# Recorded Future Sandbox
This connector integrates the Recorded Future Sandbox API with Swimlane Turbine.

## Prerequisites

The connector can be authenticated in one of two ways:

- Bearer token authentication, which requires a URL and an API token
- OAuth 2.0 client credentials flow, which requires a client ID, client secret and token URL

## Capabilities

This connector provides the following capabilities:

- Create a new YARA rule
- Delete an existing YARA rule
- Get all resources
- Get all YARA rules
- Get PCAP of analysis
- Get sample by sample ID
- Get samples
- Get search samples
- Get summary by sample ID
- Post samples
- Update an existing YARA rule

## Use Cases

### Update an existing YARA rule

When updating a YARA rule, compilation of the submitted rule can fail. If it does, the rule name is still updated, but the old rule content remains in place, so the rule now lives under the new name with the previous content. Both `name` and `rule` are always required, even when changing only one of the two attributes: resubmit the current value of the attribute you are not changing.

## Configurations

### Recorded Future Sandbox Bearer Auth

Authenticates using an API token.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | The API key, token, etc. | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### Recorded Future Sandbox OAuth 2.0 Auth

Authenticates using OAuth 2.0 client credentials.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token_url | The OAuth 2.0 token endpoint | string | required |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

Leave `verify_ssl` enabled outside of lab environments: with certificate verification off, the API token or client secret is sent to whatever host answers for the configured URL or proxy.

## Actions

### Create a new YARA rule

Create a new YARA rule.

Endpoint URL: `/api/v0/yara`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Request body |
| data_body.name | string | required | Name of the rule |
| data_body.rule | string | required | YARA rule source |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Delete an existing YARA rule

Delete an existing YARA rule.

Endpoint URL: `/api/v0/yara/{{rule_name}}`
Method: DELETE

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| rule_name | string | required | Name of the rule to delete |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get all resources

List all resources available.

Endpoint URL: `/api/v0/resources`
Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get all YARA rules

Returns a listing of the YARA rules that are accessible by the user.

Endpoint URL: `/api/v0/yara`
Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rules | array | Output field rules |
| rules.name | string | Name of the rule |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {"rules": []}
  }
]
```

### Get PCAP of analysis

Retrieves the PCAP of the analysis for further manual analysis.

Endpoint URL: `/api/v0/samples/{{sampleId}}/{{taskId}}/dump.pcap`
Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sampleId | string | required | Unique identifier of the sample |
| taskId | string | required | Unique identifier of the analysis task |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get sample by ID

Queries the sample with the specified ID.

Endpoint URL: `/api/v0/samples/{{sampleId}}`
Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sampleId | string | required | Unique identifier of the sample |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| status | string | Status value |
| kind | string | Output field kind |
| filename | string | Name of the submitted file |
| private | boolean | Output field private |
| submitted | string | Submission timestamp |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {
      "id": "190724-hakvlwz8cx",
      "status": "reported",
      "kind": "file",
      "filename": "evil.bat",
      "private": true,
      "submitted": "2019-07-24T13:32:07.253524Z"
    }
  }
]
```

### Get samples

Queries the collection of samples submitted by the requester.

Endpoint URL: `/api/v0/samples`
Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| subset | string | optional | Subset of samples to return |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get search samples

The search API endpoint supports all filters and queries that can be used through the web interface, and allows you to search the available analyses for a range of IOCs or file characteristics.

Endpoint URL: `/api/v0/search`
Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Search query |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.id | string | Unique identifier |
| data.status | string | Status value |
| data.kind | string | Output field kind |
| data.filename | string | Name of the submitted file |
| data.private | boolean | Output field private |
| data.submitted | string | Submission timestamp |
| data.completed | string | Completion timestamp |
| next | string | Cursor value for fetching the next page of results |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {"data": [], "next": "2020-10-26T16:51:21.232458Z"}
  }
]
```

### Get summary by sample ID

Returns a short summary of the sample and its analysis tasks.

Endpoint URL: `/api/v0/samples/{{sampleId}}/summary`
Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sampleId | string | required | Unique identifier of the sample |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sample | string | Sample identifier |
| status | string | Status value |
| custom | string | Output field custom |
| owner | string | Output field owner |
| target | string | Output field target |
| created | string | Creation timestamp |
| completed | string | Completion timestamp |
| score | number | Score value |
| sha256 | string | SHA-256 of the submitted sample |
| tasks | object | Per-task summaries, keyed by task ID |
| tasks.200606-l5dz9871we-behavioral1 | object | Output field for task 200606-l5dz9871we-behavioral1 |
| tasks.200606-l5dz9871we-behavioral1.kind | string | Output field kind |
| tasks.200606-l5dz9871we-behavioral1.status | string | Status value |
| tasks.200606-l5dz9871we-behavioral1.tags | array | Output field tags |
| tasks.200606-l5dz9871we-behavioral1.score | number | Score value |
| tasks.200606-l5dz9871we-behavioral1.target | string | Output field target |
| tasks.200606-l5dz9871we-behavioral1.backend | string | Output field backend |
| tasks.200606-l5dz9871we-behavioral1.resource | string | Output field resource |
| tasks.200606-l5dz9871we-behavioral1.platform | string | Output field platform |
| tasks.200606-l5dz9871we-behavioral1.queue_id | number | Unique identifier |
| tasks.200606-l5dz9871we-behavioral2 | object | Output field for task 200606-l5dz9871we-behavioral2 |
| tasks.200606-l5dz9871we-behavioral2.kind | string | Output field kind |
| tasks.200606-l5dz9871we-behavioral2.status | string | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {
      "sample": "200606-l5dz9871we",
      "status": "reported",
      "custom": "frontend-7de1d1a3-f39b-4dd6-8a8d-b9d6bc0e7c81",
      "owner": "shark2.ams5.hatching.io",
      "target": "05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2",
      "created": "2020-06-06T00:03:27Z",
      "completed": "2020-06-06T00:06:10Z",
      "score": 10,
      "sha256": "05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2",
      "tasks": {}
    }
  }
]
```

### Post samples

Submits a new sample for analysis. This endpoint allows both files and URLs to be submitted by setting the `kind` field to "file" or "url" respectively.

Endpoint URL: `/api/v0/samples`
Method: POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| kind | string | required | One of "file", "url" or "fetch" |
| interactive | boolean | optional | If set to true, the analysis profile must be chosen manually after static analysis has finished |
| password | string | optional | A password that may be used to decrypt the provided file, usually an archive (zip/rar/etc.) |
| profiles | array | optional | A mapping of one or more files to one or more profiles |
| url | string | optional | The URL to use as the sample; requires `kind` to be set to "url" or "fetch" |
| form_data | object | optional | Multipart form data for file submissions |
| form_data.file | array | optional | The file to upload |
| form_data.file.file | string | optional | File content |
| form_data.file.file_name | string | optional | Name of the file |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| status | string | Status value |
| kind | string | Output field kind |
| filename | string | Name of the submitted file |
| private | boolean | Output field private |
| submitted | string | Submission timestamp |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {
      "id": "190724-hakvlwz8cx",
      "status": "running",
      "kind": "file",
      "filename": "evil.bat",
      "private": true,
      "submitted": "2019-07-24T13:32:07.253524Z"
    }
  }
]
```
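An added example of the two authentication configurations and of the submit-then-poll flow that Post samples and Get summary by sample ID together describe (a sample comes back `running` and has to be polled until it is `reported`). It is not Swimlane's or Recorded Future's code. It only touches the documented paths through an injectable transport; the fake transport, the `/oauth/token` path, the client credentials, the token value and the response data are all constructed for the example, and the token exchange assumes a standard RFC 6749 client-credentials endpoint:

```python
import json
import time
import urllib.parse


class SandboxError(RuntimeError):
    pass


class SandboxClient:
    """Client for the documented endpoints. `transport(method, url, headers, body)` returns
    (status, json_body) and is injected so the example runs offline against the fake below."""

    def __init__(self, url, transport, token="", token_url="", client_id="", client_secret=""):
        self.base, self.transport, self.token = url.rstrip("/"), transport, token
        self.token_url, self.client_id, self.client_secret = token_url, client_id, client_secret

    def _bearer(self):
        """Both configurations end in the same Authorization header; the OAuth 2.0 one first
        trades client credentials for a token. Assumption: token_url is a standard RFC 6749
        client-credentials endpoint that answers with {"access_token": ...}."""
        if not self.token:
            form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                           "client_id": self.client_id,
                                           "client_secret": self.client_secret}).encode()
            status, body = self.transport("POST", self.token_url,
                                          {"Content-Type": "application/x-www-form-urlencoded"}, form)
            if status != 200 or "access_token" not in body:
                raise SandboxError(f"token request failed: HTTP {status}")
            self.token = body["access_token"]  # cached: one exchange serves every later call
        return f"Bearer {self.token}"

    def _call(self, method, path, payload=None):
        headers = {"Authorization": self._bearer()}
        body = json.dumps(payload).encode() if payload is not None else None
        if body is not None:
            headers["Content-Type"] = "application/json"
        return self.transport(method, self.base + path, headers, body)

    def submit_url(self, target):
        """Post samples with kind "url"; the response carries the new sample's id."""
        status, body = self._call("POST", "/api/v0/samples", {"kind": "url", "url": target})
        if status != 200:
            raise SandboxError(f"submit failed: HTTP {status}")
        return body["id"]

    def wait_for_summary(self, sample_id, attempts=30, delay=0.0):
        """Poll Get summary by sample ID until status is "reported", then return the summary."""
        path = f"/api/v0/samples/{urllib.parse.quote(sample_id, safe='')}/summary"
        for _ in range(attempts):
            status, body = self._call("GET", path)
            if status == 200 and body.get("status") == "reported":
                return body
            time.sleep(delay)
        raise SandboxError(f"sample {sample_id} not reported after {attempts} polls")


def make_fake_transport():
    """Constructed offline stand-in for the API; every response here is sample data."""
    state = {"polls": 0, "token_requests": 0}

    def transport(method, url, headers, body):
        path = urllib.parse.urlparse(url).path
        if (method, path) == ("POST", "/oauth/token"):
            state["token_requests"] += 1
            form = urllib.parse.parse_qs(body.decode())
            if form.get("client_secret") != ["s3cret"]:
                return 401, {"error": "invalid_client"}
            return 200, {"access_token": "t0k3n", "token_type": "bearer"}
        if headers.get("Authorization") != "Bearer t0k3n":
            return 401, {"error": "UNAUTHORIZED"}
        if (method, path) == ("POST", "/api/v0/samples"):
            return 200, {"id": "190724-hakvlwz8cx", "status": "running", "kind": "url"}
        if (method, path) == ("GET", "/api/v0/samples/190724-hakvlwz8cx/summary"):
            state["polls"] += 1  # still running on the first two polls, reported on the third
            if state["polls"] < 3:
                return 200, {"sample": "190724-hakvlwz8cx", "status": "running"}
            return 200, {"sample": "190724-hakvlwz8cx", "status": "reported", "score": 10,
                         "sha256": "05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2"}
        return 404, {"error": "NOT_FOUND"}

    return transport, state


def demo():
    """OAuth 2.0 configuration end to end; all URLs and credentials are constructed."""
    transport, state = make_fake_transport()
    client = SandboxClient("https://sandbox.example.test", transport,
                           token_url="https://sandbox.example.test/oauth/token",
                           client_id="cid", client_secret="s3cret")
    summary = client.wait_for_summary(client.submit_url("http://bad.example.test/payload"))
    return {"score": summary["score"], "polls": state["polls"],
            "token_requests": state["token_requests"]}
```

With the bearer-token configuration, construct the client with `token=` and no `token_url`; `_bearer` then never touches the token endpoint, which is the whole difference between the two configurations from the API's point of view. A real transport would wrap `urllib.request` or `requests`, honour `verify_ssl` and `http_proxy`, and keep the raw response for the status code and headers the actions report.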
### Update an existing YARA rule

Update an existing YARA rule. See the Use Cases section: if the new rule fails to compile, the rename is still applied while the old rule content is kept, and both `name` and `rule` must always be supplied.

Endpoint URL: `/api/v0/yara/{{rule_name}}`
Method: PUT

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| rule_name | string | required | The current rule name (path parameter) |
| data_body | object | required | Request body |
| data_body.name | string | required | New (or unchanged) name of the rule |
| data_body.rule | string | required | YARA rule source; resubmit the current source when only renaming |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"},
    "reason": "OK",
    "json_body": {}
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 13 Dec 2023 20:37:23 GMT |

## Notes

- Home page link: https://support.recordedfuture.com/hc/en-us
- API documentation link (Recorded Future Sandbox API resources and microservices): https://support.recordedfuture.com/hc/en-us/articles/9907891784211
- For more information on authentication, see the Recorded Future Sandbox API authentication article: https://support.recordedfuture.com/hc/en-us/articles/10599138095507
- If you need any further details, please visit the Recorded Future Sandbox support facility: https://support.recordedfuture.com/hc/en-us
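The Use Cases caveat (a rule that fails to compile is renamed but keeps its old content) is easy to miss in automation, because the rename succeeds silently and a retry against the old name then fails. Below is an added example, not the connector's or Recorded Future's code, of an update routine for the Update an existing YARA rule action that enforces both mandatory fields and, on a failed PUT, re-reads Get all YARA rules to tell a partial update from a plain failure. The fake transport, the assumption that a compile failure is returned as a non-2xx status with a JSON `message`, the bearer token value and the rule names are all constructed for the example:

```python
import json
import urllib.parse


class PartialUpdate(RuntimeError):
    """The API renamed the rule but kept its old content (the failure mode in Use Cases)."""


def api_call(transport, base_url, token, method, path, payload=None):
    """One request with the bearer-token configuration; transport(method, url, headers, body)
    returns (status, json_body) and is injected so the example runs offline."""
    headers = {"Authorization": f"Bearer {token}"}
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode()
    return transport(method, base_url.rstrip("/") + path, headers, body)


def rule_names(transport, base_url, token):
    """Get all YARA rules; only the names are documented, so only names are relied on."""
    status, body = api_call(transport, base_url, token, "GET", "/api/v0/yara")
    if status != 200:
        raise RuntimeError(f"rule listing failed: HTTP {status}")
    return {r["name"] for r in body.get("rules", [])}


def update_rule(transport, base_url, token, current_name, new_name, rule):
    """Update an existing YARA rule safely. Both fields are mandatory even when changing one,
    and if the new rule does not compile the API still applies the rename. Assumption: that
    failure is reported as a non-2xx status with a JSON error body."""
    if not new_name.strip() or not rule.strip():
        raise ValueError("name and rule are both required, even when changing only one")
    path = f"/api/v0/yara/{urllib.parse.quote(current_name, safe='')}"
    status, body = api_call(transport, base_url, token, "PUT", path, {"name": new_name, "rule": rule})
    if status == 200:
        return
    names = rule_names(transport, base_url, token)  # detect the documented partial update
    if new_name in names and current_name not in names:
        raise PartialUpdate(f"rule renamed to {new_name!r} but content not updated "
                            f"(HTTP {status}: {body.get('message', 'compile error')}); "
                            f"fix the rule and retry against the new name")
    raise RuntimeError(f"update failed: HTTP {status}")


def make_fake_transport(initial_rules=("old-name",)):
    """Constructed offline stand-in for the API that reproduces the partial-update behaviour."""
    rules = set(initial_rules)

    def transport(method, url, headers, body):
        path = urllib.parse.urlparse(url).path
        if headers.get("Authorization") != "Bearer t0k3n":
            return 401, {"error": "UNAUTHORIZED"}
        if (method, path) == ("GET", "/api/v0/yara"):
            return 200, {"rules": [{"name": n} for n in sorted(rules)]}
        if method == "PUT" and path.startswith("/api/v0/yara/"):
            current = urllib.parse.unquote(path.rsplit("/", 1)[1])
            if current not in rules:
                return 404, {"error": "NOT_FOUND"}
            req = json.loads(body)
            rules.discard(current)
            rules.add(req["name"])  # the rename lands regardless of the compile result
            if "condition:" not in req["rule"]:  # simulated compile failure
                return 400, {"error": "INVALID_RULE", "message": "syntax error"}
            return 200, {}
        return 404, {"error": "NOT_FOUND"}

    return transport


def demo():
    """Rename plus a broken rule body, then the fix under the new name; constructed values."""
    transport, base, token = make_fake_transport(), "https://sandbox.example.test", "t0k3n"
    try:
        update_rule(transport, base, token, "old-name", "new-name", 'rule r { strings: $a = "x" }')
        partial = ""
    except PartialUpdate as exc:
        partial = str(exc)
    # the rule now lives under the new name; the retry must target it, not the old one
    update_rule(transport, base, token, "new-name", "new-name",
                'rule r { strings: $a = "x" condition: $a }')
    return {"partial": partial, "rules": rule_names(transport, base, token)}
```

The cheapest guard is to never send a rule the server might reject: compile it locally first with yara-python (`yara.compile(source=rule)` raises `yara.SyntaxError` on a bad rule) and only then issue the PUT, so the rename and the content change succeed or fail together.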