Request Type: Question
Are there currently any examples / thoughts on how to deal with file extraction / unpacking upon submission? An example of this would be an extractor such as the EmlParser finding an attachment and returning that file somehow (maybe in the report base64'd, or a URL link to a filestore associated with Cortex). Other examples are Cuckoo returning a new file that has been dumped as an observable - how should these files be returned?
If analyzers are able to return extracted files, this could then lead to recursion of extraction. For example, a very simple zip extractor could extract files, detect their type and resubmit to those particular analyzers automatically. Going along with the EmlParser example: being able to automatically run IP analyzers against any IPs found in the eml. And the same with Cuckoo.
Has this already been considered? If so, what's the status? TIA!
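The extract-detect-resubmit loop described in the question, as an added example that is not part of the original issue or of Cortex's own code: it unpacks a submitted .eml, pulls IPs from the headers and attachments from the body, descends into zip attachments, and emits a list of artifacts in a dataType/data shape (an assumption loosely modelled on Cortex report output, not its exact schema). The analyzer names in ROUTES are hypothetical, the sample message is constructed inline, and the type sniffer is deliberately minimal. The two guards a practitioner would want when recursion is allowed are shown: a depth limit so a zip-in-zip-in-eml chain terminates, and per-member size and count caps so a zip bomb cannot inflate into the job queue.

```python
"""Recursive unpacking of a submission into analyzer artifacts, with recursion guards."""
import email
import hashlib
import io
import ipaddress
import re
import zipfile
from email import policy
from email.message import EmailMessage

MAX_DEPTH = 2                        # eml -> zip -> stop: bounds the extraction recursion
MAX_CHILDREN = 50                    # members examined per container
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # per extracted member, caps zip-bomb inflation
IPV4_RE = re.compile(r'(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])')
ROUTES = {  # hypothetical analyzer names keyed by detected type (assumption, not Cortex's list)
    'zip': ['Unpack_Zip'], 'eml': ['EmlParser'], 'pe': ['Cuckoo_File', 'VirusTotal_File'],
}


def sniff(data: bytes, filename: str) -> str:
    """Tiny content-based type detector; a real deployment would use libmagic."""
    if data[:4] == b'PK\x03\x04':
        return 'zip'
    if filename.lower().endswith('.eml') or b'MIME-Version:' in data[:4096]:
        return 'eml'
    if data[:2] == b'MZ':
        return 'pe'
    return 'unknown'


def file_artifact(name: str, payload: bytes, **extra) -> dict:
    """Assumed artifact shape: dataType/data plus free-form keys such as sha256 and parent."""
    art = {'dataType': 'file', 'data': name, 'sha256': hashlib.sha256(payload).hexdigest(),
           'size': len(payload), 'suggestedAnalyzers': ROUTES.get(sniff(payload, name), [])}
    art.update(extra)
    return art


def extract_ips(text: str) -> list:
    """Valid, routable-looking IPv4 literals; private-range filtering is left to site policy."""
    ips = set()
    for cand in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue
        if not (ip.is_loopback or ip.is_unspecified or ip.is_multicast):
            ips.add(str(ip))
    return sorted(ips)


def unpack(data: bytes, filename: str, depth: int = 0) -> list:
    """Artifacts found in `data`, descending into containers until MAX_DEPTH is reached."""
    kind = sniff(data, filename)
    arts = []
    if kind not in ('eml', 'zip'):
        return arts                      # leaf file: nothing further to unpack
    if depth >= MAX_DEPTH:               # container we refuse to open: record it, do not recurse
        arts.append({'dataType': 'other', 'data': f'{filename}: depth limit {MAX_DEPTH} reached, not unpacked'})
        return arts
    if kind == 'eml':
        msg = email.message_from_bytes(data, policy=policy.default)
        headers = '\n'.join(f'{k}: {v}' for k, v in msg.items())
        for ip in extract_ips(headers):  # Received: chain etc. become IP observables
            arts.append({'dataType': 'ip', 'data': ip, 'source': filename,
                         'suggestedAnalyzers': ['AbuseIPDB', 'MaxMind_GeoIP']})  # hypothetical names
        for part in msg.iter_attachments():
            name = part.get_filename() or 'unnamed'
            payload = part.get_payload(decode=True) or b''
            arts.append(file_artifact(name, payload, parent=filename))
            arts.extend(unpack(payload, name, depth + 1))
    else:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist()[:MAX_CHILDREN]:
                if info.is_dir():
                    continue
                with zf.open(info) as fh:                # bounded read: never trust header sizes
                    payload = fh.read(MAX_MEMBER_BYTES + 1)
                if len(payload) > MAX_MEMBER_BYTES:
                    arts.append({'dataType': 'other', 'data': f'{info.filename}: exceeds size cap, skipped'})
                    continue
                arts.append(file_artifact(info.filename, payload, parent=filename))
                arts.extend(unpack(payload, info.filename, depth + 1))
    return arts


def build_sample() -> bytes:
    """Constructed input: .eml carrying docs.zip, which holds a PE header stub and a nested zip."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, 'w') as zf:
        zf.writestr('notes.txt', 'hello')
    with zipfile.ZipFile(outer, 'w') as zf:
        zf.writestr('invoice.pdf.exe', b'MZ' + b'\x00' * 62)   # header bytes only, not a runnable binary
        zf.writestr('more.zip', inner.getvalue())
    msg = EmailMessage()
    msg['From'], msg['To'], msg['Subject'] = 'billing@example.test', 'victim@example.test', 'Invoice'
    msg['Received'] = 'from relay.example.test ([203.0.113.5]) by mx.example.test; Mon, 1 Jan 2024 00:00:00 +0000'
    msg.set_content('See attached.')
    msg.add_attachment(outer.getvalue(), maintype='application', subtype='zip', filename='docs.zip')
    return bytes(msg)


def run(data: bytes, filename: str) -> dict:
    """Group the flat artifact list by type so a caller can dispatch IPs and files separately."""
    arts = unpack(data, filename)
    return {'artifacts': arts,
            'ips': [a['data'] for a in arts if a['dataType'] == 'ip'],
            'files': [a['data'] for a in arts if a['dataType'] == 'file'],
            'notes': [a['data'] for a in arts if a['dataType'] == 'other']}
```

Running `run(build_sample(), 'submitted.eml')` yields one IP from the Received header, the three file artifacts docs.zip, invoice.pdf.exe and more.zip (each tagged with the analyzers its sniffed type routes to), and a note that more.zip sat at the depth limit and was recorded but not opened. Whatever orchestrator consumes this list is the piece that turns it into new analyzer jobs; the guards belong in the extractor so that an attacker-controlled attachment cannot dictate how much work gets queued.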