CheckPointSandBlast
Uploads files using polling. The service supports Microsoft Office files, as well as PDF, SWF, archives, and executables. Active content will be cleaned from any documents that you upload (Microsoft Office and PDF files only). Queries on existing IOCs, file status, analysis, and reports. Downloads files from the database. Supports both appliance and cloud. Supported Threat Emulation versions are any R80x.
Forensics & Malware Analysis · Check Point Threat Emulation (SandBlast)
Configuration parameters
url— Server URL (required)credentials—insecure— Trust any certificate (not secure)proxy— Use system proxy settingsintegrationReliability— Source Reliability
Commands (5)
-
fileRuns reputation on files.
-
sandblast-downloadUses the Download API to download a scanned file from the ThreatCloud according to the file ID.
-
sandblast-queryUse the Query API to have a client application look for either a specific file's analysis report on the Check Point Threat Prevention service databases or the status of a file, uploaded for analysis. It is recommended to add file_name.
-
sandblast-quotaUses the Quota API to have a client application get the current license and quota status of the API key used in the authorization of the other APIs. For cloud services only.
-
sandblast-uploadUses the Upload API to have a client application request for Check Point Threat Prevention modules to scan and analyze a file. When you upload a file to the service, the file is encrypted. It is un-encrypted during analysis and then deleted. This command uses polling with query. The stages of polling are 'UPLOAD_SUCCESS', 'PENDING' and ends with 'FOUND' or 'PARTIALLY_FOUND'. Once the command is done polling, it returns analyzed information about the file.