Recorded Future Sandbox - Searching & Tags

In the “Reports” section, Recorded Future Sandbox provides a dedicated search area, opened from the “Search” tab, that lets users look for specific reports based on various characteristics:

[Image: Recorded_Future_Sandbox_-_Searching___Tags_-_1.png (the Search tab in the Reports section)]

Logic Operators

Most operators can be combined using basic logic operators to better filter/refine the results. Triage supports the following logic:

[Image: Recorded_Future_Sandbox_-_Searching___Tags_-_2.png (logic operators supported by Triage)]

Examples

[Image: Recorded_Future_Sandbox_-_Searching___Tags_-_3.png (example queries combining logic operators)]

Search Operators

Each operator below is listed with what it searches on, details of its behaviour, and example queries.

File Hash

Search based on the hash of a sample using one of the supported operators:

  • md5
  • sha1
  • sha256
  • sha512

Note: in the web UI it is not necessary to define an operator for hash lookups. However, it is recommended to define it explicitly in API requests.

Examples:

  md5:2dc87224ef9349f4b281f11fb43ed3f4
  sha1:5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

Family

Search based on the family tag assigned by Triage after analysis.

Examples:

  family:emotet
  NOT family:emotet
  family:gozi_ifsb

Tags

Search for analyses with a specific behaviour tag applied (see "Available Tags" below for more details).

Examples:

  tag:ransomware
  tag:miner

Platform/OS

Filter for Android or Linux analyses. This uses the tag operator, as above.

Examples:

  tag:android
  tag:linux

Extracted C2 Data

Search for URLs/domains/IPs dumped by Triage configuration extractors. Multiple fields are supported:

  • url
  • domain
  • ip

Note: defining the operator is not required by Triage, but it is recommended where possible when using the API, to reduce the chance of misidentification in an automated setup.

Examples:

  url:cloudinoren.club
  ip:212.186.191.177
  domain:smtp.globaloffs-site.com

Cryptocurrency Wallets

Search based on cryptocurrency wallet addresses dumped by Triage configuration extractors (e.g. from ransom notes).

Example:

  wallet:398sW5eMDvyr93CJHKRD3eYE9vK5ELVrHP

Date and/or Time of Analysis

Filter analyses based on the time/date at which behavioural analysis was completed. Note that if a sample does not have any behavioural tasks (e.g. because it is an unsupported file type, or because it was only submitted to the static phase), the task does not count as complete and the sample will not be returned in these results.

Operators:

  • from
  • to

Dates and times are supported in the yyyy-mm-dd HH:MM:SS format; the examples below separate date and time with a T, as in ISO 8601, and also show that a date or a year-month on its own is accepted. The operators can be used together to define a period of time.

Examples:

  from:2021-05-01T10:59:00
  from:2021-05-01 to:2021-05-31
  from:2021-05 to:2021-06-01T23:59:00
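The notes above recommend naming the hash operator and the C2 field explicitly when the search is driven from the API, and the from:/to: examples show two spellings of a timestamp. The following Python helper, an added example written for this page and not Recorded Future or Triage code, builds query strings from the syntax documented above. Its assumptions: the hash operator is chosen from the digest length (32, 40, 64 or 128 hex characters for md5, sha1, sha256, sha512), terms are joined with single spaces as the page's from:/to: example does, exclusions are written as NOT term as in NOT family:emotet, and a bare hostname is sent to domain: while anything with a scheme or path goes to url: (the page's own url:cloudinoren.club shows a bare host under url: is also valid, so this split is a convention of the example).

```python
import ipaddress
import re
from datetime import datetime
from typing import Iterable, Optional

# Hash operators listed on the page, keyed by hex-digest length. Choosing the
# operator from the length is this example's assumption, not a Triage rule.
HASH_OPERATORS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
_HEX = re.compile(r"^[0-9a-f]+$")
# Loose hostname check (assumption): dotted labels ending in an alphabetic TLD.
_HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")
# Date/time spellings accepted here: the page states yyyy-mm-dd HH:MM:SS, and
# its examples use a T separator as well as date-only and year-month forms.
_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%Y-%m")


def is_supported_hash(value: str) -> bool:
    """True if value is a hex digest of md5/sha1/sha256/sha512 length."""
    v = value.strip().lower()
    return bool(_HEX.match(v)) and len(v) in HASH_OPERATORS


def hash_term(value: str) -> str:
    """Return an explicit hash term such as md5:<digest>.

    The web UI infers the operator, but the page recommends setting it in
    API requests; here it is picked from the digest length.
    """
    v = value.strip().lower()
    if not is_supported_hash(v):
        raise ValueError(f"not a supported hash digest: {value!r}")
    return f"{HASH_OPERATORS[len(v)]}:{v}"


def c2_term(indicator: str) -> str:
    """Return ip:/url:/domain: for an extracted C2 indicator (heuristic)."""
    v = indicator.strip()
    try:
        ipaddress.ip_address(v)          # IPv4 or IPv6 literal
        return f"ip:{v}"
    except ValueError:
        pass
    if "://" in v or "/" in v:           # scheme or path present: treat as URL
        return f"url:{v}"
    if _HOSTNAME.match(v.lower()):       # bare hostname: use the domain field
        return f"domain:{v.lower()}"
    raise ValueError(f"unrecognised C2 indicator: {indicator!r}")


def _parse_when(text: str):
    """Parse one time bound; returns (datetime, had_time_component)."""
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt), "%H" in fmt
        except ValueError:
            continue
    raise ValueError(f"unrecognised date/time: {text!r}")


def time_range(start: Optional[str] = None, end: Optional[str] = None) -> str:
    """Build from:/to: terms, normalising timestamps to the T-separated form
    used in the page's examples and rejecting an inverted range."""
    terms, bounds = [], []
    for op, text in (("from", start), ("to", end)):
        if text is None:
            continue
        text = text.strip()
        when, has_time = _parse_when(text)
        bounds.append(when)
        value = when.strftime("%Y-%m-%dT%H:%M:%S") if has_time else text
        terms.append(f"{op}:{value}")
    if len(bounds) == 2 and bounds[0] > bounds[1]:
        raise ValueError("from: bound is later than to: bound")
    return " ".join(terms)


def build_query(include: Iterable[str], exclude: Iterable[str] = ()) -> str:
    """Join terms with spaces and prefix exclusions with NOT, following the
    page's 'NOT family:emotet' and 'from:... to:...' examples."""
    parts = list(include) + [f"NOT {t}" for t in exclude]
    if not parts:
        raise ValueError("query needs at least one term")
    return " ".join(parts)


if __name__ == "__main__":
    # Values below are the page's own examples.
    print(build_query([hash_term("2dc87224ef9349f4b281f11fb43ed3f4")]))
    print(build_query(["tag:ransomware", c2_term("212.186.191.177")],
                      exclude=["family:emotet"]))
    print(build_query([time_range("2021-05", "2021-06-01T23:59:00")]))
```

The validation is the useful part for an automated pipeline: a digest of the wrong length, an indicator that is neither an IP, URL nor hostname, or a from: later than its to: is rejected before a malformed query reaches the API, rather than silently returning nothing.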

 

Available Tags

Below is a list of all the currently available tags used in Triage signatures. They can be used in search queries with the tag: selector.

[Image: Recorded_Future_Sandbox_-_Searching___Tags_-_4.png (list of available tags)]
