RESTful APIs that Don't Rest

At FireEye, we know that our customers need access to our products’ functionality programmatically. Although several of our products have published APIs, we’re working to define APIs more holistically across the FireEye Global Threat Management Platform, and look forward to sharing more about our progress in 2016.

To that end, we are pleased to announce that with its latest release, the FireEye Malware Analysis Series (AX Series) has introduced an additional vehicle to access the malware testing environment that enables the safe execution and inspection of advanced malware embedded in web pages, email attachments, and files. This is delivered through a new RESTful API framework, allowing your organization to integrate it simply and directly into an existing infrastructure or workflow.

How does it work? Organizations and FireEye partners will now be able to integrate with solutions such as content-sharing platforms, pivoting from detection to investigation, and validating potentially malicious objects. With the new API, sample functions that can be automated include submitting files/URLs to the Malware Analysis engine, querying for alert information, and retrieving reports from the system.

What does this mean for security teams? Several of our customers are already leveraging this API to conduct deeper investigations and accelerate their workflow. One example is a large government agency that has designed a workflow and architecture built on a cluster of FireEye Malware Analysis appliances. They wrote simple scripts to automate the submission of suspicious objects. They receive real-time responses from their AX Series submissions, enabling quick, low-overhead responses.

To learn about more use cases and customer stories, please contact info@fireeye.com. ISVs who would like to evaluate potential partnership opportunities should reach out to CSC@FireEye.com. We have also included a set of sample API calls below to help you get started.

Malware Analysis (AX Series) Sample WSAPI Commands

Login api: To create a token used for submissions and for getting config, status, results, alerts, etc. The -D option dumps the response headers (which carry the token) to /tmp/wsh.txt.
curl -gsSk -D /tmp/wsh.txt -u rdsingh:rdsingh@123 -F form=foo https://172.16.225.70/wsapis/v1.1.0/auth/login

Logout api: To deactivate the token
curl -qgsSk --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' -F form=foo https://172.16.225.70/wsapis/v1.1.0/auth/logout

Config api: To get the OS profile and application id information
curl -qgsSk --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' --header Accept:application/xml https://172.16.225.70/wsapis/v1.1.0/config

Status api: To get the status of a submission (In-progress or Done)
curl -qgsSk --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' --header Accept:application/xml https://172.16.225.70/wsapis/v1.1.0/submissions/status/132394

Results api: To get the OS changes of a malicious or non-malicious submission
-concise output
curl -qgsSk --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' --header Accept:application/xml 'https://172.16.225.70/wsapis/v1.1.0/submissions/results/132394'

-normal output
curl -qgsSk --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' --header Accept:application/xml 'https://172.16.225.70/wsapis/v1.1.0/submissions/results/132394?info_level=normal'

-extended output
curl -qgsSk --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' --header Accept:application/xml 'https://172.16.225.70/wsapis/v1.1.0/submissions/results/132394?info_level=extended'

Alerts api: To get the alerts information of a malicious submission
-concise output
curl -qgsSk --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' --header Accept:application/xml 'https://172.16.225.70/wsapis/v1.1.0/alerts?alert_id=132394'

-normal output
curl -qgsSk --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' --header Accept:application/xml 'https://172.16.225.70/wsapis/v1.1.0/alerts?alert_id=132394&info_level=normal'

-extended output
curl -qgsSk --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' --header Accept:application/xml 'https://172.16.225.70/wsapis/v1.1.0/alerts?alert_id=132394&info_level=extended'

Submission api: To submit a sample (file or URL) for analysis. In the options, "analysistype":"0" selects Sandbox Mode and "analysistype":"1" selects Live Mode.

A. Sandbox Mode

-File Submission
curl -s -k -H 'Content-Type: multipart/form-data' --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' -F filename=@/data1/ReplayLoop/carefulmalicious/mal_sust/ZNJAN84744663.xls -F 'options={"application":"0","timeout":"120","priority":"0","profiles":["winxp-sp3"],"analysistype":"0","force":"false","prefetch":"1"}' https://172.16.225.70/wsapis/v1.1.0/submissions

-URL Submission
curl -k -H 'Content-Type: application/json' --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' -d '{"timeout":180,"priority":0,"profiles":["winxp-sp3"],"application":"0","force":"true","analysistype":"0","prefetch":1,"urls":["http://172.16.225.80/malsust/File_share/malware/0Dayrecord.doc"]}' https://172.16.225.70/wsapis/v1.1.0/submissions/url

-Multiple Profiles
curl -s -k -H 'Content-Type: multipart/form-data' --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' -F filename=@/data1/ReplayLoop/carefulmalicious/mal_sust/ZNJAN84744663.xls -F 'options={"application":"0","timeout":"120","priority":"0","profiles":["winxp-sp3","win7-sp1"],"analysistype":"0","force":"false","prefetch":"1"}' https://172.16.225.70/wsapis/v1.1.0/submissions

B. Live Mode

-File Submission
curl -s -k -H 'Content-Type: multipart/form-data' --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' -F filename=@/data1/ReplayLoop/carefulmalicious/mal_sust/ZNJAN84744663.xls -F 'options={"application":"0","timeout":"120","priority":"0","profiles":["winxp-sp3"],"analysistype":"1","force":"false","prefetch":"1"}' https://172.16.225.70/wsapis/v1.1.0/submissions

-URL Submission
curl -k -H 'Content-Type: application/json' --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' -d '{"timeout":180,"priority":0,"profiles":["winxp-sp3"],"application":"0","force":"true","analysistype":"1","prefetch":1,"urls":["http://172.16.225.80/malsust/File_share/malware/0Dayrecord.doc"]}' https://172.16.225.70/wsapis/v1.1.0/submissions/url

-Multiple Profiles
curl -s -k -H 'Content-Type: multipart/form-data' --header 'X-FeApi-Token: IIAc5WPCjQP5dcMO0Pnf0etmihY8ws0pjrMHCEJ8rN0FABQ=' -F filename=@/data1/ReplayLoop/carefulmalicious/mal_sust/ZNJAN84744663.xls -F 'options={"application":"0","timeout":"120","priority":"0","profiles":["winxp-sp3","win7-sp1"],"analysistype":"1","force":"false","prefetch":"1"}' https://172.16.225.70/wsapis/v1.1.0/submissions