Spectra Intelligence Service Installation Guide

Introduction

The ReversingLabs Spectra Intelligence service for Assemblyline delivers comprehensive, high-precision file reputation and analysis information for submitted files. Results are returned in JSON format, including file reputation data, file analysis results, and anti-virus scanner cross-reference reports. This information enables a detailed threat investigation within your security workflows.

Requirements

Installation

To install the ReversingLabs Spectra Intelligence service on your Assemblyline appliance:

  1. Using your web browser, go to the service management page: https://<assemblyline_host>/admin/services
  2. Click the Add service button
  3. Paste the entire content of the service_manifest.yaml file in the text box.
  4. Click the Add button

Your service information has been added to the system. The scaler component should automatically start a container of your newly created service.

Configuration

After the service is installed and registered, proceed to configure it.

  1. Navigate to the Administration menu -> Services, or to https://<assemblyline_host>/admin/services.
  2. Click "ReversingLabsSpectraIntelligence".
  3. Fill out the service configuration under the Service Parameters tab:
    • Spectra Intelligence address (string) - enter https://data.reversinglabs.com
    • Spectra Intelligence password (string) - the password of your Spectra Intelligence account
    • Spectra Intelligence username (string) - the username of your Spectra Intelligence account

Forgot your password? Contact support@reversinglabs.com for assistance with your credentials.

Next, validate that the service is enabled in user settings:

  1. Navigate to https://<assemblyline_host>/settings.
  2. Make sure that the service is selected in the Services Selection section.

Using the service

Follow these steps to use the service:

  1. Upload a file or provide a URL through the Submit menu
  2. Once uploaded, Assemblyline will automatically redirect you to the submission details page
  3. Allow a few minutes for the upload to complete, during which the service automatically performs lookups with Spectra Intelligence
  4. View the complete Spectra Intelligence results in the Service Results section of the File Details page

Full results from the Spectra Intelligence service are available in the Service Results section of the File Details.

Service results

To view the service results:

  1. From the submission details view, click the filename under the Files section. The File Details pane will appear.
  2. Scroll down to the Service Results section, then click "ReversingLabsSpectraIntelligence".

Understanding the results

The Spectra Intelligence service for Assemblyline features three separate cloud service calls and their result sections:

Each cloud service returns its own variation of results depending on the outcome of its query. The following list shows the possible input and output options, grouped by cloud service.

File

  • File Reputation
    • If the file was found on File Reputation and its results returned: File Reputation JSON and its malware score
    • If the file was not found on File Reputation: File Reputation; or, if there is no reference to the file on File Reputation, no results are returned.
  • AV Scanners
    • If the file was found on AV Scanners and its result returned: AV Scanners JSON and its cross reference results
  • File Analysis
    • If the file was found on File Reputation and its results returned: File Analysis JSON
    • If the file was not found on File Analysis: File Analysis message; if there is no reference to the file on File Analysis, no results are returned.

JSON output in each result section can be expanded and collapsed as needed.

File analysis score

The ReversingLabs Spectra Intelligence service for Assemblyline calculates a malware score for each analyzed file. Each file receives a ReversingLabs malware score mapped to the Assemblyline score table. The higher the score, the more malicious the file and the greater the risk of having it in your system.

The following is the score enumeration and interpretation for a single file.

Classification    | Value
Malicious         | > 2000
Likely malicious  | < 2000
Highly suspicious | < 1000
Suspicious        | < 500
Nothing found     | 0
Whitelisted       | <= -1000

Troubleshooting

Check the following section for information about errors and debugging: https://<assemblyline_host>/admin/errors

Additional information

For more information on using Spectra Intelligence services and interpreting the report JSON, see the Spectra Intelligence user documentation.

ReversingLabs home page: https://www.reversinglabs.com/

ReversingLabs Spectra Intelligence: https://www.reversinglabs.com/products/spectra-intelligence

Assemblyline: https://www.cyber.gc.ca/en/assemblyline