View Sandbox Submissions

After submission, sandbox records are available in the listing with their analysis status and verdict. You can review the summary details and access the detailed report for further analysis.

View Sandbox Listing

You can view all sandbox submissions made by you and other users in your organization in the Sandbox listing, allowing you to track submissions, review analysis outcomes, and access key details for each record. The listing provides the following information and actions:

  • The sandbox submission list displays the following information:

    • Title: Name of the submitted artifact.

    • Sandbox Provider: Sandbox provider and the selected virtual machine environment used for analysis. For example, CAPE – win-10-build-19041.

    • Status: Current analysis state of the submission, such as Initiated, In Progress, Success, or Failed.

    • Malicious Score: Numerical score representing the assessed threat level of the submitted artifact. The score ranges from 0 (benign) to 10 (highly malicious). If the analysis fails or does not complete successfully, the score is displayed as N/A.

    • Verdict: Outcome of the analysis, such as Malicious, Suspicious, or Benign. If the analysis fails or does not complete successfully, the verdict is displayed as N/A. For more information, see Verdict Types.

    • Type: Type of submission for analysis.

    • Submitted By: Email ID of the user who submitted the artifact.

    • Submitted On: Date and time when the analysis was completed.

  • You can filter submissions by Submitted On, Status, and Verdict. Additionally, you can directly enter your query in the search bar to locate specific records.

  • You can sort the list by Submitted On in ascending or descending order, and click Refresh to view the latest results. By default, the list is sorted by Submitted On in descending order.

  • For each sandbox record, you can also perform the following actions:

    • Download PDF: Save the analysis report as a PDF file. The download may take some time, depending on the report size.

    • Download HTML: Save the full report in HTML format for offline access.

    • Delete: Delete the sandbox submission to remove it from the listing when it is no longer required.

View Sandbox Report

You can view the detailed sandbox analysis report for a submitted artifact with a Success status. The report includes submission summary details such as Type, Sandbox Provider, Verdict, Sandboxed on, and Submitted by, along with detailed findings organized into the sections described below.

The report presents the following detailed analysis findings generated by the sandbox provider:

  • Environment: Displays information about the sandbox provider and analysis environment, providing context for interpreting the analysis results. For example, CAPE: Microsoft Windows 10 Pro.

  • Network: Lists any network activity observed during execution, such as contacted domains, IP addresses, or DNS queries, helping you identify external connections made by the artifact.

  • Dropped Files: Displays files created or downloaded by the submitted artifact during analysis.

  • Analysis: Displays detected signatures, MITRE techniques, and observed process activity to help you evaluate suspicious behavior and understand how the artifact operated during execution.

The report also lists the threat data identified during sandbox analysis. Each entry includes the following fields:

  • Type: The type of threat indicator or STIX object. For example, Attack Pattern.

  • Value: The extracted indicator or identifier associated with the object. For example, T1057.

  • Risk Score: The threat score associated with the IOC to indicate its risk level. This score is shown only if the object exists in Intel Exchange. If the object does not exist, click Create Intel to create a new object.

The report also lists the files generated or collected during sandbox analysis. You can select individual files or multiple files across categories and click Download ZIP to download them as a ZIP archive for offline analysis. The downloaded ZIP archive is password-protected; use the default password infected to extract it.

Note

This section is available only in Intel Exchange v3.7.6.2 and Collaborate v3.8.11.2 onwards. Artifacts that were sandboxed in previous versions and later upgraded will not support this functionality.

Supported Actions

You can perform the following actions from the sandbox report:

  • View Threat Data: View this report as a threat data object in Intel Exchange to access complete intelligence details, including related context, relations, enrichment details, and more. This option remains disabled until you create an intel object using Create Intel.

  • Create Intel: Generate threat intelligence from the analyzed data. For more information, see Create Intel from Sandbox.

  • Download: Download the sandbox report in HTML or PDF format for sharing or offline analysis.

Note

View Threat Data and Create Intel actions are only supported in Intel Exchange.

Verdict Types

After sandboxing, a verdict is generated to indicate the outcome of the analysis. The possible verdict types are:

  • Malicious: Confirms the presence of harmful behavior or known malicious indicators.

  • Suspicious: Indicates behavior that may be harmful but lacks definitive evidence.

  • Benign: Confirms the content is safe and does not exhibit malicious behavior.

  • Unknown: Indicates that a conclusive determination could not be made due to insufficient evidence or limited observed activity.

  • Not Applicable (N/A): Indicates that the analysis could not be completed.