Detonate and Analyze File - Generic

This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon Intelligence Sandbox, JoeSecurity, and Wildfire.

Common Playbooks · 18 tasks · 1 input · 52 outputs

Inputs

  • File — The details of the file to search for.

Outputs

  • csfalconx.resource.tags — The analysis tags.
  • csfalconx.resource.sha256 — The SHA256 hash of the scanned file.
  • csfalconx.resource.file_name — The name of the uploaded file.
  • csfalconx.resource.sandbox — The Falcon Intelligence Sandbox findings.
  • csfalconx.resource.intel — The Falcon Intelligence Sandbox intelligence results.
  • WildFire.Report — The Wildfire findings.
  • AttackPattern — The MITRE Attack pattern information.
  • MITREATTACK — Full MITRE data for the attack pattern.
  • DBotScore — DBotScore object.
  • Joe.Analysis — Joe Analysis object.
  • DBotScore.Vendor — The vendor used to calculate the score.
  • DBotScore.Indicator — The indicator that was tested.
  • DBotScore.Type — The indicator type.
  • DBotScore.Score — The actual score.
  • DBotScore.Malicious — DBotScore Malicious object
  • DBotScore.Malicious.Vendor — The vendor used to calculate the score.
  • DBotScore.Malicious.Detections — The sub analysis detection statuses
  • DBotScore.Malicious.SHA1 — The SHA1 of the file
  • Joe.Analysis.ID — Web ID
  • Joe.Analysis.Status — Analysis Status
  • Joe.Analysis.Comments — Analysis Comments
  • Joe.Analysis.Time — Submitted Time
  • Joe.Analysis.Runs — Sub-Analysis Information
  • Joe.Analysis.Result — Analysis Results
  • Joe.Analysis.Errors — Raised errors during sampling
  • Joe.Analysis.Systems — Analysis OS
  • Joe.Analysis.MD5 — MD5 of analysis sample
  • Joe.Analysis.SHA1 — SHA1 of analysis sample
  • Joe.Analysis.SHA256 — SHA256 of analysis sample
  • Joe.Analysis.SampleName — Sample Data, could be a file name or URL
  • InfoFile — Report file object
  • InfoFile.Name — The filename.
  • InfoFile.EntryID — The entry ID of the report.
  • InfoFile.Size — File size.
  • InfoFile.Type — File type, e.g., "PE".
  • InfoFile.Info — Basic information of the file.
  • InfoFile.Extension — The extension of the image file.
  • File — File object
  • File.Extension — File extension.
  • File.MD5 — The MD5 hash of the file.
  • File.Name — The full file name.
  • File.SHA1 — The SHA1 hash of the file.
  • File.SHA256 — The SHA256 hash of the file.
  • ExtractedIndicators — outputs.extractindicators
  • AttackPattern.STIXID — The STIX ID of the Attack Pattern.
  • AttackPattern.KillChainPhases — The kill chain phases of the Attack Pattern.
  • AttackPattern.FirstSeenBySource — The first seen by source of the Attack Pattern.
  • AttackPattern.Description — The description of the Attack Pattern.
  • AttackPattern.OperatingSystemRefs — The operating system references of the Attack Pattern.
  • AttackPattern.Publications — The publications of the Attack Pattern.
  • AttackPattern.MITREID — The MITRE ID of the Attack Pattern.
  • AttackPattern.Tags — The tags of the Attack Pattern.

Commands used

attack-pattern extractIndicators joe-download-report rasterize-pdf

Flowchart

no yes yes yes yes no yes yes yes yes yes yes Start Start CrowdStrike Falcon Intelligence Sandbox Detonate and Analyze File - CrowdStrike Falcon Intelligence Sandbox Detonate and Analyze File CrowdStrike Falcon Intell... CrowdStrike Falcon Intelligen... Wildfire Detonate and Analyze File - Wildfire Detonate and Analyze File Wildfire Detonate and Ana... Wildfire Detonate and Analyze... Done Done Is CrowdStrike Falcon Intelligence Sandbox enabled? - IsIntegrationAvailable Is CrowdStrike Falcon Int... IsIntegrationAvailable Is there a file? Is there a file? Is Wildfire enabled? - IsIntegrationAvailable Is Wildfire enabled? IsIntegrationAvailable Are there MITRE findings? Are there MITRE findings? Mitre Attack - Extract Technique Information From ID - Mitre Attack - Extract Technique Information From ID Mitre Attack - Extract Te... Mitre Attack - Extract Techni... Is JoeSecurity sandbox enabled? - IsIntegrationAvailable Is JoeSecurity sandbox en... IsIntegrationAvailable Get a full report from Joe Sandbox - JSON - joe-download-report Get a full report from Jo... joe-download-report Any results from the Joe search? Any results from the Joe ... Get a full report from Joe Sandbox - PDF - joe-download-report Get a full report from Jo... joe-download-report Rasterize PDF - rasterize-pdf Rasterize PDF rasterize-pdf Extract Indicators from the Report - extractIndicators Extract Indicators from t... extractIndicators Enrich Mitre Attack Techniques information. - attack-pattern Enrich Mitre Attack Techn... attack-pattern Are there MITRE findings? Are there MITRE findings? Detonate File - JoeSecurity V2 - Detonate File - JoeSecurity V2 Detonate File - JoeSecuri... Detonate File - JoeSecurity V2