Enricher - HybridAnalysis

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specifications

Enricher name: HybridAnalysis Enricher

Input: Hashes (hash-md5, hash-sha256, hash-sha1), ipv4, and domains.

Output: Indicator entities and related TTP (malware and attack technique) entities.

API endpoint: https://www.hybrid-analysis.com/api/v2

Description: Enriches hash, IPv4 and domain observables and creates indicators. The enricher also produces TTP entities and relationships between them and the MITRE ATT&CK entities in the platform.

Requirements

You need an API key. Sign up for the service and subscribe to obtain the credentials required to access the API endpoint.

Configure the enricher parameters

  1. Edit the enricher.

  2. From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the HybridAnalysis enricher.

  3. The API URL field is automatically filled in with the default endpoint. You can point it at a proxy or change the port if your environment requires it; keep the scheme as https, because the API key is sent with every request.
    Default value: https://www.hybrid-analysis.com/api/v2.

  4. In the API key field, enter the API key associated with your API user profile. The enricher authenticates every request to the API with this key.

  5. The SSL verification checkbox is selected by default. Leave it selected: disabling certificate verification lets any host on the network path impersonate the endpoint and capture the API key and the observables you submit.

  6. In the Path to SSL certificate field, you can enter the path to a PEM file containing the CA certificate(s) to trust, for example when requests go through an intercepting proxy that re-signs TLS traffic.
    You can leave the field blank if the endpoint's certificate chains to a CA the platform already trusts.

  7. In the Indicator half-life field, enter a value between 0 and 100.
    You can specify the half-life for indicator entities created with the HybridAnalysis Enricher.
    Default value: 30.

  8. In the Indicator confidence threshold (low) field, enter a value between 0 and 100.
    After the analysis completes, enriched entities whose HybridAnalysis risk score is higher than this value, but not higher than the medium or high indicator thresholds, are flagged as Indicator with low confidence.
    Default value: 0.

  9. In the Indicator confidence threshold (medium) field, enter a value between 0 and 100.
    Enriched entities whose risk score is higher than this value, but not higher than the high indicator threshold, are flagged as Indicator with medium confidence.
    Default value: 70.

  10. In the Indicator confidence threshold (high) field, enter a value between 0 and 100.
    Enriched entities whose risk score is higher than this value are flagged as Indicator with high confidence.
    Default value: 70.
    Note that with the default values the medium and high indicator thresholds coincide, so no entity can be flagged as Indicator with medium confidence until you set the medium threshold below the high one. An entity is always assigned the highest confidence band whose threshold its score exceeds.

  11. In the Malware confidence threshold (low) field, enter a value between 0 and 100.
    Enriched entities whose HybridAnalysis risk score is higher than this value, but not higher than the medium or high malware thresholds, are flagged as Malware with low confidence.
    Default value: 0.

  12. In the Malware confidence threshold (medium) field, enter a value between 0 and 100.
    Enriched entities whose risk score is higher than this value, but not higher than the high malware threshold, are flagged as Malware with medium confidence.
    Default value: 70.

  13. In the Malware confidence threshold (high) field, enter a value between 0 and 100.
    Enriched entities whose risk score is higher than this value are flagged as Malware with high confidence.
    Default value: 70.
    The same caveat applies here: with the default values the medium malware band is empty until you lower the medium threshold below the high one.

  14. The checkboxes Ingest mitre attacks with verdict value “informative”, “suspicious” and “malicious” are optional. Select the verdict levels for which you want MITRE ATT&CK techniques reported by HybridAnalysis to be ingested as TTP entities; leaving “informative” unselected avoids creating TTPs for low-signal observations.

  15. To store your changes, click Save; to discard them, click Cancel.
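The thresholds in steps 8 through 13 interact: an entity receives the highest confidence band whose threshold its risk score exceeds, so any band whose threshold is equal to or higher than the next band up can never be assigned. The following Python is added here as an example and is not the enricher's or HybridAnalysis's own code; it reproduces that logic under the assumption that comparisons are strict (the field descriptions say "higher than") and lets you check a proposed threshold configuration for empty bands before you click Save.

```python
"""Added example (not platform code): model the enricher's threshold-to-confidence
mapping and detect unreachable confidence bands in a proposed configuration.

Assumptions (not stated verbatim on the page):
  - a score must be strictly higher than a threshold to clear it;
  - the high band is tested first, then medium, then low.
"""
from dataclasses import dataclass
from typing import List, Optional

BANDS = ("low", "medium", "high")


@dataclass(frozen=True)
class Thresholds:
    """One set of low/medium/high thresholds, as entered in the enricher form."""
    low: int = 0        # page default for the low threshold
    medium: int = 70    # page default for the medium threshold
    high: int = 70      # page default for the high threshold

    def __post_init__(self) -> None:
        # The form accepts only values between 0 and 100; enforce the same range here.
        for name in BANDS:
            value = getattr(self, name)
            if not 0 <= value <= 100:
                raise ValueError(f"{name} threshold must be between 0 and 100, got {value}")


def confidence_for(score: int, t: Thresholds) -> Optional[str]:
    """Return the confidence band a HybridAnalysis risk score (0-100) would receive,
    or None when the score does not clear the low threshold."""
    if not 0 <= score <= 100:
        raise ValueError(f"risk score must be between 0 and 100, got {score}")
    if score > t.high:
        return "high"
    if score > t.medium:
        return "medium"
    if score > t.low:
        return "low"
    return None


def band_ranges(t: Thresholds) -> dict:
    """Return, for each band, the (min, max) scores that map to it, or None if no score does."""
    ranges = {}
    for band in BANDS:
        scores = [s for s in range(101) if confidence_for(s, t) == band]
        ranges[band] = (scores[0], scores[-1]) if scores else None
    return ranges


def unreachable_bands(t: Thresholds) -> List[str]:
    """List the bands that no score can ever be assigned with these thresholds."""
    return [band for band, rng in band_ranges(t).items() if rng is None]


def describe(t: Thresholds) -> str:
    """Human-readable summary, useful when reviewing a configuration with colleagues."""
    lines = [f"thresholds: low>{t.low} medium>{t.medium} high>{t.high}"]
    for band, rng in band_ranges(t).items():
        lines.append(f"  {band:<6}: " + ("no score reaches this band" if rng is None
                                          else f"scores {rng[0]}-{rng[1]}"))
    return "\n".join(lines)


if __name__ == "__main__":
    # With the page defaults (0 / 70 / 70) the medium band is empty.
    print(describe(Thresholds()))
    # A configuration matching the page's own confidence mapping table (1-29 / 30-69 / 70-100).
    print(describe(Thresholds(low=0, medium=29, high=69)))
```

Run it before saving a configuration: any band listed as "no score reaches this band" means entities you expected at that confidence will silently land in a neighbouring band instead. Note that the thresholds from the page's confidence mapping table (Low 1-29, Medium 30-69, High 70-100) correspond to strict thresholds of 0, 29 and 69, not to the form defaults of 0, 70 and 70.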

Additional information

Confidence mapping:

Value     0 - 100 Range    0 - 10 Range
Low       001 - 029        01 - 03
Medium    030 - 069        04 - 06
High      070 - 100        07 - 10