Version: Spectra Analyze 9.7.0

Integrations


Overview

Spectra Analyze supports optional integration with multiple first-party and third-party static and dynamic analysis services. Through these integrations, samples can be automatically submitted for dynamic analysis or reanalyzed on demand using any of the supported services.

Analysis services must be configured on the Administration > Integrations & Connectors > Integrations page by an administrator. The administrator can determine which file types to analyze with each configured integration.

First-party integrations are:

Third-party integrations are always used for dynamic analysis, and they are:

Integrations configuration

Under Administration > Integrations & Connectors > Integrations, you can see the list of all integrations that can be configured on the appliance. To see only the configured integrations, in the top right corner, select Configured. To see all possible integrations, select Show all.

For every integration, a subset of the following options is available:

  • Enabled: enable or disable an integration. First-party integrations are enabled by default.
  • Show links: not configurable for first-party integrations. For third-party integrations, enable or disable the display of links to the third-party web interfaces in the analysis report.
  • Test connection: click to test the connection to the integration.
  • Automatic upload: enable or disable automatic file uploads.
  • Automatic file retrieval: enabled by default for ReversingLabs Cloud Sandbox. When enabled, files dropped during dynamic analysis that are within configured file size limits are downloaded to the appliance and analyzed locally.
  • Include in classification: enabled by default for ReversingLabs Cloud Sandbox. When enabled, all future sample uploads, as well as any reanalyzed samples, may receive their final classification from the ReversingLabs Cloud Sandbox. Samples that already had a recent dynamic analysis classification before the option was enabled update their classification once their Sample Details Summary page is opened, or during regular appliance synchronizations with Spectra Intelligence. Only ReversingLabs Cloud Sandbox can be configured to affect the final sample classification. Results from other analysis services do not affect the final classification of the sample; they are an additional source of information for analysts.
  • Actions: not available for first-party integrations. Click Configure to configure a third-party integration for the first time, or Edit to update an existing third-party integration. For more information about how to configure each of the integrations, see below.

File types

On this page, you can also edit which File types are submitted for analysis when uploaded automatically. Click Edit, and for every file type group, select or remove the file types to submit. Click Save to save your changes.

The file types configured here apply only to files uploaded automatically. When manually queuing a file for reanalysis, you can analyze any file type with any enabled dynamic analysis service, provided that the service supports that file type.

If no file types are specified and automatic upload is enabled, all files uploaded to the appliance are submitted for dynamic analysis indiscriminately, regardless of whether their file type is supported.

Warning: Configuration updates may take several minutes to apply. Features remain available during this time, but changes, such as enabling or disabling automatic file uploads, are not applied instantly.

Dynamic analysis

ReversingLabs Cloud Sandbox

Spectra Analyze is integrated with the ReversingLabs Cloud Sandbox by default, and configured by ReversingLabs.

Optionally, administrators can enable or disable various options for this integration.

Prerequisites

For this service to be available, the appliance has to be connected to Spectra Intelligence.

For more information, see Analysis services - ReversingLabs Cloud Sandbox.

CAPE Sandbox

To configure CAPE, go to Administration > Integrations & Connectors > Integrations. In the top right corner, click Show all to show all possible integrations. Find CAPE Sandbox and, in the Actions column, click Configure. Provide the following information:

  • API scheme and host: enter the API server scheme and host.
  • API port: enter the API server port.
    • Test connection: click to test the API connection.
  • Use API host for web host: select this option to use the API server host as the web server host. If this option is not selected, provide the web host information below.
  • Web scheme and host: enter the web server scheme and host.
  • Web port: enter the web server port.
    • Test connection: click to test the web connection.
  • Submit only distinct files to CAPE: disabled by default. Select this option to submit only distinct files to CAPE. When this option is enabled, if a file has already been submitted to Spectra Analyze and analyzed, it is not sent for reanalysis when it is submitted again. This option applies to files submitted using the GUI and the API. It does not affect the reanalysis feature - you can still submit files for reanalysis with any of the integrations even if the files have already been analyzed.

To save your changes, click Submit.

Note: Maximum supported file size is 400 MiB.

For more information, see Analysis services - CAPE Sandbox.

Cisco Secure Malware Analytics

To configure Cisco Secure Malware Analytics, go to Administration > Integrations & Connectors > Integrations. In the top right corner, click Show all to show all possible integrations. Find Cisco Secure Malware Analytics and, in the Actions column, click Configure. Provide the following information:

  • API URL: enter the Cisco Secure Malware Analytics API URL.
  • API key: enter the API key.
    • Test connection: click to test the API connection.
  • Send files privately: select this option to send files privately.
  • Populate web URL based on API URL: select this option to populate the web URL based on the API URL. If this option is not selected, provide the web host information below.
  • Web scheme and host: enter the Cisco Secure Malware Analytics web URL.
    • Test connection: click to test the web connection.

To save your changes, click Submit.

Note: Maximum supported file size is 250 MiB.

For more information, see Analysis services - Cisco Secure Malware Analytics.

Cuckoo Sandbox

To configure Cuckoo, go to Administration > Integrations & Connectors > Integrations. In the top right corner, click Show all to show all possible integrations. Find Cuckoo and, in the Actions column, click Configure. Provide the following information:

  • API scheme and host: enter the API server scheme and host.
  • API port: enter the API server port.
  • Enable Cuckoo API Authentication: select this option to enable Cuckoo API authentication.
  • Token: enter the API token.
    • Test connection: click to test the API connection.
  • Use API host for web host: select this option to use the API server host as the web server host. If this option is not selected, provide the web host information below.
  • Web scheme and host: enter the web server scheme and host.
  • Web port: enter the web server port.
    • Test connection: click to test the web connection.

To save your changes, click Submit.

Note: Maximum supported file size is 400 MiB.

For more information, see Analysis services - Cuckoo Sandbox.

FireEye Sandbox

To configure FireEye, go to Administration > Integrations & Connectors > Integrations. In the top right corner, click Show all to show all possible integrations. Find FireEye and, in the Actions column, click Configure. Provide the following information:

  • API scheme and host: enter the API server scheme and host.
  • API port: enter the API server port.
  • Username: enter the API username.
  • Password: enter the API password.
  • API version: from the drop-down list, select the API version.
    • Test connection: click to test the API connection.
  • Use API host for web host: select this option to use the API server host as the web server host. If this option is not selected, provide the web host information below.
  • Web scheme and host: enter the web server scheme and host.
  • Web port: enter the web server port.
    • Test connection: click to test the web connection.

To save your changes, click Submit.

Note: Maximum supported file size is 100 MiB.

For more information, see Analysis services - FireEye Sandbox.

Joe Sandbox

Important: If Joe Sandbox integration is enabled, the following terms and conditions apply: Joe Sandbox Cloud Online Service Terms and Conditions of Use.

To configure Joe Sandbox, go to Administration > Integrations & Connectors > Integrations. In the top right corner, click Show all to show all possible integrations. Find Joe and, in the Actions column, click Configure. Provide the following information:

  • API URL: enter the Joe Sandbox API URL. For on-premise installation, the API URL is usually schema://server-address:port/joesandbox/index.php/api.
  • API key: enter the API key.
    • Test connection: click to test the API connection.
  • Enable internet access: select this option to enable samples to be analyzed with full internet access on Joe Sandbox systems.
  • Allow URL submissions: select this option to allow URL submissions. If enabled, URL submissions are analyzed with full internet access on Joe Sandbox systems.
  • Populate web URL based on API URL: select this option to populate the web URL based on the API URL. If this option is not selected, provide the web host information below.
  • Web scheme and host: enter the web URL. For on-premise installation, the web URL is usually schema://server-address:port/joesandbox/index.php.
    • Test connection: click to test the web connection.
  • Submit only distinct files to Joe Sandbox: disabled by default. Select this option to submit only distinct files to Joe Sandbox. When this option is enabled, if a file has already been submitted to Spectra Analyze and analyzed, it is not sent for reanalysis when it is submitted again. This option applies to files submitted using the GUI and the API. It does not affect the reanalysis feature - you can still submit files for reanalysis with any of the integrations even if the files have already been analyzed.

To save your changes, click Submit.

Note: Maximum supported file size is 400 MiB.

For more information, see Analysis services - Joe Sandbox.

VMRay

To configure VMRay, go to Administration > Integrations & Connectors > Integrations. In the top right corner, click Show all to show all possible integrations. Find VMRay and, in the Actions column, click Configure. Provide the following information:

  • API URL: enter the VMRay API URL.
  • API key: enter the API key.
    • Test connection: click to test the API connection.
  • Populate web URL based on API URL: select this option to populate the web URL based on the API URL. If this option is not selected, provide the web host information below.
  • Web scheme and host: enter the VMRay web URL.
    • Test connection: click to test the web connection.

To save your changes, click Submit.

Note: Maximum supported file size is 305 MiB.

For more information, see Analysis services - VMRay.

Static analysis

Static analysis services are configured by ReversingLabs.

Optionally, administrators can enable or disable Automatic upload for this integration.

Note: Maximum supported file size is 100 MiB.

Submitting only distinct files is not supported.

For more information, see Analysis services - Static analysis.
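The size limits and the Joe Sandbox on-premise URL pattern given in the sections above can be checked before values are entered in the Configure dialog. The following is an added example, not ReversingLabs code: the function names are hypothetical, and rejecting non-HTTPS API URLs is this example's own policy (the API key or password accompanies requests to the service), not a requirement stated on this page.

```python
from urllib.parse import urlsplit

MIB = 1024 * 1024

# Maximum supported file sizes in MiB, as stated in each section of this page.
MAX_SIZE_MIB = {
    "CAPE Sandbox": 400,
    "Cisco Secure Malware Analytics": 250,
    "Cuckoo Sandbox": 400,
    "FireEye Sandbox": 100,
    "Joe Sandbox": 400,
    "VMRay": 305,
    "Static analysis": 100,
}

def services_accepting(size_bytes):
    """Return the services whose documented size limit admits this file size."""
    return sorted(name for name, limit in MAX_SIZE_MIB.items()
                  if size_bytes <= limit * MIB)

def check_api_url(api_url):
    """Return a list of problems with an API URL; an empty list means it passed."""
    problems = []
    parts = urlsplit(api_url)
    if parts.scheme != "https":  # example policy, see lead-in
        problems.append("scheme is %r, expected https" % parts.scheme)
    if not parts.hostname:
        problems.append("no host in URL")
    try:
        parts.port  # raises ValueError if not numeric or outside 0-65535
    except ValueError:
        problems.append("port is out of range or not numeric")
    return problems

def joe_web_url(api_url):
    """Derive the on-premise Joe Sandbox web URL from its API URL.

    Follows the pattern on this page: the API URL ends in
    /joesandbox/index.php/api and the web URL in /joesandbox/index.php.
    """
    suffix = "/joesandbox/index.php/api"
    base = api_url.rstrip("/")
    if not base.endswith(suffix):
        raise ValueError("API URL does not follow the documented on-premise pattern")
    return base[: -len("/api")]
```

`services_accepting` compares against the documented maximum only; whether a service supports the file type is a separate check.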