Hybrid Analysis provides a malware analysis service that allows users to automate the analysis of files and URLs for potential threats. This connector facilitates automated operations such as retrieving analysis reports, environment details, submitting files, submitting URLs, etc.
This document provides information about the Hybrid Analysis Connector, which facilitates automated interactions with a Hybrid Analysis server using FortiSOAR™ playbooks. Add the Hybrid Analysis Connector as a step in FortiSOAR™ playbooks and perform automated operations with Hybrid Analysis.
Connector Version: 2.0.1
FortiSOAR™ Version Tested on: 7.5.0-4015
Hybrid Analysis Version Tested on: v2
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Hybrid Analysis Connector in version 2.0.1:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-hybrid-analysis
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Hybrid Analysis connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Hybrid Analysis server to which you will connect and perform the automated operations. |
API Key | API key that is configured for your account to access the Hybrid Analysis endpoint. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. Keep it enabled: with verification disabled, an on-path attacker can read the API key that is sent with every request. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Analysis Report for Multiple HashCodes | Retrieves the analysis report summary from the Hybrid Analysis server for multiple MD5/SHA1/SHA256 hash codes you have specified. | get_analysis_report_for_multiple_hashcodes Investigation |
Get Environment | Retrieves all the sandbox information from the Hybrid Analysis server. | get_environment Investigation |
Submit File | Submits a file from the FortiSOAR™ Attachments/Indicators module to the Hybrid Analysis server for analysis. | detonate_file Investigation |
Submit URL | Submits a URL to the Hybrid Analysis server for analysis. | submit_url Investigation |
Quick Scan URL | Submits a URL to the Hybrid Analysis server for a Quick Scan. You can query the Hybrid Analysis server again, in a few minutes, to check the results of the scan. | url_quick_scan Investigation |
Get Analysis Report | Retrieves all the analysis details from the Hybrid Analysis server for a submitted file, based on the input parameters you specify. | get_analysis_report Investigation |
Advanced Search | Retrieves all the reports from the Hybrid Analysis server that match the input parameters you specify. | search_query Investigation |
Get Files Dropped by Sample | Retrieves all the details of the dropped file from the Hybrid Analysis server and adds the file to the FortiSOAR™ Attachments module. You specify the sample for which you want to retrieve dropped files, based on the input parameters you have specified. | get_file Investigation |
Get Sample Screenshot | Retrieves screenshots of specified submitted samples that are captured during analysis from the Hybrid Analysis server. You specify the sample for which you want to retrieve screenshots based on the input parameters you have specified. You can optionally also add the screenshots to the FortiSOAR™ Attachments module. | get_sample_screenshots Investigation |
Get Submission State | Retrieves the state of a submitted file from the Hybrid Analysis server, based on the input parameters you have specified. | get_submitted_sample_state Investigation |
Get Latest Analysis Reports | Retrieves a list of reports from the Hybrid Analysis server. | get_latest_analysis_reports Investigation |
Get API Quota | Retrieves details of the API quota for the specified user account from the Hybrid Analysis server. | get_api_quota Investigation |
Input parameters for the Get Analysis Report for Multiple HashCodes operation:
Parameter | Description |
---|---|
Hash Codes | Specify the hash codes in the MD5, SHA1, or SHA256 format whose summary you want to retrieve from the Hybrid Analysis server. You can specify multiple hash codes as comma-separated values. |
The output contains the following populated JSON schema:
[ { "job_id": "", "environment_id": "", "environment_description": "", "size": "", "type": "", "type_short": [], "target_url": "", "state": "", "error_type": "", "error_origin": "", "submit_name": "", "md5": "", "sha1": "", "sha256": "", "sha512": "", "ssdeep": "", "imphash": "", "av_detect": "", "vx_family": "", "url_analysis": "", "analysis_start_time": "", "threat_score": "", "interesting": "", "threat_level": "", "verdict": "", "certificates": [], "domains": [], "classification_tags": [], "compromised_hosts": [], "hosts": [], "total_network_connections": "", "total_processes": "", "total_signatures": "", "extracted_files": [], "file_metadata": "", "processes": [], "tags": [], "mitre_attcks": [], "submissions": [ { "submission_id": "", "filename": "", "url": "", "created_at": "" } ], "network_mode": "", "machine_learning_models": [] } ]
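The Hash Codes input above is a free-form comma-separated string, and the output is a list of summary records in which one hash may appear several times (once per sandbox environment) under whichever of md5, sha1 or sha256 matches what you queried. The following Python is an added example for this page, not code from the connector: it validates the hash list the way a playbook step should before calling the operation, matches the returned records back to each queried hash, and collapses them into one severity per hash. The helper names (parse_hash_codes, records_for, triage, triage_all), the sample records and the verdict-to-severity mapping are constructed assumptions; the record fields follow the output schema shown above.

```python
"""Validate the "Hash Codes" input and triage the per-hash summary records.

Added example for this page, not code from the connector itself. The record
fields (md5/sha1/sha256, verdict, threat_score, av_detect, vx_family,
mitre_attcks) follow the output schema above; the sample records and the
verdict-to-severity mapping are constructed assumptions for the demo.
"""
import re
from typing import Dict, List

# Digest length in hex characters -> hash type accepted by the operation.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Assumed severity ranking for the verdict strings a summary can carry.
SEVERITY_BY_VERDICT = (("malicious", "high"), ("suspicious", "medium"))


def parse_hash_codes(raw: str) -> List[str]:
    """Split the comma-separated input, normalise to lower case, drop
    duplicates and reject anything that is not a well-formed MD5/SHA1/SHA256."""
    seen, hashes = set(), []
    for token in raw.split(","):
        h = token.strip().lower()
        if not h:
            continue
        if len(h) not in HASH_TYPES or not HEX_RE.match(h):
            raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {token.strip()!r}")
        if h not in seen:
            seen.add(h)
            hashes.append(h)
    if not hashes:
        raise ValueError("no hash codes supplied")
    return hashes


def records_for(h: str, records: List[Dict]) -> List[Dict]:
    """A hash can come back under md5, sha1 or sha256, and once per sandbox
    environment, so match on all three fields and keep every environment."""
    return [r for r in records
            if h in (str(r.get("md5", "")).lower(), str(r.get("sha1", "")).lower(),
                     str(r.get("sha256", "")).lower())]


def triage(h: str, records: List[Dict]) -> Dict:
    """Collapse all environments' summaries for one hash into a single verdict.
    A hash with no record is reported as unknown, not as clean."""
    result = {"hash": h, "hash_type": HASH_TYPES[len(h)], "status": "unknown",
              "severity": None, "max_threat_score": None, "families": [], "attck_ids": []}
    if not records:
        return result
    verdicts = {str(r.get("verdict", "")).lower() for r in records}
    severity = "low"  # assumed default for "no specific threat" and similar verdicts
    for verdict, level in SEVERITY_BY_VERDICT:
        if verdict in verdicts:
            severity = level
            break
    result.update({
        "status": "known",
        "severity": severity,
        "max_threat_score": max(int(r.get("threat_score") or 0) for r in records),
        "families": sorted({r["vx_family"] for r in records if r.get("vx_family")}),
        "attck_ids": sorted({a["attck_id"] for r in records
                             for a in (r.get("mitre_attcks") or []) if a.get("attck_id")}),
    })
    return result


def triage_all(raw: str, records: List[Dict]) -> List[Dict]:
    """One triage row per queried hash, in the order the hashes were given."""
    return [triage(h, records_for(h, records)) for h in parse_hash_codes(raw)]


# Constructed sample input: synthetic digests and summary records, not real data.
SHA256_A = "0123456789abcdef" * 4
MD5_B = "deadbeef" * 4
SHA1_C = "cafebabe" * 5
SAMPLE_RECORDS = [
    {"job_id": "job-1", "environment_id": 160, "sha256": SHA256_A, "md5": "0" * 32,
     "sha1": "1" * 40, "verdict": "malicious", "threat_score": 90, "av_detect": 67,
     "vx_family": "Trojan.Generic", "mitre_attcks": [{"attck_id": "T1055"}, {"attck_id": "T1547"}]},
    {"job_id": "job-2", "environment_id": 120, "sha256": SHA256_A, "md5": "0" * 32,
     "sha1": "1" * 40, "verdict": "suspicious", "threat_score": 45, "av_detect": 12,
     "vx_family": "Trojan.Generic", "mitre_attcks": [{"attck_id": "T1055"}]},
    {"job_id": "job-3", "environment_id": 100, "sha256": "f" * 64, "md5": MD5_B,
     "sha1": "2" * 40, "verdict": "no specific threat", "threat_score": 0, "av_detect": 0,
     "vx_family": None, "mitre_attcks": []},
]

if __name__ == "__main__":
    for row in triage_all(f"{SHA256_A.upper()}, {MD5_B}, {SHA1_C},", SAMPLE_RECORDS):
        print(row)
```

Two design points matter for a playbook: a queried hash with no record is marked unknown rather than clean, because absence of a sandbox report is not a verdict; and the worst verdict across environments wins, since a sample that is malicious in one environment and only suspicious in another is still malicious.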
The Get Environment operation has no input parameters.
The output contains the following populated JSON schema:
[ { "id": "", "environment_id": "", "description": "", "group_icon": "", "architecture": "", "analysis_mode": "", "virtual_machines": [], "total_virtual_machines": "", "busy_virtual_machines": "", "invalid_virtual_machines": "" } ]
Input parameters for the Submit File operation:
Parameter | Description |
---|---|
Attachment/Indicator ID | Specify the ID of the file that you want to submit to the Hybrid Analysis server. The ID is used to access the file from FortiSOAR™'s Attachments or Indicators module. |
Environment ID | Specify the ID of the sandbox environment in which the file is to be run. Select one of the available environment IDs; the Get Environment operation lists them. |
Priority | Specify the priority value of the sample. By default, the priority is set to 0. The minimum permissible value is 0 and the maximum is 100. |
Action Script | (Optional) Select one of the supported custom runtime action scripts. |
Network Settings | (Optional) Select one of the supported network settings for the sandbox. |
Required Memory Dump? | Set this option to false to skip memory analysis dumps. By default, this is set to true. |
Experimental Anti-Evasion? | Set this option to true to enable all the experimental anti-evasion options of the kernel mode monitor. By default, this is set to false. |
Set the IN-Depth Script Logging | Set this option to true to enable the in-depth script logging engine of the kernel mode monitor. By default, this is set to false. |
Allow Sample Tampering | Set this option to true to enable the experimental anti-evasion options of the kernel mode monitor that tamper with the input sample. By default, this is set to false. |
Email Notification | (Optional) Specify an email address to be notified about the submission. |
Comment | (Optional) Specify a comment to add when submitting the file. |
Custom Date Time for the Analysis System | (Optional) Specify a custom date and time to set on the analysis system. |
Custom CMD Line Pass to the Analysis File | (Optional) Specify a custom command line to pass to the analyzed file. |
Custom Run Time | (Optional) Specify the runtime duration in seconds. NOTE: The value must be between 30 and 360 seconds. |
Submit Name | (Optional) Specify the name of the submitted file. The submission name is used for file type detection and analysis. |
Document Password | (Optional) Specify the password of the document, used to fill in Adobe or Office password prompts. |
Environment Variable (Format name=value) | (Optional) Specify a system environment variable for the analysis system, in the name=value format. |
The output contains the following populated JSON schema:
{ "job_id": "", "environment_id": "", "submission_id": "", "sha256": "" }
Input parameters for the Submit URL operation:
Parameter | Description |
---|---|
URL | Specify the URL that you want to submit to the Hybrid Analysis server. |
Environment ID | Specify the ID of the sandbox environment in which the URL is to be run. Select one of the available environment IDs; the Get Environment operation lists them. |
Priority | (Optional) Specify the priority value of the sample URL. By default, all URL samples run with the highest priority, i.e., 100. The minimum permissible value is 1 and the maximum is 100. |
Action Script | (Optional) Select one of the supported custom runtime action scripts. |
Required Memory Dump? | Set this option to false to skip memory analysis dumps. By default, this is set to true. |
Experimental Anti-Evasion? | Set this option to true to enable all the experimental anti-evasion options of the kernel mode monitor. By default, this is set to false. |
Set the IN-Depth Script Logging | Set this option to true to enable the in-depth script logging engine of the kernel mode monitor. By default, this is set to false. |
Allow Sample Tampering | Set this option to true to enable the experimental anti-evasion options of the kernel mode monitor that tamper with the input sample. By default, this is set to false. |
Network Settings | (Optional) Select one of the supported network settings for the sandbox. |
Email Notification | (Optional) Specify an email address to be notified about the submission. |
Comment | (Optional) Specify a comment to add when submitting the URL. |
Custom Date Time for the Analysis System | (Optional) Specify a custom date and time to set on the analysis system. |
Custom CMD Line Pass to the Analysis File | (Optional) Specify a custom command line to pass to the analyzed file. |
Custom Run Time | (Optional) Specify the runtime duration in seconds. NOTE: The value must be between 30 and 360 seconds. |
Submit Name | (Optional) Specify a name for the submission. The submission name is used for file type detection and analysis. |
Document Password | (Optional) Specify the password of the document, used to fill in Adobe or Office password prompts. |
Environment Variable (Format name=value) | (Optional) Specify a system environment variable for the analysis system, in the name=value format. |
The output contains the following populated JSON schema:
{ "submission_type": "", "job_id": "", "submission_id": "", "environment_id": "", "sha256": "" }
Input parameters for the Quick Scan URL operation:
Parameter | Description |
---|---|
URL | Specify the URL that you want the Hybrid Analysis server to quick scan. |
Comment | (Optional) Specify a comment to add when submitting the URL. |
Submit Name | (Optional) Specify a name for the submission. The submission name is used for file type detection and analysis. |
The output contains the following populated JSON schema:
{ "id": "", "sha256": "", "reports": [], "finished": "", "scanners": [ { "name": "", "total": "", "status": "", "percent": "", "progress": "", "positives": "", "error_message": "", "anti_virus_results": [] } ], "whitelist": [], "scanners_v2": { "bfore_ai": { "name": "", "status": "", "percent": "", "progress": "", "error_message": "" }, "clean_dns": { "name": "", "status": "", "reports": [], "progress": "", "error_message": "", "reports_count": "" }, "urlscan_io": { "name": "", "status": "", "percent": "", "progress": "", "error_message": "" }, "virustotal": "", "metadefender": "", "scam_adviser": { "name": "", "status": "", "percent": "", "progress": "", "error_message": "" }, "crowdstrike_ml": "" }, "submission_type": "" }
Input parameters for the Get Analysis Report operation. Identify the sample either by its Job ID alone, or by its File SHA256 together with the Environment ID:
Parameter | Description |
---|---|
Job ID | Specify the job ID of the submitted file whose report you want to retrieve from the Hybrid Analysis server. The job ID is returned when you submit a sample. NOTE: If you specify the Job ID, you do not need to specify File SHA256 or Environment ID. |
File SHA256 | Specify the SHA256 value of the file whose report you want to retrieve from the Hybrid Analysis server. The SHA256 value is returned when you submit a sample. NOTE: If you specify File SHA256, you must also specify the Environment ID. |
Environment ID | Specify the ID of the environment in which the submitted file was run. The Environment ID is returned when you submit a sample. NOTE: If you specify Environment ID, you must also specify File SHA256. |
The output contains the following populated JSON schema:
{ "md5": "", "sha1": "", "size": "", "tags": [], "type": "", "hosts": [], "state": "", "job_id": "", "sha256": "", "sha512": "", "ssdeep": "", "domains": [], "imphash": "", "verdict": "", "av_detect": "", "processes": [ { "pid": "", "uid": "", "icon": "", "name": "", "sha256": "", "handles": [], "modules": [], "mutants": [], "streams": [], "av_label": "", "av_total": "", "registry": [], "parentuid": "", "amsi_calls": [], "av_matched": "", "command_line": "", "script_calls": [], "created_files": [], "file_accesses": [], "process_flags": [], "normalized_path": "" } ], "subsystem": "", "vx_family": "", "entrypoint": "", "error_type": "", "image_base": "", "signatures": [ { "name": "", "type": "", "origin": "", "attck_id": "", "capec_id": "", "category": "", "relevance": "", "identifier": "", "description": "", "threat_level": "", "attck_id_wiki": "", "threat_level_human": "" } ], "target_url": "", "type_short": [], "interesting": "", "submissions": [ { "url": "", "filename": "", "created_at": "", "submission_id": "" } ], "submit_name": "", "certificates": [], "error_origin": "", "mitre_attcks": [ { "parent": "", "tactic": "", "attck_id": "", "technique": "", "attck_id_wiki": "", "malicious_identifiers": [], "suspicious_identifiers": [], "informative_identifiers": [], "malicious_identifiers_count": "", "suspicious_identifiers_count": "", "informative_identifiers_count": "" } ], "network_mode": "", "threat_level": "", "threat_score": "", "url_analysis": "", "file_metadata": "", "crowdstrike_ai": { "analysis_related_urls": [], "executable_process_memory_analysis": [] }, "environment_id": "", "extracted_files": [], "total_processes": "", "major_os_version": "", "minor_os_version": "", "total_signatures": "", "compromised_hosts": [], "entrypoint_section": "", "analysis_start_time": "", "classification_tags": [], "dll_characteristics": [], "is_certificates_valid": "", "environment_description": "", "machine_learning_models": [], "total_network_connections": "", "image_file_characteristics": [], "certificates_validation_message": "" }
Input parameters for the Advanced Search operation. The operation returns the reports on the Hybrid Analysis server that match the search terms you specify:
Parameter | Description |
---|---|
File Name | Specify the file name to search for. |
File Type | Specify the file type to search for. |
File Type Description | Specify the file type description to search for. |
Environment ID | Specify the ID of the environment whose reports you want to search. |
Verdict | Select the verdict that the Hybrid Analysis server assigned to the sample after analysis. |
AV Multiscan range | Specify the AV multiscan detection range to search for. |
AV Family Substring | Specify a substring of the AV family name to search for. |
Hash Tag | Specify a hashtag attached to the report. |
Port | Specify a port that the sample contacted. |
Host | Specify a host that the sample contacted. |
Domain | Specify a domain that the sample contacted. |
HTTP Request Substring | Specify a substring of an HTTP request made by the sample. |
Similar Samples | Specify the SHA256 of a sample; the search returns reports for samples similar to it. |
Sample Context | Specify the SHA256 of a sample; the search returns reports for samples that share its context. |
Start DateTime | Select a date and time; only reports created after this timestamp are included in the result set. |
End DateTime | Select a date and time; only reports created before this timestamp are included in the result set. |
IMP Hash | Specify the import hash (imphash) of the file to search for. |
SS Deep | Specify the ssdeep fuzzy hash of the file to search for. |
Authenti Hash | Specify the Authenticode hash (authentihash) of the file to search for. |
Uses Tactic | Specify the MITRE ATT&CK® tactic that the sample uses. |
Uses Technique | Specify the MITRE ATT&CK® technique that the sample uses. |
The output contains the following populated JSON schema:
{ "count": "", "result": [ { "vx_family": "", "verdict": "", "submit_name": "", "type_short": "", "job_id": "", "analysis_start_time": "", "environment_description": "", "threat_score": "", "av_detect": "", "sha256": "", "environment_id": "", "size": "", "type": "" } ], "search_terms": [ { "id": "", "value": "" } ] }
Input parameters for the Get Files Dropped by Sample operation. Identify the sample either by its Job ID alone, or by its File SHA256 together with the Environment ID:
Parameter | Description |
---|---|
Job ID | Specify the job ID of the submitted file whose dropped files you want to retrieve from the Hybrid Analysis server. The job ID is returned when you submit a sample. NOTE: If you specify the Job ID, you do not need to specify File SHA256 or Environment ID. |
File SHA256 | Specify the SHA256 value of the file whose dropped files you want to retrieve from the Hybrid Analysis server. The SHA256 value is returned when you submit a sample. NOTE: If you specify File SHA256, you must also specify the Environment ID. |
Environment ID | Specify the ID of the environment in which the submitted file was run. The Environment ID is returned when you submit a sample. NOTE: If you specify Environment ID, you must also specify File SHA256. |
The output contains the following populated JSON schema:
{ "id": "", "@id": "", "file": { "id": "", "@id": "", "size": "", "uuid": "", "@type": "", "assignee": "", "filename": "", "metadata": [], "mimeType": "", "thumbnail": "", "uploadDate": "" }, "name": "", "type": "", "uuid": "", "@type": "", "@context": "", "assignee": "", "createDate": "", "createUser": { "id": "", "@id": "", "name": "", "uuid": "", "@type": "", "avatar": "", "userId": "", "userType": "", "createDate": "", "createUser": "", "modifyDate": "", "modifyUser": "" }, "modifyDate": "", "modifyUser": { "id": "", "@id": "", "name": "", "uuid": "", "@type": "", "avatar": "", "userId": "", "userType": "", "createDate": "", "createUser": "", "modifyDate": "", "modifyUser": "" }, "recordTags": [], "description": "" }
Input parameters for the Get Sample Screenshot operation. Identify the sample either by its Job ID alone, or by its File SHA256 together with the Environment ID:
Parameter | Description |
---|---|
Job ID | Specify the job ID of the submitted file whose analysis screenshots you want to retrieve from the Hybrid Analysis server. The job ID is returned when you submit a sample. NOTE: If you specify the Job ID, you do not need to specify File SHA256 or Environment ID. |
File SHA256 | Specify the SHA256 value of the file whose analysis screenshots you want to retrieve from the Hybrid Analysis server. The SHA256 value is returned when you submit a sample. NOTE: If you specify File SHA256, you must also specify the Environment ID. |
Environment ID | Specify the ID of the environment in which the submitted file was run. The Environment ID is returned when you submit a sample. NOTE: If you specify Environment ID, you must also specify File SHA256. |
Attach Screenshots to FortiSOAR | Set this option to true to add the sample screenshots to the FortiSOAR™ Attachments module. By default, this is set to false. |
The output contains the following populated JSON schema:
[ { "name": "", "image": "", "date": "" } ]
Input parameters for the Get Submission State operation. Identify the sample either by its Job ID alone, or by its File SHA256 together with the Environment ID:
Parameter | Description |
---|---|
Job ID | Specify the job ID of the submitted file whose state you want to retrieve from the Hybrid Analysis server. The job ID is returned when you submit a sample. NOTE: If you specify the Job ID, you do not need to specify File SHA256 or Environment ID. |
File SHA256 | Specify the SHA256 value of the submitted file whose state you want to retrieve from the Hybrid Analysis server. The SHA256 value is returned when you submit a sample. NOTE: If you specify File SHA256, you must also specify the Environment ID. |
Environment ID | Specify the ID of the environment in which the submitted file was run. The Environment ID is returned when you submit a sample. NOTE: If you specify Environment ID, you must also specify File SHA256. |
The output contains the following populated JSON schema:
{ "state": "", "error_type": "", "error_origin": "", "error": "", "related_reports": [] }
The Get Latest Analysis Reports operation has no input parameters.
The output contains the following populated JSON schema:
{ "count": "", "status": "", "data": [ { "job_id": "", "md5": "", "sha1": "", "sha256": "", "interesting": "", "analysis_start_time": "", "threat_score": "", "threat_level": "", "threat_level_human": "", "av_detect": "", "unknown": "", "submit_name": "", "url_analysis": "", "size": "", "type": "", "environment_id": "", "environment_description": "", "shared_analysis": "", "reliable": "", "report_url": "", "vt_detect": "", "ms_detect": "", "processes": [ { "uid": "", "name": "", "normalized_path": "", "command_line": "", "sha256": "" } ], "ssdeep": "" } ] }
The Get API Quota operation has no input parameters.
The output contains the following populated JSON schema:
{ "detonation": { "total": "", "apikey": { "quota": { "hour": "", "day": "", "week": "", "month": "", "year": "", "omega": "" }, "used": { "hour": "", "day": "", "week": "", "month": "", "year": "", "omega": "" }, "available": { "hour": "", "day": "", "week": "", "month": "", "year": "", "omega": "" }, "quota_reached": "" }, "quota_reached": "" }, "quick_scan": { "total": "", "apikey": "", "quota_reached": "" } }
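The four operations Submit File (or Submit URL), Get Submission State, Get Analysis Report and Get API Quota are normally chained in one playbook: check that the key still has detonations left, submit, poll the state until the sandbox is done, then pull the report using either the job ID or the SHA256 plus environment ID that the submit step returned. The following Python is an added example for this page, not the connector's own code; it models that playbook logic with an in-memory stand-in for the Hybrid Analysis server so it runs offline. Assumptions not stated on the page: the state names IN_QUEUE, IN_PROGRESS, SUCCESS and ERROR, and the "sha256:environment_id" composite form of a report identifier, follow the Hybrid Analysis v2 API; the helper names (report_id, detonations_available, wait_for_report, FakeSandbox, detonate), the quota numbers and the fake error values are constructed for the demo.

```python
"""Submit, poll and fetch: playbook logic around four operations on this page.

Added example, not the connector's code. Assumptions: the state names
IN_QUEUE/IN_PROGRESS/SUCCESS/ERROR and the 'sha256:environment_id' report-id
form follow the Hybrid Analysis v2 API; the page itself only states the
either/or identifier rule and the quota output shape.
"""
from typing import Callable, Dict, Optional, Tuple

HEX = set("0123456789abcdef")


def report_id(job_id: Optional[str] = None, sha256: Optional[str] = None,
              environment_id: Optional[int] = None) -> str:
    """Enforce the rule stated for Get Analysis Report, Get Files Dropped by
    Sample, Get Sample Screenshot and Get Submission State: a Job ID alone,
    or File SHA256 together with Environment ID (never a mix)."""
    if job_id:
        if sha256 or environment_id is not None:
            raise ValueError("give either Job ID or File SHA256 + Environment ID, not both")
        return job_id
    if not sha256 or environment_id is None:
        raise ValueError("File SHA256 and Environment ID must be supplied together")
    sha256 = sha256.lower()
    if len(sha256) != 64 or set(sha256) - HEX:
        raise ValueError("File SHA256 must be a 64-character hex digest")
    return f"{sha256}:{int(environment_id)}"


def detonations_available(quota: Dict, window: str = "hour") -> int:
    """Read the Get API Quota output; 0 if any quota_reached flag is set."""
    det = quota["detonation"]
    if det.get("quota_reached") or det["apikey"].get("quota_reached"):
        return 0
    return int(det["apikey"]["available"][window])


def wait_for_report(get_state: Callable[[str], Dict], get_report: Callable[[str], Dict],
                    rid: str, max_polls: int = 10,
                    sleep: Callable[[], None] = lambda: None) -> Tuple[str, Optional[Dict]]:
    """Poll Get Submission State until SUCCESS or ERROR, then fetch the report.
    `sleep` stands in for the playbook wait step between polls."""
    for _ in range(max_polls):
        st = get_state(rid)
        state = st.get("state")
        if state == "ERROR":
            return "ERROR", {k: st.get(k) for k in ("error_type", "error_origin", "error")}
        if state == "SUCCESS":
            return "SUCCESS", get_report(rid)
        sleep()
    return "TIMEOUT", None


class FakeSandbox:
    """Constructed stand-in for the Hybrid Analysis server; every state query
    moves a job one step (IN_QUEUE -> IN_PROGRESS -> SUCCESS or ERROR)."""

    def __init__(self, fail: bool = False):
        self.jobs: Dict[str, Dict] = {}
        self.fail = fail

    def submit_file(self, sha256: str, environment_id: int) -> Dict:
        job = {"sha256": sha256, "environment_id": environment_id, "polls": 0}
        job_id = f"job-{len(self.jobs) // 2 + 1}"
        self.jobs[job_id] = self.jobs[f"{sha256}:{environment_id}"] = job  # both ids resolve
        return {"job_id": job_id, "environment_id": environment_id,
                "submission_id": f"sub-{job_id}", "sha256": sha256}

    def get_state(self, rid: str) -> Dict:
        job = self.jobs[rid]
        job["polls"] += 1
        if job["polls"] == 1:
            return {"state": "IN_QUEUE"}
        if job["polls"] == 2:
            return {"state": "IN_PROGRESS"}
        if self.fail:  # constructed error values, not real server output
            return {"state": "ERROR", "error_type": "constructed_failure",
                    "error_origin": "CLIENT", "error": "sample did not execute"}
        return {"state": "SUCCESS"}

    def get_report(self, rid: str) -> Dict:
        job = self.jobs[rid]
        return {"sha256": job["sha256"], "environment_id": job["environment_id"],
                "verdict": "malicious", "threat_score": 85, "vx_family": "Trojan.Generic"}


def detonate(sandbox: FakeSandbox, quota: Dict, sha256: str, environment_id: int,
             max_polls: int = 10) -> Tuple[str, Optional[Dict]]:
    """Gate on quota, submit, then poll by job_id (the simplest identifier)."""
    if detonations_available(quota) < 1:
        return "NO_QUOTA", None
    sub = sandbox.submit_file(sha256, environment_id)
    rid = report_id(job_id=sub["job_id"])
    return wait_for_report(sandbox.get_state, sandbox.get_report, rid, max_polls)


# Constructed Get API Quota output in the shape shown above (numbers invented).
SAMPLE_QUOTA = {
    "detonation": {"total": 10,
                   "apikey": {"quota": {"hour": 10}, "used": {"hour": 3},
                              "available": {"hour": 7}, "quota_reached": False},
                   "quota_reached": False},
    "quick_scan": {"total": 50, "apikey": None, "quota_reached": False},
}

if __name__ == "__main__":
    print(detonate(FakeSandbox(), SAMPLE_QUOTA, "ab" * 32, 160))
    print(detonate(FakeSandbox(fail=True), SAMPLE_QUOTA, "ab" * 32, 160))
```

The quota gate and the bounded poll count are the two checks worth carrying into a real playbook: submitting with an exhausted key burns the run for nothing, and a poll loop without a ceiling will hang the playbook on a sample the sandbox never finishes. The ERROR branch keeps error_type, error_origin and error from the state output, which is what an analyst needs to tell a client-side mistake (wrong environment, unsupported file) from a sandbox failure.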
The Sample - hybrid-analysis - 2.0.1 playbook collection comes bundled with the Hybrid Analysis connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Hybrid Analysis connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
Hybrid Analysis provides a malware analysis service that allows users to automate the analysis of files and URLs for potential threats. This connector facilitates automated operations such as retrieving analysis reports, environment details, submitting files, submitting URLs, etc.
This document provides information about the Hybrid Analysis Connector, which facilitates automated interactions, with a Hybrid Analysis server using FortiSOAR™ playbooks. Add the Hybrid Analysis Connector as a step in FortiSOAR™ playbooks and perform automated operations with Hybrid Analysis.
Connector Version: 2.0.1
FortiSOAR™ Version Tested on: 7.5.0-4015
Hybrid Analysis Version Tested on: v2
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Hybrid Analysis Connector in version 2.0.1:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command as a root user to install the connector:
yum install cyops-connector-hybrid-analysis
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Hybrid Analysis connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Hybrid Analysis server to which you will connect and perform the automated operations. |
API Key | API key that is configured for your account to access the Hybrid Analysis endpoint. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Analysis Report for Multiple HashCodes | Retrieves the analysis report summary from the Hybrid Analysis server for multiple MD5/SHA1/SHA256 hash codes you have specified. | get_analysis_report_for_multiple_hashcodes Investigation |
Get Environment | Retrieves all the sandbox information from the Hybrid Analysis server. | get_environment Investigation |
Submit File | Submits a file from the FortiSOAR™ Attachments/Indicators module to the Hybrid Analysis server for analysis. | detonate_file Investigation |
Submit URL | Submits a URL to the Hybrid Analysis server for analysis. | submit_url Investigation |
Quick Scan URL | Submits a URL to the Hybrid Analysis server for a Quick Scan. You can query the Hybrid Analysis server again, in a few minutes, to check the results of the scan. | url_quick_scan Investigation |
Get Analysis Report | Retrieves all the analysis details from the Hybrid Analysis server for a submitted file, based on the input parameters you specify. | get_analysis_report Investigation |
Advanced Search | Retrieves all the reports from the Hybrid Analysis server that match the input parameters you specify. | search_query Investigation |
Get Files Dropped by Sample | Retrieves all the details of the dropped file from the Hybrid Analysis server and adds the file to the FortiSOAR™ Attachments module. You specify the sample for which you want to retrieve dropped files, based on the input parameters you have specified. | get_file Investigation |
Get Sample Screenshot | Retrieves screenshots of specified submitted samples that are captured during analysis from the Hybrid Analysis server. You specify the sample for which you want to retrieve screenshots based on the input parameters you have specified. You can optionally also add the screenshots to the FortiSOAR™ Attachments module. | get_sample_screenshots Investigation |
Get Submission State | Retrieves the state of a submitted file from the Hybrid Analysis server, based on the input parameters you have specified. | get_submitted_sample_state Investigation |
Get Latest Analysis Reports | Retrieves a list of reports from the Hybrid Analysis server. | get_latest_analysis_reports Investigation |
Get API Quota | Retrieves details of the API quota for the specified user account from the Hybrid Analysis server. | get_api_quota Investigation |
Parameter | Description |
---|---|
Hash Codes | Specify the hash codes in the MD5, SHA256, or SHA1 format whose summary you want to retrieve from the Hybrid Analysis server. You can specify multiple hash codes as comma-separated values. |
The output contains the following populated JSON schema:
[ { "job_id": "", "environment_id": "", "environment_description": "", "size": "", "type": "", "type_short": [], "target_url": "", "state": "", "error_type": "", "error_origin": "", "submit_name": "", "md5": "", "sha1": "", "sha256": "", "sha512": "", "ssdeep": "", "imphash": "", "av_detect": "", "vx_family": "", "url_analysis": "", "analysis_start_time": "", "threat_score": "", "interesting": "", "threat_level": "", "verdict": "", "certificates": [], "domains": [], "classification_tags": [], "compromised_hosts": [], "hosts": [], "total_network_connections": "", "total_processes": "", "total_signatures": "", "extracted_files": [], "file_metadata": "", "processes": [], "tags": [], "mitre_attcks": [], "submissions": [ { "submission_id": "", "filename": "", "url": "", "created_at": "" } ], "network_mode": "", "machine_learning_models": [] } ]
None.
The output contains the following populated JSON schema:
[ { "id": "", "environment_id": "", "description": "", "group_icon": "", "architecture": "", "analysis_mode": "", "virtual_machines": [], "total_virtual_machines": "", "busy_virtual_machines": "", "invalid_virtual_machines": "" } ]
Parameter | Description |
---|---|
Attachment/Indicator ID | Specify the ID of the file that you want to submit to the Hybrid Analysis server. The ID is used to access the file from FortiSOAR™'s Attachments or Indicators module. |
Environment ID | Specify the ID of the environment in which the file is to be run.
For example, Following are available environment IDs:
|
Priority | The priority value of the sample. By default, the priority is set to 0 . Minimum permissible value is 0 and maximum is 100 . |
Action Script | (Optional) Select a custom runtime action script. You can select one of the following custom runtime action scripts:
|
Network Settings | (Optional) Select a network setting. You can select from one of the following options:
|
Required Memory Dump? | Select this option, i.e set it to false to avoid memory analysis dumps. By default, this is set to true . |
Experimental Anti-Evasion? | Select this option, i.e set it to true , to enable all the experimental anti-evasion options of the kernel mode monitor. By default, this is set to false . |
Set the IN-Depth Script Logging | Select this option, i.e set it to true , to enable the in-depth script logging engine of the kernel mode monitor. By default, this is set to false . |
Allow Sample Tampering | Select this option, i.e set it to true , to enable the experimental anti-evasion options of the kernel mode monitor that tampers with the input sample. By default, this is set to false . |
Email Notification | (Optional) Specify the email Address with the file submitted for submission. This email address is used for notification purposes. |
Comment | (Optional) Specify a comment to add when submitting the file. |
Custom Date Time for the Analysis System | (Optional) Specify a custom date and time to set for the analysis system. |
Custom CMD Line Pass to the Analysis File | (Optional) Specify the custom command line to pass to the analysis file. |
Custom Run Time | (Optional) Specify the runtime duration in seconds.
NOTE: Time should be between 30 to 360 sec. |
Submit Name | (Optional) Specify the name of the submitted file. The Submission Name field is used for file type detection and analysis. |
Document Password | (Optional) Specify the password of the document to fill in Adobe or Office password prompts. |
Environment Variable (Format name=value) | (Optional) Specify the system environment value. You must provide this value in the name=value format. |
The output contains the following populated JSON schema:
{ "job_id": "", "environment_id": "", "submission_id": "", "sha256": "" }
Parameter | Description |
---|---|
URL | Specify the URL that you want to submit to the Hybrid Analysis server. |
Environment ID | Specify the ID of the environment in which the URL is to be run. For example, the following environment IDs are available: |
Priority | (Optional) Specify the priority value of the sample URL. By default, all URL samples run with the highest priority, i.e., 100. The minimum permissible value is 1 and the maximum is 100. |
Action Script | (Optional) Select a custom runtime action script. You can select one of the following custom runtime action scripts: |
Required Memory Dump? | Set this option to false to avoid memory analysis dumps. By default, this is set to true. |
Experimental Anti-Evasion? | Select this option, i.e., set it to true, to enable all the experimental anti-evasion options of the kernel mode monitor. By default, this is set to false. |
Set the IN-Depth Script Logging | Select this option, i.e., set it to true, to enable the in-depth script logging engine of the kernel mode monitor. By default, this is set to false. |
Allow Sample Tampering | Select this option, i.e., set it to true, to enable the experimental anti-evasion options of the kernel mode monitor that tamper with the input sample. By default, this is set to false. |
Network Settings | (Optional) Select a network setting. You can select one of the following options: |
Email Notification | (Optional) Specify the email address to associate with the URL submission. This address is used for notification purposes. |
Comment | (Optional) Specify a comment to add when submitting the file. |
Custom Date Time for the Analysis System | (Optional) Specify a custom date and time to set for the analysis system. |
Custom CMD Line Pass to the Analysis File | (Optional) Specify the custom command line to pass to the analysis file. |
Custom Run Time | (Optional) Specify the runtime duration in seconds. NOTE: The value must be between 30 and 360 seconds. |
Submit Name | (Optional) Specify the name of the submitted file. The submission name is used for file type detection and analysis. |
Document Password | (Optional) Specify the document password, which is used to fill in Adobe or Office password prompts. |
Environment Variable (Format name=value) | (Optional) Specify a system environment variable for the analysis. You must provide this value in the name=value format. |
The output contains the following populated JSON schema:
{ "submission_type": "", "job_id": "", "submission_id": "", "environment_id": "", "sha256": "" }
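The file and URL submission tables above carry the same input limits. As an added example (not connector or Hybrid Analysis code), the following playbook-side checks enforce them before a submission step runs: Priority 1 to 100 with a default of 100, Custom Run Time 30 to 360 seconds, Environment Variable in name=value format, and Environment ID as the one mandatory field (it is the only non-optional row of the URL table; treating it the same way for file submissions is an assumption). The snake_case keys are placeholders, not the connector's field names.

```python
"""Client-side validation of Hybrid Analysis submission inputs.
Added example; the limits are the documented ones, the key names are
placeholders chosen for this example."""

# Documented defaults for the toggle options (constructed representation).
DEFAULTS = {
    "priority": 100,
    "required_memory_dump": True,
    "experimental_anti_evasion": False,
    "in_depth_script_logging": False,
    "allow_sample_tampering": False,
}


def _merge(params):
    """Overlay the caller's non-empty values on the documented defaults."""
    merged = dict(DEFAULTS)
    merged.update({k: v for k, v in params.items() if v not in (None, "")})
    return merged


def submission_errors(params):
    """Return a list of problems with the submission parameters (empty = OK)."""
    errors = []
    merged = _merge(params)

    # Environment ID is the one mandatory field (assumption for file submits).
    if "environment_id" not in merged:
        errors.append("Environment ID is required")

    priority = merged["priority"]
    if not isinstance(priority, int) or not 1 <= priority <= 100:
        errors.append(f"Priority {priority!r} must be an integer from 1 to 100")

    runtime = merged.get("custom_run_time")
    if runtime is not None and (not isinstance(runtime, int) or not 30 <= runtime <= 360):
        errors.append(f"Custom Run Time {runtime!r} must be 30 to 360 seconds")

    env = merged.get("environment_variable")
    if env is not None:
        name, sep, _value = str(env).partition("=")
        if not sep or not name.strip():
            errors.append(f"Environment Variable {env!r} must be in name=value format")

    return errors


def validate_submission(params):
    """Return the parameters merged with defaults, or raise listing every problem."""
    errors = submission_errors(params)
    if errors:
        raise ValueError("; ".join(errors))
    return _merge(params)


if __name__ == "__main__":
    print(validate_submission({"environment_id": 100, "custom_run_time": 120}))
    print(submission_errors({"priority": 0, "custom_run_time": 10}))
```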
Parameter | Description |
---|---|
URL | Specify the URL that you want to submit to the Hybrid Analysis server for scanning. |
Comment | (Optional) Specify a comment that you want to add when submitting the file. |
Submit Name | (Optional) Specify the name of the submitted file. The Submission Name field is used for file type detection and analysis. |
The output contains the following populated JSON schema:
{ "id": "", "sha256": "", "reports": [], "finished": "", "scanners": [ { "name": "", "total": "", "status": "", "percent": "", "progress": "", "positives": "", "error_message": "", "anti_virus_results": [] } ], "whitelist": [], "scanners_v2": { "bfore_ai": { "name": "", "status": "", "percent": "", "progress": "", "error_message": "" }, "clean_dns": { "name": "", "status": "", "reports": [], "progress": "", "error_message": "", "reports_count": "" }, "urlscan_io": { "name": "", "status": "", "percent": "", "progress": "", "error_message": "" }, "virustotal": "", "metadefender": "", "scam_adviser": { "name": "", "status": "", "percent": "", "progress": "", "error_message": "" }, "crowdstrike_ml": "" }, "submission_type": "" }
Parameter | Description |
---|---|
Job ID | Specify the ID of the file for which to retrieve the report from the Hybrid Analysis server. You can get the job ID when you submit a sample file. NOTE: If you specify the Job ID, you do not need to specify File SHA256 or Environment ID. |
File SHA256 | Specify the SHA256 value of the file for which you want to retrieve a report from the Hybrid Analysis server. You can get the SHA256 value when you submit a sample file. NOTE: If you specify File SHA256, then you must also specify the Environment ID. |
Environment ID | Specify the ID of the environment in which the submitted file was run and whose report you want to retrieve from the Hybrid Analysis server. You can get the Environment ID when you submit a sample file. NOTE: If you specify Environment ID, then you must also specify the File SHA256 hash code. |
The output contains the following populated JSON schema:
{ "md5": "", "sha1": "", "size": "", "tags": [], "type": "", "hosts": [], "state": "", "job_id": "", "sha256": "", "sha512": "", "ssdeep": "", "domains": [], "imphash": "", "verdict": "", "av_detect": "", "processes": [ { "pid": "", "uid": "", "icon": "", "name": "", "sha256": "", "handles": [], "modules": [], "mutants": [], "streams": [], "av_label": "", "av_total": "", "registry": [], "parentuid": "", "amsi_calls": [], "av_matched": "", "command_line": "", "script_calls": [], "created_files": [], "file_accesses": [], "process_flags": [], "normalized_path": "" } ], "subsystem": "", "vx_family": "", "entrypoint": "", "error_type": "", "image_base": "", "signatures": [ { "name": "", "type": "", "origin": "", "attck_id": "", "capec_id": "", "category": "", "relevance": "", "identifier": "", "description": "", "threat_level": "", "attck_id_wiki": "", "threat_level_human": "" } ], "target_url": "", "type_short": [], "interesting": "", "submissions": [ { "url": "", "filename": "", "created_at": "", "submission_id": "" } ], "submit_name": "", "certificates": [], "error_origin": "", "mitre_attcks": [ { "parent": "", "tactic": "", "attck_id": "", "technique": "", "attck_id_wiki": "", "malicious_identifiers": [], "suspicious_identifiers": [], "informative_identifiers": [], "malicious_identifiers_count": "", "suspicious_identifiers_count": "", "informative_identifiers_count": "" } ], "network_mode": "", "threat_level": "", "threat_score": "", "url_analysis": "", "file_metadata": "", "crowdstrike_ai": { "analysis_related_urls": [], "executable_process_memory_analysis": [] }, "environment_id": "", "extracted_files": [], "total_processes": "", "major_os_version": "", "minor_os_version": "", "total_signatures": "", "compromised_hosts": [], "entrypoint_section": "", "analysis_start_time": "", "classification_tags": [], "dll_characteristics": [], "is_certificates_valid": "", "environment_description": "", "machine_learning_models": [], "total_network_connections": "", "image_file_characteristics": [], "certificates_validation_message": "" }
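As an added example (not connector or Hybrid Analysis code), the function below encodes the identifier rule from the table above, which also governs the dropped-file, screenshot and state retrievals described later on this page (Job ID alone, or File SHA256 together with Environment ID), and then reduces a report shaped like the schema just shown to the fields a playbook typically branches on. The sample report is constructed, and the sha256:environment_id string form used to combine the pair is an assumption, not taken from this page.

```python
"""Report lookup identifier and triage summary for Hybrid Analysis reports.
Added example built around the report schema documented above."""


def report_identifier(job_id=None, sha256=None, environment_id=None):
    """Apply the documented rule: Job ID alone, or SHA256 plus Environment ID.
    The 'sha256:environment_id' combination is an assumption of this example."""
    if job_id:
        return str(job_id)
    if sha256 and environment_id not in (None, ""):
        return f"{sha256}:{environment_id}"
    raise ValueError("provide Job ID, or File SHA256 together with Environment ID")


def summarise_report(report, score_threshold=50):
    """Pick out verdict, score, ATT&CK coverage and network indicators."""
    attcks = report.get("mitre_attcks") or []
    tactics = sorted({m["tactic"] for m in attcks if m.get("tactic")})
    techniques = sorted({m["attck_id"] for m in attcks if m.get("attck_id")})
    network = sorted(set(report.get("hosts") or []) | set(report.get("domains") or []))
    score = int(report.get("threat_score") or 0)
    verdict = (report.get("verdict") or "").lower()
    return {
        "job_id": report.get("job_id"),
        "sha256": report.get("sha256"),
        "verdict": verdict,
        "threat_score": score,
        "av_detect": report.get("av_detect"),
        "tactics": tactics,
        "techniques": techniques,
        "network_indicators": network,
        # Escalation rule for this example: malicious verdict or score at/above threshold.
        "escalate": verdict == "malicious" or score >= score_threshold,
    }


# Constructed sample shaped like the documented schema (placeholder values).
SAMPLE_REPORT = {
    "job_id": "job-id-placeholder",
    "sha256": "a" * 64,
    "verdict": "malicious",
    "threat_score": 87,
    "av_detect": 63,
    "hosts": ["203.0.113.10"],
    "domains": ["example.invalid"],
    "mitre_attcks": [
        {"tactic": "Execution", "attck_id": "T1059", "technique": "Command and Scripting Interpreter"},
        {"tactic": "Defense Evasion", "attck_id": "T1027", "technique": "Obfuscated Files or Information"},
        {"tactic": "Execution", "attck_id": "T1204", "technique": "User Execution"},
    ],
}

if __name__ == "__main__":
    print(report_identifier(sha256="a" * 64, environment_id=100))
    print(summarise_report(SAMPLE_REPORT))
```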
Parameter | Description |
---|---|
File Name | Specify the name of the file based on which you want to search for a report on the Hybrid Analysis server. |
File Type | Specify the type of the file based on which you want to search for a report on the Hybrid Analysis server. |
File Type Description | Specify the description of the file type based on which you want to search for a report on the Hybrid Analysis server. |
Environment ID | Specify the ID of the environment based on which you want to search for a report on the Hybrid Analysis. |
Verdict | Select the verdict of the Hybrid Analysis server after scanning the submitted file. You can select one of the following options: |
AV Multiscan range | Specify the AV Multiscan range of the file based on which you want to search for a report on the Hybrid Analysis server. |
AV Family Substring | Specify the AV Family Substring of the file based on which you want to search for a report on the Hybrid Analysis server. |
Hash Tag | Specify the hash tag of the file based on which you want to search for a report on the Hybrid Analysis server. |
Port | Specify the port of the file based on which you want to search for a report on the Hybrid Analysis server. |
Host | Specify the host of the file based on which you want to search for a report on the Hybrid Analysis server. |
Domain | Specify the domain of the file based on which you want to search for a report on the Hybrid Analysis server. |
HTTP Request Substring | Specify the HTTP Request Substring of the file based on which you want to search for a report on the Hybrid Analysis server. |
Similar Samples | Specify the samples that are similar to the submitted file that you want to search for a report on the Hybrid Analysis server. For example, files having a similar SHA value. |
Sample Context | Specify the samples that have a similar context to the submitted file that you want to search for a report on the Hybrid Analysis server. |
Start DateTime | Select the DateTime used to filter the result set so that it includes only those items that were created after the specified timestamp. |
End DateTime | Select the DateTime used to filter the result set so that it includes only those items that were created before the specified timestamp. |
IMP Hash | Specify the IMP Hash of the file based on which you want to search for a report on the Hybrid Analysis server. |
SS Deep | Specify the SS Deep of the file based on which you want to search for a report on the Hybrid Analysis server. |
Authenti Hash | Specify the Authentihash of the file based on which you want to search for a report on the Hybrid Analysis server. |
Uses Tactic | Specify the MITRE ATT&CK® tactic of the file based on which you want to search for a report on the Hybrid Analysis server. |
Uses Technique | Specify the MITRE ATT&CK® technique of the file based on which you want to search for a report on the Hybrid Analysis server. |
The output contains the following populated JSON schema:
{ "count": "", "result": [ { "vx_family": "", "verdict": "", "submit_name": "", "type_short": "", "job_id": "", "analysis_start_time": "", "environment_description": "", "threat_score": "", "av_detect": "", "sha256": "", "environment_id": "", "size": "", "type": "" } ], "search_terms": [ { "id": "", "value": "" } ] }
Parameter | Description |
---|---|
Job ID | Specify the ID of the file for which you want to retrieve details of the dropped file from the Hybrid Analysis server. You can get the job ID when you submit a sample file. NOTE: If you specify the Job ID, you do not need to specify File SHA256 or Environment ID. |
File SHA256 | Specify the SHA256 value of the file for which you want to retrieve details of the dropped file from the Hybrid Analysis server. You can get the SHA256 value when you submit a sample file. NOTE: If you specify File SHA256, then you must also specify the Environment ID. |
Environment ID | Specify the ID of the environment in which the submitted file was run and whose dropped-file details you want to retrieve from the Hybrid Analysis server. You can get the Environment ID when you submit a sample file. NOTE: If you specify Environment ID, then you must also specify the File SHA256. |
The output contains the following populated JSON schema:
{ "id": "", "@id": "", "file": { "id": "", "@id": "", "size": "", "uuid": "", "@type": "", "assignee": "", "filename": "", "metadata": [], "mimeType": "", "thumbnail": "", "uploadDate": "" }, "name": "", "type": "", "uuid": "", "@type": "", "@context": "", "assignee": "", "createDate": "", "createUser": { "id": "", "@id": "", "name": "", "uuid": "", "@type": "", "avatar": "", "userId": "", "userType": "", "createDate": "", "createUser": "", "modifyDate": "", "modifyUser": "" }, "modifyDate": "", "modifyUser": { "id": "", "@id": "", "name": "", "uuid": "", "@type": "", "avatar": "", "userId": "", "userType": "", "createDate": "", "createUser": "", "modifyDate": "", "modifyUser": "" }, "recordTags": [], "description": "" }
Parameter | Description |
---|---|
Job ID | Specify the ID of the file for which you want to retrieve the screenshots captured during analysis from the Hybrid Analysis server. You can get the job ID when you submit a sample file. NOTE: If you specify the Job ID, you do not need to specify File SHA256 or Environment ID. |
File SHA256 | Specify the SHA256 value of the file for which you want to retrieve the screenshots captured during analysis from the Hybrid Analysis server. You can get the SHA256 value when you submit a sample file. NOTE: If you specify File SHA256, then you must also specify the Environment ID. |
Environment ID | Specify the ID of the environment in which the submitted file was run and whose screenshots you want to retrieve from the Hybrid Analysis server. You can get the Environment ID when you submit a sample file. NOTE: If you specify Environment ID, then you must also specify the File SHA256. |
Attach Screenshots to FortiSOAR | If you select this option, i.e., set it to true, the sample screenshots are added to the FortiSOAR™ Attachments module. By default, this is set to false. |
The output contains the following populated JSON schema:
[ { "name": "", "image": "", "date": "" } ]
Parameter | Description |
---|---|
Job ID | Specify the ID of the submitted file for which you want to retrieve the state information from the Hybrid Analysis server. You can get the job ID when you submit a sample file. NOTE: If you specify the Job ID, you do not need to specify File SHA256 or Environment ID. |
File SHA256 | Specify the SHA256 value of the submitted file for which you want to retrieve the state information from the Hybrid Analysis server. You can get the SHA256 value when you submit a sample file. NOTE: If you specify File SHA256, then you must also specify the Environment ID. |
Environment ID | Specify the ID of the environment in which the submitted file was run and whose state information you want to retrieve from the Hybrid Analysis server. You can get the Environment ID when you submit a sample file. NOTE: If you specify Environment ID, then you must also specify the File SHA256. |
The output contains the following populated JSON schema:
{ "state": "", "error_type": "", "error_origin": "", "error": "", "related_reports": [] }
Input parameters: None.
The output contains the following populated JSON schema:
{ "count": "", "status": "", "data": [ { "job_id": "", "md5": "", "sha1": "", "sha256": "", "interesting": "", "analysis_start_time": "", "threat_score": "", "threat_level": "", "threat_level_human": "", "av_detect": "", "unknown": "", "submit_name": "", "url_analysis": "", "size": "", "type": "", "environment_id": "", "environment_description": "", "shared_analysis": "", "reliable": "", "report_url": "", "vt_detect": "", "ms_detect": "", "processes": [ { "uid": "", "name": "", "normalized_path": "", "command_line": "", "sha256": "" } ], "ssdeep": "" } ] }
Input parameters: None.
The output contains the following populated JSON schema:
{ "detonation": { "total": "", "apikey": { "quota": { "hour": "", "day": "", "week": "", "month": "", "year": "", "omega": "" }, "used": { "hour": "", "day": "", "week": "", "month": "", "year": "", "omega": "" }, "available": { "hour": "", "day": "", "week": "", "month": "", "year": "", "omega": "" }, "quota_reached": "" }, "quota_reached": "" }, "quick_scan": { "total": "", "apikey": "", "quota_reached": "" } }
The Sample - hybrid-analysis - 2.0.1 playbook collection comes bundled with the Hybrid Analysis connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Hybrid Analysis connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade or deletion.