SNDBOX (Deprecated)
This integration is part of the SNDBOX (Deprecated) Pack.
Deprecated: no available replacement.
Use the SNDBOX integration to detect and analyze potentially malicious files.
SNDBOX Playbook
- Detonate File - SNDBOX
Use Cases
- Sample a file.
- Get information on an old analysis.
Supported File Types
SNDBOX supports the following file types:
- Microsoft (2003 and earlier): doc, dot, xls, csv, xlt, xlm, ppt, pot, pps
- Microsoft (2007 and later): docx, docm, dotx, dotm, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, iqy, pptx, pptm, potx, ppsx, xml
- Other: pe32, rtf, pdf, vbs, vbe, ps1, js, lnk, html, bat
Configure SNDBOX on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for SNDBOX.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Use Public API Key (by using the SNDBOX public API you accept the SNDBOX TOS at https://app.sndbox.com/tos). Public submissions are shared with the community.
- Private API Key
- Use system proxy settings
- Trust any certificate (not secure)
- Max. Polling Time (in seconds)
- Verbose (show log in case of error)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Check SNDBOX status: sndbox-is-online
- Get information for an analysis: sndbox-analysis-info
- Submit a sample for analysis: sndbox-analysis-submit-sample
- Download a report resource: sndbox-download-report
- (Deprecated) Detonate a file: sndbox-detonate-file
- Download the sample file of an analysis: sndbox-download-sample
1. Check SNDBOX status
Checks if SNDBOX is online or in maintenance mode.
Base Command
sndbox-is-online
Input
There is no input for this command.
Context Output
There is no context output for this command.
2. Get information for an analysis
Show information about an analysis.
Base Command
sndbox-analysis-info
Input
Argument Name | Description | Required |
---|---|---|
analysis_id | Analysis IDs, supports CSV arrays | Required |
Context Output
Path | Type | Description |
---|---|---|
SNDBOX.Analysis.ID | string | Analysis ID |
SNDBOX.Analysis.SampleName | string | Sample data |
SNDBOX.Analysis.Status | string | Analysis status |
SNDBOX.Analysis.Time | date | Submitted time |
SNDBOX.Analysis.Score | float | Analysis score |
SNDBOX.Analysis.Result | string | Analysis results |
SNDBOX.Analysis.Errors | unknown | Errors raised during analysis |
SNDBOX.Analysis.Link | string | Analysis link |
SNDBOX.Analysis.MD5 | string | MD5 of analysis sample |
SNDBOX.Analysis.SHA1 | string | SHA-1 of analysis sample |
SNDBOX.Analysis.SHA256 | string | SHA-256 of analysis sample |
DBotScore.Vendor | string | Vendor name: SNDBOX |
DBotScore.Indicator | unknown | The name of the sample file |
DBotScore.Type | string | File type |
DBotScore.Score | number | The actual score |
DBotScore.Malicious.Vendor | string | Vendor name: SNDBOX |
DBotScore.Malicious.Detections | string | The sub-analysis detection statuses |
DBotScore.Malicious.SHA1 | string | SHA-1 of the file |
Command Example
!sndbox-analysis-info analysis_id="65577395-48d8-4d51-bc97-bc2486f49ca0"
3. Submit a sample for analysis
Submit a sample for analysis.
Base Command
sndbox-analysis-submit-sample
Input
Argument Name | Description | Required |
---|---|---|
file_id | War Room entry of a file, e.g., 3245@4 | Optional |
should_wait | Whether the command should poll for the result of the analysis | Optional |
Context Output
Path | Type | Description |
---|---|---|
SNDBOX.Analysis.ID | string | Analysis ID |
SNDBOX.Analysis.SampleName | string | Sample data (file name or URL) |
SNDBOX.Analysis.Status | string | Analysis status |
SNDBOX.Analysis.Time | date | Submitted time |
SNDBOX.Analysis.Result | string | Analysis results |
SNDBOX.Analysis.Errors | unknown | Errors raised during analysis |
SNDBOX.Analysis.Link | string | Analysis link |
SNDBOX.Analysis.MD5 | string | MD5 of analysis sample |
SNDBOX.Analysis.SHA1 | string | SHA-1 of analysis sample |
SNDBOX.Analysis.SHA256 | string | SHA-256 of analysis sample |
DBotScore.Vendor | string | Vendor name: SNDBOX |
DBotScore.Indicator | unknown | The name of the sample file or URL |
DBotScore.Type | string | 'url' for url samples, otherwise 'file' |
DBotScore.Score | number | The actual score |
DBotScore.Malicious.Vendor | string | Vendor name: SNDBOX |
DBotScore.Malicious.SHA1 | string | SHA-1 of the file |
Command Example
!sndbox-analysis-submit-sample file_id="288@670"
4. Download a report resource
Download a resource belonging to a report. This can be the full report, dropped binaries, etc.
Base Command
sndbox-download-report
Input
Argument Name | Description | Required |
---|---|---|
analysis_id | Analysis ID | Required |
type | The resource type to download. Default is JSON. | Optional |
Context Output
Path | Type | Description |
---|---|---|
InfoFile.Name | string | File name |
InfoFile.EntryID | string | The EntryID of the report |
InfoFile.Size | number | File size |
InfoFile.Type | string | File type, e.g., "PE" |
InfoFile.Info | string | Basic information of the file |
InfoFile.Extension | string | File extension |
Command Example
!sndbox-download-report analysis_id=65577395-48d8-4d51-bc97-bc2486f49ca0 type=json
5. (Deprecated) Detonate a file
Submit a sample for detonation. This command is deprecated.
Base Command
sndbox-detonate-file
Input
Argument Name | Description | Required |
---|---|---|
file_id | War Room entry of a file, e.g., 3245@4 | Optional |
Context Output
Path | Type | Description |
---|---|---|
SNDBOX.Analysis.ID | string | Analysis ID |
SNDBOX.Analysis.SampleName | string | Sample data (file name or URL) |
SNDBOX.Analysis.Status | string | Analysis status |
SNDBOX.Analysis.Time | date | Submitted time |
SNDBOX.Analysis.Result | string | Analysis results |
SNDBOX.Analysis.Errors | unknown | Errors raised during analysis |
SNDBOX.Analysis.Link | string | Analysis link |
SNDBOX.Analysis.MD5 | string | MD5 of analysis sample |
SNDBOX.Analysis.SHA1 | string | SHA-1 of analysis sample |
SNDBOX.Analysis.SHA256 | string | SHA-256 of analysis sample |
DBotScore.Vendor | string | Vendor name: SNDBOX |
DBotScore.Indicator | unknown | The name of the sample file or URL |
DBotScore.Type | string | File |
DBotScore.Score | number | The actual score |
DBotScore.Malicious.Vendor | string | Vendor name: SNDBOX |
DBotScore.Malicious.Detections | string | The sub-analysis detection statuses |
DBotScore.Malicious.SHA1 | string | SHA-1 of the file |
6. Download the sample file of an analysis
Download the sample file of an analysis. For security reasons, the file extension will be .dontrun.
Base Command
sndbox-download-sample
Input
Argument Name | Description | Required |
---|---|---|
analysis_id | Analysis ID | Required |
Context Output
Path | Type | Description |
---|---|---|
File.Size | number | File size |
File.SHA1 | string | SHA-1 hash of the file |
File.SHA256 | string | SHA-256 hash of the file |
File.Name | string | The sample name |
File.SSDeep | string | SSDeep hash of the file |
File.EntryID | string | War Room entry ID of the file |
File.Info | string | Basic information of the file |
File.Type | string | File type, e.g., "PE" |
File.MD5 | string | MD5 hash of the file |
File.Extension | string | File extension |
Command Example
!sndbox-download-sample analysis_id=65577395-48d8-4d51-bc97-bc2486f49ca0