File / Folder Structure

Sandbox will be installed in the /home/sandbox/sandbox directory by default.

If the default options are used, the following top-level folders will be created:

  • logs: Contains logfiles collected from various components, see: Logging

  • broker: Contains the "broker" component

  • transform: Contains the "transform" analyzer engine

  • webservice: Contains the Sandbox webservice that implements the top-level Sandbox API

  • webservice-front: Contains the Sandbox frontend

  • THIRD-PARTY: Contains license information from open-source libraries

The descriptions of potentially relevant folders in /home/sandbox/sandbox/transform are provided for informational purposes only:

  • consumers: This is where a group of Python scripts reside, which can consume reporting data and generate informational signals of different severity levels. These "signals" are often referred to as behavior indicators / signatures by different security vendors. The term "signal" is used to underline the fact that a lot of reporting contains much "noise" (redundant information) of which the relevant signals need to be extracted.

  • external: This folder has a variety of definitions (e.g. a list of UUIDs, MITRE techniques/tactics or local whitelists/blacklists). These files are actively maintained, and new versions are provided with each update.

  • lib: This folder contains a variety of third-party libraries that are used by the processor node. Do not modify this folder.

  • parser: This folder contains a variety of external scripts / integrations that are used by the processor node. Do not modify this folder.

  • thirdparty: This folder contains a variety of third-party software not relevant to the core functionality. Do not modify this folder.

  • yara: This folder contains a variety of third party and local YARA rules, which are compiled to a master index file and used against the input file and extracted artifacts. In general, do not modify this folder, although it is possible to add custom YARA Rules here.