# Recorded Future Sandbox
The Recorded Future Sandbox connector lets Swimlane Turbine users automate interaction with Recorded Future's malware analysis platform: submitting samples (files or URLs), retrieving analysis reports and PCAPs, and managing YARA rules. Through the Recorded Future Sandbox API, security teams can create, update and delete YARA rules, submit samples for analysis, and pull the resulting reports into Turbine playbooks, which shortens the path from a suspicious attachment to actionable IOCs and MITRE ATT&CK mappings. This connector integrates the Recorded Future Sandbox API with Swimlane Turbine.

## Prerequisites

To use the Recorded Future Sandbox connector within Swimlane Turbine, configure one of the following authentication methods.

HTTP Bearer authentication, with the following parameters:

- URL: endpoint for Recorded Future Sandbox API access
- API token: unique token for authenticating API requests

OAuth 2.0 client credentials, with the following parameters:

- URL: endpoint for Recorded Future Sandbox API access
- Client ID: identifier for the OAuth client
- Client secret: secret key associated with the OAuth client
- Token URL: endpoint for obtaining OAuth 2.0 access tokens

## Capabilities

This connector provides the following capabilities:

- Create a new YARA rule
- Delete an existing YARA rule
- Download sample
- Get all resources
- Get all YARA rules
- Get PCAP of analysis
- Get sample by sample ID
- Get sample overview
- Get samples
- Get search samples
- Get summary by sample ID
- Post samples
- Select profile
- Update an existing YARA rule

## Use cases

### Update an existing YARA rule

When a YARA rule is updated, compilation of the new rule text can fail. If it does, the rule name is still updated but the old rule content remains in place: the rule is then addressable only under its new name, and still carries the previous logic. Both `name` and `rule` must always be supplied, even when only one of them is changing. After every update, confirm that the change took effect, and retry a failed update against the new name rather than the old one.
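The two authentication configurations listed under Prerequisites differ in how the `Authorization` header is produced. The following is an added example, not code from the Swimlane connector or from Recorded Future: `BearerAuth` wraps a fixed API token, and `ClientCredentialsAuth` exchanges the client ID and secret for an access token at the token URL, caches it, and refreshes it before expiry. The form-encoded `client_credentials` grant (RFC 6749 section 4.4) is an assumption; this page does not say how the Recorded Future token endpoint expects credentials. The `post` callable is injectable so the refresh logic can be exercised without a network.

```python
"""Added example, not the connector's or Recorded Future's own code: builds the
Authorization header for the two configurations this page lists (static API token,
and OAuth 2.0 client credentials against a token URL)."""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Injectable HTTP POST: (token_url, form_fields) -> decoded JSON body.
PostForm = Callable[[str, Dict[str, str]], dict]


def post_form(url: str, fields: Dict[str, str]) -> dict:
    """Default transport: form-encoded POST, JSON response (real network)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verification stays on by default
        return json.load(resp)


class BearerAuth:
    """'Recorded Future Sandbox Bearer Auth': a fixed API token."""

    def __init__(self, token: str):
        if not token or token != token.strip():
            raise ValueError("API token must be non-empty and free of surrounding whitespace")
        self._token = token

    def header(self) -> Dict[str, str]:
        return {"Authorization": "Bearer " + self._token}


class ClientCredentialsAuth:
    """'Recorded Future Sandbox OAuth 2.0 Auth': exchanges client_id/client_secret for an
    access token at token_url, caches it, and refreshes `skew` seconds before the
    advertised expiry so an in-flight request never carries a dead token."""

    def __init__(self, token_url: str, client_id: str, client_secret: str,
                 post: PostForm = post_form, clock: Callable[[], float] = time.time, skew: int = 60):
        if not token_url.startswith("https://"):
            raise ValueError("token_url must use https: the client secret travels in the request body")
        self._token_url, self._client_id, self._client_secret = token_url, client_id, client_secret
        self._post, self._clock, self._skew = post, clock, skew
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetches = 0  # number of calls made to the token endpoint (useful in logs)

    def access_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._post(self._token_url, {
                "grant_type": "client_credentials",  # assumed grant shape (RFC 6749 4.4)
                "client_id": self._client_id,
                "client_secret": self._client_secret,
            })
            self.fetches += 1
            if "access_token" not in body:
                # RFC 6749 error bodies carry 'error'; never echo the secret or the full body
                raise RuntimeError("token endpoint returned no access_token: %s" % body.get("error", "unknown"))
            self._token = body["access_token"]
            self._expires_at = now + float(body.get("expires_in", 3600))
        return self._token

    def header(self) -> Dict[str, str]:
        return {"Authorization": "Bearer " + self.access_token()}
```

Whichever mode is used, the resulting header goes on every request to the URL parameter of the connector; keep Verify SSL enabled so that header is never exposed to an on-path host.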
## Notes

- Recorded Future Sandbox support: https://support.recordedfuture.com/hc/en-us
- Recorded Future Sandbox API resources (microservices): https://support.recordedfuture.com/hc/en-us/articles/9907891784211
- For more information on authentication, see API authentication: https://support.recordedfuture.com/hc/en-us/articles/10599138095507
- For any further details, visit the Recorded Future Sandbox support site: https://support.recordedfuture.com/hc/en-us

## Configurations

### Recorded Future Sandbox Bearer Auth

Authenticates using an API token.

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Token | The API key, token, etc. | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP proxy | A proxy to route requests through | string | optional |

### Recorded Future Sandbox OAuth 2.0 Auth

Authenticates using OAuth 2.0 client credentials.

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Token URL | Endpoint for obtaining OAuth 2.0 access tokens | string | required |
| Client ID | The client ID | string | required |
| Client secret | The client secret | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP proxy | A proxy to route requests through | string | optional |

Leave Verify SSL enabled in both configurations: the API token or the OAuth access token travels in the `Authorization` header of every request, and with certificate verification disabled any host on the path (including a misconfigured HTTP proxy) can read it.

## Actions

### Create a new YARA rule

Generates a new YARA rule in Recorded Future Sandbox using the provided data body.

- Endpoint URL: `/api/v0/yara`
- Method: `POST`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | required | Request body |
| data_body.name | string | required | Rule name |
| data_body.rule | string | required | YARA rule text |

Input example:

```json
{
  "data_body": {
    "name": "arkei.yara",
    "rule": "rule family_arkei {\n  meta:\n    author = \"Nikos 'n0t' Totosis\"\n    description = \"Arkei stealer payload\"\n    triage_family = \"arkei\"\n    triage_tags = \"stealer\"\n\n  strings:\n    $c1 = \"/c timeout /t 5 & del /f /q \\\"%s\\\" & exit\" ascii\n    $c2 = \"bcdefghijklmnopqrstuvwxyz1234567890\" ascii\n\n    $s1 = \"%dx%d\" ascii\n    $s2 = \"%d/%d/%d %d:%d:%d\" ascii\n    $s3 = \"%s / %s\" ascii\n    $s4 = \"%d MB\" ascii\n    $s5 = \"UTC%d\" ascii\n    $s6 = \"JohnDoe\" ascii\n    $s7 = \"HAL9TH\" ascii\n\n  condition:\n    1 of ($c*) and 4 of ($s*)\n}"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Delete an existing YARA rule

Removes a specified YARA rule from Recorded Future Sandbox by providing the rule name.

- Endpoint URL: `/api/v0/yara/{{rule_name}}`
- Method: `DELETE`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.rule_name | string | required | Name of the rule to delete |

Input example:

```json
{"path_parameters": {"rule_name": "arkei.yara"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get all resources

Retrieves a list of all available resources from Recorded Future Sandbox.

- Endpoint URL: `/api/v0/resources`
- Method: `GET`

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get all YARA rules

Retrieves a list of all YARA rules available to the user in Recorded Future Sandbox.

- Endpoint URL: `/api/v0/yara`
- Method: `GET`

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rules | array | List of rules |
| rules.name | string | Rule name |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"rules": [{}, {}]}}
```
### Download sample

Downloads the original file submission from Recorded Future Sandbox using the sample ID. Ensure the file has completed processing before downloading. The returned body is the submitted malware itself: write it only to quarantined storage and never open it on an analyst workstation.

- Endpoint URL: `/api/v0/samples/{{sampleId}}/sample`
- Method: `GET`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.sampleId | string | required | Sample ID returned at submission (e.g., 251219-tg9s9sfwst) |

Input example:

```json
{"path_parameters": {"sampleId": "251219-tg9s9sfwst"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| body | string | Raw binary content of the originally submitted file |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/octet-stream"}, "reason": "OK"}
```

### Get PCAP of analysis

Retrieves the packet capture (PCAP) of a specified analysis from Recorded Future Sandbox using the sample ID and task ID.

- Endpoint URL: `/api/v0/samples/{{sampleId}}/{{taskId}}/dump.pcap`
- Method: `GET`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.sampleId | string | required | Sample ID of the analysis |
| path_parameters.taskId | string | required | Task ID of the analysis whose capture is wanted |

Input example:

```json
{"path_parameters": {"sampleId": "190724-hakvlwz8cx", "taskId": "25507"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get sample by ID

Retrieves detailed information for a specific sample by its ID in Recorded Future Sandbox.

- Endpoint URL: `/api/v0/samples/{{sampleId}}`
- Method: `GET`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.sampleId | string | required | Sample ID returned at submission |

Input example:

```json
{"path_parameters": {"sampleId": "190724-hakvlwz8cx"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Sample ID |
| status | string | Analysis status (e.g., running, reported) |
| kind | string | Submission kind (file or URL) |
| filename | string | Submitted file name |
| private | boolean | Whether the sample is private |
| submitted | string | Submission timestamp |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"id": "190724-hakvlwz8cx", "status": "reported", "kind": "file", "filename": "evil.bat", "private": true, "submitted": "2019-07-24T13:32:07.253524Z"}}
```

### Get sample overview

Retrieves a detailed report on a malware sample from Recorded Future Sandbox, including IOCs and MITRE ATT&CK mappings, using the sample ID.

- Endpoint URL: `/api/v0/samples/{{sampleId}}/overview.json`
- Method: `GET`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.sampleId | string | required | Sample ID returned at submission (e.g., 251219-tg9s9sfwst) |

Input example:

```json
{"path_parameters": {"sampleId": "251219-tg9s9sfwst"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| version | string | Report format version (e.g., 0.2.2) |
| sample | object | Sample metadata and file hashes |
| analysis | object | High-level analysis results (score 0-10, family, tags) |
| signatures | array | Triggered behavioral and YARA signatures with MITRE TTPs |
| targets | array | Per-target analysis results with IOCs |
| extracted | array | Extracted malware configs, C2, ransom notes |
| tasks | object | Analysis tasks keyed by composite ID |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json"}, "reason": "OK", "json_body": {"version": "0.2.2", "sample": {"id": "251219-tg9s9sfwst", "score": 8, "sha256": "05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2"}, "analysis": {"score": 8, "family": [], "tags": []}, "signatures": [], "targets": [], "extracted": [], "tasks": {}}}
```
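In a playbook these actions are chained: post a sample, poll "Get sample by ID" until `status` is `reported`, then read `overview.json` and pull out what the case needs. The following is an added example, not the connector's or Recorded Future's own code, that implements that chain as a small client. The HTTP transport is an injected callable, and `fake_transport()` replays constructed responses built from the page's example values so the whole flow runs offline; a real transport wraps `urllib` or `requests` with the connector's URL and `Authorization` header. Assumptions not taken from this page: the `failed` status, the sample ID shape (six digits, dash, ten characters, as in the page's examples), and the field layout inside `targets`, `extracted` and `signatures` in `overview.json`.

```python
"""Added example (not the connector's or Recorded Future's own code): submit, poll
and overview calls from this page as one small client, with an injected transport.
Assumed (not on this page): the 'failed' status, the sample id shape, and the
layout of 'targets', 'extracted' and 'signatures' inside overview.json."""
import json
import re
import time
import uuid
from typing import Callable, Dict, Optional, Tuple

SAMPLE_ID = re.compile(r"^[0-9]{6}-[a-z0-9]{10}$")  # e.g. 251219-tg9s9sfwst (assumed shape)
# transport(method, path, headers, body) -> (http_status, content_type, body_bytes)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str, bytes]]


def multipart(fields: Dict[str, str], filename: str, content: bytes) -> Tuple[str, bytes]:
    """Encode the 'post samples' form: text fields plus one file part."""
    b = uuid.uuid4().hex
    name = re.sub(r'[\r\n"\\/]', "_", filename)  # no header injection or path parts via the filename
    parts = [f'--{b}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
             for k, v in fields.items()]
    parts.append(f'--{b}\r\nContent-Disposition: form-data; name="file"; filename="{name}"\r\n'
                 "Content-Type: application/octet-stream\r\n\r\n".encode() + content + b"\r\n")
    return f"multipart/form-data; boundary={b}", b"".join(parts) + f"--{b}--\r\n".encode()


def check_sample_id(sample_id: str) -> str:
    """Validate before interpolating into a URL path, so '../yara' cannot reach another endpoint."""
    if not SAMPLE_ID.match(sample_id):
        raise ValueError(f"unexpected sample id {sample_id!r}")
    return sample_id


class SandboxClient:
    def __init__(self, transport: Transport, sleep: Callable[[float], None] = time.sleep):
        self._send, self._sleep = transport, sleep

    def _json(self, method: str, path: str, headers=None, body=None) -> dict:
        status, _, raw = self._send(method, path, headers or {}, body)
        if status != 200:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw)

    def submit_file(self, filename: str, content: bytes, password: Optional[str] = None) -> str:
        fields = {"kind": "file", "interactive": "false", **({"password": password} if password else {})}
        ctype, body = multipart(fields, filename, content)
        return check_sample_id(self._json("POST", "/api/v0/samples", {"Content-Type": ctype}, body)["id"])

    def wait_for_report(self, sample_id: str, max_polls: int = 60, interval: float = 15) -> str:
        path = f"/api/v0/samples/{check_sample_id(sample_id)}"
        for _ in range(max_polls):
            status = self._json("GET", path)["status"]
            if status == "reported":
                return status
            if status == "failed":  # assumed terminal status; the page only shows running/reported
                raise RuntimeError(f"analysis of {sample_id} failed")
            self._sleep(interval)
        raise TimeoutError(f"{sample_id} not reported after {max_polls} polls")

    def overview(self, sample_id: str) -> dict:
        return self._json("GET", f"/api/v0/samples/{check_sample_id(sample_id)}/overview.json")


def flatten_overview(ov: dict) -> dict:
    """Reduce overview.json to score, family, network IOCs, extracted C2 and ATT&CK TTPs."""
    iocs = {k: set() for k in ("domains", "ips", "urls")}
    for t in ov.get("targets") or []:
        for k in iocs:
            iocs[k].update((t.get("iocs") or {}).get(k) or [])
    c2 = {u for e in ov.get("extracted") or [] for u in (e.get("config") or {}).get("c2") or []}
    ttps = {x for s in ov.get("signatures") or [] for x in s.get("ttp") or []}
    a = ov.get("analysis") or {}
    return {"score": a.get("score"), "family": sorted(a.get("family") or []),
            "iocs": {k: sorted(v) for k, v in iocs.items()}, "c2": sorted(c2), "ttps": sorted(ttps)}


def fake_transport() -> Transport:
    """Constructed stand-in for the API: two 'running' polls, then 'reported'."""
    sid, polls = "251219-tg9s9sfwst", [0]
    ov = {"version": "0.2.2", "sample": {"id": sid, "score": 8}, "analysis": {"score": 8, "family": ["arkei"]},
          "signatures": [{"name": "Arkei", "ttp": ["T1005", "T1552.001"]}],
          "targets": [{"iocs": {"domains": ["c2.example.invalid"], "ips": ["203.0.113.7"]}}],
          "extracted": [{"config": {"family": "arkei", "c2": ["http://c2.example.invalid/gate.php"]}}]}

    def send(method, path, headers, body):
        if (method, path) == ("POST", "/api/v0/samples") and b'name="kind"\r\n\r\nfile\r\n' in body:
            return 200, "application/json", json.dumps({"id": sid, "status": "running"}).encode()
        if path == f"/api/v0/samples/{sid}":
            polls[0] += 1
            return 200, "application/json", json.dumps({"status": "reported" if polls[0] > 2 else "running"}).encode()
        if path == f"/api/v0/samples/{sid}/overview.json":
            return 200, "application/json", json.dumps(ov).encode()
        return 404, "application/json", b'{"error": "NOT_FOUND"}'
    return send


def run_offline() -> dict:
    """Whole flow against fake_transport(): submit, poll until reported, flatten the overview."""
    client = SandboxClient(fake_transport(), sleep=lambda _: None)
    sid = client.submit_file("sample.txt", b"constructed, harmless bytes")
    client.wait_for_report(sid, interval=0)
    return flatten_overview(client.overview(sid))
```

With the defaults (`max_polls=60`, `interval=15`) a playbook waits at most fifteen minutes before raising; bounding the wait matters because a sample stuck in `running` would otherwise block the Turbine task forever. `check_sample_id` runs on every path the client builds, so an ID taken from an alert field or a user form can never turn `/api/v0/samples/{id}` into a request for a different endpoint.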
### Get samples

Retrieves a list of samples submitted by the requester from Recorded Future Sandbox.

- Endpoint URL: `/api/v0/samples`
- Method: `GET`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.subset | string | optional | Subset of samples to list (e.g., owned) |

Input example:

```json
{"parameters": {"subset": "owned"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get search samples

Retrieves analyses for IOCs or file characteristics using filters and queries similar to those of the Recorded Future Sandbox web interface.

- Endpoint URL: `/api/v0/search`
- Method: `GET`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.query | string | required | Search query (e.g., `family:emotet`) |

Input example:

```json
{"parameters": {"query": "family:emotet"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Matching samples |
| data.id | string | Sample ID |
| data.status | string | Analysis status |
| data.kind | string | Submission kind |
| data.filename | string | Submitted file name |
| data.private | boolean | Whether the sample is private |
| data.submitted | string | Submission timestamp |
| data.completed | string | Completion timestamp |
| next | string | Cursor for the next page of results |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": [{}], "next": "2020-10-26T16:51:21.232458Z"}}
```

### Get summary by sample ID

Retrieves a concise summary and the analysis tasks for a given sample using its unique ID in Recorded Future Sandbox.

- Endpoint URL: `/api/v0/samples/{{sampleId}}/summary`
- Method: `GET`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.sampleId | string | required | Sample ID returned at submission |

Input example:

```json
{"path_parameters": {"sampleId": "190724-hakvlwz8cx"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sample | string | Sample ID |
| status | string | Analysis status |
| custom | string | Custom submission tag |
| owner | string | Owner of the sample |
| target | string | Analysis target |
| created | string | Creation timestamp |
| completed | string | Completion timestamp |
| score | number | Overall score |
| sha256 | string | SHA-256 of the sample |
| tasks | object | Analysis tasks keyed by task ID (e.g., `200606-l5dz9871we-behavioral1`, `200606-l5dz9871we-behavioral2`) |
| tasks.<task id> | object | One analysis task |
| tasks.<task id>.kind | string | Task kind |
| tasks.<task id>.status | string | Task status |
| tasks.<task id>.tags | array | Task tags |
| tasks.<task id>.score | number | Task score |
| tasks.<task id>.target | string | Task target |
| tasks.<task id>.backend | string | Backend that ran the task |
| tasks.<task id>.resource | string | Resource used by the task |
| tasks.<task id>.platform | string | Analysis platform |
| tasks.<task id>.queue_id | number | Queue identifier |

Output example (truncated on the source page):

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"sample": "200606-l5dz9871we", "status": "reported", "custom": "frontend-7de1d1a3-f39b-4dd6-8a8d-b9d6bc0e7c81", "owner": "shark2.ams5.hatching.io", "target": "05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2", "created": "2020-06-06T00:03:27Z", "completed": "2020-06-06T00:06:10Z", "score": 10, "sha256": "05af0cf40590aef24b28fa04c6b4998b
```

### Post samples

Submits a new sample (file or URL) for analysis in Recorded Future Sandbox; the `kind` field selects the submission type.

- Endpoint URL: `/api/v0/samples`
- Method: `POST`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| form_data | object | optional | Multipart form body |
| form_data.file | array | optional | The file to upload |
| form_data.file.file | string | optional | File content |
| form_data.file.file_name | string | optional | File name |
| form_data.kind | string | optional | One of `file`, `url` or `fetch` |
| form_data.interactive | boolean | optional | If set to true, the analysis profile must be chosen manually (see Select profile) after static analysis has finished |
| form_data.password | string | optional | A password that may be used to decrypt the provided file, usually an archive (zip/rar/etc.) |
| form_data.profiles | array | optional | A mapping of one or more files to one or more profiles |
| form_data.url | string | optional | The URL to use as the sample; requires `kind` to be `url` or `fetch` |

Input example:

```json
{"form_data": {"file": [{"file": "", "file_name": "sample.txt"}], "kind": "file", "interactive": false, "password": "password", "profiles": ["profile"], "url": "http://example.org/"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Sample ID |
| status | string | Analysis status |
| kind | string | Submission kind |
| filename | string | Submitted file name |
| private | boolean | Whether the sample is private |
| submitted | string | Submission timestamp |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"id": "190724-hakvlwz8cx", "status": "running", "kind": "file", "filename": "evil.bat", "private": true, "submitted": "2019-07-24T13:32:07.253524Z"}}
```

### Select profile

Selects an analysis profile for a sample that is waiting in static analysis (for example one submitted with `interactive` set to true), using one of `auto`, `pick`, or `profiles`.
- Endpoint URL: `/api/v0/samples/{{sampleId}}/profile`
- Method: `POST`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.sampleId | string | required | Sample ID returned at submission (e.g., 251219-tg9s9sfwst) |
| auto | boolean | optional | If true, automatically select profiles for all files |
| pick | array | optional | For archives; list of file names to run with automatic profile selection |
| profiles | array | optional | Explicit file-to-profile mappings |
| profiles.pick | string | optional | File name within the archive (or `sample` for the submitted file) |
| profiles.profile | string | optional | Profile ID or name to use for this file |

Input example:

```json
{"path_parameters": {"sampleId": "251219-tg9s9sfwst"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json"}, "reason": "OK", "json_body": {}}
```

### Update an existing YARA rule

Updates a specified YARA rule in Recorded Future Sandbox using the current rule name and the provided data body. Both `name` and `rule` are required on every update (see the use case above): if the new rule fails to compile, the rename is applied but the stored rule text is not.

- Endpoint URL: `/api/v0/yara/{{rule_name}}`
- Method: `PUT`

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.rule_name | string | required | The current rule name (path parameter) |
| data_body | object | required | Request body |
| data_body.name | string | required | New (or unchanged) rule name |
| data_body.rule | string | required | Full YARA rule text |

Input example:

```json
{
  "path_parameters": {"rule_name": "arkei.yara"},
  "data_body": {
    "name": "arkei-new.yara",
    "rule": "rule family_arkei {\n  meta:\n    author = \"Nikos 'n0t' Totosis\"\n    description = \"Arkei stealer payload\"\n    triage_family = \"arkei\"\n    triage_tags = \"stealer\"\n\n  strings:\n    $c1 = \"/c timeout /t 5 & del /f /q \\\"%s\\\" & exit\" ascii\n    $c2 = \"bcdefghijklmnopqrstuvwxyz1234567890\" ascii\n\n    $s1 = \"%dx%d\" ascii\n    $s2 = \"%d/%d/%d %d:%d:%d\" ascii\n    $s3 = \"%s / %s\" ascii\n    $s4 = \"%d MB\" ascii\n    $s5 = \"UTC%d\" ascii\n    $s6 = \"JohnDoe\" ascii\n    $s7 = \"HAL9TH\" ascii\n\n  condition:\n    1 of ($c*) and 4 of ($s*)\n}"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 13 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

## Response headers

| Header | Description | Example |
|---|---|---|
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 13 Dec 2023 20:37:23 GMT |
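The update action and the use case above share one pitfall: a rejected rule text still renames the rule. The following is an added example, not the connector's or Recorded Future's own code, of an update that respects that behaviour. The PUT always carries both `name` and `rule`; if the server rejects the rule, the function knows the rule now lives under the new name with the old content, so it restores the old name with the last known-good text (which the caller must hold, for example from the version-controlled rule repository) and reports the failure. `FakeYaraStore` is a constructed simulation of the documented failure mode so the flow can be exercised offline; the `COMPILE_FAILED` error string, the 400 status and the rule-name character set are assumptions, not values from this page.

```python
"""Added example, not the connector's or Recorded Future's own code: a YARA rule
update that handles the 'name updated, content not' failure described on this page."""
import re
from typing import Callable, Dict, Tuple

# put(rule_name_in_path, json_body) -> (http_status, response_json); the real one is
# PUT /api/v0/yara/{rule_name} with the connector's Authorization header.
Put = Callable[[str, dict], Tuple[int, dict]]

RULE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")  # assumed; keeps names path-safe


def yara_update_body(name: str, rule: str) -> dict:
    """Both fields are mandatory on every update, even when only one of them changes."""
    if not RULE_NAME.match(name):
        raise ValueError(f"rule name {name!r} is not path-safe")
    if not rule.strip() or "condition:" not in rule:
        raise ValueError("rule text must be a complete YARA rule (no condition block found)")
    return {"name": name, "rule": rule}


def update_rule_safely(put: Put, current_name: str, current_rule: str,
                       new_name: str, new_rule: str) -> dict:
    """Returns {'ok': bool, 'name': <name the rule is stored under now>, 'error': str|None}."""
    status, body = put(current_name, yara_update_body(new_name, new_rule))
    if status == 200:
        return {"ok": True, "name": new_name, "error": None}
    # Documented failure mode: the rename took effect, the content did not. Roll the
    # name back with text that is known to compile, then surface the error to the caller.
    rollback_status, _ = put(new_name, yara_update_body(current_name, current_rule))
    name_now = current_name if rollback_status == 200 else new_name
    return {"ok": False, "name": name_now, "error": body.get("error") or f"HTTP {status}"}


class FakeYaraStore:
    """Constructed simulation of PUT /api/v0/yara/{rule_name} with the page's caveat:
    a rule that fails to 'compile' (here: any text containing 'syntax error') is
    rejected, but the rename is applied anyway and the old text is kept."""

    def __init__(self, rules: Dict[str, str]):
        self.rules = dict(rules)

    def put(self, path_name: str, body: dict) -> Tuple[int, dict]:
        if path_name not in self.rules:
            return 404, {"error": "NOT_FOUND"}
        old = self.rules.pop(path_name)
        if "syntax error" in body["rule"]:
            self.rules[body["name"]] = old          # name updated, content unchanged
            return 400, {"error": "COMPILE_FAILED"}
        self.rules[body["name"]] = body["rule"]
        return 200, {}


GOOD_RULE = 'rule family_arkei {\n  strings:\n    $s = "HAL9TH" ascii\n  condition:\n    $s\n}'
BAD_RULE = 'rule family_arkei {\n  strings:\n    $s = "HAL9TH" ascii\n  condition:\n    syntax error $s\n}'


def demo() -> Tuple[dict, dict, Dict[str, str]]:
    """A good update followed by a failing one against the fake store."""
    store = FakeYaraStore({"arkei.yara": GOOD_RULE})
    good = update_rule_safely(store.put, "arkei.yara", GOOD_RULE, "arkei-v2.yara", GOOD_RULE + "\n")
    bad = update_rule_safely(store.put, "arkei-v2.yara", GOOD_RULE + "\n", "arkei-v3.yara", BAD_RULE)
    return good, bad, store.rules
```

Without the rollback, the second call would leave a rule called `arkei-v3.yara` that still contains the v2 logic, and any retry addressed to `arkei-v2.yara` would fail with a not-found error; the returned `name` tells the playbook which name to use next.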