File / Folder Structure
Sandbox will be installed in the /home/sandbox/sandbox directory by default.
If the default options are used, the following top-level folders will be created:
- logs: Contains logfiles collected from various components, see: Logging
- broker: Contains the "broker" component
- transform: Contains the "transform" analyzer engine
- webservice: Contains the Sandbox webservice that implements the top-level Sandbox API
- webservice-front: Contains the Sandbox frontend
- THIRD-PARTY: Contains license information from open-source libraries
The descriptions of potentially relevant folders in /home/sandbox/sandbox/transform are provided for informational purposes only:
- consumers: This is where a group of Python scripts resides. They consume reporting data and generate informational signals of different severity levels. These "signals" are often referred to as behavior indicators or signatures by other security vendors. The term "signal" is used to underline the fact that raw reporting contains a lot of "noise" (redundant information) from which the relevant signals have to be extracted.
- external: This folder has a variety of definitions (e.g. a list of UUIDs, MITRE techniques/tactics or local whitelists/blacklists). These files are actively maintained, and new versions are provided with each update.
- lib: This folder contains a variety of third-party libraries that are used by the processor node. Do not modify this folder.
- parser: This folder contains a variety of external scripts / integrations that are used by the processor node. Do not modify this folder.
- thirdparty: This folder contains a variety of third-party software not relevant to the core functionality. Do not modify this folder.
- yara: This folder contains a variety of third-party and local YARA rules, which are compiled into a master index file and matched against the input file and all extracted artifacts. In general, do not modify this folder, although it is possible to add custom YARA rules here.
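To make the signal-versus-noise idea behind the consumers folder concrete, here is a small, self-contained illustration of what a "consumer" does: it walks a report, emits severity-rated signals, and collapses duplicates and low-value findings. This is an added example, not one of the Sandbox's own consumer scripts; the report layout (`processes`, `file_writes`, `network` keys), the `Signal` structure, the severity scale and the sample report are all constructed assumptions, since the page does not document the real consumer interface.

```python
"""Illustrative report consumer: turn noisy reporting data into rated signals.

Added example, not part of the Sandbox distribution. The report format,
the Signal type, the severity scale (1 = informational .. 5 = critical)
and the sample data below are constructed for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Constructed sample report: mostly routine events (noise) plus a few
# that a defender would want surfaced. The temp-directory process appears
# twice on purpose, to show de-duplication.
SAMPLE_REPORT = {
    "processes": [
        {"pid": 1, "image": r"C:\Windows\explorer.exe"},
        {"pid": 2, "image": r"C:\Users\u\AppData\Local\Temp\setup.exe"},
        {"pid": 3, "image": r"C:\Users\u\AppData\Local\Temp\setup.exe"},
    ],
    "file_writes": [
        {"path": r"C:\Users\u\Documents\notes.txt", "mz_header": False},
        {"path": r"C:\Users\u\AppData\Local\Temp\setup.exe", "mz_header": True},
    ],
    "network": [
        {"host": "update.example.com", "dst": "198.51.100.7", "port": 443},
        {"host": None, "dst": "203.0.113.5", "port": 443},
    ],
}


@dataclass(frozen=True)
class Signal:
    """One extracted finding; frozen so equal signals de-duplicate via a set."""
    name: str
    severity: int  # constructed scale: 1 (informational) .. 5 (critical)
    evidence: str


Consumer = Callable[[dict], list[Signal]]


def exec_from_temp(report: dict) -> list[Signal]:
    """Flag processes whose image resides in a temporary directory."""
    out = []
    for proc in report.get("processes", []):
        image = proc.get("image", "").lower()
        if "\\temp\\" in image or "\\tmp\\" in image:
            out.append(Signal("process_executed_from_temp", 3, image))
    return out


def dropped_executable(report: dict) -> list[Signal]:
    """Flag files written with an MZ header and an executable extension."""
    out = []
    for write in report.get("file_writes", []):
        path = write.get("path", "")
        if write.get("mz_header") and path.lower().endswith((".exe", ".dll")):
            out.append(Signal("executable_dropped", 3, path))
    return out


def raw_ip_connection(report: dict) -> list[Signal]:
    """Flag connections made without a preceding hostname resolution."""
    out = []
    for conn in report.get("network", []):
        if not conn.get("host"):
            out.append(Signal("connection_without_dns", 2,
                              f"{conn.get('dst')}:{conn.get('port')}"))
    return out


CONSUMERS: list[Consumer] = [exec_from_temp, dropped_executable, raw_ip_connection]


def run_consumers(report: dict, consumers: list[Consumer] = CONSUMERS,
                  min_severity: int = 1) -> list[Signal]:
    """Run every consumer, then reduce noise: drop duplicates and findings
    below the severity threshold. Result is sorted by descending severity."""
    raw: list[Signal] = []
    for consumer in consumers:
        raw.extend(consumer(report))
    seen: set[Signal] = set()
    result: list[Signal] = []
    for sig in sorted(raw, key=lambda s: (-s.severity, s.name, s.evidence)):
        if sig.severity < min_severity or sig in seen:
            continue
        seen.add(sig)
        result.append(sig)
    return result


def overall_score(signals: list[Signal]) -> int:
    """Highest severity seen, or 0 when nothing was extracted."""
    return max((s.severity for s in signals), default=0)


if __name__ == "__main__":
    for sig in run_consumers(SAMPLE_REPORT):
        print(f"[{sig.severity}] {sig.name}: {sig.evidence}")
    print("overall:", overall_score(run_consumers(SAMPLE_REPORT)))
```

Each consumer is a plain function over the report, so adding a new signal type means adding one function to `CONSUMERS`; the de-duplication in `run_consumers` relies on `Signal` being a frozen dataclass, which gives it value-based equality and hashing for free.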