ATDDetonate

Detonates a file or URL through McAfee ATD.

Script Data


NameDescription
Script Typepython
Tagsfile, enhancement, atd

Dependencies


This script uses the following commands and scripts.

  • atd-get-report
  • atd-check-status
  • atd-file-upload

Inputs


Argument NameDescription
vmProfileListThe analyzer of a profile's ID. The profile ID number can be found in the UI Policy/Analyzer Profile page, Or using the command atd-list-analyzer-profiles, under vmProfileid key result.
submitTypeThis parameter accepts four values. Can be, "0", "1", "2" and "3". "0" - a regular file upload. "1" - a URL submission. The URL link is processed inside analyzer VM. "2" - Will submit a file with a URL. "3" - A URL will download. The file from the URL is first downloaded and then analyzed.
urlAny valid web URL.
messageIdThe maximum number character string which is 128.
srcIpThe IPv4 address of the source system or gateway from where the file is downloaded.
dstIpThe IPv4 address of the target endpoint.
skipTaskIdThe value "0" indicates corresponding taskID in API response. The value "1" indicates -1 as a taskID in API response.
analyzeAgainThe value "0" indicates to skip sample analysis if it was analyzed previously . The value "2" indicates to not skip sample analysis if it was not analyzed previously.
xModeThe Value "0" indicates no user interaction is needed during sample analysis. The value "1" indicates user interaction is needed during sample analysis.
filePriorityQThe priority of the sample analysis. The run_now command assigns the highest priority. For example, a sample is analyzed right away. The add_to_q command puts the sample in a waiting state if there is a waiting queue of samples. The default is run_now.
entryIDThe entry ID.
reportTypeThe report type can be, "html" - a HTML report, "txt" - a text report, "xml" - a XML report, "zip" - all the files packaged into a single zip file, "json" - the same report as xml but in the JSON format, "ioc" - an Indicators of Compromise format, "stix" - a Structured Threat Information Expression. By default, STIX generation is disabled. Use set stixreportstatus enable to enable it. "pdf" - Portable Document Format, "sample" - downloads a sample from McAfee Advanced Threat Defense.
timeoutThe timeout length (in seconds). The default is 10 minutes.
intervalThe interval to poll for results. The default is 10 seconds.

Outputs


PathDescriptionType
File.NameThe filename (only in the case of report type=json).Unknown
File.TypeThe file type. For example, "PE" (only in the case of a report type=json).Unknown
File.SizeThe file size(only in the case of a report type=json).Unknown
File.MD5The MD5 file hash of the file (only in the case of a report type=json).Unknown
File.SHA1The SHA1 file hash of the file (only in the case of a report type=json).Unknown
File.SHA256The SHA256 file hash of the file (only in the case of a report type=json).Unknown
File.Malicious.VendorThe vendor that made the decision that the file is malicious.Unknown
File.Malicious.DescriptionThe reason that the vendor decided that the files are malicious.Unknown
DBotScore.IndicatorThe indicator that was tested (only in the case of a report type=json).Unknown
DBotScore.TypeThe type of the indicator (only in the case of a report type=json).Unknown
DBotScore.VendorThe vendor used to calculate the score (only in the case of a report type=json).Unknown
DBotScore.ScoreThe actual score (only in the case of a report type=json).Unknown