files to return in the certificate file list. It is possible to choose a number between 1 and 100 (100 is the default value)
Extended
 extended True boolean

Both single and bulk malware presence queries support an additional query flag extended which can be either true or false. If not specified, the default value is false. When set to true, the extended flag will direct databrowser to provide a richer response schema with additional information about the requested file(s).

Get Functionally Similar File Hashes Using ReversingLabs Hash Algorithm

Operation ID:
Get-Group-By-RHA1-Single-Query

This service provides a list of SHA1 hashes of files that are functionally similar to the provided file (SHA1 hash) at the selected precision level.

Parameters

Name Key Required Type Description
RHA1 type
 rha1_type True string

rha1_type is a measure of the RHA1 precision level. It represents the degree to which a file is functionally similar to another file. A higher Precision Level will match fewer files but the files will have more functional similarity: - pe01, elf01, machO01 - 25% precision level - pe02 - 50% precision level
Hash value
 hash_value True string

required parameter; must be a valid SHA1 value
Next page sha1
 next_page_sha1 string

next_page_sha1 is an optional parameter used for pagination. It is the SHA1 hash of the first file on the next page.
Format
 format string

Optional parameter that allows choosing the response format. Supported values are xml and json. If the parameter is not provided in the request, the response will be returned in xml (default).
Limit
 limit integer

the maximum number of file SHA1 hashes to return. This value has to be an integer in the range from 1 and 1000 (1000 is the default value)
Extended
 extended string

extended is an optional parameter. Possible values are true - extended, and false - non-extended data set (default)
Classification
 classification string

if this parameter is provided in the request, the query will return a filtered list of files that match the requested classification. Possible values are: - KNOWN - SUSPICIOUS - MALICIOUS - UNKNOWN

Get Historic Multi-AV Scan Records

Operation ID:
Get-historic-multi-av-scan-records-query-hash_type-hash_value

This service provides historic Multi-AV scan records for a given file hash.

Parameters

Name Key Required Type Description
Hash type
 hash_type True string

required parameter; accepts these options: md5, sha1, sha256
Hash value
 hash_value True string

required parameter; must be a valid hash of the type defined by hash_type
History
 history True boolean

Both single and bulk malware presence queries support an additional query flag extended which can be either true or false. If not specified, the default value is false. When set to true, the extended flag will direct databrowser to provide a richer response schema with additional information about the requested file(s).
Format
 format string

Optional parameter that allows choosing the response format. Supported values are xml and json. If the parameter is not provided in the request, the response will be returned in xml (default).

Get Historic Multi-AV Scan Records - Bulk Request

Operation ID:
Get-historic-multi-av-scan-records-query-hash_type-hash_value-bulk

This service provides a means to send multiple hashes of files in a single request and provides Multi-AV scan records data for those files.

Parameters

Name Key Required Type Description
Post format
 post_format True string

Required parameter that defines the POST payload format. Supported options are xml and json
Content type
 Content-Type: string

Content type
hash_type
 hash_type True string

md5, sha1, sha256
hashes
 hashes string

Get merged dynamic analysis report for a file

Operation ID:
Get-file-merged-dynamic-analysis-report-hash_type-hash_value

This service allows user to download a merged report with an overview of all dynamic analyses performed on the file.

Parameters

Name Key Required Type Description
Hash Type
 hash_type True string

required parameter; accepts these options: sha1
Hash Value
 hash_value True string

required parameter; must be a valid hash of the type defined by hash_type

Get Similar File Hashes Using Import Hashing Algorithm

Operation ID:
Get-api-historic-multi-av-scan-records-query-hash_type-hash_value

This service provides a list of SHA1 hashes functionally similar to the file associated with the provided import hash (ImpHash).

Parameters

Name Key Required Type Description
Hash value
 hash_value True string

required parameter; must be a valid ImpHash hash
Format
 format string

Optional parameter that allows choosing the response format. Supported values are xml and json. If the parameter is not provided in the request, the response will be returned in xml (default).

Get specific dynamic analysis report for a file

Operation ID:
Get-file-dynamic-analysis-report-hash_type-hash_value-analysis_id

This service allows user to download a specific report of a dynamic analysis performed on the file.

Parameters

Name Key Required Type Description
Hash Type
 hash_type True string

required parameter; accepts these options: md5,sha1
Hash Value
 hash_value True string

required parameter; must be a valid hash of the type defined by hash_type
analysis_id value should be an exact analysis id or keyword "latest"
 analysis_id True string

required parameter; analysis_id value should be an exact analysis id or keyword "latest"

Get URI Statistics on Email addresses, IP(s), Domain(s) and URL(s)

Operation ID:
Get-fetch-uri-state

This service provides statistical information on the number of known, malicious, and suspicious file(s) associated with the URI.

Parameters

Name Key Required Type Description
Hash value
 hash_value True string

required parameter; The SHA1 hash value of the URI string
Format
 format string

Optional parameter that allows choosing the response format. Supported values are xml and json. If the parameter is not provided in the request, the response will be returned in json (default).

Get URL Threat Intelligence Report

Operation ID:
Post-url-threat-intelligence

This service returns threat intelligence data, including reputation from various reputation sources, metadata for performed URL analyses, and the maliciousness of files found on the submitted URL.

Parameters

Name Key Required Type Description
Post format
 post_format True string

Required parameter that defines the POST payload format. Supported options are xml and json
Content type
 Content-Type: string

Content type
url
 url True string

full URL of a website including the protocol
response_format
 response_format string

xml, json

Re-Analyze File

Operation ID:
Get-api-reanalyze-query-hash_type-hash_value

This service provides a means to send file(s) for rescanning.

Parameters

Name Key Required Type Description
Hash type
 hash_type True string

required parameter; accepts these options: md5, sha1, sha256
Hash value
 hash_value True string

required parameter; must be a valid hash of the type defined by hash_type

Re-Analyze File - Bulk Request

Operation ID:
Post-api-rescan-v1-bulk_query-post_format

This service provides a means to initiate multiple files to be rescanned using a single request.

Parameters

Name Key Required Type Description
Format
 format True string

format accepts the options xml or json and defines the return format
Post format
 post_format True string

Required parameter that defines the POST payload format. Supported options are xml and json
Content type
 Content-Type: string

Content type
hash_type
 hash_type True string

md5, sha1, sha256
hashes
 hashes string

Sample file upload

Operation ID:
Post-api-sample-file-upload

This services provides a means to upload a file for analysis.

Parameters

Name Key Required Type Description
SHA1 value
 sha1_value True string

Required parameter.
Content type
 Content-Type: string

Content type

Sample metadata file upload

Operation ID:
Post-api-sample-metadata-upload

This service provides a means to send metadata for previously successfully uploaded file.

Parameters

Name Key Required Type Description
SHA1 value
 sha1_value True string

Required parameter.
Content type
 Content-Type: string

Content type