Trellix Sandbox
Version: 1.0.0
Trellix Sandbox (formerly FireEye Detection on Demand) is a cloud-based malware analysis service that provides automated threat detection and analysis capabilities.
Connect Trellix Sandbox
- Navigate to Automations > Integrations.
- Search for Trellix Sandbox.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- API Key: API key for Trellix Sandbox. It should have all the necessary permissions.
- Base URL: Base URL for Trellix Sandbox API (Example: 'https://feapi.marketplace.apps.fireeye.com' without quotes).
- After you've entered all the details, click Connect.
Actions for Trellix Sandbox
Submit File for Analysis
Submit a single file for malware analysis. Files must be less than 50 MB.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
File Id | Jinja-templated text containing the file ID you want to submit for analysis. | Required |
Custom File Name | Jinja-templated text containing the custom name for the submitted file to be used in the report. If not provided, the original filename will be used. | Optional |
Password | Jinja-templated text containing the password to be used by the detection engine to decrypt a password protected file. | Optional |
Param | Jinja-templated text containing the command line parameter(s) to be used by the detection engine when running the file. Mainly applicable to .exe files. For example, setting param to "start -h localhost -p 5555" will make the detection engine run a file named "malicious.exe" as "malicious.exe start -h localhost -p 5555". | Optional |
Extract Screenshot | Extract screenshot of screen activity during dynamic analysis if enabled. Default is False | Optional |
Extract Video | Extract video activity during dynamic analysis if enabled. Default is False | Optional |
Extract Dropped Files | Extract dropped files from VM during dynamic analysis if enabled. Default is False | Optional |
Extract Memory Dump | Extract memory dump files from VM during dynamic analysis if enabled. Default is False | Optional |
Extract PCAP | Extract PCAP files from VM during dynamic analysis if enabled. Default is False | Optional |
Analysis Mode | Analysis mode for submission (sandbox or live). Default is Sandbox | Optional |
VM Profiles | Jinja-templated JSON containing the profiles to be used for dynamic analysis. Example: ['win7x64-sp1m', 'win7-sp1m'] | Optional |
Force Analysis | Force submission for this file even if found as duplicate. Default is False | Optional |
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
Submit URLs for Analysis
Submit one or more URLs for analysis. The limit is 5 URLs in a single call.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
URLs | Jinja-templated JSON containing the list of URLs to submit for analysis in the form of ['url1','url2',...]. Maximum of 10 URLs allowed. | Required |
Extract Screenshot | Extract screenshot of screen activity during dynamic analysis if enabled. Default is False | Optional |
Extract Video | Extract video activity during dynamic analysis if enabled. Default is False | Optional |
Extract Dropped Files | Extract dropped files from VM during dynamic analysis if enabled. Default is False | Optional |
Extract Memory Dump | Extract memory dump files from VM during dynamic analysis if enabled. Default is False | Optional |
Extract PCAPs | Extract PCAP files from VM during dynamic analysis if enabled. Default is False | Optional |
Force Analysis | Force submission for this URL even if found as duplicate. Default is False | Optional |
Analysis Mode | Jinja-templated text containing the analysis mode for submission (live). If the analysis mode is set to live, VM profiles must be provided. | Optional |
VM Profiles | Jinja-templated JSON containing the profiles to be used if analysis_mode is set to live. Example: ['win7x64-sp1m', 'win7-sp1m'] | Optional |
Enable Prefetch | Download and analyze any file that the URL points to. Default is False | Optional |
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
Get Report by Connector and File ID
Get a single report by connector and file ID. Used as an alternate way to find a report that was submitted by a configured connector.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Connector Type | The type of connector for which you want to search using file_id. | Required |
File ID | Jinja-templated text containing the file ID to search for a specific connector. | Required |
Extended Report | Setting extended to true will allow you to see all malware engine reports. | Optional |
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
Get Report by ID
Get a single report by its report ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Report ID | Jinja-templated text containing the report ID. | Required |
Extended Report | Setting extended to true will allow you to see all malware engine reports. | Optional |
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
Get Report by Hash
Get a single report by MD5 or SHA256 hash.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Hash Value | Jinja-templated text containing the MD5 or SHA256 hash of a submitted file. | Required |
Extended Report | Setting extended to true will allow you to see all malware engine reports. | Optional |
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
Get Presigned URL
Get a presigned URL link to a browser viewable report.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Report ID | Jinja-templated text containing the report ID | Required |
Expiry (Hours) | Expiry (in hours) for browser viewable report presigned URL link. Default value is 72 hours. Minimum is 1 hour, and maximum is 8760 hours (365 days). | Optional |
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
Get Hash Analysis Results
Get hash analysis results by MD5 hash.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Hash ID | Jinja-templated text containing the MD5 hash of a file you would like to request the malware analysis results for. | Required |
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
Get Extended Hash Analysis Results
Get hash analysis results by MD5 or SHA256 hash.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Hash Value | Jinja-templated text containing the MD5 or SHA256 hash of a file you would like to request the malware analysis results for. | Required |
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
Get Artifacts
Get artifacts for a given report ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Report ID | Jinja-templated text containing the report ID. | Required |
Artifact UUID | Jinja-templated text containing the artifact UUID. A submitted sample can have more than one artifact; each artifact has its own UUID, which is reported as part of the reports API. | Optional |
Artifact Type | Type of artifact to download. | Required |
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
Get Telemetry Data
Pull results metadata in batches for a given time interval.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Batch Size | Count of records requested. Default value is 1000. | Optional |
Submission Type | Type of submissions to fetch. Default is All | Optional |
Starting Index | Starting index for pagination. Default is 0. | Optional |
Time Field | Field to use for start_time and end_time. | Optional |
Start Time (Epoch) | Epoch Timestamp for starting time. | Optional |
End Time (Epoch) | Epoch Timestamp for ending time. | Optional |
Connector Type | Connector type to filter on. Default is 'all'; use 'api' to get API submissions. | Optional |
Include IOC Information | Return IOC information along with telemetry metadata. Default is False | Optional |
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
Get Health Status
Get health status of service, subscription and API key.
Input Field
Choose a connection that you have previously created.
Output
JSON containing the following items:
{
"result": {},
"error": null,
"has_error": false
}
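The limits above (file size, URLs per call, live mode needing VM profiles, MD5/SHA256 hashes, presigned URL expiry) are easy to get wrong in a Jinja-templated playbook, so the following added example checks an action's inputs before the action runs and unwraps the documented result/error/has_error output envelope. This is illustrative code written for this page, not LogicHub's or Trellix's own code; the http(s) scheme check and the reading of 50 MB as 50 * 1024 * 1024 bytes are assumptions.

```python
import re

# Limits taken from the action descriptions above (50 MB read as MiB is an assumption).
MAX_FILE_BYTES = 50 * 1024 * 1024       # Submit File: "Files must be less than 50 MB"
MAX_URLS_PER_CALL = 5                   # Submit URLs: "The limit is 5 URLs in a single call"
MIN_EXPIRY_HOURS, MAX_EXPIRY_HOURS = 1, 8760   # Get Presigned URL: 1 hour .. 365 days
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$", re.IGNORECASE)  # MD5 or SHA256

def check_file_submission(size_bytes, analysis_mode="sandbox"):
    """Problems with a Submit File input set; an empty list means it can be submitted."""
    problems = []
    if size_bytes >= MAX_FILE_BYTES:
        problems.append(f"file is {size_bytes} bytes; must be less than 50 MB")
    if analysis_mode.lower() not in ("sandbox", "live"):
        problems.append(f"unknown Analysis Mode {analysis_mode!r}; expected sandbox or live")
    return problems

def check_url_submission(urls, analysis_mode=None, vm_profiles=None):
    """Problems with a Submit URLs input set (urls is the parsed list from the URLs field)."""
    problems = []
    if not urls:
        problems.append("at least one URL is required")
    if len(urls) > MAX_URLS_PER_CALL:
        problems.append(f"{len(urls)} URLs given; limit is {MAX_URLS_PER_CALL} per call")
    for url in urls:  # scheme check is an assumption, not a documented rule
        if not url.lower().startswith(("http://", "https://")):
            problems.append(f"not an http(s) URL: {url!r}")
    if analysis_mode == "live" and not vm_profiles:
        problems.append("Analysis Mode 'live' needs VM Profiles")
    return problems

def check_hash_lookup(value):
    """Get Report by Hash / Get Extended Hash Analysis Results accept MD5 or SHA256 only."""
    return [] if HEX_HASH.match(value.strip()) else [f"{value!r} is not an MD5 or SHA256 digest"]

def check_presigned_expiry(hours=72):
    """Get Presigned URL: expiry must lie within 1..8760 hours (default 72)."""
    if MIN_EXPIRY_HOURS <= hours <= MAX_EXPIRY_HOURS:
        return []
    return [f"expiry {hours}h is outside {MIN_EXPIRY_HOURS}-{MAX_EXPIRY_HOURS}h"]

def unwrap_result(response):
    """Return 'result' from the documented {result, error, has_error} output; raise on error."""
    if response.get("has_error"):
        raise RuntimeError(f"Trellix Sandbox action failed: {response.get('error')}")
    return response.get("result", {})
```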
Release Notes
v1.0.0
- Initial release