Recorded Future Sandbox - API - Usage Examples

Interactive sample submission

Submitting a sample in interactive mode allows the static report to be inspected before analysis starts and the environments to be tweaked.

Interactive submission consists of at least two steps:

1. Submitting a sample with interactive: true. This pauses the sample at the static_analysis status.
2. Setting the profiles to continue with the actual sandbox analysis.

Submit the file:

$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
    -X POST \
    -F 'file=@<YOUR_SAMPLE_FILE_PATH>' \
    -F '_json={"kind":"file","interactive":true}' \
    'https://sandbox.recordedfuture.com/api/v0/samples'
// Response: {"id":"190724-hakvlwz8cx","status":"pending", ...}

Optionally, retrieve the static report to base profile decisions on. It may take some time for the report to become available; Triage indicates this with the REPORT_NOT_AVAILABLE error code. If you encounter it, try again after a minute or so.

$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
    'https://sandbox.recordedfuture.com/api/v0/samples/<SAMPLE_ID>/reports/static' | jq

Now set one or more profiles to start. You should select a profile you created earlier with the profile API or web interface.

$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
    -X POST \
    --data-raw '{"profiles":[{"profile":"<PROFILE_ID>"}]}' \
    'https://sandbox.recordedfuture.com/api/v0/samples/<SAMPLE_ID>/profile'
# {}

Alternatively, you can continue with the profiles Triage thinks are best by setting auto: true.

$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
    -X POST \
    --data-raw '{"auto":true}' \
    'https://sandbox.recordedfuture.com/api/v0/samples/<SAMPLE_ID>/profile'
# {}

Submitting an archive

It is possible to submit an archive and analyse individual files from this archive.

The files are selected with the pick option, which is available in both the submission endpoint and the profile selection endpoint.

To select the files immediately when uploading the archive, populate the profiles field with the files that should be analysed, each prefixed with unpack001/:

$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
    -X POST \
    -F 'file=@<YOUR_SAMPLE_FILE_PATH>' \
    -F '_json={"kind":"file","profiles":[{"pick":"unpack001/evil.bat","profile":"<PROFILE_ID>"}]}' \
    'https://sandbox.recordedfuture.com/api/v0/samples'
// Response: {"id":"190724-hakvlwz8cx","status":"pending", ...}

It is also possible to select the files from the archive when submitting interactively. This also lets you use the list of extracted files (.files[].relpath) from the static report if desired. There are two ways of selecting the files.

One is to set the profiles parameter just as you would when submitting:

$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
    -X POST \
    --data-raw '{"profiles":[{"pick":"unpack001/evil.bat","profile":"<PROFILE_ID>"}]}' \
    'https://sandbox.recordedfuture.com/api/v0/samples/<SAMPLE_ID>/profile'
# {}

Or you can select the files by listing them in the pick field:

$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
    -X POST \
    --data-raw '{"pick":["unpack001/evil.bat"]}' \
    'https://sandbox.recordedfuture.com/api/v0/samples/<SAMPLE_ID>/profile'
# {}
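The interactive and archive flows above, scripted in Python as an added example (not Recorded Future's or Triage's own client code). It builds the request bodies for the submission and profile endpoints, polls until the static report stops answering with REPORT_NOT_AVAILABLE, and turns the report's .files[].relpath list into pick entries. It assumes the not-ready error body has the shape {"error":"REPORT_NOT_AVAILABLE", ...} and that relpath values may or may not already carry the unpack001/ prefix; the static report excerpt is constructed.

```python
import json
import time

UNPACK_PREFIX = "unpack001/"  # prefix the API expects in front of archive members
# Constructed static-report excerpt; only the .files[].relpath shape is taken from the page.
SAMPLE_STATIC_REPORT = {"files": [{"relpath": "evil.bat"}, {"relpath": "readme.txt"}]}

def _pick(relpath):
    """Prefix an archive member unless the report path already carries it (assumption)."""
    return relpath if relpath.startswith(UNPACK_PREFIX) else UNPACK_PREFIX + relpath

def submission_json(interactive=False, picks=(), profile=None):
    """Value for curl's _json form field on POST /samples."""
    body = {"kind": "file"}
    if interactive:
        body["interactive"] = True
    if picks:
        body["profiles"] = [{"pick": _pick(p), "profile": profile} for p in picks]
    return json.dumps(body, separators=(",", ":"))

def profile_json(profile=None, picks=(), auto=False):
    """Body for POST /samples/<id>/profile, covering the three forms shown above."""
    if auto:
        body = {"auto": True}
    elif picks and profile is None:
        body = {"pick": [_pick(p) for p in picks]}
    elif picks:
        body = {"profiles": [{"pick": _pick(p), "profile": profile} for p in picks]}
    else:
        body = {"profiles": [{"profile": profile}]}
    return json.dumps(body, separators=(",", ":"))

def wait_for_static_report(fetch, attempts=5, delay=60):
    """Call fetch() (decoded JSON of GET .../reports/static) until it stops answering
    with error REPORT_NOT_AVAILABLE (assumed body shape), sleeping `delay` seconds
    between tries. Returns None if the report never became available."""
    for _ in range(attempts):
        body = fetch()
        if body.get("error") != "REPORT_NOT_AVAILABLE":
            return body
        time.sleep(delay)
    return None

def archive_members(static_report, suffixes=(".bat", ".exe", ".js")):
    """relpaths from .files[] worth picking; the suffix filter is a constructed heuristic."""
    return [f["relpath"] for f in static_report.get("files", [])
            if f["relpath"].lower().endswith(suffixes)]
```

Pass the returned strings to curl's -F '_json=...' and --data-raw options exactly as in the examples above; wait_for_static_report takes any callable that performs the GET and decodes the body.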