# Hybrid Analysis
Hybrid Analysis is a free malware analysis service for the community.
## Connect Hybrid Analysis with Devo SOAR
- Navigate to Automations > Integrations.
- Search for Hybrid Analysis.
- Click Details, then the + icon. Enter the required information in the following fields.
  - Label: Enter a connection name.
  - Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  - Verify SSL: Select this option to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).
  - Remote Agent: Run this integration using the Devo SOAR Remote Agent.
  - API Key: The API key used to connect to Hybrid Analysis.
- After you've entered all the details, click Connect.
## Actions for Hybrid Analysis
## Analyze and Wait
Analyze and Wait submits a file and waits for the analysis to be completed.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :------------------------- | :----------------------------------------------------------------------------------- | :------- |
| Filename Column Name | Column name from parent table to lookup filename values. | Required |
| Correlation ID Column Name | Column name from parent table with the correlation IDs (Default is Empty value). | Required |
| Environment ID | The environment relevant to the files being analyzed. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Successful/Failure message.
```json
{
  "has_error": true,
  "analysis_result": null,
  "error": "[Errno 21] Is a directory: u'/opt/files/shared/integrationsFiles/'"
}
```
## Analyze
Analyze submits a file and immediately returns the job description, which can later be used to retrieve the report.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :------------------- | :------------------------------------------------------- | :------- |
| Filename Column Name | Column name from parent table to lookup filename values. | Required |
| Environment ID | The environment relevant to the files being analyzed. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Successful/Failure message.
```json
{
  "has_error": true,
  "analysis_result": null,
  "error": "[Errno 21] Is a directory: u'/opt/files/shared/integrationsFiles/'"
}
```
## Submit URL and Wait
Submits a URL and waits for the analysis to be completed.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :------------------------- | :----------------------------------------------------------------------------------- | :------- |
| URL Column Name | Column name from parent table with the URLs to analyze. | Required |
| Correlation ID Column Name | Column name from parent table with the correlation IDs (Default is Empty value). | Required |
| Environment ID | The environment relevant to the files being analyzed. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Successful/Failure message.
```json
{
  "has_error": true,
  "analysis_result": null,
  "error": "400 Client Error: Bad Request for url: https://www.hybrid-analysis.com/api/v2/submit/url-for-analysis"
}
```
## Submit URL
Submits a URL and returns the corresponding job description.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------------- | :------------------------------------------------------ | :------- |
| URL Column Name | Column name from parent table with the URLs to analyze. | Required |
| Environment ID | The environment relevant to the files being analyzed. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Successful/Failure message.
```json
{
  "has_error": true,
  "analysis_result": null,
  "error": "400 Client Error: Bad Request for url: https://www.hybrid-analysis.com/api/v2/submit/url-for-analysis"
}
```
## Get Report
Takes a job ID and fetches its report. Works with either File or URL jobs.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :----------------- | :------------------------------------------------------------------------- | :------- |
| Job ID Column Name | Column name from parent table with the job IDs (File or URL jobs) whose reports to fetch. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Successful/Failure message.
```json
{
  "has_error": true,
  "analysis_result": null,
  "error": "404 Client Error: Not Found for url: https://www.hybrid-analysis.com/api/v2/report//state"
}
```
## URL Quick Scan
Quickly checks whether any historical reports exist for a URL; returns the report IDs (if there are any) and a sha256 hash for the lookup.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------------- | :--------------------------------------------------------- | :------- |
| URL Column Name | Column name from parent table to lookup URL values. | Required |
| Scan Type | The Hybrid Analysis scan type (e.g. "lookup_ha" or "all"). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Successful/Failure message.
```json
{
  "validation_errors": [
    {
      "field": "url",
      "errors": [
        "This value should not be blank."
      ]
    }
  ],
  "message": "Input data validation has failed. Please check 'validation_errors' field to get more data."
}
```
## Get Report with sha256 hashes
Returns a list of reports, given a list of hashes as an input.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :------------------------ | :--------------------------------------------------- | :------- |
| Hash (SHA256) Column Name | Column name from parent table to lookup hash values. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Successful/Failure message.
```json
{}
```
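As an added example (not part of this page or of the Devo SOAR integration itself), a small Python post-processing step that reads the output rows the actions above return and classifies each as a playbook input error, a transient HTTP failure worth retrying, or a fatal failure. The sample rows are constructed from the error shapes shown on this page (including the raw `validation_errors` payload under URL Quick Scan), and the `//` check assumes the double slash in the Get Report 404 comes from an empty Job ID value.

```python
import json
import re

# Constructed sample rows in the two shapes this page documents: the
# has_error/error/analysis_result wrapper the actions return, and the raw
# validation_errors payload shown under URL Quick Scan. Not real service output.
SAMPLE_ROWS = [
    '{"has_error": false, "analysis_result": {"constructed": true}, "error": null}',
    '{"has_error": true, "analysis_result": null, "error": "404 Client Error: '
    'Not Found for url: https://www.hybrid-analysis.com/api/v2/report//state"}',
    '{"validation_errors": [{"field": "url", "errors": ["This value should not '
    'be blank."]}], "message": "Input data validation has failed."}',
    '{"has_error": true, "analysis_result": null, "error": "[Errno 21] Is a '
    "directory: u'/opt/files/shared/integrationsFiles/'\"}",
]

HTTP_STATUS = re.compile(r"\b(\d{3}) (?:Client|Server) Error\b")

def triage_row(raw):
    """Classify one output row as ok, input_error, retryable or fatal."""
    # input_error: the playbook fed the action a bad value (fix the column
    # mapping, do not retry); retryable: a transient HTTP failure.
    row = json.loads(raw)
    if "validation_errors" in row:  # raw Hybrid Analysis payload, no wrapper
        fields = ", ".join(v["field"] for v in row["validation_errors"])
        return {"status": "input_error", "reason": f"blank field(s): {fields}"}
    if not row.get("has_error"):
        return {"status": "ok", "reason": None}
    err = row.get("error") or ""
    if "/report//state" in err:  # assumed: empty Job ID left '//' in the path
        return {"status": "input_error", "reason": "empty Job ID column value"}
    if "Is a directory" in err:  # Filename column resolved to a directory
        return {"status": "input_error", "reason": "filename is a directory"}
    m = HTTP_STATUS.search(err)
    if m and (m.group(1) == "429" or m.group(1).startswith("5")):
        return {"status": "retryable", "reason": err}
    return {"status": "fatal", "reason": err}

def triage_rows(raws):
    """Triage every row and return a count per status for the playbook."""
    summary = {}
    for raw in raws:
        status = triage_row(raw)["status"]
        summary[status] = summary.get(status, 0) + 1
    return summary

if __name__ == "__main__":
    for raw in SAMPLE_ROWS:
        print(triage_row(raw))
    print(triage_rows(SAMPLE_ROWS))
```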
## Release Notes
### v2.0.1
- Bug fix in action Get Report with sha256 hashes: it resulted in more than the expected number of rows when an error was encountered.
### v2.0.0
- Updated architecture to support IO via filesystem.
### v1.3.9
- Added documentation link in the automation library.