I would like the ability to use the Zscaler ‘Sandbox’ to do an MD5 lookup of a hash for Data Enrichment. The API parameters appear to be rather simple and here is the config of the GET request:
Sample Request - Full Report (Python)
import http.client

# Sandbox API host (replace HOSTNAME with the ZIA API hostname for your cloud)
conn = http.client.HTTPSConnection("HOSTNAME")
headers = {
    'content-type': "application/json",
    'cache-control': "no-cache",
    # session cookie obtained from the authenticated session login
    'cookie': "JSESSIONID=xxxxxxx"
}
# the path segment is the MD5 of the file; details=full returns the full report
conn.request("GET", "/api/v1/sandbox/report/8350dED6D39DF158E51D6CFBE36FB012?details=full", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
Sample Request - Summary Report (Python)
import http.client

# HTTPSConnection, not HTTPConnection: the API is served over TLS only
conn = http.client.HTTPSConnection("HOSTNAME")
headers = {
    'content-type': "application/json",
    'cache-control': "no-cache",
    'cookie': "JSESSIONID=xxxxxxx"
}
# same MD5 lookup; details=summary returns the shorter summary report
conn.request("GET", "/api/v1/sandbox/report/8350dED6D39DF158E51D6CFBE36FB012?details=summary", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
Sample Response - Summary Report for a Malicious File
{
  "Summary": {
    "Summary": {
      "Status": "COMPLETED",
      "Category": "EXECS",
      "FileType": "DLL",
      "StartTime": 1522111841,
      "Duration": 481690
    },
    "Classification": {
      "Type": "MALICIOUS",
      "Category": "MALWARE_BOTNET",
      "Score": 82,
      "DetectedMalware": "Win32/TrojanDownloader.Banload.TNJ trojan"
    },
    "FileProperties": {
      "FileType": "DLL",
      "FileSize": 2358272,
      "MD5": "b3b13c2fe5710507612106cb11ceced3",
      "SHA1": "6f30404f8b30812758acc06455bc95348c86f9f2",
      "Sha256": "c77ab4c60b73c8f8135d54162813ab7c63432058f17ff00754d5fd547c22db76",
      "Issuer": "",
      "DigitalCerificate": "",
      "SSDeep": "49152:mQU0HSp/RcGuBLe/PESBbFVZ86MfBWPvGZxnBGVV3NcKRLFcTOJP:mQUn6LsPQp6vkoiKt",
      "RootCA": ""
    }
  }
}
This is the site for what is included in a 'Full Report':
https://help.zscaler.com/zia/sandbox-report-use-cases
Thank you
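As an added example (not Zscaler's or the poster's code), here is how the lookup above could be wrapped for enrichment: the MD5 is validated before it is placed in the URL, the summary response is reduced to a verdict, and the live call is kept separate so the parser can be exercised offline against a constructed copy of the sample response. Only the endpoint, the JSESSIONID cookie and the field names shown in the post are assumed.

```python
import http.client
import json
import re

# Added example, not Zscaler's or the poster's code; it assumes only the endpoint,
# cookie and summary-response field names shown in the post.
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")

def build_report_path(md5: str, details: str = "summary") -> str:
    """Build the report path, refusing anything that is not a bare MD5 digest,
    so a malformed enrichment key cannot alter the path or query string."""
    if not MD5_RE.fullmatch(md5):
        raise ValueError(f"not an MD5 hex digest: {md5!r}")
    if details not in ("full", "summary"):
        raise ValueError(f"details must be 'full' or 'summary': {details!r}")
    return f"/api/v1/sandbox/report/{md5}?details={details}"

def parse_summary(body: str) -> dict:
    """Reduce a summary report to the fields worth attaching to an event."""
    report = json.loads(body)["Summary"]
    cls = report.get("Classification", {})
    return {
        "status": report.get("Summary", {}).get("Status"),
        "verdict": cls.get("Type"),  # e.g. MALICIOUS
        "malware_category": cls.get("Category"),
        "score": cls.get("Score"),
        "detected": cls.get("DetectedMalware"),
        "sha256": report.get("FileProperties", {}).get("Sha256"),
        "is_malicious": cls.get("Type") == "MALICIOUS",
    }

def fetch_summary(host: str, session_id: str, md5: str) -> dict:
    """Live lookup; needs network access and a valid ZIA session cookie."""
    conn = http.client.HTTPSConnection(host)
    conn.request("GET", build_report_path(md5, "summary"), headers={
        "content-type": "application/json", "cache-control": "no-cache",
        "cookie": f"JSESSIONID={session_id}"})
    res = conn.getresponse()
    body = res.read().decode("utf-8")
    if res.status != 200:  # expired session or unknown hash: do not enrich
        raise RuntimeError(f"sandbox lookup failed: HTTP {res.status}")
    return parse_summary(body)

# Constructed sample, abridged from the summary response quoted in the post.
SAMPLE_SUMMARY = json.dumps({"Summary": {
    "Summary": {"Status": "COMPLETED", "Category": "EXECS", "FileType": "DLL"},
    "Classification": {"Type": "MALICIOUS", "Category": "MALWARE_BOTNET", "Score": 82,
                       "DetectedMalware": "Win32/TrojanDownloader.Banload.TNJ trojan"},
    "FileProperties": {"MD5": "b3b13c2fe5710507612106cb11ceced3",
                       "Sha256": "c77ab4c60b73c8f8135d54162813ab7c63432058f17ff00754d5fd547c22db76"}}})
```

`parse_summary(SAMPLE_SUMMARY)` yields the enrichment fields for the malicious DLL in the post without any network call; `fetch_summary` does the same against a live session.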