Cisco Threat Grid v1.3.0

About the connector

A Cisco Threat Grid Appliance provides secure, on-premises advanced malware analysis and threat intelligence. It lets organizations operating under compliance and policy restrictions submit malware samples to an appliance they control: suspicious documents and files are analyzed without ever leaving the network.

This document provides information about the Cisco Threat Grid Connector, which facilitates automated interactions with a Cisco Threat Grid server using FortiSOAR™ playbooks. Add the Cisco Threat Grid Connector as a step in FortiSOAR™ playbooks to perform automated operations such as submitting a sample to Cisco Threat Grid, retrieving reports for a submitted file, and getting daily feeds from Cisco Threat Grid.

Version information

Connector Version: 1.3.0

Authored By: Community

Certified: No

Release Notes for version 1.3.0

The following enhancements have been made to the Cisco Threat Grid Connector in version 1.3.0:

  • Updated the "Submit Sample" operation as follows:
    • Added support for submitting a URL as a sample to the Cisco Threat Grid server for analysis.
    • Added the following new parameters: 'Email Notification', 'Classify', 'Sample Password', and 'Callback URL'.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, see the FortiSOAR™ documentation.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-cisco-threatgrid

Prerequisites to configuring the connector

  • You must have the URL of the Cisco Threat Grid server on which you will perform the automated operations and the API key configured for your account to access that Cisco Threat Grid server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
  • You must have the FortiSOAR™ Built-in connector cyops_utilities version 2.0.1 installed on your system. For more information on FortiSOAR™ built-in connectors, see FortiSOAR™ documentation.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on Cisco Threat Grid.

Configuring the connector

For the procedure to configure a connector, see the FortiSOAR™ documentation.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Cisco Threat Grid connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL URL for the Cisco Threat Grid server from where the connector gets notifications and to which you will connect and perform automated operations.
API Key API key that is configured for your account for the Cisco Threat Grid server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the TLS certificate presented by the Cisco Threat Grid server is to be verified.
By default, this option is set as True. Leave it enabled wherever possible: with verification off, the connector sends the API key to whichever host answers at the Server URL. If the appliance uses a self-signed certificate, trust that certificate on the FortiSOAR™ server rather than disabling the check.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Submit Sample Submits a sample file or URL to the Cisco Threat Grid server for analysis. detonate_file
Investigation
Search Report Searches for reports on the Cisco Threat Grid server based on the input text and parameters you have specified. get_analysis
Investigation
Get IOCs Retrieves details of IOCs associated with the submitted sample from the Cisco Threat Grid server. IOC (Indicators of Compromise) enables you to identify a known threat, an attacker's methodology, or any other evidence of compromise. get_iocs
Investigation
Download Report Retrieves a report or analysis for a submitted sample from the Cisco Threat Grid server. The report file is stored in the Attachments module in FortiSOAR™. get_reputation
Investigation
Get Status Retrieves the state of a submitted sample from the Cisco Threat Grid server. There are a number of states that a sample can be in once it is submitted to Cisco Threat Grid. The states are: pending, running, succ, proc, fail, prep, wait, and run. get_status
Investigation
Get All Reports Retrieves organization reports of samples submitted from the Cisco Threat Grid server, based on the input date you have specified. get_file
Investigation
Get JSON Report Retrieves the detailed static and dynamic reports of the submitted sample from the Cisco Threat Grid server. get_analysis
Investigation
Search Report by Feeds Searches for reports from the Cisco Threat Grid server based on the feed you have specified.
Feeds are retrieved daily from Cisco Threat Grid and used by organizations and partners for targeted threat intelligence, by focusing on the specific types of threats faced by particular industries.
get_report
Investigation
Get Summary Retrieves the threat summary of a submitted sample from the Cisco Threat Grid server. get_report
Investigation
Get Rate Limit Information Retrieves information for all available submissions from the Cisco Threat Grid server. get_rate_limit_info
Investigation

operation: Submit Sample

Input parameters

Parameter Description
Submission Type Select the submission type of the sample that you want to submit to Cisco Threat Grid for analysis. You can choose between Upload File or Submit URL.
  • If you choose Upload File, then you must specify the following parameters:
    • File Name: Name of the file that you want to submit to Cisco Threat Grid for analysis.
    • File IRI: FortiSOAR™ File IRI of the file that you want to submit to Cisco Threat Grid for analysis.
      Note: The file that you want to submit to Cisco Threat Grid for analysis must be part of the Attachment module in FortiSOAR™.
  • If you choose Submit URL, then you must specify the following parameters:
    • URL: URL that you want to submit to Cisco Threat Grid for analysis.
Tags (CSV / List Format) (Optional) Tags to apply to the sample that you want to submit to Cisco Threat Grid for analysis.
Virtual Machine (Optional) Select the Sandbox VM on which Cisco Threat Grid will analyze the submitted sample.
The available VMs get dynamically populated from the Cisco Threat Grid server.
Playbook (Optional) Select the name of the Cisco Threat Grid playbook to apply to this sample during analysis.
The available playbooks get dynamically populated from the Cisco Threat Grid server.
Network Exit Localization (Optional) Select the Network Exit Localization for any outgoing network traffic that is generated during the analysis.
The available network exit localizations get dynamically populated from the Cisco Threat Grid server.
Private Sample (Optional) Specify whether the sample should be kept private, based on a Boolean value.
By default, this parameter is selected, i.e., the sample is kept private.
Email Notification Select this checkbox to send an email to the email address of the user who has submitted the sample, once the sample has been analyzed.
Classify Select this checkbox to submit the sample to the Threat Grid classification service. In this case, only if the classification service considers it interesting will the sample be taken forward for analysis.
Sample Password (Optional) Password that Cisco Threat Grid uses to open the submitted archive or document, if it is password-protected.
Callback URL (Optional) URL to which Cisco Threat Grid POSTs the analysis results once the sample has been analyzed. The endpoint must be reachable from the Cisco Threat Grid server.

Output

The JSON output contains the details of the file submitted to the Cisco Threat Grid server.

The output contains the following populated JSON schema:
{
"id": "",
"data": {
"filename": "",
"md5": "",
"sha1": "",
"submission_id": "",
"private": "",
"submitted_at": "",
"id": "",
"tags": [],
"vm": "",
"os": "",
"login": "",
"status": "",
"state": "",
"sha256": ""
},
"api_version": ""
}

operation: Search Report

Input parameters

Parameter Description
Text Text, such as the SHA-256, MD5, or ID of the sample, based on which you want to search for reports on the Cisco Threat Grid server.
Filter Submissions (Optional) Option by which you want to filter submissions.
You can choose between the following options:
User Only: Submissions are filtered by the current user.
Organization Only: Submissions are filtered by the organization of the current user.
Before (Optional) Return only submissions that were created before the specified datetime.
For example, 2017-08-01T10:58:54Z.
After (Optional) Return only submissions that were created after the specified datetime.
For example, 2017-08-01T12:58:54Z.
State (Optional) State by which you want to filter submissions.
You can choose from the following options: Waiting, Processing, Success, or Fail.
Limit (Optional) Maximum number of records that this operation should return.
By default, this option is set as 100.

Output

The JSON output contains the details of the reports retrieved from the Cisco Threat Grid server, based on the input text and parameters you have specified.

The output contains the following populated JSON schema:
{
"id": "",
"api_version": "",
"data": {
"took": "",
"total": "",
"items_per_page": "",
"current_item_count": "",
"items": [
{
"score": "",
"item": {
"filename": "",
"status": "",
"private": "",
"tags": [],
"properties": {
"metadata": ""
},
"sha1": "",
"state": "",
"sha256": "",
"submitted_at": "",
"organization_id": "",
"login": "",
"analysis": {
"metadata": {
"malware_desc": [
{
"filename": "",
"size": "",
"sha1": "",
"sha256": "",
"type": "",
"magic": "",
"md5": ""
}
],
"sandcastle_env": {
"analysis_start": "",
"vm": "",
"run_time": "",
"current_os": "",
"display_name": "",
"sandcastle": "",
"controlsubject": "",
"vm_id": "",
"sample_executed": "",
"analysis_end": ""
},
"general_details": {
"sandbox_version": "",
"report_created": "",
"sandbox_id": ""
}
},
"behaviors": [
{
"threat": "",
"title": "",
"name": ""
}
],
"threat_score": ""
},
"sample": "",
"vm_runtime": "",
"md5": ""
},
"matches": {
"sample": [
""
]
}
}
],
"index": "",
"timed_out": ""
}
}

operation: Get IOCs

Input parameters

Parameter Description
Sample ID ID of the sample for which you want to retrieve associated IOCs from the Cisco Threat Grid server.

Output

The JSON output contains the details of the IOCs associated with the sample retrieved from the Cisco Threat Grid server, based on the sample ID you have specified.

The output contains the following populated JSON schema:
{
"id": "",
"api_version": "",
"data": {
"items": [
{
"hits": "",
"tags": [],
"description": "",
"title": "",
"ioc": "",
"confidence": "",
"truncated": "",
"severity": "",
"data": [
{
"Process_Name": "",
"Address": "",
"Process_ID": ""
}
],
"category": [],
"heuristic_coefficient": ""
}
]
}
}
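The Get IOCs response above is rarely useful as-is in a playbook: a single sample can produce dozens of behavioral indicators of very different weight. The following added example (not code from the connector or from Cisco) shows how to reduce it to the behaviors and network hosts worth acting on, using the severity, confidence, truncated and data.Address fields of the schema. The constructed response, the 70/70 thresholds, and the "host:port" form of Address are this example's assumptions; the page does not document the Address format.

```python
# Added example, not part of the Cisco Threat Grid connector: reduce a Get IOCs
# response to the behaviours and network hosts worth acting on.

# Constructed response shaped like the Get IOCs output schema. The
# severity/confidence values and the "host:port" form of Address are this
# example's assumptions; the page does not document the Address format.
CONSTRUCTED_GET_IOCS = {
    "id": 1,
    "api_version": 2,
    "data": {"items": [
        {"ioc": "network-http-unusual-port", "title": "Outbound HTTP to an unusual port",
         "description": "The sample made HTTP requests to a non-standard port.",
         "severity": 80, "confidence": 75, "hits": 2, "truncated": True,
         "category": ["network"], "tags": [], "heuristic_coefficient": 0.3,
         "data": [{"Process_Name": "sample.exe", "Process_ID": 1234, "Address": "203.0.113.10:8080"},
                  {"Process_Name": "sample.exe", "Process_ID": 1234, "Address": "203.0.113.10:8080"}]},
        {"ioc": "registry-autorun-modified", "title": "Run key modified for persistence",
         "description": "A registry autorun entry was created.",
         "severity": 90, "confidence": 95, "hits": 1, "truncated": False,
         "category": ["persistence"], "tags": [], "heuristic_coefficient": 0.5,
         "data": [{"Process_Name": "sample.exe", "Process_ID": 1234}]},
        {"ioc": "network-dns-query", "title": "DNS query observed",
         "description": "The sample resolved a domain.",
         "severity": 25, "confidence": 50, "hits": 1, "truncated": False,
         "category": ["network"], "tags": [], "heuristic_coefficient": 0.1,
         "data": [{"Process_Name": "sample.exe", "Process_ID": 1234, "Address": "198.51.100.5"}]},
    ]},
}


def host_of(address):
    """Strip a trailing ':port' from an IPv4 'host:port' Address (assumption about
    the format). Anything with more than one colon (IPv6) is returned unchanged."""
    if address.count(":") == 1:
        return address.rsplit(":", 1)[0]
    return address


def triage_iocs(response, min_severity=70, min_confidence=70):
    """Keep IOCs at or above both thresholds, ordered by severity then confidence,
    and collect the distinct hosts they touched. IOCs whose 'data' list was
    truncated by Threat Grid are reported separately so the host list is not
    mistaken for a complete one."""
    selected, hosts, truncated, seen = [], [], [], set()
    for item in response.get("data", {}).get("items", []):
        severity = int(item.get("severity", 0))
        confidence = int(item.get("confidence", 0))
        if severity < min_severity or confidence < min_confidence:
            continue
        selected.append({"ioc": item["ioc"], "title": item.get("title", ""),
                         "severity": severity, "confidence": confidence,
                         "category": list(item.get("category", []))})
        if item.get("truncated"):
            truncated.append(item["ioc"])
        for row in item.get("data", []):
            address = row.get("Address")
            if address:
                host = host_of(address)
                if host not in seen:
                    seen.add(host)
                    hosts.append(host)
    selected.sort(key=lambda i: (i["severity"], i["confidence"]), reverse=True)
    return {"behaviours": selected, "hosts": hosts, "truncated": truncated}


if __name__ == "__main__":
    print(triage_iocs(CONSTRUCTED_GET_IOCS))
```

A playbook step would feed the Get IOCs output into triage_iocs and create indicator records from "hosts"; anything listed under "truncated" should be re-checked against the Get JSON Report network section before the host list is treated as complete.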

operation: Download Report

Input parameters

Parameter Description
Sample ID ID of the sample for which you want to retrieve the report from the Cisco Threat Grid server.
Download Type of report to download.
You can choose from the following options: Report HTML, Analysis JSON, Network PCAP, Runtime Video, or Processes JSON.

Output

When you choose Report HTML, the output of the Download Report operation is an HTML file containing the report for the sample identified by the sample ID you have specified. The file is stored in the Attachments module in FortiSOAR™, and the JSON output below describes that attachment.

The output contains the following populated JSON schema:
{
"report_url": "",
"attachment_datails": {
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"file": [],
"size": "",
"@type": "",
"@context": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"@type": "",
"@context": "",
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": "",
"description": ""
}
}

operation: Get Status

Input parameters

Parameter Description
Sample ID ID of the sample whose status you want to retrieve from the Cisco Threat Grid server.

Output

The JSON output contains the status of the sample retrieved from the Cisco Threat Grid server, based on the sample ID you have specified.

The output contains the following populated JSON schema:
{
"state": ""
}

operation: Get All Reports

Input parameters

Parameter Description
Before Datetime in ISO 8601 format, for example, 2017-07-31 11:58:54, before which submissions are retrieved. The operation returns, grouped by date, the data of all samples submitted before this datetime by users belonging to your organization. The default timezone is UTC.
After Datetime in ISO 8601 format, for example, 2017-07-31 11:58:54, after which submissions are retrieved. The operation returns, grouped by date, the data of all samples submitted after this datetime by users belonging to your organization. The default timezone is UTC.

Output

The JSON output contains the data of all samples, date-wise, which have been submitted by users belonging to a particular organization retrieved from the Cisco Threat Grid server, based on the date range you have specified.

The output contains the following populated JSON schema:


{
"score": "",
"item": {
"login": "",
"submitted_at": "",
"md5": "",
"vm_runtime": "",
"state": "",
"sha1": "",
"status": "",
"tags": [],
"properties": {
"metadata": ""
},
"sha256": "",
"analysis": {
"metadata": {
"malware_desc": [
{
"magic": "",
"sha256": "",
"md5": "",
"filename": "",
"size": "",
"type": "",
"sha1": ""
}
],
"general_details": {
"sandbox_id": "",
"report_created": "",
"sandbox_version": ""
},
"sandcastle_env": {
"run_time": "",
"analysis_end": "",
"analysis_start": "",
"vm_id": "",
"display_name": "",
"current_os": "",
"vm": "",
"controlsubject": "",
"sandcastle": "",
"sample_executed": ""
}
},
"threat_score": "",
"behaviors": [
{
"threat": "",
"title": "",
"name": ""
}
]
},
"organization_id": "",
"filename": "",
"private": "",
"sample": ""
},
"matches": ""
}

operation: Get JSON Report

Input parameters

Parameter Description
Sample ID ID of the sample whose analysis you want to retrieve from the Cisco Threat Grid server.

Output

The JSON output contains the detailed analysis of the sample retrieved from the Cisco Threat Grid server, based on the sample ID you have specified.

The output contains the following populated JSON schema:
{
"status": {
"status": "",
"sha1": "",
"state": "",
"id": "",
"analysis_started_at": "",
"ran": "",
"vm_runtime": "",
"queue": "",
"tags": [],
"ven": "",
"original_filename": "",
"running_on": "",
"origin": "",
"vm": "",
"playbook": "",
"analysis_submitted_at": "",
"sha256": "",
"md5": ""
},
"warnings": [
{
"data": [],
"code": "",
"description": "",
"title": ""
}
],
"disk": {
"partition_tables": {
"changes": {},
"orig": [
{
"start": "",
"type": "",
"size": ""
}
],
"changed": "",
"curr": [
{
"start": "",
"type": "",
"size": ""
}
]
},
"mbr": {
"contents": {
"orig": "",
"curr": ""
},
"changed": "",
"hashes": {
"orig": {
"sha1": "",
"sha256": "",
"md5": ""
},
"curr": {
"sha1": "",
"sha256": "",
"md5": ""
}
}
}
},
"iocs": [
{
"data": [
{
"Process_Name": "",
"Process_ID": "",
"Address": ""
}
],
"confidence": "",
"description": "",
"heuristic_coefficient": "",
"title": "",
"severity": "",
"hits": "",
"category": [],
"tags": [],
"ioc": "",
"truncated": ""
}
],
"dynamic": {
"processes": {}
},
"annotations": {},
"metadata": {
"sandcastle_env": {},
"malware_desc": [],
"general_details": {
"report_created": "",
"sandbox_id": "",
"sandbox_version": ""
}
},
"network": {},
"version": "",
"versions": {
"reversing_labs": "",
"virustotal": "",
"network": {
"version": ""
},
"file": {},
"version": "",
"heuristic_model": "",
"yara": ""
},
"threat": {
"heuristic_raw_score": "",
"threat_score": "",
"bucket": "",
"heuristic_score": ""
},
"artifacts": {}
}

operation: Search Report by Feeds

Input parameters

Parameter Description
Feed Name Name of feed, in Cisco Threat Grid, from which you want to retrieve data daily.
The feed names available are: autorun-registry, banking-dns, dll-hijacking-dns, doc-net-com-dns, downloaded-pe-dns, dynamic-dns, irc-dns, modified-hosts-dns, parked-dns, public-ip-check-dns, ransomware-dns, rat-dns, scheduled-tasks, sinkholed-ip-dns, and stolen-cert-dns.
Date (Optional) Date based on which you will retrieve the feed report. You must enter the date in the format YYYY-MM-DD.

Output

The JSON output contains the daily feed retrieved from the Cisco Threat Grid server, based on the feed name you have specified.

The output contains the following populated JSON schema:
{
"description": "",
"ips": [],
"sample_md5": "",
"sample": "",
"sample_sha256": "",
"info": "",
"domain": "",
"sample_sha1": "",
"timestamp": ""
}
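The feed names and the YYYY-MM-DD date are the two inputs most likely to be mistyped in a scheduled playbook, and a daily feed usually repeats the same domain across many samples. The following added example (not connector or Cisco code) validates the request before any call is made and rolls the feed records up per domain, using the domain, ips, sample_sha256 and timestamp fields of the output schema. The constructed records and the ISO 8601 timestamp format are this example's assumptions; the page does not give the timestamp format.

```python
# Added example, not part of the Cisco Threat Grid connector: validate a Search
# Report by Feeds request and roll its daily records up per domain.
from datetime import datetime

# Feed names as listed for the Feed Name parameter.
FEED_NAMES = frozenset({
    "autorun-registry", "banking-dns", "dll-hijacking-dns", "doc-net-com-dns",
    "downloaded-pe-dns", "dynamic-dns", "irc-dns", "modified-hosts-dns", "parked-dns",
    "public-ip-check-dns", "ransomware-dns", "rat-dns", "scheduled-tasks",
    "sinkholed-ip-dns", "stolen-cert-dns",
})


def validate_feed_request(feed_name, day=None):
    """Reject unknown feed names and dates not in YYYY-MM-DD before any call is made."""
    if feed_name not in FEED_NAMES:
        raise ValueError(f"unknown feed {feed_name!r}")
    if day is None:
        return {"feed_name": feed_name}
    parsed = datetime.strptime(day, "%Y-%m-%d").date()  # ValueError on anything else
    return {"feed_name": feed_name, "date": parsed.isoformat()}


# Constructed records shaped like the Search Report by Feeds output schema.
# Timestamps are ISO 8601 UTC by assumption; the page does not give the format.
CONSTRUCTED_FEED = [
    {"domain": "ransom-pay.example", "ips": ["203.0.113.7"], "sample": "s-1",
     "sample_sha256": "a" * 64, "sample_sha1": "a" * 40, "sample_md5": "a" * 32,
     "description": "ransomware-dns", "info": "", "timestamp": "2017-08-01T10:58:54Z"},
    {"domain": "ransom-pay.example", "ips": ["203.0.113.7", "203.0.113.8"], "sample": "s-2",
     "sample_sha256": "b" * 64, "sample_sha1": "b" * 40, "sample_md5": "b" * 32,
     "description": "ransomware-dns", "info": "", "timestamp": "2017-08-01T12:58:54Z"},
    {"domain": "cdn-static.example", "ips": ["198.51.100.20"], "sample": "s-3",
     "sample_sha256": "c" * 64, "sample_sha1": "c" * 40, "sample_md5": "c" * 32,
     "description": "ransomware-dns", "info": "", "timestamp": "2017-08-01T09:00:00Z"},
]


def aggregate_feed(records):
    """Group records by domain: distinct IPs, distinct sample hashes and the
    first/last time seen. Domains backed by the most samples come first, which
    is the order in which a playbook would create indicators from the feed."""
    by_domain = {}
    for rec in records:
        entry = by_domain.setdefault(rec["domain"], {
            "domain": rec["domain"], "ips": set(), "samples": set(),
            "first_seen": rec["timestamp"], "last_seen": rec["timestamp"]})
        entry["ips"].update(rec.get("ips", []))
        entry["samples"].add(rec["sample_sha256"])
        entry["first_seen"] = min(entry["first_seen"], rec["timestamp"])
        entry["last_seen"] = max(entry["last_seen"], rec["timestamp"])
    rows = [{**e, "ips": sorted(e["ips"]), "samples": sorted(e["samples"]),
             "sample_count": len(e["samples"])} for e in by_domain.values()]
    rows.sort(key=lambda r: (-r["sample_count"], r["domain"]))
    return rows


if __name__ == "__main__":
    print(validate_feed_request("ransomware-dns", "2017-08-01"))
    for row in aggregate_feed(CONSTRUCTED_FEED):
        print(row["domain"], row["sample_count"], row["ips"])
```

The min/max comparison on timestamps only works because every record uses the same fixed-width ISO 8601 form; if the appliance returns a different format, parse the timestamps before comparing them.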

operation: Get Summary

Input parameters

Parameter Description
Sample ID ID of the sample whose summary you want to retrieve from the Cisco Threat Grid server.

Output

The JSON output contains the summary of the sample retrieved from the Cisco Threat Grid server, based on the sample ID you have specified.

The output contains the following populated JSON schema:


{
"api_version": "",
"data": {
"max-confidence": "",
"max-severity": "",
"count": "",
"bis": [],
"score": "",
"sample": ""
},
"id": ""
}

operation: Get Rate Limit Information

Input parameters

None.

Output

The JSON output contains the submission quota that remains available to the current user and to the user's organization, as reported by the Cisco Threat Grid server, together with the number of seconds to wait before the next submission is accepted.

The output contains the following populated JSON schema:
{
"api_version": "",
"data": {
"user": {
"submission-wait-seconds": "",
"submission-rate-limit": [
{
"submission-wait-seconds": "",
"minutes": "",
"submissions-available": "",
"samples": ""
}
],
"submissions-available": ""
},
"organization": {
"submission-wait-seconds": "",
"submission-rate-limit": [
{
"submission-wait-seconds": "",
"minutes": "",
"submissions-available": "",
"samples": ""
}
],
"submissions-available": ""
}
},
"id": ""
}
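The operations Submit Sample, Get Status, Get Summary and Get Rate Limit Information are normally chained in one playbook, and the chain has three places where a careless implementation goes wrong: submitting when the quota is exhausted, trusting a report without checking that the sha256 echoed back matches the file that was sent, and treating an in-progress state as a result. The following added example (not code from the connector or from Cisco) implements the chain against a stand-in client whose responses are constructed to match the output schemas in this document. Which states are terminal (succ and fail), the 90/60 score cut-offs, and the FakeThreatGrid class are this example's assumptions.

```python
# Added example, not part of the Cisco Threat Grid connector: Submit Sample ->
# Get Status -> Get Summary with a rate-limit gate and an integrity check,
# driven against a stand-in client with constructed responses.
import hashlib
import time

# Lifecycle states listed for the Get Status operation. Which of them are
# terminal is an assumption of this example: 'succ' and 'fail' end analysis,
# everything else means "ask again later".
TERMINAL_STATES = {"succ", "fail"}
IN_PROGRESS_STATES = {"pending", "wait", "prep", "run", "running", "proc"}


class FakeThreatGrid:
    """Stand-in for the connector's operations. Responses are constructed to
    match the output schemas in this document; nothing here talks to a server."""

    def __init__(self, status_sequence, sha256, submissions_available=1, wait_seconds=0):
        self._states = list(status_sequence)
        self._sha256 = sha256
        self._available = submissions_available
        self._wait = wait_seconds
        self.status_calls = 0

    def get_rate_limit_info(self):
        return {"api_version": 2, "id": 1, "data": {
            "user": {"submissions-available": self._available,
                     "submission-wait-seconds": self._wait,
                     "submission-rate-limit": []},
            "organization": {"submissions-available": 100,
                             "submission-wait-seconds": 0,
                             "submission-rate-limit": []}}}

    def submit_sample(self, filename, content):
        return {"api_version": 2, "id": 2, "data": {
            "id": "sample-0001", "submission_id": 42, "filename": filename,
            "sha256": self._sha256, "state": "wait", "status": "pending",
            "private": True, "tags": []}}

    def get_status(self, sample_id):
        self.status_calls += 1
        # Advance through the sequence and stay on its last element.
        state = self._states.pop(0) if len(self._states) > 1 else self._states[0]
        return {"state": state}

    def get_summary(self, sample_id):
        return {"api_version": 2, "id": 3, "data": {
            "sample": sample_id, "score": 95, "max-severity": 100,
            "max-confidence": 95, "count": 3, "bis": []}}


def verdict_from_score(score):
    """Map Threat Grid's 0-100 threat score to a playbook verdict.
    The 90/60 cut-offs are this example's assumption, not Threat Grid's."""
    if score >= 90:
        return "malicious"
    if score >= 60:
        return "suspicious"
    return "benign"


def detonate(client, filename, content, poll_interval=0, max_polls=20, sleep=time.sleep):
    """Submit a file, verify the hash Threat Grid echoes back, poll Get Status
    until a terminal state, then read Get Summary. Returns a small dict a
    playbook could write onto the alert record."""
    # Rate-limit gate: honour the per-user quota before spending a submission.
    user_limit = client.get_rate_limit_info()["data"]["user"]
    if int(user_limit["submissions-available"]) <= 0:
        sleep(int(user_limit["submission-wait-seconds"]))

    local_sha256 = hashlib.sha256(content).hexdigest()
    sample = client.submit_sample(filename, content)["data"]
    # Integrity check: a mismatch means the report would describe some other file.
    if sample["sha256"].lower() != local_sha256:
        raise ValueError(f"sha256 mismatch: sent {local_sha256}, server reports {sample['sha256']}")
    sample_id = sample["id"]

    state = None
    for _ in range(max_polls):
        state = client.get_status(sample_id)["state"]
        if state in TERMINAL_STATES:
            break
        if state not in IN_PROGRESS_STATES:
            raise RuntimeError(f"unexpected sample state {state!r}")
        sleep(poll_interval)
    else:
        raise TimeoutError(f"sample {sample_id} still {state!r} after {max_polls} polls")

    if state == "fail":
        return {"sample_id": sample_id, "state": state, "score": None, "verdict": "analysis_failed"}
    summary = client.get_summary(sample_id)["data"]
    return {"sample_id": sample_id, "state": state, "score": summary["score"],
            "verdict": verdict_from_score(summary["score"])}


if __name__ == "__main__":
    content = b"constructed sample bytes, not real malware"
    client = FakeThreatGrid(["wait", "prep", "run", "proc", "succ"],
                            hashlib.sha256(content).hexdigest())
    print(detonate(client, "sample.bin", content))
```

In a real playbook the three client methods map onto the connector operations of the same name, poll_interval is set to tens of seconds rather than zero, and a "fail" state is surfaced as its own outcome rather than being folded into "benign".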

Included playbooks

The Sample - Cisco Threat Grid - 1.3.0 playbook collection comes bundled with the Cisco Threat Grid connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Threat Grid connector.

  • Download Report
  • Get All Reports
  • Get IOCs
  • Get JSON Report
  • Get Rate Limit Information
  • Get Status
  • Get Summary
  • Search Report
  • Search Report by Feeds
  • Submit Sample

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

Previous
Next

Cisco Threat Grid v1.3.0

About the connector

A Cisco Threat Grid Appliance provides a safe and highly secure on-premises advanced malware analysis and threat intelligence technology. Cisco Threat Grid empowers organizations operating under various compliance and policy restrictions, to submit malware samples to the appliance. By maintaining a Cisco Threat Grid Appliance on-premises, organizations can send suspicious documents and files to it to be analyzed without leaving the network, thereby protecting the organization.

This document provides information about the Cisco Threat Grid Connector, which facilitates automated interactions, with a Cisco Threat Grid server using FortiSOAR™ playbooks. Add the Cisco Threat Grid Connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting a sample to Cisco Threat Grid, retrieving reports for a submitted file, and getting daily feeds from Cisco Threat Grid.

Version information

Connector Version: 1.3.0

Authored By: Community

Certified: No

Release Notes for version 1.3.0

Following enhancements have been made to the Cisco Threat Grid Connector in version 1.3.0:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-cisco-threatgrid

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Cisco Threat Grid connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL URL for the Cisco Threat Grid server from where the connector gets notifications and to which you will connect and perform automated operations.
API Key API key that is configured for your account for the Cisco Threat Grid server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Submit Sample Submits a sample file or URL to the Cisco Threat Grid server for analysis. detonate_file
Investigation
Search Report Searches for reports on the Cisco Threat Grid server based on the input text and parameters you have specified. get_analysis
Investigation
Get IOCs Retrieves details of IOCs associated with the submitted sample from the Cisco Threat Grid server. IOC (Indicators of Compromise) enables you to identify a known threat, an attacker's methodology, or any other evidence of compromise. get_iocs
Investigation
Download Report Retrieves a report or analysis for a submitted sample from the Cisco Threat Grid server. The report file is stored in the Attachments module in FortiSOAR™. get_reputation
Investigation
Get Status Retrieves the state of a submitted sample from the Cisco Threat Grid server. There are a number of states that a sample can be in once it is submitted to Cisco Threat Grid. The states are: pending, running, succ, proc, fail, prep, wait, and run. get_status
Investigation
Get All Reports Retrieves organization reports of samples submitted from the Cisco Threat Grid server, based on the input date you have specified. get_file
Investigation
Get JSON Report Retrieves the detailed static and dynamic reports of the submitted sample from the Cisco Threat Grid server. get_analysis
Investigation
Search Report by Feeds Searches for reports from the Cisco Threat Grid server based on the feed you have specified.
Feeds are retrieved daily from Cisco Threat Grid and used by organizations and partners for targeted threat intelligence, by focusing on the specific types of threats faced by particular industries.
get_report
Investigation
Get Summary Retrieves the threat summary of a submitted sample from the Cisco Threat Grid server. get_report
Investigation
Get Rate Limit Information Retrieves information for all available submissions from the Cisco Threat Grid server. get_rate_limit_info
Investigation

operation: Submit Sample

Input parameters

Parameter Description
Submission Type Select the submission type of the sample that you want to submit to Cisco Threat Grid for analysis. You can choose between Upload File or Submit URL
  • If you choose Upload File, then you must specify the following parameters:
    • File Name: Name of the file that you want to submit to Cisco Threat Grid for analysis.
    • File IRI: FortiSOAR™ File IRI of the file that you want to submit to Cisco Threat Grid for analysis.
      Note: The file that you want to submit to Cisco Threat Grid for analysis must be part of the Attachment module in FortiSOAR™.
  • If you choose Submit URL, then you must specify the following parameters:
    • URL: URL that you want to submit to Cisco Threat Grid for analysis.
Tags (CSV / List Format) (Optional) Tags that applies to the sample that you want to submit to Cisco Threat Grid for analysis.
Virtual Machine (Optional) Select the Sandbox VM on which Cisco Threat Grid will analyze the submitted sample.
The available VMs get dynamically populated from the Cisco Threat Grid server.
Playbook (Optional) Select the Name of the playbook that is to applied to this sample during the process of this operation.
The available playbooks get dynamically populated from the Cisco Threat Grid server.
Network Exit Localization (Optional) Select the Network Exit Localization for any outgoing network traffic that is generated during the analysis.
The available network exit localizations get dynamically populated from the Cisco Threat Grid server.
Private Sample (Optional) Specify whether the sample should be kept private, based on a Boolean value.
By default, this parameter is selected, i.e., the sample is kept private.
Email Notification Select this checkbox to send an email to the email address of the user who has submitted the sample, once the sample has been analyzed.
Classify Select this checkbox to submit the sample to the Threat Grid classification service. In this case, only if the classification service considers it interesting will the sample be taken forward for analysis.
Sample Password (Optional) Adds a password that would be used to open the submitted archive or document.
Callback URL (Optional) URL where the results are submitted using the `POST` method, once the sample has been analyzed.

Output

The JSON output contains the details of the file submitted to the Cisco Threat Grid server.

The output contains the following populated JSON schema:
{
"id": "",
"data": {
"filename": "",
"md5": "",
"sha1": "",
"submission_id": "",
"private": "",
"submitted_at": "",
"id": "",
"tags": [],
"vm": "",
"os": "",
"login": "",
"status": "",
"state": "",
"sha256": ""
},
"api_version": ""
}

operation: Search Report

Input parameters

Parameter Description
Text Text such as SHA 256, MD5, or ID of the sample based on which you want to search for reports on the Cisco Threat Grid server.
Filter Submissions (Optional) Option by which you want to filter submissions.
You can choose between the following options:
User Only: Submissions are filtered by the current user.
Organization Only: Submissions are filtered by the organization of the current user.
Before (Optional) Datetime from when you want to return submissions, i.e., return submissions that were created before the specified DateTime.
For example, 2017-08-01T10:58:54Z.
After (Optional) Datetime till when you want to return submissions, i.e., return submissions that were created after the specified DateTime.
For example, 2017-08-01T12:58:54Z.
State (Optional) State by which you want to filter submissions.
You can choose from the following options: Waiting, Processing, Success, or Fail.
Limit (Optional) Maximum number of records that this operation should return.
By default, this option is set as 100.

Output

The JSON output contains the details of the reports retrieved from the Cisco Threat Grid server, based on the input text and parameters you have specified.

The output contains the following populated JSON schema:
{
"id": "",
"api_version": "",
"data": {
"took": "",
"total": "",
"items_per_page": "",
"current_item_count": "",
"items": [
{
"score": "",
"item": {
"filename": "",
"status": "",
"private": "",
"tags": [],
"properties": {
"metadata": ""
},
"sha1": "",
"state": "",
"sha256": "",
"submitted_at": "",
"organization_id": "",
"login": "",
"analysis": {
"metadata": {
"malware_desc": [
{
"filename": "",
"size": "",
"sha1": "",
"sha256": "",
"type": "",
"magic": "",
"md5": ""
}
],
"sandcastle_env": {
"analysis_start": "",
"vm": "",
"run_time": "",
"current_os": "",
"display_name": "",
"sandcastle": "",
"controlsubject": "",
"vm_id": "",
"sample_executed": "",
"analysis_end": ""
},
"general_details": {
"sandbox_version": "",
"report_created": "",
"sandbox_id": ""
}
},
"behaviors": [
{
"threat": "",
"title": "",
"name": ""
}
],
"threat_score": ""
},
"sample": "",
"vm_runtime": "",
"md5": ""
},
"matches": {
"sample": [
""
]
}
}
],
"index": "",
"timed_out": ""
}
}

operation: Get IOCs

Input parameters

Parameter Description
Sample ID ID of the sample for which you want to retrieve associated IOCs from the Cisco Threat Grid server.

Output

The JSON output contains the details of the IOCs associated with the sample retrieved from the Cisco Threat Grid server, based on the sample ID you have specified.

The output contains the following populated JSON schema:
{
"id": "",
"api_version": "",
"data": {
"items": [
{
"hits": "",
"tags": [],
"description": "",
"title": "",
"ioc": "",
"confidence": "",
"truncated": "",
"severity": "",
"data": [
{
"Process_Name": "",
"Address": "",
"Process_ID": ""
}
],
"category": [],
"heuristic_coefficient": ""
}
]
}
}

operation: Download Report

Input parameters

Parameter Description
Sample ID ID of the sample for which you want to retrieve the report from the Cisco Threat Grid server.
Download Type of report to download.
You can choose from the following options: Report HTML, Analysis JSON, Network PCAP, Runtime Video, or Processes JSON.

Output

The sample output of the Download Report operation, when you choose the report type as Report HTML is an HTML file that contains the report for the sample that is retrieved from the Cisco Threat Grid server, based on the sample ID you have specified. The HTML file is stored in the Attachments module in FortiSOAR™.

The output contains the following populated JSON schema:
{
"report_url": "",
"attachment_datails": {
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"file": [],
"size": "",
"@type": "",
"@context": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"@type": "",
"@context": "",
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": "",
"description": ""
}
}

operation: Get Status

Input parameters

Parameter Description
Sample ID ID of the sample for whose status you want to retrieve from the Cisco Threat Grid server.

Output

The JSON output contains the status of the sample retrieved from the Cisco Threat Grid server, based on the sample ID you have specified.

The output contains the following populated JSON schema:
{
"state": ""
}

operation: Get All Reports

Input parameters

Parameter Description
Before Specify the datetime in the (ISO 8601) format, for example, 2017-07-31 11:58:54, before which date, the data of all samples that have been submitted by users belonging to a particular organization, are retrieved date-wise. The default timezone is UTC.
After Specify the date in the (ISO 8601) format, for example, 2017-07-31 11:58:54, after which date, the data of all samples that have been submitted by users belonging to a particular organization, are retrieved date-wise. The default timezone is UTC.

Output

The JSON output contains the data, date-wise, of all samples submitted by users belonging to a particular organization, retrieved from the Cisco Threat Grid server based on the date range you have specified.

The output contains the following populated JSON schema:
{
  "score": "",
  "item": {
    "login": "",
    "submitted_at": "",
    "md5": "",
    "vm_runtime": "",
    "state": "",
    "sha1": "",
    "status": "",
    "tags": [],
    "properties": {
      "metadata": ""
    },
    "sha256": "",
    "analysis": {
      "metadata": {
        "malware_desc": [
          {
            "magic": "",
            "sha256": "",
            "md5": "",
            "filename": "",
            "size": "",
            "type": "",
            "sha1": ""
          }
        ],
        "general_details": {
          "sandbox_id": "",
          "report_created": "",
          "sandbox_version": ""
        },
        "sandcastle_env": {
          "run_time": "",
          "analysis_end": "",
          "analysis_start": "",
          "vm_id": "",
          "display_name": "",
          "current_os": "",
          "vm": "",
          "controlsubject": "",
          "sandcastle": "",
          "sample_executed": ""
        }
      },
      "threat_score": "",
      "behaviors": [
        {
          "threat": "",
          "title": "",
          "name": ""
        }
      ]
    },
    "organization_id": "",
    "filename": "",
    "private": "",
    "sample": ""
  },
  "matches": ""
}

operation: Get JSON Report

Input parameters

Parameter Description
Sample ID ID of the sample whose analysis you want to retrieve from the Cisco Threat Grid server.

Output

The JSON output contains the detailed analysis of the sample retrieved from the Cisco Threat Grid server, based on the sample ID you have specified.

The output contains the following populated JSON schema:
{
  "status": {
    "status": "",
    "sha1": "",
    "state": "",
    "id": "",
    "analysis_started_at": "",
    "ran": "",
    "vm_runtime": "",
    "queue": "",
    "tags": [],
    "ven": "",
    "original_filename": "",
    "running_on": "",
    "origin": "",
    "vm": "",
    "playbook": "",
    "analysis_submitted_at": "",
    "sha256": "",
    "md5": ""
  },
  "warnings": [
    {
      "data": [],
      "code": "",
      "description": "",
      "title": ""
    }
  ],
  "disk": {
    "partition_tables": {
      "changes": {},
      "orig": [
        {
          "start": "",
          "type": "",
          "size": ""
        }
      ],
      "changed": "",
      "curr": [
        {
          "start": "",
          "type": "",
          "size": ""
        }
      ]
    },
    "mbr": {
      "contents": {
        "orig": "",
        "curr": ""
      },
      "changed": "",
      "hashes": {
        "orig": {
          "sha1": "",
          "sha256": "",
          "md5": ""
        },
        "curr": {
          "sha1": "",
          "sha256": "",
          "md5": ""
        }
      }
    }
  },
  "iocs": [
    {
      "data": [
        {
          "Process_Name": "",
          "Process_ID": "",
          "Address": ""
        }
      ],
      "confidence": "",
      "description": "",
      "heuristic_coefficient": "",
      "title": "",
      "severity": "",
      "hits": "",
      "category": [],
      "tags": [],
      "ioc": "",
      "truncated": ""
    }
  ],
  "dynamic": {
    "processes": {}
  },
  "annotations": {},
  "metadata": {
    "sandcastle_env": {},
    "malware_desc": [],
    "general_details": {
      "report_created": "",
      "sandbox_id": "",
      "sandbox_version": ""
    }
  },
  "network": {},
  "version": "",
  "versions": {
    "reversing_labs": "",
    "virustotal": "",
    "network": {
      "version": ""
    },
    "file": {},
    "version": "",
    "heuristic_model": "",
    "yara": ""
  },
  "threat": {
    "heuristic_raw_score": "",
    "threat_score": "",
    "bucket": "",
    "heuristic_score": ""
  },
  "artifacts": {}
}
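As an added example (not code from the connector or from this documentation), the following Python shows how a playbook step can triage a Get JSON Report result: it pulls the sample hashes and threat bucket from the schema above and keeps only the IOCs whose severity and confidence both clear an analyst-chosen threshold. The report values and threshold defaults are constructed for illustration.

```python
import json

# Constructed Get JSON Report output shaped like the schema above; the values
# are illustrative placeholders, not a real Cisco Threat Grid result.
SAMPLE_REPORT = json.loads("""
{
  "status": {"original_filename": "invoice.doc",
             "sha256": "CONSTRUCTED_SHA256", "md5": "CONSTRUCTED_MD5"},
  "iocs": [
    {"title": "Process Modified Autorun Registry Key", "severity": 90,
     "confidence": 80, "category": ["persistence"],
     "data": [{"Process_Name": "winword.exe", "Process_ID": 1234, "Address": ""}]},
    {"title": "Document Queried Machine Name", "severity": 40,
     "confidence": 50, "category": ["reconnaissance"], "data": []}
  ],
  "threat": {"threat_score": 95, "bucket": "malicious", "heuristic_score": 85}
}
""")


def _num(value):
    """Schema fields arrive as numbers, numeric strings or "" when unset."""
    return int(value or 0)


def triage(report, min_severity=75, min_confidence=75):
    """Return hashes, threat score/bucket and the IOCs that meet both thresholds."""
    status = report.get("status", {})
    threat = report.get("threat", {})
    strong_iocs = []
    for ioc in report.get("iocs", []):
        if _num(ioc.get("severity")) < min_severity:
            continue
        if _num(ioc.get("confidence")) < min_confidence:
            continue
        # Collapse the per-hit data rows to the distinct process names involved.
        procs = sorted({row.get("Process_Name") for row in ioc.get("data", [])
                        if row.get("Process_Name")})
        strong_iocs.append({"title": ioc.get("title"),
                            "severity": _num(ioc.get("severity")),
                            "confidence": _num(ioc.get("confidence")),
                            "category": ioc.get("category", []),
                            "processes": procs})
    return {"filename": status.get("original_filename"),
            "sha256": status.get("sha256"), "md5": status.get("md5"),
            "threat_score": _num(threat.get("threat_score")),
            "bucket": threat.get("bucket"), "strong_iocs": strong_iocs}
```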

operation: Search Report by Feeds

Input parameters

Parameter Description
Feed Name Name of feed, in Cisco Threat Grid, from which you want to retrieve data daily.
The feed names available are: autorun-registry, banking-dns, dll-hijacking-dns, doc-net-com-dns, downloaded-pe-dns, dynamic-dns, irc-dns, modified-hosts-dns, parked-dns, public-ip-check-dns, ransomware-dns, rat-dns, scheduled-tasks, sinkholed-ip-dns, and stolen-cert-dns.
Date (Optional) Date for which you want to retrieve the feed report. You must enter the date in the format YYYY-MM-DD.

Output

The JSON output contains the daily feed retrieved from the Cisco Threat Grid server, based on the feed name you have specified.

The output contains the following populated JSON schema:
{
  "description": "",
  "ips": [],
  "sample_md5": "",
  "sample": "",
  "sample_sha256": "",
  "info": "",
  "domain": "",
  "sample_sha1": "",
  "timestamp": ""
}

operation: Get Summary

Input parameters

Parameter Description
Sample ID ID of the sample whose summary you want to retrieve from the Cisco Threat Grid server.

Output

The JSON output contains the summary of the sample retrieved from the Cisco Threat Grid server, based on the sample ID you have specified.

The output contains the following populated JSON schema:
{
  "api_version": "",
  "data": {
    "max-confidence": "",
    "max-severity": "",
    "count": "",
    "bis": [],
    "score": "",
    "sample": ""
  },
  "id": ""
}

operation: Get Rate Limit Information

Input parameters

None.

Output

The JSON output contains the submission rate limits, the number of submissions still available, and the wait time before the next submission, for both the user and the user's organization, retrieved from the Cisco Threat Grid server.

The output contains the following populated JSON schema:
{
  "api_version": "",
  "data": {
    "user": {
      "submission-wait-seconds": "",
      "submission-rate-limit": [
        {
          "submission-wait-seconds": "",
          "minutes": "",
          "submissions-available": "",
          "samples": ""
        }
      ],
      "submissions-available": ""
    },
    "organization": {
      "submission-wait-seconds": "",
      "submission-rate-limit": [
        {
          "submission-wait-seconds": "",
          "minutes": "",
          "submissions-available": "",
          "samples": ""
        }
      ],
      "submissions-available": ""
    }
  },
  "id": ""
}
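As an added example (not the connector's own code), this Python helper reads a Get Rate Limit Information result before a Submit Sample step and reports whether a submission is allowed now or how long to wait, taking the stricter of the user and organization quotas. The response values are constructed for illustration.

```python
# Constructed Get Rate Limit Information output shaped like the schema above;
# the numbers are illustrative, not a real Cisco Threat Grid response.
RATE_LIMIT_RESPONSE = {
    "api_version": 2,
    "id": 1,
    "data": {
        "user": {
            "submission-wait-seconds": 0,
            "submissions-available": 3,
            "submission-rate-limit": [
                {"minutes": 60, "samples": 10,
                 "submissions-available": 3, "submission-wait-seconds": 0}
            ],
        },
        "organization": {
            "submission-wait-seconds": 420,
            "submissions-available": 0,
            "submission-rate-limit": [
                {"minutes": 1440, "samples": 200,
                 "submissions-available": 0, "submission-wait-seconds": 420}
            ],
        },
    },
}


def submission_window(rate_info, needed=1):
    """Return (can_submit, wait_seconds, limiting_scope, exhausted_windows).

    Both the user quota and the organization quota must have room for `needed`
    samples; otherwise report the longest wait and the scope that imposes it,
    plus every rate-limit window (scope, minutes, samples) that is exhausted.
    Schema fields may be numbers, numeric strings or "" when unset.
    """
    wait, limiting, exhausted = 0, None, []
    for scope in ("user", "organization"):
        quota = rate_info.get("data", {}).get(scope, {})
        for window in quota.get("submission-rate-limit", []):
            if int(window.get("submissions-available") or 0) < needed:
                exhausted.append((scope, int(window.get("minutes") or 0),
                                  int(window.get("samples") or 0)))
        available = int(quota.get("submissions-available") or 0)
        scope_wait = int(quota.get("submission-wait-seconds") or 0)
        # The scope with the longest wait is the one the caller must respect.
        if available < needed and scope_wait >= wait:
            wait, limiting = scope_wait, scope
    return (limiting is None, wait, limiting, exhausted)
```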

Included playbooks

The Sample - Cisco Threat Grid - 1.3.0 playbook collection comes bundled with the Cisco Threat Grid connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Threat Grid connector.

Note: If you plan to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
