
MetaDefender Sandbox

This Integration is part of the MetaDefender Sandbox Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox) is a unique adaptive threat analysis technology that enables zero-day malware detection and richer Indicator of Compromise (IOC) extraction.

Configure MetaDefender Sandbox on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for MetaDefender Sandbox.

  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Required |
     | --- | --- |
     | Server URL (e.g. https://www.filescan.io/api) | True |
     | API Key | True |
     | Trust any certificate (not secure) | False |
     | Use system proxy settings | False |
     | Verbose | False |

  4. Click Test to validate the URL, the API Key and the connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

metadefender-sandbox-scan-url

Scan a URL with MetaDefender Sandbox.

Note: MetaDefender Sandbox handles URL scanning as a file scan.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

metadefender-sandbox-scan-url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL to submit | Required |
| timeout | The timeout for the polling in seconds | Optional |
| hide_polling_output | Hide polling output | Optional |
| description | Uploaded file/URL description | Optional |
| tags | Tags array to propagate | Optional |
| password | Custom password, in case the uploaded archive is protected | Optional |
| is_private | Whether the file should not be available for download by other users | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| File.Name | String | The full file name. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
| MetaDefender.Sandbox.Analysis.finalVerdict.verdict | String | The final verdict. |
| MetaDefender.Sandbox.Analysis.allTags | Unknown | All tags. |
| MetaDefender.Sandbox.Analysis.overallState | String | Overall state of the scan. |
| MetaDefender.Sandbox.Analysis.taskReference.name | String | Name of the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.additionalInfo | Unknown | Additional information about the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.ID | String | ID of the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.state | String | State of the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.resourceReference | Unknown | Resource reference of the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.opcount | Number | Counter of the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.processTime | Number | Processing time of the main scan task. |
| MetaDefender.Sandbox.Analysis.subtaskReferences | Unknown | Status of scan subtasks. |
| MetaDefender.Sandbox.Analysis.allSignalGroups | Unknown | All signal groups. |
| MetaDefender.Sandbox.Analysis.resources | Unknown | Resources. |
| MetaDefender.Sandbox.Analysis.file.name | String | The name of the file. |
| MetaDefender.Sandbox.Analysis.file.hash | String | The SHA256 of the file. |
| MetaDefender.Sandbox.Analysis.file.type | String | The type of the submission. |

Command example

!metadefender-sandbox-scan-url url=https://www.test.com

Context Example

{
"DBotScore":
[
{
"Indicator": "1111111111111111111111111111111111111111111111111111111111111111",
"Score": 1,
"Type": "file",
"Vendor": "MetaDefender Sandbox"
}
],
"File":
[
{
"Name": "https://www.test.com",
"SHA256": "1111111111111111111111111111111111111111111111111111111111111111"
}
],
"MetaDefender":
{
"Sandbox":
{
"Analysis":
[
{
"finalVerdict":
{
"verdict": "BENIGN"
},
"allTags":
[
{
"source": "MEDIA_TYPE",
"sourceIdentifier": "12345678",
"isRootTag": true,
"tag":
{
"name": "html",
"synonyms":
[],
"descriptions":
[],
"verdict":
{
"verdict": "NO_THREAT",
"threatLevel": 0.1,
"confidence": 1
}
}
}
],
"overallState": "success_partial",
"taskReference":
{
"name": "transform-file",
"additionalInfo":
{
"submitName": "https://www.test.com",
"submitTime": 1679014774270,
"digests":
{
"SHA-256": "1111111111111111111111111111111111111111111111111111111111111111"
}
},
"ID": "abcd-1234",
"state": "SUCCESS",
"resourceReference":
{
"type": "TRANSFORM_FILE",
"name": "file",
"ID": "abcd-5678"
},
"opcount": 1,
"processTime": 20350
},
"subtaskReferences":
[
{
"name": "domain-resolve",
"additionalInfo": 72,
"ID": "12345678",
"state": "SUCCESS",
"resourceReference":
{
"type": "DOMAIN_RESOLVE",
"name": "domain-resolve",
"ID": "123456789"
},
"opcount": 20,
"processTime": 11309
}
],
"allSignalGroups":
[
{
"identifier": "I000",
"description": "OSINT source detected malicious resource",
"averageSignalStrength": 0.75,
"peakSignalStrength": 0.75,
"finalSignalStrength": 0.75,
"verdict":
{
"verdict": "LIKELY_MALICIOUS",
"threatLevel": 0.75,
"confidence": 1
},
"allTags":
[],
"signals":
[
{
"strength": 0.75,
"isStrictlyBasedOnInputData": false,
"signalReadable": "OSINT provider TEST provider (2/93)",
"additionalInfo": "https://www.google.com",
"originPath": "osint.results.verdict",
"originType": "INPUT_FILE",
"originIdentifier": "1234"
}
]
}
],
"resources":
{
"00f1e4d6-27fb-45e8-8a02-dc53818044ec":
{
"resourceReference":
{
"name": "osint"
},
"results":
[]
}
},
"file":
{
"name": "https://www.test.com",
"hash": "1111111111111111111111111111111111111111111111111111111111111111",
"type": "other"
}
}
]
}
}
}

Human Readable Output

Scan Result (digest):

| FileHash | FileName | FileType | FinalVerdict | SubtaskReferences | Tags |
| --- | --- | --- | --- | --- | --- |
| 1111111111111111111111111111111111111111111111111111111111111111 | https://www.test.com | other | BENIGN | osint, url-render, domain-resolve | html, png |

metadefender-sandbox-scan-file

Scan a file with MetaDefender Sandbox.

Base Command

metadefender-sandbox-scan-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entry_id | The War Room entry ID of the file to submit | Required |
| timeout | The timeout for the polling in seconds | Optional |
| hide_polling_output | Hide polling output | Optional |
| description | Uploaded file/URL description | Optional |
| tags | Tags array to propagate | Optional |
| password | Custom password, in case the uploaded archive is protected | Optional |
| is_private | Whether the file should not be available for download by other users | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| File.Name | String | The full file name. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
| MetaDefender.Sandbox.Analysis.finalVerdict.verdict | String | The final verdict. |
| MetaDefender.Sandbox.Analysis.allTags | Unknown | All tags. |
| MetaDefender.Sandbox.Analysis.overallState | String | Overall state of the scan. |
| MetaDefender.Sandbox.Analysis.taskReference.name | String | Name of the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.additionalInfo | Unknown | Additional information about the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.ID | String | ID of the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.state | String | State of the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.resourceReference | Unknown | Resource reference of the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.opcount | Number | Counter of the main scan task. |
| MetaDefender.Sandbox.Analysis.taskReference.processTime | Number | Processing time of the main scan task. |
| MetaDefender.Sandbox.Analysis.subtaskReferences | Unknown | Status of scan subtasks. |
| MetaDefender.Sandbox.Analysis.allSignalGroups | Unknown | All signal groups. |
| MetaDefender.Sandbox.Analysis.resources | Unknown | Resources. |
| MetaDefender.Sandbox.Analysis.file.name | String | The name of the file. |
| MetaDefender.Sandbox.Analysis.file.hash | String | The SHA256 of the file. |
| MetaDefender.Sandbox.Analysis.file.type | String | The type of the submission. |
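Both scan commands write the same MetaDefender.Sandbox.Analysis context, so a playbook usually needs one piece of logic to turn an Analysis item into a DBotScore and a short justification. The helper below is an added example, not code from the integration or from OPSWAT: it reads finalVerdict, overallState, allSignalGroups and file.hash from one Analysis item, maps the verdict to a Cortex XSOAR DBotScore (0 unknown, 1 good, 2 suspicious, 3 bad), surfaces the strongest signal group, and treats a benign verdict from a partial scan as unknown. The verdict-to-score mapping, the partial-scan rule and the trimmed sample analyses are this example's own assumptions, mirroring the two context examples on this page.

```python
"""Triage helper for MetaDefender Sandbox context in Cortex XSOAR.

Added example, not code from the integration or from OPSWAT. It consumes one
item of the MetaDefender.Sandbox.Analysis context list that both
metadefender-sandbox-scan-url and metadefender-sandbox-scan-file produce
and derives a DBotScore entry plus the reasons behind it.
"""
from typing import Any, Dict, List, Optional

# Cortex XSOAR DBotScore values: 0 unknown, 1 good, 2 suspicious, 3 bad.
# Assumed mapping from the verdict strings seen in the context examples.
VERDICT_TO_SCORE = {
    "BENIGN": 1,
    "NO_THREAT": 1,
    "SUSPICIOUS": 2,
    "LIKELY_MALICIOUS": 2,
    "MALICIOUS": 3,
}
VENDOR = "MetaDefender Sandbox"


def strongest_signal_group(analysis: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the signal group with the highest finalSignalStrength, if any."""
    groups = analysis.get("allSignalGroups") or []
    if not groups:
        return None
    return max(groups, key=lambda g: g.get("finalSignalStrength", 0))


def triage(analysis: Dict[str, Any]) -> Dict[str, Any]:
    """Derive a score and human-readable reasons from one Analysis item."""
    verdict = str((analysis.get("finalVerdict") or {}).get("verdict", "UNKNOWN")).upper()
    score = VERDICT_TO_SCORE.get(verdict, 0)
    state = analysis.get("overallState", "")
    partial = state != "success"  # e.g. "success_partial": some subtasks did not complete
    reasons: List[str] = []

    top = strongest_signal_group(analysis)
    if top is not None:
        reasons.append(
            f"{top.get('identifier')}: {top.get('description')} "
            f"(strength {top.get('finalSignalStrength')})"
        )
        # Surface a conflict when a signal group is more severe than the final verdict.
        top_verdict = str((top.get("verdict") or {}).get("verdict", "")).upper()
        if VERDICT_TO_SCORE.get(top_verdict, 0) > score:
            reasons.append(f"signal group verdict {top_verdict} exceeds final verdict {verdict}")

    # Assumption: a benign verdict from a partial scan is weak evidence; report it as unknown.
    if partial and score == 1:
        score = 0
        reasons.append(f"overallState {state!r}: benign verdict not fully trusted")

    return {
        "sha256": (analysis.get("file") or {}).get("hash"),
        "verdict": verdict,
        "score": score,
        "partial": partial,
        "reasons": reasons,
    }


def dbot_score_entry(analysis: Dict[str, Any]) -> Dict[str, Any]:
    """Build a DBotScore context entry in the shape shown in the context examples."""
    result = triage(analysis)
    return {"Indicator": result["sha256"], "Type": "file", "Vendor": VENDOR, "Score": result["score"]}


# Constructed sample analyses, trimmed to the fields used here and mirroring the two
# context examples on this page (benign URL with a partial scan, malicious file).
SAMPLE_URL_ANALYSIS: Dict[str, Any] = {
    "finalVerdict": {"verdict": "BENIGN"},
    "overallState": "success_partial",
    "allSignalGroups": [
        {
            "identifier": "I000",
            "description": "OSINT source detected malicious resource",
            "finalSignalStrength": 0.75,
            "verdict": {"verdict": "LIKELY_MALICIOUS", "threatLevel": 0.75, "confidence": 1},
        }
    ],
    "file": {"name": "https://www.test.com", "hash": "1" * 64, "type": "other"},
}
SAMPLE_FILE_ANALYSIS: Dict[str, Any] = {
    "finalVerdict": {"verdict": "MALICIOUS"},
    "overallState": "success_partial",
    "allSignalGroups": [
        {
            "identifier": "Y002",
            "description": "Matched a malicious YARA rule",
            "finalSignalStrength": 1,
            "verdict": {"verdict": "MALICIOUS", "threatLevel": 1, "confidence": 1},
        }
    ],
    "file": {"name": "bad_file.exe", "hash": "1" * 64, "type": "pe"},
}

if __name__ == "__main__":
    for sample in (SAMPLE_URL_ANALYSIS, SAMPLE_FILE_ANALYSIS):
        print(triage(sample))
        print(dbot_score_entry(sample))
```

In a playbook you would call `triage()` on each element of `MetaDefender.Sandbox.Analysis` and branch on `score` and `partial`; the `reasons` list is what an analyst sees in the incident, so the OSINT signal that contradicts a BENIGN verdict in the first example is not silently lost.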

Command example

!metadefender-sandbox-scan-file entry_id=1234@abcd-efgh-ijkl-mnop-xyz

Context Example

{
"DBotScore":
[
{
"Indicator": "1111111111111111111111111111111111111111111111111111111111111111",
"Score": 1,
"Type": "file",
"Vendor": "MetaDefender Sandbox"
}
],
"File":
[
{
"Name": "1234@abcd-efgh-ijkl-mnop-xyz",
"SHA256": "1111111111111111111111111111111111111111111111111111111111111111"
}
],
"MetaDefender":
{
"Sandbox":
{
"Analysis":
[
{
"finalVerdict":
{
"verdict": "MALICIOUS"
},
"allTags":
[
{
"source": "SIGNAL",
"sourceIdentifier": "1234",
"isRootTag": false,
"tag":
{
"name": "packed",
"synonyms": [],
"descriptions": [],
"verdict": {
"verdict": "SUSPICIOUS",
"threatLevel": 0.5,
"confidence": 1
}
}
}
],
"overallState": "success_partial",
"taskReference":
{
"name": "transform-file",
"additionalInfo": {
"submitName": "bad_file.exe",
"submitTime": 1679011634945,
"digests": {
"SHA-256": "1111111111111111111111111111111111111111111111111111111111111111"
}
},
"ID": "1234",
"state": "SUCCESS",
"resourceReference": {
"type": "TRANSFORM_FILE",
"name": "file",
"ID": "0101010101"
},
"opcount": 1,
"processTime": 7180
},
"subtaskReferences":
[
{
"name": "domain-resolve",
"additionalInfo": 72,
"ID": "12345678",
"state": "SUCCESS",
"resourceReference":
{
"type": "DOMAIN_RESOLVE",
"name": "domain-resolve",
"ID": "123456789"
},
"opcount": 20,
"processTime": 11309
}
],
"allSignalGroups":
[
{
"identifier": "Y002",
"description": "Matched a malicious YARA rule",
"averageSignalStrength": 1,
"peakSignalStrength": 1,
"finalSignalStrength": 1,
"verdict": {
"verdict": "MALICIOUS",
"threatLevel": 1,
"confidence": 1
},
"allTags": [],
"signals": [
{
"strength": 1,
"isStrictlyBasedOnInputData": true,
"signalReadable": "Matched YARA with strength \"0.75\"",
"additionalInfo": "PUP_InstallRex_AntiFWb",
"originPath": "file.yaraMatches",
"originType": "INPUT_FILE",
"originIdentifier": "111111111111111111111111111"
}
]
}
],
"resources":
{
"00f1e4d6-27fb-45e8-8a02-dc53818044ec":
{
"resourceReference":
{
"name": "osint"
},
"results":
[]
}
},
"file":
{
"name": "1234@abcd-efgh-ijkl-mnop-xyz",
"hash": "1111111111111111111111111111111111111111111111111111111111111111",
"type": "other"
}
}
]
}
}
}

Human Readable Output

Scan Result (digest):

| FileHash | FileName | FileType | FinalVerdict | SubtaskReferences | Tags |
| --- | --- | --- | --- | --- | --- |
| 1111111111111111111111111111111111111111111111111111111111111111 | 1234@abcd-efgh-ijkl-mnop-xyz | pe | MALICIOUS | visualization, osint, domain-resolve | html, peexe |

metadefender-sandbox-search-query

Search for reports. Finds reports and uploaded files by various tokens.

Base Command

metadefender-sandbox-search-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The query string | Required |
| limit | Number of total results. Maximum 50 | Optional |
| page | Page number, starting from 1 | Optional |
| page_size | The page size. Can be 5, 10 or 20 | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MetaDefender.Sandbox.Analysis.id | String | The analysis ID. |
| MetaDefender.Sandbox.Analysis.file.name | String | The name of the file. |
| MetaDefender.Sandbox.Analysis.file.sha256 | String | The SHA256 of the file. |
| MetaDefender.Sandbox.Analysis.verdict | String | The final verdict. |
| MetaDefender.Sandbox.Analysis.state | String | Overall state of the scan. |
| MetaDefender.Sandbox.Analysis.date | Date | The scan date. |
| MetaDefender.Sandbox.Analysis.file.mime_type | String | The file MIME type. |
| MetaDefender.Sandbox.Analysis.file.short_type | String | The type of the submission. |
| MetaDefender.Sandbox.Analysis.tags | Unknown | All tags. |

Command example

!metadefender-sandbox-search-query query="834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc"

Context Example

{
"MetaDefender":
{
"Sandbox":
{
"Analysis":
[
{
"id": "b4f92c03-0fc2-4a40-9d34-8f2b05dd240c",
"file": {
"name": "bad_file.exe",
"mime_type": "application/x-msdownload",
"short_type": "peexe",
"sha256": "834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc"
},
"state": "success",
"verdict": "malicious",
"tags": [
{
"source": "MEDIA_TYPE",
"sourceIdentifier": "834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc",
"isRootTag": true,
"tag": {
"name": "peexe",
"synonyms": [],
"descriptions": [],
"verdict": {
"verdict": "NO_THREAT",
"threatLevel": 0.1,
"confidence": 1
}
}
}
],
"date": "03/20/2023, 14:28:09"
}
]
}
}
}

Human Readable Output

Analysis Result:

| Id | SampleName | SHA256 | Verdict | State | Date |
| --- | --- | --- | --- | --- | --- |
| 8c38be8c-7cfd-4d64-be41-c98a795c9ce0 | bad_file.exe | 834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc | MALICIOUS | success_partial | 03/14/2023, 15:07:07 |
| e334d27f-e2b1-46c9-9936-7d3155eb3706 | bad_file.exe | 834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc | UNKNOWN | success | 03/14/2020, 15:03:48 |
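A search by hash can return several reports for the same SHA256, as the Analysis Result table above shows (one MALICIOUS report and one UNKNOWN report for the same file, three years apart), so a playbook should not simply take the first row. The helper below is an added example, not code from the integration: it validates the limit, page and page_size arguments against the constraints documented for metadefender-sandbox-search-query, and then groups results by file.sha256 and keeps the newest report whose verdict is conclusive. The date format is the one shown in the context example; the "conclusive" rule, the in_progress state and the extra sample rows are this example's own constructed assumptions.

```python
"""Reconcile MetaDefender Sandbox search results in Cortex XSOAR.

Added example, not code from the integration. It validates the paging arguments
of metadefender-sandbox-search-query and picks, per SHA256, the most recent
report that carries a verdict.
"""
from datetime import datetime
from typing import Any, Dict, List

DATE_FORMAT = "%m/%d/%Y, %H:%M:%S"  # as in "03/20/2023, 14:28:09" in the context example
ALLOWED_PAGE_SIZES = (5, 10, 20)    # from the page_size argument description
MAX_LIMIT = 50                      # from the limit argument description


def search_args(query: str, limit: int = 10, page: int = 1, page_size: int = 10) -> Dict[str, Any]:
    """Validate the arguments for metadefender-sandbox-search-query before calling it."""
    if not query or not query.strip():
        raise ValueError("query must not be empty")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if page < 1:
        raise ValueError("page numbering starts at 1")
    if page_size not in ALLOWED_PAGE_SIZES:
        raise ValueError(f"page_size must be one of {ALLOWED_PAGE_SIZES}")
    return {"query": query.strip(), "limit": limit, "page": page, "page_size": page_size}


def parse_date(value: str) -> datetime:
    """Parse the date string as it appears in the search-query context."""
    return datetime.strptime(value, DATE_FORMAT)


def is_conclusive(result: Dict[str, Any]) -> bool:
    """A report counts as conclusive when the scan finished and has a verdict (assumed rule)."""
    state = str(result.get("state", "")).lower()
    verdict = str(result.get("verdict", "")).lower()
    return state.startswith("success") and verdict not in ("", "unknown")


def latest_per_hash(results: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Group results by file.sha256 and keep the newest conclusive report per hash.

    If a hash has no conclusive report at all, its newest report is kept so the
    caller still sees that the sample has been submitted.
    """
    chosen: Dict[str, Dict[str, Any]] = {}
    # Newest first, so the first report seen for a hash is its most recent one.
    for result in sorted(results, key=lambda r: parse_date(r["date"]), reverse=True):
        sha256 = result["file"]["sha256"].lower()
        current = chosen.get(sha256)
        if current is None or (is_conclusive(result) and not is_conclusive(current)):
            chosen[sha256] = result
    return chosen


# Constructed sample results: the first two rows mirror the Analysis Result table
# on this page; the last two are made up to exercise the unfinished-report cases.
HASH = "834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc"
SAMPLE_RESULTS: List[Dict[str, Any]] = [
    {"id": "8c38be8c-7cfd-4d64-be41-c98a795c9ce0", "file": {"name": "bad_file.exe", "sha256": HASH},
     "verdict": "MALICIOUS", "state": "success_partial", "date": "03/14/2023, 15:07:07"},
    {"id": "e334d27f-e2b1-46c9-9936-7d3155eb3706", "file": {"name": "bad_file.exe", "sha256": HASH},
     "verdict": "UNKNOWN", "state": "success", "date": "03/14/2020, 15:03:48"},
    # constructed: a newer but unfinished re-scan of the same file must not win
    {"id": "constructed-0001", "file": {"name": "bad_file.exe", "sha256": HASH},
     "verdict": "UNKNOWN", "state": "in_progress", "date": "03/20/2023, 14:28:09"},
    # constructed: a second hash with only an unfinished report
    {"id": "constructed-0002", "file": {"name": "other.bin", "sha256": "a" * 64},
     "verdict": "", "state": "in_progress", "date": "03/21/2023, 09:00:00"},
]

if __name__ == "__main__":
    print(search_args(HASH, limit=20, page=1, page_size=20))
    for sha256, report in latest_per_hash(SAMPLE_RESULTS).items():
        print(sha256[:12], report["id"], report["verdict"], report["state"], report["date"])
```

Feeding the chosen report rather than the whole list into the rest of the playbook avoids the two failure modes visible in the sample data: an old UNKNOWN report masking a newer MALICIOUS one, and an unfinished re-scan masking a finished verdict.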