Current ThreatQ Version Filter

Hatching Triage Operation

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Current Integration Version

1.0.0

Compatible with ThreatQ Versions

>= 4.34.0

Support Tier

ThreatQ Supported

Introduction

The Hatching Triage Operation submits URL Indicators and Files object types to the Hatching Triage API for context enrichment.

The operation provides the following actions:

Submit URL - submits a URL for analysis.
Submit File - submits a File for analysis.
Get Report - retrieves the report and enriches the threat object.

The operation is compatible with Files and URL indicator types.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

Navigate to your integrations management page in ThreatQ.
Select the Operation option from the Type dropdown (optional).
Click on the integration entry to open its details page.

Enter the following parameters under the Configuration tab:

Parameter	Description
Hostname	Your Triage instance hostname. Use `https://api.tria.ge/v0/` for public cloud API and `https://private.tria.ge/api/v0/` for private cloud API. You can also use your own if using an on-prem machine.
API Key	Your Triage instance API Key.

Review any additional settings, make any changes if needed, and click on Save.
Click on the toggle switch, located above the Additional Information section, to enable it.

Actions

The operation provides the following actions:

Action	Description	Object Type	Object Subtype
Submit URL	Submits a URL for analysis.	Indicators (URL)	URL
Submit File	Submits a File for analysis.	Files	N/A
Get Report	Retrieves the report and enriches the threat object.	Indicators, Files	URL (Indicators)

Submit URL & Submit File

The Submit action is used to submit a URL or File to Hatching Triage API for Analysis.

POST https://<triage-host>/samples

Sample Response:

{
    "submitted": "2021-11-02T12:33:44Z",
    "private": false,
    "status": "pending",
    "kind": "url",
    "id": "211102-prkjxacee7",
    "url": "https://github.com/ytisf/theZoo/raw/master/malware/Binaries/All.ElectroRAT/All.ElectroRAT.zip"
}

The Submit URL Action has the following configuration option: Submission Type.

Option	Description
Submission Type	Indicates how the submission will be handled by the analyzer. Options include: Submit URL Submit fetched sample form URL

ThreatQuotient provides the following default mapping for this action:

Feed Data Path	ThreatQ Entity	ThreatQ Object Type or Attribute Key	Examples	Notes
.submitted	Indicator.Attribute	Hatching Triage Submission Date	2021-11-02 12:33:44-00:00	Automatically added
.id	Indicator.Attribute	Hatching Triage Submission ID	211102-prkjxacee7	Automatically added

Get Report

The Get Report action is used to retrieve the submission summary for the submitted threat object.

GET https://<triage-host>/samples/<submission_id>/summary

Sample Response:

{
    "target": "https://github.com/ytisf/theZoo/raw/master/malware/Binaries/All.ElectroRAT/All.ElectroRAT.zip",
    "created": "2021-11-02T12:33:44Z",
    "owner": "shark2.ams5.hatching.dev",
    "completed": "2021-11-02T12:36:18Z",
    "tasks": {
        "211102-prkjxacee7-static1": {
            "kind": "static",
            "status": "reported"
        },
        "211102-prkjxacee7-behavioral1": {
            "target": "https://github.com/ytisf/theZoo/raw/master/malware/Binaries/All.ElectroRAT/All.ElectroRAT.zip",
            "resource": "win10-en-20211014",
            "queue_id": 139808,
            "kind": "behavioral",
            "status": "reported",
            "score": 1,
            "backend": "horse2",
            "platform": "windows10_x64"
        },
        "211102-prkjxacee7-urlscan1": {
            "target": "https://github.com/ytisf/theZoo/raw/master/malware/Binaries/All.ElectroRAT/All.ElectroRAT.zip",
            "failure": "400: Scan prevented ...: The submitted domain is on our blacklist, we will not scan it.",
            "kind": "urlscan",
            "status": "failed"
        }
    },
    "custom": "frontend:66ca4d10-0e04-4f87-8c90-022bd1d64937",
    "sample": "211102-prkjxacee7",
    "score": 1,
    "status": "reported",
    "sha256": {}
}

ThreatQuotient provides the following default mapping for this action:

Feed Data Path	ThreatQ Entity	ThreatQ Object Type or Attribute Key	Examples	Notes
.score	Indicator.Attribute	Triage Score	1	n/a
.sha256	Indicator.Value	SHA-256	9db4c2b2fca0039c97522753964...	n/a

Change Log

Version 1.0.0
- Initial release

PDF Guides

Document	ThreatQ Version
Hatching Triage Operation Guide v1.0.0	4.34.0 or Greater