OSINT Lookups
Step #1 - Open /home/sandbox/sandbox/transform.cfg in a text editor
Step #2 - Modify the configuration by adding or modifying the properties on this page
Step #3 - Save the file and restart the sandbox service
Enable OSINT
To enable reputation lookups and external tools, use the following settings.
runOSINTLookups=truerunExtendedOSINTLookups=falserunOSINTLookupsOnExtractedFiles=falserunOSINTLookupsDistributedTimeoutMs=60000| Property name | Default value | Description |
|---|---|---|
| runOSINTLookups | true | Main switch to enable reputation lookups and external tool integrations on the input sample |
| runExtendedOSINTLookups | false | Enable execution for extracted IOCs |
| runOSINTLookupsOnExtractedFiles | false | Enable execution for extracted files |
| runOSINTLookupsDistributedTimeoutMs | 1 minute | Execution timeout |
Enable OSINT lookups exclusively on the input file hash
To enable reputation lookups to exclusively only perform OSINT lookups on the input file hash, use the following settings.
runOSINTLookups=truerunExtendedOSINTLookups=falserunOSINTLookupsOnExtractedFiles=falserunOSINTLookupsRestrictedResourceTypes=FILE_HASH_SHA256enableFuzzyHashLookup=falsecalculateFuzzyFsioHash=false| Property name | Default value | Description |
|---|---|---|
| runOSINTLookups | true | Main switch to enable reputation lookups and external tool integrations on the input sample |
| runExtendedOSINTLookups | false | Enable execution for extracted IOCs |
| runOSINTLookupsOnExtractedFiles | false | Enable execution for extracted files |
| runOSINTLookupsRestrictedResourceTypes | FILE_HASH_ SHA256, URL, DOMAIN | Type of resource is being looked up during an OSINT query |
| enableFuzzyHashLookup | true | Enable to perform any lookups based on fuzzy hashing |
| calculateFuzzyFsioHash | true | Enable the calculation of fuzzy hashes for files during its lookups |
OPSWAT Reputation
Enable OPSWAT Reputation lookups
enableOpswatReputationAPI=trueopswatReputationAPIURL=https://api.metadefender.com/opswatReputationAPIKey=The API key can be configured by the user manually, or it can be part of the license file. A demo API key is used if not specified by the user or license.
| Property Name | Default Value | Description |
|---|---|---|
| enableOpswatReputationAPI | true | Switch to enable / disable OPSWAT Reputation lookups |
| opswatReputationAPIURL | https://api.metadefender.com/ | API URL |
| opswatReputationAPIKey | API key |
OPSWAT MultiScanning
Enable OPSWAT MultiScanning with MetaDefender Cloud or MetaDefender Core
enableMetaDefenderAPI=falsemetaDefenderUseCloudAPI=truemetaDefenderAPIURL=https://api.metadefender.com/metaDefenderAPIKey=metaDefenderScanRule=metaDefenderScanTimeout=60| Property Name | Default Value | Description |
|---|---|---|
| enableMetaDefenderAPI | false | Switch to enable / disable OPSWAT MultiScanning |
| metaDefenderUseCloudAPI | true | If set to true, multiscan requests will be sent to MetaDefender Cloud If set to false, multiscan requests will be sent to MetaDefender Core |
| metaDefenderAPIURL | https://api.metadefender.com/ | API URL (could also point to local instance of MDCore, e.g.: http://10.0.0.5:8008/ ) |
| metaDefenderAPIKey | API key | |
| metaDefenderScanRule | Workflow rule to use | |
| metaDefenderScanTimeout | 1 minute | Execution timeout |
OPSWAT Fuzzy Hash Lookup
Fuzzy hashes are basically a SHA-256 of a long string that is built using a streamlined order, containing very high-level, but specific attributes of an input file. It is a proprietary algorithm and format developed by OPSWAT to enable detection of clusters of files / unknown malware. MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox) calculates FSIO Fuzzy hash for each appropriate input sample and looks for this hash in a specifically defined list.
Fuzzy hash lookup results are displayed in OSINT Lookup section
Please note, that you may not see result for every scanned malicious data.
The feature is enabled by default. To turn it off do the following steps:
enableFuzzyHashLookup=falseOffline URL Reputation
Enable offline URL reputation lookups based on (Link Removed).
This is an experimental feature, only enabled in offline mode by default.
enableOfflineUrlReputation=falseVirus Total
Enable Virus Total lookups
enableVirusTotalLookups=falsevirusTotalAPIKey=virusTotalQueriesPerMinute=4virusTotalDefaultMaliciousEngineCount=3| Property Name | Default Value | Description |
|---|---|---|
| enableVirusTotalLookups | false | Switch to enable / disable Virus Total lookups |
| virusTotalAPIKey | API key | |
| virusTotalQueriesPerMinute | 4 | Rate limiter for Virus total API queries / second. Value '0' means no rate limit. |
| virusTotalDefaultMaliciousEngineCount | 3 | Malicious lookup verdict if at least the configured number of providers detected the input as malicious |
Broadcom Threat Intel Insight
Enable Broadcom Threat Intel Insights lookups
enableBroadcomInsightAPI=falsebroadcomInsightAPIURL=https://api.sep.eu.securitycloud.symantec.com/broadcomInsightSecret=broadcomNetworkConfidenceThreshold=80broadcomNetworkMaliciousThreatLevel=9broadcomSha256ConfidenceThreshold=80broadcomInsightMaxRetry=2| Property Name | Default Value | Description |
|---|---|---|
| enableBroadcomInsightAPI | false | Switch to enable / disable Broadcom Threat Intel Insight lookups |
| broadcomInsightAPIURL | https://api.sep.eu.securitycloud.symantec.com/ | API URL |
| broadcomInsightSecret | API key | |
| broadcomNetworkConfidenceThreshold | 80 | Network related results are accepted when meeting the confidence threshold |
| broadcomNetworkMaliciousThreatLevel | 9 | Network related threat level threshold to meet for malicious or or likely malicious verdicts. In case confidence treshold is 80 or above the verdict is malicious, otherwise likely malicious. |
| broadcomSha256ConfidenceThreshold | 80 | File (SHA-256) related results are accepted when meeting the confidence threshold |
| broadcomInsightMaxRetry | 2 | Maximum number of retries for API requests |
Google Safe Browsing
Enable Google Safe Browsing lookups
enableSafebrowsingLookups=falsesafebrowsingAPI=| Property Name | Default Value | Description |
|---|---|---|
| enableSafebrowsingLookups | false | Switch to enable / disable Safe Browsing lookups |
| safebrowsingAPI | API key |