Secure Malware Analytics Integration
Cisco Secure Malware Analytics (formerly Cisco Threat Grid) combines advanced sandboxing with threat intelligence into a powerful solution to protect organizations from malware. Secure Malware Analytics is an advanced and automated malware analysis and malware threat intelligence platform in which suspicious files or web destinations can be detonated without impacting the user environment.
Cisco Secure Malware Analytics leverages both static and dynamic analysis to thoroughly examine sample files that users submit either directly through the cloud portal or automated through the Secure Malware Analytics API. In static analysis, the system inspects submission attributes, while dynamic analysis involves executing the file or browsing the URL to observe its behavior. By aggregating data from a vast repository of malware samples and associated domains, Secure Malware Analytics enriches context around threat artifacts, enabling a comprehensive understanding of the scope and impact of a threat.
When integrated with Cisco XDR, Secure Malware Analytics provides contextual responses about investigated observables, such as whether an investigated file hash or URL has been analyzed by Secure Malware Analytics and, if so, what associated artifacts were discovered in that analysis, including C&C, payload, and behavior information. Additionally, it provides information on whether the investigated domain or URL has been contacted by any analyzed malware and, if so, which malware and which observed behaviors were related to the connection. These responses include information from your own private submissions as well as from any of the millions of submissions per year that are public information.
The Secure Malware Analytics integration also serves as a reference module that provides licensed Secure Malware Analytics portal users with the ability to pivot into the Secure Malware Analytics Cloud portal to gather additional intelligence about file hashes, IPs, domains, and URLs. Through this pivot, users can access a detailed sample analysis that includes threat scores, metadata, behavioral indicators, domain connections, and more.
The integration supports automation workflows that can automatically trigger certain actions within Secure Malware Analytics, such as submitting URLs for analysis. This allows security teams to automate parts of their incident response process, enabling timely threat detection and response and reducing manual effort.
Additionally, the integration allows for the creation of dashboard cards for quick insight into current Secure Malware Analytics sample submission data.

- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Secure Malware Analytics integration.
- Click Get Started. The Secure Malware Analytics integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Secure Malware Analytics integration in Cisco XDR.

You can perform the following tasks after you integrate Secure Malware Analytics with Cisco XDR:
- Investigations - Start a new investigation into any combination of file hashes, domains, and URLs, and the results will include any records of them found in Cisco Secure Malware Analytics. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Cisco Secure Malware Analytics has recent information. In the Secure Malware Analytics portal, you can view the Submissions page to get SHA-256 and URL observables for which Secure Malware Analytics will return responses. For details, see Investigate.
- Dashboard - Add Cisco Secure Malware Analytics cards to a dashboard in Control Center to view data, such as metrics related to the submission of samples for analysis and the results of the analysis, giving visibility into trends and patterns in malware activity. For details, see Configure Dashboards and Cards. For a list of available Secure Malware Analytics cards, see Integration Cards.
- Pivot Menu - Use the Pivot menu to access actions in Cisco Secure Malware Analytics. Available actions include submitting URLs for analysis and searching for observables, such as URLs, file hashes, IP addresses, and domains.
- Automation:
  - Atomic Actions - The atomic actions for Secure Malware Analytics can be used as building blocks in custom workflows. These include various tools to create, manage, and check the status of submissions, and can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.
  - Workflows - The workflows for Cisco Secure Malware Analytics can be installed from the Automation Exchange and include capabilities to automate the submission of URLs for analysis. See Workflows and Exchange.
  - Targets - The Cisco Secure Malware Analytics target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.
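The automation items above (create a submission, check its status, act on the result) and the API-driven submission mentioned in the overview map onto a short submit-poll-score loop. The following is an added example written for this page; it is not Cisco's code and not the XDR atomic actions themselves. The endpoint paths (/api/v2/samples, /api/v2/samples/<id>, /api/v2/samples/<id>/threat), the api_key query parameter, the field names and the state strings are assumptions modelled on the public Threat Grid v2 API and must be checked against the API documentation of your deployment; the transport is injectable so the flow runs offline against a constructed fake server.

```python
"""Added example (not Cisco's code): a minimal Secure Malware Analytics
submission helper of the kind a custom workflow's atomic actions wrap.
Endpoint paths, parameter/field names and state values are ASSUMPTIONS;
verify them against your deployment's API documentation."""
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://panacea.threatgrid.com"  # assumed portal host; adjust to yours


def http_transport(method, url, data=None):
    """Real transport: form-encoded request, JSON response."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class SmaClient:
    def __init__(self, api_key, transport=http_transport, base_url=BASE_URL, sleep=time.sleep):
        self.api_key = api_key
        self.transport = transport   # swap in a fake for offline testing
        self.base_url = base_url
        self.sleep = sleep           # injectable so polling can be tested without waiting

    def submit_url(self, url, private=True):
        """Create a URL submission (assumed: POST /api/v2/samples). Returns the sample id."""
        data = {"api_key": self.api_key, "url": url, "private": "true" if private else "false"}
        resp = self.transport("POST", f"{self.base_url}/api/v2/samples", data)
        return resp["data"]["id"]

    def status(self, sample_id):
        """Read the submission state (assumed: GET /api/v2/samples/<id>)."""
        q = urllib.parse.urlencode({"api_key": self.api_key})
        resp = self.transport("GET", f"{self.base_url}/api/v2/samples/{sample_id}?{q}")
        return resp["data"]["state"]

    def wait_for_completion(self, sample_id, poll_seconds=30, max_polls=40):
        """Poll until the sample leaves the in-progress states (assumed names).
        Returns the final state or raises TimeoutError when the budget is spent."""
        for _ in range(max_polls):
            state = self.status(sample_id)
            if state not in ("wait", "prep", "run", "proc"):
                return state
            self.sleep(poll_seconds)
        raise TimeoutError(f"sample {sample_id} still in progress after {max_polls} polls")

    def threat_score(self, sample_id):
        """Fetch the threat summary score (assumed: GET /api/v2/samples/<id>/threat)."""
        q = urllib.parse.urlencode({"api_key": self.api_key})
        resp = self.transport("GET", f"{self.base_url}/api/v2/samples/{sample_id}/threat?{q}")
        return resp["data"]["score"]


def classify(score, threshold=75):
    """Map a 0-100 threat score to a verdict a workflow can branch on."""
    if score is None:
        return "unknown"
    if score >= threshold:
        return "malicious"
    return "suspicious" if score >= 50 else "clean"


def analyze_url(client, url):
    """Submit, wait, score: the whole loop an automation workflow would run."""
    sid = client.submit_url(url)
    state = client.wait_for_completion(sid)
    if state != "succ":  # assumed success state; "fail" or a timeout yields no score
        return {"sample_id": sid, "state": state, "score": None, "verdict": "unknown"}
    score = client.threat_score(sid)
    return {"sample_id": sid, "state": state, "score": score, "verdict": classify(score)}


class FakeServer:
    """Constructed stand-in for the portal: reports 'run' twice, then 'succ'."""
    def __init__(self, score):
        self.score = score
        self.polls = 0

    def __call__(self, method, url, data=None):
        path = urllib.parse.urlparse(url).path
        if method == "POST" and path == "/api/v2/samples":
            return {"data": {"id": "sample-0001"}}
        if path.endswith("/threat"):
            return {"data": {"score": self.score}}
        self.polls += 1
        return {"data": {"state": "run" if self.polls < 3 else "succ"}}


if __name__ == "__main__":
    client = SmaClient("api-key-placeholder", transport=FakeServer(95), sleep=lambda s: None)
    print(analyze_url(client, "http://example.test/landing"))  # constructed URL
```

Replacing FakeServer with the default http_transport turns this into a live client; the sleep and transport parameters exist so the polling logic and the verdict mapping can be tested without contacting the portal.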