Sandbox
Use Sandbox to analyze suspicious files and URLs in isolated virtual environments. This enables the detection of malicious behavior, extraction of indicators, and generation of actionable threat intelligence without exposing live systems.
Before you Start
Ensure that your user group has the following permissions:
View Sandbox Records
Create Sandbox Records
Steps
To perform a sandbox analysis, follow these steps:
Go to the Main Menu and select Sandbox under Analysis.
In the Sandbox tab, choose one of the following submission types:
Upload File: Click the Drag & Drop or Browse area to select a file from your system. For more information on supported file formats and size limits, see Supported File Types and Size.
Enter URL: Paste the URL into the input field.
Provide the following details:
Community: The destination for your submission. Only private communities are currently supported, meaning access is limited to specific organizations or user groups.
Sandbox Provider: Select one of the following:
CAPE: Executes the file or URL in a Windows 10 virtual environment (win-10-build-19041).
Triage: Offers multiple environments, including Windows, Linux, and Android.
Note
The environments available during analysis depend on the type of file or URL submitted.
Internet Access: Choose whether the sandbox environment has internet connectivity. When enabled (default), the sample can connect to external servers, fetch payloads, and trigger behaviors that require internet access. Disable it to run the analysis in a fully isolated environment.
Click Submit.
After submission, the file or URL appears in the Sandbox listing table with the corresponding analysis status.
Supported Actions
After the analysis is complete, you can take the following actions:
View Reports: Review the results and behavioral analysis.
Download Report: Save the full report in HTML format for offline use.
Create Intel: Generate threat intelligence from the analyzed data. For more information, see Create Intel from Sandbox.
These actions help you quickly pivot from sandbox analysis to threat investigation and intelligence creation.
View Sandbox Submissions
The Sandbox table displays all your submissions with key information for quick reference. Each row includes the following details:
Field | Description |
---|---|
Title | Name of the submitted file or the full URL. |
Sandbox Provider | Sandbox engine and the selected virtual machine environment used for analysis. For example, CAPE – win-10-build-19041. |
Status | Indicates the current sandbox status: In Progress, Completed, or Failed. |
Malicious Score | Numerical score representing the threat level of the submitted file or URL. |
Verdict | Outcome of the analysis, such as Malicious, Suspicious, or Benign. |
Type | Type of submission: FILE or URL. |
Submitted By | Email ID of the user who submitted the artifact. |
Submitted On | Date and time when the analysis was completed. |
You can also search and sort records using filters and column headers to efficiently locate specific sandboxed records.
View Sandbox Report
Open any record whose status is Completed to view the sandbox report. It includes the following sections:
IOCs
This tab lists threat data identified during the analysis.
Field | Description |
---|---|
Type | Type of threat indicator or STIX object. For example, Attack Pattern, SHA256. |
Value | Extracted IOC value. For example, T1057, file hash. |
Risk Score | Threat score associated with the IOC, if available. |
You can view the full details of an IOC by opening the corresponding threat data object in the Threat Data module.
Analysis Report
This tab provides technical insights from the sandbox provider. The information is organized into the following sections:
Environment: Displays the provider name and the virtual machine used for analysis. For example, CAPE: Microsoft Windows 10 Pro.
Network: Lists any network activity observed during execution, such as contacted domains, IP addresses, or DNS queries.
Dropped Files: Shows files created or downloaded by the submitted sample during analysis.
Analysis: Includes detailed behavioral observations and technical logs captured during the execution.
Verdict Types
After a file or URL is sandboxed, a verdict is generated to indicate the outcome of the analysis. The following table lists the possible verdicts and their descriptions.
Verdict Types | Description |
---|---|
Malicious | Confirms the presence of harmful behavior or known malicious indicators. |
Suspicious | Indicates behavior that may be harmful but lacks definitive evidence. |
Benign | Confirms the content is safe and does not exhibit malicious behavior. |
Unknown | Indicates that a conclusive determination could not be made due to insufficient evidence or limited observed activity. |
Not Applicable | The analysis could not be completed or was skipped based on the configuration. |
Supported File Types and Size
Artifact Type | Supported Formats | Size |
---|---|---|
Files | .dll, .upx, .exe, .msi, .chm, .hta, .iqy, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pub, .pub2016, .zip, .one, .mht, .hwp, .ich, .inp, .pdf, .rtf, .slk, .swf, .html, .bat, .ps1, .js, .jse, .vbe, .pl, .py, .vbs, .wsf, .apk, .dex, .jar, .lnk, .url, .jnlp, .reg, .xslt, .xps. | 32 MB |
URLs | Must begin with | - |
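A submission that fails the extension or size rules above is rejected before any analysis runs, so it is worth checking samples locally first. The following Python script is an added example and is not part of the product or this documentation: it reproduces the extension list and the 32 MB limit from the table, computes the SHA256 that the IOCs tab later reports, and flags lure-style double extensions such as Invoice.PDF.exe. The byte value used for "32 MB" and the double-extension heuristic are the example's own assumptions, and the sample inputs are constructed, not real malware.

```python
import hashlib
import os
from dataclasses import dataclass, field

# Extensions from the Supported File Types and Size table, stored lowercase so
# the comparison is case-insensitive (INVOICE.EXE is treated like invoice.exe).
SUPPORTED_EXTENSIONS = frozenset({
    ".dll", ".upx", ".exe", ".msi", ".chm", ".hta", ".iqy", ".doc", ".docx",
    ".xls", ".xlsx", ".ppt", ".pptx", ".pub", ".pub2016", ".zip", ".one",
    ".mht", ".hwp", ".ich", ".inp", ".pdf", ".rtf", ".slk", ".swf", ".html",
    ".bat", ".ps1", ".js", ".jse", ".vbe", ".pl", ".py", ".vbs", ".wsf",
    ".apk", ".dex", ".jar", ".lnk", ".url", ".jnlp", ".reg", ".xslt", ".xps",
})

# 32 MB limit from the same table. Assumption: interpreted as 32 * 1024 * 1024
# bytes; the exact boundary the product enforces is not stated on the page.
MAX_SIZE_BYTES = 32 * 1024 * 1024


@dataclass
class PrecheckResult:
    name: str
    extension: str          # final extension, lowercased, e.g. ".exe"
    size_bytes: int
    sha256: str             # compare against the SHA256 IOCs in the finished report
    double_extension: bool  # e.g. "Invoice.PDF.exe": worth noting in the analyst's ticket
    reasons: list = field(default_factory=list)  # empty when the sample is accepted

    @property
    def accepted(self) -> bool:
        return not self.reasons


def precheck_bytes(name: str, data: bytes, max_size: int = MAX_SIZE_BYTES) -> PrecheckResult:
    """Check an in-memory sample against the extension list and the size limit."""
    base = os.path.basename(name)
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    # Heuristic (example's own): a supported extension hiding behind the real one
    # is lure naming. It does not block submission, but the analyst should know.
    double_ext = os.path.splitext(stem)[1].lower() in SUPPORTED_EXTENSIONS
    reasons = []
    if ext not in SUPPORTED_EXTENSIONS:
        reasons.append(f"extension {ext or '(none)'} is not in the supported list")
    if len(data) == 0:
        reasons.append("file is empty; nothing would execute in the sandbox")
    elif len(data) > max_size:
        reasons.append(f"size {len(data)} bytes exceeds the {max_size} byte limit")
    return PrecheckResult(base, ext, len(data), hashlib.sha256(data).hexdigest(),
                          double_ext, reasons)


def precheck_file(path: str, max_size: int = MAX_SIZE_BYTES) -> PrecheckResult:
    """Same check for a file on disk; reading it whole is fine at a 32 MB ceiling."""
    with open(path, "rb") as fh:
        return precheck_bytes(path, fh.read(), max_size)


if __name__ == "__main__":
    # Constructed samples: a tiny MZ-header stub, a plain text file, an empty DLL.
    samples = [
        ("Invoice.PDF.exe", b"MZ" + b"\0" * 62),
        ("notes.txt", b"hello"),
        ("empty.dll", b""),
    ]
    for sample_name, payload in samples:
        result = precheck_bytes(sample_name, payload)
        state = "accepted" if result.accepted else "rejected"
        flag = " (double extension)" if result.double_extension else ""
        print(f"{sample_name}: {state}{flag} sha256={result.sha256[:16]}... {result.reasons}")
```

Run it against a directory of collected samples with `precheck_file` before uploading; the SHA256 it prints lets you match the record in the Sandbox table to the SHA256 entries in the IOCs tab once the verdict comes back, and an empty or oversized file is caught without wasting a sandbox run.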