# CrowdStrike Falcon Hybrid Analysis
The CrowdStrike Falcon Hybrid Analysis connector facilitates the submission and analysis of threats, offering detailed reports and threat intelligence directly within the integrated platform.

CrowdStrike Falcon Hybrid Analysis is a platform for threat intelligence and malware analysis. This connector enables Swimlane Turbine users to automate the retrieval of detailed threat information, such as hash overviews, report states, and submission summaries. By integrating with CrowdStrike Falcon Hybrid Analysis, users can enhance their security automation workflows, rapidly assess potential threats, and streamline the threat investigation process. The connector's actions facilitate the submission of URLs for analysis and the search for specific terms or hashes, providing actionable insights and enabling proactive defense strategies.

## Prerequisites

To use the CrowdStrike Falcon Hybrid Analysis connector, ensure you have the following:

API Key Authentication

- URL: the endpoint URL for the CrowdStrike Falcon Hybrid Analysis API
- API Key: a valid API key provided by CrowdStrike to authenticate requests

## Capabilities

The CrowdStrike Falcon Hybrid Analysis bundle has the following capabilities:

- Search for Hash
- Get Hash Overview
- Submit File
- Get Status of Submission
- Get Report
- Perform Quick Scan of File
- Search for Terms such as IPs, Domains, or URLs

## Configurations

### API Key Authentication

Authenticates using an API key that is sent with every request.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| API Key | API key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

Leave Verify SSL enabled unless you are deliberately routing through an inspecting proxy you control: the API key travels in a request header, so a connection whose certificate is not checked exposes the key to anyone who can intercept the traffic.

## Actions

The actions documented below cover hash overview, report state, report summary, hash search, term search, and URL submission; file submission and quick scan are listed as capabilities but have no action documented on this page. Long header values in the examples (`api-limits`, `content-security-policy`, `submission-limits`) are abbreviated; the Response Headers section lists them in full.

### Hash Overview

Retrieve a comprehensive overview for a specified SHA256 hash using CrowdStrike Falcon Hybrid Analysis, requiring the `sha256` path parameter.

Endpoint URL: `overview/{{sha256}}`
Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| sha256 | string | required | SHA256 hash of the sample to look up |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sha256 | string | SHA256 hash of the sample |
| last_file_name | string | Last file name seen for the sample |
| other_file_name | array | Other file names seen for the sample |
| threat_score | object | Threat score |
| verdict | string | Analysis verdict |
| url_analysis | boolean | Whether the entry is a URL analysis |
| size | number | Sample size |
| type | string | File type |
| type_short | array | Short file type identifiers |
| analysis_start_time | string | Analysis start time |
| last_multi_scan | string | Time of the last multi-scan |
| tags | array | Tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| architecture | object | Architecture |
| multiscan_result | number | Multi-scan result |
| scanners | array | Scanner results |
| scanners[].name | string | Scanner name |
| scanners[].status | string | Scanner status |
| scanners[].error_message | object | Scanner error message, if any |
| scanners[].progress | number | Scan progress |
| scanners[].total | number | Total number of engines |
| scanners[].positives | number | Number of positive detections |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Tue, 08 Nov 2022 15:29:19 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "api-limits": "{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":2,\"hour\":4},\"limit_reached",
      "api-version": "2.20.0",
      "webservice-version": "16.2.2-60346862a",
      "cache-control": "no-cache, no-store, must-revalidate",
      "pragma": "no-cache",
      "expires": "Wed, 11 Jan 1984 05:00:00 GMT",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'none'; connect-src 'self' twitter.com; script-src 'self' google",
      "x-xss-protection": "1; mode=block",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN, SAMEORIGIN"
    },
    "reason": "OK",
    "json_body": {
      "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
      "last_file_name": "bounty_32464574322730363",
      "other_file_name": [],
      "threat_score": null,
      "verdict": "no specific threat",
      "url_analysis": false,
      "size": 3,
      "type": "ASCII text, with no line terminators",
      "type_short": [],
      "analysis_start_time": "2019-12-23T18:02:45+00:00",
      "last_multi_scan": "2022-09-16T16:36:04+00:00",
      "tags": [],
      "architecture": null,
      "multiscan_result": 0,
      "scanners": []
    }
  }
]
```

### Report State

Retrieve the current state of a specific submission in CrowdStrike Falcon Hybrid Analysis using the provided submission ID.

Endpoint URL: `report/{{id}}/state`
Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Submission identifier (for example, the `job_id` returned by Submit URL) |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| state | string | Current state of the report |
| error_type | string | Type of error, if any |
| error_origin | string | Origin of the error, if any |
| error | string | Error message, if any |
| related_reports | array | Related reports |
| file_name | string | Name of the resource |
| file | string | Output field file |

A submission can finish in the `ERROR` state with an HTTP 200, as in the example below, so a workflow must branch on `state` rather than on the status code alone.

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Tue, 08 Nov 2022 16:06:17 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "api-limits": "{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":1,\"hour\":7},\"limit_reached",
      "api-version": "2.20.0",
      "webservice-version": "16.2.2-60346862a",
      "cache-control": "no-cache, no-store, must-revalidate",
      "pragma": "no-cache",
      "expires": "Wed, 11 Jan 1984 05:00:00 GMT",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'none'; connect-src 'self' twitter.com; script-src 'self' google",
      "x-xss-protection": "1; mode=block",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN, SAMEORIGIN"
    },
    "reason": "OK",
    "json_body": {
      "state": "ERROR",
      "error_type": "FILE_TYPE_BAD_ERROR",
      "error_origin": "CLIENT",
      "error": "File \"sample url\" was detected as \"URL\", this format is not supported on Linux",
      "related_reports": []
    }
  }
]
```
### Report Summary

Retrieve a concise summary of a submission in CrowdStrike Falcon Hybrid Analysis using the provided submission ID.

Endpoint URL: `report/{{id}}/summary`
Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Submission identifier (for example, the `job_id` returned by Submit URL) |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| classification_tags | array | Classification tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| tags | array | Tags |
| submissions | array | Submissions of this sample |
| submissions[].submission_id | string | Submission identifier |
| submissions[].filename | object | Submitted file name |
| submissions[].url | string | Submitted URL |
| submissions[].created_at | string | Submission time |
| machine_learning_models | array | Machine learning model results |
| job_id | string | Job identifier |
| environment_id | number | Environment identifier |
| environment_description | string | Environment description |
| size | object | Sample size |
| type | object | File type |
| type_short | array | Short file type identifiers |
| target_url | object | Target URL |
| state | string | Current state of the report |
| error_type | string | Type of error, if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Tue, 08 Nov 2022 16:10:44 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "api-limits": "{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":1,\"hour\":8},\"limit_reached",
      "api-version": "2.20.0",
      "webservice-version": "16.2.2-60346862a",
      "cache-control": "no-cache, no-store, must-revalidate",
      "pragma": "no-cache",
      "expires": "Wed, 11 Jan 1984 05:00:00 GMT",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'none'; connect-src 'self' twitter.com; script-src 'self' google",
      "x-xss-protection": "1; mode=block",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN, SAMEORIGIN"
    },
    "reason": "OK",
    "json_body": {
      "classification_tags": [],
      "tags": [],
      "submissions": [],
      "machine_learning_models": [],
      "job_id": "6324a9d41fe6d26b555927f6",
      "environment_id": 300,
      "environment_description": "Linux (Ubuntu 16.04, 64 bit)",
      "size": null,
      "type": null,
      "type_short": [],
      "target_url": null,
      "state": "ERROR",
      "error_type": "FILE_TYPE_BAD_ERROR",
      "error_origin": "CLIENT",
      "submit_name": "http://google.com/"
    }
  }
]
```

### Search Hash

Locate a specific hash in CrowdStrike Falcon Hybrid Analysis to assess potential threats. Requires a `hash` parameter.

Endpoint URL: `search/hash`
Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| hash | string | required | Hash to search for |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| sha256s | array | Matching SHA256 hashes |
| reports | array | Matching reports |
| reports[].id | string | Report identifier |
| reports[].environment_id | number | Environment identifier |
| reports[].environment_description | string | Environment description |
| reports[].state | string | Report state |
| reports[].error_type | string | Type of error, if any |
| reports[].error_origin | string | Origin of the error, if any |
| reports[].verdict | string | Analysis verdict |

An unknown hash returns HTTP 200 with empty `sha256s` and `reports` arrays, as in the example below, so "no result" has to be distinguished from "benign" in the workflow.

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Tue, 08 Nov 2022 15:57:49 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "api-limits": "{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":1,\"hour\":6},\"limit_reached",
      "api-version": "2.20.0",
      "webservice-version": "16.2.2-60346862a",
      "cache-control": "no-cache, no-store, must-revalidate",
      "pragma": "no-cache",
      "expires": "Wed, 11 Jan 1984 05:00:00 GMT",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'none'; connect-src 'self' twitter.com; script-src 'self' google",
      "x-xss-protection": "1; mode=block"
    },
    "json_body": {
      "sha256s": [],
      "reports": []
    }
  }
]
```
### Search Terms

Retrieve relevant data from CrowdStrike Falcon Hybrid Analysis by using specified search terms.

Endpoint URL: `search/terms`
Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| data_body | object | required | Data body |
| filename | string | optional | File name |
| filetype | string | optional | File type |
| filetype_desc | string | optional | File type description |
| env_id | string | optional | Environment identifier |
| country | string | optional | Country |
| verdict | number | optional | Verdict |
| av_detect | string | optional | AV detection |
| vx_family | string | optional | Malware family |
| tag | string | optional | Tag |
| date_from | string | optional | Start of the date range |
| date_to | string | optional | End of the date range |
| port | number | optional | Port |
| host | string | optional | Host |
| domain | string | optional | Domain |
| url | string | optional | URL |
| similar_to | string | optional | Find samples similar to this one |
| context | string | optional | Context |
| imp_hash | string | optional | Import hash |
| ssdeep | string | optional | ssdeep fuzzy hash |
| authentihash | string | optional | Authentihash |
| uses_tactic | string | optional | MITRE ATT&CK tactic used |
| uses_technique | string | optional | MITRE ATT&CK technique used |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| search_terms | array | Search terms that were applied |
| search_terms[].id | string | Term identifier |
| search_terms[].value | string | Term value |
| count | number | Number of matches |
| result | array | Matching samples |
| result[].verdict | string | Analysis verdict |
| result[].av_detect | string | AV detection |
| result[].threat_score | object | Threat score |
| result[].vx_family | object | Malware family |
| result[].job_id | string | Job identifier |
| result[].sha256 | string | SHA256 hash of the sample |
| result[].environment_id | object | Environment identifier |
| result[].analysis_start_time | string | Analysis start time |
| result[].submit_name | string | Submission name |
| result[].environment_description | string | Environment description |
| result[].size | number | Sample size |
| result[].type | object | File type |
| result[].type_short | string | Short file type identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Tue, 08 Nov 2022 16:59:53 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "api-limits": "{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":1,\"hour\":3},\"limit_reached",
      "api-version": "2.20.0",
      "webservice-version": "16.2.2-60346862a",
      "cache-control": "no-cache, no-store, must-revalidate",
      "pragma": "no-cache",
      "expires": "Wed, 11 Jan 1984 05:00:00 GMT",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'none'; connect-src 'self' twitter.com; script-src 'self' google",
      "x-xss-protection": "1; mode=block",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN, SAMEORIGIN"
    },
    "reason": "OK",
    "json_body": {
      "search_terms": [],
      "count": 88,
      "result": []
    }
  }
]
```

### Submit URL

Submit a URL to CrowdStrike Falcon Hybrid Analysis for detailed threat analysis. Requires a data body input.

Endpoint URL: `submit/url`
Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| data_body | object | required | Data body |
| url | string | required | URL to analyze |
| environment_id | number | required | Environment identifier |
| no_share_third_party | boolean | optional | Parameter for Submit URL |
| allow_community_access | boolean | optional | Parameter for Submit URL |
| no_hash_lookup | boolean | optional | Parameter for Submit URL |
| action_script | string | optional | Parameter for Submit URL |
| hybrid_analysis | boolean | optional | Parameter for Submit URL |
| experimental_anti_evasion | boolean | optional | Set all experimental anti-evasion options of the Kernelmode Monitor |
| script_logging | boolean | optional | Set the in-depth script logging engine of the Kernelmode Monitor |
| input_sample_tampering | boolean | optional | When set to `true`, allows experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample |
| tor_enabled_analysis | boolean | optional | When set to `true`, routes the network traffic for the analysis via Tor (if properly configured on the server) |
| network_settings | string | optional | Network settings; by default a fully operating network is set |
| email | string | optional | Optional e-mail address that may be associated with the submission for notification |
| comment | string | optional | Optional comment text that may be associated with the submission/sample (note: you can use #tags here) |
| custom_date_time | string | optional | Optional custom date/time that can be set for the analysis system; expected format is yyyy-MM-dd HH:mm |
| custom_cmd_line | string | optional | Optional command line that should be passed to the analysis file |
| custom_run_time | integer | optional | Optional runtime duration (in seconds) |
| submit_name | string | optional | Optional "submission name" field that will be used for file type detection and analysis; ignored unless the URL contains a file |
| priority | integer | optional | Optional priority value between 1 (lowest) and 10 (highest); by default all samples run with highest priority |
| document_password | string | optional | Optional document password that will be used to fill in Adobe/Office password prompts; ignored unless the URL contains a file |
| environment_variable | string | optional | Optional system environment value, provided in the format name=value |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| submission_type | string | Type of submission |
| job_id | string | Job identifier |
| submission_id | string | Submission identifier |
| environment_id | number | Environment identifier |
| sha256 | string | SHA256 hash of the submitted sample |

A successful submission returns HTTP 201 rather than 200. The `submission-limits` response header reports the daily submission quota of the API key, separately from the per-request `api-limits` header; a playbook that submits in bulk should read both.

Example:

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "date": "Tue, 08 Nov 2022 21:51:03 GMT",
      "content-type": "application/json",
      "content-length": "206",
      "connection": "keep-alive",
      "api-limits": "{\"limits\":{\"minute\":200,\"hour\":2000},\"used\":{\"minute\":2,\"hour\":2},\"limit_reached",
      "api-version": "2.20.0",
      "webservice-version": "16.2.2-60346862a",
      "submission-limits": "{\"apikey\":{\"quota\":{\"day\":100},\"used\":{\"day\":1},\"available\":{\"day\":99},\"quota_re",
      "cache-control": "no-cache, no-store, must-revalidate",
      "pragma": "no-cache",
      "expires": "Wed, 11 Jan 1984 05:00:00 GMT",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'none'; connect-src 'self' twitter.com; script-src 'self' google",
      "x-xss-protection": "1; mode=block",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "reason": "Created",
    "json_body": {
      "submission_type": "page_url",
      "job_id": "5dd714f8c25f57295a42005b",
      "submission_id": "636acf47e5a08e698c0be584",
      "environment_id": 120,
      "sha256": "a7a6b9131bde3584fe6239ac1ec996979b3e30a3dfb89269f0d8501815ed7634"
    }
  }
]
```
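The block below is an added example serving both POST actions above (Search Terms and Submit URL); it is not the connector's code. It builds the two request bodies from the field names documented in the input tables, rejecting undocumented field names and non-http(s) submission URLs before anything is sent, and it parses the `api-limits` and `submission-limits` headers of the previous reply into a simple "may we submit again" gate. The sample header values are copied from this page; the assumption that the endpoints take form-encoded bodies with string booleans, and all function names, are this example's own.

```python
"""Request bodies for Search Terms and Submit URL, plus a quota gate read from
the api-limits and submission-limits headers.  Added example, not the
connector's code.  Assumption: HA v2 takes form-encoded POST bodies using the
field names documented above and returns both limit headers as JSON strings."""
import json
from urllib.parse import urlencode, urlsplit

SEARCH_TERM_FIELDS = {
    "filename", "filetype", "filetype_desc", "env_id", "country", "verdict",
    "av_detect", "vx_family", "tag", "date_from", "date_to", "port", "host",
    "domain", "url", "similar_to", "context", "imp_hash", "ssdeep",
    "authentihash", "uses_tactic", "uses_technique",
}
SUBMIT_URL_OPTIONS = {
    "no_share_third_party", "allow_community_access", "no_hash_lookup",
    "action_script", "hybrid_analysis", "experimental_anti_evasion",
    "script_logging", "input_sample_tampering", "tor_enabled_analysis",
    "network_settings", "email", "comment", "custom_date_time",
    "custom_cmd_line", "custom_run_time", "submit_name", "priority",
    "document_password", "environment_variable",
}


def _form(fields):
    """Form-encode, rendering Python booleans as the strings true/false (assumption)."""
    return urlencode({k: ("true" if v is True else "false" if v is False else v)
                      for k, v in fields.items()})


def build_search_terms_body(**filters):
    """Body for POST search/terms: undocumented names are rejected rather than
    silently forwarded, and empty filters are dropped."""
    unknown = set(filters) - SEARCH_TERM_FIELDS
    if unknown:
        raise ValueError(f"unsupported search term(s): {sorted(unknown)}")
    present = {k: v for k, v in filters.items() if v not in (None, "")}
    if not present:
        raise ValueError("at least one search term is required")
    return _form(present)


def build_submit_url_body(url, environment_id, **options):
    """Body for POST submit/url.  Only absolute http(s) URLs are accepted so a
    workflow cannot be steered into submitting file:// or other schemes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("url must be an absolute http(s) URL")
    unknown = set(options) - SUBMIT_URL_OPTIONS
    if unknown:
        raise ValueError(f"unsupported option(s): {sorted(unknown)}")
    if "priority" in options and not 1 <= int(options["priority"]) <= 10:
        raise ValueError("priority must be between 1 and 10")
    return _form({"url": url, "environment_id": int(environment_id), **options})


def _json_header(headers, name):
    """The limit headers carry JSON; an absent or truncated value yields None."""
    try:
        return json.loads(headers.get(name, ""))
    except ValueError:
        return None


def submission_budget(headers):
    """(requests left this minute, submissions left today); None means unknown."""
    api = _json_header(headers, "api-limits")
    sub = _json_header(headers, "submission-limits")
    minute_left = day_left = None
    if api:
        minute_left = 0 if api.get("limit_reached") else (
            api["limits"]["minute"] - api["used"]["minute"])
    if sub:
        key = sub.get("apikey", {})
        day_left = 0 if key.get("quota_reached") else key.get("available", {}).get("day")
    return minute_left, day_left


def can_submit(headers):
    """Gate the next Submit URL call on the quotas reported by the last reply.
    An unknown budget does not block; an exhausted one does."""
    return all(b is None or b > 0 for b in submission_budget(headers))


# Constructed headers, copied from the Response Headers section of this page.
SAMPLE_HEADERS = {
    "api-limits": '{"limits":{"minute":200,"hour":2000},"used":{"minute":1,"hour":7},"limit_reached":false}',
    "submission-limits": '{"apikey":{"quota":{"day":100},"used":{"day":1},'
                         '"available":{"day":99},"quota_reached":false},"quota_reached":false}',
}

if __name__ == "__main__":
    print(submission_budget(SAMPLE_HEADERS), can_submit(SAMPLE_HEADERS))
    print(build_submit_url_body("http://google.com/", 120, no_share_third_party=True))
```

`submission_budget` deliberately returns `None` for a header it cannot parse, which is exactly what happens with the abbreviated values shown in the examples on this page; a connector that instead assumed "no parse, no limit" would keep submitting after the daily quota is gone and start collecting errors.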
## Response Headers

| Header | Description | Example |
|---|---|---|
| api-limits | Per-minute and per-hour request limits of the API key and current usage, as a JSON string | {"limits":{"minute":200,"hour":2000},"used":{"minute":1,"hour":7},"limit_reached":false} |
| api-version | API version | 2.20.0 |
| cache-control | Directives for caching mechanisms | no-cache, no-store, must-revalidate |
| cf-cache-status | Cloudflare cache status | DYNAMIC |
| cf-ray | Cloudflare request identifier | 766fdb664a58c80f-EZE |
| connection | HTTP response header connection | keep-alive |
| content-encoding | HTTP response header content-encoding | gzip |
| content-length | The length of the response body in bytes | 206 |
| content-security-policy | Content Security Policy of the response | default-src 'none'; connect-src 'self' twitter.com; script-src 'self' google.com gstatic.com google-analytics.com twitter.com twimg.com cdn.inspectlet.com frontend.id-visitors.com 'unsafe-inline'; font-src 'self' data: fonts.googleapis.com; child-src 'self' data: google.com gstatic.com twitter.com; img-src 'self' data: gstatic.com google.com google-analytics.com stats.g.doubleclick.net twitter.com twimg.com paypalobjects.com cartodb-basemaps-a.global.ssl.fastly.net cartodb-basemaps-b.global.ssl.fastly.net cartodb-basemaps-c.global.ssl.fastly.net; style-src 'self' google.com twitter.com twimg.com 'unsafe-inline'; object-src 'self'; frame-ancestors 'none' |
| content-type | The media type of the resource | application/json |
| date | The date and time at which the message was originated | Tue, 08 Nov 2022 16:06:17 GMT |
| expires | The date/time after which the response is considered stale | Wed, 11 Jan 1984 05:00:00 GMT |
| pragma | HTTP response header pragma | no-cache |
| server | Information about the software used by the origin server | cloudflare |
| strict-transport-security | HTTP Strict Transport Security policy | max-age=31536000; includeSubDomains |
| submission-limits | Daily submission quota of the API key and current usage, as a JSON string | {"apikey":{"quota":{"day":100},"used":{"day":1},"available":{"day":99},"quota_reached":false},"quota_reached":false} |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| webservice-version | Web service version | 16.2.2-60346862a |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
| x-frame-options | HTTP response header x-frame-options | SAMEORIGIN, SAMEORIGIN |
| x-xss-protection | HTTP response header x-xss-protection | 1; mode=block |

Only `api-limits` and `submission-limits` carry information a workflow should act on: both are JSON documents embedded in a header value, and both are reported per API key, so a key shared by several playbooks shares one budget.

## Notes

For more information about the API and its capabilities, see the API documentation: https://www.hybrid-analysis.com/docs/api/v2#/

This plugin was last tested against product version v2 API.