# CrowdStrike Falcon Hybrid Analysis
The CrowdStrike Falcon Hybrid Analysis connector facilitates the submission and analysis of threats, offering detailed reports and threat intelligence directly within the integrated platform.

CrowdStrike Falcon Hybrid Analysis is a cutting-edge platform for comprehensive threat intelligence and malware analysis. This connector enables Swimlane Turbine users to automate the retrieval of detailed threat information, such as hash overviews, report states, and submission summaries. By integrating with CrowdStrike Falcon Hybrid Analysis, users can enhance their security automation workflows, rapidly assess potential threats, and streamline the threat investigation process. The connector's actions facilitate the submission of URLs for analysis and the search for specific terms or hashes, providing actionable insights and enabling proactive defense strategies.

## Prerequisites

To effectively utilize the CrowdStrike Falcon Hybrid Analysis connector, ensure you have the following prerequisites:

- API Key Authentication
  - URL: the endpoint URL for the CrowdStrike Falcon Hybrid Analysis API
  - API Key: a valid API key provided by CrowdStrike to authenticate requests

## Capabilities

The CrowdStrike Falcon Hybrid Analysis bundle has the following capabilities:

- Search for Hash
- Get Hash Overview
- Submit File
- Get Status of Submission
- Get Report
- Perform Quick Scan of File
- Search for Terms such as IPs, Domains, or URLs

## Notes

- For more information about the API and its capabilities: https://www.hybrid-analysis.com/docs/api/v2#/
- This plugin was last tested against product version v2 API.

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| api_key | API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Hash Overview

Retrieve a comprehensive overview for a specified SHA256 hash using CrowdStrike Falcon Hybrid Analysis, requiring the sha256 path parameter.

Endpoint URL: `overview/{{sha256}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sha256 | string | Required | Parameters for the Hash Overview action |

Input example:

```json
{"path_parameters": {"sha256": "string"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sha256 | string | Output field sha256 |
| last_file_name | string | Name of the resource |
| other_file_name | array | Name of the resource |
| threat_score | object | Score value |
| verdict | string | Output field verdict |
| url_analysis | boolean | URL endpoint for the request |
| size | number | Output field size |
| type | string | Type of the resource |
| type_short | array | Type of the resource |
| analysis_start_time | string | Time value |
| last_multi_scan | string | Output field last_multi_scan |
| tags | array | Output field tags |
| tags.file_name | string | Name of the resource |
| tags.file | string | Output field tags.file |
| architecture | object | Output field architecture |
| multiscan_result | number | Result of the operation |
| scanners | array | Output field scanners |
| scanners.name | string | Name of the resource |
| scanners.status | string | Status value |
| scanners.error_message | object | Response message |
| scanners.progress | number | Output field scanners.progress |
| scanners.total | number | Output field scanners.total |
| scanners.positives | number | Output field scanners.positives |

Output example (truncated in the source):

```json
{"status_code":200,"response_headers":{"date":"Tue, 08 Nov 2022 15:29:19 GMT","content-type":"application/json","transfer-encoding":"chunked","connection":"keep-alive","api-limits":"{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":2,\"hour\":4},\"limit-reached","api-version":"2.20.0","webservice-version":"16.2.2-60346862a","cache-control":"no-cache, no-store, must-revalidate","pragma":"no-cache","expires":"Wed, 11 Jan 1984 05:00:00 GMT","x-content-type-options":"nosniff","conte
```

### Report State

Retrieve the current state of a specific submission in CrowdStrike Falcon Hybrid Analysis using the provided submission ID.

Endpoint URL: `report/{{id}}/state`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | Parameters for the Report State action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| state | string | Output field state |
| error_type | string | Type of the resource |
| error_origin | string | Error message, if any |
| error | string | Error message, if any |
| related_reports | array | Output field related_reports |
| related_reports.file_name | string | Name of the resource |
| related_reports.file | string | Output field related_reports.file |

Output example (truncated in the source):

```json
{"status_code":200,"response_headers":{"date":"Tue, 08 Nov 2022 16:06:17 GMT","content-type":"application/json","transfer-encoding":"chunked","connection":"keep-alive","api-limits":"{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":1,\"hour\":7},\"limit-reached","api-version":"2.20.0","webservice-version":"16.2.2-60346862a","cache-control":"no-cache, no-store, must-revalidate","pragma":"no-cache","expires":"Wed, 11 Jan 1984 05:00:00 GMT","x-content-type-options":"nosniff","conte
```

### Report Summary

Retrieve a concise summary of a submission in CrowdStrike Falcon Hybrid Analysis using the provided submission ID.

Endpoint URL: `report/{{id}}/summary`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | Parameters for the Report Summary action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| classification_tags | array | Output field classification_tags |
| classification_tags.file_name | string | Name of the resource |
| classification_tags.file | string | Output field classification_tags.file |
| tags | array | Output field tags |
| submissions | array | Output field submissions |
| submissions.submission_id | string | Unique identifier |
| submissions.filename | object | Name of the resource |
| submissions.url | string | URL endpoint for the request |
| submissions.created_at | string | Output field submissions.created_at |
| machine_learning_models | array | Output field machine_learning_models |
| machine_learning_models.file_name | string | Name of the resource |
| machine_learning_models.file | string | Output field machine_learning_models.file |
| job_id | string | Unique identifier |
| environment_id | number | Unique identifier |
| environment_description | string | Output field environment_description |
| size | object | Output field size |
| type | object | Type of the resource |
| type_short | array | Type of the resource |
| type_short.file_name | string | Name of the resource |
| type_short.file | string | Type of the resource |
| target_url | object | URL endpoint for the request |
| state | string | Output field state |
| error_type | string | Type of the resource |

Output example (truncated in the source):

```json
{"status_code":200,"response_headers":{"date":"Tue, 08 Nov 2022 16:10:44 GMT","content-type":"application/json","transfer-encoding":"chunked","connection":"keep-alive","api-limits":"{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":1,\"hour\":8},\"limit-reached","api-version":"2.20.0","webservice-version":"16.2.2-60346862a","cache-control":"no-cache, no-store, must-revalidate","pragma":"no-cache","expires":"Wed, 11 Jan 1984 05:00:00 GMT","x-content-type-options":"nosniff","conte
```

### Search Hash

Locate a specific hash in CrowdStrike Falcon Hybrid Analysis to assess potential threats. Requires a hash parameter.

Endpoint URL: `search/hash`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.hash | string | Required | Parameters for the Search Hash action |

Input example:

```json
{"parameters": {"hash": "string"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| sha256s | array | Output field sha256s |
| reports | array | Output field reports |
| reports.id | string | Unique identifier |
| reports.environment_id | number | Unique identifier |
| reports.environment_description | string | Output field reports.environment_description |
| reports.state | string | Output field reports.state |
| reports.error_type | string | Type of the resource |
| reports.error_origin | string | Error message, if any |
| reports.verdict | string | Output field reports.verdict |

Output example (truncated in the source):

```json
{"status_code":200,"response_headers":{"date":"Tue, 08 Nov 2022 15:57:49 GMT","content-type":"application/json","transfer-encoding":"chunked","connection":"keep-alive","api-limits":"{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":1,\"hour\":6},\"limit-reached","api-version":"2.20.0","webservice-version":"16.2.2-60346862a","cache-control":"no-cache, no-store, must-revalidate","pragma":"no-cache","expires":"Wed, 11 Jan 1984 05:00:00 GMT","x-content-type-options":"nosniff","conte
```

### Search Terms

Retrieve relevant data from CrowdStrike Falcon Hybrid Analysis by using specified search terms.

Endpoint URL: `search/terms`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | Required | Data body |
| data_body.filename | string | Optional | Response data |
| data_body.filetype | string | Optional | Response data |
| data_body.filetype_desc | string | Optional | Response data |
| data_body.env_id | string | Optional | Response data |
| data_body.country | string | Optional | Response data |
| data_body.verdict | number | Optional | Response data |
| data_body.av_detect | string | Optional | Response data |
| data_body.vx_family | string | Optional | Response data |
| data_body.tag | string | Optional | Response data |
| data_body.date_from | string | Optional | Response data |
| data_body.date_to | string | Optional | Response data |
| data_body.port | number | Optional | Response data |
| data_body.host | string | Optional | Response data |
| data_body.domain | string | Optional | Response data |
| data_body.url | string | Optional | Response data |
| data_body.similar_to | string | Optional | Response data |
| data_body.context | string | Optional | Response data |
| data_body.imp_hash | string | Optional | Response data |
| data_body.ssdeep | string | Optional | Response data |
| data_body.autentihash | string | Optional | Response data |
| data_body.uses_tactic | string | Optional | Response data |
| data_body.uses_technique | string | Optional | Response data |

Input example:

```json
{"data_body": {"filename": "example_name", "filetype": "string", "filetype_desc": "string", "env_id": "string", "country": "string", "verdict": 123, "av_detect": "string", "vx_family": "string", "tag": "string", "date_from": "string", "date_to": "string", "port": 123, "host": "string", "domain": "string", "url": "https://example.com/api/resource", "similar_to": "string", "context": "string", "imp_hash": "string", "ssdeep": "string", "autentihash": "string", "uses_tactic": "string", "uses_technique": "string"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| search_terms | array | Output field search_terms |
| search_terms.id | string | Unique identifier |
| search_terms.value | string | Value for the parameter |
| count | number | Count value |
| result | array | Result of the operation |
| result.verdict | string | Result of the operation |
| result.av_detect | string | Result of the operation |
| result.threat_score | object | Result of the operation |
| result.vx_family | object | Result of the operation |
| result.job_id | string | Unique identifier |
| result.sha256 | string | Result of the operation |
| result.environment_id | object | Unique identifier |
| result.analysis_start_time | string | Result of the operation |
| result.submit_name | string | Name of the resource |
| result.environment_description | string | Result of the operation |
| result.size | number | Result of the operation |
| result.type | object | Type of the resource |
| result.type_short | string | Type of the resource |

Output example (truncated in the source):

```json
{"status_code":200,"response_headers":{"date":"Tue, 08 Nov 2022 16:59:53 GMT","content-type":"application/json","transfer-encoding":"chunked","connection":"keep-alive","api-limits":"{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":1,\"hour\":3},\"limit-reached","api-version":"2.20.0","webservice-version":"16.2.2-60346862a","cache-control":"no-cache, no-store, must-revalidate","pragma":"no-cache","expires":"Wed, 11 Jan 1984 05:00:00 GMT","x-content-type-options":"nosniff","conte
```

### Submit URL

Submit a URL to CrowdStrike Falcon Hybrid Analysis for detailed threat analysis, requiring a data_body input.

Endpoint URL: `submit/url`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | Required | Data body |
| data_body.url | string | Required | Response data |
| data_body.environment_id | number | Required | Response data |
| data_body.no_share_third_party | boolean | Optional | Response data |
| data_body.allow_community_access | boolean | Optional | Response data |
| data_body.no_hash_lookup | boolean | Optional | Response data |
| data_body.action_script | string | Optional | Response data |
| data_body.hybrid_analysis | boolean | Optional | Response data |
| data_body.experimental_anti_evasion | boolean | Optional | Set all experimental anti-evasion options of the Kernelmode Monitor |
| data_body.script_logging | boolean | Optional | Set the in-depth script logging engine of the Kernelmode Monitor |
| data_body.input_sample_tampering | boolean | Optional | When set to 'true', will allow experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample |
| data_body.tor_enabled_analysis | boolean | Optional | When set to 'true', will route the network traffic for the analysis via TOR (if properly configured on the server) |
| data_body.network_settings | string | Optional | Network settings; by default, a fully operating network is set |
| data_body.email | string | Optional | Optional e-mail address that may be associated with the submission for notification |
| data_body.comment | string | Optional | Optional comment text that may be associated with the submission/sample (note: you can use #tags here) |
| data_body.custom_date_time | string | Optional | Optional custom date/time that can be set for the analysis system. Expected format: yyyy-MM-dd HH:mm |
| data_body.custom_cmd_line | string | Optional | Optional command line that should be passed to the analysis file |
| data_body.custom_run_time | integer | Optional | Optional runtime duration (in seconds) |
| data_body.submit_name | string | Optional | Optional 'submission name' field that will be used for file type detection and analysis; ignored unless the URL contains a file |
| data_body.priority | integer | Optional | Optional priority value between 1 (lowest) and 10 (highest); by default all samples run with highest priority |
| data_body.document_password | string | Optional | Optional document password that will be used to fill in Adobe/Office password prompts; ignored unless the URL contains a file |
| data_body.environment_variable | string | Optional | Optional system environment value. The value is provided in the format name=value |

Input example:

```json
{"data_body": {"url": "https://example.com/api/resource", "environment_id": 123, "no_share_third_party": true, "allow_community_access": true, "no_hash_lookup": true, "action_script": "string", "hybrid_analysis": true, "experimental_anti_evasion": true, "script_logging": true, "input_sample_tampering": true, "tor_enabled_analysis": true, "network_settings": "default", "email": "user@example.com", "comment": "string", "custom_date_time": "string", "custom_cmd_line": "string", "custom_run_time": 123, "submit_name": "example_name", "priority": 123, "document_password": "string", "environment_variable": "string"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| submission_type | string | Type of the resource |
| job_id | string | Unique identifier |
| submission_id | string | Unique identifier |
| environment_id | number | Unique identifier |
| sha256 | string | Output field sha256 |

Output example (truncated in the source):

```json
{"status_code":201,"response_headers":{"date":"Tue, 08 Nov 2022 21:51:03 GMT","content-type":"application/json","content-length":"206","connection":"keep-alive","api-limits":"{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":2,\"hour\":2},\"limit-reached","api-version":"2.20.0","webservice-version":"16.2.2-60346862a","submission-limits":"{\"apikey\":{\"quota\":{\"day\":100},\"used\":{\"day\":1},\"available\":{\"day\":99},\"quota-re","cache-control":"no-cache, no-store, must-r
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| api-limits | HTTP response header api-limits | `{"limits":{"minute":200,"hour":2000},"used":{"minute":1,"hour":6},"limit-reached":false}` |
| api-version | HTTP response header api-version | 2.20.0 |
| cache-control | Directives for caching mechanisms | no-cache, no-store, must-revalidate |
| cf-cache-status | HTTP response header cf-cache-status | DYNAMIC |
| cf-ray | HTTP response header cf-ray | 766f9497ea51a790-EZE |
| connection | HTTP response header connection | keep-alive |
| content-encoding | HTTP response header content-encoding | gzip |
| content-length | The length of the response body in bytes | 206 |
| content-security-policy | HTTP response header content-security-policy | default-src 'none'; connect-src 'self' twitter.com; script-src 'self' google.com gstatic.com google-analytics.com twitter.com twimg.com cdn.inspectlet.com frontend.id-visitors.com 'unsafe-inline'; font-src 'self' data: fonts.googleapis.com; child-src 'self' data: google.com gstatic.com twitter.com; img-src 'self' data: gstatic.com google.com google-analytics.com stats.g.doubleclick.net twitter.com twimg.com paypalobjects.com cartodb-basemaps-a.global.ssl.fastly.net cartodb-basemaps-b.global.ssl.fastly.net cartodb-basemaps-c.global.ssl.fastly.net; style-src 'self' google.com twitter.com twimg.com 'unsafe-inline'; object-src 'self'; frame-ancestors 'none' |
| content-type | The media type of the resource | application/json |
| date | The date and time at which the message was originated | Tue, 08 Nov 2022 15:29:19 GMT |
| expires | The date/time after which the response is considered stale | Wed, 11 Jan 1984 05:00:00 GMT |
| pragma | HTTP response header pragma | no-cache |
| server | Information about the software used by the origin server | cloudflare |
| strict-transport-security | HTTP response header strict-transport-security | max-age=31536000; includeSubDomains |
| submission-limits | HTTP response header submission-limits | `{"apikey":{"quota":{"day":100},"used":{"day":1},"available":{"day":99},"quota-reached":false},"quota-reached":false}` |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| webservice-version | HTTP response header webservice-version | 16.2.2-60346862a |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
| x-frame-options | HTTP response header x-frame-options | SAMEORIGIN, SAMEORIGIN |
| x-xss-protection | HTTP response header x-xss-protection | 1; mode=block |
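The quota check a playbook needs before calling Submit URL, built from the api-limits and submission-limits headers and the Submit URL input table above, as an added Python example that is neither the connector's nor Hybrid Analysis' own code. The API root URL, the `api-key` request header name and the sample header values are assumptions (the latter copied from the Response Headers table).

```python
import json

BASE_URL = "https://www.hybrid-analysis.com/api/v2"  # assumed endpoint root

# Optional submit/url body fields, as listed in the action's input table.
SUBMIT_URL_OPTIONS = {
    "no_share_third_party", "allow_community_access", "no_hash_lookup", "action_script",
    "hybrid_analysis", "experimental_anti_evasion", "script_logging", "input_sample_tampering",
    "tor_enabled_analysis", "network_settings", "email", "comment", "custom_date_time",
    "custom_cmd_line", "custom_run_time", "submit_name", "priority", "document_password",
    "environment_variable",
}

# Constructed sample headers, copied from the Response Headers table above.
SAMPLE_HEADERS = {
    "api-limits": '{"limits":{"minute":200,"hour":2000},"used":{"minute":1,"hour":6},"limit-reached":false}',
    "submission-limits": '{"apikey":{"quota":{"day":100},"used":{"day":1},"available":{"day":99},'
                         '"quota-reached":false},"quota-reached":false}',
}


def parse_limits(headers):
    """Remaining calls per window from api-limits / submission-limits; unknown windows stay None."""
    h = {k.lower(): v for k, v in headers.items()}
    out = {"minute": None, "hour": None, "day": None, "limit_reached": False}
    if "api-limits" in h:
        api = json.loads(h["api-limits"])
        for window in ("minute", "hour"):
            out[window] = api["limits"][window] - api["used"][window]
        out["limit_reached"] = bool(api.get("limit-reached", False))
    if "submission-limits" in h:
        sub = json.loads(h["submission-limits"])
        out["day"] = sub["apikey"]["available"]["day"]
        out["limit_reached"] = out["limit_reached"] or bool(sub.get("quota-reached", False))
    return out


def may_submit(headers, reserve=5):
    """False once a limit flag is set or any known window has `reserve` or fewer calls left."""
    lim = parse_limits(headers)
    if lim["limit_reached"]:
        return False
    return all(v is None or v > reserve for v in (lim["minute"], lim["hour"], lim["day"]))


def submit_url_request(api_key, url, environment_id, **options):
    """Build the Submit URL call as (method, full_url, headers, json_body);
    rejects fields the action does not define and an out-of-range priority."""
    unknown = set(options) - SUBMIT_URL_OPTIONS
    if unknown:
        raise ValueError(f"unsupported submit/url fields: {sorted(unknown)}")
    if "priority" in options and not 1 <= options["priority"] <= 10:
        raise ValueError("priority must be between 1 (lowest) and 10 (highest)")
    body = {"url": url, "environment_id": environment_id, **options}
    headers = {"api-key": api_key, "accept": "application/json"}  # header name assumed
    return "POST", f"{BASE_URL}/submit/url", headers, body
```

Feed the headers of the previous response into `may_submit` before the next call, so the playbook pauses on its own instead of waiting for the API to reject it.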