File Enrichment - Generic v2
Enrich a file using one or more integrations. - Provide threat information - Determine file reputation using the !file command
Common Playbooks · 12 tasks · 4 inputs · 95 outputs
Inputs
MD5— File MD5 hash to enrich.SHA256— The file SHA256 hash to enrich.SHA1— The file SHA1 hash to enrich.UseReputationCommand— Define if you would like to use the !file command. Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. Possible values: True / False.
Outputs
DBotScore.Indicator— The indicator that was tested.DBotScore.Type— The indicator type.File.SHA1— SHA1 hash of the file.File.SHA256— SHA256 hash of the file.File.Malicious.Vendor— For malicious files, the vendor that made the decision.File.MD5— MD5 hash of the file.DBotScore— The DBotScore object.File— The file objectDBotScore.Vendor— Vendor used to calculate the score.DBotScore.Score— The actual score.File.Malicious.Description— The reason the vendor decided the file was malicious.File.Name— The name of the threat.File.MalwareFamily— The file family classification.File.AutoRun— Indicates if the file is set to automatically run on system startup.File.AvIndustry— The score provided by the Anti-Virus industry.File.CertIssuer— The ID for the certificate issuer.File.CertPublisher— The ID for the certificate publisher.File.CertTimestamp— The date and time (in UTC) when the file was signed using the certificate.File.Classification— The threat classification for the threat.File.CylanceScore— The Cylance Score assigned to the threat.File.DetectedBy— The name of the Cylance module that detected the threat.File.FileSize— The size of the file.File.GlobalQuarantine— Identifies if the threat is on the Global Quarantine list.File.Running— Identifies if the threat is executing, or another executable loaded or called it.File.Safelisted— Identifies if the threat is on the Safe List.File.Signed— Identifies the file as signed or not signed.File.SubClassification— The threat sub-classification for the threat.File.UniqueToCylance— Whether the threat was identified by Cylance, and not by other anti-virus sources.File.Relationships.EntityA— The source of the relationship.File.Relationships.EntityB— The destination of the relationship.File.Relationships.Relationship— The name of the relationship.File.Relationships.EntityAtype— The type of the source of the relationship.File.Relationships.EntityBtype— The type of the destination of the relationship.File.Malicious.TotalEngines— For malicious files, the total number of engines that checked the file hash.DBotScore.Reliability— Reliability of the source providing the intelligence data.VirusTotal.File.attributes.type_description— description of the type of the file.VirusTotal.File.attributes.tlsh— The locality-sensitive hashing.VirusTotal.File.attributes.names— Names of the file.VirusTotal.File.attributes.last_modification_date— The last modification date in epoch format.VirusTotal.File.attributes.type_tag— Tag of the type.VirusTotal.File.attributes.size— Size of the file.VirusTotal.File.attributes.times_submitted— Number of times the file was submitted.VirusTotal.File.attributes.last_submission_date— Last submission date in epoch format.VirusTotal.File.attributes.downloadable— Whether the file is downloadable.VirusTotal.File.attributes.sha256— SHA-256 hash of the file.VirusTotal.File.attributes.type_extension— Extension of the type.VirusTotal.File.attributes.tags— File tags.VirusTotal.File.attributes.last_analysis_date— Last analysis date in epoch format.VirusTotal.File.attributes.unique_sources— Unique sources.VirusTotal.File.attributes.first_submission_date— First submission date in epoch format.VirusTotal.File.attributes.ssdeep— SSDeep hash of the file.VirusTotal.File.attributes.md5— MD5 hash of the file.VirusTotal.File.attributes.sha1— SHA-1 hash of the file.VirusTotal.File.attributes.magic— Identification of file by the magic number.VirusTotal.File.attributes.meaningful_name— Meaningful name of the file.VirusTotal.File.attributes.reputation— The reputation of the file.VirusTotal.File.attributes.exiftool.MIMEtype— MIME type of the file.VirusTotal.File.attributes.exiftool.Filetype— The file type.VirusTotal.File.attributes.exiftool.WordCount— Total number of words in the file.VirusTotal.File.attributes.exiftool.LineCount— Total number of lines in file.VirusTotal.File.attributes.exiftool.MIMEEncoding— The MIME encoding.VirusTotal.File.attributes.exiftool.FiletypeExtension— The file type extension.VirusTotal.File.attributes.exiftool.Newlines— Number of newlines signs.VirusTotal.File.attributes.javascript_info.tags— Tags of the JavaScript.VirusTotal.File.attributes.crowdsourced_ids_stats.info— Number of IDS that marked the file as "info".VirusTotal.File.attributes.crowdsourced_ids_stats.high— Number of IDS that marked the file as "high".VirusTotal.File.attributes.crowdsourced_ids_stats.medium— Number of IDS that marked the file as "medium".VirusTotal.File.attributes.crowdsourced_ids_stats.low— Number of IDS that marked the file as "low".VirusTotal.File.attributes.sigma_analysis_stats.critical— Number of Sigma analysis that marked the file as "critical".VirusTotal.File.attributes.sigma_analysis_stats.high— Number of Sigma analysis that marked the file as "high".VirusTotal.File.attributes.sigma_analysis_stats.medium— Number of Sigma analysis that marked the file as "medium".VirusTotal.File.attributes.sigma_analysis_stats.low— Number of Sigma analysis that marked the file as "low".VirusTotal.File.attributes.trid.file_type— The TrID file type.VirusTotal.File.attributes.trid.probability— The TrID probability.VirusTotal.File.attributes.crowdsourced_yara_results.description— description of the YARA rule.VirusTotal.File.attributes.crowdsourced_yara_results.source— Source of the YARA rule.VirusTotal.File.attributes.crowdsourced_yara_results.author— Author of the YARA rule.VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_name— Rule set name of the YARA rule.VirusTotal.File.attributes.crowdsourced_yara_results.rule_name— Name of the YARA rule.VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_id— ID of the YARA rule.VirusTotal.File.attributes.total_votes.harmless— Total number of harmless votes.VirusTotal.File.attributes.total_votes.malicious— Total number of malicious votes.VirusTotal.File.attributes.popular_threat_classification.suggested_threat_label— Suggested thread label.VirusTotal.File.attributes.popular_threat_classification.popular_threat_name— The popular thread name.VirusTotal.File.attributes.last_analysis_stats.harmless— The number of engines that found the indicator to be harmless.VirusTotal.File.attributes.last_analysis_stats.type-unsupported— The number of engines that found the indicator to be of type unsupported.VirusTotal.File.attributes.last_analysis_stats.suspicious— The number of engines that found the indicator to be suspicious.VirusTotal.File.attributes.last_analysis_stats.confirmed-timeout— The number of engines that confirmed the timeout of the indicator.VirusTotal.File.attributes.last_analysis_stats.timeout— The number of engines that timed out for the indicator.VirusTotal.File.attributes.last_analysis_stats.failure— The number of failed analysis engines.VirusTotal.File.attributes.last_analysis_stats.malicious— The number of engines that found the indicator to be malicious.VirusTotal.File.attributes.last_analysis_stats.undetected— The number of engines that could not detect the indicator.VirusTotal.File.type— type of the indicator (file).VirusTotal.File.id— type ID of the indicator.VirusTotal.File.links.self— Link to the response.
Commands used
cylance-protect-get-threat
file