Recorded Future Sandbox - API - The Overview Report

Secops_threat.pngThis is the Go structure definition of the Overview JSON report that Triage generates.

This report can be fetched through the /samples/{sampleID}/overview.json endpoint.

type(
    OverviewReport struct{
        Version    string`json:"version"`
        Sample     OverviewSample      `json:"sample"`
        Tasks      []TaskSummary       `json:"tasks,omitempty"`
        Analysis   OverviewAnalysis    `json:"analysis"`
        Targets    []OverviewTarget    `json:"targets"`
        Errors     []ReportedFailure   `json:"errors,omitempty"`
        Signatures []Signature         `json:"signatures,omitempty"`
        Extracted  []OverviewExtracted `json:"extracted,omitempty"`}
    OverviewSample struct{
        TargetDesc
        Created   time.Time     `json:"created"`
        Completed time.Time     `json:"completed"`
        IOCs      *OverviewIOCs `json:"iocs,omitempty"`}
    TaskSummary struct{
        Sample   string`json:"sample"`
        Kind     string`json:"kind,omitempty"`
        Name     string`json:"name,omitempty"`
        Status   string`json:"status,omitempty"`
        TTP      []string`json:"ttp,omitempty"`
        Tags     []string`json:"tags,omitempty"`
        Score    int`json:"score,omitempty"`
        Target   string`json:"target,omitempty"`
        Backend  string`json:"backend,omitempty"`
        Resource string`json:"resource,omitempty"`
        Platform string`json:"platform,omitempty"`
        TaskName string`json:"task_name,omitempty"`
        Failure  string`json:"failure,omitempty"`
        QueueID  int64`json:"queue_id,omitempty"`
        Pick     string`json:"pick,omitempty"`}
    OverviewAnalysis struct{
        Score  int`json:"score"`
        Family []string`json:"family,omitempty"`
        Tags   []string`json:"tags,omitempty"`}
    OverviewTarget struct{
        Tasks []string`json:"tasks"`
        TargetDesc
        Tags       []string`json:"tags,omitempty"`
        Family     []string`json:"family,omitempty"`
        Signatures []Signature   `json:"signatures"`
        IOCs       *OverviewIOCs `json:"iocs,omitempty"`}
    ReportedFailure struct{
        Task    string`json:"task,omitempty"`
        Backend string`json:"backend,omitempty"`
        Reason  string`json:"reason"`}
    OverviewExtracted struct{
        Tasks []string`json:"tasks"`*Extract
    }
    TargetDesc struct{
        ID              string`json:"id,omitempty"`
        CompatScore     int`json:"score,omitempty"`
        Submitted       string`json:"submitted,omitempty"`
        CompatCompleted string`json:"completed,omitempty"`
        Target          string`json:"target,omitempty"`
        Pick            string`json:"pick,omitempty"`
        Type            string`json:"type,omitempty"`
        Size            int64`json:"size,omitempty"`
        MD5             string`json:"md5,omitempty"`
        SHA1            string`json:"sha1,omitempty"`
        SHA256          string`json:"sha256,omitempty"`
        SHA512          string`json:"sha512,omitempty"`
        Filetype        string`json:"filetype,omitempty"`
        StaticTags      []string`json:"static_tags,omitempty"`}
    Signature struct{
        Label       string`json:"label,omitempty"`
        Name        string`json:"name"`
        Score       int`json:"score,omitempty"`
        TTP         []string`json:"ttp,omitempty"`
        Tags        []string`json:"tags,omitempty"`
        Indicators  []Indicator `json:"indicators,omitempty"`
        YaraRule    string`json:"yara_rule,omitempty"`
        Description string`json:"desc,omitempty"`
        URL         string`json:"url,omitempty"`}
    Extract struct{
        DumpedFile  string`json:"dumped_file,omitempty"`
        Resource    string`json:"resource,omitempty"`
        Config      *Config      `json:"config,omitempty"`
        Path        string`json:"path,omitempty"`
        RansomNote  *Ransom      `json:"ransom_note,omitempty"`
        Dropper     *Dropper     `json:"dropper,omitempty"`
        Credentials *Credentials `json:"credentials,omitempty"`}
    OverviewIOCs struct{
        URLs    []string`json:"urls,omitempty"`
        Domains []string`json:"domains,omitempty"`
        IPs     []string`json:"ips,omitempty"`}
    Indicator struct{
        IOC          string`json:"ioc,omitempty"`
        Description  string`json:"description,omitempty"`
        At           uint32`json:"at,omitempty"`
        SourcePID    uint64`json:"pid,omitempty"`
        SourceProcID int32`json:"procid,omitempty"`
        TargetPID    uint64`json:"pid_target,omitempty"`
        TargetProcID int32`json:"procid_target,omitempty"`
        Flow         int`json:"flow,omitempty"`
        Stream       int`json:"stream,omitempty"`
        DumpFile     string`json:"dump_file,omitempty"`
        Resource     string`json:"resource,omitempty"`
        YaraRule     string`json:"yara_rule,omitempty"`}
    Config struct{
        Family       string`json:"family,omitempty"`
        Tags         []string`json:"tags,omitempty"`
        Rule         string`json:"rule,omitempty"`
        C2           []string`json:"c2,omitempty"`
        Version      string`json:"version,omitempty"`
        Botnet       string`json:"botnet,omitempty"`
        Campaign     string`json:"campaign,omitempty"`
        Mutex        []string`json:"mutex,omitempty"`
        Decoy        []string`json:"decoy,omitempty"`
        Wallet       []string`json:"wallet,omitempty"`
        DNS          []string`json:"dns,omitempty"`
        Keys         []Key         `json:"keys,omitempty"`
        Webinject    []string`json:"webinject,omitempty"`
        CommandLines []string`json:"command_lines,omitempty"`
        ListenAddr   string`json:"listen_addr,omitempty"`
        ListenPort   int`json:"listen_port,omitempty"`
        ListenFor    []string`json:"listen_for,omitempty"`
        Shellcode    [][]byte`json:"shellcode,omitempty"`
        ExtractedPE  []string`json:"extracted_pe,omitempty"`
        Credentials  []Credentials `json:"credentials,omitempty"`
        Attributes   interface{}`json:"attr,omitempty"`
        Raw          string`json:"raw,omitempty"`}
    Ransom struct{
        Family  string`json:"family,omitempty"`
        Target  string`json:"target,omitempty"`
        Emails  []string`json:"emails,omitempty"`
        Wallets []string`json:"wallets,omitempty"`
        URLs    []string`json:"urls,omitempty"`
        Contact []string`json:"contact,omitempty"`
        Note    string`json:"note"`}
    Dropper struct{
        Family   string`json:"family,omitempty"`
        Language string`json:"language"`
        Source   string`json:"source,omitempty"`
        Deobf    string`json:"deobfuscated,omitempty"`
        URLs     []DropperURL `json:"urls"`}
    Credentials struct{
        Flow     int`json:"flow,omitempty"`
        Protocol string`json:"protocol,omitempty"`
        Host     string`json:"host,omitempty"`
        Port     int`json:"port,omitempty"`
        User     string`json:"username"`
        Pass     string`json:"password"`
        EmailTo  string`json:"email_to,omitempty"`}
    Key struct{
        Kind  string`json:"kind"`
        Key   string`json:"key"`
        Value interface{}`json:"value"`}
    DropperURL struct{
        Type string`json:"type"`
        URL  string`json:"url"`})
This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.
Was this article helpful?
0 out of 0 found this helpful

Articles in this section

See more