Palo Alto - Cortex XSOAR

Palo Alto XSOAR is a security orchestration, automation and response (SOAR) platform, which allows security teams to automate and streamline security processes. By integrating MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox) with Palo Alto XSOAR, security teams can automate the process of scanning files for malware and other security threats. This integration allows security teams to quickly and easily scan files for potential threats, and take immediate action to mitigate any risks that are identified.

With the integration, you can send a file or URL scan request from XSOAR to Sandbox, or search for previously scanned reports in Sandbox.

You can find more information about XSOAR here.

MetaDefender Sandbox integration in the XSOAR marketplace available here.

Installation

Step #1 - Search for MetaDefender Sandbox in the marketplace

Step #2 - Click on the Install button in the top right corner.

The integration is then added to the basket. (The integration is free.)

Step #3 - Add an instance.

To do so, go to Settings -> Integrations, search for 'OPSWAT' and click 'Add instance' on the right-hand side.

A Sandbox API key is required to use the integration.

You can use the Activation Key that you received from your OPSWAT Sales Representative and follow the instructions on the License Activation page, or you can create an API key on the Community site under the API Key tab.

Enter your API key in the instance settings and treat it like any other credential. If you run an on-prem MetaDefender Sandbox, you can also enter your own server's URL; the default URL points to the Filescan.io free community service. Note that submissions to the community service are visible to other users unless you set is_private=true on the scan commands, so use that argument for sensitive samples.

You can validate the instance configuration under 'Test results':

Available commands

Scan URL

metadefender-sandbox-scan-url

Scans a URL with the Sandbox 'POST - Scan URL' API.

Command Arguments

Argument             Description                                                        Default value   Required
url                  The URL to submit                                                                  yes
timeout              The timeout for the polling, in seconds                            600
hide_polling_output  Hide polling output                                                true
description          Uploaded file/URL description
tags                 Tags array to propagate
password             Custom password, in case the uploaded archive is protected
is_private           If the file should not be available for download by other users    false

Command example

!metadefender-sandbox-scan-url https://www.google.com

Output example

Scan File

metadefender-sandbox-scan-file

Scans a file with the Sandbox 'POST - Scan File' API.

Command Arguments

Argument             Description                                                        Default value   Required
entry_id             The War Room entry ID of the file to submit                                        yes
timeout              The timeout for the polling, in seconds                            1200
hide_polling_output  Hide polling output                                                true
description          Uploaded file/URL description
tags                 Tags array to propagate
password             Custom password, in case the uploaded archive is protected
is_private           If the file should not be available for download by other users    false

Command example

!metadefender-sandbox-scan-file entry_id=<paste your entry id here> retry-interval=1

Output example

Search Query

metadefender-sandbox-search-query

Searches for reports. Finds reports and uploaded files by various tokens, using the Sandbox 'GET - Search Report' API endpoint.

Command Arguments

Argument    Description                                                                                Default value   Required
query       The query string                                                                                           yes
page        Page number, starting from 1
page_size   Page size. Can be 5, 10 or 20
limit       Number of total results. Maximum 50. (Ignored if page and page_size are also provided.)   10

Command example

!metadefender-sandbox-search-query query=theuselessweb limit=3

Output example
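The two argument tables above (Scan File and Search Query) carry constraints that are easy to get wrong when the commands are called from an automation rather than typed into the War Room: page_size is restricted to 5, 10 or 20, limit is capped at 50 and silently ignored once page and page_size are both set, and is_private defaults to false. The following XSOAR automation is an added example written for this page; it is not code shipped by OPSWAT or with the integration. It builds the argument sets with the documented names, enforces those constraints, and submits every file attached to the current incident as a private scan. The War Room entry type for files (3), the comma-separated form for array arguments, and the use of the built-in getEntries command are assumptions not stated on this page and are marked as such in the code.

```python
# Added example, not code shipped by OPSWAT or with the XSOAR integration: an
# XSOAR automation (Python) that builds the documented argument sets for
# metadefender-sandbox-scan-file and metadefender-sandbox-search-query,
# enforces the constraints the argument tables state, and submits every file
# attached to the current incident as a private scan. Items marked
# "assumption" are not stated on the integration page.
from typing import Any, Dict, List, Optional

SCAN_FILE_CMD = "metadefender-sandbox-scan-file"
SEARCH_CMD = "metadefender-sandbox-search-query"
FILE_ENTRY_TYPE = 3  # assumption: XSOAR War Room entries of Type 3 carry a file

ALLOWED_PAGE_SIZES = (5, 10, 20)  # from the search-query argument table
MAX_LIMIT = 50                    # from the search-query argument table


def build_scan_file_args(entry_id: str, timeout: int = 1200, description: str = "",
                         tags: Optional[List[str]] = None, password: str = "",
                         is_private: bool = True) -> Dict[str, str]:
    """Arguments for metadefender-sandbox-scan-file, using the documented names.

    is_private defaults to True here on purpose: the integration's own default
    is false, which leaves the uploaded sample downloadable by other users of
    the sandbox, so an automation handling incident evidence should opt in.
    """
    if not entry_id:
        raise ValueError("entry_id is required")
    if timeout <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    args = {
        "entry_id": entry_id,
        "timeout": str(timeout),
        "hide_polling_output": "true",
        "is_private": "true" if is_private else "false",
    }
    if description:
        args["description"] = description
    if tags:
        # assumption: XSOAR accepts array arguments as a comma-separated string
        args["tags"] = ",".join(tags)
    if password:
        args["password"] = password
    return args


def build_search_args(query: str, page: Optional[int] = None,
                      page_size: Optional[int] = None, limit: int = 10) -> Dict[str, str]:
    """Arguments for metadefender-sandbox-search-query.

    Mirrors the documented rule: when both page and page_size are given, limit
    is ignored by the integration, so it is deliberately left out here.
    """
    if not query:
        raise ValueError("query is required")
    args = {"query": query}
    if page is not None and page_size is not None:
        if page < 1:
            raise ValueError("page numbering starts at 1")
        if page_size not in ALLOWED_PAGE_SIZES:
            raise ValueError("page_size must be one of %s" % (ALLOWED_PAGE_SIZES,))
        args["page"] = str(page)
        args["page_size"] = str(page_size)
        return args
    if (page is None) != (page_size is None):
        raise ValueError("page and page_size must be given together")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and %d" % MAX_LIMIT)
    args["limit"] = str(limit)
    return args


def select_file_entry_ids(entries: List[Dict[str, Any]]) -> List[str]:
    """Return the IDs of War Room entries that carry a file (assumption: Type == 3)."""
    return [e["ID"] for e in entries if e.get("Type") == FILE_ENTRY_TYPE and e.get("ID")]


# Constructed sample of War Room entries, so this file runs outside XSOAR.
SAMPLE_ENTRIES = [
    {"ID": "12@345", "Type": 1, "Contents": "analyst note"},
    {"ID": "13@345", "Type": 3, "File": "invoice.zip"},
    {"ID": "14@345", "Type": 3, "File": "dropper.bin"},
]


def main() -> None:
    try:
        import demisto  # type: ignore  # provided by the XSOAR script runtime
    except ImportError:  # outside XSOAR: show what would be submitted
        for entry_id in select_file_entry_ids(SAMPLE_ENTRIES):
            print(SCAN_FILE_CMD, build_scan_file_args(entry_id, password="infected"))
        print(SEARCH_CMD, build_search_args("theuselessweb", limit=3))
        return
    # assumption: the built-in getEntries command lists the current incident's entries
    entries = demisto.executeCommand("getEntries", {}) or []
    for entry_id in select_file_entry_ids(entries):
        demisto.results(demisto.executeCommand(SCAN_FILE_CMD, build_scan_file_args(entry_id)))


if __name__ == "__main__":
    main()
```

Run stand-alone, the script prints the command name and argument dictionary it would hand to each command; inside XSOAR, the same functions feed demisto.executeCommand, so the validation happens before the request reaches the sandbox rather than as a failed polling loop.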

Compatibility

Integration name                 Version   Sandbox 1.9.*   Sandbox 2.0.*
OPSWAT-Filescan (deprecated)     1.*.*     Yes             No
OPSWAT-MetaDefender-Sandbox      1.0.0     Yes             No
OPSWAT-MetaDefender-Sandbox      1.0.1     Yes             Yes