Cisco ThreatGrid

Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. With a robust, context-rich malware knowledge base, you will understand what malware is doing, or attempting to do, how large a threat it poses, and how to defend against it.

Integration with LogicHub

Connecting with Cisco ThreatGrid

To connect to Cisco ThreatGrid, the following details are required:

Actions with Cisco ThreatGrid

File Analysis

Submits a file to Threat Grid for analysis and waits for completion. Analysis may take some time, so configure an appropriate timeout and multi-threading options.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • FILE ID: Column name that contains LogicHub file id to be submitted for analysis.
  • FILE NAME: Column name that contains file name to be submitted. The filename should be with an extension. Example: myfile.csv or test.exe.
  • VM NAME (Optional): Name of the VM to use for analysis. Example: win7-x64 (Windows 7 64-bit). By default, ThreatGrid selects the best VM based on the properties of the submitted sample (file). This supports Jinja template input.
  • PRIVATE (Optional): Select to mark the sample private. Default is True.
  • TAGS (Optional): Comma-separated list of tags applied to this sample. This supports Jinja template input. Example: test, 123, {{some_name}}.
  • PLAYBOOK (Optional): Name of a ThreatGrid playbook to apply to this sample run. To run nothing put "none". By default, it runs the default playbook configured in ThreatGrid. This supports Jinja template input.
  • POLL INTERVAL (Optional): Poll Interval in seconds. It controls how frequently to check if the analysis is complete. The default is 20 seconds.

Output of Action
JSON containing a link to the analysis report:

{
    "lh_report_url": "https://panacea.threatgrid.com/api/v2/samples/53c675af6176f5946e562ad7330565eb/report.html",
    "sample_id": "53c675af6176f5946e562ad7330565eb",
    "error": null,
    "has_error": false
}

URL Analysis

Submits a URL to Threat Grid for analysis and waits for completion. Analysis may take some time, so configure an appropriate timeout and multi-threading options.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • URL: Column name that contains URL to be submitted.
  • VM NAME (Optional): Name of the VM to use for analysis. Example: win7-x64 (Windows 7 64-bit). By default, ThreatGrid selects the best VM based on the properties of the submitted sample (URL). This supports Jinja template input.
  • PRIVATE (Optional): Select to mark the sample private. Default is True.
  • TAGS (Optional): Comma-separated list of tags applied to this sample. This supports Jinja template input. Example: test, 123, {{some_name}}.
  • PLAYBOOK (Optional): Name of a ThreatGrid playbook to apply to this sample run. To run nothing put "none". By default, it runs the default playbook configured in ThreatGrid. This supports Jinja template input.
  • POLL INTERVAL (Optional): Poll Interval in seconds. It controls how frequently to check if the analysis is complete. The default is 20 seconds.

Output of Action
JSON containing a link to the analysis report:

{
    "lh_report_url": "https://panacea.threatgrid.com/api/v2/samples/53c675af6176f5946e562ad7330565eb/report.html",
    "sample_id": "53c675af6176f5946e562ad7330565eb",
    "error": null,
    "has_error": false
}

Search Submissions

Search all public submission records. Use appropriate filter options to control and refine the search queries.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Jinja Template Start Time (Optional): Jinja templated text for start time (Default is Batch start time). Example: 2020-09-01T22:02:24-07:00.
  • Jinja Template End Time (Optional): Jinja templated text for end time (Default is Batch end time). Example: 2020-10-01T22:02:24-07:00.
  • Jinja Template Query (Optional): Jinja-templated text containing query to filter the search results. Example: {{query_column}}.
  • Organization Only (Optional): Select to restrict results to those submitted by the user's organization (Default is False).
  • User Only (Optional): Select to restrict results to those submitted by the user (Default is False).
  • Jinja Template Sort By (Optional): Jinja-templated text containing the fields by which results will be sorted. Example: {{sort_by_column}}.
  • Sort Order (Optional): Select to mark order of the results (Default is Descending).
  • State (Optional): Select the state of the sample (Default is All).
  • Jinja Template Term (Optional): Jinja-templated text containing comma-delimited list of strings which select groups of submission fields. Example: {{submission_field_column1}}, {{submission_field_column2}}.
  • Limit (Optional): Restrict the number of records returned (Default is 10000).

Output of Action
List of Submissions:

{
  "error": null,
  "has_error": false,
  "item": {
    "analysis": {
      "behaviors": [
        {
          "name": "antivirus-flagged-artifact",
          "threat": 72,
          "title": "Artifact Flagged by Antivirus"
        },
        {
          "name": "pe-encrypted-section",
          "threat": 9,
          "title": "Executable with Encrypted Sections"
        },
        {
          "name": "pe-header-timestamp-prior",
          "threat": 3,
          "title": "PE COFF Header Timestamp is Set to Date Prior to 1999"
        },
        {
          "name": "file-ini-modified",
          "threat": 35,
          "title": "Process Modified INI File"
        },
        {
          "name": "pe-section-shared",
          "threat": 24,
          "title": "PE Has Sections Marked Shareable"
        },
        {
          "name": "pe-tls-callback",
          "threat": 24,
          "title": "PE Contains TLS Callback Entries"
        },
        {
          "name": "modified-file-in-user-dir",
          "threat": 56,
          "title": "Process Modified File in a User Directory"
        },
        {
          "name": "pe-resource-lang-korean",
          "threat": 15,
          "title": "PE Resource Indicates Korean Origin"
        },
        {
          "name": "artifact-flagged-antianalysis",
          "threat": 64,
          "title": "Static Analysis Flagged Artifact As Anti-Analysis"
        },
        {
          "name": "hook-installed",
          "threat": 14,
          "title": "Hook Procedure Detected in Executable"
        },
        {
          "name": "pe-certificate-invalid-signing-date",
          "threat": 30,
          "title": "Executable Signing Date Invalid"
        },
        {
          "name": "artifact-flagged-vm",
          "threat": 56,
          "title": "Static Analysis Flagged Artifact As VM Aware"
        },
        {
          "name": "file-ini-read",
          "threat": 15,
          "title": "Process Read INI File"
        },
        {
          "name": "pe-uses-armadillo",
          "threat": 9,
          "title": "Executable Uses Armadillo"
        },
        {
          "name": "artifact-flagged-anomaly",
          "threat": 48,
          "title": "Static Analysis Flagged Artifact As Anomalous"
        },
        {
          "name": "antivirus-service-flagged-artifact-mid",
          "threat": 66,
          "title": "Artifact Flagged by Antivirus Engines"
        },
        {
          "name": "high-heuristic-score",
          "threat": 85,
          "title": "Specific Set Of Indicators Signaling High Likelihood of Maliciousness Detected"
        },
        {
          "name": "pe-filename-mismatch",
          "threat": 64,
          "title": "File Name of Executable on Disk Does Not Match Original File Name"
        },
        {
          "name": "imports-IsDebuggerPresent",
          "threat": 4,
          "title": "Executable Imported the IsDebuggerPresent Symbol"
        },
        {
          "name": "memory-execute-readwrite",
          "threat": 25,
          "title": "Potential Code Injection Detected"
        },
        {
          "name": "modified-executable",
          "threat": 60,
          "title": "Process Modified an Executable File"
        },
        {
          "name": "artifact-vm-detect",
          "threat": 72,
          "title": "Artifact With Virtual Environment Enumeration Detected"
        },
        {
          "name": "pe-certificate",
          "threat": 10,
          "title": "Executable Signed With Digital Certificate"
        },
        {
          "name": "created-executable-in-user-dir",
          "threat": 57,
          "title": "Process Created an Executable in a User Directory"
        }
      ],
      "metadata": {
        "analyzed_file": {
          "filename": "bdadfd07680c461a34ab09cc15.exe",
          "magic": "PE32 executable (GUI) Intel 80386, for MS Windows",
          "md5": "bdadfbc07680c461a34ab09cc15",
          "sha1": "b7faced14eaaf8652ed1efcd834e1d58e160",
          "sha256": "bd1393d1a67f054d7f312b40e0d3f8227a37db4a0e0ff32352",
          "size": 5937880,
          "type": "exe"
        },
        "general_details": {
          "report_created": "2021-03-30T14:53:53Z",
          "sandbox_id": "-",
          "sandbox_version": "pilot-d"
        },
        "malware_desc": [
          {
            "filename": "bdadfd8c07680c461a34ab09cc15.exe",
            "magic": "PE32 executable (GUI) Intel 80386, for MS Windows",
            "md5": "bdadfd8c07680c461a34ab09cc15",
            "sha1": "b7faced1eaaf8652ed1efcd834e1d58e160",
            "sha256": "bd1393d1a3084ae67367f054d7f312b40e0d3f8227a37db4a0e0ff32352",
            "size": 5937880,
            "type": "exe"
          },
          {
            "filename": "bdadfd8513b680c461a34ab09cc15",
            "magic": "PE32 executable (GUI) Intel 80386, for MS Windows",
            "md5": "bdadfd8507680c461a34ab09cc15",
            "sha1": "b7faced16c04eaaf8652ed1efcd834e1d58e160",
            "sha256": "bd1393d1a3084a367f054d7f312b40e0d3f8227a37db4a0e0ff32352",
            "size": 5937880,
            "type": "exe"
          }
        ],
        "sandcastle_env": {
          "analysis_end": "2021-03-30T14:53:53Z",
          "analysis_features": [],
          "analysis_start": "2021-03-30T14:46:50Z",
          "controlsubject": "-",
          "current_os": "7601.18798.amd64fre.win7sp1_gdr.150316-1654",
          "display_name": "Windows 7 64-bit",
          "run_time": 300,
          "sample_executed": 1617115665,
          "sandcastle": "-",
          "vm": "win7-x64",
          "vm_id": "061f2d9002d08c2113eb4027c082"
        },
        "submitted_file": {
          "filename": "bdadfd851c07680c461a34ab09cc15",
          "magic": "PE32 executable (GUI) Intel 80386, for MS Windows",
          "md5": "bdadfd8513680c461a34ab09cc15",
          "sha1": "b7faced16e4eaaf8652ed1efcd834e1d58e160",
          "sha256": "bd1393d1084ae6bc1b67367f054d7f312b40e0d3f8227a37db4a0e0ff32352",
          "size": 5937880,
          "type": "exe"
        }
      },
      "threat_score": 85
    },
    "filename": "bdadfd8513c07680c461a34ab09cc15",
    "login": null,
    "md5": "bdadfd8513b7680c461a34ab09cc15",
    "organization_id": null,
    "private": false,
    "sample": "061f2d2d08dcb5c2113eb4027c082",
    "sha1": "b7fac04eaaf8652ed1efcd834e1d58e160",
    "sha256": "bd1393d1a32b40e0d3f8227a37db4a0e0ff32352",
    "state": "succ",
    "status": "job_done",
    "submitted_at": "2021-03-30T14:46:46Z",
    "tags": [],
    "vm_runtime": 300
  },
  "matches": {},
  "score": 1000000
}
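The record above is what a downstream playbook step has to make a decision on. The following is an added example (not LogicHub's or Cisco's code) that triages one Search Submissions record of that shape: it treats has_error, a state other than "succ", and the threat_score plus behaviors fields in the order a SOAR step should check them. The threat thresholds, the verdict labels and the sample record (with placeholder hashes and sample id) are constructed for illustration; the report URL pattern follows the lh_report_url shown earlier on this page.

```python
# Added example: triage one ThreatGrid "Search Submissions" record (shape as on
# this page). Thresholds, verdict labels and the sample record are constructed.
from typing import Any, Dict, List

# Base of the report link, as shown in the lh_report_url output above.
REPORT_BASE = "https://panacea.threatgrid.com/api/v2/samples"

# Constructed record trimmed to the fields triage needs; hashes/ids are placeholders.
SAMPLE_RECORD: Dict[str, Any] = {
    "error": None,
    "has_error": False,
    "item": {
        "analysis": {
            "behaviors": [
                {"name": "antivirus-flagged-artifact", "threat": 72},
                {"name": "pe-header-timestamp-prior", "threat": 3},
                {"name": "high-heuristic-score", "threat": 85},
                {"name": "created-executable-in-user-dir", "threat": 57},
            ],
            "threat_score": 85,
        },
        "sample": "PLACEHOLDER_SAMPLE_ID",
        "sha256": "PLACEHOLDER_SHA256",
        "state": "succ",
        "status": "job_done",
    },
}


def triage(record: Dict[str, Any], min_threat: int = 50, malicious_score: int = 75) -> Dict[str, Any]:
    """Summarise one submission record for a playbook decision step.

    Verdicts: "error" when the action itself failed (has_error), "incomplete"
    when the sandbox run has not reached state "succ", otherwise "malicious"
    if threat_score >= malicious_score or any behavior scores >= min_threat,
    else "benign". Thresholds are illustrative, not ThreatGrid's own bands.
    """
    if record.get("has_error"):
        return {"verdict": "error", "error": record.get("error")}
    item = record["item"]
    if item.get("state") != "succ":
        return {"verdict": "incomplete", "state": item.get("state"), "status": item.get("status")}
    analysis = item.get("analysis", {})
    # Behaviors at or above the threshold, highest threat first.
    flagged: List[Dict[str, Any]] = sorted(
        (b for b in analysis.get("behaviors", []) if b.get("threat", 0) >= min_threat),
        key=lambda b: b["threat"], reverse=True,
    )
    score = analysis.get("threat_score", 0)
    return {
        "verdict": "malicious" if score >= malicious_score or flagged else "benign",
        "threat_score": score,
        "sha256": item.get("sha256"),
        "top_behaviors": [b["name"] for b in flagged],
        "report_url": f"{REPORT_BASE}/{item['sample']}/report.html",
    }
```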

Search Samples (Beta)

Single-term searches for a specific entity data type. Use appropriate filter options to control and refine the search queries.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Jinja Template Start Time (Optional): Jinja templated text for start time (Default is Batch start time). Example: 2020-09-01T22:02:24-07:00.
  • Jinja Template End Time (Optional): Jinja templated text for end time (Default is Batch end time). Example: 2020-10-01T22:02:24-07:00.
  • Jinja Template Query (Optional): Jinja-templated text containing query to filter the search results. Example: {{query_column}}.
  • Jinja Template Term (Optional): Jinja-templated text containing comma-delimited list of strings which select groups of submission fields. Example: {{submission_field_column1}}, {{submission_field_column2}}.

Output of Action
List Of Samples
