QuickAction - Analyze Attachment Files in Sandbox - Workflow Template

Send multiple Password-Protected Attachments to multiple Sandbox Engines to be analyzed.

Updated this week

This workflow template enables SOC analysts to analyze multiple password-protected attachments using several sandbox engines. After the analyst selects the desired sandboxes and specifies the password for the encrypted files, the workflow automates file decryption, submission to the selected sandboxes, and aggregation of the analysis results. This gives case management and threat hunting a consolidated view of potentially malicious attachments that would otherwise be hidden behind encryption.

Use Cases

Case Management, Threat Hunting

Workflow Breakdown

  1. In the Quick Action Interaction window, select the sandbox engines and the attachment files you want to analyze.

  2. The workflow downloads the encrypted attachments, opens them with the specified password, and sends them to each selected engine.

  3. By default, a summary of each engine's analysis is added to the case as a note.

  4. If the AI Summary parameter is set to True in the "Workflow Parameters" step, the workflow sends all enrichment data to AI to generate a summary.

  5. All enrichment data is added to each Observable in the case.

Vendors

Scripting, Utils, VirusTotal, HTTP, CrowdStrike, Torq, Torq Cases, VMRay, Recorded Future Sandbox

Tips

  • Set "Provide AI Summary" to automatically generate a summary using the AI Task operator.