Detonate File - ThreatStream

Detonate one or more files using the Anomali ThreatStream v2 integration. This playbook returns relevant reports to the War Room, and file reputations to the context data.

Anomali ThreatStream · 9 tasks · 7 inputs · 14 outputs

Inputs

  • File — File object of the file to detonate.
  • VM — The VM to use (string)
  • SubmissionClassification — Classification of the Sandbox submission.
  • PremiumSandbox — Specifies if the premium sandbox should be used for detonation.
  • Tags — A CSV list of tags applied to this sample.
  • Interval — Polling frequency - how often the polling command should run (minutes).
  • Timeout — Amount of time to wait before a timeout occurs (minutes).

Outputs

  • File.Malicious — The file malicious description.
  • File.Malicious.Vendor — For malicious files, the vendor that made the decision.
  • File.Type — File type, for example: "PE".
  • File.Size — File size.
  • File.MD5 — MD5 hash of the file.
  • File.Name — File name.
  • File.SHA1 — SHA1 hash of the file.
  • File — The file object.
  • File.SHA256 — SHA256 hash of the file.
  • DBotScore — The DBotScore object.
  • DBotScore.Indicator — The indicator that was tested.
  • DBotScore.Type — The indicator type.
  • DBotScore.Vendor — Vendor used to calculate the score.
  • DBotScore.Score — The actual score.

Commands used

threatstream-analysis-report threatstream-submit-to-sandbox

Flowchart

yes yes yes Start Start Is Anomali ThreatStream v2 enabled? Is Anomali ThreatStream v... Done Done ThreatStream Get Report - threatstream-analysis-report ThreatStream Get Report threatstream-analysis-report Set file to context - Set Set file to context Set GenericPolling - GenericPolling GenericPolling GenericPolling Is there a file to detonate? Is there a file to detonate? Is the file size bigger than 0? Is the file size bigger t... ThreatStream Upload File - threatstream-submit-to-sandbox ThreatStream Upload File threatstream-submit-to-sandbox