In the “Reports” section, Recorded Future Sandbox provides a dedicated search view, opened with the “Search” tab, that lets users look for specific reports based on various characteristics:
Logic Operators
Most operators can be combined using basic logic operators to better filter/refine the results. Triage supports the following logic:
Examples
Search Operators

| Search By | Details | Examples |
|---|---|---|
| File Hash | Search based on the hash of a sample using one of the supported operators. Note: in the web UI it is not necessary to define an operator for hash lookups; however, it is recommended to define it manually in API requests. | `md5:2dc87224ef9349f4b281f11fb43ed3f4`, `sha1:5ff465afaabcbf0150d1a3ab2c2e74f3a4426467` |
| Family | Search based on the family tag assigned by Triage after analysis. | `family:emotet`, `NOT family:emotet`, `family:gozi_ifsb` |
| Tags | Search for analyses with a specific behaviour tag applied (see "Available Tags" below for more details). | `tag:ransomware`, `tag:miner` |
| Platform/OS | Filter for Android or Linux analyses. Uses the tag operator as above. | `tag:android`, `tag:linux` |
| Extracted C2 Data | Search for URLs/domains/IPs dumped by Triage configuration extractors. Multiple fields are supported. Note: defining the operator is not required by Triage, but it is recommended where possible when using the API, to reduce the chance of misidentification in an automated setup. | `url:cloudinoren.club`, `ip:212.186.191.177`, `domain:smtp.globaloffs-site.com` |
| Cryptocurrency Wallets | Search based on cryptocurrency wallet addresses dumped by Triage configuration extractors (e.g. from ransom notes). | `wallet:398sW5eMDvyr93CJHKRD3eYE9vK5ELVrHP` |
| Date and/or Time of Analysis | Filter analyses based on the time/date at which behavioural analysis was completed. Note that if a sample does not have any behavioural tasks, e.g. because it is an unsupported file type or was only submitted to the static phase, then the task does not count as complete and will not be returned as part of these results. The operators are `from:` and `to:`, as in the examples. Dates and times are supported in the yyyy-mm-dd HH:MM:SS format. Operators can be used together to define periods of time. | `from:2021-05-01T10:59:00`, `from:2021-05-01 to:2021-05-31`, `from:2021-05 to:2021-06-01T23:59:00` |
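The notes above recommend spelling out the operator in API requests rather than relying on the web UI's bare-hash lookup. The following is an added example, not code from Recorded Future or the Triage project: a small query builder that picks the hash operator from the digest length, validates the other operator values so a stray space cannot split a query, formats `from:`/`to:` terms, and URL-encodes the result. It assumes that space-separated terms are ANDed, that `sha256:` works like `md5:`/`sha1:`, and the search endpoint URL is a placeholder, not a documented one; the example values are the page's own.

```python
"""Build Triage-style search queries from the operators documented above (added example)."""
import re
from datetime import datetime
from urllib.parse import urlencode

# Hash operators: md5 and sha1 appear on the page; sha256 is an assumption.
HASH_OPERATORS = {32: "md5", 40: "sha1", 64: "sha256"}
# Single-value operators documented on the page.
VALUE_OPERATORS = {"family", "tag", "url", "ip", "domain", "wallet"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Accepts yyyy-mm, yyyy-mm-dd or yyyy-mm-ddTHH:MM:SS, the shapes seen in the page's examples.
DATE_RE = re.compile(r"^\d{4}-\d{2}(-\d{2}(T\d{2}:\d{2}:\d{2})?)?$")


def hash_term(digest: str) -> str:
    """Return an explicit hash term such as 'md5:<hex>', choosing the operator by digest length.

    The web UI accepts a bare hash, but an explicit operator is what the page
    recommends for API requests, so the digest is validated and labelled here."""
    digest = digest.strip().lower()
    if not HEX_RE.match(digest) or len(digest) not in HASH_OPERATORS:
        raise ValueError(f"unrecognised hash length or characters: {digest!r}")
    return f"{HASH_OPERATORS[len(digest)]}:{digest}"


def term(operator: str, value: str) -> str:
    """Return 'operator:value' for the non-hash operators.

    Values must be a single token: whitespace would split the query into two terms."""
    if operator not in VALUE_OPERATORS:
        raise ValueError(f"unsupported operator: {operator!r}")
    value = value.strip()
    if not value or any(ch.isspace() for ch in value):
        raise ValueError(f"operator values must be a single token: {value!r}")
    return f"{operator}:{value}"


def _stamp(when) -> str:
    """Accept a datetime or an already-formatted string matching the page's date shapes."""
    if isinstance(when, datetime):
        return when.strftime("%Y-%m-%dT%H:%M:%S")
    if isinstance(when, str) and DATE_RE.match(when):
        return when
    raise ValueError(f"bad date/time: {when!r}")


def time_range(start=None, end=None) -> str:
    """Return 'from:... to:...' terms bounding the completion time of behavioural analysis."""
    parts = []
    if start is not None:
        parts.append("from:" + _stamp(start))
    if end is not None:
        parts.append("to:" + _stamp(end))
    if not parts:
        raise ValueError("time_range needs a start and/or an end")
    return " ".join(parts)


def build_query(include=(), exclude=()) -> str:
    """Join terms into one query string.

    Assumption: space-separated terms are ANDed; exclusions use the 'NOT family:...'
    form shown in the Family row of the table."""
    include = list(include)
    exclude = list(exclude)
    if not include and not exclude:
        raise ValueError("empty query")
    return " ".join(include + [f"NOT {t}" for t in exclude])


def search_url(query: str, base: str = "https://sandbox.example.invalid/api/v0/search") -> str:
    """URL-encode the query as a 'query' parameter.

    The default base URL is a placeholder, not a documented Recorded Future endpoint."""
    return base + "?" + urlencode({"query": query})


if __name__ == "__main__":
    # Constructed lookup: ransomware analyses that extracted a given C2 domain,
    # completed during May 2021, excluding one family. Values are the page's examples.
    q = build_query(
        include=[
            term("tag", "ransomware"),
            term("domain", "smtp.globaloffs-site.com"),
            time_range("2021-05-01", datetime(2021, 5, 31, 23, 59, 0)),
        ],
        exclude=[term("family", "emotet")],
    )
    print(q)
    print(search_url(q))
    print(hash_term("2dc87224ef9349f4b281f11fb43ed3f4"))
```

Because `hash_term` rejects anything that is not a 32-, 40- or 64-character hex string, an automated pipeline fails loudly on a mangled or truncated hash instead of silently submitting a bare token that the service might match against some other field.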
Available Tags
Below is a list of all the currently available tags used in Triage signatures. They can be used in search queries with the tag: selector.