Recorded Future Sandbox - File Analysis with Cache - Workflow Template

Submits a File to Recorded Future Sandbox for full analysis.

Updated over 6 months ago

This workflow template automates file analysis using Recorded Future Sandbox, providing threat intelligence enrichment with an efficient caching mechanism. It processes file URLs and optional hashes to determine a file's reputation by analyzing its content. If the file hash is known, it checks a local cache for previously gathered intelligence, saving time and resources by avoiding unnecessary repeat analyses. New or uncached files are submitted to Recorded Future Sandbox for a comprehensive examination. The results, including a summary and the original analysis data (if desired), are stored in the cache for future use, aiding in rapid threat response and informed decision-making in security operations.

Optional Triggers

"This workflow is intended to be used as a function."

Use Cases

Function, Threat Intelligence Enrichment

Workflow Breakdown

  1. Receives a URL of a file and an optional hash of the file.

  2. If no hash is provided, the SHA256 is calculated from the file.

  3. Looks up global variables to see whether the hash reputation has been saved in the past 24 hours.

  4. If analysis data is found in the local cache, the saved data is returned to the parent workflow.

  5. When the file is not found in the cache and there is no previous analysis, the file is submitted for analysis.

  6. A summary of the analysis data is created and saved together with the original API data.
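The following is an added example, not part of the template or of Torq's or Recorded Future's own code, that works through the six steps above in Python: hash-keyed lookup in a 24-hour cache, SHA256 calculation when no hash is supplied, submission only on a cache miss, and a summary stored alongside the raw vendor data. The `fetch_file` fetcher, the `fake_sandbox_submit` client, the sample file bytes and the raw verdict shape are all constructed stand-ins, since the page does not document the sandbox API; a real integration would replace those two functions.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CACHE_TTL_SECONDS = 24 * 60 * 60  # reuse cached verdicts for 24 hours, as the template does

# Constructed stand-in for the file fetched from the submitted URL (no network access).
SAMPLE_FILES: Dict[str, bytes] = {
    "https://files.example.invalid/invoice.exe": b"MZ constructed sample executable bytes",
}


def fetch_file(url: str) -> bytes:
    """Hypothetical fetcher: returns constructed bytes instead of downloading."""
    return SAMPLE_FILES[url]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CacheEntry:
    summary: dict
    raw: dict
    saved_at: float  # epoch seconds when the analysis was stored


@dataclass
class FileAnalysisCache:
    """Hash-keyed cache standing in for the template's global variables."""
    ttl_seconds: int = CACHE_TTL_SECONDS
    entries: Dict[str, CacheEntry] = field(default_factory=dict)

    def get(self, sha256: str, now: float) -> Optional[CacheEntry]:
        entry = self.entries.get(sha256)
        if entry is None:
            return None
        if now - entry.saved_at > self.ttl_seconds:
            del self.entries[sha256]  # stale: drop it so a fresh analysis is run
            return None
        return entry

    def put(self, sha256: str, summary: dict, raw: dict, now: float) -> None:
        self.entries[sha256] = CacheEntry(summary=summary, raw=raw, saved_at=now)


def summarize(raw: dict) -> dict:
    """Reduce vendor output to the fields the template reports (step 6)."""
    props = raw.get("file_properties", {})
    return {
        "mitre_ttps": sorted(set(raw.get("ttps", []))),
        "related_hashes": list(raw.get("related_hashes", [])),
        "file_properties": props,
        "malware_family": raw.get("malware_family"),
        "observable_type": "file",
        "observable_subtype": props.get("type", "unknown"),
    }


def fake_sandbox_submit(data: bytes) -> dict:
    """Hypothetical sandbox client returning a constructed verdict (not the real API)."""
    return {
        "sha256": sha256_hex(data),
        "ttps": ["T1059", "T1547", "T1059"],
        "related_hashes": ["constructed-related-hash"],
        "file_properties": {"type": "exe", "size": len(data)},
        "malware_family": "ConstructedFamily",
    }


def _result(sha256: str, entry: CacheEntry, provide_raw_data: bool, cached: bool) -> dict:
    out = {"sha256": sha256, "cached": cached, "summary": entry.summary}
    if provide_raw_data:  # the "Provide Raw Data Analysis" toggle from the Tips section
        out["raw_analysis"] = entry.raw
    return out


def analyze_file(url: str, file_hash: Optional[str], cache: FileAnalysisCache,
                 submit: Callable[[bytes], dict], provide_raw_data: bool = False,
                 now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    data = None
    if file_hash:                      # step 1: hash supplied by the caller
        sha256 = file_hash.lower()
    else:                              # step 2: compute SHA256 from the file itself
        data = fetch_file(url)
        sha256 = sha256_hex(data)
    hit = cache.get(sha256, now)       # step 3: look for a verdict younger than 24 hours
    if hit is not None:                # step 4: return cached data without resubmitting
        return _result(sha256, hit, provide_raw_data, cached=True)
    if data is None:
        data = fetch_file(url)
    raw = submit(data)                 # step 5: cache miss, submit for analysis
    cache.put(sha256, summarize(raw), raw, now)  # step 6: store summary and raw data
    return _result(sha256, cache.entries[sha256], provide_raw_data, cached=False)
```

Passing `now` explicitly makes the TTL behaviour testable; in the real workflow the 24-hour window comes from the timestamp stored with the global variable. Note that the cache is keyed by the lowercased hash, so a caller supplying an uppercase SHA256 still hits the same entry.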

Vendors

Utils, Torq, Recorded Future Sandbox

Workflow Output

Output information contains a MITRE TTPs summary, related hashes, file properties, malware family, and the observable's type and subtype as used in Torq Cases.

Tips

Set "Provide Raw Data Analysis" to true or false to add or remove the original vendor information from the output.
