Cuckoo
Integration version: 9.0
Configure Cuckoo integration in Google Security Operations SOAR
Configure Cuckoo integration with a CA certificate
You can verify your connection with a CA certificate file if needed.
Before you start, ensure you have the following:
- The CA certificate file
- The latest Cuckoo integration version
To configure the integration with a CA certificate, complete the following steps:
- Parse your CA certificate file into a Base64 String.
- Open the integration configuration parameters page.
- Insert the string in the CA Certificate File field.
- To test that the integration is successfully configured, select the Verify SSL checkbox and click Test.
Configure Cuckoo integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| Api Root | String | http://x.x.x.x:8090 | Yes | Address of the Cuckoo instance. |
| Web Interface Address | String | http://x.x.x.x:8000 | Yes | Address of the Cuckoo Web UI instance. |
| Warning Threshold | Integer | 5.0 | Yes | N/A |
| CA Certificate File | String | N/A | No | N/A |
| Verify SSL | Checkbox | Unchecked | No | Use this checkbox, if your Cuckoo connection requires an SSL verification. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
| API Token | Password | N/A | No | API Token of the integration. |
Actions
Detonate File
Description
Submit a file for analysis and get a report, also known as async.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| File Paths | String | N/A | Yes | The path of the file to submit. |
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| max_score | N/A | N/A |
JSON Result
{
"powershell8693919272434274241.ps1": {
"info": {
"category": "file",
"added": 1547640117.991152,
"monitor": "22c39cbb35f4d916477b47453673bc50bcd0df09",
"package": "ps1",
"started": 1547640190.471362,
"route": "internet",
"custom": null,
"machine": {
"status": "stopped",
"shutdown_on": "2019-01-16 12:28:55",
"started_on": "2019-01-16 12:03:16",
"manager": "VirtualBox",
"label": "win7x6427",
"name": "win7x6427"
},
"ended": 1547641736.394026,
"score": 6.6,
"platform": "windows",
"version": "2.0.6",
"owner": null,
"git": {
"head": "03731c4c136532389e93239ac6c3ad38441f81a7",
"fetch_head": "03731c4c136532389e93239ac6c3ad38441f81a7"
},
"options": "procmemdump=yes,route=internet",
"id": 889621,
"duration": 1545
},
"signatures":
[{
"families": [],
"description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
"name": "network_cnc_http",
"markcount": 1,
"references": [],
"marks":
[{
"suspicious_features": "Connection to IP address",
"type": "generic",
"suspicious_request": "GET http://1.1.1.1:8080/"
}],
"severity": 2
}, {
"families": [],
"description": "Connects to smtp.live.com, possibly for spamming or data exfiltration",
"name": "smtp_live",
"markcount": 1,
"references": [],
"marks":
[{
"category": "domain",
"type": "ioc",
"ioc": "smtp.live.com",
"description": null
}],
"severity": 2
}, {
"families": [],
"description": "Connects to smtp.mail.yahoo.com, possibly for spamming or data exfiltration",
"name": "smtp_yahoo",
"markcount": 1,
"references": [],
"marks":
[{
"category": "domain",
"type": "ioc",
"ioc": "smtp.mail.yahoo.com",
"description": null
}],
"severity": 2
}]
}
}
Detonate URL
Description
Send an URL for analysis and get a report, also known as async.
Parameters
N/A
Run On
This action runs on the URL entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"info": {
"category": "url",
"git": {
"head": "03731c4c136532389e93239ac6c3ad38441f81a7",
"fetch_head": "03731c4c136532389e93239ac6c3ad38441f81a7"
},
"monitor": "22c39cbb35f4d916477b47453673bc50bcd0df09",
"package": "ie",
"started": null,
"route": "internet",
"custom": null,
"machine": {
"status": "stopped",
"shutdown_on": "2019-01-16 13:14:26",
"label": "win7x6412",
"manager": "VirtualBox",
"started_on": "2019-01-16 12:48:54",
"name": "win7x6412"
},
"ended": 1547644467.207864,
"added": null,
"id": 889669,
"platform": null,
"version": "2.0.6",
"owner": null,
"score": 4.4,
"options": "procmemdump=yes,route=internet",
"duration": null
},
"signatures": [{
"families": [],
"description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
"name": "network_cnc_http",
"markcount": 1,
"references": [],
"marks": [{
"suspicious_features": "Connection to IP address",
"type": "generic",
"suspicious_request": "GET http://1.1.1.1:8080/"
}],
"severity": 2
}, {
"families": [],
"description": "Performs some HTTP requests",
"name": "network_http",
"markcount": 9,
"references": [],
"marks": [{
"category": "request",
"ioc": "GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl",
"type": "ioc",
"description": null
}, {
"category": "request",
"ioc": "GET http://www.microsoft.com/pki/crl/products/WinPCA.crl",
"type": "ioc",
"description": null
}, {
"category": "request",
"ioc": "GET http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl",
"type": "ioc",
"description": null
}],
"severity": 2
}, {
"families": [],
"description": "Communicates with host for which no DNS query was performed",
"name": "nolookup_communication",
"markcount": 11,
"references": [],
"marks": [{
"host": "1.1.1.1",
"type": "generic"
}, {
"host": "1.1.1.1",
"type": "generic"
}, {
"host": "1.1.1.1",
"type": "generic"
}],
"severity": 3
}]},
"Entity": "http://digi.ba/eng/#pgc-56-0-0"
}
]
Entity Enrichment
Entity is marked as suspicious (True) if the score exceeds the threshold. Otherwise: False.
| Enrichment Field Name | Logic - When to apply |
|---|---|
| Cuckoo_Score | N/A |
| task_id | N/A |
Get Report
Description
Get a report of a particular task by the ID, also known as async.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Task ID | String | N/A | Yes | The task's ID. Example: 10 |
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| score | N/A | N/A |
JSON Result
{
"info": {
"category": "file",
"added": 1547640117.991152,
"monitor": "22c39cbb35f4d916477b47453673bc50bcd0df09",
"package": "ps1",
"started": 1547640190.471362,
"route": "internet",
"custom": null,
"machine": {
"status": "stopped",
"shutdown_on": "2019-01-16 12:28:55",
"started_on": "2019-01-16 12:03:16",
"manager": "VirtualBox",
"label": "win7x6427",
"name": "win7x6427"
},
"ended": 1547641736.394026,
"score": 6.6,
"platform": "windows",
"version": "2.0.6",
"owner": null,
"git": {
"head": "03731c4c136532389e93239ac6c3ad38441f81a7",
"fetch_head": "03731c4c136532389e93239ac6c3ad38441f81a7"
},
"options": "procmemdump=yes,route=internet",
"id": 889621,
"duration": 1545
},
"signatures": [{
"families": [],
"description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
"name": "network_cnc_http",
"markcount": 1,
"references": [],
"marks": [{
"suspicious_features": "Connection to IP address",
"type": "generic",
"suspicious_request": "GET http://1.1.1.1:8080/"
}],
"severity": 2
}, {
"families": [],
"description": "Connects to smtp.live.com, possibly for spamming or data exfiltration",
"name": "smtp_live",
"markcount": 1,
"references": [],
"marks": [{
"category": "domain",
"type": "ioc",
"ioc": "smtp.live.com",
"description": null
}],
"severity": 2
}, {
"families": [],
"description": "Connects to smtp.mail.yahoo.com, possibly for spamming or data exfiltration",
"name": "smtp_yahoo",
"markcount": 1,
"references": [],
"marks": [{
"category": "domain",
"type": "ioc",
"ioc": "smtp.mail.yahoo.com",
"description": null
}],
"severity": 2
}]
}
Ping
Description
Test Connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |