Hybrid Analysis
Use the Hybrid Analysis integration to submit and analyze files.
Supported File Types
The maximum file upload size is 100 MB.
- PE (.exe, .scr, .pif, .dll, .com, .cpl, and so on)
- Microsoft Word (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub)
- APK
- JAR executables
- Windows Script Component (.sct)
- Windows Shortcut (.lnk)
- Windows Help (.chm)
- HTML Application (.hta)
- Windows Script File (*.wsf)
- Javascript (.js)
- Visual Basic (*.vbs, *.vbe)
- Shockwave Flash (.swf)
- Perl (.pl)
- PowerShell (.ps1, .psd1, .psm1)
- Scalable Vector Graphics (.svg)
- Python scripts (.py)
- Perl scripts (.pl)
- Linux ELF executables
- MIME RFC 822 (*.eml)
- Outlook (*.msg files)
Configure the Hybrid Analysis Integration on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for Hybrid Analysis.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URI : for example, https://216.128.82
- API Key : Cortex XSOAR creates an API key, do not populate this field.
- Secret Key (applicable for v1)
- Do not validate server certificate (insecure)
- Use system proxy settings
- Click Test to validate the URLs and token.
Use Cases
- Submit sample files for analysis.
- Get result data of sample files.
- Search the Hybrid Analysis database.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Scan a file hash: hybrid-analysis-scan
- Submit a sample file: hybrid-analysis-submit-sample
- Search Hybrid Analysis: hybrid-analysis-search
- Detonate a file: hybrid-analysis-detonate-file
- Get the status of a file submission: hybrid-analysis-get-report-status
- Submit a website or file URL for quick analysis: hybrid-analysis-quick-scan-url
- Submit a website or file URL for analysis: hybrid-analysis-submit-url
- Get a list of scanners: hybrid-analysis-list-scanners
- Get scan results: hybrid-analysis-quick-scan-url-results
1. Scan a file hash
Returns summary information for a given MD5, SHA1 or SHA256 hash, and all reports generated for any environment ID.
Base Command
hybrid-analysis-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| file | The MD5, SHA1, or SHA256 hash of the file. | Required |
| malicious_threat_levels | Threat level values, which will determine if the file is malicious. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | SHA256 hash of the file. |
| File.SHA1 | string | SHA1 hash of the file. |
| File.MD5 | string | MD5 hash of the file. |
| File.environmentId | string | The environment ID of the file. |
| File.analysis_start_time | string | The start time of the file analysis. |
| File.submitname | string | The submission name of the file. |
| File.classification_tags | string | A list of classification tags of the file. |
| File.vxfamily | string | The family classification of the file. |
| File.total_network_connections | string | The total number of network connections of the file. |
| File.total_processes | string | The total processes count of the file. |
| File.total_signatures | string | The total signatures count of the file. |
| File.hosts | string | A list of hosts of the file. |
| File.isinteresting | string | Whether the server found the file interesting. |
| File.domains | string | A list of domains related to the file. |
| File.isurlanalysis | string | Whether the file was analyzed by a URL. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
| DBotScore.Indicator | string | The indicator. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The DBot score vendor. |
| DBotScore.Score | number | The DBot score. |
Command Example
!hybrid-analysis-scan file=bb3bed4a07c472ad7a51c19634e33ad2c9769a27fa750f096d9cca5b5b9e4616
Human Readable Output
2. Submit a file sample
Submits a file from the investigation to the analysis server. The minimum required authorization is "default".
Base Command
hybrid-analysis-submit-sample
Input
| Argument Name | Description | Required |
|---|---|---|
| entryId | The War Room entry ID of the sample file. | Required |
| environmentID | The environment ID to which to submit the file. Run the vx-get-environments command to get all environment IDs. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| HybridAnalysis.Submit.JobID | string | JobID of the submission. |
| HybridAnalysis.Submit.SHA256 | string | The SHA256 hash of the submission. |
| HybridAnalysis.Submit.EnvironmentID | string | The environment ID of the submission. |
Command Example
!hybrid-analysis-submit-sample entryId=413@13 environmentID=100
Human Readable Output
3. Search Hybrid Analysis
Performs a search on the database using the Hybrid Analysis search syntax.
Base Command
hybrid-analysis-search
Input
| Argument Name | Description | Required |
|---|---|---|
| query | The query to run, in the Hybrid Analysis query syntax. For more information, see `/faq#advanced-search-options`. For example: url:google, host:95.181.53.78. | Optional |
| filename | The full file name, including the file extension. | Optional |
| filetype | Filetype e.g. docx | Optional |
| filetype_desc | A description of the file type, for example, PE32 executable. | Optional |
| env_id | The environment ID. | Optional |
| country | The ISO code of the country by which to filter results, for example: swe. | Optional |
| verdict | The verdict by which to filter results. Can be "1- whitelisted", "2- no verdict", "3- "no specific threat", "4- suspicious", or "5- malicious". | Optional |
| av_detect | The AV multi-scan range (0-100) by which to filter results, for example: "50-70". | Optional |
| vx_family | The AV family substring by which to filter results, for example: "nemucod". | Optional |
| tag | The hashtag by which to filter results, for example: "ransomware". | Optional |
| port | The port by which to filter results. | Optional |
| host | The host (IP address) by which to filter results. | Optional |
| domain | The domain by which to filter results. | Optional |
| url | The HTTP request substring by which to filter results. | Optional |
| similar_to | Similar samples, for example: . | Optional |
| context | Sample context, for example: . | Optional |
| imp_hash | The import hash. | Optional |
| ssdeep | The ssdeep hash. | Optional |
| authentihash | The authentication hash. | Optional |
| min_malicious_scanners | The number of scanners that report the file as malicious to determine whether the file is malicious. Default is "2". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| HybridAnalysis.Search.SHA256 | string | The SHA256 hash of the search result. |
| HybridAnalysis.Search.SHA1 | string | The SHA1 hash of the search result. |
| HybridAnalysis.Search.MD5 | string | The MD5 hash of the search result. |
| HybridAnalysis.Search.environmentId | string | The environment ID of the search result. |
| HybridAnalysis.Search.start_time | date | The start time of the search result. |
| HybridAnalysis.Search.threatscore | string | The threat score of the search result, by server. |
| HybridAnalysis.Search.verdict | string | The verdict of the search result. |
| HybridAnalysis.Search.environmentDescription | string | The environment description of search result. |
| HybridAnalysis.Search.submitname | string | The submission name of the search result. |
| HybridAnalysis.Search.vxfamily | string | The family of search result. |
| HybridAnalysis.Search.threatscore | string | The threat score of the search result. |
| HybridAnalysis.Search.type_short | string | The type of search result, for example: "url" or "host". |
| HybridAnalysis.Search.size | number | The size of the search result. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The DBotScore vendor. |
| DBotScore.Score | unknown | The DBot score. |
Command Example
!hybrid-analysis-search filename=fvp_setup_3.2.1.53fi.exe min_malicious_scanners=2
Human Readable Output
4. Detonate a file
Submits a file for detonation in Hybrid Analysis.
Base Command
hybrid-analysis-detonate-file
Input
| Argument Name | Description | Required |
|---|---|---|
| entryId | The War Room entry ID of the sample file you want to detonate. | Required |
| environmentID | The environment ID to which to submit the file for detonation. Run the vx-get-environments command to get all environment IDs. Default is 100, or other WINDOWS ID. | Optional |
| delay | The amount of time (in seconds) to wait between calls. Default is "3". | Optional |
| timeout | The total wait time (in seconds) before timeout. Default is "60". | Optional |
| malicious_threat_levels |
A comma separated list of threat level values. Files that have a threat level
specified in the list will be considered malicious. |
Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | The SHA256 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.MD5 | string | The MD5 of the file. |
| File.environmentalId | string | The environmental ID of the file. |
| File.analysis_start_time | string | The start time of the file. |
| File.submitname | string | The submission name of the file. |
| File.classification_tags | string | A list of classification tags of the file. |
| File.vxfamily | string | The family classification of the file. |
| File.total_network_connections | string | The total number of network connections of the file. |
| File.total_processes | string | The total processes count of the file. |
| File.total_signatures | string | The total signatures count of the file. |
| File.hosts | string | A list of hosts of the file. |
| File.isinteresting | string | Whether the server found the file interesting. |
| File.domains | string | A list of domains related to the file. |
| File.isurlanalysis | string | Whether the file was analyzed by a URL. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
| DBotScore.Indicator | string | The indicator. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The DBot score vendor. |
| DBotScore.Score | number | The DBot score. |
5. Get the status of a file submission
Returns the state of the file submission.
Base Command
hybrid-analysis-get-report-status
Input
| Argument Name | Description | Required |
|---|---|---|
| jobID | The job ID of the submission. | Optional |
| sha256 | The submission SHA256. | Optional |
| environmentID | The environment ID of the submission. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| HybridAnalysis.Submit.State | string | The state of the process. |
| HybridAnalysis.Submit.SHA256 | string | The SHA256 hash of the submission. |
| HybridAnalysis.Submit.JobID | string | The job ID of the submission. |
| HybridAnalysis.Submit.EnvironmentID | string | The environment ID of the submission. |
6. Submit a website or file URL for quick analysis
Submits the URL of a website, or the URL that contains the file, for analysis.
Base Command
hybrid-analysis-quick-scan-url
Input
| Argument Name | Description | Required |
|---|---|---|
| scan_type | The type of scan. Run the hybrid-analysis-list-scanners command to view available scanners. | Optional |
| url | The website URL, or the URL that contains the file to submit. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| HybridAnalysis.URL.Data | string | The URL. |
| HybridAnalysis.URL.ScanID | string | The scan ID. |
| HybridAnalysis.URL.SHA256 | string | The SHA256 hash of the URL. |
| HybridAnalysis.URL.Finished | boolean | Whether the scan completed. |
| File.Name | string | The URL. |
| File.SHA256 | string | The SHA256 hash of the file. |
| HybridAnalysis.URL.SubmissionType | string | The type of the submission. Can be "file" or "url". |
Command Example
!hybrid-analysis-quick-scan-url url=www.google.com
Human Readable Output
7. Submit a website or file URL for analysis
Submits the URL of a website or the URL that contains the file, for analysis.
Base Command
hybrid-analysis-submit-url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | The URL of the file to submit. | Required |
| environmentID | The environment ID to which to submit the file. Run the vx-get-environments command to get all environment IDs. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| HybridAnalysis.Submit.JobID | string | The job ID of the submission. |
| HybridAnalysis.Submit.SHA256 | string | The SHA256 of the submission. |
| HybridAnalysis.Submit.EnvironmentID | number | The environment ID of the submission. |
| HybridAnalysis.Submit.SubmissionType | string | The type of the submission. Can be "file" or "url". |
Command Example
!hybrid-analysis-submit-url environmentID=100 url=www.google.com
Human Readable Output
8. Get a list of scanners
Returns a list of available scanners.
Base Command
hybrid-analysis-list-scanners
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| HybridAnalysis.Scanner.Available | unknown | Whether the scanner is available. |
| HybridAnalysis.Scanner.Name | unknown | The scanner name. |
| HybridAnalysis.Scanner.Description | unknown | The scanner description. |
Command Example
!hybrid-analysis-list-scanners
Human Readable Output
9. Get scan results
Returns the scan results of the given URL ID.
Base Command
hybrid-analysis-quick-scan-url-results
Input
| Argument Name | Description | Required |
|---|---|---|
| scanID | The scan ID of the scanned URL. | Required |
| min_malicious_scanners | The number of scanners that report the file as malicious to determine whether the file is malicious. Default is "2". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| HybridAnalysis.URL.ScanID | string | The scan ID. |
| HybridAnalysis.URL.SHA256 | string | The SHA256 hash of the indicator. |
| HybridAnalysis.URL.Finished | boolean | Whether the process completed. |
| HybridAnalysis.URL.Scanner.Name | string | The scanner name. |
| HybridAnalysis.URL.Scanner.Positives | number | The number of positive results. |
| HybridAnalysis.URL.Scanner.Status | string | The status of the file. |
| HybridAnalysis.URL.Whitelist.ID | string | The type of ID. |
| HybridAnalysis.URL.Whitelist.Value | boolean | Whether the indicator is on the whitelist. |
| File.SHA256 | string | The SHA256 hash of the file. |
Command Example
!hybrid-analysis-quick-scan-url-results scanID=5d6cf460028838eb26d56dc4
Human Readable Output
