
# Hybrid Analysis

Hybrid Analysis is a free malware analysis service for the community.

## Connect Hybrid Analysis with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Hybrid Analysis.

  3. Click Details, then the + icon. Enter the required information in the following fields:

     - Label: Enter a connection name.

     - Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

     - Verify SSL: Select this option to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).

     - Remote Agent: Run this integration using the Devo SOAR Remote Agent.

     - API Key: The API key to connect to Hybrid Analysis.

  4. After you've entered all the details, click Connect.

## Actions for Hybrid Analysis

## Analyze and Wait

Analyze and wait submits a file and waits for the analysis to be completed.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :------------------------- | :------------------------------------------------------------------------------ | :------- |
| Filename Column Name | Column name from parent table to lookup filename values. | Required |
| Correlation ID Column Name | Column name from parent table with the correlation ids (Default is Empty value). | Required |
| Environment ID | The environment relevant to the files being analyzed. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Successful/Failure message.

```json
{
  "has_error": true,
  "analysis_result": null,
  "error": "[Errno 21] Is a directory: u'/opt/files/shared/integrationsFiles/'"
}
```

## Analyze

Analyze submits a file and immediately returns the job description, which can later be used to retrieve the report.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :------------------- | :------------------------------------------------------- | :------- |
| Filename Column Name | Column name from parent table to lookup filename values. | Required |
| Environment ID | The environment relevant to the files being analyzed. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Successful/Failure message.

```json
{
  "has_error": true,
  "analysis_result": null,
  "error": "[Errno 21] Is a directory: u'/opt/files/shared/integrationsFiles/'"
}
```

## Submit URL and Wait

Submits a URL and waits for the analysis to be completed.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :------------------------- | :------------------------------------------------------------------------------ | :------- |
| URL Column Name | Column name from parent table with the URLs to analyze. | Required |
| Correlation ID Column Name | Column name from parent table with the correlation ids (Default is Empty value). | Required |
| Environment ID | The environment relevant to the files being analyzed. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Successful/Failure message.

```json
{
  "has_error": true,
  "analysis_result": null,
  "error": "400 Client Error: Bad Request for url: https://www.hybrid-analysis.com/api/v2/submit/url-for-analysis"
}
```

## Submit URL

Submits a URL and returns the corresponding job description.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-------------- | :------------------------------------------------------ | :------- |
| URL Column Name | Column name from parent table with the URLs to analyze. | Required |
| Environment ID | The environment relevant to the files being analyzed. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Successful/Failure message.

```json
{
  "has_error": true,
  "analysis_result": null,
  "error": "400 Client Error: Bad Request for url: https://www.hybrid-analysis.com/api/v2/submit/url-for-analysis"
}
```

## Get Report

Takes a job ID and fetches its report. Works with either File or URL jobs.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :----------------- | :------------------------------------------------------------------------ | :------- |
| Job ID Column Name | Takes a job id and fetches its report. Works with either File or URL jobs. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Successful/Failure message.

```json
{
  "has_error": true,
  "analysis_result": null,
  "error": "404 Client Error: Not Found for url: https://www.hybrid-analysis.com/api/v2/report//state"
}
```

## URL Quick Scan

Quickly checks whether there are any historical reports for a URL. Returns report IDs (if there are any) and a sha256 hash for the lookup.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-------------- | :--------------------------------------------------------- | :------- |
| URL Column Name | Column name from parent table to lookup URL values. | Required |
| Scan Type | The Hybrid Analysis scan type (e.g. "lookup_ha" or "all"). | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Successful/Failure message.

```json
{
  "validation_errors": [
    {
      "field": "url",
      "errors": [
        "This value should not be blank."
      ]
    }
  ],
  "message": "Input data validation has failed. Please check 'validation_errors' field to get more data."
}
```

## Get Report with sha256 hashes

Returns a list of reports, given a list of hashes as an input.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :----------------------- | :--------------------------------------------------- | :------- |
| Hash(SHA256) Column Name | Column name from parent table to lookup hash values. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Successful/Failure message.

```json
{}
```
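The output samples on this page come in three shapes: the `has_error`/`error` envelope, a `validation_errors`/`message` object with no `has_error` key (URL Quick Scan), and an empty object. The following is an added example, not code from Devo or Hybrid Analysis, of a downstream step that handles all three and fails closed on rows it does not recognise. `classify_row` and `triage` are hypothetical names, and the success row is constructed.

```python
import re

# Rows below are copied from the error samples on this page, plus one
# constructed success row (its analysis_result content is made up).
SAMPLE_ROWS = [
    {"has_error": True, "analysis_result": None,
     "error": "404 Client Error: Not Found for url: "
              "https://www.hybrid-analysis.com/api/v2/report//state"},
    {"validation_errors": [{"field": "url",
                            "errors": ["This value should not be blank."]}],
     "message": "Input data validation has failed. Please check "
                "'validation_errors' field to get more data."},
    {},
    {"has_error": False, "analysis_result": {"constructed": True}, "error": None},
]


def classify_row(row):
    """Return (status, detail); status is 'ok', 'error' or 'unknown'."""
    if not isinstance(row, dict):
        return "unknown", "row is not a JSON object"
    # Shape seen in the URL Quick Scan sample: no has_error key at all.
    if "validation_errors" in row:
        parts = [f"{v.get('field')}: {' '.join(v.get('errors', []))}"
                 for v in row["validation_errors"]]
        return "error", "validation failed (" + "; ".join(parts) + ")"
    if "has_error" not in row:
        # Fail closed: an empty or unfamiliar row is never a clean result.
        return "unknown", "no has_error key"
    if row["has_error"]:
        err = str(row.get("error"))
        url = re.search(r"https?://(\S+)", err)
        # Empty path segment, as in the 404 sample (report//state). Reading
        # this as a blank input value is an assumption, not documented.
        if url and "//" in url.group(1):
            return "error", "empty path segment in request: " + err
        return "error", err
    return "ok", ""


def triage(rows):
    """Group row indexes by status so a playbook can branch on them."""
    out = {"ok": [], "error": [], "unknown": []}
    for i, row in enumerate(rows):
        out[classify_row(row)[0]].append(i)
    return out
```

Only rows classified `ok` should feed a verdict; `unknown` rows are held for review instead of being counted as clean.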

## Release Notes

- v2.0.1 - Fixed a bug in the Get Report with sha256 hashes action that resulted in more than the expected number of rows when an error was encountered.

- v2.0.0 - Updated architecture to support IO via filesystem.

- v1.3.9 - Added documentation link in the automation library.