Backing up data on Malware Analysis Appliance using RAPI
Article ID: 168196
Malware Analysis Software - MA
You can use the API to gather these. The RAPI system returns data in JSON format, with some exceptions. Note: The API is usually authenticated via token, but if you SSH into the appliance and use 'localhost' for the queries, you don't need to supply an API token.
1) To get a list of configured users $ curl http://localhost/rapi/system/users
2) List of samples (whether analyzed or not) $ curl http://localhost/rapi/samples
Detail on a specific sample $ curl http://localhost/rapi/samples/<sample_id>
3) Retreive/save a sample's resource (file)
The above API calls in #2 return a list of samples. Each sample resource includes this metadata among others:
You can pull files off of the appliance using SCP. If you get the entire list of samples (curl http://localhost/rapi/samples) and the entire /opt/mat2/store/sample_resources folder, you've got them all.
4) Retrieve previous analysis –
a. List of tasks that were run $ curl http://localhost/rapi/tasks
b. Info about specific tasks, including the resulting risk score (task_global_risk_score) and the sample_id that was analyzed so you can link it up with the samples above $ curl http://localhost/rapi/tasks/<task_id>
c. All the found events for a task (HTML formatted) $ curl http://localhost/rapi/widgets/task_report/<task_id>
d. All the found events for a task (JSON) $ curl http://localhost/rapi/tasks/<task_id>/events