Hybrid Analysis
Configure Hybrid Analysis as an enrichment tool so that you can enrich hashes in the CTIX application with data from Hybrid Analysis. CTIX uses this information to enrich the indicators: it removes false positives, adds contextual information, and assigns a confidence score.
Configure Hybrid Analysis App in CTIX
Before you Start
Your user group must have the create, view, and update permissions for enrichment tools and policies.
You must have the API key of your Hybrid Analysis account. Treat the key as a credential: it authorizes every API call charged against that account's quota.
Steps
Use the following steps to configure the Hybrid Analysis app in the CTIX application:
From Administration, open Enrichment Management and select Enrichment Tools.
Use the search bar to locate Hybrid Analysis and click on the app.
Click Add Account.
Enter the account name, base URL, and API key.
Note
Use https://www.hybrid-analysis.com/api/v2 as the base URL. To get the API key, open your Hybrid Analysis profile and copy the key listed in the API Key section; you can also generate new API credentials from that section.
Select Verify SSL so that CTIX validates the Hybrid Analysis server's TLS certificate on every connection. Leave this enabled: without certificate verification the API key could be sent to a server impersonating Hybrid Analysis.
Click Save.
Configure Quota for Hybrid Analysis Feeds
Quota defines the number of API calls that CTIX may make to your Hybrid Analysis account within a defined time period to fetch information that enhances your intel.
Navigate to Administration, select Enrichment Management, and click Enrichment Tools.
Select Hybrid Analysis.
On a specific account, click the ellipsis and select Manage.
Click Edit.
On the Edit Account page, select Quota.
Choose the quota duration and enter the number of API calls allowed within that duration.
Enter the start date and time from which the quota duration is counted.
Select Usage alert to receive email notifications when you are approaching your Hybrid Analysis quota limit.
Enter the email addresses in Internal Recipients. These recipients receive the quota limit notifications.
Click Update.
The following table shows the number of API calls and quota units consumed by the Hybrid Analysis enrichment tool per polling:
Enrichment Tool | Feed Enrichment Type | No. of API calls | Quota Consumed |
Hybrid Analysis | Retrieve Hash Detail | 1 | 1 |
Configure an Enrichment Policy for Hybrid Analysis
Define which enrichment tools to use and which objects to enrich, specify the run type, and apply any conditions.
Steps
Navigate to Administration, select Enrichment Management, and click Enrichment Policies.
Enter a name for your policy and set a priority.
An object can qualify for enrichment under more than one policy. When the system runs low on resources, it uses the priority set here to pick the higher priority policy and performs enrichment with that one.
Choose an object from Select Object Type.
Select from the following run type:
Sequential: The selected enrichment tools are called one after another in the order of the defined preference. You can set up three enrichment tools with preferences. For example, if you set up tool 1, tool 2, and tool 3 as your preference, the system first calls tool 1 to check for enrichment data for the IOC. If tool 1 returns data, tool 2 and tool 3 are not called. After the first successful result, no other enrichment tool is called for the selected IOC. This helps you conserve the quota of your enrichment tools. Note that a call that returns no data still counts against the quota of the tool that was called.
Note
If an enrichment tool runs out of quota, the next enrichment tool in line is used for enrichment.
Parallel: All the selected enrichment tools are called at once to enhance your data. Every call consumes quota on every selected tool, so parallel enrichment spends quota faster than sequential enrichment.
Select Hybrid Analysis as the enrichment tool. You can choose up to three enrichment tools to enrich the data. Only enrichment tools that are configured and in the active state are available.
Click Next Step.
Specify the sources to apply enrichment.
Under Intel, choose specific sources and their respective collections to apply enrichment. You can also choose all collections under Intel.
Under Inbox, choose collections to apply enrichment.
Click Next Step.
Click Yes to apply conditions.
You can apply specific conditions, such as domain name, IP, TLP, title, source confidence, or description, and combine them with AND or OR operators.
Click Save Policy.
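The following added example illustrates how the quota accounting from the quota section and the Sequential and Parallel run types from the policy section interact when one hash is enriched. It is an illustration written for this page, not CTIX or Hybrid Analysis code: the second and third tool names, the quota sizes, the 80 % usage alert threshold, and the lookup results are constructed, and the hash is the SHA-256 of the EICAR test file. Per the table above, one Retrieve Hash Detail call on Hybrid Analysis costs one quota unit.

```python
"""Simulation of how an enrichment policy dispatches one IOC to up to three
enrichment tools under the Sequential and Parallel run types, with per-account
quota accounting. Added illustration, not CTIX or Hybrid Analysis code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# SHA-256 of the EICAR test file: a realistic but harmless hash.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
# Constructed hash that only the second (constructed) tool knows about.
UNKNOWN_TO_HA = "1" * 64
# Constructed clock values used by the demo.
DEMO_NOW = datetime(2024, 1, 1, 8)
DEMO_NEXT_DAY = datetime(2024, 1, 2, 8)


@dataclass
class Quota:
    """Calls allowed per quota duration, counted from a start date and time."""
    limit: int
    duration: timedelta
    start: datetime
    used: int = 0
    alert_fraction: float = 0.8   # assumed: usage alert once 80 % is consumed

    def _roll_window(self, now: datetime) -> None:
        # The quota renews every `duration` after `start`; usage resets.
        while now >= self.start + self.duration:
            self.start += self.duration
            self.used = 0

    def consume(self, units: int, now: datetime) -> bool:
        """Charge `units` if the window has room; False means out of quota."""
        self._roll_window(now)
        if self.used + units > self.limit:
            return False
        self.used += units
        return True

    def usage_alert(self) -> bool:
        """True once consumption reaches the alert threshold."""
        return self.used >= self.alert_fraction * self.limit


@dataclass
class Tool:
    name: str
    quota: Quota
    lookup: Callable[[str], Optional[dict]]   # returns enrichment data or None
    cost: int = 1   # quota units per Retrieve Hash Detail call (1 for Hybrid Analysis)


def run_policy(run_type: str, tools: List[Tool], ioc: str,
               now: datetime) -> Tuple[Dict[str, dict], List[str]]:
    """Dispatch `ioc` to `tools`, which are already ordered by preference.

    sequential: stop at the first tool that returns data; a tool that is out
    of quota is skipped and the next one in line is tried.
    parallel: every tool with remaining quota is called (serially here; real
    concurrency does not change the accounting).
    Returns (data per tool name, names of tools skipped for lack of quota).
    """
    if run_type not in ("sequential", "parallel"):
        raise ValueError(f"unknown run type: {run_type}")
    results: Dict[str, dict] = {}
    skipped: List[str] = []
    for tool in tools[:3]:                      # a policy holds at most three tools
        if not tool.quota.consume(tool.cost, now):
            skipped.append(tool.name)
            continue
        data = tool.lookup(ioc)                 # the call is spent even if it finds nothing
        if data is not None:
            results[tool.name] = data
            if run_type == "sequential":
                break
    return results, skipped


def build_demo_tools(start: datetime = datetime(2024, 1, 1)) -> List[Tool]:
    """Three tools with a constructed daily quota of five calls each."""
    ha_db = {EICAR_SHA256: {"verdict": "malicious", "threat_score": 100}}
    t2_db = {EICAR_SHA256: {"verdict": "malicious"},
             UNKNOWN_TO_HA: {"verdict": "suspicious"}}
    t3_db = {EICAR_SHA256: {"verdict": "malicious"}}
    daily = timedelta(days=1)
    return [
        Tool("Hybrid Analysis", Quota(5, daily, start), ha_db.get),
        Tool("Tool 2 (constructed)", Quota(5, daily, start), t2_db.get),
        Tool("Tool 3 (constructed)", Quota(5, daily, start), t3_db.get),
    ]


if __name__ == "__main__":
    tools = build_demo_tools()
    print(run_policy("sequential", tools, EICAR_SHA256, DEMO_NOW))
    print(run_policy("parallel", tools, EICAR_SHA256, DEMO_NOW))
    print([(t.name, t.quota.used) for t in tools])
```

Running the script shows the point of the run type choice: in the sequential run only Hybrid Analysis is charged, while the parallel run charges one unit on all three tools for the same hash. Setting the Hybrid Analysis account's `used` counter to its limit before a sequential run reproduces the note above: the tool is skipped and the next one in line answers.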