This workflow template lets SOC analysts analyze multiple password-protected attachments with several sandbox engines. After the analyst selects the sandboxes and supplies the password for the encrypted files, the workflow decrypts the files, submits them to each selected sandbox, and aggregates the analysis results. This supports case management and threat hunting by giving analysts a consolidated view of potentially malicious attachments.
Use Cases
Case Management, Threat Hunting
Workflow Breakdown
In the Quick Action Interaction window, select the sandbox engines and the attachment files you want to analyze.
The workflow downloads the encrypted attachments, opens them with the specified password, and sends them to each selected engine.
By default, a summary of each engine's analysis is added as a note.
If the AI Summary parameter is set to True in the "Workflow Parameters" step, the system sends all enrichment data to AI to generate a summary.
All enrichment data is added to each Observable in the case.
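The aggregation step above, as an added example in Python (not code from the Torq template): the normalised result shape, the engine detail strings and the file hashes are constructed sample data, and real engine output would first have to be mapped into this shape.

```python
from collections import defaultdict, namedtuple

# One normalised sandbox result: engine name, SHA-256 of the decrypted file,
# verdict (a SEVERITY key, or "error" when submission failed), free-text detail.
EngineResult = namedtuple("EngineResult", "engine sha256 verdict detail", defaults=[""])

# Worst-verdict-wins ordering. "unknown" outranks "clean" on purpose: if any
# engine could not classify the file, the aggregate must not read as clean.
SEVERITY = {"clean": 0, "unknown": 1, "suspicious": 2, "malicious": 3}

# Constructed sample data (not real engine output): 2 files, 4 engines, 1 timeout.
SAMPLE_RESULTS = [
    EngineResult("VirusTotal", "a" * 64, "malicious", "34/70 engines"),
    EngineResult("CrowdStrike", "a" * 64, "suspicious", "drops unsigned PE"),
    EngineResult("VMRay", "a" * 64, "error", "submission timed out"),
    EngineResult("Recorded Future Sandbox", "a" * 64, "malicious", "C2 beacon"),
    EngineResult("VirusTotal", "b" * 64, "clean", "0/70 engines"),
    EngineResult("CrowdStrike", "b" * 64, "clean"),
    EngineResult("VMRay", "b" * 64, "unknown", "no dynamic behaviour"),
    EngineResult("Recorded Future Sandbox", "b" * 64, "clean"),
]

def aggregate(results):
    """Return {sha256: {verdict, flagged_by, errors, coverage}} per file.
    Errored engines are listed, not dropped, so incomplete coverage stays visible."""
    by_hash = defaultdict(list)
    for r in results:
        by_hash[r.sha256].append(r)
    summary = {}
    for sha256, rs in by_hash.items():
        ok = [r for r in rs if r.verdict in SEVERITY]
        worst = max(ok, key=lambda r: SEVERITY[r.verdict], default=None)
        summary[sha256] = {
            "verdict": worst.verdict if worst else "unknown",
            "flagged_by": sorted(r.engine for r in ok if SEVERITY[r.verdict] >= 2),
            "errors": sorted(f"{r.engine}: {r.detail}" for r in rs if r not in ok),
            "coverage": f"{len(ok)}/{len(rs)}",
        }
    return summary

def render_note(summary):
    """Plain-text case note: one line per file, plus flagging engines and errors."""
    lines = []
    for sha256, s in sorted(summary.items()):
        lines.append(f"{sha256[:12]} {s['verdict'].upper()} (coverage {s['coverage']})")
        if s["flagged_by"]:
            lines.append("  flagged by: " + ", ".join(s["flagged_by"]))
        lines += ["  engine error: " + e for e in s["errors"]]
    return "\n".join(lines)
```

Run `render_note(aggregate(SAMPLE_RESULTS))` to see the note text the workflow would attach; the per-file dict from `aggregate` is what would be added to each observable.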
Vendors
Scripting, Utils, VirusTotal, HTTP, CrowdStrike, Torq, Torq Cases, VMRay, Recorded Future Sandbox
Tips
Set "Provide AI Summary" to automatically generate a summary using the AI Task operator.