Add the ability to do a 'Sandbox Report' on an MD5 hash

I would like the ability to use the Zscaler ‘Sandbox’ to do an MD5 lookup of a hash for Data Enrichment. The API parameters appear to be rather simple and here is the config of the GET request:

Sample Request - Full Report (Python)

import http.client

conn = http.client.HTTPSConnection("HOSTNAME")

headers = {
    'content-type': "application/json",
    'cache-control': "no-cache",
    'cookie': "JSESSIONID=xxxxxxx"
}

conn.request("GET", "/api/v1/sandbox/report/8350dED6D39DF158E51D6CFBE36FB012?details=full", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))

Sample Request - Summary Report (Python)

import http.client

# HTTPS, as in the full-report sample: the JSESSIONID cookie is the API credential
conn = http.client.HTTPSConnection("HOSTNAME")

headers = {
    'content-type': "application/json",
    'cache-control': "no-cache",
    'cookie': "JSESSIONID=xxxxxxx"
}

conn.request("GET", "/api/v1/sandbox/report/8350dED6D39DF158E51D6CFBE36FB012?details=summary", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))

Sample Response - Summary Report for a Malicious File

{
    "Summary": {
        "Summary": {
            "Status": "COMPLETED",
            "Category": "EXECS",
            "FileType": "DLL",
            "StartTime": 1522111841,
            "Duration": 481690
        },
        "Classification": {
            "Type": "MALICIOUS",
            "Category": "MALWARE_BOTNET",
            "Score": 82,
            "DetectedMalware": "Win32/TrojanDownloader.Banload.TNJ trojan"
        },
        "FileProperties": {
            "FileType": "DLL",
            "FileSize": 2358272,
            "MD5": "b3b13c2fe5710507612106cb11ceced3",
            "SHA1": "6f30404f8b30812758acc06455bc95348c86f9f2",
            "Sha256": "c77ab4c60b73c8f8135d54162813ab7c63432058f17ff00754d5fd547c22db76",
            "Issuer": "",
            "DigitalCerificate": "",
            "SSDeep": "49152:mQU0HSp/RcGuBLe/PESBbFVZ86MfBWPvGZxnBGVV3NcKRLFcTOJP:mQUn6LsPQp6vkoiKt",
            "RootCA": ""
        }
    }
}

This is the site for what is included in a 'Full Report':
https://help.zscaler.com/zia/sandbox-report-use-cases

Thank you

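As an added example (not from the post above or from Zscaler's documentation), here is a small enrichment helper that validates the hash, issues the same GET as the samples, and reduces the summary report to a verdict; the hostname and session cookie are assumed placeholders, and the constructed test input is the summary response quoted above.

```python
import http.client
import json
import re

MD5_RE = re.compile(r"[0-9a-fA-F]{32}")


def report_path(md5, details="summary"):
    # Only a bare 32-hex-char MD5 is allowed into the path, so untrusted
    # alert data cannot smuggle extra path or query segments into the request.
    if not MD5_RE.fullmatch(md5):
        raise ValueError(f"not an MD5 hash: {md5!r}")
    if details not in ("summary", "full"):
        raise ValueError(f"unknown detail level: {details!r}")
    return f"/api/v1/sandbox/report/{md5}?details={details}"


def fetch_report(hostname, session_id, md5, details="summary"):
    # Same GET as the samples above; HTTPS only, because the JSESSIONID
    # cookie is the API credential. hostname/session_id are placeholders.
    conn = http.client.HTTPSConnection(hostname)
    headers = {"content-type": "application/json", "cache-control": "no-cache",
               "cookie": f"JSESSIONID={session_id}"}
    conn.request("GET", report_path(md5, details), headers=headers)
    res = conn.getresponse()
    body = res.read()
    if res.status != 200:
        raise RuntimeError(f"sandbox API returned HTTP {res.status}")
    return json.loads(body.decode("utf-8"))


def verdict(report):
    # Reduce the nested summary report to the fields an enrichment step keys
    # on. Missing keys are tolerated: a hash the sandbox has not finished
    # with yields malicious=False rather than a crash or a false positive.
    summary = report.get("Summary", {})
    status = summary.get("Summary", {}).get("Status")
    cls = summary.get("Classification", {})
    props = summary.get("FileProperties", {})
    return {"status": status, "score": cls.get("Score"), "category": cls.get("Category"),
            "detected": cls.get("DetectedMalware"), "sha256": props.get("Sha256"),
            "malicious": status == "COMPLETED" and cls.get("Type") == "MALICIOUS"}


# Constructed test input: the summary response quoted in the post above.
SAMPLE = {"Summary": {
    "Summary": {"Status": "COMPLETED", "Category": "EXECS", "FileType": "DLL"},
    "Classification": {"Type": "MALICIOUS", "Category": "MALWARE_BOTNET",
                       "Score": 82, "DetectedMalware": "Win32/TrojanDownloader.Banload.TNJ trojan"},
    "FileProperties": {"MD5": "b3b13c2fe5710507612106cb11ceced3",
                       "Sha256": "c77ab4c60b73c8f8135d54162813ab7c63432058f17ff00754d5fd547c22db76"},
}}
```

Only `Status == "COMPLETED"` together with `Type == "MALICIOUS"` counts as a hit, so a pending or unknown hash never triggers a blocklist entry downstream.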

@tony_hamil thanks for posting, we started working on this action last week. It should be shipping soon :+1: will post back when it’s out.


Thank you for your reply… I figured it was in the works but just checking.

Have a great day

@tony_hamil - Are you planning on building this into a larger workflow or purely the MD5 lookup?
I’m just trying to figure out how I may be able to leverage similar functionality.


Sir,

For me, I have a workflow that I am ‘Finally’ putting together now that I have Custom IDR Alerts. It will take all URLs from my different Custom Alert Sources and hit them against everything possible (PhishTank, Virus Total, etc…) and now Zscaler to try and figure out if the URLs are malicious or not. It will then take these URLs (if deemed malicious) and add them back to Zscaler’s Blacklist and our Cisco SourceFire URL Blacklist as well.

Hope that helps


Hey all, we shipped an action for this and it’s available in the Extension Library. Let us know if you have any feedback on it.

Thanks
