Skip to main content

Cisco Secure Malware Analytics (Threat Grid) v2

This Integration is part of the Cisco Secure Malware Analytics Pack.#

Query and upload samples to Cisco threat grid. This integration was integrated and tested with version 2 of Cisco Secure Malware Analytics (Threat Grid)

Configure Cisco Secure Malware Analytics (Threat Grid) in Cortex#

ParameterDescriptionRequired
Server URL (e.g. https://192.168.0.1)True
API tokenTrue
Source ReliabilityReliability of the source providing the intelligence data.True
Trust any certificate (not secure)False
Use system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

threat-grid-sample-list#


Search samples on the Threat Grid platform. Input parameters are ANDed together. Only finished samples can be searched (that is, the ones that are having a status of succ or fail.)

Base Command#

threat-grid-sample-list

Input#

Argument NameDescriptionRequired
sample_idThe sample ID.Optional
artifactThe artifact to download. Sample ID is required when choosing 'artifact'. Possible values are: video.webm, network-artifacts.zip, report.html, sample.zip, screenshot.png, extracted-artifacts.zip, timeline.json, analysis.json, processes.json, network.pcap.Optional
sha1A sha1 of the submitted sample, only matches samples, not their artifacts.Optional
sha256A SHA256 of the submitted sample, only matches samples, not their artifacts.Optional
md5A MD5 checksum of the submitted sample, only matches samples, not their artifacts.Optional
user_onlyIt 'True' - Only display samples created by the current user, as determined by the value of api_key.Optional
org_onlyIt 'True' - Only display samples created by the current user's organization, as determined by the value of api_key.Optional
pagePage number of paginated results. Minimum value: 1.Optional
page_sizeThe number of items per page.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ThreatGrid.Sample.idStringThe sample id
ThreatGrid.Sample.filenameStringThe sample filename
ThreatGrid.Sample.stateStringThe state of the sample, one of a stable set of strings "wait, prep, run, proc, succ, fail"
ThreatGrid.Sample.statusStringThe sample status, one of a stable set of strings "succ, fail"
ThreatGrid.Sample.md5StringThe sample md5
ThreatGrid.Sample.sha1StringThe sample sha1
ThreatGrid.Sample.sha256StringThe sample sha256
ThreatGrid.Sample.osStringThe sample os
ThreatGrid.Sample.submitted_atStringThe sample submission time
ThreatGrid.Sample.started_atStringThe sample analysis starting time
ThreatGrid.Sample.completed_atStringThe sample completion time
InfoFile.NameStringThe file name
InfoFile.EntryIDStringThe ID for locating the file in the War Room
InfoFile.SizeStringThe size of the file (in bytes)
InfoFile.TypeStringThe file type, as determined by libmagic (same as displayed in file entries)
InfoFile.ExtensionStringThe file extension
InfoFile.InfoStringBasic information about the file

Command example#

!threat-grid-sample-list

Context Example#

{
"ThreatGrid": {
"Sample": [
{
"completed_at": "ThreatGrid_Sample[0]_completed_at",
"filename": "md5",
"id": "id",
"md5": "md5",
"os": "os",
"sha1": "sha1",
"sha256": "sha256",
"started_at": "ThreatGrid_Sample[0]_started_at",
"state": "succ",
"status": "job_done",
"submission_id": 1538519424,
"submitted_at": "ThreatGrid_Sample[0]_submitted_at",
"tags": [],
"vm": "win7-x64"
},
{
"completed_at": "ThreatGrid_Sample[1]_completed_at",
"filename": "sha256",
"id": "id",
"md5": "md5",
"os": "os",
"sha1": "sha1",
"sha256": "sha256",
"started_at": "ThreatGrid_Sample[1]_started_at",
"state": "succ",
"status": "job_done",
"submission_id": 1531508494,
"submitted_at": "ThreatGrid_Sample[1]_submitted_at",
"tags": [
"s",
"talos",
"gravity"
],
"vm": "win7-x64"
},
]
}
}

Human Readable Output#

Sample details:#

Completed AtFilenameIdMd5OsSha1Sha256Started AtStateStatusSubmission IdSubmitted AtTagsVm
2022-12-05T04:17:00Zmd5idmd5ossha1sha2562022-12-05T04:10:44Zsuccjob_done15385194242022-12-05T04:10:44Zwin7-x64
2022-11-24T01:04:39Zsha256idmd5ossha1sha2562022-11-24T00:58:22Zsuccjob_done15315084942022-11-24T00:58:22Zs,
talos,
gravity
win7-x64

threat-grid-sample-upload#


Submits a sample to threat grid for analysis. URL or file, not both.

Base Command#

threat-grid-sample-upload

Input#

Argument NameDescriptionRequired
file_idThe file ID. Click on the chain-like icon after you upload a file in d__ to find the file_id.Optional
urlThe URL to upload. .Optional
interval_in_secondsIndicates how long to wait between command execution (in seconds) when 'polling' argument is true. Minimum value is 10 seconds. Default is 10. Default is 10.Optional
timeout_in_secondsIndicates the time in seconds until the polling sequence timeouts. Default is 60. Default is 60.Optional
sample_idThe uploaded sample ID.Optional
privateWhether to mark the sample as private.Optional
hide_polling_outputWhether to hide the polling result (automatically filled by polling).Optional
vma string identifying a specific VM to use. Options: win7-x64: Windows 7 64bit, win7-x64-2: Windows 7 64-bit Profile 2, win10-x64-2-beta: Windows 10 LTSC 2019 (beta), win10-x64-browser: Windows 10 Browser, win10-x64-jp: Windows 10 Japanese, win10-x64-kr: Windows 10 Korean, win10-x64-phishing-beta: Windows 10 (Phishing), win10: Windows 10 (Not available on Threat Grid appliances). NOTE: The standard (English) VMs default to UTF-8 encoding. To support Korean and Japanese character sets, such as S-JIS, submit to the appropriate VM.Optional
playbookName of a playbook to apply to this sample run. none: Explicitly disables playbooks, default: Default Playbook, alt_tab_programs: Conduct Active Window Change, open_word_embedded_object: Open Embedded Object in Word Document, use_best_option: allows Malware Analytics to select the best Playbook option based on the submitted sample, visit_site: Visit Website Using Internet Explorer, close_file: Close Active Window. The current list of playbooks endpoints can be obtained by querying /api/v3/configuration/playbooks.Optional

Context Output#

PathTypeDescription
ThreatGrid.Sample.idStringThe sample id
ThreatGrid.Sample.filenameStringThe sample filename
ThreatGrid.Sample.stateStringThe state of the sample, one of a stable set of strings "wait, prep, run, proc, succ, fail"
ThreatGrid.Sample.statusStringThe sample status
ThreatGrid.Sample.md5StringThe sample md5
ThreatGrid.Sample.sha1StringThe sample sha1
ThreatGrid.Sample.sha256StringThe sample sha256
ThreatGrid.Sample.osStringThe sample os
ThreatGrid.Sample.submitted_atStringThe sample submission time

Command example#

!threat-grid-sample-upload url=http://domain_example:80/ private=True

Human Readable Output#

Upload sample is executing

threat-grid-submissions-search#


Search threat grid submissions

Base Command#

threat-grid-submissions-search

Input#

Argument NameDescriptionRequired
queryQuery text. If you wish to work with an elasticsearch query please set 'advanced' argument to true.Optional
user_onlyOnly display submissions created by the current user, as determined by the value of api_key. Possible values are: True, False.Optional
org_onlyOnly display submissions created by the current user's organization, as determined by the value of api_key. Possible values are: True, False.Optional
termRestrict matches to a subset of submission fields. The value of 'term' is a comma-delimited list of strings which select groups of fields. Possible values are: antivirus, analysis.artifacts.av_signatures.product, analysis.artifacts.av_signatures.signature, behavior, analysis.behaviors.name, analysis.behaviors.title, analysis.artifacts.av_signatures.signature, domain, analysis.domains.domain, analysis.domains.domain.component, mutant, analysis.processes.mutants, analysis.processes.mutants.whole, analysis.processes.mutants.component, path, filename, analysis.paths.path, analysis.paths.path.whole, analysis.processes.paths, process, analysis.processes.process_name, analysis.processes.startup_info.command_line, analysis.processes.startup_info.image_pathname, analysis.processes.startup_info.window_title, registry_key, analysis.registry_keys.key, analysis.registry_keys.key.whole, analysis.registry_keys.key.component, analysis.processes.registry_keys, analysis.processes.registry_keys.whole, analysis.registry_keys.value_names, sample, filename, url, analysis.urls.url, analysis.urls.url.whole..Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
stateRestrict match to submissions in specific state or states. Possible values are: wait, prep, run, proc, succ, fail.Optional
sort_byIf not specified, results will be sorted by the search score, which is based on which fields match the query most accurately, and their weight. Possible values are: timestamp, submitted_at, analyzed_at, filename, type, state, threat or threat_score, login.Optional
sort_orderdesc or asc. Possible values are: desc, asc.Optional
highlightProvide a 'matches' field in results, indicating which fields were matched. Possible values are: True, False.Optional
pagePage number of paginated results. Minimum value: 1.Optional
page_sizeThe number of items per page.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ThreatGrid.Sample.sampleStringThe sample ID
ThreatGrid.Sample.filenameStringThe name of the sample file
ThreatGrid.Sample.stateStringThe state of the sample, one of a stable set of strings "wait, prep, run, proc, succ, fail"
ThreatGrid.Sample.statusStringThe status of the sample
ThreatGrid.Sample.md5StringThe MD5 id of the sample
ThreatGrid.Sample.sha1StringThe SHA1 id of the sample
ThreatGrid.Sample.sha256StringThe SHA256 id of the sample
ThreatGrid.Sample.submitted_atDateTime of submission for the sample
ThreatGrid.Sample.threat_scoreNumberThe threat score of the sample

Command example#

!threat-grid-submissions-search

Context Example#

{
"ThreatGrid": {
"Sample": [
{
"filename": "md5",
"md5": "md5",
"private": false,
"sample": "sample",
"sha1": "sha1",
"sha256": "sha256",
"state": "wait",
"status": "pending",
"submitted_at": "ThreatGrid_Sample[0]_submitted_at"
},
{
"filename": "md5",
"md5": "md5",
"private": false,
"sample": "sample",
"sha1": "sha1",
"sha256": "sha256",
"state": "wait",
"status": "pending",
"submitted_at": "ThreatGrid_Sample[1]_submitted_at"
},
]
}
}

Human Readable Output#

Samples Submissed :#

Showing page 1. Current page size: 50 |Filename|Md5|Private|Sample|Sha1|Sha256|State|Status|Submitted At| |---|---|---|---|---|---|---|---|---| | md5 | md5 | false | sample | sha1 | sha256 | wait | pending | 2022-12-22T08:40:47Z | | md5 | md5 | false | sample | sha1 | sha256 | wait | pending | 2022-12-22T08:40:47Z |

threat-grid-sample-summary-get#


Returns summary analysis information

Base Command#

threat-grid-sample-summary-get

Input#

Argument NameDescriptionRequired
sample_idThe sample id.Required

Context Output#

PathTypeDescription
ThreatGrid.SampleAnalysisSummary.sampleStringThe sample ID.
ThreatGrid.SampleAnalysisSummary.registry_countNumberThe registry count of the sample.
ThreatGrid.SampleAnalysisSummary.filenameStringThe Filename of the sample.
ThreatGrid.SampleAnalysisSummary.sha256StringThe SHA256 hash of the sample.
ThreatGrid.SampleAnalysisSummary.magic_typeStringThe sample type.
ThreatGrid.SampleAnalysisSummary.first_seenDateThe timestamp when the sample was first seen.
ThreatGrid.SampleAnalysisSummary.last_seenDateThe timestamp when the sample was last seen.

Command example#

!threat-grid-sample-summary-get sample_id=sample_id

Context Example#

{
"ThreatGrid": {
"SampleAnalysisSummary": {
"artifacts": {
"disk": 6,
"memory": 9,
"network": 1
},
"filename": "www.domain_example_.url",
"first_seen": "ThreatGrid_SampleAnalysisSummary_first_seen",
"iocs": [
{
"category": [
"static-anomaly"
],
"confidence": 100,
"ioc": "html-small-file-redirect",
"score": 50,
"severity": 50,
"tags": [
"html",
"redirect"
]
},
{
"category": [
"network-information"
],
"confidence": 50,
"ioc": "http-response-redirect",
"score": 25,
"severity": 50,
"tags": [
"network",
"http",
"redirect"
]
},
{
"category": [
"domain"
],
"confidence": 95,
"ioc": "network-only-safe-domains-contacted",
"score": 19,
"severity": 20,
"tags": [
"umbrella",
"dns"
]
},
{
"category": [
"network-information"
],
"confidence": 25,
"ioc": "network-communications-http-get-url",
"score": 6,
"severity": 25,
"tags": [
"network",
"http",
"get"
]
}
],
"last_seen": "ThreatGrid_SampleAnalysisSummary_last_seen",
"magic_type": "ThreatGrid_SampleAnalysisSummary_magic_type",
"md5": "md5",
"registry_count": 143,
"run_start": "ThreatGrid_SampleAnalysisSummary_run_start",
"run_stop": "ThreatGrid_SampleAnalysisSummary_run_stop",
"run_type": "url",
"sample": "sample_id",
"sha1": "sha1",
"sha256": "sha256",
"stream_count": 44,
"tags": [],
"times_seen": 85
}
}
}

Human Readable Output#

Sample summary:#

ArtifactsFilenameFirst SeenIocsLast SeenMagic TypeMd5Registry CountRun StartRun StopRun TypeSampleSha1Sha256Stream CountTagsTimes Seen
disk: 6
memory: 9
network: 1
www.domainexample.url2021-12-29T15:43:00Z{'category': ['static-anomaly'], 'confidence': 100, 'ioc': 'html-small-file-redirect', 'severity': 50, 'tags': ['html', 'redirect'], 'score': 50},
{'category': ['network-information'], 'confidence': 50, 'ioc': 'http-response-redirect', 'severity': 50, 'tags': ['network', 'http', 'redirect'], 'score': 25},
{'category': ['domain'], 'confidence': 95, 'ioc': 'network-only-safe-domains-contacted', 'severity': 20, 'tags': ['umbrella', 'dns'], 'score': 19},
{'category': ['network-information'], 'confidence': 25, 'ioc': 'network-communications-http-get-url', 'severity': 25, 'tags': ['network', 'http', 'get'], 'score': 6}
2022-12-21T12:09:33ZMS Windows 95 Internet shortcut text (URL=<http://www.domain_example>), ASCII textmd51432022-12-21T12:09:33Z2022-12-21T12:16:27Zurlsample_idsha1sha2564485

threat-grid-who-am-i#


Get logged in user

Base Command#

threat-grid-who-am-i

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
ThreatGrid.User.emailstringCurrent user mail.
ThreatGrid.User.loginstringCurrent user login name.

Command example#

!threat-grid-who-am-i

Context Example#

{
"ThreatGrid": {
"User": {
"active": true,
"api_key": "key",
"api_only": false,
"device": false,
"email": "ThreatGrid_User_email",
"integration_id": "id",
"login": "login_name",
"name": "name",
"organization_id": 485008,
"role": "org-admin",
"title": ""
}
}
}

Human Readable Output#

Who am I ?#

ActiveApi KeyApi OnlyDeviceEmailIntegration IdLoginNameOrganization IdRoleTitle
truekeyfalsefalsemailz1cilogin_namenameidorg-admin

threat-grid-rate-limit-get#


Get rate limit for a specific user name. ThreatGrid employs a simple rate limiting method for sample submissions by specifying the number of samples which can be submitted within some variable time period by a user. Multiple rate limits can be employed to form overlapping submission limits. For example, 20 submissions per hour AND 400 per day.

Base Command#

threat-grid-rate-limit-get

Input#

Argument NameDescriptionRequired
loginUser login name.Required
entity_typeUser or Organization. Possible values are: user, organization.Required

Context Output#

PathTypeDescription
ThreatGrid.RateLimit.submission-rate-limitnumberArray of array(s) representing submission(s) per minute(s) or the string"nil" to clear the value. Example: [[5, 1440]] which represents 5 samples per day. This field represent the number of samples allowed.
ThreatGrid.RateLimit.submission-wait-secondsnumberThe number of seconds to wait for a submission to get uploaded on the platform.
ThreatGrid.RateLimit.submissions-availablenumberThe number of submissions available for the specified username

Command example#

!threat-grid-rate-limit-get login=login_name entity_type=user

Context Example#

{
"ThreatGrid": {
"RateLimit": {
"submission-rate-limit": [],
"submission-wait-seconds": 0,
"submissions-available": null
}
}
}

Human Readable Output#

user rate limit :#

Submission-rate-limitSubmission-wait-secondsSubmissions-available
0

threat-grid-feed-specific-get#


Gets a specific threat feed

Base Command#

threat-grid-feed-specific-get

Input#

Argument NameDescriptionRequired
feed_nameThe feed name. Possible values are: autorun-registry, banking-dns, dga-dns, dll-hijacking-dns, doc-net-com-dns, downloaded-pe-dns, dynamic-dns, irc-dns, modified-hosts-dns, parked-dns, public-ip-check-dns, ransomware-dns, rat-dns, scheduled-tasks, sinkholed-ip-dns, stolen-cert-dns.Required
output_typeThe output type. Possible values are: json, csv, stix, snort, txt. Default is json.Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional

Context Output#

PathTypeDescription
ThreatGrid.Feed.sampleStringFeed sample.
ThreatGrid.Feed.descriptionStringFeed description.

Command example#

!threat-grid-feed-specific-get feed_name=doc-net-com-dns

Context Example#

{
"ThreatGrid": {
"Feed": [
{
"description": "DNS response information from requests made by document samples performing network communications.",
"domain": "login.gogie.com.000000000000.phish.farm",
"info": "ThreatGrid_Feed[0]_info",
"ips": [
"ThreatGrid_Feed[0]_ips_0",
"ThreatGrid_Feed[0]_ips_1"
],
"sample": "ThreatGrid_Feed[0]_sample",
"sample_md5": "sample_md5",
"sample_sha1": "sample_sha1",
"sample_sha256": "sample_sha256",
"timestamp": "ThreatGrid_Feed[0]_timestamp"
},
{
"description": "DNS response information from requests made by document samples performing network communications.",
"domain": "spamchallenge.msftemail.com",
"info": "ThreatGrid_Feed[1]_info",
"ips": [
"ThreatGrid_Feed[1]_ips_0",
"ThreatGrid_Feed[1]_ips_1"
],
"sample": "ThreatGrid_Feed[1]_sample",
"sample_md5": "sample_md5",
"sample_sha1": "sample_sha1",
"sample_sha256": "sample_sha256",
"timestamp": "ThreatGrid_Feed[1]_timestamp"
},
]
}
}

Human Readable Output#

Specific feed :#

SampleDescription
https://panacea.threatgrid.com/feeds/doc-net-com-dns/samples/4007c79d4db4af076e67a32b9aa9eae8DNS response information from requests made by document samples performing network communications.
https://panacea.threatgrid.com/feeds/doc-net-com-dns/samples/9df95de1e738730ea3eb9c2ec122afa7DNS response information from requests made by document samples performing network communications.

threat-grid-ip-search#


Search IPs. Please provide a single argument (only one) to use this command, as the API supports 1 filter at a time.

Base Command#

threat-grid-ip-search

Input#

Argument NameDescriptionRequired
ipThe IP to search for.Required

Context Output#

PathTypeDescription
ThreatGrid.search.ipstringIP item.
ThreatGrid.search.asnstringIP asn.
ThreatGrid.search.locationstringIP location details.

Command example#

!threat-grid-ip-search ip=8.8.8.8

Context Example#

{
"ThreatGrid": {
"search": {
"asn": {
"asn": 15169,
"org": "Google"
},
"flags": [
{
"created_at": "ThreatGrid_search_flags[0]_created_at",
"expiration": "ThreatGrid_search_flags[0]_expiration",
"flag": 1,
"login": "admin",
"mine": false,
"reason": "Content Delivery Network"
},
],
"ip": "ThreatGrid_search_ip",
"location": {
"city": "Los Angeles",
"country": "US",
"region": "CA"
},
"rev": "dns.google",
"tags": []
}
}
}

Human Readable Output#

ip data:#

AsnFlagsIpLocationRevTags
org: Google
asn: 15169
{'created_at': '2013-11-15T18:16:33Z', 'expiration': '2025-01-01T00:00:00Z', 'flag': 1, 'login': 'admin', 'reason': 'Content Delivery Network', 'mine': False},
{'created_at': '2013-11-15T18:16:34Z', 'expiration': '2025-01-01T00:00:00Z', 'flag': 1, 'login': 'admin', 'reason': 'resolves to google-public-dns-a.domain_example', 'mine': False},
{'created_at': '2013-07-25T14:08:34Z', 'expiration': '2025-01-01T00:00:00Z', 'flag': 1, 'login': 'dean', 'reason': 'Whitelisted', 'mine': False}
8.8.8.8country: US
region: CA
city: Los Angeles
dns.google

threat-grid-analysis-annotations-get#


Returns data regarding the annotations of the analysis

Base Command#

threat-grid-analysis-annotations-get

Input#

Argument NameDescriptionRequired
sample_idThe sample ID.Required

Context Output#

PathTypeDescription
ThreatGrid.SampleAnnotations.networkStringIP address & timestamp in the annotation.

Command example#

!threat-grid-analysis-annotations-get sample_id=sample_id

Context Example#

{
"ThreatGrid": {
"SampleAnnotations": {
"network": {
"ip1": {
"ts": "ThreatGrid_SampleAnnotations_network_ip1_ts"
},
"ip2": {
"asn": 15169,
"city": "c",
"country": "US",
"country_name": "United States",
"org": "Google",
"region": "NY",
"region_name": "New York",
"reverse_dns": [
"lga34s32-in-f3.1e100.net"
],
"ts": "ThreatGrid_SampleAnnotations_network_ip2_ts"
},
}
}
}
}

Human Readable Output#

List of samples analysis:#

ip1ip2
ts: 2022-12-21T12:15:59Zorg: Google
ts: 2022-12-21T12:15:59Z
country: US
city: c
region_name: New York
region: NY
reverse_dns: lga34s32-in-f3.1e100.net
country_name: United States
asn: 15169

threat-grid-url-search#


Search urls. Please provide the URL in the format http://example.com:80/ (note that ThreatGrid only support '.com' domains).

Base Command#

threat-grid-url-search

Input#

Argument NameDescriptionRequired
urlThe URL to search for (please provide the URL in the format http://example.com:80/. note that ThreatGrid only support '.com' domains).Required

Context Output#

PathTypeDescription
ThreatGrid.search.urlStringURL item

Command example#

!threat-grid-url-search url=http://domain_example:80/

Context Example#

{
"ThreatGrid": {
"search": {
"host": "domain_example",
"path": "/",
"port": 80,
"protocol": "http",
"query": null,
"query-params": null,
"reference": null,
"url": "ThreatGrid_search_url"
}
}
}

Human Readable Output#

url data:#

HostPathPortProtocolQueryQuery-paramsReferenceUrl
domain_example/80httphttp://domain_example:80/

threat-grid-feeds-artifact#


Get artifacts threat feed

Base Command#

threat-grid-feeds-artifact

Input#

Argument NameDescriptionRequired
sha256Restrict returned records with this sha256.Optional
sha1Restrict returned records with this sha1.Optional
md5Restrict returned records with this md5.Optional
pathRestrict returned records to this path or path fragment.Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
confidenceRestrict to IOCs with this confidence score or higher, defaults to 80. Default is 80.Optional
severityRestrict to IOCs with this severity score or higher, defaults to 80. Default is 80.Optional
iocRestrict returned records to events of this type.Optional
org_onlyIf “true”, will only match against samples submitted by your organization. Possible values are: True, False.Optional
user_onlyIf “true”, will only match against samples you submitted. Possible values are: True, False.Optional
sample_idA comma-separated list of sample IDs. Restrict results to these samples.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional
page_sizeThe number of items per page.Optional
pagePage number of paginated results.Optional

Context Output#

PathTypeDescription
ThreatGrid.Artifact.confidenceNumberArtifact confidence
ThreatGrid.Artifact.severityNumberArtifact severity
ThreatGrid.Artifact.iocStringArtifact IOC
ThreatGrid.Artifact.artifact_sha256StringArtifact sha256
ThreatGrid.Artifact.artifact_md5StringArtifact md5
ThreatGrid.Artifact.sample_idStringArtifact sample ID

Command example#

!threat-grid-feeds-artifact

Context Example#

{
"ThreatGrid": {
"Artifact": [
{
"aid": 1,
"artifact_md5": "md5",
"artifact_sha256": "sha256",
"confidence": 95,
"ioc": "antivirus-service-flagged-artifact",
"path": "md5.exe",
"sample_id": "id",
"severity": 100,
"timestamp": "ThreatGrid_Artifact[0]_timestamp"
},
{
"aid": 11,
"artifact_md5": "artifact_md5",
"artifact_sha256": "artifact_sha256",
"confidence": 90,
"ioc": "sample-pe-modified-on-disk",
"path": "ThreatGrid_Artifact[1]_path",
"sample_id": "id",
"severity": 90,
"timestamp": "ThreatGrid_Artifact[1]_timestamp"
},
]
}
}

Human Readable Output#

Feeds IOCs list artifact :#

Showing page 1. Current page size: 50 |Aid|Artifact Md5|Artifact Sha256|Confidence|Ioc|Path|Sample Id|Severity|Timestamp| |---|---|---|---|---|---|---|---|---| | 3 | md5 | sha256 | 90 | antivirus-flagged-artifact | \Users\Administrator.exe | id | 80 | 2022-12-05T04:10:44Z | | 9 | md5 | sha256 | 90 | antivirus-flagged-artifact | 912-.exe | id | 80 | 2022-12-05T04:10:44Z |

threat-grid-feeds-domain#


Get domain threat feed

Base Command#

threat-grid-feeds-domain

Input#

Argument NameDescriptionRequired
domainRestrict returned records to this domain or hostname.Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
confidenceRestrict to IOCs with this confidence score or higher, defaults to 80. Default is 80.Optional
severityRestrict to IOCs with this severity score or higher, defaults to 80. Default is 80.Optional
iocRestrict returned records to events of this type.Optional
org_onlyIf “true”, will only match against samples submitted by your organization. Possible values are: True, False.Optional
user_onlyIf “true”, will only match against samples you submitted. Possible values are: True, False.Optional
sample_idA comma-separated list of sample IDs. Restrict results to these samples.Optional
pagePage number of paginated results.Optional
page_sizeThe number of items per page.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ThreatGrid.Domain.confidenceNumberDomain confidence
ThreatGrid.Domain.severityNumberDomain severity
ThreatGrid.Domain.iocStringDomain IOC
ThreatGrid.Domain.sample_sha256StringDomain sha256
ThreatGrid.Domain.sample_idStringDomain sample ID
ThreatGrid.Domain.domainStringThe Domain

Command example#

!threat-grid-feeds-domain

Context Example#

{
"ThreatGrid": {
"Domain": [
{
"confidence": 95,
"domain": "hookworm.capitaly.ru",
"ioc": "network-snort-pua",
"sample_id": "sample_id",
"sample_sha256": "sample_sha256",
"severity": 90,
"timestamp": "ThreatGrid_Domain[0]_timestamp"
},
{
"confidence": 100,
"domain": "augustawa.com",
"ioc": "suspicious-user-agent",
"sample_id": "sample_id",
"sample_sha256": "sample_sha256",
"severity": 80,
"timestamp": "ThreatGrid_Domain[1]_timestamp"
},
]
}
}

Human Readable Output#

Feeds IOCs list domain :#

Showing page 1. Current page size: 50 |Confidence|Domain|Ioc|Sample Id|Sample Sha256|Severity|Timestamp| |---|---|---|---|---|---|---| | 95 | hookworm.capitaly.ru | network-snort-pua | sample_id | sample_sha256 | 90 | 2022-12-22T07:46:38Z | | 100 | augustawa.com | suspicious-user-agent | sample_id | sample_sha256 | 80 | 2022-11-28T23:51:27Z |

threat-grid-feeds-url#


Get url threat feed

Base Command#

threat-grid-feeds-url

Input#

Argument NameDescriptionRequired
urlRestrict returned records to this url.Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
confidenceRestrict to IOCs with this confidence score or higher, defaults to 80. Default is 80.Optional
severityRestrict to IOCs with this severity score or higher, defaults to 80. Default is 80.Optional
iocRestrict returned records to events of this type.Optional
org_onlyIf “true”, will only match against samples submitted by your organization. Possible values are: True, False.Optional
user_onlyIf “true”, will only match against samples you submitted. Possible values are: True, False.Optional
sample_idA comma-separated list of sample IDs. Restrict results to these samples.Optional
pagePage number of paginated results.Optional
page_sizeThe number of items per page.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ThreatGrid.Url.confidenceNumberurl confidence
ThreatGrid.Url.severityNumberurl severity
ThreatGrid.Url.iocStringurl IOC
ThreatGrid.Url.sample_sha256Stringurl sha256
ThreatGrid.Url.sample_idStringurl sample ID
ThreatGrid.Url.urlStringThe url

Command example#

!threat-grid-feeds-url

Context Example#

{
"ThreatGrid": {
"url": [
{
"confidence": 95,
"url": "hookworm.capitaly.ru",
"ioc": "network-snort-pua",
"sample_id": "sample_id",
"sample_sha256": "sample_sha256",
"severity": 90,
"timestamp": "ThreatGrid_url[0]_timestamp"
},
{
"confidence": 100,
"url": "augustawa.com",
"ioc": "suspicious-user-agent",
"sample_id": "sample_id",
"sample_sha256": "sample_sha256",
"severity": 80,
"timestamp": "ThreatGrid_url[1]_timestamp"
},
]
}
}

Human Readable Output#

Feeds IOCs list url :#

Showing page 1. Current page size: 50 |Confidence|url|Ioc|Sample Id|Sample Sha256|Severity|Timestamp| |---|---|---|---|---|---|---| | 95 | hookworm.capitaly.ru | network-snort-pua | sample_id | sample_sha256 | 90 | 2022-12-22T07:46:38Z | | 100 | augustawa.com | suspicious-user-agent | sample_id | sample_sha256 | 80 | 2022-11-28T23:51:27Z |

threat-grid-feeds-ip#


Get ips threat feed

Base Command#

threat-grid-feeds-ip

Input#

Argument NameDescriptionRequired
ipRestrict returned records to this IP or CIDR block.Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
confidenceRestrict to IOCs with this confidence score or higher, defaults to 80. Default is 80.Optional
severityRestrict to IOCs with this severity score or higher, defaults to 80. Default is 80.Optional
iocRestrict returned records to events of this type.Optional
org_onlyIf “true”, will only match against samples submitted by your organization. Possible values are: True, False.Optional
user_onlyIf “true”, will only match against samples you submitted. Possible values are: True, False.Optional
sample_idA comma-separated list of sample IDs. Restrict results to these samples.Optional
pagePage number of paginated results.Optional
page_sizeThe number of items per page.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ThreatGrid.Ip.confidenceNumberIP confidence
ThreatGrid.Ip.severityNumberIP severity
ThreatGrid.Ip.iocStringIP IOC
ThreatGrid.Ip.sample_sha256StringIP sha256
ThreatGrid.Ip.sample_idStringIP sample ID
ThreatGrid.Ip.ipStringThe IP
ThreatGrid.Ip.portNumberThe IP port

Command example#

!threat-grid-feeds-ip

Context Example#

{
"ThreatGrid": {
"Ip": [
{
"confidence": 95,
"ioc": "network-snort-pua",
"ip": "ThreatGrid_Ip[0]_ip",
"port": null,
"sample_id": "sample_id",
"sample_sha256": "sample_sha256",
"severity": 90,
"timestamp": "ThreatGrid_Ip[0]_timestamp"
},
{
"confidence": 90,
"ioc": "network-snort-indicator-compromise",
"ip": "ThreatGrid_Ip[1]_ip",
"port": null,
"sample_id": "sample_id",
"sample_sha256": "sample_sha256",
"severity": 95,
"timestamp": "ThreatGrid_Ip[1]_timestamp"
},
]
}
}

Human Readable Output#

Feeds IOCs list ip :#

Showing page 1. Current page size: 50 |Confidence|Ioc|Ip|Port|Sample Id|Sample Sha256|Severity|Timestamp| |---|---|---|---|---|---|---|---| | 95 | network-snort-pua | ip | | sample_id | sample_sha256 | 90 | 2022-12-22T07:46:38Z | | 90 | network-snort-indicator-compromise | 192.168.1.1 | | sample_id | sample_sha256 | 95 | 2022-12-09T14:22:54Z |

threat-grid-feeds-network-stream#


Get network stream threat feed

Base Command#

threat-grid-feeds-network-stream

Input#

Argument NameDescriptionRequired
ipRestrict returned records to this IP address.Optional
portRestrict returned records to this port number.Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
confidenceRestrict to IOCs with this confidence score or higher, defaults to 80. Default is 80.Optional
severityRestrict to IOCs with this severity score or higher, defaults to 80. Default is 80.Optional
iocRestrict returned records to events of this type.Optional
org_onlyIf “true”, will only match against samples submitted by your organization. Possible values are: True, False.Optional
user_onlyIf “true”, will only match against samples you submitted. Possible values are: True, False.Optional
sample_idA comma-separated list of sample IDs. Restrict results to these samples.Optional
pagePage number of paginated results.Optional
page_sizeThe number of items per page.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ThreatGrid.NetworkStreams.confidenceNumberNetwork Streams confidence
ThreatGrid.NetworkStreams.severityNumberNetwork Streams severity
ThreatGrid.NetworkStreams.iocStringNetwork Streams IOC
ThreatGrid.NetworkStreams.sample_sha256StringNetwork Streams sha256
ThreatGrid.NetworkStreams.sample_idStringNetwork Streams sample ID
ThreatGrid.NetworkStreams.srcStringThe Network Streams source
ThreatGrid.NetworkStreams.src_portNumberThe Network Streams source port
ThreatGrid.NetworkStreams.dstStringThe Network Streams destination
ThreatGrid.NetworkStreams.dst_portNumberThe Network Streams destination port

Command example#

!threat-grid-feeds-network-stream

Context Example#

{
"ThreatGrid": {
"NetworkStreams": [
{
"confidence": 95,
"dst": "ThreatGrid_NetworkStreams[0]_dst",
"dst_port": 80,
"ioc": "network-snort-pua",
"sample_id": "sample_id",
"sample_sha256": "sample_sha256",
"severity": 90,
"src": "ThreatGrid_NetworkStreams[0]_src",
"src_port": 49166,
"timestamp": "ThreatGrid_NetworkStreams[0]_timestamp"
},
{
"confidence": 100,
"dst": "ThreatGrid_NetworkStreams[1]_dst",
"dst_port": 80,
"ioc": "suspicious-user-agent",
"sample_id": "sample_id",
"sample_sha256": "sample_sha256",
"severity": 80,
"src": "ThreatGrid_NetworkStreams[1]_src",
"src_port": 49160,
"timestamp": "ThreatGrid_NetworkStreams[1]_timestamp"
},
]
}
}

Human Readable Output#

Feeds IOCs list network_stream :#

Showing page 1. Current page size: 50 |Confidence|Dst|Dst Port|Ioc|Sample Id|Sample Sha256|Severity|Src|Src Port|Timestamp| |---|---|---|---|---|---|---|---|---|---| | 95 | ip | 80 | network-snort-pua | sample_id | sample_sha256 | 90 | ip | 49164 | 2022-12-22T07:46:38Z | | 95 | ip | 80 | network-snort-pua | sample_id | sample_sha256 | 90 | ip | 49158 | 2022-12-22T07:46:38Z |

threat-grid-feeds-path#


Get path threat feed

Base Command#

threat-grid-feeds-path

Input#

Argument NameDescriptionRequired
pathRestrict returned records to this path or path fragment.Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
confidenceRestrict to IOCs with this confidence score or higher, defaults to 80. Default is 80.Optional
severityRestrict to IOCs with this severity score or higher, defaults to 80. Default is 80.Optional
iocRestrict returned records to events of this type.Optional
org_onlyIf “true”, will only match against samples submitted by your organization. Possible values are: True, False.Optional
user_onlyIf “true”, will only match against samples you submitted. Possible values are: True, False.Optional
sample_idA comma-separated list of sample IDs. Restrict results to these samples.Optional
pagePage number of paginated results.Optional
page_sizeThe number of items per page.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ThreatGrid.Path.confidenceNumberPath confidence
ThreatGrid.Path.severityNumberPath severity
ThreatGrid.Path.iocStringPath IOC
ThreatGrid.Path.sample_sha256StringPath sha256
ThreatGrid.Path.sample_idStringPath sample ID

Command example#

!threat-grid-feeds-path

Context Example#

{
"ThreatGrid": {
"Path": [
{
"confidence": 100,
"ioc": "artifact-pe-no-name",
"path": "\\Users\\Administrator\\.exe",
"sample_id": "id",
"sample_sha256": "sha256",
"severity": 90,
"timestamp": "ThreatGrid_Path[0]_timestamp"
},
{
"confidence": 100,
"ioc": "modified-file-in-system-dir",
"path": "ThreatGrid_Path[1]_path",
"sample_id": "id",
"sample_sha256": "sha256",
"severity": 85,
"timestamp": "ThreatGrid_Path[1]_timestamp"
},
]
}
}

Human Readable Output#

Feeds IOCs list path :#

Showing page 1. Current page size: 50 |Confidence|Ioc|Path|Sample Id|Sample Sha256|Severity|Timestamp| |---|---|---|---|---|---|---| | 90 | antivirus-flagged-artifact | \Users\Administrator.exe | id | sha256 | 80 | 2022-12-05T04:10:44Z | | 90 | antivirus-flagged-artifact | 912-.exe | id | sha256 | 80 | 2022-12-05T04:10:44Z |

threat-grid-feeds-url#


Get url threat feed

Base Command#

threat-grid-feeds-url

Input#

Argument NameDescriptionRequired
urlRestrict returned records to this URL or URL fragment.Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
confidenceRestrict to IOCs with this confidence score or higher, defaults to 80. Default is 80.Optional
severityRestrict to IOCs with this severity score or higher, defaults to 80. Default is 80.Optional
iocRestrict returned records to events of this type.Optional
org_onlyIf “true”, will only match against samples submitted by your organization. Possible values are: True, False.Optional
user_onlyIf “true”, will only match against samples you submitted. Possible values are: True, False.Optional
sample_idA comma-separated list of sample IDs. Restrict results to these samples.Optional
pagePage number of paginated results.Optional
page_sizeThe number of items per page.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ThreatGrid.Url.confidenceNumberURL confidence
ThreatGrid.Url.severityNumberURL severity
ThreatGrid.Url.iocStringURL IOC
ThreatGrid.Url.sample_sha256StringURL sha256
ThreatGrid.Url.sample_idStringURL sample ID
ThreatGrid.Url.urlStringThe URL

threat-grid-analysis-artifacts-get#


Returns the sample id artifact with artifact id

Base Command#

threat-grid-analysis-artifacts-get

Input#

Argument NameDescriptionRequired
sample_idthe sample id.Required
artifact_idThe artifact id requested.Optional

Context Output#

PathTypeDescription
ThreatGrid.ArtifactAnalysis.itemsUnknownAnalysis files of the sample and the artifact

Command example#

!threat-grid-analysis-artifacts-get sample_id=sample_id

Context Example#

{
"ThreatGrid": {
"ArtifactAnalysis": {
"1": {
"antivirus": {
"reversing_labs": {
"first_seen": "ThreatGrid_ArtifactAnalysis_1_antivirus_reversing_labs_first_seen",
"last_seen": "ThreatGrid_ArtifactAnalysis_1_antivirus_reversing_labs_last_seen",
"query_hash": {
"sha256": "sha256"
},
"scanner_count": 25,
"scanner_match": 0,
"status": "KNOWN",
"threat_level": 0,
"threat_name": "",
"trust_factor": 5
},
"virustotal": {
"engines": 55,
"hits": 0,
"results": {},
"scanned": "ThreatGrid_ArtifactAnalysis_1_antivirus_virustotal_scanned",
"score": 0
}
},
"created-time": 0,
"created_by": [],
"entropy": 4.402529762804034,
"executed_from": [],
"forensics": {
"sections": {
"InternetShortcut": {
"properties": {
"URL": "ThreatGrid_ArtifactAnalysis_1_forensics_sections_InternetShortcut_properties_URL"
}
}
}
},
"magic-type": "ThreatGrid_ArtifactAnalysis_1_magic-type",
"md5": "md5",
"mime-type": "text/plain; charset=us-ascii",
"modified_by": [],
"origin": "submitted",
"path": "www.domain_example_.url",
"read_by": [],
"relation": {
"contains": null,
"extracted_from": null,
"network": null,
"process": null
},
"sha1": "sha1",
"sha256": "sha256",
"size": 45,
"type": "url",
"whitelist": []
},
"10": {
"antivirus": {
"reversing_labs": {
"first_seen": "",
"last_seen": "",
"query_hash": {
"sha256": "sha256"
},
"scanner_count": 0,
"scanner_match": 0,
"status": "UNKNOWN",
"threat_level": 0,
"threat_name": "",
"trust_factor": 0
}
},
"created-time": 1671624958,
"created_by": [
24
],
"entropy": 0,
"executed_from": [],
"forensics": null,
"magic-type": "data",
"md5": "md5",
"mime-type": "application/octet-stream; charset=binary",
"modified_by": [],
"origin": "disk",
"path": "path",
"read_by": [],
"relation": {
"contains": null,
"extracted_from": null,
"network": null,
"process": null
},
"sha1": "sha1",
"sha256": "sha256",
"size": 276959,
"type": "",
"whitelist": []
},
"11": {
"antivirus": {
"reversing_labs": {
"first_seen": "ThreatGrid_ArtifactAnalysis_11_antivirus_reversing_labs_first_seen",
"last_seen": "ThreatGrid_ArtifactAnalysis_11_antivirus_reversing_labs_last_seen",
"query_hash": {
"sha256": "sha256"
},
"scanner_count": 42,
"scanner_match": 0,
"status": "KNOWN",
"threat_level": 0,
"threat_name": "",
"trust_factor": 0
}
},
"created-time": 1671624958,
"created_by": [
24
],
"entropy": 0,
"executed_from": [],
"forensics": null,
"magic-type": "data",
"md5": "md5",
"mime-type": "application/octet-stream; charset=binary",
"modified_by": [],
"origin": "disk",
"path": "path",
"read_by": [],
"relation": {
"contains": null,
"extracted_from": null,
"network": null,
"process": null
},
"sha1": "sha1",
"sha256": "sha256",
"size": 21700,
"type": "",
"whitelist": []
},
"12": {
"antivirus": {
"reversing_labs": {
"first_seen": "",
"last_seen": "",
"query_hash": {
"sha256": "sha256"
},
"scanner_count": 0,
"scanner_match": 0,
"status": "UNKNOWN",
"threat_level": 0,
"threat_name": "",
"trust_factor": 0
}
},
"created-time": 1671624958,
"created_by": [
24
],
"entropy": 0.006721586530775835,
"executed_from": [],
"forensics": null,
"magic-type": "data",
"md5": "md5",
"mime-type": "application/octet-stream; charset=binary",
"modified_by": [],
"origin": "disk",
"path": "path",
"read_by": [],
"relation": {
"contains": null,
"extracted_from": null,
"network": null,
"process": null
},
"sha1": "sha1",
"sha256": "sha256",
"size": 262512,
"type": "",
"whitelist": []
},
}
}
}

Human Readable Output#

List of samples analysis:#

110
origin: submitted
executedfrom:
path: www.domain_example
.url
mime-type: text/plain; charset=us-ascii
whitelist:
created-time: 0
read_by:
created_by:
sha256: sha256
sha1: sha1
md5: md5
entropy: x
type: url
size: 45
modified_by:
magic-type: MS Windows 95 Internet shortcut text (URL=<http://www.domain_example>), ASCII text
relation: {"contains": null, "extracted_from": null, "network": null, "process": null}
origin: disk
executed_from:
path: path
mime-type: application/octet-stream; charset=binary
whitelist:
created-time: 1671624958
read_by:
created_by: 24
sha256: sha256
sha1: sha1
md5: md5
entropy: 0
type:
size: 276959
modified_by:
magic-type: data
relation: {"contains": null, "extracted_from": null, "network": null, "process": null}

threat-grid-analysis-iocs-get#


Returns data regarding the specified Indicator of Compromise

Base Command#

threat-grid-analysis-iocs-get

Input#

Argument NameDescriptionRequired
sample_idthe sample id.Required
iocthe IOC requested.Optional

Context Output#

PathTypeDescription
ThreatGrid.IOCAnalysis.titleStringThe title of the IOC
ThreatGrid.IOCAnalysis.confidenceNumberThe confidence of the IOC
ThreatGrid.IOCAnalysis.severityStringThe severity of the IOC
ThreatGrid.IOCAnalysis.iocStringThreat grid's IOC
ThreatGrid.IOCAnalysis.categoryStringThe IOC category of the IOC
ThreatGrid.IOCAnalysis.sha256StringThe SHA256 value of the IOC
ThreatGrid.IOCAnalysis.tagsStringThe tags of the IOC

Command example#

!threat-grid-analysis-iocs-get sample_id=sample_id

Context Example#

{
"ThreatGrid": {
"IOCAnalysis": [
{
"analysis-envs": [
"win",
"mac"
],
"category": [
"network-information"
],
"confidence": 50,
"data": [
{
"Code": 302,
"Method": "GET",
"Network_Stream": 11,
"Status": "Found",
"Trans_ID": 0,
"URL": "ThreatGrid_IOCAnalysis[0]_data[0]_URL"
}
],
"description": "An HTTP message indicating a redirection notice was detected in a network stream. The HTTP response codes are used as a means of conveying the status of the connection with the server to the client. Items within the 300 range indicate a redirection notice. These occur when a page has been temporarily or permanently moved.",
"heuristic_coefficient": -0.0987738978328,
"hits": 1,
"ioc": "http-response-redirect",
"mitre": [],
"mitre-tactics": [],
"mitre-techniques": [],
"orbital-queries": [],
"severity": 50,
"suspected-sample-categories": [],
"tags": [
"network",
"http",
"redirect"
],
"title": "HTTP Redirection Response",
"truncated": false
},
{
"analysis-envs": [
"win",
"mac",
"browser"
],
"category": [
"network-information"
],
"confidence": 25,
"data": [
{
"Method": "GET",
"Network_Stream": 11,
"URL": "ThreatGrid_IOCAnalysis[1]_data[0]_URL"
}
],
"description": "Outbound HTTP GET to a remote server was detected. This is not inherently suspicious but malware will often use Gets in order to check in to the Command and Control servers upon infection or to download or exfiltrate data. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.",
"heuristic_coefficient": -26.131188198,
"hits": 1,
"ioc": "network-communications-http-get-url",
"mitre": [
{
"tactic": "command and control",
"techniques": [
{
"subtechniques": [],
"technique": "application layer protocol"
}
]
}
],
"mitre-tactics": [
"command and control"
],
"mitre-techniques": [
"application layer protocol"
],
"orbital-queries": [],
"severity": 25,
"suspected-sample-categories": [],
"tags": [
"network",
"http",
"get"
],
"title": "Outbound HTTP GET Request From URL Submission",
"truncated": false
},
]
}
}

Human Readable Output#

List of samples analysis:#

Analysis-envsCategoryConfidenceDataDescriptionHeuristic CoefficientHitsIocMitreMitre-tacticsMitre-techniquesOrbital-queriesSeveritySuspected-sample-categoriesTagsTitleTruncated
win,
mac
network-information50{'Code': 302, 'Method': 'GET', 'Network_Stream': 11, 'Status': 'Found', 'Trans_ID': 0, 'URL': 'http://www.domain_example:80/'}An HTTP message indicating a redirection notice was detected in a network stream. The HTTP response codes are used as a means of conveying the status of the connection with the server to the client. Items within the 300 range indicate a redirection notice. These occur when a page has been temporarily or permanently moved.-0.09877389783281http-response-redirect50network,
http,
redirect
HTTP Redirection Responsefalse
win,
mac,
browser
network-information25{'Method': 'GET', 'Network_Stream': 11, 'URL': 'http://www.domain_example:80/'}Outbound HTTP GET to a remote server was detected. This is not inherently suspicious but malware will often use Gets in order to check in to the Command and Control servers upon infection or to download or exfiltrate data. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.-26.1311881981network-communications-http-get-url{'tactic': 'command and control', 'techniques': [{'subtechniques': [], 'technique': 'application layer protocol'}]}command and controlapplication layer protocol25network,
http,
get
Outbound HTTP GET Request From URL Submissionfalse

threat-grid-analysis-metadata-get#


Returns metadata about the analysis

Base Command#

threat-grid-analysis-metadata-get

Input#

Argument NameDescriptionRequired
sample_idthe sample id.Required

Context Output#

PathTypeDescription
ThreatGrid.AnalysisMetadata.general_detailsUnknownThe Metadata Analysis General Details
ThreatGrid.AnalysisMetadata.malware_descUnknownThe Metadata Analysis Malware Desc
ThreatGrid.AnalysisMetadata.sandcastle_envUnknownThe Metadata Analysis Malware Sandcastle ENV

Command example#

!threat-grid-analysis-metadata-get sample_id=sample_id

Context Example#

{
"ThreatGrid": {
"AnalysisMetadata": {
"general_details": {
"report_created": 1671624987,
"sandbox_id": "scl-work-004",
"sandbox_version": "pilot-d"
},
"malware_desc": [
{
"filename": "www.domain_example_.url",
"magic": "ThreatGrid_AnalysisMetadata_malware_desc[0]_magic",
"md5": "md5",
"sha1": "sha1",
"sha256": "sha256",
"size": 45,
"type": "url"
}
],
"sandcastle_env": {
"analysis_end": 1671624987,
"analysis_features": [],
"analysis_start": 1671624573,
"controlsubject": "win",
"current_os": "os",
"display_name": "Windows 10 Browser",
"run_time": 300,
"sample_executed": 1671624638,
"sandcastle": "3.5.124.17776.d4a3b85fe-1",
"vm": "win10-x64-browser",
"vm_id": "sample_id"
}
}
}
}

Human Readable Output#

List of samples analysis:#

FilenameMagicMd5Sha1Sha256SizeType
www.domainexample.urlMS Windows 95 Internet shortcut text (URL=<http://www.domain_example>), ASCII textmd5sha1sha25645url

threat-grid-analysis-network-streams-get#


Returns data regarding a specific network stream

Base Command#

threat-grid-analysis-network-streams-get

Input#

Argument NameDescriptionRequired
sample_idthe sample id.Required
network_stream_idThe network stream id.Optional

Context Output#

PathTypeDescription
ThreatGrid.NetworkAnalysis.protocolNumberThe network protocol
ThreatGrid.NetworkAnalysis.transportStringThe network transport
ThreatGrid.NetworkAnalysis.serviceStringThe network service
ThreatGrid.NetworkAnalysis.client_ipStringThe client IP
ThreatGrid.NetworkAnalysis.server_ipStringThe server IP

Command example#

!threat-grid-analysis-network-streams-get sample_id=sample_id

Context Example#

{
"ThreatGrid": {
"NetworkAnalysis": {
"0": {
"bytes": 657,
"bytes_missed": 0,
"bytes_orig": 657,
"bytes_orig_payload": 601,
"bytes_payload": 601,
"bytes_resp": 0,
"bytes_resp_payload": 0,
"conn_state": "S0",
"dst": "ThreatGrid_NetworkAnalysis_0_dst",
"dst_port": 67,
"duration": 0.000993,
"history": "D",
"packets": 2,
"packets_orig": 2,
"service": "dhcp",
"session": 0,
"src": "ThreatGrid_NetworkAnalysis_0_src",
"src_port": 68,
"transport": "UDP",
"ts_begin": 1671624615.898952,
"ts_end": 1671624615.899945,
"uid": "id"
},
"1": {
"bytes": 664,
"bytes_missed": 0,
"bytes_orig": 0,
"bytes_orig_payload": 0,
"bytes_payload": 608,
"bytes_resp": 664,
"bytes_resp_payload": 608,
"conn_state": "SHR",
"decoded": [
{
"client_ip": "ThreatGrid_NetworkAnalysis_1_decoded[0]_client_ip",
"client_mac": "00:15:17:22:da:4d",
"dns_servers": [
"ThreatGrid_NetworkAnalysis_1_decoded[0]_dns_servers_0"
],
"lease_time": 1200,
"netmask": "ThreatGrid_NetworkAnalysis_1_decoded[0]_netmask",
"routers": [
"ThreatGrid_NetworkAnalysis_1_decoded[0]_routers_0"
],
"server_ip": "ThreatGrid_NetworkAnalysis_1_decoded[0]_server_ip",
"type": "DHCP_ACK"
}
],
"dst": "ThreatGrid_NetworkAnalysis_1_dst",
"dst_port": 67,
"duration": 0.000839,
"history": "^d",
"packets": 2,
"packets_resp": 2,
"protocol": "DHCP",
"service": "dhcp",
"session": 1,
"src": "ThreatGrid_NetworkAnalysis_1_src",
"src_port": 68,
"transport": "UDP",
"ts_begin": 1671624615.899514,
"ts_end": 1671624615.900353,
"uid": "CnmnL8FPcbmixXLv1"
},
}
}
}

Human Readable Output#

List of samples analysis:#

01
transport: UDP
dst: dst
uid: d
bytes_missed: 0
src: ip1
ts_end: 1671624615.899945
dst_port: 67
packets_orig: 2
bytes_orig_payload: 601
bytes: 657
bytes_orig: 657
duration: 0.000993
history: D
bytes_resp_payload: 0
conn_state: S0
service: dhcp
session: 0
bytes_resp: 0
ts_begin: 1671624615.898952
packets: 2
src_port: 68
bytes_payload: 601
decoded: {'client_ip': '192.168.1.28', 'client_mac': '00:15:17:22:da:4d', 'dns_servers': ['192.168.1.1'], 'lease_time': 1200, 'netmask': '255.255.255.0', 'routers': ['192.168.1.1'], 'server_ip': '192.168.1.1', 'type': 'DHCP_ACK'}
transport: UDP
protocol: DHCP
dst: 192.168.1.1
uid: CnmnL8FPcbmixXLv1
bytes_missed: 0
src: 192.168.1.28
packets_resp: 2
ts_end: 1671624615.900353
dst_port: 67
bytes_orig_payload: 0
bytes: 664
bytes_orig: 0
duration: 0.000839
history: ^d
bytes_resp_payload: 608
conn_state: SHR
service: dhcp
session: 1
bytes_resp: 664
ts_begin: 1671624615.899514
packets: 2
src_port: 68
bytes_payload: 608

threat-grid-analysis-processes-get#


Returns data regarding the specific process id in the analysis

Base Command#

threat-grid-analysis-processes-get

Input#

Argument NameDescriptionRequired
sample_idthe sample id.Required
process_idthe process id requested.Optional

Context Output#

PathTypeDescription
ThreatGrid.ProcessAnalysis.process_nameStringThe process name
ThreatGrid.ProcessAnalysis.process_idStringThe process ID

Command example#

!threat-grid-analysis-processes-get sample_id=sample_id

Context Example#

{
"ThreatGrid": {
"ProcessAnalysis": {
"1": {
"analyzed_because": "Process activity after target sample started.",
"atoms_added": [
"Ud"
],
"kpid": "uid",
"monitored": true,
"mutants_created": [
"er",
],
"new": false,
"parent": "",
"pid": 1692,
"ppid": 61,
"proc": false,
"process_name": "Explorer.EXE",
"registry_keys_created": [
{
"access": [
"CREATE_SUB_KEY",
"READ_CONTROL",
"SET_VALUE"
],
"name": "REGISTRY",
"options": [
"REG_OPTION_VOLATILE"
]
}
],
"registry_keys_deleted": [
"REGISTRY",
"REGISTRY",
],
"registry_keys_modified": [
{
"data": "data",
"data_type": "BINARY",
"name": "REGISTRY",
"value_name": "VirtualDesktop"
}
],
"startup_info": {
"command_line": "info",
"current_directory": "info",
"desktop_info": "info",
"image_pathname": "info",
"incomplete": false,
"runtime_data": "",
"shell_info": "info",
"tid": "id",
"upid": 1692,
"uthread": 0,
"window_title": "Microsoft.Windows.Explorer"
},
"threads": [
{
"client_id": "id",
"create_suspended": "0x0",
"process": "0x00000000",
"process_handle": "0xffffffff",
"return": 0,
"thread": "0x00000000"
},
],
"time": "Wed, 21 Dec 2022 12:10:16 UTC"
},
"12": {
"analyzed_because": "Parent is being analyzed",
"files_checked": [
"-active.pma",
"-spare.pma"
],
"files_created": [
"-active.pma",
".pma~RF3e02b2be.TMP"
],
"files_deleted": [
".pma",
".pma~RF3e02b2be.TMP"
],
"kpid": "0xffffe00144f57080",
"monitored": true,
"new": true,
"parent": "0xffffe0014409e680",
"pid": 2680,
"ppid": 9,
"proc": false,
"process_name": "chrome.exe",
"startup_info": {
"command_line": "ThreatGrid_ProcessAnalysis_12_startup_info_command_line",
"current_directory": "D:\\",
"desktop_info": "info",
"image_pathname": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"incomplete": false,
"runtime_data": "",
"shell_info": "",
"tid": "0xffffe00144f62400",
"upid": 2680,
"uthread": 0,
"window_title": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
},
"threads": [
{
"client_id": 6004801706494351000,
"create_suspended": "0x0",
"process": "0x00000000",
"process_handle": "0xffffffff",
"return": 0,
"thread": "0x00000000"
},
{
"client_id": 6071227511780497000,
"create_suspended": "0x0",
"process": "0x00000000",
"process_handle": "0xffffffff",
"return": 0,
"thread": "0x00000000"
}
],
"time": "Wed, 21 Dec 2022 12:10:41 UTC"
},
}
}
}

Human Readable Output#

List of samples analysis:#

112
threads: {'client_id': "id", 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': "id", 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 39480025973576, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 39480025973576, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 39480025973576, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 39480025973576, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 39480025973576, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 39480025973576, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'}
atoms_added: ImmersiveContextMenuArray_159288160-13,
ImmersiveContextMenuArray_159288160-14,
ImmersiveContextMenuArray_159288448-11,
ImmersiveContextMenuArray_159288448-13,
ImmersiveContextMenuArray_159288448-14,
ImmersiveContextMenuArray_159288448-17,
ImmersiveContextMenuArray_159288736-10,
ImmersiveContextMenuArray_159288736-12,
ImmersiveContextMenuArray_159288736-13,
ImmersiveContextMenuArray_159288736-17,
ImmersiveContextMenuArray_159288832-12,
ImmersiveContextMenuArray_159288832-14,
ImmersiveContextMenuArray_159288832-16,
ImmersiveContextMenuArray_159288832-17,
ImmersiveContextMenuArray_159289024-11,
ImmersiveContextMenuArray_159289024-12,
ImmersiveContextMenuArray_159289600-18,
ImmersiveContextMenuArray_159289696-17,
ImmersiveContextMenuArray_159289696-18,
ImmersiveContextMenuArray_159289888-16,
ImmersiveContextMenuArray_159289888-18,
ImmersiveContextMenuArray_159289984-15,
ImmersiveContextMenuArray_4294967295,
ImmersiveContextMenuArray_60889232-10,
ImmersiveContextMenuArray_60889232-8,
ImmersiveContextMenuArray_60889232-9,
ImmersiveContextMenuArray_60890192-11,
ImmersiveContextMenuArray_60890192-7,
ImmersiveContextMenuArray_60890192-8,
ImmersiveContextMenuArray_60890192-9,
ImmersiveContextMenuArray_60891440-11,
ImmersiveContextMenuArray_60891440-12,
ImmersiveContextMenuArray_60891440-7,
ImmersiveContextMenuArray_60891440-9,
ImmersiveContextMenuArray_60891728-10,
ImmersiveContextMenuArray_60891728-6,
ImmersiveContextMenuArray_60891728-9,
ImmersiveContextMenuArray_60891824-5,
ImmersiveContextMenuArray_60891824-6,
ImmersiveContextMenuArray_60891824-7,
ImmersiveContextMenuArray_60891824-8,
ImmersiveContextMenuArray_60891920-4,
ImmersiveContextMenuArray_60891920-5,
ImmersiveContextMenuArray_60891920-6,
ImmersiveContextMenuArray_60891920-7,
ImmersiveContextMenuArray_61294096-3,
ImmersiveContextMenuArray_61294096-4,
ImmersiveContextMenuArray_61294096-6,
ImmersiveContextMenuArray_61295440-2,
ImmersiveContextMenuArray_61295440-3,
ImmersiveContextMenuArray_61295440-5,
ImmersiveContextMenuArray_61295824-131233,
ImmersiveContextMenuArray_61295824-2,
ImmersiveContextMenuArray_61295824-4,
ImmersiveContextMenuArray_61295824-5,
ImmersiveContextMenuArray_61441088-1,
ImmersiveContextMenuArray_61441088-4001,
ImmersiveContextMenuArray_61441280-4002,
ImmersiveContextMenuArray_61441568-2,
ImmersiveContextMenuArray_61441856-4003,
ImmersiveContextMenuArray_61441952-131233,
ImmersiveContextMenuArray_61442144-4001,
ImmersiveContextMenuArray_61442432-4002,
ImmersiveContextMenuArray_61442528-4000,
ImmersiveContextMenuArray_61442624-4000,
ImmersiveContextMenuArray_61442720-1,
ImmersiveContextMenuArray_61443008-1,
ImmersiveContextMenuArray_61443008-4002,
ImmersiveContextMenuArray_61443296-131233,
ImmersiveContextMenuArray_61443296-4001,
ImmersiveContextMenuArray_61443776-4000,
ImmersiveContextMenuArray_61443968-1,
ImmersiveContextMenuArray_61443968-4003,
ImmersiveContextMenuArray_61444064-4002,
ImmersiveContextMenuArray_61444160-4001,
ImmersiveContextMenuArray_61444256-3,
ImmersiveContextMenuArray_61444256-4000,
ImmersiveContextMenuArray_61444448-2,
ImmersiveContextMenuArray_61444736-131233,
ImmersiveContextMenuArray_61444832-4003,
TrayRaisedWindowProp,
uia
analyzed_because: Process activity after target sample started.
registry_keys_created: {'access': ['CREATE_SUB_KEY', 'READ_CONTROL', 'SET_VALUE'], 'name': 'REGISTRY\USER\S-1-5-21-3467368655-986044752-3166994390-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\APPLICATIONVIEWMANAGEMENT\W32:000000000006013C', 'options': ['REG_OPTION_VOLATILE']}
monitored: true
parent:
new: false
mutants_created: Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_1280.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_16.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_1920.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_256.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_2560.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_32.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_48.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_768.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_96.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_custom_stream.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_exif.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!IconCacheInit,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwWriterMutex,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_sr.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide.db!dfMaintainer,
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide_alternate.db!dfMaintainer
pid: 1692
kpid: uid
ppid: 61
time: Wed, 21 Dec 2022 12:10:16 UTC
registry_keys_deleted: REGISTRY\USER\S-1-5-21-3467368655-986044752-3166994390-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\APPLICATIONVIEWMANAGEMENT\W32:00000000000A0232,
REGISTRY\USER\S-1-5-21-3467368655-986044752-3166994390-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\APPLICATIONVIEWMANAGEMENT\W32:0000000000100036,
REGISTRY\USER\S-1-5-21-3467368655-986044752-3166994390-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\HOMEGROUP\UISTATUSCACHE
proc: false
process_name: Explorer.EXE
registry_keys_modified: {'data': 'EAAAADAwRFb0BwKtsB1qQ5DP0vmf3UYC', 'data_type': 'BINARY', 'name': 'REGISTRY\USER\S-1-5-21-3467368655-986044752-3166994390-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\APPLICATIONVIEWMANAGEMENT\W32:000000000006013C', 'value_name': 'VirtualDesktop'}
files_checked: \Users\Administrator\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma,
\Users\Administrator\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
files_deleted: \Users\Administrator\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma,
\Users\Administrator\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3e02b2be.TMP
threads: {'client_id': 6004801706494351000, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 0, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 18375121096688828000, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 18375121096688828000, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 6071227511780497000, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'},
{'client_id': 6071227511780497000, 'create_suspended': '0x0', 'process': '0x00000000', 'process_handle': '0xffffffff', 'return': 0, 'thread': '0x00000000'}
analyzed_because: Parent is being analyzed
files_created: \Users\Administrator\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma,
\Users\Administrator\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3e02b2be.TMP
monitored: true
parent: 0xffffe0014409e680
new: true
pid: 2680
kpid: 0xffffe00144f57080
ppid: 9
time: Wed, 21 Dec 2022 12:10:41 UTC
proc: false
process_name: chrome.exe

file#


Checks the file reputation of the specified hash.

Base Command#

file

Input#

Argument NameDescriptionRequired
fileA CSV list of hashes of the file to query. Supports MD5, SHA1, and SHA256.Required
longWhether to return full response for scans. Default is "false". Possible values are: True, False.Optional
thresholdIf the number of positives is higher than the threshold, the file will be considered malicious. If the threshold is not specified, the default file threshold, as configured in the instance settings, will be used.Optional
waitTime (in seconds) to wait between tries if the API rate limit is reached. Default is "60". Default is 60.Optional
retriesNumber of retries for the API rate limit. Default is "0". Default is 0.Optional

Context Output#

PathTypeDescription
File.MD5StringBad MD5 hash.
File.NameStringFile name.
File.SHA1StringBad SHA1 hash.
File.sha256StringBad SHA256 hash.
File.EntryIDStringThe entry ID of the file.
File.Malicious.VendorStringThe vendor that reported the file as malicious.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
ThreatGrid.File.PositiveDetectionsnumberNumber of engines that positively detected the indicator as malicious.
ThreatGrid.File.DetectionEnginesnumberTotal number of engines that checked the indicator.
ThreatGrid.File.tgLinkstringThreatGrid permanent link.

ip#


Checks the reputation of an IP address.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipIP address to check.Required
longWhether to return full response for detected URLs. Default is "false". Possible values are: True, False.Optional
thresholdIf the number of positives is higher than the threshold, the IP address will be considered malicious. If the threshold is not specified, the default IP threshold, as configured in the instance settings, will be used.Optional
sampleSizeThe number of samples from each type (resolutions, detections, etc.) to display for long format. Default is "10". Default is 10.Optional
waitTime (in seconds) to wait between tries if the API rate limit is reached. Default is "60". Default is 60.Optional
retriesNumber of retries for API rate limit. Default is "0". Default is 0.Optional
fullResponseWhether to return all results, which can be thousands. Default is "false". We recommend that you don't return full results in playbooks. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
IP.AddressStringBad IP address.
IP.ASNStringBad IP ASN.
IP.Geo.CountryStringBad IP country.
ThreatGrid.IP.indicatorStringIP address.
ThreatGrid.IP.confidenceNumberIndicator confidence between 0-99.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.

url#


Checks the reputation of a URL.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlA comma-seperated list of URLs to check. This command will not work properly on URLs containing commas.Required
sampleSizeThe number of samples from each type (resolutions, detections, etc.) to display for long format. Default is 10.Optional
longWhether to return the full response for the detected URLs. Possible values are: True, False.Optional
thresholdIf the number of positives is higher than the threshold, the URL will be considered malicious. If the threshold is not specified, the default URL threshold, as configured in the instance settings, will be used.Optional
submitWaitTime (in seconds) to wait if the URL does not exist and is submitted for scanning. Default is "0". Default is 0.Optional
waitTime (in seconds) to wait between tries if the API rate limit is reached. Default is "60". Default is 60.Optional
retriesNumber of retries for API rate limit. Default is "0". Default is 0.Optional

Context Output#

PathTypeDescription
URL.DataStringBad URLs found.
URL.Malicious.VendorStringFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionStringFor malicious URLs, the reason that the vendor made the decision.
URL.PositiveDetectionsNumberNumber of engines that positively detected the indicator as malicious.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
ThreatGrid.URL.urlStringThe URL.
ThreatGrid.URL.detection_enginesNumberNumber of engines
ThreatGrid.URL.positive_enginesNumberNumber of positive engines

domain#


Checks the reputation of a domain.

Base Command#

domain

Input#

Argument NameDescriptionRequired
domainDomain name to check.Required
longWhether to return the full response for detected URLs. Default is "false". Possible values are: True, False.Optional
sampleSizeThe number of samples from each type (resolutions, detections, etc.) to display for long format. Default is 10.Optional
thresholdIf the number of positives is higher than the threshold, the domain will be considered malicious. If the threshold is not specified, the default domain threshold, as configured in the instance settings, will be used.Optional
waitTime (in seconds) to wait between tries if the API rate limit is reached. Default is "60". Default is 60.Optional
retriesNumber of retries for API rate limit. Default is "0". Default is 0.Optional
fullResponseWhether to return all results, which can be thousands. Default is "false". We recommend that you don't return full results in playbooks. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
Domain.NameStringBad domain found.
Domain.Malicious.VendorStringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionStringFor malicious domains, the reason that the vendor made the decision.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
Domain.CreationDateDateThe date that the domain was created.
Domain.DNSStringA list of IP objects resolved by DNS.
Domain.WHOIS.NameServersStringName servers of the domain.
Domain.WHOIS.Registrar.AbuseEmailUnknownThe email address of the contact for reporting abuse.
Domain.WHOIS.Registrar.AbusePhoneUnknownThe phone number of contact for reporting abuse.
Domain.WHOIS.Registrar.NameStringThe name of the registrar, for example: "GoDaddy".
Domain.WHOIS.ExpirationDateDateThe expiration date of the domain.
Domain.WHOIS.DomainStatusStringThe status of the domain.
ThreatGrid.Domain.domainStringThe domain name.

threat-grid-domain-samples-list#


Returns a list of samples associated with a Domain.

Base Command#

threat-grid-domain-samples-list

Input#

Argument NameDescriptionRequired
domainThe domain to search for.Required
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
limitThe maximum number of records to retrieve. Default is 50.Optional
page_sizeThe number of items per page.Optional
pagePage number of paginated results.Optional

Context Output#

PathTypeDescription
ThreatGrid.DomainAssociatedSample.domainstringThe domain.
ThreatGrid.DomainAssociatedSample.samplesstringThe associated samples.

Command example#

!threat-grid-domain-samples-list domain=domain_example

Context Example#

{
"ThreatGrid": {
"DomainAssociatedSample": {
"domain": "domain_example",
"samples": [
{
"details": "/api/v2/samples/sample_e",
"filename": "domain_example_.url",
"iocs": [],
"login": "login_name",
"owner": "self",
"private": false,
"relation": null,
"sample": "sample_e",
"sha256": "sha256_example",
"timestamp": "ThreatGrid_DomainAssociatedSample_samples[0]_timestamp"
},
{
"details": "/api/v2/samples/sample_e",
"filename": "file_name",
"iocs": [],
"login": null,
"owner": null,
"private": false,
"relation": null,
"sample": "sample_e",
"sha256": "sha256_e",
"timestamp": "ThreatGrid_DomainAssociatedSample_samples[1]_timestamp"
},
]
}
}
}

Human Readable Output#

List of samples associated to the domain - domain_example :#

Showing page 1. Current page size: 50 |Filename|Login|Private|Sample|Sha256|Timestamp| |---|---|---|---|---|---| | domainexample.url | login_name | false | sample_e | sha256_example | 2022-12-22T08:30:57Z | | file_name | | false | sample_e | sha256_e | 2022-12-22T08:29:38Z |

threat-grid-ip-samples-list#


Returns a list of samples associated with an IP.

Base Command#

threat-grid-ip-samples-list

Input#

Argument NameDescriptionRequired
ipThe IP to search for.Required
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
limitThe maximum number of records to retrieve. Default is 50.Optional
page_sizeThe number of items per page.Optional
pagePage number of paginated results.Optional

Context Output#

PathTypeDescription
ThreatGrid.IpAssociatedSample.ipstringThe IP.
ThreatGrid.IpAssociatedSample.samplesstringThe associated samples.

Command example#

!threat-grid-ip-samples-list ip=8.8.8.8

Context Example#

{
"ThreatGrid": {
"IpAssociatedSample": {
"ip": "ThreatGrid_IpAssociatedSample_ip",
"samples": [
{
"details": "/api/v2/samples/sample_e",
"filename": "filename",
"iocs": [
{
"confidence": 60,
"ioc": "pe-header-linker-major",
"sample": "sample_e",
"severity": 5
}
],
"login": null,
"owner": null,
"private": false,
"relation": null,
"sample": "sample_e",
"sha256": "sha256_e",
"timestamp": "ThreatGrid_IpAssociatedSample_samples[0]_timestamp"
},
{
"details": "/api/v2/samples/sample_e",
"filename": "file_name",
"iocs": [
{
"confidence": 50,
"ioc": "file-ini-read",
"sample": "sample_e",
"severity": 30
},
{
"confidence": 60,
"ioc": "pe-resource-lang-romanian",
"sample": "sample_e",
"severity": 25
},
{
"confidence": 50,
"ioc": "network-fast-flux-nameserver",
"sample": "sample_e",
"severity": 35
}
],
"login": null,
"owner": null,
"private": false,
"relation": null,
"sample": "sample_e",
"sha256": "sha256_e",
"timestamp": "ThreatGrid_IpAssociatedSample_samples[1]_timestamp"
},
]
}
}
}

Human Readable Output#

List of samples associated to the ip - 8.8.8.8 :#

Showing page 1. Current page size: 50 |Filename|Login|Private|Sample|Sha256|Timestamp| |---|---|---|---|---|---| | filename | | false | sample_e | sha256_e | 2022-12-22T08:09:30Z | | file_name | | false | sample_e | sha256_e | 2022-12-22T08:07:40Z |

threat-grid-path-samples-list#


Returns a list of samples associated with a Path.

Base Command#

threat-grid-path-samples-list

Input#

Argument NameDescriptionRequired
pathThe path to search for. A path is a slash-separated list of directory names followed by either a directory name or a file name. Path example: ‘/user/name/file’.Required
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
limitThe maximum number of records to retrieve. Default is 50.Optional
page_ziseThe number of items per page.Optional
pagePage number of paginated results.Optional

Context Output#

PathTypeDescription
ThreatGrid.PathAssociatedSample.pathstringThe Path.
ThreatGrid.PathAssociatedSample.samplesstringThe associated samples.

Command example#

!threat-grid-path-samples-list path=user

Context Example#

{
"ThreatGrid": {
"PathAssociatedSample": {
"path": "user",
"samples": [
{
"details": "/api/v2/samples/sample_e",
"filename": "user",
"iocs": [
{
"confidence": 100,
"ioc": "html-script-prefix-suffix",
"sample": "sample_e",
"severity": 85
}
],
"login": null,
"owner": null,
"private": false,
"relation": null,
"sample": "sample_e",
"sha256": "sha256_e",
"timestamp": "ThreatGrid_PathAssociatedSample_samples[0]_timestamp"
},
{
"details": "/api/v2/samples/sample_e",
"filename": "file_name",
"iocs": [
{
"confidence": 85,
"ioc": "pe-invalid-certificate-signature",
"sample": "sample_e",
"severity": 100
},
{
"confidence": 100,
"ioc": "pe-certificate",
"sample": "sample_e",
"severity": 10
}
],
"login": null,
"owner": null,
"private": false,
"relation": null,
"sample": "sample_e",
"sha256": "sha256_e",
"timestamp": "ThreatGrid_PathAssociatedSample_samples[1]_timestamp"
},
]
}
}
}

Human Readable Output#

List of samples associated to the path - user :#

Showing page 1. Current page size: 50 |Filename|Login|Private|Sample|Sha256|Timestamp| |---|---|---|---|---|---| | user | | false | sample_e | sha256_e | 2022-11-11T08:26:04Z | | file_name | | false | sample_e | sha256_e | 2022-10-30T13:09:35Z |

threat-grid-url-samples-list#


Returns a list of samples associated with an URL.

Base Command#

threat-grid-url-samples-list

Input#

Argument NameDescriptionRequired
urlThe target URL. Please provide the URL in the format http://example.com:80/ .Required
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
limitThe maximum number of records to retrieve. Default is 50.Optional
page_ziseThe number of items per page.Optional
pagePage number of paginated results.Optional

Context Output#

PathTypeDescription
ThreatGrid.UrlAssociatedSample.urlstringThe URL.
ThreatGrid.UrlAssociatedSample.samplesstringThe associated samples.

Command example#

!threat-grid-url-samples-list url=http://domain_example:80/

Context Example#

{
"ThreatGrid": {
"UrlAssociatedSample": {
"samples": [
{
"details": "/api/v2/samples/sample_id",
"filename": "file_name",
"iocs": [
{
"confidence": 25,
"ioc": "network-communications-http-get-url",
"sample": "sample_id",
"severity": 25
}
],
"login": "login_name",
"owner": "self",
"private": false,
"relation": null,
"sample": "sample_id",
"sha256": "sha256_example",
"timestamp": "ThreatGrid_UrlAssociatedSample_samples[0]_timestamp"
},
{
"details": "/api/v2/samples/sample_id",
"filename": "file_name",
"iocs": [
{
"confidence": 90,
"ioc": "pe-uses-stealth-packer",
"sample": "sample_id",
"severity": 90
}
],
"login": null,
"owner": null,
"private": false,
"relation": null,
"sample": "sample_id",
"sha256": "sha256_example",
"timestamp": "ThreatGrid_UrlAssociatedSample_samples[1]_timestamp"
},
],
"sha256": "sha256_example",
"url": "ThreatGrid_UrlAssociatedSample_url"
}
}
}

Human Readable Output#

List of samples associated to the url - sha256_example :#

Showing page 1. Current page size: 50 |Filename|Login|Private|Sample|Sha256|Timestamp| |---|---|---|---|---|---| | domainexample.url | loginname | false | sample_id | sha256_example | 2022-12-22T08:36:44Z | | file_name | | false | sample_id | sha256_example | 2022-12-22T08:35:03Z | | file_name | | false | sample_id | sha256_example | 2022-12-22T08:35:03Z | | domain_example.url | login_name | false | sample_e | sha256_example | 2022-12-22T08:30:57Z |

threat-grid-registry-key-samples-list#


Returns a list of samples associated with a specified registry key.

Base Command#

threat-grid-registry-key-samples-list

Input#

Argument NameDescriptionRequired
registry_keyThe registry key to search for.Required
after"A date/time (ISO 8601), restricting results to samples submitted after it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
before"A date/time (ISO 8601), restricting results to samples submitted before it. Please use the following date/time format. YYYY-MM-DD Thhmmss+|-hhmm e.g. : 2012-04-19T04:00:55-0500".Optional
limitThe maximum number of records to retrieve. Default is 50.Optional
page_sizeThe number of items per page.Optional
pagePage number of paginated results.Optional

Context Output#

PathTypeDescription
ThreatGrid.RegistryKeyAssociatedSample.keystringThe Registry Key.
ThreatGrid.RegistryKeyAssociatedSample.samplesstringThe associated samples.

Command example#

!threat-grid-registry-key-samples-list registry_key=ChangeNotice

Context Example#

{
"ThreatGrid": {
"RegistryKeyAssociatedSample": {
"key": "ChangeNotice",
"samples": []
}
}
}

Human Readable Output#

List of samples associated to the registry_key - ChangeNotice :#

Showing page 1. Current page size: 50 No entries.

threat-grid-ip-associated-domains#


Returns a list of domains associated with the IP.

Base Command#

threat-grid-ip-associated-domains

Input#

Argument NameDescriptionRequired
ipThe IP to search for.Required

Context Output#

PathTypeDescription
ThreatGrid.IpAssociatedDomain.ipstringThe IP.
ThreatGrid.IpAssociatedDomain.domainsstringThe associated Domain.

Command example#

!threat-grid-ip-associated-domains ip=8.8.8.8

Context Example#

{
"ThreatGrid": {
"IpAssociatedDomain": {
"domains": [
{
"details": "/api/v2/domains/domain",
"domain": "domain"
},
{
"details": "/api/v2/domains/domain",
"domain": "domain"
},
],
"ip": "ThreatGrid_IpAssociatedDomain_ip"
}
}
}

Human Readable Output#

List of domains associated to the ip - 8.8.8.8 :#

Domain
domain2
domain1

threat-grid-ip-associated-urls#


Returns a list of URLs associated to the IP.

Base Command#

threat-grid-ip-associated-urls

Input#

Argument NameDescriptionRequired
ipThe IP to search for.Required

Context Output#

PathTypeDescription
ThreatGrid.IpAssociatedUrl.ipstringThe IP.
ThreatGrid.IpAssociatedUrl.urlsstringThe associated URL.

Command example#

!threat-grid-ip-associated-urls ip=8.8.8.8

Context Example#

{
"ThreatGrid": {
"IpAssociatedUrl": {
"ip": "ThreatGrid_IpAssociatedUrl_ip",
"urls": [
{
"details": "/api/v2/urls/sha256",
"sha256": "sha256",
"url": "ThreatGrid_IpAssociatedUrl_urls[0]_url"
},
{
"details": "/api/v2/urls/sha256",
"sha256": "sha256",
"url": "ThreatGrid_IpAssociatedUrl_urls[1]_url"
}
]
}
}
}

Human Readable Output#

List of urls associated to the ip - 8.8.8.8 :#

Sha256Url
sha256ThreatGrid_IpAssociatedUrl_urls[0]_url
sha256ThreatGrid_IpAssociatedUrl_urls[1]_url

threat-grid-domain-associated-urls#


Returns a list of URLs associated to the domain.

Base Command#

threat-grid-domain-associated-urls

Input#

Argument NameDescriptionRequired
domainThe domain to search for.Required

Context Output#

PathTypeDescription
ThreatGrid.DomainAssociatedUrl.domainstringThe Domain.
ThreatGrid.DomainAssociatedUrl.urlsstringThe associated URL.

Command example#

!threat-grid-domain-associated-urls domain=domain_example

Context Example#

{
"ThreatGrid": {
"DomainAssociatedUrl": {
"domain": "domain_example",
"urls": [
{
"details": "/api/v2/urls/sha256",
"sha256": "sha256",
"url": "ThreatGrid_DomainAssociatedUrl_urls[0]_url"
},
{
"details": "/api/v2/urls/sha256",
"sha256": "sha256",
"url": "ThreatGrid_DomainAssociatedUrl_urls[1]_url"
},
]
}
}
}

Human Readable Output#

List of urls associated to the domain - domain_example :#

Sha256Url
sha256some_url
sha256some_url

threat-grid-domain-associated-ips#


Returns a list of IPs associated to the domain.

Base Command#

threat-grid-domain-associated-ips

Input#

Argument NameDescriptionRequired
domainThe domain to search for.Required

Context Output#

PathTypeDescription
ThreatGrid.DomainAssociatedIp.domainStringThe Domain.
ThreatGrid.DomainAssociatedIp.ipsStringThe associated IP.

Command example#

!threat-grid-domain-associated-ips domain=domain_example

Context Example#

{
"ThreatGrid": {
"DomainAssociatedIp": {
"domain": "domain_example",
"ips": [
{
"ip": "ThreatGrid_DomainAssociatedIp_ips[0]_ip"
},
{
"ip": "ThreatGrid_DomainAssociatedIp_ips[1]_ip"
},
]
}
}
}

Human Readable Output#

List of ips associated to the domain - domain_example :#

Ip
ip_address
ip_address