Detonate Remote File from URL - McAfee ATD

Detonates a file from a URL using the McAfee Advanced Threat Defense sandbox integration.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

  • McAfee_Advanced_Threat_Defense

Scripts

  • Set

Commands

  • atd-get-report
  • atd-file-upload
  • atd-check-status

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| URL | URL to detonate. | URL.Data | Optional |
| Interval | Polling frequency - how often the polling command should run (minutes) | 1 | Optional |
| Timeout | How much time to wait before a timeout occurs (minutes) | 15 | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| ATD.Task.taskId | The task ID of the sample uploaded | string |
| ATD.Task.jobId | The job ID of the sample uploaded | string |
| ATD.Task.messageId | The message ID relevant to the sample uploaded | string |
| ATD.Task.url | The URL detonated | string |
| ATD.Task.srcIp | Source IPv4 address | string |
| ATD.Task.destIp | Destination IPv4 address | string |
| ATD.Task.MD5 | MD5 of the sample uploaded | string |
| ATD.Task.SHA1 | SHA1 of the sample uploaded | string |
| ATD.Task.SHA256 | SHA256 of the sample uploaded | string |
| File.Name | Filename (only in case of report type=json) | string |
| File.Type | File type, e.g. "PE" (only in case of report type=json) | string |
| File.MD5 | MD5 hash of the file (only in case of report type=json) | string |
| File.SHA1 | SHA1 hash of the file (only in case of report type=json) | string |
| File.SHA256 | SHA256 hash of the file (only in case of report type=json) | string |
| File.EntryID | The Entry ID of the sample | string |
| DBotScore.Indicator | The indicator we tested (only in case of report type=json) | string |
| DBotScore.Type | The type of the indicator (only in case of report type=json) | string |
| DBotScore.Vendor | Vendor used to calculate the score (only in case of report type=json) | string |
| DBotScore.Score | The actual score (only in case of report type=json) | number |
| IP.Address | IPs relevant to the sample | string |
| InfoFile.EntryID | The EntryID of the report file | string |
| InfoFile.Extension | The extension of the report file | string |
| InfoFile.Name | The name of the report file | string |
| InfoFile.Info | The info of the report file | string |
| InfoFile.Size | The size of the report file | number |
| InfoFile.Type | The type of the report file | string |
| File | File object | unknown |
| File.Malicious | File Malicious object | unknown |
| DBotScore | DBotScore object | unknown |
| InfoFile | Report file object | unknown |
| URL.Malicious | URL Malicious object | unknown |