
Detonate and Analyze File - Generic

This playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook uploads a file to each supported sandbox whose integration is enabled (availability is checked with the IsIntegrationAvailable script), detonates it, and analyzes the results. The currently supported sandboxes are CrowdStrike Falcon Intelligence Sandbox, JoeSecurity, and WildFire. The sandbox verdicts are written to context as DBotScore entries, one per vendor, alongside each vendor's own report object.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • CrowdStrike Falcon Intelligence Sandbox Detonate and Analyze File
  • Wildfire Detonate and Analyze File
  • Mitre Attack - Extract Technique Information From ID
  • Detonate File - JoeSecurity V2

Integrations

This playbook does not use any integrations directly; the sandbox integrations are invoked by the sub-playbooks listed above.

Scripts

  • IsIntegrationAvailable

Commands

  • rasterize-pdf
  • joe-download-report
  • attack-pattern
  • extractIndicators

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| File | The file to detonate, taken from the File context object. | File | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| csfalconx.resource.tags | The analysis tags. | string |
| csfalconx.resource.sha256 | The SHA256 hash of the scanned file. | string |
| csfalconx.resource.file_name | The name of the uploaded file. | string |
| csfalconx.resource.sandbox | The Falcon Intelligence Sandbox findings. | string |
| csfalconx.resource.intel | The Falcon Intelligence Sandbox intelligence results. | string |
| WildFire.Report | The WildFire findings. | string |
| AttackPattern | The MITRE ATT&CK pattern information. | string |
| MITREATTACK | Full MITRE data for the attack pattern. | string |
| DBotScore | The DBotScore object. | string |
| Joe.Analysis | The Joe Analysis object. | string |
| DBotScore.Vendor | The vendor used to calculate the score. | string |
| DBotScore.Indicator | The indicator that was tested. | string |
| DBotScore.Type | The indicator type. | string |
| DBotScore.Score | The actual score (0 Unknown, 1 Good, 2 Suspicious, 3 Bad). | string |
| DBotScore.Malicious | The DBotScore Malicious object. | string |
| DBotScore.Malicious.Vendor | The vendor used to calculate the score. | string |
| DBotScore.Malicious.Detections | The sub-analysis detection statuses. | string |
| DBotScore.Malicious.SHA1 | The SHA1 hash of the file. | string |
| Joe.Analysis.ID | The web ID of the analysis. | string |
| Joe.Analysis.Status | The analysis status. | string |
| Joe.Analysis.Comments | The analysis comments. | string |
| Joe.Analysis.Time | The submission time. | date |
| Joe.Analysis.Runs | Sub-analysis information. | string |
| Joe.Analysis.Result | The analysis results. | string |
| Joe.Analysis.Errors | Errors raised during sampling. | string |
| Joe.Analysis.Systems | The operating system(s) the analysis ran on. | string |
| Joe.Analysis.MD5 | The MD5 hash of the analyzed sample. | string |
| Joe.Analysis.SHA1 | The SHA1 hash of the analyzed sample. | string |
| Joe.Analysis.SHA256 | The SHA256 hash of the analyzed sample. | string |
| Joe.Analysis.SampleName | The sample data; can be a file name or a URL. | string |
| InfoFile | The report file object. | string |
| InfoFile.Name | The file name. | string |
| InfoFile.EntryID | The entry ID of the report. | string |
| InfoFile.Size | The file size. | number |
| InfoFile.Type | The file type, e.g., "PE". | string |
| InfoFile.Info | Basic information about the file. | string |
| InfoFile.Extension | The extension of the file (report or rendered image). | string |
| File | The file object. | string |
| File.Extension | The file extension. | string |
| File.MD5 | The MD5 hash of the file. | string |
| File.Name | The full file name. | string |
| File.SHA1 | The SHA1 hash of the file. | string |
| File.SHA256 | The SHA256 hash of the file. | string |
| ExtractedIndicators | The indicators extracted from the analysis reports by extractIndicators. | string |
| AttackPattern.STIXID | The STIX ID of the attack pattern. | string |
| AttackPattern.KillChainPhases | The kill chain phases of the attack pattern. | string |
| AttackPattern.FirstSeenBySource | The first-seen-by-source date of the attack pattern. | string |
| AttackPattern.Description | The description of the attack pattern. | string |
| AttackPattern.OperatingSystemRefs | The operating system references of the attack pattern. | string |
| AttackPattern.Publications | The publications of the attack pattern. | string |
| AttackPattern.MITREID | The MITRE ID of the attack pattern. | string |
| AttackPattern.Tags | The tags of the attack pattern. | string |
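Because each sandbox writes its own DBotScore entry for the same file, a consumer of this playbook's context has to reconcile several per-vendor scores into one verdict. The script below is an added illustration of that step, not code from the Common Playbooks Pack or from any of the sandbox integrations. It assumes the DBotScore entries documented above are handed in as a list of dicts with Vendor, Indicator, Type and Score keys, and it uses the standard Cortex XSOAR reputation scale (0 Unknown, 1 Good, 2 Suspicious, 3 Bad). The vendor strings, hashes and URL in the sample data are constructed for the example and are not the exact values each integration emits.

```python
"""Consolidate per-vendor DBotScore entries from a file detonation into one
verdict per SHA256. Added illustration; not code from the Common Playbooks Pack."""
from collections import defaultdict

# Standard Cortex XSOAR reputation scale.
SCORE_LABELS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Bad"}

# Constructed sample context: one file scored by two sandboxes, a second file
# scored by two others, plus a URL verdict from the same run. Vendor strings
# are assumptions for the example, not the exact values the integrations emit.
SAMPLE_DBOTSCORES = [
    {"Vendor": "WildFire-v2", "Indicator": "a" * 64, "Type": "file", "Score": 3},
    {"Vendor": "JoeSecurity", "Indicator": "A" * 64, "Type": "file", "Score": 2},
    {"Vendor": "CrowdStrike Falcon X", "Indicator": "b" * 64, "Type": "file", "Score": 1},
    {"Vendor": "JoeSecurity", "Indicator": "b" * 64, "Type": "file", "Score": 0},
    {"Vendor": "JoeSecurity", "Indicator": "http://example.test/x", "Type": "url", "Score": 3},
]


def consolidate_verdicts(dbot_scores, expected_vendors=()):
    """Return {sha256: {"score", "verdict", "vendors", "missing"}}.

    Worst score wins: one sandbox calling a file Bad is enough to treat it as
    malicious, and an Unknown (0) from a sandbox that never saw the sample must
    not dilute a Bad (3) from one that did. Indicators are lower-cased so the
    same hash reported in different case merges into one entry.
    """
    per_file = defaultdict(dict)
    for entry in dbot_scores:
        # Only file verdicts belong in a file detonation summary; URL or domain
        # scores the sandboxes may also emit are left out.
        if str(entry.get("Type", "")).lower() != "file":
            continue
        score = int(entry.get("Score", 0))
        if score not in SCORE_LABELS:
            raise ValueError(f"unexpected DBotScore value {score!r} from {entry.get('Vendor')}")
        sha = str(entry["Indicator"]).lower()
        vendor = entry["Vendor"]
        # A vendor that reported twice (e.g. two sub-analyses) keeps its worst.
        per_file[sha][vendor] = max(score, per_file[sha].get(vendor, 0))

    verdicts = {}
    for sha, by_vendor in per_file.items():
        worst = max(by_vendor.values())
        verdicts[sha] = {
            "score": worst,
            "verdict": SCORE_LABELS[worst],
            "vendors": dict(sorted(by_vendor.items())),
            # Sandboxes that were expected (integration enabled) but returned
            # nothing for this file: a gap the analyst should see before closing.
            "missing": sorted(set(expected_vendors) - set(by_vendor)),
        }
    return verdicts


def files_to_escalate(verdicts, threshold=2):
    """SHA256s whose consolidated score is Suspicious (2) or worse."""
    return sorted(sha for sha, v in verdicts.items() if v["score"] >= threshold)


if __name__ == "__main__":
    result = consolidate_verdicts(
        SAMPLE_DBOTSCORES,
        expected_vendors=("WildFire-v2", "JoeSecurity", "CrowdStrike Falcon X"),
    )
    for sha, v in result.items():
        print(sha[:12], v["verdict"], v["vendors"], "missing:", v["missing"])
    print("escalate:", [s[:12] for s in files_to_escalate(result)])
```

The `missing` list is the part worth keeping in a real post-processing task: when one of the three sandboxes is enabled but produced no DBotScore for the file, the worst-score rule silently runs on fewer opinions than the analyst assumes, so the gap should be surfaced rather than treated as a clean result.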

Playbook Image

[Playbook image: Detonate and Analyze File - Generic]