# MetaDefender Sandbox

This Integration is part of the MetaDefender Sandbox Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Unique adaptive threat analysis technology, enabling zero-day malware detection and extraction of more Indicators of Compromise (IOCs). (Previously known as OPSWAT Filescan Sandbox.)
## Configure MetaDefender Sandbox on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for MetaDefender Sandbox.
3. Click Add instance to create and configure a new integration instance.

Parameter | Required |
---|---|
Server URL (e.g. https://www.filescan.io/api) | True |
API Key | True |
Trust any certificate (not secure) | False |
Use system proxy settings | False |
Verbose | False |

4. Click Test to validate the URLs, the API Key and connection.
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### metadefender-sandbox-scan-url

Scan a URL with MetaDefender Sandbox.

Note: MetaDefender Sandbox handles URL scanning as a file scan.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor's documentation for more details.

#### Base Command

`metadefender-sandbox-scan-url`

#### Input

Argument Name | Description | Required |
---|---|---|
url | The URL to submit | Required |
timeout | The timeout for the polling in seconds | Optional |
hide_polling_output | Hide polling output | Optional |
description | Uploaded file/url description | Optional |
tags | Tags array to propagate | Optional |
password | Custom password, in case uploaded archive is protected | Optional |
is_private | If file should not be available for download by other users | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
File.Name | String | The full file name. |
File.SHA256 | String | The SHA256 hash of the file. |
File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
MetaDefender.Sandbox.Analysis.finalVerdict.verdict | String | The final verdict. |
MetaDefender.Sandbox.Analysis.allTags | Unknown | All tags. |
MetaDefender.Sandbox.Analysis.overallState | String | Overall state of the scan. |
MetaDefender.Sandbox.Analysis.taskReference.name | String | Name of the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.additionalInfo | Unknown | Additional information about the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.ID | String | ID of the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.state | String | State of the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.resourceReference | Unknown | Resource reference of the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.opcount | Number | Operation count of the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.processTime | Number | Processing time of the main scan task. |
MetaDefender.Sandbox.Analysis.subtaskReferences | Unknown | Status of scan subtasks. |
MetaDefender.Sandbox.Analysis.allSignalGroups | Unknown | All signal groups. |
MetaDefender.Sandbox.Analysis.resources | Unknown | Resources. |
MetaDefender.Sandbox.Analysis.file.name | String | The name of the file. |
MetaDefender.Sandbox.Analysis.file.hash | String | The SHA256 of the file. |
MetaDefender.Sandbox.Analysis.file.type | String | The type of the submission. |
#### Command example

`!metadefender-sandbox-scan-url url=https://www.test.com`

#### Human Readable Output

Scan Result (digest):

FileHash | FileName | FileType | FinalVerdict | SubtaskReferences | Tags |
---|---|---|---|---|---|
1111111111111111111111111111111111111111111111111111111111111111 | https://www.test.com | other | BENIGN | osint, url-render, domain-resolve | html, png |
### metadefender-sandbox-scan-file

Scan a file with MetaDefender Sandbox.

#### Base Command

`metadefender-sandbox-scan-file`

#### Input

Argument Name | Description | Required |
---|---|---|
entry_id | The War Room entry ID of the file to submit | Required |
timeout | The timeout for the polling in seconds | Optional |
hide_polling_output | Hide polling output | Optional |
description | Uploaded file/url description | Optional |
tags | Tags array to propagate | Optional |
password | Custom password, in case uploaded archive is protected | Optional |
is_private | If file should not be available for download by other users | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
File.Name | String | The full file name. |
File.SHA256 | String | The SHA256 hash of the file. |
File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
MetaDefender.Sandbox.Analysis.finalVerdict.verdict | String | The final verdict. |
MetaDefender.Sandbox.Analysis.allTags | Unknown | All tags. |
MetaDefender.Sandbox.Analysis.overallState | String | Overall state of the scan. |
MetaDefender.Sandbox.Analysis.taskReference.name | String | Name of the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.additionalInfo | Unknown | Additional information about the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.ID | String | ID of the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.state | String | State of the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.resourceReference | Unknown | Resource reference of the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.opcount | Number | Operation count of the main scan task. |
MetaDefender.Sandbox.Analysis.taskReference.processTime | Number | Processing time of the main scan task. |
MetaDefender.Sandbox.Analysis.subtaskReferences | Unknown | Status of scan subtasks. |
MetaDefender.Sandbox.Analysis.allSignalGroups | Unknown | All signal groups. |
MetaDefender.Sandbox.Analysis.resources | Unknown | Resources. |
MetaDefender.Sandbox.Analysis.file.name | String | The name of the file. |
MetaDefender.Sandbox.Analysis.file.hash | String | The SHA256 of the file. |
MetaDefender.Sandbox.Analysis.file.type | String | The type of the submission. |
#### Command example

`!metadefender-sandbox-scan-file entry_id=1234@abcd-efgh-ijkl-mnop-xyz`

#### Human Readable Output

Scan Result (digest):

FileHash | FileName | FileType | FinalVerdict | SubtaskReferences | Tags |
---|---|---|---|---|---|
1111111111111111111111111111111111111111111111111111111111111111 | 1234@abcd-efgh-ijkl-mnop-xyz | pe | MALICIOUS | visualization, osint, domain-resolve | html, peexe |
### metadefender-sandbox-search-query

Search for reports. Finds reports and uploaded files by various tokens.

#### Base Command

`metadefender-sandbox-search-query`

#### Input

Argument Name | Description | Required |
---|---|---|
query | The query string | Required |
limit | Number of total results. Maximum 50 | Optional |
page | Page number, starting from 1 | Optional |
page_size | The page size. Can be 5, 10 or 20 | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
MetaDefender.Sandbox.Analysis.id | String | The analysis id. |
MetaDefender.Sandbox.Analysis.file.name | String | The name of the file. |
MetaDefender.Sandbox.Analysis.file.sha256 | String | The SHA256 of the file. |
MetaDefender.Sandbox.Analysis.verdict | String | The final verdict. |
MetaDefender.Sandbox.Analysis.state | String | Overall state of the scan. |
MetaDefender.Sandbox.Analysis.date | Date | The scan date. |
MetaDefender.Sandbox.Analysis.file.mime_type | String | The file MimeType. |
MetaDefender.Sandbox.Analysis.file.short_type | String | The type of the submission. |
MetaDefender.Sandbox.Analysis.tags | Unknown | All tags. |
#### Command example

`!metadefender-sandbox-search-query query="834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc"`

#### Human Readable Output

Analysis Result:

Id | SampleName | SHA256 | Verdict | State | Date |
---|---|---|---|---|---|
8c38be8c-7cfd-4d64-be41-c98a795c9ce0 | bad_file.exe | 834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc | MALICIOUS | success_partial | 03/14/2023, 15:07:07 |
e334d27f-e2b1-46c9-9936-7d3155eb3706 | bad_file.exe | 834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc | UNKNOWN | success | 03/14/2020, 15:03:48 |
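As an added example (not code from this pack or its integration), the helper below shows how an XSOAR automation might consume the two kinds of context entries documented above: it trusts a `metadefender-sandbox-scan-url` / `metadefender-sandbox-scan-file` verdict only when `overallState` is `success`, and for `metadefender-sandbox-search-query` it picks the report to act on when the same SHA256 has several analyses that disagree, exactly the situation in the sample output above. In a real script the entries would come from `demisto.context()` after the commands ran; the verdict ranking, the treatment of `success_partial`, and the assumption that the context `date` field matches the human readable date format are this example's own choices, and the sample entries are constructed from the page's example.

```python
from datetime import datetime

# Verdicts seen in this README's sample output, most to least severe
# (the ranking itself is an assumption made for this example).
VERDICT_RANK = {"MALICIOUS": 2, "BENIGN": 1, "UNKNOWN": 0}
# Assumed: the context `date` field matches the human readable output format.
DATE_FMT = "%m/%d/%Y, %H:%M:%S"


def scan_verdict(analysis: dict) -> tuple:
    """One MetaDefender.Sandbox.Analysis entry from scan-url / scan-file.
    Returns (verdict, trusted): trusted only when overallState == "success",
    so a polling timeout or partial run is not read as a clean result."""
    verdict = (analysis.get("finalVerdict") or {}).get("verdict", "UNKNOWN")
    return verdict, analysis.get("overallState") == "success"


def best_search_hit(results: list, sha256: str):
    """Pick the search-query entry to act on for one hash: most severe
    verdict first, then completed state ("success" over "success_partial"),
    then the newest analysis date."""
    hits = [r for r in results if (r.get("file") or {}).get("sha256") == sha256]
    if not hits:
        return None
    return max(hits, key=lambda r: (
        VERDICT_RANK.get(r.get("verdict", "UNKNOWN"), 0),
        r.get("state") == "success",
        datetime.strptime(r["date"], DATE_FMT),
    ))


def needs_rescan(hit) -> bool:
    """True when there is no usable verdict, i.e. the sample should be
    submitted again with metadefender-sandbox-scan-file."""
    return hit is None or hit.get("verdict", "UNKNOWN") == "UNKNOWN"


# Constructed from this page's search-query example: one SHA256 with two
# analyses that disagree on verdict and state.
SHA = "834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc"
SEARCH_RESULTS = [
    {"id": "8c38be8c-7cfd-4d64-be41-c98a795c9ce0", "verdict": "MALICIOUS",
     "state": "success_partial", "date": "03/14/2023, 15:07:07",
     "file": {"name": "bad_file.exe", "sha256": SHA}},
    {"id": "e334d27f-e2b1-46c9-9936-7d3155eb3706", "verdict": "UNKNOWN",
     "state": "success", "date": "03/14/2020, 15:03:48",
     "file": {"name": "bad_file.exe", "sha256": SHA}},
]
```

With the sample above the MALICIOUS (partial) analysis wins over the older, complete UNKNOWN one, so the hash is escalated rather than silently cleared.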