Detonate File - SNDBOX

Detonates a file using SNDBOX.

Advanced Threat Defense supports the following file types:

Microsoft (2003 and earlier): doc, dot, xls, csv, xlt, xlm, ppt, pot, pps.

Microsoft (2007 and later): docx, docm, dotx, dotm, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, iqy, pptx, pptm, potx, ppsx, xml.

Other: pe32, rtf, pdf, vbs, vbe, ps1, js, lnk, html, bat.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

This playbook does not use any integrations.

Scripts

  • Set

Commands

  • sndbox-download-report
  • sndbox-analysis-submit-sample
  • sndbox-analysis-info

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| File | The file to detonate. The file is taken from the context. | None | File | Optional |
| Interval | How often the polling command should run (in minutes). | 1 | - | Optional |
| Timeout | How much time to wait before a timeout occurs (in minutes). | 15 | - | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| SNDBOX.Analysis.ID | The analysis ID. | string |
| SNDBOX.Analysis.SampleName | The sample data. Can be "filename" or "URL". | string |
| SNDBOX.Analysis.Status | The analysis status. | string |
| SNDBOX.Analysis.Time | The submitted time. | date |
| SNDBOX.Analysis.Result | The analysis results. | string |
| SNDBOX.Analysis.Errors | The errors raised during sampling. | unknown |
| SNDBOX.Analysis.Link | The analysis link. | string |
| SNDBOX.Analysis.MD5 | The MD5 hash of the analysis sample. | string |
| SNDBOX.Analysis.SHA1 | The SHA1 hash of the analysis sample. | string |
| SNDBOX.Analysis.SHA256 | The SHA256 hash of the analysis sample. | string |
| DBotScore.Vendor | The name of the vendor: SNDBOX. | string |
| DBotScore.Indicator | The name of the sample file or URL. | unknown |
| DBotScore.Type | The file. | string |
| DBotScore.Score | The actual score. | number |
| DBotScore.Malicious.Vendor | The name of the vendor: SNDBOX. | string |
| DBotScore.Malicious.Detections | The sub analysis detection statuses. | string |
| DBotScore.Malicious.SHA1 | The SHA1 hash of the file. | string |
| InfoFile.Name | The filename. | string |
| InfoFile.EntryID | The EntryID of the report. | string |
| InfoFile.Size | The file size. | number |
| InfoFile.Type | The file type. For example, "PE". | string |
| InfoFile.Info | The basic information of the file. | string |
| InfoFile.Extension | The file extension. | string |
| File.Size | The file size. | number |
| File.SHA1 | The SHA1 hash of the file. | string |
| File.SHA256 | The SHA256 hash of the file. | string |
| File.Name | The sample name. | string |
| File.SSDeep | The SSDeep hash of the file. | string |
| File.EntryID | The War Room entry ID of the file. | string |
| File.Info | The basic information of the file. | string |
| File.Type | The file type. For example, "PE". | string |
| File.MD5 | The MD5 hash of the file. | string |
| File.Extension | The file extension. | string |

Playbook Image


Detonate_File_SNDBOX