Detonate File - Generic

This playbook is part of the Common Playbooks Pack.

Detonates a file through the active integrations that support file detonation.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Detonate File - JoeSecurity V2
  • Detonate File - Lastline v2
  • WildFire - Detonate file
  • Detonate File - VMRay
  • Detonate File - Group-IB TDS Polygon
  • CrowdStrike Falcon Sandbox - Detonate file
  • Detonate File - CrowdStrike Falcon Intelligence Sandbox
  • Detonate file - CrowdStrike Falcon Sandbox v2
  • Detonate File - ThreatGrid
  • Detonate File - FireEye AX
  • ATD - Detonate File
  • Detonate File - ANYRUN
  • Detonate File - JoeSecurity
  • Detonate File - Cuckoo
  • Detonate File - SecneurX Analysis
  • Detonate File - ThreatGrid v2
  • Detonate File - HybridAnalysis

Integrations

  • OPSWAT Filescan

Scripts

This playbook does not use any scripts.

Commands

  • opswat-filescan-scan-file

Playbook Inputs

| Name    | Description                        | Default Value | Required |
|---------|------------------------------------|---------------|----------|
| EntryID | Entry ID of file to be detonated   | File.EntryID  | Optional |
| File    | File object of file to be detonated | File         | Optional |

Playbook Outputs

| Path | Description | Type |
|------|-------------|------|
| Joe.Analysis.Status | Analysis Status | string |
| Joe.Analysis.WebID | Web ID | string |
| File.Name | The file's name (only in case of report type=json) | string |
| File.SHA1 | SHA1 hash of the file | string |
| File.SHA256 | SHA256 hash of the file | string |
| File.Size | File size (only in case of report type=json) | number |
| File.Type | File type e.g. "PE" (only in case of report type=json) | string |
| File.Malicious | The File malicious description | unknown |
| File.Malicious.Description | For malicious files, the reason for the vendor to make the decision | string |
| File.Malicious.Vendor | For malicious files, the vendor that made the decision | string |
| DBotScore | The Indicator's object | unknown |
| DBotScore.Indicator | The indicator that was tested | string |
| DBotScore.Score | The actual score | number |
| DBotScore.Type | The type of the indicator | string |
| DBotScore.Vendor | Vendor used to calculate the score | string |
| IP.Address | IPs relevant to the sample | string |
| DBotScore.Malicious.Vendor | Vendor used to calculate the score | string |
| DBotScore.Malicious.Detections | The sub-analysis detection statuses | string |
| DBotScore.Malicious.SHA1 | The SHA1 of the file | string |
| Sample.State | The sample state | unknown |
| Sample.ID | The sample ID | unknown |
| File | The File's object | unknown |
| File.MD5 | MD5 hash of the file | string |
| Joe.Analysis.SampleName | Sample Data, could be a file name or URL | string |
| Joe.Analysis.Comments | Analysis Comments | string |
| Joe.Analysis.Time | Submitted Time | date |
| Joe.Analysis.Runs | Sub-Analysis Information | unknown |
| Joe.Analysis.Result | Analysis Results | string |
| Joe.Analysis.Errors | Raised errors during sampling | unknown |
| Joe.Analysis.Systems | Analysis OS | unknown |
| Joe.Analysis.MD5 | MD5 of analysis sample | string |
| Joe.Analysis.SHA1 | SHA1 of analysis sample | string |
| Joe.Analysis.SHA256 | SHA256 of analysis sample | string |
| InfoFile.Name | FileName of the report file | string |
| InfoFile.EntryID | The EntryID of the report file | string |
| InfoFile.Size | File Size | number |
| InfoFile.Type | File type e.g. "PE" | string |
| InfoFile.Info | Basic information of the file | string |
| File.Extension | The extension of the file | string |
| InfoFile | The report file's object | unknown |
| WildFire.Report | The submission object | unknown |
| WildFire.Report.Status | The status of the submission | string |
| WildFire.Report.SHA256 | SHA256 of the submission | string |
| WildFire.Report.MD5 | MD5 of the submission | string |
| WildFire.Report.FileType | The type of the submission | string |
| WildFire.Report.Size | The size of the submission | number |
| Joe.Analysis | The Analysis object | unknown |
| Cuckoo.Task.Category | Category of task | unknown |
| Cuckoo.Task.Machine | Machine of task | unknown |
| Cuckoo.Task.Errors | Errors of task | unknown |
| Cuckoo.Task.Target | Target of task | unknown |
| Cuckoo.Task.Package | Package of task | unknown |
| Cuckoo.Task.SampleID | Sample ID of task | unknown |
| Cuckoo.Task.Guest | Task guest | unknown |
| Cuckoo.Task.Custom | Custom values of task | unknown |
| Cuckoo.Task.Owner | Task owner | unknown |
| Cuckoo.Task.Priority | Priority of task | unknown |
| Cuckoo.Task.Platform | Platform of task | unknown |
| Cuckoo.Task.Options | Task options | unknown |
| Cuckoo.Task.Status | Task status | unknown |
| Cuckoo.Task.EnforceTimeout | Is timeout of task enforced | unknown |
| Cuckoo.Task.Timeout | Task timeout | unknown |
| Cuckoo.Task.Memory | Task memory | unknown |
| Cuckoo.Task.Tags | Task tags | unknown |
| Cuckoo.Task.ID | ID of task | unknown |
| Cuckoo.Task.AddedOn | Date on which the task was added | unknown |
| Cuckoo.Task.CompletedOn | Date on which the task was completed | unknown |
| Cuckoo.Task.Score | Reported score of the task | unknown |
| Cuckoo.Task.Monitor | Monitor of the reported task | unknown |
| SNDBOX.Analysis.ID | Analysis ID | string |
| SNDBOX.Analysis.SampleName | Sample Data, could be a file name or URL | string |
| SNDBOX.Analysis.Status | Analysis Status | string |
| SNDBOX.Analysis.Time | Submitted Time | date |
| SNDBOX.Analysis.Result | Analysis Results | string |
| SNDBOX.Analysis.Errors | Raised errors during sampling | unknown |
| SNDBOX.Analysis.Link | Analysis Link | string |
| SNDBOX.Analysis.MD5 | MD5 of analysis sample | string |
| SNDBOX.Analysis.SHA1 | SHA1 of analysis sample | string |
| SNDBOX.Analysis.SHA256 | SHA256 of analysis sample | string |
| SNDBOX.Analysis | SNDBOX analysis | unknown |
| HybridAnalysis.Submit.State | The state of the process | string |
| HybridAnalysis.Submit.SHA256 | The submission SHA256 | string |
| HybridAnalysis.Submit.JobID | The JobID of the submission | string |
| HybridAnalysis.Submit.EnvironmentID | The environmentID of the submission | string |
| HybridAnalysis.Submit | The HybridAnalysis object | unknown |
| ANYRUN.Task.AnalysisDate | Date and time the analysis was executed. | String |
| ANYRUN.Task.Behavior.Category | Category of a process behavior. | String |
| ANYRUN.Task.Behavior.Action | Actions performed by a process. | String |
| ANYRUN.Task.Behavior.ThreatLevel | Threat score associated with a process behavior. | Number |
| ANYRUN.Task.Behavior.ProcessUUID | Unique ID of the process whose behaviors are being profiled. | String |
| ANYRUN.Task.Connection.Reputation | Connection reputation. | String |
| ANYRUN.Task.Connection.ProcessUUID | ID of the process that created the connection. | String |
| ANYRUN.Task.Connection.ASN | Connection autonomous system network. | String |
| ANYRUN.Task.Connection.Country | Connection country. | String |
| ANYRUN.Task.Connection.Protocol | Connection protocol. | String |
| ANYRUN.Task.Connection.Port | Connection port number. | Number |
| ANYRUN.Task.Connection.IP | Connection IP address. | String |
| ANYRUN.Task.DnsRequest.Reputation | Reputation of the DNS request. | String |
| ANYRUN.Task.DnsRequest.IP | IP addresses associated with a DNS request. | Unknown |
| ANYRUN.Task.DnsRequest.Domain | Domain resolution of a DNS request. | String |
| ANYRUN.Task.Threat.ProcessUUID | Unique process ID from where the threat originated. | String |
| ANYRUN.Task.Threat.Msg | Threat message. | String |
| ANYRUN.Task.Threat.Class | Class of the threat. | String |
| ANYRUN.Task.Threat.SrcPort | Port on which the threat originated. | Number |
| ANYRUN.Task.Threat.DstPort | Destination port of the threat. | Number |
| ANYRUN.Task.Threat.SrcIP | Source IP address where the threat originated. | String |
| ANYRUN.Task.Threat.DstIP | Destination IP address of the threat. | String |
| ANYRUN.Task.HttpRequest.Reputation | Reputation of the HTTP request. | String |
| ANYRUN.Task.HttpRequest.Country | HTTP request country. | String |
| ANYRUN.Task.HttpRequest.ProcessUUID | ID of the process making the HTTP request. | String |
| ANYRUN.Task.HttpRequest.Body | HTTP request body parameters and details. | Unknown |
| ANYRUN.Task.HttpRequest.HttpCode | HTTP request response code. | Number |
| ANYRUN.Task.HttpRequest.Status | Status of the HTTP request. | String |
| ANYRUN.Task.HttpRequest.ProxyDetected | Whether the HTTP request was made through a proxy. | Boolean |
| ANYRUN.Task.HttpRequest.Port | HTTP request port. | Number |
| ANYRUN.Task.HttpRequest.IP | HTTP request IP address. | String |
| ANYRUN.Task.HttpRequest.URL | HTTP request URL. | String |
| ANYRUN.Task.HttpRequest.Host | HTTP request host. | String |
| ANYRUN.Task.HttpRequest.Method | HTTP request method type. | String |
| ANYRUN.Task.FileInfo | Details of the submitted file. | String |
| ANYRUN.Task.OS | OS of the sandbox in which the file was analyzed. | String |
| ANYRUN.Task.ID | The unique ID of the task. | String |
| ANYRUN.Task.MIME | The MIME type of the file submitted for analysis. | String |
| ANYRUN.Task.MD5 | The MD5 hash of the file submitted for analysis. | String |
| ANYRUN.Task.SHA1 | The SHA1 hash of the file submitted for analysis. | String |
| ANYRUN.Task.SHA256 | The SHA256 hash of the file submitted for analysis. | String |
| ANYRUN.Task.SSDeep | SSDeep hash of the file submitted for analysis. | String |
| ANYRUN.Task.Verdict | ANY.RUN verdict for the maliciousness of the submitted file or URL. | String |
| ANYRUN.Task.Process.FileName | File name of the process. | String |
| ANYRUN.Task.Process.PID | Process identification number. | Number |
| ANYRUN.Task.Process.PPID | Parent process identification number. | Number |
| ANYRUN.Task.Process.ProcessUUID | Unique process ID (used by ANY.RUN). | String |
| ANYRUN.Task.Process.CMD | Process command. | String |
| ANYRUN.Task.Process.Path | Path of the executed command. | String |
| ANYRUN.Task.Process.User | User who executed the command. | String |
| ANYRUN.Task.Process.IntegrityLevel | The process integrity level. | String |
| ANYRUN.Task.Process.ExitCode | Process exit code. | Number |
| ANYRUN.Task.Process.MainProcess | Whether the process is the main process. | Boolean |
| ANYRUN.Task.Process.Version.Company | Company responsible for the program executed. | String |
| ANYRUN.Task.Process.Version.Description | Description of the type of program. | String |
| ANYRUN.Task.Process.Version.Version | Version of the program executed. | String |
| File.SSDeep | SSDeep hash of the file submitted for analysis. | String |
| ANYRUN.Task.Status | Task analysis status. | String |
| VMRay.Job | The Job Object | unknown |
| VMRay.Job.JobID | The ID of a new job. | number |
| VMRay.Job.SampleID | The ID of the sample. | number |
| VMRay.Job.Created | The timestamp of the created job. | date |
| VMRay.Job.VMName | The name of the virtual machine. | string |
| VMRay.Job.VMID | The ID of the virtual machine. | number |
| VMRay.Sample | The Sample For Analysis | unknown |
| VMRay.Sample.SampleID | The sample ID of the task. | number |
| VMRay.Sample.Created | The timestamp of the created sample. | date |
| VMRay.Sample.FileName | The file name of the sample. | string |
| VMRay.Sample.MD5 | The MD5 hash of the sample. | string |
| VMRay.Sample.SHA1 | The SHA1 hash of the sample. | string |
| VMRay.Sample.SHA256 | The SHA256 hash of the sample. | string |
| VMRay.Sample.SSDeep | The SSDeep hash of the sample. | string |
| VMRay.Sample.Verdict | Verdict for the sample (Malicious, Suspicious, Clean, Not Available). | String |
| VMRay.Sample.VerdictReason | Description of the Verdict Reason. | String |
| VMRay.Sample.Severity | Severity of the sample (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated. | string |
| VMRay.Sample.Type | The file type. | string |
| VMRay.Sample.Classifications | The classifications of the sample. | string |
| VMRay.Submission | Submission Object | unknown |
| VMRay.Submission.SubmissionID | The submission ID. | number |
| VMRay.Submission.HadErrors | Whether there are any errors in the submission. | boolean |
| VMRay.Submission.IsFinished | The status of the submission. Can be "true" or "false". | boolean |
| VMRay.Submission.MD5 | The MD5 hash of the sample in the submission. | string |
| VMRay.Submission.SHA1 | The SHA1 hash of the sample in the submission. | string |
| VMRay.Submission.SHA256 | The SHA256 hash of the sample in the submission. | string |
| VMRay.Submission.Verdict | Verdict for the sample (Malicious, Suspicious, Clean, Not Available). | String |
| VMRay.Submission.VerdictReason | Description of the Verdict Reason. | String |
| VMRay.Submission.Severity | Severity of the sample (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated. | string |
| VMRay.Submission.SSDeep | The SSDeep hash of the sample in the submission. | string |
| VMRay.Submission.SampleID | The ID of the sample in the submission. | number |
| VMRay.Sample.IOC.File | File Object | unknown |
| VMRay.Sample.IOC.File.AnalysisID | The IDs of other analyses that contain the given file. | number |
| VMRay.Sample.IOC.File.Name | The name of the file. | string |
| VMRay.Sample.IOC.File.Operation | The operation of the given file. | string |
| VMRay.Sample.IOC.File.ID | The ID of the file. | number |
| VMRay.Sample.IOC.File.Type | The type of the file. | string |
| VMRay.Sample.IOC.File.Hashes | File Hashes Object | unknown |
| VMRay.Sample.IOC.File.Hashes.MD5 | The MD5 hash of the given file. | string |
| VMRay.Sample.IOC.File.Hashes.SSDeep | The SSDeep hash of the given file. | string |
| VMRay.Sample.IOC.File.Hashes.SHA256 | The SHA256 hash of the given file. | string |
| VMRay.Sample.IOC.File.Hashes.SHA1 | The SHA1 hash of the given file. | string |
| VMRay.Sample.IOC.URL | URL Object | unknown |
| VMRay.Sample.IOC.URL.AnalysisID | The IDs of the other analyses that contain the given URL. | number |
| VMRay.Sample.IOC.URL.URL | The URL. | string |
| VMRay.Sample.IOC.URL.Operation | The operation of the specified URL. | string |
| VMRay.Sample.IOC.URL.ID | The ID of the URL. | number |
| VMRay.Sample.IOC.URL.Type | The type of the URL. | string |
| VMRay.Sample.IOC.Domain | Domain Object | unknown |
| VMRay.Sample.IOC.Domain.AnalysisID | The IDs of the other analyses that contain the given domain. | number |
| VMRay.Sample.IOC.Domain.Domain | The domain. | string |
| VMRay.Sample.IOC.Domain.ID | The ID of the domain. | number |
| VMRay.Sample.IOC.Domain.Type | The type of the domain. | string |
| VMRay.Sample.IOC.IP | IP Object | unknown |
| VMRay.Sample.IOC.IP.AnalysisID | The IDs of the other analyses that contain the given IP address. | number |
| VMRay.Sample.IOC.IP.IP | The IP address. | string |
| VMRay.Sample.IOC.IP.Operation | The operation of the given IP address. | string |
| VMRay.Sample.IOC.IP.ID | The ID of the IP address. | number |
| VMRay.Sample.IOC.IP.Type | The type of the IP address. | string |
| VMRay.Sample.IOC.Mutex | Mutex Object | unknown |
| VMRay.Sample.IOC.Mutex.AnalysisID | The IDs of other analyses that contain the given IP address. | number |
| VMRay.Sample.IOC.Mutex.Name | The name of the mutex. | string |
| VMRay.Sample.IOC.Mutex.Operation | The operation of the given mutex. | string |
| VMRay.Sample.IOC.Mutex.ID | The ID of the mutex. | number |
| VMRay.Sample.IOC.Mutex.Type | The type of the mutex. | string |
| VMRay.ThreatIndicator | Indicator Object | unknown |
| VMRay.ThreatIndicator.AnalysisID | The list of connected analysis IDs. | number |
| VMRay.ThreatIndicator.Category | The category of threat indicators. | string |
| VMRay.ThreatIndicator.Classification | The classifications of threat indicators. | string |
| VMRay.ThreatIndicator.ID | The ID of the threat indicator. | number |
| VMRay.ThreatIndicator.Operation | The operation that caused the indicators. | string |
| SecneurXAnalysis.Report.SHA256 | SHA256 value of the analyzed sample | string |
| SecneurXAnalysis.Report.Verdict | Summary result of the analyzed sample | string |
| SecneurXAnalysis.Report.Tags | More details of the analyzed sample | string |
| SecneurXAnalysis.Report.IOC | List of IOCs observed in the analyzed sample | string |
| SecneurXAnalysis.Report.Status | Analysis queued sample state | String |

Playbook Image

[Image: Detonate File - Generic playbook diagram]