Recorded Future Sandbox - API - The Dynamic Report

This is the Go structure definition of the Behavioural JSON report that Recorded Future Sandbox creates.

// TriageReport is the top-level document of the behavioural (dynamic) report.
// Every string, command line, URL and IOC it carries was recovered from the
// analysed sample or its network traffic, so consumers should treat the
// decoded values as untrusted input when rendering, logging or pivoting on
// them.
//
// Note on encoding/json: "omitempty" has no effect on struct-typed fields,
// so "analysis" (and "sample", "task", "network") are always emitted even
// when every nested field is zero.
type TriageReport struct {
	Version    string                 `json:"version"`
	Sample     TargetDesc             `json:"sample"`
	Task       TargetDesc             `json:"task"`
	Errors     []ReportedFailure      `json:"errors,omitempty"`
	Analysis   ReportAnalysisInfo     `json:"analysis,omitempty"`
	Processes  []Process              `json:"processes,omitempty"`
	Signatures []Signature            `json:"signatures"`
	Network    NetworkReport          `json:"network"`
	Debug      map[string]interface{} `json:"debug,omitempty"` // free-form, schema not fixed by this definition
	Dumped     []Dump                 `json:"dumped,omitempty"`
	Extracted  []Extract              `json:"extracted,omitempty"`
}

// TargetDesc describes either the submitted sample or the individual
// analysis task ("sample" and "task" in TriageReport). The hash fields are
// hex digests of the analysed file as reported by the sandbox; match on
// SHA256 rather than MD5 where a choice exists.
type TargetDesc struct {
	ID              string   `json:"id,omitempty"`
	CompatScore     int      `json:"score,omitempty"`
	Submitted       string   `json:"submitted,omitempty"`
	CompatCompleted string   `json:"completed,omitempty"`
	Target          string   `json:"target,omitempty"`
	Pick            string   `json:"pick,omitempty"`
	Type            string   `json:"type,omitempty"`
	Size            int64    `json:"size,omitempty"`
	MD5             string   `json:"md5,omitempty"`
	SHA1            string   `json:"sha1,omitempty"`
	SHA256          string   `json:"sha256,omitempty"`
	SHA512          string   `json:"sha512,omitempty"`
	Filetype        string   `json:"filetype,omitempty"`
	StaticTags      []string `json:"static_tags,omitempty"`
}

// ReportedFailure is one entry of "errors": a task/backend pair and the
// reason the sandbox recorded. Reason is always present in the JSON.
type ReportedFailure struct {
	Task    string `json:"task,omitempty"`
	Backend string `json:"backend,omitempty"`
	Reason  string `json:"reason"`
}

// ReportAnalysisInfo summarises the analysis run ("analysis"). Tags is
// emitted even when nil (as JSON null); the remaining fields are omitted
// when zero.
type ReportAnalysisInfo struct {
	Score          int      `json:"score,omitempty"`
	Tags           []string `json:"tags"`
	TTP            []string `json:"ttp,omitempty"`
	Features       []string `json:"features,omitempty"`
	Submitted      string   `json:"submitted,omitempty"`
	Reported       string   `json:"reported,omitempty"`
	MaxTimeNetwork int64    `json:"max_time_network,omitempty"`
	MaxTimeKernel  uint32   `json:"max_time_kernel,omitempty"`
	Backend        string   `json:"backend,omitempty"`
	Resource       string   `json:"resource,omitempty"`
	ResourceTags   []string `json:"resource_tags,omitempty"`
	Platform       string   `json:"platform,omitempty"`
}

// Process is one observed process ("processes"). ProcID/ParentProcID are
// the report's own identifiers; PID/PPID are the guest OS values. Cmd is
// left as interface{} because the report does not fix its shape (a single
// string and a string array both appear valid to this definition). System
// is never serialised ("-").
type Process struct {
	ProcID       int32       `json:"procid,omitempty"`
	ParentProcID int32       `json:"procid_parent,omitempty"`
	PID          uint64      `json:"pid"`
	PPID         uint64      `json:"ppid"`
	Cmd          interface{} `json:"cmd"`
	Image        string      `json:"image,omitempty"`
	Orig         bool        `json:"orig"`
	System       bool        `json:"-"`
	Started      uint32      `json:"started"`
	Terminated   uint32      `json:"terminated,omitempty"`
}

// Signature is one triggered detection ("signatures"). Note that the
// description key here is "desc", whereas Indicator uses "description".
type Signature struct {
	Label       string      `json:"label,omitempty"`
	Name        string      `json:"name"`
	Score       int         `json:"score,omitempty"`
	TTP         []string    `json:"ttp,omitempty"`
	Tags        []string    `json:"tags,omitempty"`
	Indicators  []Indicator `json:"indicators,omitempty"`
	YaraRule    string      `json:"yara_rule,omitempty"`
	Description string      `json:"desc,omitempty"`
	URL         string      `json:"url,omitempty"`
}

// NetworkReport groups the flow-level and request-level network
// observations ("network").
type NetworkReport struct {
	Flows    []NetworkFlow    `json:"flows,omitempty"`
	Requests []NetworkRequest `json:"requests,omitempty"`
}

// Dump describes a memory or file dump produced during analysis ("dumped").
// Addr/Length locate the region; the hash fields identify the dumped bytes.
type Dump struct {
	At     uint32 `json:"at"`
	PID    uint64 `json:"pid,omitempty"`
	ProcID int32  `json:"procid,omitempty"`
	Path   string `json:"path,omitempty"`
	Name   string `json:"name,omitempty"`
	Kind   string `json:"kind,omitempty"`
	Addr   uint64 `json:"addr,omitempty"`
	Length uint64 `json:"length,omitempty"`
	MD5    string `json:"md5,omitempty"`
	SHA1   string `json:"sha1,omitempty"`
	SHA256 string `json:"sha256,omitempty"`
	SHA512 string `json:"sha512,omitempty"`
}

// Extract is one extraction result ("extracted"). Exactly which of the
// pointer members is populated depends on what was recovered; all are
// optional and nil when absent.
type Extract struct {
	DumpedFile  string       `json:"dumped_file,omitempty"`
	Resource    string       `json:"resource,omitempty"`
	Config      *Config      `json:"config,omitempty"`
	Path        string       `json:"path,omitempty"`
	RansomNote  *Ransom      `json:"ransom_note,omitempty"`
	Dropper     *Dropper     `json:"dropper,omitempty"`
	Credentials *Credentials `json:"credentials,omitempty"`
}

// Indicator is a single piece of evidence attached to a Signature. Source*
// fields identify the acting process, Target* the affected one; Flow links
// to NetworkFlow.ID. IOC is sample-derived text and should be escaped
// before being displayed in a UI.
type Indicator struct {
	IOC          string `json:"ioc,omitempty"`
	Description  string `json:"description,omitempty"`
	At           uint32 `json:"at,omitempty"`
	SourcePID    uint64 `json:"pid,omitempty"`
	SourceProcID int32  `json:"procid,omitempty"`
	TargetPID    uint64 `json:"pid_target,omitempty"`
	TargetProcID int32  `json:"procid_target,omitempty"`
	Flow         int    `json:"flow,omitempty"`
	DumpFile     string `json:"dump_file,omitempty"`
	Resource     string `json:"resource,omitempty"`
	YaraRule     string `json:"yara_rule,omitempty"`
}

// NetworkFlow is one observed connection ("network.flows"). The tls_*
// fields carry the JA3/JA3S fingerprints and SNI; as_num/as_org and country
// are enrichment of the remote endpoint. ID is referenced by
// Indicator.Flow, NetworkRequest.Flow and Credentials.Flow.
type NetworkFlow struct {
	ID        int      `json:"id,omitempty"`
	Source    string   `json:"src,omitempty"`
	Dest      string   `json:"dst,omitempty"`
	Proto     string   `json:"proto,omitempty"`
	PID       uint64   `json:"pid,omitempty"`
	ProcID    int32    `json:"procid,omitempty"`
	FirstSeen int64    `json:"first_seen,omitempty"`
	LastSeen  int64    `json:"last_seen,omitempty"`
	RxBytes   uint64   `json:"rx_bytes,omitempty"`
	RxPackets uint64   `json:"rx_packets,omitempty"`
	TxBytes   uint64   `json:"tx_bytes,omitempty"`
	TxPackets uint64   `json:"tx_packets,omitempty"`
	Protocols []string `json:"protocols,omitempty"`
	Domain    string   `json:"domain,omitempty"`
	JA3       string   `json:"tls_ja3,omitempty"`
	JA3S      string   `json:"tls_ja3s,omitempty"`
	SNI       string   `json:"tls_sni,omitempty"`
	Country   string   `json:"country,omitempty"`
	AS        string   `json:"as_num,omitempty"`
	Org       string   `json:"as_org,omitempty"`
}

// NetworkRequest is one application-layer exchange ("network.requests").
// At most the DNS pair or the HTTP pair is expected to be set; any member
// left nil is omitted from the JSON.
type NetworkRequest struct {
	Flow       int                    `json:"flow,omitempty"`
	Index      int                    `json:"index,omitempty"`
	At         uint32                 `json:"at,omitempty"`
	DomainReq  *NetworkDomainRequest  `json:"dns_request,omitempty"`
	DomainResp *NetworkDomainResponse `json:"dns_response,omitempty"`
	WebReq     *NetworkWebRequest     `json:"http_request,omitempty"`
	WebResp    *NetworkWebResponse    `json:"http_response,omitempty"`
}

// Config is a malware configuration recovered from the sample
// (Extract.Config). C2, DNS, ListenAddr, CommandLines and similar members
// are attacker-chosen values: useful as IOCs, but they must not be
// interpreted as trusted addresses or executed. encoding/json encodes each
// inner []byte of Shellcode as a base64 string. Attributes is free-form.
type Config struct {
	Family       string        `json:"family,omitempty"`
	Tags         []string      `json:"tags,omitempty"`
	Rule         string        `json:"rule,omitempty"`
	C2           []string      `json:"c2,omitempty"`
	Version      string        `json:"version,omitempty"`
	Botnet       string        `json:"botnet,omitempty"`
	Campaign     string        `json:"campaign,omitempty"`
	Mutex        []string      `json:"mutex,omitempty"`
	Decoy        []string      `json:"decoy,omitempty"`
	DNS          []string      `json:"dns,omitempty"`
	Keys         []Key         `json:"keys,omitempty"`
	Webinject    []string      `json:"webinject,omitempty"`
	CommandLines []string      `json:"command_lines,omitempty"`
	ListenAddr   string        `json:"listen_addr,omitempty"`
	ListenPort   int           `json:"listen_port,omitempty"`
	ListenFor    []string      `json:"listen_for,omitempty"`
	Shellcode    [][]byte      `json:"shellcode,omitempty"`
	ExtractedPE  []string      `json:"extracted_pe,omitempty"`
	Credentials  []Credentials `json:"credentials,omitempty"`
	Attributes   interface{}   `json:"attr,omitempty"`
}

// Ransom is a recovered ransom note (Extract.RansomNote). Note is always
// present; the contact details are sample-derived text.
type Ransom struct {
	Family  string   `json:"family,omitempty"`
	Target  string   `json:"target,omitempty"`
	Emails  []string `json:"emails,omitempty"`
	Wallets []string `json:"wallets,omitempty"`
	URLs    []string `json:"urls,omitempty"`
	Contact []string `json:"contact,omitempty"`
	Note    string   `json:"note"`
}

// Dropper describes a recovered dropper script (Extract.Dropper). Source is
// the script as found and Deobf the deobfuscated form; both are untrusted
// script text and must never be evaluated by a consumer. URLs is emitted
// even when nil.
type Dropper struct {
	Family   string       `json:"family,omitempty"`
	Language string       `json:"language"`
	Source   string       `json:"source"`
	Deobf    string       `json:"deobfuscated"`
	URLs     []DropperURL `json:"urls"`
}

// Credentials is a credential pair observed in the sample or its traffic.
// User and Pass are always serialised (as "username"/"password"), so a
// consumer storing or logging reports is storing the recovered secret as
// well; handle accordingly.
type Credentials struct {
	Flow     int    `json:"flow,omitempty"`
	Protocol string `json:"protocol"`
	Host     string `json:"host,omitempty"`
	Port     int    `json:"port,omitempty"`
	User     string `json:"username"`
	Pass     string `json:"password"`
}

// NetworkDomainRequest is the DNS query side of a NetworkRequest.
type NetworkDomainRequest struct {
	Domains   []string   `json:"domains,omitempty"`
	Questions []DNSEntry `json:"questions,omitempty"`
}

// NetworkDomainResponse is the DNS answer side of a NetworkRequest.
type NetworkDomainResponse struct {
	Domains []string   `json:"domains,omitempty"`
	IP      []string   `json:"ip,omitempty"`
	Answers []DNSEntry `json:"answers,omitempty"`
}

// NetworkWebRequest is the HTTP request side of a NetworkRequest. Request
// holds the raw request text; URL and Request are always present.
type NetworkWebRequest struct {
	Method  string   `json:"method,omitempty"`
	URL     string   `json:"url"`
	Request string   `json:"request"`
	Headers []string `json:"headers,omitempty"`
}

// NetworkWebResponse is the HTTP response side of a NetworkRequest. Status
// and the raw Response text are always present.
type NetworkWebResponse struct {
	Status   string   `json:"status"`
	Response string   `json:"response"`
	Headers  []string `json:"headers,omitempty"`
}

// Key is one key/value entry of Config.Keys. Value is untyped because the
// report does not fix its JSON shape.
type Key struct {
	Kind  string      `json:"kind"`
	Key   string      `json:"key"`
	Value interface{} `json:"value"`
}

// DropperURL is one URL referenced by a Dropper, with its role in Type.
type DropperURL struct {
	Type string `json:"type"`
	URL  string `json:"url"`
}

// DNSEntry is one DNS question or answer record.
type DNSEntry struct {
	Name  string `json:"name"`
	Type  string `json:"type"`
	Value string `json:"value,omitempty"`
}
This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.