OPSWAT MetaDefender
This document provides guidance on how to integrate OPSWAT MetaDefender with Google Security Operations SOAR.
Integration version: 8.0
Before you begin
Before configuring the OPSWAT MetaDefender integration in Google SecOps, obtain an API key from OPSWAT and configure the required network parameters.
Obtain the API key
To obtain the API key, complete the following steps:
- Sign in to your OPSWAT account.
- On your dashboard page, copy the API key value under My API Key to use it for configuring the OPSWAT MetaDefender integration inputs.
Configure network parameters
To configure the network parameters required for the OPSWAT MetaDefender integration, refer to the following table:
Function | Default port | Direction | Protocol |
---|---|---|---|
API | Multivalues | Outbound | apikey |
Integrate OPSWAT MetaDefender with Google SecOps
The integration requires the following parameters:
Parameters | Description |
---|---|
ApiRoot | Required. The API root of the OPSWAT MetaDefender instance. |
ApiKey | Required. The API key of the OPSWAT MetaDefender instance. |
Verify SSL | Optional. If selected, the integration verifies that the SSL certificate for connecting to the OPSWAT MetaDefender server is valid. Not selected by default. |
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure instances, you can use them in playbooks. For more information on configuring and supporting multiple instances, see Supporting multiple instances.
Actions
The OPSWAT MetaDefender integration contains the following actions:
- Ping
- Scan Hash
Ping
Use the Ping action to test connectivity to OPSWAT MetaDefender.
This action runs on all entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Not available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Scan Hash
Use the Scan Hash action to scan a hash file in OPSWAT MetaDefender.
This action runs on the Filehash entity.
Action inputs
None.
Action inputs
The Ping action requires the following parameters:
Parameters | Description |
---|---|
|
Required |
|
Optional |
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Entity enrichment | Available |
Insight | Available |
JSON result | Not available |
Output messages | Not available |
Script result | Available |
Entity enrichment
Entities are marked as Suspicious (True) if the results of their scan show the Infected status. Otherwise, False.
Insight
Severity | |
---|---|
Warn | A warning insight to inform the enriched hash about its malicious status. |
Script result
The following table describes the values for the script result output when using the Scan Hash action:
Script result name | Value |
---|---|
is_success | True or False |