Check Point Threat Emulation (SandBlast)

This Integration is part of the Check Point Threat Emulation (SandBlast) Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Check Point Threat Emulation (SandBlast)

Threat Emulation performs remote analysis by uploading files to a virtual sandbox. Uploaded files are monitored in multiple OS and Microsoft Office application versions. Malicious files are saved in the ThreatCloud. Safe files are available for download after inspection.

Upload files using polling. The service supports Microsoft Office files, as well as PDF, SWF, archives and executables. Active content is cleaned from any documents that you upload (Microsoft Office and PDF files only). Query existing IOCs, file status, analysis, and reports. Download files from the database. Supports both appliance and cloud. Supported Threat Emulation versions are any R80x. This integration was integrated and tested with version v1 of CheckPointSandBlast.

Configure Check Point Threat Emulation (SandBlast) on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Check Point Threat Emulation (SandBlast).

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL | https://te.checkpoint.com | True |
    | Authorization - API Key | | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
    | Source Reliability | Reliability of the source providing the intelligence data. | True |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

file

Runs reputation on files.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | Hash of the file to query. Supports MD5, SHA1, and SHA256. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
| File.Malicious.Description | String | A description explaining why the file was determined to be malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Score | Number | The actual score. |

Command example

!file file=e129988964fa250bc8186bfe6f399f12

Context Example

{
    "DBotScore": [
        {
            "Indicator": "e129988964fa250bc8186bfe6f399f12",
            "Reliability": "C - Fairly reliable",
            "Score": 0,
            "Type": "file",
            "Vendor": "VirusTotal"
        },
        {
            "Indicator": "e129988964fa250bc8186bfe6f399f12",
            "Reliability": "C - Fairly reliable",
            "Score": 1,
            "Type": "file",
            "Vendor": "CheckPointSandBlast"
        }
    ],
    "File": {
        "MD5": "e129988964fa250bc8186bfe6f399f12",
        "Malicious": {
            "Description": {
                "confidence": 0,
                "malware_family": 0,
                "malware_type": 0,
                "severity": 0,
                "signature_name": ""
            },
            "Vendor": "CheckPointSandBlast"
        },
        "SHA1": "a5e7aa50b66fdad3ae3b5e9ca66283a263bf7027",
        "SHA256": "7e1eeaa9ac04812ce89eabb824d65073a3a37a1600ad1e1b7748ae12e04bb168"
    }
}

Human Readable Output

Results of file hash: "e129988964fa250bc8186bfe6f399f12"

| MD5 | SHA1 | SHA256 | Malicious |
| --- | --- | --- | --- |
| e129988964fa250bc8186bfe6f399f12 | a5e7aa50b66fdad3ae3b5e9ca66283a263bf7027 | 7e1eeaa9ac04812ce89eabb824d65073a3a37a1600ad1e1b7748ae12e04bb168 | Vendor: CheckPointSandBlast; Description: {"signature_name": "", "malware_family": 0, "malware_type": 0, "severity": 0, "confidence": 0} |

sandblast-query

Use the Query API to have a client application look for either the analysis report of a specific file on the Check Point Threat Prevention service databases or the status of a file uploaded for analysis. It is recommended to add file_name.

Base Command

sandblast-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file_name | Name of the file to query. Recommended to use; without it, the status will be "PARTIALLY_FOUND". | Optional |
| file_hash | File hash to query. Accepted digests are: md5, sha1 and sha256. Only md5 returns 'FOUND' status. | Required |
| features | Features to use on the file. Possible values are: Threat Emulation, Anti-Virus, Threat Extraction, All. Default is All. | Optional |
| reports | Comma-separated list of supported report formats. Note: requesting PDF and summary reports simultaneously is not supported. Possible values are: pdf, xml, tar, summary. Default is xml, summary. | Optional |
| method | Threat extraction request method. Possible values are: clean, pdf. Default is pdf. | Optional |
| extracted_parts | Comma-separated list of fields to be cleaned in the file. Only relevant if method = clean. Possible values are: Linked Objects, Macros and Code, Sensitive Hyperlinks, PDF GoToR Actions, PDF Launch Actions, PDF URI Actions, PDF Sound Actions, PDF Movie Actions, PDF JavaScript Actions, PDF Submit Form Actions, Database Queries, Embedded Objects, Fast Save Data, Custom Properties, Statistic Properties, Summary Properties. Default is Linked Objects, Macros and Code, Sensitive Hyperlinks, PDF GoToR Actions, PDF Launch Actions, PDF URI Actions, PDF Sound Actions, PDF Movie Actions, PDF JavaScript Actions, PDF Submit Form Actions, Database Queries, Embedded Objects, Fast Save Data. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SandBlast.Query.Status | String | Status of requested features. |
| SandBlast.Query.MD5 | String | The file's MD5. |
| SandBlast.Query.SHA1 | String | The file's SHA1. |
| SandBlast.Query.SHA256 | String | The file's SHA256. |
| SandBlast.Query.FileType | String | File type can be different from the one sent in the query request (according to the type to identify). |
| SandBlast.Query.FileName | String | Name of the file saved on Check Point databases. |
| SandBlast.Query.Features | String | Features used. |
| SandBlast.Query.AntiVirus.SignatureName | String | If the file is not detected by Anti-Virus, the signature name is empty. |
| SandBlast.Query.AntiVirus.MalwareFamily | Number | ID for malware family, if available: {0-}. |
| SandBlast.Query.AntiVirus.MalwareType | Number | ID for malware type, if available: {0-}. |
| SandBlast.Query.AntiVirus.Severity | Number | 0 for benign files. Minimum: 0 Maximum: 4 |
| SandBlast.Query.AntiVirus.Confidence | Number | 0 for benign files. Minimum: 0 Maximum 5 |
| SandBlast.Query.AntiVirus.Status | String | Status of Anti-Virus on the requested file. |
| SandBlast.Query.ThreatExtraction.Method | String | Method that was used. |
| SandBlast.Query.ThreatExtraction.ExtractResult | String | CP_EXTRACT_RESULT_UNKNOWN (Default - returned if the POD did not receive an answer from the Threat Extraction engine in 60 seconds). CP_EXTRACT_RESULT_SUCCESS, CP_EXTRACT_RESULT_FAILURE, CP_EXTRACT_RESULT_TIMEOUT, CP_EXTRACT_RESULT_UNSUPPORTED_FILE, CP_EXTRACT_RESULT_NOT_SCRUBBED, CP_EXTRACT_RESULT_INTERNAL_ERROR, CP_EXTRACT_RESULT_DISK_LIMIT_REACHED, CP_EXTRACT_RESULT_ENCRYPTED_FILE, CP_EXTRACT_RESULT_DOCSEC_FILE, CP_EXTRACT_RESULT_OUT_OF_MEMORY |
| SandBlast.Query.ThreatExtraction.ExtractedFileDownloadId | String | The download id of the extracted file, for download request. Only sent when extract_result = CP_EXTRACT_RESULT_SUCCESS |
| SandBlast.Query.ThreatExtraction.OutputFileName | String | Clean file name. |
| SandBlast.Query.ThreatExtraction.Time | String | Time for threat extraction completion. |
| SandBlast.Query.ThreatExtraction.ExtractContent | String | Content of extracted file. |
| SandBlast.Query.ThreatExtraction.TexProduct | Boolean | True if the queried file is already a Sandblast-safe copy. |
| SandBlast.Query.ThreatExtraction.Status | String | Status of Threat Extraction on the requested file. |
| SandBlast.Upload.ThreatExtraction.ExtractionData.InputExtension | String | Uploaded filename-extension as sent by the client. |
| SandBlast.Query.ThreatExtraction.ExtractionData.InputRealExtension | String | Extension as resolved by Threat Extraction. |
| SandBlast.Query.ThreatExtraction.ExtractionData.Message | String | Status message for scrub_result |
| SandBlast.Query.ThreatExtraction.ExtractionData.ProtectionName | String | Potential malicious content extracted. |
| SandBlast.Query.ThreatExtraction.ExtractionData.ProtectionType | String | Protection done for scrub_method: Conversion to PDF |
| SandBlast.Query.ThreatExtraction.ExtractionData.ProtocolVersion | String | Protocol used. |
| SandBlast.Query.ThreatExtraction.ExtractionData.RealExtension | String | Real extension as resolved by Threat Extraction |
| SandBlast.Query.ThreatExtraction.ExtractionData.Risk | Number | Represents the risk of the part that was extracted from the document. |
| SandBlast.Query.ThreatExtraction.ExtractionData.ScrubActivity | String | Readable result from Threat Extraction. |
| SandBlast.Query.ThreatExtraction.ExtractionData.ScrubMethod | String | Convert to PDF |
| SandBlast.Query.ThreatExtraction.ExtractionData.ScrubResult | Number | Code result from Threat Extraction. |
| SandBlast.Query.ThreatExtraction.ExtractionData.ScrubTime | String | Threat Extraction process time. |
| SandBlast.Query.ThreatExtraction.ExtractionData.ScrubbedContent | String | Content that was removed |
| SandBlast.Query.ThreatEmulation.Trust | Number | Rating of the threat data and its relevance to this instance. It is recommended to block threats with confidence medium and above. |
| SandBlast.Query.ThreatEmulation.Score | Number | Threat Emulation score. |
| SandBlast.Query.ThreatEmulation.CombinedVerdict | String | Combined verdict of all the images. Benign reports are not supported for local gateways. |
| SandBlast.Query.ThreatEmulation.Severity | Number | Combined severity of threats found. In case threats are not found, this field is not given. 1 - low, 2 - medium, 3 - high, 4 - critical. |
| SandBlast.Query.ThreatEmulation.Confidence | Number | Rating of the threat data and its relevance to this instance. It is recommended to block threats with confidence 2 and above. 1 - low, 2 - medium, 3 - high. |
| SandBlast.Query.ThreatEmulation.Images | String | Sand boxes used in Threat Emulation. Information about image types can be found in https://sc1.checkpoint.com/documents/TPAPI/CP_1.0_ThreatPreventionAPI_APIRefGuide/html_frameset.htm under "Query API" -> "Query Response Format" -> "Images Object Format". |
| SandBlast.Query.ThreatEmulation.Status | String | Status of Threat Emulation on the requested file. |

Command example

!sandblast-query file_hash=e129988964fa250bc8186bfe6f399f12 file_name=HelloWorld.pdf

Context Example

{
    "SandBlast": {
        "Query": {
            "AntiVirus": {
                "Confidence": 0,
                "MalwareFamily": 0,
                "MalwareType": 0,
                "Severity": 0,
                "SignatureName": "",
                "Status": {
                    "code": 1001,
                    "label": "FOUND",
                    "message": "The request has been fully answered."
                }
            },
            "Features": [
                "te",
                "av",
                "extraction"
            ],
            "FileName": "HelloWorld.pdf",
            "FileType": "pdf",
            "MD5": "e129988964fa250bc8186bfe6f399f12",
            "SHA1": "a5e7aa50b66fdad3ae3b5e9ca66283a263bf7027",
            "SHA256": "7e1eeaa9ac04812ce89eabb824d65073a3a37a1600ad1e1b7748ae12e04bb168",
            "Status": {
                "code": 1001,
                "label": "FOUND",
                "message": "The request has been fully answered."
            },
            "ThreatEmulation": {
                "CombinedVerdict": "benign",
                "Images": [
                    {
                        "id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
                        "report": {
                            "verdict": "benign"
                        },
                        "revision": 1,
                        "status": "found"
                    },
                    {
                        "id": "3ff3ddae-e7fd-4969-818c-d5f1a2be336d",
                        "report": {
                            "verdict": "benign"
                        },
                        "revision": 1,
                        "status": "found"
                    }
                ],
                "Score": -2147483648,
                "Status": {
                    "code": 1001,
                    "label": "FOUND",
                    "message": "The request has been fully answered."
                },
                "Trust": 0
            },
            "ThreatExtraction": {
                "ExtractContent": "",
                "ExtractResult": "CP_EXTRACT_RESULT_SUCCESS",
                "ExtractedFileDownloadId": "11aa4b44-6699-43fe-b73a-d42435551b06",
                "ExtractionData": {
                    "InputExtension": "pdf",
                    "InputRealExtension": "pdf",
                    "Message": "OK",
                    "ProtectionName": "Extract potentially malicious content",
                    "ProtectionType": "Conversion to PDF",
                    "ProtocolVersion": "",
                    "RealExtension": "pdf",
                    "Risk": 0,
                    "ScrubActivity": "PDF file was converted to PDF",
                    "ScrubMethod": "Convert to PDF",
                    "ScrubResult": 0,
                    "ScrubTime": "0.114",
                    "ScrubbedContent": ""
                },
                "Method": "pdf",
                "OutputFileName": "HelloWorld.cleaned.pdf",
                "Status": {
                    "code": 1001,
                    "label": "FOUND",
                    "message": "The request has been fully answered."
                },
                "TexProduct": false,
                "Time": "0.114"
            }
        }
    }
}

Human Readable Output

Query Results

File Info

| Filename | Filetype | Label | Message | Md5 | Sha1 | Sha256 |
| --- | --- | --- | --- | --- | --- | --- |
| HelloWorld.pdf | pdf | FOUND | The request has been fully answered. | e129988964fa250bc8186bfe6f399f12 | a5e7aa50b66fdad3ae3b5e9ca66283a263bf7027 | 7e1eeaa9ac04812ce89eabb824d65073a3a37a1600ad1e1b7748ae12e04bb168 |

Threat Emulation

| Combinedverdict |
| --- |
| benign |

Anti-Virus

| Malwarefamily | Malwaretype | Confidence | Severity |
| --- | --- | --- | --- |
| 0 | 0 | 0 | 0 |

Threat Extraction

| Extractresult | Extractedfiledownloadid | Risk |
| --- | --- | --- |
| CP_EXTRACT_RESULT_SUCCESS | 11aa4b44-6699-43fe-b73a-d42435551b06 | 0 |
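
Added example (not part of the integration's code): one way a playbook script could turn the sandblast-query context output into a decision, trusting a feature's fields only when that feature's own Status label is FOUND and applying this page's recommendation to block Threat Emulation confidence 2 and above. The function names, the decision labels and the malicious, low-confidence and pending sample entries are assumptions constructed for illustration.

```python
"""Triage one SandBlast.Query or SandBlast.Upload context entry (added example)."""

BLOCK_CONFIDENCE = 2  # this page: block Threat Emulation confidence 2 and above
# Feature codes as they appear in the "Features" list of the context examples.
VERDICT_FEATURES = {"te": "ThreatEmulation", "av": "AntiVirus"}


def is_found(feature):
    """A feature's fields are final only when its own Status label is FOUND."""
    return ((feature or {}).get("Status") or {}).get("label") == "FOUND"


def triage(entry):
    """Return a decision (block, review, wait, allow: hypothetical labels) and reasons."""
    reasons = []
    requested = entry.get("Features") or list(VERDICT_FEATURES)
    waiting = [key for code, key in VERDICT_FEATURES.items()
               if code in requested and not is_found(entry.get(key))]
    decision = "allow"

    av = entry.get("AntiVirus") or {}
    if is_found(av) and (av.get("SignatureName") or (av.get("Severity") or 0) > 0):
        decision = "block"
        reasons.append(f"Anti-Virus hit: {av.get('SignatureName')!r}, "
                       f"severity {av.get('Severity')}")

    te = entry.get("ThreatEmulation") or {}
    verdict = str(te.get("CombinedVerdict", "")).lower()
    if is_found(te) and verdict != "benign":
        confidence = te.get("Confidence") or 0
        if confidence >= BLOCK_CONFIDENCE:
            decision = "block"
        elif decision != "block":
            decision = "review"  # below the block threshold: an analyst decides
        reasons.append(f"Threat Emulation verdict {verdict!r}, confidence {confidence}")

    if decision == "allow" and waiting:
        decision = "wait"  # never report clean while a verdict feature is pending
        reasons.append("no final answer yet from: " + ", ".join(waiting))
    return {"decision": decision, "reasons": reasons}


FOUND = {"code": 1001, "label": "FOUND"}
PENDING_STATUS = {"code": 1003, "label": "PENDING"}
CLEAN_AV = {"Confidence": 0, "Severity": 0, "SignatureName": "", "Status": FOUND}

# Trimmed from the sandblast-query context example on this page. Its Score is
# -2147483648, so the triage keys on CombinedVerdict and Confidence, not Score.
BENIGN = {"Features": ["te", "av", "extraction"], "AntiVirus": CLEAN_AV,
          "ThreatEmulation": {"CombinedVerdict": "benign", "Score": -2147483648,
                              "Trust": 0, "Status": FOUND}}
# Constructed entries (not real results) for the other branches.
MALICIOUS = {"Features": ["te", "av"], "AntiVirus": CLEAN_AV,
             "ThreatEmulation": {"CombinedVerdict": "malicious", "Severity": 4,
                                 "Confidence": 3, "Status": FOUND}}
LOW_CONFIDENCE = {"Features": ["te", "av"], "AntiVirus": CLEAN_AV,
                  "ThreatEmulation": {"CombinedVerdict": "malicious", "Severity": 1,
                                      "Confidence": 1, "Status": FOUND}}
STILL_RUNNING = {"Features": ["te", "av"], "AntiVirus": CLEAN_AV,
                 "ThreatEmulation": {"Status": PENDING_STATUS}}

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("malicious", MALICIOUS),
                         ("low confidence", LOW_CONFIDENCE), ("pending", STILL_RUNNING)]:
        print(name, triage(sample))
```
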

sandblast-upload


Use the Upload API to have a client application request that Check Point Threat Prevention modules scan and analyze a file. When you upload a file to the service, the file is encrypted. It is un-encrypted during analysis, and then deleted. This command uses polling with query. The stages of polling are 'UPLOAD_SUCCESS', 'PENDING' and ends with 'FOUND' or 'PARTIALLY_FOUND'. Once the command is done polling it will return analyzed information about the file.

Base Command

sandblast-upload

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| interval_in_seconds | Interval in seconds between each poll. Default is 60. | Optional |
| timeout_in_seconds | Time out in seconds till polling ends. Default is 600. | Optional |
| file_id | ID of the file to upload, which will be taken from the uploaded file to XSOAR. | Required |
| file_name | Rename the file to upload, if empty the uploaded file will keep its original name. | Optional |
| features | Features to use on the file. Possible values are: Threat Emulation, Anti-Virus, Threat Extraction, All. Default is All. | Optional |
| image_ids | ID of available OS images. An image is an operating system configuration. Inputs must be of same length as image_revisions and will be paired according to position. Information about image types can be found in https://sc1.checkpoint.com/documents/TPAPI/CP_1.0_ThreatPreventionAPI_APIRefGuide/html_frameset.htm under "Query API" -> "Query Response Format" -> "Images Object Format". Possible values are: e50e99f3-5963-4573-af9e-e3f4750b55e2, 7e6fe36e-889e-4c25-8704-56378f0830df, 8d188031-1010-4466-828b-0cd13d4303ff, 5e5de275-a103-4f67-b55b-47532918fa59, 3ff3ddae-e7fd-4969-818c-d5f1a2be336d, 6c453c9b-20f7-471a-956c-3198a868dc92, 10b4a9c6-e414-425c-ae8b-fe4dd7b25244. | Optional |
| image_revisions | Revisions of available OS images. An image is an operating system configuration. Inputs must be of same length as image_ids and will be paired according to position. | Optional |
| reports | Comma separated list of supported report formats. Note - Requesting for PDF and summary reports simultaneously is not supported. Possible values are: pdf, xml, tar, summary. Default is xml, summary. | Optional |
| method | Threat extraction request method. Possible values are: clean, pdf. Default is pdf. | Optional |
| extracted_parts | Comma separated list of fields to be cleaned in the file. Only relevant if method = clean. Possible values are: Linked Objects, Macros and Code, Sensitive Hyperlinks, PDF GoToR Actions, PDF Launch Actions, PDF URI Actions, PDF Sound Actions, PDF Movie Actions, PDF JavaScript Actions, PDF Submit Form Actions, Database Queries, Embedded Objects, Fast Save Data, Custom Properties, Statistic Properties, Summary Properties. Default is Linked Objects, Macros and Code, Sensitive Hyperlinks, PDF GoToR Actions, PDF Launch Actions, PDF URI Actions, PDF Sound Actions, PDF Movie Actions, PDF JavaScript Actions, PDF Submit Form Actions, Database Queries, Embedded Objects, Fast Save Data. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SandBlast.Upload.Status | String | Status of requested features. |
| SandBlast.Upload.MD5 | String | The file's MD5. |
| SandBlast.Upload.SHA1 | String | The file's SHA1. |
| SandBlast.Upload.SHA256 | String | The file's SHA256. |
| SandBlast.Upload.FileType | String | File type can be different from the one sent in the upload request (according to the type to identify). |
| SandBlast.Upload.FileName | String | Name of the file saved on Check Point databases. |
| SandBlast.Upload.Features | String | Features used. |
| SandBlast.Upload.AntiVirus.SignatureName | String | If the file is not detected by Anti-Virus, the signature name is empty. |
| SandBlast.Upload.AntiVirus.MalwareFamily | Number | ID for malware family, if available: {0-}. |
| SandBlast.Upload.AntiVirus.MalwareType | Number | ID for malware type, if available: {0-}. |
| SandBlast.Upload.AntiVirus.Severity | Number | 0 for benign files. Minimum: 0 Maximum: 4 |
| SandBlast.Upload.AntiVirus.Confidence | Number | 0 for benign files. Minimum: 0 Maximum 5 |
| SandBlast.Upload.AntiVirus.Status | String | Status of Anti-Virus on the requested file. |
| SandBlast.Upload.ThreatExtraction.Method | String | Method that was used. |
| SandBlast.Upload.ThreatExtraction.ExtractResult | String | CP_EXTRACT_RESULT_UNKNOWN (Default - returned if the POD did not receive an answer from the Threat Extraction engine in 60 seconds). CP_EXTRACT_RESULT_SUCCESS, CP_EXTRACT_RESULT_FAILURE, CP_EXTRACT_RESULT_TIMEOUT, CP_EXTRACT_RESULT_UNSUPPORTED_FILE, CP_EXTRACT_RESULT_NOT_SCRUBBED, CP_EXTRACT_RESULT_INTERNAL_ERROR, CP_EXTRACT_RESULT_DISK_LIMIT_REACHED, CP_EXTRACT_RESULT_ENCRYPTED_FILE, CP_EXTRACT_RESULT_DOCSEC_FILE, CP_EXTRACT_RESULT_OUT_OF_MEMORY |
| SandBlast.Upload.ThreatExtraction.ExtractedFileDownloadId | String | The download id of the extracted file, for download request. Only sent when extract_result = CP_EXTRACT_RESULT_SUCCESS |
| SandBlast.Upload.ThreatExtraction.OutputFileName | String | Clean file name. |
| SandBlast.Upload.ThreatExtraction.Time | String | Time for threat extraction completion. |
| SandBlast.Upload.ThreatExtraction.ExtractContent | String | Content of extracted file. |
| SandBlast.Upload.ThreatExtraction.TexProduct | Boolean | True if the queried file is already a Sandblast-safe copy. |
| SandBlast.Upload.ThreatExtraction.Status | String | Status of Threat Extraction on the requested file. |
| SandBlast.Upload.ThreatExtraction.ExtractionData.InputExtension | String | Uploaded filename-extension as sent by the client. |
| SandBlast.Upload.ThreatExtraction.ExtractionData.InputRealExtension | String | Extension as resolved by Threat Extraction. |
| SandBlast.Upload.ThreatExtraction.ExtractionData.Message | String | Status message for scrub_result |
| SandBlast.Upload.ThreatExtraction.ExtractionData.ProtectionName | String | Potential malicious content extracted. |
| SandBlast.Upload.ThreatExtraction.ExtractionData.ProtectionType | String | Protection done for scrub_method: Conversion to PDF |
| SandBlast.Upload.ThreatExtraction.ExtractionData.ProtocolVersion | String | Protocol used. |
| SandBlast.Upload.ThreatExtraction.ExtractionData.RealExtension | String | Real extension as resolved by Threat Extraction |
| SandBlast.Upload.ThreatExtraction.ExtractionData.Risk | Number | Represents the risk of the part that was extracted from the document. |
| SandBlast.Upload.ThreatExtraction.ExtractionData.ScrubActivity | String | Readable result from Threat Extraction. |
| SandBlast.Upload.ThreatExtraction.ExtractionData.ScrubMethod | String | Convert to PDF |
| SandBlast.Upload.ThreatExtraction.ExtractionData.ScrubResult | Number | Code result from Threat Extraction. |
| SandBlast.Upload.ThreatExtraction.ExtractionData.ScrubTime | String | Threat Extraction process time. |
| SandBlast.Upload.ThreatExtraction.ExtractionData.ScrubbedContent | String | Content that was removed |
| SandBlast.Upload.ThreatEmulation.Trust | Number | Rating of the threat data and its relevance to this instance. It is recommended to block threats with confidence medium and above. |
| SandBlast.Upload.ThreatEmulation.Score | Number | Threat Emulation score. |
| SandBlast.Upload.ThreatEmulation.CombinedVerdict | String | Combined verdict of all the images. Benign reports are not supported for local gateways. |
| SandBlast.Upload.ThreatEmulation.Severity | Number | Combined severity of threats found. In case threats are not found, this field is not given. |
| SandBlast.Upload.ThreatEmulation.Images | String | Sand boxes used in Threat Emulation. Information about image types can be found in https://sc1.checkpoint.com/documents/TPAPI/CP_1.0_ThreatPreventionAPI_APIRefGuide/html_frameset.htm under "Query API" -> "Query Response Format" -> "Images Object Format". |
| SandBlast.Upload.ThreatEmulation.Status | String | Status of Threat Emulation on the requested file. |

Command example

!sandblast-upload file_id=252@117def34-6ca2-4db3-86eb-c9378ad46e65

Context Example

{
    "SandBlast": {
        "Upload": {
            "AntiVirus": {
                "Confidence": 0,
                "MalwareFamily": 0,
                "MalwareType": 0,
                "Severity": 0,
                "SignatureName": "",
                "Status": {
                    "code": 1001,
                    "label": "FOUND",
                    "message": "The request has been fully answered."
                }
            },
            "Features": [
                "te",
                "av",
                "extraction"
            ],
            "FileName": "HelloWorld.pdf",
            "FileType": ".pdf",
            "MD5": "e129988964fa250bc8186bfe6f399f12",
            "SHA1": "a5e7aa50b66fdad3ae3b5e9ca66283a263bf7027",
            "SHA256": "7e1eeaa9ac04812ce89eabb824d65073a3a37a1600ad1e1b7748ae12e04bb168",
            "Status": {
                "code": 1003,
                "label": "PENDING",
                "message": "The request is pending."
            },
            "ThreatEmulation": {
                "CombinedVerdict": "benign",
                "Images": [
                    {
                        "id": "3ff3ddae-e7fd-4969-818c-d5f1a2be336d",
                        "report": {
                            "verdict": "benign"
                        },
                        "revision": 1,
                        "status": "found"
                    },
                    {
                        "id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
                        "report": {
                            "verdict": "benign"
                        },
                        "revision": 1,
                        "status": "found"
                    }
                ],
                "Score": -2147483648,
                "Status": {
                    "code": 1001,
                    "label": "FOUND",
                    "message": "The request has been fully answered."
                },
                "Trust": 0
            },
            "ThreatExtraction": {
                "Method": "pdf",
                "Status": {
                    "code": 1003,
                    "label": "PENDING",
                    "message": "The request is pending."
                },
                "TexProduct": false
            }
        }
    }
}

Human Readable Output

Upload Results

File Info

| Filename | Filetype | Label | Message | Md5 | Sha1 | Sha256 |
| --- | --- | --- | --- | --- | --- | --- |
| HelloWorld.pdf | .pdf | UPLOAD_SUCCESS | The file was uploaded successfully. | e129988964fa250bc8186bfe6f399f12 | a5e7aa50b66fdad3ae3b5e9ca66283a263bf7027 | 7e1eeaa9ac04812ce89eabb824d65073a3a37a1600ad1e1b7748ae12e04bb168 |
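
Added example (not the integration's own implementation): a polling loop over the overall Status label that follows the stages the sandblast-upload description names, stops on FOUND or PARTIALLY_FOUND, enforces the timeout, and refuses to treat any other label as a result. The `query` callable, `PollTimeout`, and the `simulate` helper with its label sequences are assumptions constructed so the loop runs offline.

```python
"""Polling loop over the overall Status label (added example)."""
import time

IN_PROGRESS = {"UPLOAD_SUCCESS", "PENDING"}  # polling stages named on this page
FINISHED = {"FOUND", "PARTIALLY_FOUND"}      # terminal stages named on this page


class PollTimeout(Exception):
    """Raised when no terminal status arrives within the timeout."""


def poll_until_done(query, interval=60, timeout=600,
                    sleep=time.sleep, clock=time.monotonic):
    """Call query() until Status.label is terminal; return (entry, labels_seen).

    query is a hypothetical callable returning a dict shaped like the
    SandBlast.Upload context entry. The defaults mirror interval_in_seconds
    and timeout_in_seconds.
    """
    deadline = clock() + timeout
    seen = []
    while True:
        entry = query()
        label = (entry.get("Status") or {}).get("label")
        seen.append(label)
        if label in FINISHED:
            return entry, seen
        if label not in IN_PROGRESS:
            # Unknown or error label: stop instead of treating the file as clean.
            raise ValueError(f"unexpected status label: {label!r}")
        if clock() + interval > deadline:
            raise PollTimeout(f"no final status after {timeout}s (last: {label})")
        sleep(interval)


def simulate(labels, interval=60, timeout=600):
    """Run the loop offline against a constructed sequence of status labels."""
    now = [0.0]
    remaining = list(labels)

    def fake_query():
        # Repeat the last label once the constructed sequence is exhausted.
        label = remaining.pop(0) if len(remaining) > 1 else remaining[0]
        return {"Status": {"label": label}}

    def fake_sleep(seconds):
        now[0] += seconds

    entry, seen = poll_until_done(fake_query, interval, timeout,
                                  sleep=fake_sleep, clock=lambda: now[0])
    return entry["Status"]["label"], seen, now[0]


if __name__ == "__main__":
    print(simulate(["UPLOAD_SUCCESS", "PENDING", "PENDING", "FOUND"]))
```

A terminal overall status still leaves each feature with its own Status object, as the context example above shows (overall PENDING while Threat Emulation is already FOUND), so read verdict fields per feature.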

sandblast-download

Use the Download API to download a scanned file from the ThreatCloud according to the file ID.

Base Command

sandblast-download

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file_id | ID of the file to download, which will be taken from "Extractedfiledownloadid" from "Threat Extraction" results. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Size | Number | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | File information. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The file extension. |

Command example

!sandblast-download file_id=9dc066ec-ae77-4c96-b176-8dc88db515a9

Context Example

{
    "File": {
        "EntryID": "279@117def34-6ca2-4db3-86eb-c9378ad46e65",
        "Extension": "pdf",
        "Info": "application/pdf",
        "MD5": "63a6c12e9b7aa5fb8a1c758de8b87926",
        "Name": "HelloWorld.cleaned.pdf",
        "SHA1": "febf2e17da8f2d2264897069c6358c001f2fc62d",
        "SHA256": "63d3c65cef4eda67d58d81150a9295393990ad81cbc6607e62092d708b9973bb",
        "SHA512": "e7c5058ea2fbd6834fbcdb0699c713e58b54bd7f3e9e340cf48bd3feebe04ef52f9edf0876f051f15bb0f6d09c3b9ae685654267cc281279023e677e95a2c55e",
        "SSDeep": "384:DGW1n7dLCkC4Ta3ZyCJhpVgizPvth6irUABhcLk5JcRzcpnSMTxZYH06ZJWY:yMa3gCJai3ZHBc8SMTxY",
        "Size": 16228,
        "Type": "PDF document, version 1.5"
    }
}

Human Readable Output

sandblast-quota

Use the Quota API to have a client application get the current license and quota status of the API Key that you use in the authorization of the other APIs. For cloud services only.

Base Command

sandblast-quota

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SandBlast.Quota.RemainQuotaHour | Number | Remaining quota hours. |
| SandBlast.Quota.RemainQuotaMonth | Number | Remaining quota months. |
| SandBlast.Quota.AssignedQuotaHour | Number | Assigned quota hours. |
| SandBlast.Quota.AssignedQuotaMonth | Number | Assigned quota months. |
| SandBlast.Quota.HourlyQuotaNextReset | String | Hourly quota next reset. |
| SandBlast.Quota.MonthlyQuotaNextReset | String | Monthly quota next reset. |
| SandBlast.Quota.QuotaId | String | Quota ID. |
| SandBlast.Quota.CloudMonthlyQuotaPeriodStart | String | Cloud monthly quota period start. |
| SandBlast.Quota.CloudMonthlyQuotaUsageForThisGw | Number | Cloud monthly quota usage for this GW. |
| SandBlast.Quota.CloudHourlyQuotaUsageForThisGw | Number | Cloud hourly quota usage for this GW. |
| SandBlast.Quota.CloudMonthlyQuotaUsageForQuotaId | Number | Cloud monthly quota usage for QuotaID. |
| SandBlast.Quota.CloudHourlyQuotaUsageForQuotaId | Number | Cloud hourly quota usage for QuotaID. |
| SandBlast.Quota.MonthlyExceededQuota | Number | Monthly exceeded quota. |
| SandBlast.Quota.HourlyExceededQuota | Number | Hourly exceeded quota. |
| SandBlast.Quota.CloudQuotaMaxAllowToExceedPercentage | Number | Cloud quota max allowed to exceed percentage. |
| SandBlast.Quota.PodTimeGmt | String | Pod time GMT. |
| SandBlast.Quota.QuotaExpiration | String | Quota expiration. |
| SandBlast.Quota.Action | String | Quota action. |

Command example

!sandblast-quota

Context Example

{
    "SandBlast": {
        "Quota": {
            "Action": "ALLOW",
            "AssignedQuotaHour": 500,
            "AssignedQuotaMonth": 10000,
            "CloudHourlyQuotaUsageForQuotaId": 2,
            "CloudHourlyQuotaUsageForThisGw": 2,
            "CloudMonthlyQuotaPeriodStart": "2022-08-01T00:00:00.000Z",
            "CloudMonthlyQuotaUsageForQuotaId": 4,
            "CloudMonthlyQuotaUsageForThisGw": 4,
            "CloudQuotaMaxAllowToExceedPercentage": 1000,
            "HourlyExceededQuota": 0,
            "HourlyQuotaNextReset": "2022-08-01T15:00:00.000Z",
            "MonthlyExceededQuota": 0,
            "MonthlyQuotaNextReset": "2022-09-01T00:00:00.000Z",
            "PodTimeGmt": "2022-08-01T14:42:44.000Z",
            "QuotaExpiration": "2022-09-22T00:00:00.000Z",
            "QuotaId": "D21T63R",
            "RemainQuotaHour": 498,
            "RemainQuotaMonth": 9996
        }
    }
}

Human Readable Output

Quota Information

| Remainquotahour | Remainquotamonth | Assignedquotahour | Assignedquotamonth | Hourlyquotanextreset | Monthlyquotanextreset | Quotaid | Cloudmonthlyquotaperiodstart | Cloudmonthlyquotausageforthisgw | Cloudhourlyquotausageforthisgw | Cloudmonthlyquotausageforquotaid | Cloudhourlyquotausageforquotaid | Monthlyexceededquota | Hourlyexceededquota | Cloudquotamaxallowtoexceedpercentage | Podtimegmt | Quotaexpiration | Action |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 498 | 9996 | 500 | 10000 | 2022-08-01T15:00:00.000Z | 2022-09-01T00:00:00.000Z | D21T63R | 2022-08-01T00:00:00.000Z | 4 | 2 | 4 | 2 | 0 | 0 | 1000 | 2022-08-01T14:42:44.000Z | 2022-09-22T00:00:00.000Z | ALLOW |