Skip to main content

Detonate File - HybridAnalysis

This Playbook is part of the Hybrid Analysis (Deprecated) Pack.#


Use cs-falcon-sandbox-submit-sample with polling=true instead.

Deprecated. Use cs-falcon-sandbox-submit-sample with polling=true instead.

Detonates one or more files using the Hybrid Analysis integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • GenericPolling


This playbook does not use any integrations.


This playbook does not use any scripts.


  • hybrid-analysis-submit-sample
  • hybrid-analysis-scan

Playbook Inputs#

NameDescriptionDefault ValueSourceRequired
FileThe file object of the file to detonate. The File is taken from the context.NoneFileOptional
IntervalThe duration for executing the pooling (in minutes).1-Optional
TimeoutThe duration after which to stop pooling and to resume the playbook (in minutes).15-Optional
SystemsThe operating system to run the analysis on (comma-separated). Supported values are: w7, w7x64, w7_1, w7_2, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w7_4, w7_5, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougat--Optional
CommentsThe comments for the analysis.--Optional
InternetAccessWhether to enable internet access (boolean). The default is "true". "True" means there is internet access. False means there is no internet access.True-Optional
ReportFileTypeThe resource type to download. The default is html. The supported values are: html, lighthtml, executive, pdf, classhtml, xml, lightxml, classxml, clusterxml, irxml, json, jsonfixed, lightjson, lightjsonfixed, irjson, irjsonfixed, shoots (screenshots), openioc, maec, misp, graphreports, memstrings, binstrings, sample, cookbook, bins (dropped files), unpackpe (unpacked PE files), unpack, ida, pcap, pcapslim, memdumps, yara.--Optional
EnvironmentIDThe hybrid analysis environment ID to submit the file to.100-Optional

Playbook Outputs#

File.SHA256The SHA256 hash of the
File.SHA1The SHA1 hash of the file.unknown
File.MD5The MD5 hash of the file.string
File.environmentIdThe environment ID of the file.unknown
File.analysis_start_timeThe analysis start time of the file.unknown
File.submitnameThe submission name of the file.string
File.classification_tagsThe list of classification tags of the file.string
File.vxfamilyThe family classification of the file.string
File.total_network_connectionsThe total network connections of the file.string
File.total_processesThe total processes count of the file.unknown
File.total_signaturesThe total signatures count of the file.string
File.hostsThe list of the file's hosts.number
File.isinterestingWhether the server found the file interesting.string
File.domainsThe list of the file's related domains.string
File.isurlanalysisWhether the file was analyzed by URL.string
File.Malicious.VendorThe vendor that made the decision that the file is malicious.string
File.Malicious.DescriptionThe reason for the vendor to make the decision that the file is malicious.string
HybridAnalysis.Submit.StateThe state of the process.string
HybridAnalysis.Submit.SHA256The submission SHA256 hash.unknown
HybridAnalysis.Submit.JobIDThe JobID of the submission.unknown
HybridAnalysis.Submit.EnvironmentIDThe environmentID of the submission.unknown

Playbook Image#