Detonate File - ThreatStream

Detonates one or more files using the Anomali ThreatStream v2 integration. This playbook returns relevant reports to the War Room, and file reputations to the context data.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

This playbook does not use any integrations.

Scripts

  • Set

Commands

  • threatstream-submit-to-sandbox
  • threatstream-analysis-report

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| File | The file object of the file to detonate. | None | File | Optional |
| VM | The VM to use (string). | - | - | Optional |
| SubmissionClassification | The classification of the sandbox submission. | - | - | Optional |
| PremiumSandbox | Specifies if the premium sandbox should be used for detonation. | - | - | Optional |
| Tags | A CSV list of tags applied to this sample. | - | - | Optional |
| Interval | The polling frequency. How often the polling command should run (in minutes). | - | - | Optional |
| Timeout | The amount of time to wait before a timeout occurs (in minutes). | - | - | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| File.Malicious | The malicious file's description. | unknown |
| File.Malicious.Vendor | The vendor that made the decision that the file is malicious. | string |
| File.Type | The file type. For example, "PE". | string |
| File.Size | The file size. | number |
| File.MD5 | The MD5 hash of the file. | string |
| File.Name | The file name. | string |
| File.SHA1 | The SHA1 hash of the file. | string |
| File | The file object. | unknown |
| File.SHA256 | The SHA256 hash of the file. | string |
| DBotScore | The DBotScore object. | unknown |
| DBotScore.Indicator | The indicator that was tested. | string |
| DBotScore.Type | The indicator type. | string |
| DBotScore.Vendor | The vendor used to calculate the score. | string |
| DBotScore.Score | The actual score. | number |

Playbook Image


Detonate_File_ThreatStream