# Recorded Future Sandbox
This connector integrates the Recorded Future Sandbox API with Swimlane Turbine.

## Prerequisites

The connector can be authenticated in one of two ways:

- Bearer token authentication, which requires a URL and an API token.
- OAuth 2.0 client credentials flow, which requires a client ID, client secret and token URL.

## Capabilities

This connector provides the following capabilities:

- Create a new YARA rule
- Delete an existing YARA rule
- Get all resources
- Get all YARA rules
- Get PCAP of analysis
- Get sample by sample ID
- Get samples
- Get search samples
- Get summary by sample ID
- Post samples
- Update an existing YARA rule

## Use cases

### Update an existing YARA rule

When updating a YARA rule the compilation can fail. If that is the case, the rule name is updated but the old rule content will remain. Both name and rule are always required to be filled, even when changing only one of the attributes.

## Notes

- https://support.recordedfuture.com/hc/en-us
- [Recorded Future Sandbox API resources (microservices)](https://support.recordedfuture.com/hc/en-us/articles/9907891784211)
- For more information on authentication, see the link [API authentication](https://support.recordedfuture.com/hc/en-us/articles/10599138095507).
- If you need any further details, please visit the Recorded Future Sandbox support facility: https://support.recordedfuture.com/hc/en-us

## Configurations

### Recorded Future Sandbox Bearer Auth

Authenticates using an API token.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token | The API key, token, etc. | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### Recorded Future Sandbox OAuth 2.0 Auth

Authenticates using OAuth 2.0 client credentials.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token URL | | string | required |
| Client ID | The client ID | string | required |
| Client Secret | The client secret | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Create a new YARA rule

Create a new YARA rule.

**Endpoint URL:** `/api/v0/yara`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Response data |
| data_body.name | string | required | Response data |
| data_body.rule | string | required | Response data |

#### Input example

```json
{"data_body": {"name": "arkei_yara", "rule": "rule family_arkei {\n meta:\n author = \"Nikos 'n0t' Totosis\"\n description = \"Arkei stealer payload\"\n triage_family = \"arkei\"\n triage_tags = \"stealer\"\n\n strings:\n $c1 = \"/c timeout /t 5 & del /f /q \\\"%s\\\" & exit\" ascii\n $c2 = \"bcdefghijklmnopqrstuvwxyz1234567890\" ascii\n\n $s1 = \"%dx%d\" ascii\n $s2 = \"%d/%d/%d %d:%d:%d\" ascii\n $s3 = \"%s / %s\" ascii\n $s4 = \"%d MB\" ascii\n $s5 = \"UTC%d\" ascii\n $s6 = \"JohnDoe\" ascii\n $s7 = \"HAL9TH\" ascii\n\n condition:\n 1 of ($c*) and 4 of ($s*)\n}"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Delete an existing YARA rule

Delete an existing YARA rule.

**Endpoint URL:** `/api/v0/yara/{{rule_name}}`
**Method:** DELETE

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.rule_name | string | required | Parameters for the Delete an existing YARA rule action |

#### Input example

```json
{"path_parameters": {"rule_name": "arkei_yara"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get all resources

List all resources available.

**Endpoint URL:** `/api/v0/resources`
**Method:** GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get all YARA rules

Returns a listing of YARA rules that are accessible by the user.

**Endpoint URL:** `/api/v0/yara`
**Method:** GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rules | array | Output field rules |
| rules.name | string | Name of the resource |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"rules": [{}, {}]}}
```

### Get PCAP of analysis

Retrieves the PCAP of the analysis for further manual analysis.

**Endpoint URL:** `/api/v0/samples/{{sampleId}}/{{taskId}}/dump.pcap`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sampleId | string | required | Parameters for the Get PCAP of analysis action |
| path_parameters.taskId | string | required | Parameters for the Get PCAP of analysis action |

#### Input example

```json
{"path_parameters": {"sampleId": "190724-hakvlwz8cx", "taskId": "25507"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get sample by ID

Queries the sample with the specified ID.

**Endpoint URL:** `/api/v0/samples/{{sampleId}}`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sampleId | string | required | Parameters for the Get sample by ID action |

#### Input example

```json
{"path_parameters": {"sampleId": "190724-hakvlwz8cx"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| status | string | Status value |
| kind | string | Output field kind |
| filename | string | Name of the resource |
| private | boolean | Output field private |
| submitted | string | Output field submitted |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"id": "190724-hakvlwz8cx", "status": "reported", "kind": "file", "filename": "evil.bat", "private": true, "submitted": "2019-07-24T13:32:07.253524Z"}}
```

### Get samples

Queries the collection of samples submitted by the requester.

**Endpoint URL:** `/api/v0/samples`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.subset | string | optional | Parameters for the Get samples action |

#### Input example

```json
{"parameters": {"subset": "owned"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get search samples

The search API endpoint supports all filters and queries which can be used through the web interface, and allows you to search available analyses for a range of IOCs or file characteristics.

**Endpoint URL:** `/api/v0/search`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.query | string | required | Parameters for the Get search samples action |

#### Input example

```json
{"parameters": {"query": "family:emotet"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.id | string | Response data |
| data.status | string | Response data |
| data.kind | string | Response data |
| data.filename | string | Response data |
| data.private | boolean | Response data |
| data.submitted | string | Response data |
| data.completed | string | Response data |
| next | string | Output field next |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": [{}], "next": "2020-10-26T16:51:21.232458Z"}}
```

### Get summary by sample ID

Returns a short summary of the sample and its analysis tasks.

**Endpoint URL:** `/api/v0/samples/{{sampleId}}/summary`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sampleId | string | required | Parameters for the Get summary by sample ID action |

#### Input example

```json
{"path_parameters": {"sampleId": "190724-hakvlwz8cx"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sample | string | Output field sample |
| status | string | Status value |
| custom | string | Output field custom |
| owner | string | Output field owner |
| target | string | Output field target |
| created | string | Output field created |
| completed | string | Output field completed |
| score | number | Score value |
| sha256 | string | Output field sha256 |
| tasks | object | Output field tasks |
| tasks.200606-l5dz9871we-behavioral1 | object | Output field tasks.200606-l5dz9871we-behavioral1 |
| tasks.200606-l5dz9871we-behavioral1.kind | string | Output field tasks.200606-l5dz9871we-behavioral1.kind |
| tasks.200606-l5dz9871we-behavioral1.status | string | Status value |
| tasks.200606-l5dz9871we-behavioral1.tags | array | Output field tasks.200606-l5dz9871we-behavioral1.tags |
| tasks.200606-l5dz9871we-behavioral1.score | number | Score value |
| tasks.200606-l5dz9871we-behavioral1.target | string | Output field tasks.200606-l5dz9871we-behavioral1.target |
| tasks.200606-l5dz9871we-behavioral1.backend | string | Output field tasks.200606-l5dz9871we-behavioral1.backend |
| tasks.200606-l5dz9871we-behavioral1.resource | string | Output field tasks.200606-l5dz9871we-behavioral1.resource |
| tasks.200606-l5dz9871we-behavioral1.platform | string | Output field tasks.200606-l5dz9871we-behavioral1.platform |
| tasks.200606-l5dz9871we-behavioral1.queue_id | number | Unique identifier |
| tasks.200606-l5dz9871we-behavioral2 | object | Output field tasks.200606-l5dz9871we-behavioral2 |
| tasks.200606-l5dz9871we-behavioral2.kind | string | Output field tasks.200606-l5dz9871we-behavioral2.kind |
| tasks.200606-l5dz9871we-behavioral2.status | string | Status value |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"sample": "200606-l5dz9871we", "status": "reported", "custom": "frontend-7de1d1a3-f39b-4dd6-8a8d-b9d6bc0e7c81", "owner": "shark2.ams5.hatching.io", "target": "05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2", "created": "2020-06-06T00:03:27Z", "completed": "2020-06-06T00:06:10Z", "score": 10, "sha256": "05af0cf40590aef24b28fa04c6b4998b
```

### Post samples

Submits a new sample for analysis. This endpoint allows both files and URLs to be submitted by setting the `kind` field to either `"file"` or `"url"` respectively.

**Endpoint URL:** `/api/v0/samples`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| form_data | object | optional | Response data |
| form_data.file | array | optional | The file to upload |
| form_data.file.file | string | optional | Response data |
| form_data.file.file_name | string | optional | Response data |
| kind | string | optional | One of `"file"`, `"url"` or `"fetch"` |
| interactive | boolean | optional | If set to true, the analysis profile must be chosen manually after static analysis has finished |
| password | string | optional | A password that may be used to decrypt the provided file, usually an archive (zip/rar/etc.) |
| profiles | array | optional | A mapping of one or more files to one or more profiles |
| url | string | optional | The URL to use as sample. Requires `kind` to be set to `"url"` or `"fetch"` |

#### Input example

```json
{"form_data": {"file": [{"file": "", "file_name": "sample.txt"}], "kind": "file", "interactive": false, "password": "password", "profiles": ["profile"], "url": "http://example.org/"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| status | string | Status value |
| kind | string | Output field kind |
| filename | string | Name of the resource |
| private | boolean | Output field private |
| submitted | string | Output field submitted |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"id": "190724-hakvlwz8cx", "status": "running", "kind": "file", "filename": "evil.bat", "private": true, "submitted": "2019-07-24T13:32:07.253524Z"}}
```

### Update an existing YARA rule

Update an existing YARA rule.

**Endpoint URL:** `/api/v0/yara/{{rule_name}}`
**Method:** PUT

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.rule_name | string | required | Specify the current rule name in the query |
| data_body | object | required | Response data |
| data_body.name | string | required | Response data |
| data_body.rule | string | required | Response data |

#### Input example

```json
{"path_parameters": {"rule_name": "arkei_yara"}, "data_body": {"name": "arkei_new_yara", "rule": "rule family_arkei {\n meta:\n author = \"Nikos 'n0t' Totosis\"\n description = \"Arkei stealer payload\"\n triage_family = \"arkei\"\n triage_tags = \"stealer\"\n\n strings:\n $c1 = \"/c timeout /t 5 & del /f /q \\\"%s\\\" & exit\" ascii\n $c2 = \"bcdefghijklmnopqrstuvwxyz1234567890\" ascii\n\n $s1 = \"%dx%d\" ascii\n $s2 = \"%d/%d/%d %d:%d:%d\" ascii\n $s3 = \"%s / %s\" ascii\n $s4 = \"%d MB\" ascii\n $s5 = \"UTC%d\" ascii\n $s6 = \"JohnDoe\" ascii\n $s7 = \"HAL9TH\" ascii\n\n condition:\n 1 of ($c*) and 4 of ($s*)\n}"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 13 Dec 2023 20:37:23 GMT |
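The following stdlib-only client is an added example, not the connector's or Recorded Future's own code. It ties together the two authentication options from the prerequisites, the "update an existing YARA rule" use case with its both-fields-required caveat, the search endpoint, and the submitted/reported status values shown in the sample responses. Endpoint paths, methods and body fields are taken from the action tables above; everything else is an assumption made here: the OAuth 2.0 token request is modelled as a plain RFC 6749 client-credentials POST with form-encoded credentials (the page does not specify the token endpoint's parameter placement), `transport` is an injection point so the client can be exercised offline against a fake HTTP layer, the hostnames are placeholders, and the local pre-compile check uses yara-python only if it happens to be installed.

```python
"""Small client for the Recorded Future Sandbox actions documented above (added
example; endpoint shapes from the page, transport injection and the OAuth token
request format are assumptions)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, body) -> (status, reason, raw_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str, bytes]]


def urllib_transport(method, url, headers, body):
    """Default transport: real HTTP via urllib; non-2xx responses are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.reason, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.reason, err.read()


def fetch_oauth_token(token_url, client_id, client_secret, transport=urllib_transport):
    """OAuth 2.0 client-credentials grant (assumed form-encoded credentials in the body)."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    status, reason, raw = transport("POST", token_url,
                                    {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {reason}")
    return json.loads(raw)["access_token"]


def rule_compiles_locally(rule):
    """Pre-flight the rule with yara-python when available (returns None if not checked).
    Reason: per the use case above, a failed server-side compilation still renames the
    rule while the old body stays, so it is cheaper to reject bad rules before the PUT."""
    try:
        import yara  # optional dependency; absent => skip the check
    except ImportError:
        return None
    try:
        yara.compile(source=rule)
        return True
    except yara.Error as err:
        raise ValueError(f"rule does not compile locally: {err}") from err


@dataclass
class SandboxClient:
    base_url: str                      # the "URL" configuration parameter
    token: str                         # API token, or an access token from fetch_oauth_token
    transport: Transport = urllib_transport

    def _request(self, method, path, params=None, body=None):
        url = self.base_url.rstrip("/") + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, reason, raw = self.transport(method, url, headers, data)
        # Mirror the connector's output shape: status_code, reason, json_body.
        return {"status_code": status, "reason": reason, "json_body": json.loads(raw) if raw else {}}

    def list_yara_rule_names(self):
        """GET /api/v0/yara -> names from rules[].name."""
        result = self._request("GET", "/api/v0/yara")
        return [r["name"] for r in result["json_body"].get("rules", [])]

    def update_yara_rule(self, current_name, new_name, rule):
        """PUT /api/v0/yara/{rule_name}; name and rule are both mandatory even when only one changes."""
        if not new_name or not rule:
            raise ValueError("both 'name' and 'rule' must be supplied on update")
        rule_compiles_locally(rule)
        path = "/api/v0/yara/" + urllib.parse.quote(current_name, safe="")
        return self._request("PUT", path, body={"name": new_name, "rule": rule})

    def search_samples(self, query):
        """GET /api/v0/search?query=... using the same filter syntax as the web interface."""
        return self._request("GET", "/api/v0/search", params={"query": query})

    def get_sample(self, sample_id):
        return self._request("GET", "/api/v0/samples/" + urllib.parse.quote(sample_id, safe=""))

    def wait_until_reported(self, sample_id, attempts=30, sleep=time.sleep):
        """Poll GET /api/v0/samples/{id} while status is "running" (the value shown right after
        submission) and return the sample once it changes, e.g. to "reported"."""
        for _ in range(attempts):
            sample = self.get_sample(sample_id)["json_body"]
            if sample.get("status") != "running":
                return sample
            sleep(5)
        raise TimeoutError(f"sample {sample_id} still running after {attempts} polls")
```

Pass a bearer API token directly, or obtain one first with `fetch_oauth_token` when the OAuth 2.0 configuration is in use; `update_yara_rule` refuses a call that omits either field, which is the mistake the use case section warns about.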