Skip to main content

File Enrichment - Generic v2

This Playbook is part of the Common Playbooks Pack.#

Enrich a file using one or more integrations.

  • Provide threat information
  • File Reputation using !file command

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • File Enrichment - Virus Total (API v3)

Integrations#

This playbook does not use any integrations.

Scripts#

This playbook does not use any scripts.

Commands#

  • file
  • cylance-protect-get-threat

Playbook Inputs#


NameDescriptionDefault ValueRequired
MD5File MD5 hash to enrich.File.MD5Optional
SHA256The file SHA256 hash to enrich.File.SHA256Optional
SHA1The file SHA1 hash to enrich.File.SHA1Optional
UseReputationCommandDefine if you would like to use the !file command.
Note: This input should be used whenever there is no auto-extract enabled in the investigation flow.
Possible values: True / False.
FalseRequired

Playbook Outputs#


PathDescriptionType
DBotScore.IndicatorThe indicator that was tested.string
DBotScore.TypeThe indicator type.string
File.SHA1SHA1 hash of the file.string
File.SHA256SHA256 hash of the file.string
File.Malicious.VendorFor malicious files, the vendor that made the decision.string
File.MD5MD5 hash of the file.string
DBotScoreThe DBotScore object.unknown
FileThe file objectunknown
DBotScore.VendorVendor used to calculate the score.string
DBotScore.ScoreThe actual score.number
File.Malicious.DescriptionThe reason the vendor decided the file was malicious.string
File.NameThe name of the threat.string
File.MalwareFamilyThe file family classification.string
File.AutoRunIndicates if the file is set to automatically run on system startup.string
File.AvIndustryThe score provided by the Anti-Virus industry.string
File.CertIssuerThe ID for the certificate issuer.string
File.CertPublisherThe ID for the certificate publisher.string
File.CertTimestampThe date and time (in UTC) when the file was signed using the certificate.string
File.ClassificationThe threat classification for the threat.string
File.CylanceScoreThe Cylance Score assigned to the threat.string
File.DetectedByThe name of the Cylance module that detected the threat.string
File.FileSizeThe size of the file.string
File.GlobalQuarantineIdentifies if the threat is on the Global Quarantine list.string
File.RunningIdentifies if the threat is executing, or another executable loaded or called it.string
File.SafelistedIdentifies if the threat is on the Safe List.string
File.SignedIdentifies the file as signed or not signed.string
File.SubClassificationThe threat sub-classification for the threat.string
File.UniqueToCylanceWhether the threat was identified by Cylance, and not by other anti-virus sources.string
File.Relationships.EntityAThe source of the relationship.String
File.Relationships.EntityBThe destination of the relationship.String
File.Relationships.RelationshipThe name of the relationship.String
File.Relationships.EntityAtypeThe type of the source of the relationship.String
File.Relationships.EntityBtypeThe type of the destination of the relationship.String
File.Malicious.TotalEnginesFor malicious files, the total number of engines that checked the file hash.Unknown
DBotScore.ReliabilityReliability of the source providing the intelligence data.String
VirusTotal.File.attributes.type_descriptiondescription of the type of the file.String
VirusTotal.File.attributes.tlshThe locality-sensitive hashing.String
VirusTotal.File.attributes.namesNames of the file.String
VirusTotal.File.attributes.last_modification_dateThe last modification date in epoch format.Number
VirusTotal.File.attributes.type_tagTag of the type.String
VirusTotal.File.attributes.sizeSize of the file.Number
VirusTotal.File.attributes.times_submittedNumber of times the file was submitted.Number
VirusTotal.File.attributes.last_submission_dateLast submission date in epoch format.Number
VirusTotal.File.attributes.downloadableWhether the file is downloadable.Boolean
VirusTotal.File.attributes.sha256SHA-256 hash of the file.String
VirusTotal.File.attributes.type_extensionExtension of the type.String
VirusTotal.File.attributes.tagsFile tags.String
VirusTotal.File.attributes.last_analysis_dateLast analysis date in epoch format.Number
VirusTotal.File.attributes.unique_sourcesUnique sources.Number
VirusTotal.File.attributes.first_submission_dateFirst submission date in epoch format.Number
VirusTotal.File.attributes.ssdeepSSDeep hash of the file.String
VirusTotal.File.attributes.md5MD5 hash of the file.String
VirusTotal.File.attributes.sha1SHA-1 hash of the file.String
VirusTotal.File.attributes.magicIdentification of file by the magic number.String
VirusTotal.File.attributes.meaningful_nameMeaningful name of the file.String
VirusTotal.File.attributes.reputationThe reputation of the file.Number
VirusTotal.File.attributes.exiftool.MIMEtypeMIME type of the file.String
VirusTotal.File.attributes.exiftool.FiletypeThe file type.String
VirusTotal.File.attributes.exiftool.WordCountTotal number of words in the file.String
VirusTotal.File.attributes.exiftool.LineCountTotal number of lines in file.String
VirusTotal.File.attributes.exiftool.MIMEEncodingThe MIME encoding.String
VirusTotal.File.attributes.exiftool.FiletypeExtensionThe file type extension.String
VirusTotal.File.attributes.exiftool.NewlinesNumber of newlines signs.String
VirusTotal.File.attributes.javascript_info.tagsTags of the JavaScript.String
VirusTotal.File.attributes.crowdsourced_ids_stats.infoNumber of IDS that marked the file as "info".Number
VirusTotal.File.attributes.crowdsourced_ids_stats.highNumber of IDS that marked the file as "high".Number
VirusTotal.File.attributes.crowdsourced_ids_stats.mediumNumber of IDS that marked the file as "medium".Number
VirusTotal.File.attributes.crowdsourced_ids_stats.lowNumber of IDS that marked the file as "low".Number
VirusTotal.File.attributes.sigma_analysis_stats.criticalNumber of Sigma analysis that marked the file as "critical".Number
VirusTotal.File.attributes.sigma_analysis_stats.highNumber of Sigma analysis that marked the file as "high".Number
VirusTotal.File.attributes.sigma_analysis_stats.mediumNumber of Sigma analysis that marked the file as "medium".Number
VirusTotal.File.attributes.sigma_analysis_stats.lowNumber of Sigma analysis that marked the file as "low".Number
VirusTotal.File.attributes.trid.file_typeThe TrID file type.String
VirusTotal.File.attributes.trid.probabilityThe TrID probability.Number
VirusTotal.File.attributes.crowdsourced_yara_results.descriptiondescription of the YARA rule.String
VirusTotal.File.attributes.crowdsourced_yara_results.sourceSource of the YARA rule.String
VirusTotal.File.attributes.crowdsourced_yara_results.authorAuthor of the YARA rule.String
VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_nameRule set name of the YARA rule.String
VirusTotal.File.attributes.crowdsourced_yara_results.rule_nameName of the YARA rule.String
VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_idID of the YARA rule.String
VirusTotal.File.attributes.total_votes.harmlessTotal number of harmless votes.Number
VirusTotal.File.attributes.total_votes.maliciousTotal number of malicious votes.Number
VirusTotal.File.attributes.popular_threat_classification.suggested_threat_labelSuggested thread label.String
VirusTotal.File.attributes.popular_threat_classification.popular_threat_nameThe popular thread name.Number
VirusTotal.File.attributes.last_analysis_stats.harmlessThe number of engines that found the indicator to be harmless.Number
VirusTotal.File.attributes.last_analysis_stats.type-unsupportedThe number of engines that found the indicator to be of type unsupported.Number
VirusTotal.File.attributes.last_analysis_stats.suspiciousThe number of engines that found the indicator to be suspicious.Number
VirusTotal.File.attributes.last_analysis_stats.confirmed-timeoutThe number of engines that confirmed the timeout of the indicator.Number
VirusTotal.File.attributes.last_analysis_stats.timeoutThe number of engines that timed out for the indicator.Number
VirusTotal.File.attributes.last_analysis_stats.failureThe number of failed analysis engines.Number
VirusTotal.File.attributes.last_analysis_stats.maliciousThe number of engines that found the indicator to be malicious.Number
VirusTotal.File.attributes.last_analysis_stats.undetectedThe number of engines that could not detect the indicator.Number
VirusTotal.File.typetype of the indicator (file).String
VirusTotal.File.idtype ID of the indicator.String
VirusTotal.File.links.selfLink to the response.Unknown

Playbook Image#


File Enrichment - Generic v2