
ReversingLabs Connectors for OpenCTI: Configuration and Usage

Introduction

Refer to the Set Up ReversingLabs Connectors for OpenCTI article for installation and setup of ReversingLabs connectors before use and configuration.

Spectra Analyze connector usage

Upload a sample to Spectra Analyze. A file can only be submitted for analysis if it already exists on Spectra Analyze; if it does not, it must be uploaded first. From the left main menu, browse through the following items:

/ observations / artifacts

Create your artifact by clicking the plus icon, entering information about the sample, and then uploading it from your source. A message will pop up saying "Artifact successfully created."

Enrichment

Select your artifact from the list and run the enrichment process from the Enrichment icon by selecting the ReversingLabs Spectra Analyze connector.

The following workflow has been observed:

  1. Observable (or Artifact) triggers submission of the sample for analysis
  2. Spectra Analyze: Get Classification
  • If Malware:
    • Spectra Analyze: Retrieve Detail Report
    • OpenCTI: Create Indicator, Malware Type, Update Score, Create Note (embed detail report as an artifact)
  • Else:
    • OpenCTI: Update Score, Create Note (embed detail report as an artifact)
  3. OpenCTI: Update Classification
  4. OpenCTI: Update TLP: Amber
  5. OpenCTI: Update Description


Spectra Intelligence Submission connector usage

The ReversingLabs Spectra Intelligence submission connector works with Artifact, URL, StixFile, File, File-sha1, and File-sha256 observables in OpenCTI. After the sample is successfully submitted for analysis, ReversingLabs Spectra Intelligence creates a report, which the connector then processes.

Based on the result of the analysis, the Observable (and Artifact) is updated with the following data: Description, Size (if file sample), SHA-256, Author, Marking, Labels, Indicators of compromise, and the relationship between observable indicators and malware, if present.
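The two connector workflows above (classification-driven enrichment for Spectra Analyze, and observable-type handling for the Spectra Intelligence submission connector) can be pictured as a small decision function. The following Python is an added illustration written for this page, not the ReversingLabs connector code or the OpenCTI API: it takes a constructed classification result, branches on whether the sample is malware, and emits the STIX 2.1-style objects an enrichment connector would push back (indicator, malware, relationship, note) together with the score, TLP:AMBER marking and description updates on the observable. The input field names (`classification`, `threat_name`, `malware_type`), the score mapping and the sample results are assumptions of the example; the TLP:AMBER marking-definition id is the one fixed by the STIX 2.1 specification.

```python
"""Model of an OpenCTI enrichment connector's decision flow.

Added illustration, not the vendor's connector or OpenCTI's own code. Input
field names, the score table and the sample results are assumptions.
"""
import json
import uuid
from typing import Any

# TLP:AMBER marking-definition id fixed by the STIX 2.1 specification.
TLP_AMBER_ID = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"

# OpenCTI observable type (as named on the page) -> STIX indicator pattern template.
PATTERN_TEMPLATES = {
    "File-sha1": "[file:hashes.'SHA-1' = '{value}']",
    "File-sha256": "[file:hashes.'SHA-256' = '{value}']",
    "StixFile": "[file:hashes.'SHA-256' = '{value}']",
    "Artifact": "[file:hashes.'SHA-256' = '{value}']",
    "Url": "[url:value = '{value}']",
}
STIX_OBSERVABLE_TYPE = {"Url": "url"}  # everything else above is a file object

# Assumed mapping of classification to an OpenCTI score (0-100); not the vendor's table.
SCORE_BY_CLASSIFICATION = {"MALICIOUS": 90, "SUSPICIOUS": 50, "KNOWN": 10, "UNKNOWN": 0}

# Constructed sample analysis results (not real output of any service).
MALICIOUS_RESULT = {
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "classification": "MALICIOUS",
    "threat_name": "Win32.Trojan.Example",
    "malware_type": "trojan",
}
BENIGN_RESULT = {
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "classification": "KNOWN",
}


def build_pattern(observable_type: str, value: str) -> str:
    """Return the STIX pattern for one supported observable type."""
    try:
        template = PATTERN_TEMPLATES[observable_type]
    except KeyError:
        raise ValueError(f"unsupported observable type: {observable_type}") from None
    # Escape backslashes and single quotes so the value cannot break out of
    # the pattern's string literal (STIX patterning uses \\ and \').
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return template.format(value=escaped)


def enrich(observable_type: str, value: str, result: dict[str, Any]) -> dict[str, Any]:
    """Replay the page's workflow: classify, branch on malware, then always
    update score, classification label, TLP:AMBER marking and description."""
    classification = result["classification"].upper()
    score = SCORE_BY_CLASSIFICATION.get(classification, 0)
    stix_type = STIX_OBSERVABLE_TYPE.get(observable_type, "file")

    observable = {
        "id": f"{stix_type}--{uuid.uuid4()}",
        "type": observable_type,
        "value": value,
        "x_opencti_score": score,
        "labels": [classification.lower()],
        "object_marking_refs": [TLP_AMBER_ID],
        "description": f"Classified {classification} by sandbox analysis",
    }
    objects: list[dict[str, Any]] = []
    actions = ["update_score"]

    if classification == "MALICIOUS":
        indicator = {
            "type": "indicator",
            "id": f"indicator--{uuid.uuid4()}",
            "pattern_type": "stix",
            "pattern": build_pattern(observable_type, value),
            "x_opencti_score": score,
            "object_marking_refs": [TLP_AMBER_ID],
        }
        malware = {
            "type": "malware",
            "id": f"malware--{uuid.uuid4()}",
            "name": result["threat_name"],
            "is_family": False,
            "malware_types": [result.get("malware_type", "unknown")],
        }
        relationship = {
            "type": "relationship",
            "id": f"relationship--{uuid.uuid4()}",
            "relationship_type": "indicates",
            "source_ref": indicator["id"],
            "target_ref": malware["id"],
        }
        objects += [indicator, malware, relationship]
        actions += ["create_indicator", "create_malware"]

    # Both branches attach the detail report as a note on the observable.
    note = {
        "type": "note",
        "id": f"note--{uuid.uuid4()}",
        "abstract": f"Analysis report for {value}",
        "content": json.dumps(result, indent=2),  # stands in for the embedded report
        "object_refs": [observable["id"]] + [o["id"] for o in objects if o["type"] == "indicator"],
    }
    objects.append(note)
    actions += ["create_note", "update_classification", "update_tlp_amber", "update_description"]
    return {"observable": observable, "objects": objects, "actions": actions}


if __name__ == "__main__":
    print(json.dumps(enrich("File-sha256", MALICIOUS_RESULT["sha256"], MALICIOUS_RESULT), indent=2))
```

Running the module prints the full set of objects for the constructed malicious sample; calling `enrich` with `BENIGN_RESULT` yields only the note plus the observable updates, matching the "Else" branch of the workflow. The quote escaping in `build_pattern` is the one check worth copying into any real connector: observable values come from untrusted files and URLs, and an unescaped value would otherwise alter the generated STIX pattern.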

Submission and analysis through Spectra Intelligence

Submit artifact

Trigger the Spectra Intelligence submission connector

Observable after the analysis has been performed and the connector triggered

Malware Presence connector usage

The ReversingLabs Enrichment Connector for Malware Presence listens for the defined data types (file hashes) and automatically enriches the following components:

  • Updates the Observable entity
    • Adds description, score, and labels to the observable
    • Adds external references (CVE, MITRE) to the observable, if any exist
    • Creates a relationship with indicators if a known indicator for the observable exists in the system
    • Updates the Author
  • Creates Indicators
  • Creates a Report if applicable (analysis result attached to the observable)
  • Creates CVE
  • Creates MITRE

Enrichment

Browse through the following items:

/ observations / observables

Add an Observable by selecting the plus icon, entering the information about the observable, and then uploading it or pasting it from your source. A message will pop up saying, "Observable successfully created."


Run the enrichment

  1. Open an observable
  2. Click on the enrichments icon
  3. Click the connector

ReversingLabs home page: https://www.reversinglabs.com/

ReversingLabs Spectra Intelligence: https://www.reversinglabs.com/products/spectra-intelligence

ReversingLabs Spectra Analyze: https://www.reversinglabs.com/products/spectra-analyze

OpenCTI: https://filigran.io/solutions/open-cti/