Detonate File - Generic

Detonates a file through active integrations that support file detonation.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Detonate File - Cuckoo
  • Detonate File - Lastline v2
  • Detonate File - ThreatGrid
  • CrowdStrike Falcon Sandbox - Detonate file
  • ATD - Detonate File
  • WildFire - Detonate file
  • Detonate File - HybridAnalysis
  • Detonate File - SNDBOX
  • Detonate File - FireEye AX
  • Detonate File - VMRay
  • Detonate File - ANYRUN
  • Detonate File - JoeSecurity

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

This playbook does not use any commands.

Playbook Inputs


NameDescriptionDefault ValueSourceRequired
EntryIDThe entry ID of the file to be detonated.EntryIDFileOptional
FileThe file object of the file to be detonated.NoneFileOptional

Playbook Outputs


PathDescriptionType
Joe.Analysis.StatusThe analysis status.string
Joe.Analysis.WebIDThe web ID.string
File.NameThe filename (only in case of report type=json).string
File.SHA1The SHA1 hash of the file.string
File.SHA256The SHA256 hash of the file.string
File.SizeThe file size (only in case of report type=json).number
File.TypeThe file type. For example, "PE" (only in case of report type=json).string
File.MaliciousThe malicious file's description.unknown
File.Malicious.DescriptionThe reason for the vendor to make the decision that the file is malicious.string
File.Malicious.VendorThe vendor that made the decision that the file is malicious.string
DBotScoreThe indicator's object.unknown
DBotScore.IndicatorThe indicator we tested.string
DBotScore.ScoreThe actual score.number
DBotScore.TypeThe type of the indicator.string
DBotScore.VendorThe vendor used to calculate the score.string
IP.AddressThe IP addresses's relevant to the sample.string
DBotScore.Malicious.VendorThe vendor used to calculate the score.string
DBotScore.Malicious.DetectionsThe sub analysis detection statuses.string
DBotScore.Malicious.SHA1The SHA1 hash of the file.string
Sample.StateThe sample state.unknown
Sample.IDThe sample ID.unknown
FileThe file's object.unknown
File.MD5The MD5 hash of the file.string
Joe.Analysis.SampleNameThe sample data. Can be, a file name or a URL.string
Joe.Analysis.CommentsThe analysis comments.string
Joe.Analysis.TimeThe submitted time.date
Joe.Analysis.RunsThe sub-analysis information.unknown
Joe.Analysis.ResultThe analysis results.string
Joe.Analysis.ErrorsThe errors raised during sampling.unknown
Joe.Analysis.SystemsThe analysis OS.unknown
Joe.Analysis.MD5The MD5 hash of the analysis sample.string
Joe.Analysis.SHA1The SHA1 hash of the analysis sample.string
Joe.Analysis.SHA256The SHA256 hash of the analysis sample.string
InfoFile.NameThe filename of the report file.string
InfoFile.EntryIDThe EntryID of the report file.string
InfoFile.SizeThe file size.number
InfoFile.TypeThe file type. For example, "PE".string
InfoFile.InfoThe basic information of the file.string
File.ExtensionThe file extension.string
InfoFileThe report file's object.unknown
WildFire.ReportThe submission object.unknown
WildFire.Report.StatusThe status of the submission.string
WildFire.Report.SHA256The SHA256 hash of the submission.string
WildFire.Report.MD5The MD5 hash of the submission.string
WildFire.Report.FileTypeThe type of the submission.string
WildFire.Report.SizeThe size of the submission.number
Joe.AnalysisThe analysis object.unknown
Cuckoo.Task.CategoryThe category of the task.unknown
Cuckoo.Task.MachineThe machine of the task.unknown
Cuckoo.Task.ErrorsThe errors of the task.unknown
Cuckoo.Task.TargetThe target of the task.unknown
Cuckoo.Task.PackageThe package of the task.unknown
Cuckoo.Task.SampleIDThe sample ID of the task.unknown
Cuckoo.Task.GuestThe task guest.unknown
Cuckoo.Task.CustomThe custom values of the task.unknown
Cuckoo.Task.OwnerThe task owner.unknown
Cuckoo.Task.PriorityThe priority of the task.unknown
Cuckoo.Task.PlatformThe platform of the task.unknown
Cuckoo.Task.OptionsThe task options.unknown
Cuckoo.Task.StatusThe task status.unknown
Cuckoo.Task.EnforceTimeoutWhether the timeout of the task is enforced.unknown
Cuckoo.Task.TimeoutThe task timeout.unknown
Cuckoo.Task.MemoryThe task memory.unknown
Cuckoo.Task.TagsThe task tags.unknown
Cuckoo.Task.IDThe ID of the task.unknown
Cuckoo.Task.AddedOnThe date the task was added.unknown
Cuckoo.Task.CompletedOnThe date the task was completed.unknown
Cuckoo.Task.ScoreThe reported score of the the task.unknown
Cuckoo.Task.MonitorThe monitor of the reported task.unknown
SNDBOX.Analysis.IDThe analysis ID.string
SNDBOX.Analysis.SampleNameThe sample data. Can be, "file name" or "URL".string
SNDBOX.Analysis.StatusThe analysis status.string
SNDBOX.Analysis.TimeThe time it was submitted.date
SNDBOX.Analysis.ResultThe analysis results.string
SNDBOX.Analysis.ErrorsThe errors raised during sampling.unknown
SNDBOX.Analysis.LinkThe analysis link.string
SNDBOX.Analysis.MD5The MD5 hash of the analysis sample.string
SNDBOX.Analysis.SHA1The SHA1 hash of the analysis sample.string
SNDBOX.Analysis.SHA256The SHA256 hash of the analysis sample.string
SNDBOX.AnalysisThe SNDBOX analysis.unknown
HybridAnalysis.Submit.StateThe state of the process.string
HybridAnalysis.Submit.SHA256The submission SHA256 hash.string
HybridAnalysis.Submit.JobIDThe JobID of the submission.string
HybridAnalysis.Submit.EnvironmentIDThe environmentID of the submission.string
HybridAnalysis.SubmitThe HybridAnalysis object.unknown
ANYRUN.Task.AnalysisDateThe date and time the analysis was executed.String
ANYRUN.Task.Behavior.CategoryThe category of a process behavior.String
ANYRUN.Task.Behavior.ActionThe actions performed by a process.String
ANYRUN.Task.Behavior.ThreatLevelThe threat score associated with a process behavior.Number
ANYRUN.Task.Behavior.ProcessUUIDThe unique ID of the process whose behaviors are being profiled.String
ANYRUN.Task.Connection.ReputationThe connection reputation.String
ANYRUN.Task.Connection.ProcessUUIDThe ID of the process that created the connection.String
ANYRUN.Task.Connection.ASNThe connection autonomous system network.String
ANYRUN.Task.Connection.CountryThe connection country.String
ANYRUN.Task.Connection.ProtocolThe connection protocol.String
ANYRUN.Task.Connection.PortThe connection port number.Number
ANYRUN.Task.Connection.IPThe connection IP address number.String
ANYRUN.Task.DnsRequest.ReputationThe reputation of the DNS request.String
ANYRUN.Task.DnsRequest.IPThe IP addresses associated with a DNS request.Unknown
ANYRUN.Task.DnsRequest.DomainThe domain resolution of a DNS request.String
ANYRUN.Task.Threat.ProcessUUIDThe unique process ID from where the threat originated.String
ANYRUN.Task.Threat.MsgThe threat message.String
ANYRUN.Task.Threat.ClassThe class of the threat.String
ANYRUN.Task.Threat.SrcPortThe port on which the threat originated.Number
ANYRUN.Task.Threat.DstPortThe destination port of the threat.Number
ANYRUN.Task.Threat.SrcIPThe source IP address where the threat originated.String
ANYRUN.Task.Threat.DstIPThe destination IP address of the threat.String
ANYRUN.Task.HttpRequest.ReputationThe reputation of the HTTP request.String
ANYRUN.Task.HttpRequest.CountryThe HTTP request country.String
ANYRUN.Task.HttpRequest.ProcessUUIDThe ID of the process making the HTTP request.String
ANYRUN.Task.HttpRequest.BodyThe HTTP request body parameters and details.Unknown
ANYRUN.Task.HttpRequest.HttpCodeThe HTTP request response code.Number
ANYRUN.Task.HttpRequest.StatusThe status of the HTTP request.String
ANYRUN.Task.HttpRequest.ProxyDetectedWhether the HTTP request was made through a proxy.Boolean
ANYRUN.Task.HttpRequest.PortThe HTTP request port.Number
ANYRUN.Task.HttpRequest.IPThe HTTP request IP address.String
ANYRUN.Task.HttpRequest.URLThe HTTP request URL.String
ANYRUN.Task.HttpRequest.HostThe HTTP request host.String
ANYRUN.Task.HttpRequest.MethodThe HTTP request method type.String
ANYRUN.Task.FileInfoThe details of the submitted file.String
ANYRUN.Task.OSThe OS of the sandbox in which the file was analyzed.String
ANYRUN.Task.IDThe unique ID of the task.String
ANYRUN.Task.MIMEThe MIME of the file submitted for analysis.String
ANYRUN.Task.MD5The MD5 hash of the file submitted for analysis.String
ANYRUN.Task.SHA1The SHA1 hash of the file submitted for analysis.String
ANYRUN.Task.SHA256The SHA256 hash of the file submitted for analysis.String
ANYRUN.Task.SSDeepThe SSDeep hash of the file submitted for analysis.String
ANYRUN.Task.VerdictThe ANY.RUN verdict for the maliciousness of the submitted file or URL.String
ANYRUN.Task.Process.FileNameThe file name of the process.String
ANYRUN.Task.Process.PIDThe process identification number.Number
ANYRUN.Task.Process.PPIDThe parent process identification number.Number
ANYRUN.Task.Process.ProcessUUIDThe unique process ID (used by ANY.RUN).String
ANYRUN.Task.Process.CMDThe process command.String
ANYRUN.Task.Process.PathThe path of the executed command.String
ANYRUN.Task.Process.UserThe user who executed the command.String
ANYRUN.Task.Process.IntegrityLevelThe process integrity level.String
ANYRUN.Task.Process.ExitCodeThe process exit code.Number
ANYRUN.Task.Process.MainProcessWhether the process is the main process.Boolean
ANYRUN.Task.Process.Version.CompanyThe company responsible for the program executed.String
ANYRUN.Task.Process.Version.DescriptionThe description of the type of program.String
ANYRUN.Task.Process.Version.VersionThe version of the program executed.String
DBotScore.IndicatorThe indicator that was tested.String
DBotScore.ScoreThe actual score.Number
DBotScore.TypeType of indicator.String
DBotScore.VendorThe vendor used to calculate the score.String
File.ExtensionThe extension of the file submitted for analysis.String
File.NameThe name of the file submitted for analysis.String
File.MD5The MD5 hash of the file submitted for analysis.String
File.SHA1The SHA1 hash of the file submitted for analysis.String
File.SHA256The SHA256 hash of the file submitted for analysis.String
File.SSDeepThe SSDeep hash of the file submitted for analysis.String
File.Malicious.VendorThe vendor that made the decision that the file is malicious.String
File.Malicious.DescriptionThe reason that the vendor made the decision tha the file is malicious.String
ANYRUN.Task.StatusThe task analysis status.String

Playbook Image


Detonate_File_Generic