Interactive sample submission
Submitting a sample in interactive mode allows for the static report to be inspected before analysis starts and the environments to be tweaked.
Interactive submission consists of at least two steps:
1. Submitting a sample with interactive: true. This will pause the sample at the static_analysis status.
2. Setting the profiles to continue with the actual sandbox analysis.
Submit the file:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-X POST \
-F 'file=@<YOUR_SAMPLE_FILE_PATH>' \
-F '_json={"kind":"file","interactive":true}' \
'https://sandbox.recordedfuture.com/api/v0/samples'
// Response: {"id":"190724-hakvlwz8cx","status":"pending", ...}
Optionally, retrieve the static report to base profile decisions on. It may take some time for the report to become available; Triage will indicate this with the REPORT_NOT_AVAILABLE error code. If you encounter this, try again after a minute or so.
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
'https://sandbox.recordedfuture.com/api/v0/samples/<SAMPLE_ID>/reports/static' | jq
Now set one or more profiles to start. You should select a profile you created earlier with the profile API or web interface.
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-X POST \
--data-raw '{"profiles":[{"profile":"<PROFILE_ID>"}]}' \
'https://sandbox.recordedfuture.com/api/v0/samples/<SAMPLE_ID>/profile'
# {}
Alternatively, you can also just continue with the profiles that Triage thinks are best by setting auto: true.
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-X POST \
--data-raw '{"auto":true}' \
'https://sandbox.recordedfuture.com/api/v0/samples/<SAMPLE_ID>/profile'
# {}
Submitting an archive
It is possible to submit an archive and analyse individual files from this archive.
The files should be selected by using the pick option, available in both the submission endpoint and the profile selection endpoint.
To select the files immediately when uploading the archive, populate the profiles field with the files that should be analysed, prefixed with unpack001/:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-X POST \
-F 'file=@<YOUR_SAMPLE_FILE_PATH>' \
-F '_json={"kind":"file","profiles":[{"pick":"unpack001/evil.bat","profile":"<PROFILE_ID>"}]}' \
'https://sandbox.recordedfuture.com/api/v0/samples'
// Response: {"id":"190724-hakvlwz8cx","status":"pending", ...}
It is also possible to select the files from the archive when submitting interactively. This also allows you to use the list of extracted files (.files[].relpath) from the static report if desired. There are two ways of selecting the files.
One is to set the profiles parameter just as you would when submitting:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-X POST \
--data-raw '{"profiles":[{"pick":"unpack001/evil.bat","profile":"<PROFILE_ID>"}]}' \
'https://sandbox.recordedfuture.com/api/v0/samples/<SAMPLE_ID>/profile'
# {}
Or you can just select the files by setting them in the pick field:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-X POST \
--data-raw '{"pick":["unpack001/evil.bat"]}' \
'https://sandbox.recordedfuture.com/api/v0/samples/<SAMPLE_ID>/profile'
# {}
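As an added example (not part of the Triage documentation or any client library), the interactive archive flow above in Python: poll for the static report while Triage answers REPORT_NOT_AVAILABLE, then turn its .files[].relpath list into the profiles and pick request bodies shown in the last two examples. The report contents, the {"error": ...} error shape, the idea that relpath may lack the unpack001/ prefix, and the fetch callable (the caller's own HTTP GET of /reports/static) are assumptions.

```python
import time

REPORT_NOT_AVAILABLE = "REPORT_NOT_AVAILABLE"  # error code named in the docs above
UNPACK_PREFIX = "unpack001/"                   # archive-member prefix from the docs above

# Constructed static report shaped as the docs describe (.files[].relpath);
# the other keys and the {"error": ...} error shape are assumptions.
SAMPLE_STATIC_REPORT = {
    "sample": {"id": "190724-hakvlwz8cx"},
    "files": [
        {"relpath": "README.txt"},
        {"relpath": "evil.bat"},
        {"relpath": "payload/setup.exe"},
    ],
}

def wait_for_static_report(fetch, attempts=5, delay=60.0):
    """Call fetch() (a callable returning the decoded JSON of
    GET /samples/<id>/reports/static) until the report is available."""
    for attempt in range(attempts):
        body = fetch()
        if body.get("error") != REPORT_NOT_AVAILABLE:
            return body
        if attempt < attempts - 1:
            time.sleep(delay)  # the docs suggest retrying after a minute or so
    raise TimeoutError("static report not available after %d attempts" % attempts)

def pick_members(report, suffixes):
    """Archive members with a wanted extension, as unpack001/-prefixed pick values.
    Assumption: relpath may or may not already carry the prefix, so normalise it."""
    wanted = tuple(s.lower() for s in suffixes)
    picks = []
    for entry in report.get("files", []):
        rel = entry["relpath"]
        if rel.lower().endswith(wanted):
            picks.append(rel if rel.startswith(UNPACK_PREFIX) else UNPACK_PREFIX + rel)
    return picks

def profiles_body(picks, profile_id):
    """Body for POST /samples/<id>/profile: one entry per picked file, one profile."""
    return {"profiles": [{"pick": p, "profile": profile_id} for p in picks]}

def pick_body(picks):
    """Body for POST /samples/<id>/profile selecting files via the pick field alone."""
    return {"pick": list(picks)}
```

Serialise the returned dict with json.dumps and send it as --data-raw to the profile endpoint once the sample sits at static_analysis.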