Detonate URL - ThreatStream

Detonates one or more URLs using the Anomali ThreatStream v2 sandbox integration. Returns relevant reports to the War Room and URL reputations to the context data.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

No integration is listed explicitly, but the commands below are run through the Anomali ThreatStream v2 integration named in the description; an enabled instance of that integration is required for this playbook to run.

Scripts

This playbook does not use any scripts.

Commands

  • threatstream-submit-to-sandbox
  • threatstream-analysis-report

Playbook Inputs


Name | Description | Default Value | Source | Required
URL | The URL to detonate. | None | URL | Optional
Interval | How often to poll for the analysis result (in minutes). | 5 | - | Optional
Timeout | How long to keep polling before the playbook resumes without a result (in minutes). | 120 | - | Optional
VM | The VM to use (string). | - | - | Optional
SubmissionClassification | The classification of the sandbox submission. | - | - | Optional
PremiumSandbox | Whether to use the premium sandbox for detonation. | - | - | Optional
Tags | A CSV list of tags to apply to the submitted sample. | - | - | Optional

Playbook Outputs


Note: the ANYRUN.Task.* paths listed here are the ANY.RUN sandbox context keys and do not correspond to the threatstream-submit-to-sandbox and threatstream-analysis-report commands this playbook runs. Verify the actual context paths against the output of threatstream-analysis-report in your instance before referencing them in downstream tasks; the DBotScore.* and URL.* paths are the standard indicator outputs.

Path | Description | Type
ANYRUN.Task.AnalysisDate | The date and time the analysis was executed. | String
ANYRUN.Task.Behavior.Category | The category of a process behavior. | String
ANYRUN.Task.Behavior.Action | The actions performed by a process. | String
ANYRUN.Task.Behavior.ThreatLevel | The threat score associated with a process behavior. | Number
ANYRUN.Task.Behavior.ProcessUUID | The unique ID of the process whose behaviors are being profiled. | String
ANYRUN.Task.Connection.Reputation | The connection reputation. | String
ANYRUN.Task.Connection.ProcessUUID | The ID of the process that created the connection. | String
ANYRUN.Task.Connection.ASN | The autonomous system number of the connection. | String
ANYRUN.Task.Connection.Country | The connection country. | String
ANYRUN.Task.Connection.Protocol | The connection protocol. | String
ANYRUN.Task.Connection.Port | The connection port number. | Number
ANYRUN.Task.Connection.IP | The connection IP address. | String
ANYRUN.Task.DnsRequest.Reputation | The reputation of the DNS request. | String
ANYRUN.Task.DnsRequest.IP | The IP addresses associated with a DNS request. | Unknown
ANYRUN.Task.DnsRequest.Domain | The domain resolved by a DNS request. | String
ANYRUN.Task.Threat.ProcessUUID | The unique ID of the process from which the threat originated. | String
ANYRUN.Task.Threat.Msg | The threat message. | String
ANYRUN.Task.Threat.Class | The class of the threat. | String
ANYRUN.Task.Threat.SrcPort | The source port of the threat. | Number
ANYRUN.Task.Threat.DstPort | The destination port of the threat. | Number
ANYRUN.Task.Threat.SrcIP | The source IP address of the threat. | String
ANYRUN.Task.Threat.DstIP | The destination IP address of the threat. | String
ANYRUN.Task.HttpRequest.Reputation | The reputation of the HTTP request. | String
ANYRUN.Task.HttpRequest.Country | The HTTP request country. | String
ANYRUN.Task.HttpRequest.ProcessUUID | The ID of the process making the HTTP request. | String
ANYRUN.Task.HttpRequest.Body | The HTTP request body parameters and details. | Unknown
ANYRUN.Task.HttpRequest.HttpCode | The HTTP response code. | Number
ANYRUN.Task.HttpRequest.Status | The status of the HTTP request. | String
ANYRUN.Task.HttpRequest.ProxyDetected | Whether the HTTP request was made through a proxy. | Boolean
ANYRUN.Task.HttpRequest.Port | The HTTP request port. | Number
ANYRUN.Task.HttpRequest.IP | The HTTP request IP address. | String
ANYRUN.Task.HttpRequest.URL | The HTTP request URL. | String
ANYRUN.Task.HttpRequest.Host | The HTTP request host. | String
ANYRUN.Task.HttpRequest.Method | The HTTP request method. | String
ANYRUN.Task.FileInfo | The details of the submitted file. | String
ANYRUN.Task.OS | The OS of the sandbox in which the sample was analyzed. | String
ANYRUN.Task.ID | The unique ID of the task. | String
ANYRUN.Task.MIME | The MIME type of the file submitted for analysis. | String
ANYRUN.Task.Verdict | The ANY.RUN verdict on the maliciousness of the submitted file or URL. | String
ANYRUN.Task.Status | The task analysis status. | String
ANYRUN.Task.Process.FileName | The file name of the process. | String
ANYRUN.Task.Process.PID | The process ID. | Number
ANYRUN.Task.Process.PPID | The parent process ID. | Number
ANYRUN.Task.Process.ProcessUUID | The unique process ID (used by ANY.RUN). | String
ANYRUN.Task.Process.CMD | The process command line. | String
ANYRUN.Task.Process.Path | The path of the executed command. | String
ANYRUN.Task.Process.User | The user who executed the command. | String
ANYRUN.Task.Process.IntegrityLevel | The process integrity level. | String
ANYRUN.Task.Process.ExitCode | The process exit code. | Number
ANYRUN.Task.Process.MainProcess | Whether the process is the main process. | Boolean
ANYRUN.Task.Process.Version.Company | The company responsible for the executed program. | String
ANYRUN.Task.Process.Version.Description | The description of the program. | String
ANYRUN.Task.Process.Version.Version | The version of the executed program. | String
DBotScore.Indicator | The indicator that was tested. | String
DBotScore.Score | The actual score. | Number
DBotScore.Type | The indicator type. | String
DBotScore.Vendor | The vendor used to calculate the score. | String
URL.Data | The URL. | String
URL.Malicious.Vendor | The vendor that determined the URL is malicious. | String
URL.Malicious.Description | The reason the vendor determined the URL is malicious. | String
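The submit / poll / report flow that the inputs (Interval, Timeout, VM, SubmissionClassification, PremiumSandbox, Tags) and the DBotScore / URL outputs describe, as an added stand-alone model. This is example code, not the playbook's own tasks or the Anomali ThreatStream integration: FakeSandbox is a constructed in-memory stand-in for the sandbox, the verdict strings and the verdict-to-DBotScore table are assumptions made here, and the two threatstream-* commands appear only in comments marking where they would be called.

```python
"""Model of the submit / poll / report loop this playbook runs.

Added example, not code from the XSOAR playbook or the Anomali ThreatStream
integration. FakeSandbox is a constructed in-memory stand-in; the verdict
strings, the verdict-to-score table and the timeout handling are assumptions.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

# DBotScore values as used in XSOAR context: 0 unknown, 1 good, 2 suspicious, 3 bad.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3


@dataclass
class FakeSandbox:
    """Constructed stand-in: a submission reports 'success' only after it has been
    polled `polls_until_done` times, then returns the verdict configured for its URL."""
    verdicts: Dict[str, str]                      # url -> verdict once analysis completes
    polls_until_done: int = 2
    submissions: Dict[str, dict] = field(default_factory=dict)
    polls: Dict[str, int] = field(default_factory=dict)
    next_id: int = 1000

    def submit(self, url, vm=None, classification=None, premium=False, tags=None) -> str:
        """Stands in for threatstream-submit-to-sandbox; returns a report id."""
        report_id = str(self.next_id)
        self.next_id += 1
        self.submissions[report_id] = dict(url=url, vm=vm, classification=classification,
                                           premium=premium, tags=tags or [])
        return report_id

    def status(self, report_id: str) -> str:
        """Status check used by the polling loop."""
        self.polls[report_id] = self.polls.get(report_id, 0) + 1
        return "success" if self.polls[report_id] >= self.polls_until_done else "processing"

    def report(self, report_id: str) -> dict:
        """Stands in for threatstream-analysis-report."""
        return {"verdict": self.verdicts[self.submissions[report_id]["url"]]}


def verdict_to_dbot(verdict: str) -> int:
    """Assumed mapping from a sandbox verdict string to a DBotScore; unknown strings score 0."""
    table = {"benign": DBOT_GOOD, "suspicious": DBOT_SUSPICIOUS, "malicious": DBOT_BAD}
    return table.get((verdict or "").lower(), DBOT_UNKNOWN)


def detonate_urls(urls: Union[str, List[str]], sandbox: FakeSandbox, interval_min: int = 5,
                  timeout_min: int = 120, sleep: Callable[[float], None] = time.sleep,
                  **submit_kwargs) -> dict:
    """Submit each URL, poll on the Interval cadence until every report completes or
    Timeout minutes have elapsed, then build the DBotScore and URL context entries."""
    if isinstance(urls, str):
        urls = [urls]
    pending = {sandbox.submit(u, **submit_kwargs): u for u in urls}
    finished: Dict[str, str] = {}
    elapsed = 0
    # GenericPolling-style loop: check every pending id, wait one interval, repeat,
    # and stop once the accumulated wait reaches the timeout.
    while pending and elapsed < timeout_min:
        for report_id in list(pending):
            if sandbox.status(report_id) == "success":
                finished[report_id] = pending.pop(report_id)
        if pending:
            sleep(interval_min * 60)
            elapsed += interval_min

    context = {"DBotScore": [], "URL": [], "TimedOut": []}
    vendor = "ThreatStream"
    for report_id, url in finished.items():
        verdict = sandbox.report(report_id)["verdict"]
        score = verdict_to_dbot(verdict)
        context["DBotScore"].append({"Indicator": url, "Type": "url", "Vendor": vendor, "Score": score})
        entry = {"Data": url}
        if score == DBOT_BAD:
            entry["Malicious"] = {"Vendor": vendor, "Description": f"Sandbox verdict: {verdict}"}
        context["URL"].append(entry)
    # A URL whose analysis did not finish before Timeout has no verdict: record it as
    # unknown (score 0) and list it separately rather than silently treating it as clean.
    for report_id, url in pending.items():
        context["DBotScore"].append({"Indicator": url, "Type": "url", "Vendor": vendor, "Score": DBOT_UNKNOWN})
        context["URL"].append({"Data": url})
        context["TimedOut"].append(url)
    return context


if __name__ == "__main__":
    sb = FakeSandbox(verdicts={"http://example.com/a": "benign",
                               "http://example.com/b": "malicious"})
    print(detonate_urls(list(sb.verdicts), sb, sleep=lambda s: None))
```

The `sleep` parameter is injected so the loop can be exercised without waiting; with the defaults it sleeps Interval minutes between polls for up to Timeout minutes, which is the behaviour the two inputs describe. The explicit TimedOut list is the practitioner-facing point: when the sandbox has not answered before Timeout, the playbook resumes without a verdict, and downstream tasks should treat that as "no result" rather than "not malicious".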

Playbook Image

[Image: Detonate_URL_ThreatStream]