File Enrichment - Generic v2

Enrich a file using one or more integrations. - Provide threat information - Determine file reputation using the !file command

Common Playbooks · 12 tasks · 4 inputs · 95 outputs

Inputs

  • MD5 — File MD5 hash to enrich.
  • SHA256 — The file SHA256 hash to enrich.
  • SHA1 — The file SHA1 hash to enrich.
  • UseReputationCommand — Define if you would like to use the !file command. Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. Possible values: True / False.

Outputs

  • DBotScore.Indicator — The indicator that was tested.
  • DBotScore.Type — The indicator type.
  • File.SHA1 — SHA1 hash of the file.
  • File.SHA256 — SHA256 hash of the file.
  • File.Malicious.Vendor — For malicious files, the vendor that made the decision.
  • File.MD5 — MD5 hash of the file.
  • DBotScore — The DBotScore object.
  • File — The file object
  • DBotScore.Vendor — Vendor used to calculate the score.
  • DBotScore.Score — The actual score.
  • File.Malicious.Description — The reason the vendor decided the file was malicious.
  • File.Name — The name of the threat.
  • File.MalwareFamily — The file family classification.
  • File.AutoRun — Indicates if the file is set to automatically run on system startup.
  • File.AvIndustry — The score provided by the Anti-Virus industry.
  • File.CertIssuer — The ID for the certificate issuer.
  • File.CertPublisher — The ID for the certificate publisher.
  • File.CertTimestamp — The date and time (in UTC) when the file was signed using the certificate.
  • File.Classification — The threat classification for the threat.
  • File.CylanceScore — The Cylance Score assigned to the threat.
  • File.DetectedBy — The name of the Cylance module that detected the threat.
  • File.FileSize — The size of the file.
  • File.GlobalQuarantine — Identifies if the threat is on the Global Quarantine list.
  • File.Running — Identifies if the threat is executing, or another executable loaded or called it.
  • File.Safelisted — Identifies if the threat is on the Safe List.
  • File.Signed — Identifies the file as signed or not signed.
  • File.SubClassification — The threat sub-classification for the threat.
  • File.UniqueToCylance — Whether the threat was identified by Cylance, and not by other anti-virus sources.
  • File.Relationships.EntityA — The source of the relationship.
  • File.Relationships.EntityB — The destination of the relationship.
  • File.Relationships.Relationship — The name of the relationship.
  • File.Relationships.EntityAtype — The type of the source of the relationship.
  • File.Relationships.EntityBtype — The type of the destination of the relationship.
  • File.Malicious.TotalEngines — For malicious files, the total number of engines that checked the file hash.
  • DBotScore.Reliability — Reliability of the source providing the intelligence data.
  • VirusTotal.File.attributes.type_description — description of the type of the file.
  • VirusTotal.File.attributes.tlsh — The locality-sensitive hashing.
  • VirusTotal.File.attributes.names — Names of the file.
  • VirusTotal.File.attributes.last_modification_date — The last modification date in epoch format.
  • VirusTotal.File.attributes.type_tag — Tag of the type.
  • VirusTotal.File.attributes.size — Size of the file.
  • VirusTotal.File.attributes.times_submitted — Number of times the file was submitted.
  • VirusTotal.File.attributes.last_submission_date — Last submission date in epoch format.
  • VirusTotal.File.attributes.downloadable — Whether the file is downloadable.
  • VirusTotal.File.attributes.sha256 — SHA-256 hash of the file.
  • VirusTotal.File.attributes.type_extension — Extension of the type.
  • VirusTotal.File.attributes.tags — File tags.
  • VirusTotal.File.attributes.last_analysis_date — Last analysis date in epoch format.
  • VirusTotal.File.attributes.unique_sources — Unique sources.
  • VirusTotal.File.attributes.first_submission_date — First submission date in epoch format.
  • VirusTotal.File.attributes.ssdeep — SSDeep hash of the file.
  • VirusTotal.File.attributes.md5 — MD5 hash of the file.
  • VirusTotal.File.attributes.sha1 — SHA-1 hash of the file.
  • VirusTotal.File.attributes.magic — Identification of file by the magic number.
  • VirusTotal.File.attributes.meaningful_name — Meaningful name of the file.
  • VirusTotal.File.attributes.reputation — The reputation of the file.
  • VirusTotal.File.attributes.exiftool.MIMEtype — MIME type of the file.
  • VirusTotal.File.attributes.exiftool.Filetype — The file type.
  • VirusTotal.File.attributes.exiftool.WordCount — Total number of words in the file.
  • VirusTotal.File.attributes.exiftool.LineCount — Total number of lines in file.
  • VirusTotal.File.attributes.exiftool.MIMEEncoding — The MIME encoding.
  • VirusTotal.File.attributes.exiftool.FiletypeExtension — The file type extension.
  • VirusTotal.File.attributes.exiftool.Newlines — Number of newlines signs.
  • VirusTotal.File.attributes.javascript_info.tags — Tags of the JavaScript.
  • VirusTotal.File.attributes.crowdsourced_ids_stats.info — Number of IDS that marked the file as "info".
  • VirusTotal.File.attributes.crowdsourced_ids_stats.high — Number of IDS that marked the file as "high".
  • VirusTotal.File.attributes.crowdsourced_ids_stats.medium — Number of IDS that marked the file as "medium".
  • VirusTotal.File.attributes.crowdsourced_ids_stats.low — Number of IDS that marked the file as "low".
  • VirusTotal.File.attributes.sigma_analysis_stats.critical — Number of Sigma analysis that marked the file as "critical".
  • VirusTotal.File.attributes.sigma_analysis_stats.high — Number of Sigma analysis that marked the file as "high".
  • VirusTotal.File.attributes.sigma_analysis_stats.medium — Number of Sigma analysis that marked the file as "medium".
  • VirusTotal.File.attributes.sigma_analysis_stats.low — Number of Sigma analysis that marked the file as "low".
  • VirusTotal.File.attributes.trid.file_type — The TrID file type.
  • VirusTotal.File.attributes.trid.probability — The TrID probability.
  • VirusTotal.File.attributes.crowdsourced_yara_results.description — description of the YARA rule.
  • VirusTotal.File.attributes.crowdsourced_yara_results.source — Source of the YARA rule.
  • VirusTotal.File.attributes.crowdsourced_yara_results.author — Author of the YARA rule.
  • VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_name — Rule set name of the YARA rule.
  • VirusTotal.File.attributes.crowdsourced_yara_results.rule_name — Name of the YARA rule.
  • VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_id — ID of the YARA rule.
  • VirusTotal.File.attributes.total_votes.harmless — Total number of harmless votes.
  • VirusTotal.File.attributes.total_votes.malicious — Total number of malicious votes.
  • VirusTotal.File.attributes.popular_threat_classification.suggested_threat_label — Suggested thread label.
  • VirusTotal.File.attributes.popular_threat_classification.popular_threat_name — The popular thread name.
  • VirusTotal.File.attributes.last_analysis_stats.harmless — The number of engines that found the indicator to be harmless.
  • VirusTotal.File.attributes.last_analysis_stats.type-unsupported — The number of engines that found the indicator to be of type unsupported.
  • VirusTotal.File.attributes.last_analysis_stats.suspicious — The number of engines that found the indicator to be suspicious.
  • VirusTotal.File.attributes.last_analysis_stats.confirmed-timeout — The number of engines that confirmed the timeout of the indicator.
  • VirusTotal.File.attributes.last_analysis_stats.timeout — The number of engines that timed out for the indicator.
  • VirusTotal.File.attributes.last_analysis_stats.failure — The number of failed analysis engines.
  • VirusTotal.File.attributes.last_analysis_stats.malicious — The number of engines that found the indicator to be malicious.
  • VirusTotal.File.attributes.last_analysis_stats.undetected — The number of engines that could not detect the indicator.
  • VirusTotal.File.type — type of the indicator (file).
  • VirusTotal.File.id — type ID of the indicator.
  • VirusTotal.File.links.self — Link to the response.

Commands used

cylance-protect-get-threat file

Flowchart

true true true true true yes Start Start Done Done Is there a SHA256 hash? Is there a SHA256 hash? Is Cylance Protect v2 enabled? Is Cylance Protect v2 ena... Get threat information from Cylance Protect v2 - cylance-protect-get-threat Get threat information fr... cylance-protect-get-threat File Enrichment - Virus Total (API v3) - File Enrichment - Virus Total (API v3) File Enrichment - Virus T... File Enrichment - Virus Total... Is there a file hash? Is there a file hash? Check Reputation Using All Available Integrations Check Reputation Using Al... Should use !file command? Should use !file command? Check Reputation - file Check Reputation file Virus Total enrichment Virus Total enrichment Cylance Protect enrichment Cylance Protect enrichment