Integration Details

ThreatQuotient provides the following details for this integration:

Current Integration Version	1.0.0
Compatible with ThreatQ Versions	>= 3.6.0
Support Tier	ThreatQ Supported

Introduction

The Broadcom Content Analysis and Sandboxing (CAS) operation allows a ThreatQ user to submit files to Broadcom's Content Analysis System. You can either submit a file to Broadcom CAS, which will give you scan and reputation information or you can submit a file directly to the sandbox (Bluecoat), which will return a risk score and other sandbox details. The operation can then be used to retrieve PDF reports from Broadcom CAS.

The operation provides the following actions:

• Scan - scans a file by sending it to CAS. A report will be returned to the operation window and a PDF report will be uploaded to ThreatQ and related to the sample.
• Sandbox - sends a file or attachment to CAS Sandbox.

This operation was formerly known as Symantec Content Analysis System (CAS) operation. 

Installation

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Operation option from the Type dropdown (optional).
3. Click on the integration entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   Parameter	Description
   Host URL	The Host or IP of your CAS instance.
   API Token	Your API token from CAS.
   MAA Host URL	The Host or IP of your MAA instance. This host may be the same as your CAS instance. This is an option in case your MAA appliance is different than your CAS instance.
   MAA API Token	Your API token from MAA. This token may be the same as your CAS token.
   Username	The user's username to use as an "owner" for the samples.

5. Review any additional settings, make any changes if needed, and click on Save.
6. Click on the toggle switch, located above the Additional Information section, to enable it.

Actions

The operation provides the following actions:

Action	Description	Object Type	Object Subtype
Scan	Scans a file by sending it to CAS. A report will be returned to the operation window and a PDF report will be uploaded to ThreatQ and related to the sample.	File	N/A
Sandbox	Sends a file or attachment to CAS Sandbox.	File	N/A

Scan

The Scan action action allows you to scan a file by sending it to CAS. A report will be returned to the operation window and a PDF report will be uploaded to ThreatQ and related to the sample.

The following fields/sections parsed from the Scan action are supported:

• File Reputation
• Cylance
• Policy
• Symantec
• Sophos
• Last Line
• Fire Eye
• Kaspersky
• Malware Analysis
• Cloud Sandboxing
• Score
• MD5/SHA-1/SHA-256
• User Hash List

Action Parameters

The Scan action offers the following configuration parameters:

Parameter	Description
Sensitivity Level	This controls the threshold and aggressiveness at which Advanced Machine Learning (AML) file blocking occurs. With a high detection sensitivity, AML will be aggressive in its determination of whether a file may be a threat, at the risk of blocking files that may not actually be malicious. With a lower sensitivity, AML will block fewer files, but with a risk of some threats not being detected.
Response Wait Timeout	The amount of time (in milliseconds) to wait for a scan to be finished. This option can be ignored, as it is just informing the user that the operation may take more than 30 seconds to run, depending on the scan. The operation runs synchronously with CAS, and waits for the scan to be finished.

Sandbox

The Sandbox action allows a user to send a file or attachment to CAS's Sandbox (known as MAA). This action will upload the sample and then create a task for that sample. The Task ID will be stored in the ThreatQ Object's attributes, so that you can query for the reports later

Action Parameters

The Scan action offers the following configuration parameters:

Parameter	Description
Sandbox Environment	his option allows a user to change the type of sandbox environment to use. By default, this is set to sbx, which is a simulated windows environment.
IVM Profile Name	Enter in your IVM profile name if you have selected ivm as the sandbox environment.
Priority	Set the priority of the sandbox task. The default setting is Medium.
Description	Give the sample a description.
Sample Label	Set the sample a label.  This field is optional.
Filename	The file name can be overridden here and new sample's filename given.
File Extension	Override a sample's file extension.
Execution Arguments	Override a tasks' execution arguments.
Resubmit the Sample	If this is set to Yes, the operation will submit the sample to the sandbox even if has already submitted it. Setting this to No will prevent samples from being resubmitted (if already submitted)

Known Issues / Limitations

• If a returned result says None, this means the response timed out. This is a limitation of the Broadcom CAS API endpoint, not the operation. This does not mean that the file was not scanned. The file will still be scanned and if it is deemed malicious, it will show up as a threat within Broadcom CAS. Increasing the Response Wait Time parameter may fix the issue, but it is not a guarantee.
• This action waits for Broadcom to return scanning results, so running this action may take more than 30 seconds. We cannot save a scan ID and fetch the results later because the Broadcom CAS API does not provide us with the required endpoints for that.
• The results of this action are not always consistent. For instance, sometimes a scan may return results from Kaspersky. If scanned again, Kaspersky results are not guaranteed to be returned. This is not a limitation of the operation, but rather, of the Broadcom CAS API.

Change Log

• Version 1.0.0
  • Initial release