SpectraAnalyze-EnrichFileHash



This playbook will enrich a Microsoft Sentinel incident with file hash information from a Spectra Analyze appliance. A comment will be added to the incident with details about the file.

| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | ReversingLabs |
| Source | View on GitHub |

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azuresentinel | Managed | 1 | 2 |
| reversinglabsa1000 | Managed | 1 | 2 |
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_FileHashes | post | /entities/filehash | |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment | |

reversinglabsa1000 (Managed)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Retrieve_classification_for_a_sample | get | `/api/samples/v3/@{encodeURIComponent(items('For_each_file_hash_entity')?['hashValue'])}/classification/` | |
| Retrieve_the_static_analysis_report | get | `/api/v2/samples/@{encodeURIComponent(items('For_each_file_hash_entity')?['hashValue'])}/ticore/` | |

Additional Documentation

📄 Source: SpectraAnalyze-EnrichFileHash/readme.md

Author: Aaron Hoffmann (ReversingLabs)

This playbook enriches file hash entities with information from a ReversingLabs Spectra Analyze (formerly A1000) appliance.


Prerequisites

You'll need the following:

Post-deployment

After deploying the template, update the playbook's Spectra Analyze connection with your Spectra Analyze API token.

Screenshots

Playbook overview

References
