Q: What is the limit of submissions that a client having TI/SecOps license gets for Recorded Future Sandbox
Answer: The maximum allowed number of sandbox analysis jobs/tasks per enterprise per day is 1,000.
Q: What are the data points that Recorded Future collects and shares with other customers from the analysis of samples submitted by users of TI/SecOps licenses?
Answer: Full details of the data points are presented here: https://support.recordedfuture.com/hc/en-us/articles/10000318283283-Recorded-Future-Sandbox-Data-sharing
Q: What is the Recorded Future retention policy for the files that are analyzed?
Answer: Files are retained until the end of your contract OR if a user deletes it by themselves or requests Recorded Future to do so. Files stored on the Sandbox servers are never shared elsewhere.
Q: Do any personnel from Recorded Future have access to the files?
Answer: Yes. Our system admins can access the servers that hold the files/analysis results but there are policies around what they can do. Only our 3 most senior engineers have access to the servers. The only other case in which limited Recorded Future personnel will get access is when working on a support ticket submitted by the client.
Q: If a Recorded Future user has access, can that user open and view the content?
Answer: Yes.
Q: Is API access free for the Sandbox?
Answer: Sandbox API access is included when you purchase the Threat Intelligence or SecOps module.
Q: How do I access the API?
Answer: You can find the key under “API Access” at: https://sandbox.recordedfuture.com/account. Detailed steps can be found in this support article.
Q: What happens if an enterprise hits the 1k limit for malware sandbox submissions per day?
Answer: Your daily quota is actually enforced on a monthly basis with a grace of 10% overage on the month. Service is not blocked unless your usage extends past the point of the allowed monthly overage.
Q: How (in what order) do entries appear for the Files, Registry and Processes tabs?
Answer: All files appear in chronological order. If you want to work out the actual timeline, you should be able to access timestamps with the API version of those logs.
Q: Can I submit a password-protected file for analysis?
Answer: Yes, see this article for instructions on submitting a password-protected file via the API.
Q: Is there a file size limit for the Sandbox?
Answer: 3 GB; 1 GB for archives.
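The limits stated in the answers above (the 1,000 jobs per day quota that is enforced monthly with a 10% grace, the 3 GB file limit and the 1 GB archive limit) are the things an automated pipeline feeding the sandbox should check before it submits anything, so that a batch of samples fails locally rather than being rejected or eating into the month's allowance. The Python below is an added example, not Recorded Future's code. It assumes the FAQ's "GB" means 1024**3 bytes, recognises archives only by a handful of standard magic numbers, and uses a constructed submission log; the API request itself is left to the support article linked in the API answer.

```python
import calendar
from datetime import date

# Limits as stated in the FAQ above.
DAILY_QUOTA = 1000             # sandbox jobs per enterprise per day
MONTHLY_GRACE_PERCENT = 10     # 10% overage tolerated on the month
GB = 1024 ** 3                 # assumption: the FAQ's "GB" is read as 1024**3 bytes
MAX_FILE_BYTES = 3 * GB        # general file size limit
MAX_ARCHIVE_BYTES = 1 * GB     # archives are limited to 1 GB

# Standard magic numbers for the archive formats this gate recognises.
ARCHIVE_MAGIC = (
    b"PK\x03\x04",             # ZIP
    b"7z\xbc\xaf\x27\x1c",     # 7-Zip
    b"Rar!\x1a\x07",           # RAR
    b"\x1f\x8b",               # gzip
)


def is_archive(header: bytes) -> bool:
    """True if the first bytes of a file match one of the known archive signatures."""
    return any(header.startswith(magic) for magic in ARCHIVE_MAGIC)


def check_size(size_bytes: int, archive: bool) -> tuple[bool, str]:
    """Apply the FAQ's size limits: 3 GB for ordinary files, 1 GB for archives."""
    limit = MAX_ARCHIVE_BYTES if archive else MAX_FILE_BYTES
    if size_bytes > limit:
        kind = "archive" if archive else "file"
        return False, f"{kind} is {size_bytes / GB:.2f} GB, over the {limit // GB} GB limit"
    return True, "ok"


def monthly_allowance(year: int, month: int) -> int:
    """Daily quota accumulated over the month, plus the 10% grace the FAQ describes.

    Integer arithmetic is used so the result is exact (e.g. Feb 2024: 29 days -> 31,900).
    """
    days = calendar.monthrange(year, month)[1]
    return DAILY_QUOTA * days * (100 + MONTHLY_GRACE_PERCENT) // 100


def submissions_this_month(log: list[date], year: int, month: int) -> int:
    """Count the submissions recorded for the given month in a local submission log."""
    return sum(1 for d in log if d.year == year and d.month == month)


def may_submit(log: list[date], year: int, month: int,
               header: bytes, size_bytes: int) -> tuple[bool, str]:
    """Combined pre-flight gate: size limit first, then the remaining monthly allowance."""
    ok, reason = check_size(size_bytes, is_archive(header))
    if not ok:
        return False, reason
    used = submissions_this_month(log, year, month)
    allowance = monthly_allowance(year, month)
    if used >= allowance:
        return False, f"monthly allowance exhausted ({used}/{allowance})"
    return True, f"{allowance - used} submission(s) left this month"


# Constructed sample log: 31,899 submissions spread across February 2024,
# one short of that month's allowance of 31,900.
SAMPLE_LOG = [date(2024, 2, 1 + i % 29) for i in range(31899)]

if __name__ == "__main__":
    pe_header = b"MZ\x90\x00"                 # constructed: start of a PE file
    print(may_submit(SAMPLE_LOG, 2024, 2, pe_header, 2 * GB))
    print(may_submit(SAMPLE_LOG, 2024, 2, b"PK\x03\x04", 2 * GB))
    print(may_submit(SAMPLE_LOG + [date(2024, 2, 29)], 2024, 2, pe_header, 1024))
```

The log here is an in-memory list; in a real pipeline it would be whatever record of past submissions the automation already keeps. The 10% grace is applied to the whole month's allowance rather than per day, which is how the FAQ says the quota is actually enforced.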
Q: Where is the Sandbox hosted?
Answer: The Sandbox is currently hosted in the EU.
Q: Can the Sandbox be hosted in the United States?
Answer: The Enterprise Sandbox can be hosted in the US, which can be requested during onboarding. The sandbox that is included with the Threat and SecOps Intelligence modules cannot be hosted in the US at this time.
Q: Can we designate access to a specific file and its content to a specific individual? If so, for how long is this event history retained?
Answer: Yes. Files are retained until the end of your contract OR if a user deletes it by themselves or requests Recorded Future to do so.
Q: Is the Sandbox environment snapshotted and flushed for every usage?
Answer: Yes. The VMs used are totally destroyed after each analysis and then respawned from a stored snapshot.
Q: What Office software is pre-installed in the Windows VMs?
Answer:
- Windows 10: Office 2019 with Word, Excel and PowerPoint
- Windows 7: Office 2010 with Access, Excel, InfoPath Designer/Filler, OneNote, Outlook, PowerPoint, Publisher, SharePoint, Word
Q: What is the upper limit of time for extending the runtime of a VM environment (Beyond the current max execution time range of 30 mins)?
Answer: You can use the Extend analysis option 15 times, so the total is timeout+15 minutes, with the maximum being 45 minutes.
Q: What downtime is typically required by the Triage team for upgrading the VM environment?
Answer: There is no associated downtime; updates are done in such a way as to ensure that there is no noticeable effect to the service.
Q: Can we extract the process tree dump from a running VM?
Answer: Data is only available once the analysis is complete.
Q: Can we restrict deletion of the reports functionality only to the admin users?
Answer: This is the default behavior with the Enterprise version, but it is not available with the sandbox that is included with Threat and SecOps Intelligence.
Q: When a URL is extracted from a malicious file (e.g., a PDF), does Recorded Future automatically detonate the URL?
Answer: No, we do not automatically detonate those URLs. We track any execution that starts automatically, but do not trigger them ourselves.
Q: Can an enterprise user request creation of a custom VM environment?
Answer: No, we do not support custom VM images at this time.
Q: Can all organization samples be seen by any user with a sandbox account in that organization?
Answer: For the default Threat/SecOps Intelligence Sandbox, the answer is yes. The Private Enterprise Sandbox has additional options for user access restrictions.
Q: What is the MacOS admin password?
Answer: The password is root.
Q: Is there an option to specify IP/region?
Answer: Not currently, but this request has been noted.
Q: Can full emails be submitted to and opened in the Sandbox?
Answer: Email filetypes are supported as an unpackable archive, but there is not an option to interact with an email on the machine (i.e., we detect and extract URLs and attachments but do not open the email itself).
Q: Why does the same sample sometimes get a different verdict on a different day?
Answer: The sandbox only scores bad behavior, not the signature on the sample. If it detects bad behavior one day and doesn't on the next, the scores will reflect that. For example, the threat actor might take countermeasures (e.g., blocking the sandbox IP from connecting to their infrastructure); the sample may have a C2 configured inside it that has changed, so the malicious infrastructure has changed; or the sample might not have been properly configured for the detonation (e.g., not reconfigured for Windows 10).