Skip to main content

Detonate File - Generic

This Playbook is part of the Common Playbooks Pack.#

Detonate file through active integrations that support file detonation


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Detonate File - Group-IB TDS Polygon
  • Detonate File - HybridAnalysis
  • WildFire - Detonate file
  • CrowdStrike Falcon Sandbox - Detonate file
  • Detonate File - FireEye AX
  • Detonate File - JoeSecurity
  • Detonate File - ANYRUN
  • Detonate File - ThreatGrid
  • ATD - Detonate File
  • Detonate File - SNDBOX
  • Detonate File - Cuckoo
  • Detonate File - Lastline v2
  • Detonate File - VMRay


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
EntryIDEntry ID of file to be detonatedFile.EntryIDOptional
FileFile object of file to be detonatedFile.NoneOptional

Playbook Outputs#

Joe.Analysis.StatusAnalysis Statusstring
Joe.Analysis.WebIDWeb IDstring
File.NameFilename (only in case of report type=json)string
File.SHA1SHA1 of the filestring
File.SHA256SHA256 of the filestring
File.SizeFile size (only in case of report type=json)number
File.TypeFile type e.g. "PE" (only in case of report type=json)string
File.MaliciousThe File malicious descriptionunknown
File.Malicious.DescriptionFor malicious files, the reason for the vendor to make the decisionstring
File.Malicious.VendorFor malicious files, the vendor that made the decisionstring
DBotScoreThe Indicator's objectunknown
DBotScore.IndicatorThe indicator that was testedstring
DBotScore.ScoreThe actual scorenumber
DBotScore.TypeThe type of the indicatorstring
DBotScore.VendorVendor used to calculate the scorestring
IP.AddressIP's relevant to the samplestring
DBotScore.Malicious.VendorVendor used to calculate the scorestring
DBotScore.Malicious.DetectionsThe sub analysis detection statusesstring
DBotScore.Malicious.SHA1The SHA1 of the filestring
Sample.StateThe sample stateunknown
Sample.IDThe sample IDunknown
FileThe File's objectunknown
File.MD5MD5 of the filestring
Joe.Analysis.SampleNameSample Data, could be a file name or URLstring
Joe.Analysis.CommentsAnalysis Commentsstring
Joe.Analysis.TimeSubmitted Timedate
Joe.Analysis.RunsSub-Analysis Informationunknown
Joe.Analysis.ResultAnalysis Resultsstring
Joe.Analysis.ErrorsRaised errors during samplingunknown
Joe.Analysis.SystemsAnalysis OSunknown
Joe.Analysis.MD5MD5 of analysis samplestring
Joe.Analysis.SHA1SHA1 of analysis samplestring
Joe.Analysis.SHA256SHA256 of analysis samplestring
InfoFile.NameFileName of the report filestring
InfoFile.EntryIDThe EntryID of the report filestring
InfoFile.SizeFile Sizenumber
InfoFile.TypeFile type e.g. "PE"string
InfoFile.InfoBasic information of the filestring
File.ExtensionFile Extensionstring
InfoFileThe report file's objectunknown
WildFire.ReportThe submission objectunknown
WildFire.Report.StatusThe status of the submissionstring
WildFire.Report.SHA256SHA256 of the submissionstring
WildFire.Report.MD5MD5 of the submissionstring
WildFire.Report.FileTypeThe type of the submissionstring
WildFire.Report.SizeThe size of the submissionnumber
Joe.AnalysisThee Analysis objectunknown
Cuckoo.Task.CategoryCategory of taskunknown
Cuckoo.Task.MachineMachine of taskunknown
Cuckoo.Task.ErrorsErrors of taskunknown
Cuckoo.Task.TargetTarget of taskunknown
Cuckoo.Task.PackagePackage of taskunknown
Cuckoo.Task.SampleIDSample ID of taskunknown
Cuckoo.Task.GuestTask guestunknown
Cuckoo.Task.CustomCustom values of taskunknown
Cuckoo.Task.OwnerTask ownerunknown
Cuckoo.Task.PriorityPriority of taskunknown
Cuckoo.Task.PlatformPlatform of taskunknown
Cuckoo.Task.OptionsTask optionsunknown
Cuckoo.Task.StatusTask statusunknown
Cuckoo.Task.EnforceTimeoutIs timeout of task enforcedunknown
Cuckoo.Task.TimeoutTask timeoutunknown
Cuckoo.Task.MemoryTask memoryunknown
Cuckoo.Task.TagsTask tagsunknown
Cuckoo.Task.IDID of taskunknown
Cuckoo.Task.AddedOnDate on which the task was addedunknown
Cuckoo.Task.CompletedOnDate on which the task was completedunknown
Cuckoo.Task.ScoreReported score of the the taskunknown
Cuckoo.Task.MonitorMonitor of the reported taskunknown
SNDBOX.Analysis.IDAnalysis IDstring
SNDBOX.Analysis.SampleNameSample Data, could be a file name or URLstring
SNDBOX.Analysis.StatusAnalysis Statusstring
SNDBOX.Analysis.TimeSubmitted Timedate
SNDBOX.Analysis.ResultAnalysis Resultsstring
SNDBOX.Analysis.ErrorsRaised errors during samplingunknown
SNDBOX.Analysis.LinkAnalysis Linkstring
SNDBOX.Analysis.MD5MD5 of analysis samplestring
SNDBOX.Analysis.SHA1SHA1 of analysis samplestring
SNDBOX.Analysis.SHA256SHA256 of analysis samplestring
SNDBOX.AnalysisSNDBOX analysisunknown
HybridAnalysis.Submit.StateThe state of the processstring
HybridAnalysis.Submit.SHA256The submission SHA256string
HybridAnalysis.Submit.JobIDThe JobID of the submissionstring
HybridAnalysis.Submit.EnvironmentIDThe environmentID of the submissionstring
HybridAnalysis.SubmitThe HybridAnalysis objectunknown
ANYRUN.Task.AnalysisDateDate and time the analysis was executed.String
ANYRUN.Task.Behavior.CategoryCategory of a process behavior.String
ANYRUN.Task.Behavior.ActionActions performed by a process.String
ANYRUN.Task.Behavior.ThreatLevelThreat score associated with a process behavior.Number
ANYRUN.Task.Behavior.ProcessUUIDUnique ID of the process whose behaviors are being profiled.String
ANYRUN.Task.Connection.ReputationConnection reputation.String
ANYRUN.Task.Connection.ProcessUUIDID of the process that created the connection.String
ANYRUN.Task.Connection.ASNConnection autonomous system network.String
ANYRUN.Task.Connection.CountryConnection country.String
ANYRUN.Task.Connection.ProtocolConnection protocol.String
ANYRUN.Task.Connection.PortConnection port number.Number
ANYRUN.Task.Connection.IPConnection IP number.String
ANYRUN.Task.DnsRequest.ReputationReputation of the DNS request.String
ANYRUN.Task.DnsRequest.IPIP addresses associated with a DNS request.Unknown
ANYRUN.Task.DnsRequest.DomainDomain resolution of a DNS request.String
ANYRUN.Task.Threat.ProcessUUIDUnique process ID from where the threat originated.String
ANYRUN.Task.Threat.MsgThreat message.String
ANYRUN.Task.Threat.ClassClass of the threat.String
ANYRUN.Task.Threat.SrcPortPort on which the threat originated.Number
ANYRUN.Task.Threat.DstPortDestination port of the threat.Number
ANYRUN.Task.Threat.SrcIPSource IP address where the threat originated.String
ANYRUN.Task.Threat.DstIPDestination IP address of the threat.String
ANYRUN.Task.HttpRequest.ReputationReputation of the HTTP request.String
ANYRUN.Task.HttpRequest.CountryHTTP request country.String
ANYRUN.Task.HttpRequest.ProcessUUIDID of the process making the HTTP request.String
ANYRUN.Task.HttpRequest.BodyHTTP request body parameters and details.Unknown
ANYRUN.Task.HttpRequest.HttpCodeHTTP request response code.Number
ANYRUN.Task.HttpRequest.StatusStatus of the HTTP request.String
ANYRUN.Task.HttpRequest.ProxyDetectedWhether the HTTP request was made through a proxy.Boolean
ANYRUN.Task.HttpRequest.PortHTTP request port.Number
ANYRUN.Task.HttpRequest.IPHTTP request IP address.String
ANYRUN.Task.HttpRequest.URLHTTP request URL.String
ANYRUN.Task.HttpRequest.HostHTTP request host.String
ANYRUN.Task.HttpRequest.MethodHTTP request method type.String
ANYRUN.Task.FileInfoDetails of the submitted file.String
ANYRUN.Task.OSOS of the sandbox in which the file was analyzed.String
ANYRUN.Task.IDThe unique ID of the task.String
ANYRUN.Task.MIMEThe MIME of the file submitted for analysis.String
ANYRUN.Task.MD5The MD5 hash of the file submitted for analysis.String
ANYRUN.Task.SHA1The SHA1 hash of the file submitted for analysis.String
ANYRUN.Task.SHA256The SHA256 hash of the file submitted for analysis.String
ANYRUN.Task.SSDeepSSDeep hash of the file submitted for analysis.String
ANYRUN.Task.VerdictANY.RUN verdict for the maliciousness of the submitted file or URL.String
ANYRUN.Task.Process.FileNameFile name of the process.String
ANYRUN.Task.Process.PIDProcess identification number.Number
ANYRUN.Task.Process.PPIDParent process identification number.Number
ANYRUN.Task.Process.ProcessUUIDUnique process ID (used by ANY.RUN).String
ANYRUN.Task.Process.CMDProcess command.String
ANYRUN.Task.Process.PathPath of the executed command.String
ANYRUN.Task.Process.UserUser who executed the command.String
ANYRUN.Task.Process.IntegrityLevelThe process integrity level.String
ANYRUN.Task.Process.ExitCodeProcess exit code.Number
ANYRUN.Task.Process.MainProcessWhether the process is the main process.Boolean
ANYRUN.Task.Process.Version.CompanyCompany responsible for the program executed.String
ANYRUN.Task.Process.Version.DescriptionDescription of the type of program.String
ANYRUN.Task.Process.Version.VersionVersion of the program executed.String
File.ExtensionExtension of the file submitted for analysis.String
File.NameThe name of the file submitted for analysis.String
File.MD5MD5 hash of the file submitted for analysis.String
File.SHA1SHA1 hash of the file submitted for analysis.String
File.SHA256SHA256 hash of the file submitted for analysis.String
File.SSDeepSSDeep hash of the file submitted for analysis.String
File.Malicious.VendorFor malicious files, the vendor that made the decision.String
File.Malicious.DescriptionFor malicious files, the reason that the vendor made the decision.String
ANYRUN.Task.StatusTask analysis status.String