Key Concepts

Sample

A file that may or may not be malicious. A sample can be uploaded and downloaded via the API if the user has the appropriate access.

See the samples section for a description of the available API endpoints and how to use them.

Classification

A classification contains basic information about the sample, such as file type, size, mime type, and platform. A sample is automatically classified after it is uploaded. The classification information is exposed when fetching sample metadata.

Analysis

The data produced from an analysis of a sample. An analysis can contain, for example, specific characteristics observed while executing the sample, such as network traffic, loaded libraries, or other things.

See the analysis section for a description of the available API endpoints and how to use them.

Evidence

An entity added to an analysis. An evidence entry can contain information such as mime type and other data resulting from the analysis.

See the evidence section for a description of the available API endpoints and how to use them.

Link

An entity used to indicate a relationship between samples. If, for example, a sample downloads or loads another sample, the two samples have a relationship of that given type.

See the link section below for a description of the available API endpoints and how to use them.

Submission

A recorded event of a sample spotted in the wild. This is typically submitted by a customer that has spotted a sample on their network in some way. A submission contains information such as the file name, the mime type of the sample, and the timestamp when it was discovered.

See the submission section for a description of the available API endpoints and how to use them.

Challenge

A challenge the user must solve in order to prove that they possess a given sample. The challenge solution is used when adding a sample submission.

See the challenge section for a description of the available API endpoints and how to use them.

Job

A job represents the analysis of a sample and is used to track its progress. On its own it holds no analysis results or verdicts, but contains information such as when an analysis job was started and completed, and whether it failed or not. A job also contains one or more job tasks.

See the job section for a description of the available API endpoints and how to use them.

Job task

A job task is always part of a job. A job task represents the progress and outcome of a single analysis step of a sample, typically an analysis worker. It contains information such as when the worker started and completed, whether it failed or not, and a reference to the analysis result (if it completed successfully).

See the job task section for a description of the available API endpoints and how to use them.

Verdict

A verdict contains an assessment of the sample, such as whether or not it is malicious. The verdict is created automatically based on analysis results as part of an analysis job. A verdict can also be added manually by using the add verdict API endpoint.

See the verdict section for a description of the available API endpoints and how to use them.

Analysis Worker

An Analysis Worker is responsible for doing analysis on a submission. The analysis worker then generates and returns an analysis result.

See the analysis worker section for a description of the available API endpoints and how to use them.

Analysis Policy

An Analysis Policy specifies which analysis workers are executed and what options are sent to the analysis workers (e.g. allow internet access). The standard policy will be used if there are no custom analysis rules.

See the analysis policy section for a description of the available API endpoints and how to use them.

Analysis Rule

An Analysis Rule is a custom rule that refines the default policy. A custom rule can be matched by customer, classification type/superType or submission metadata. These are special rules that will override the default analysis policy.

See the analysis rule section for a description of the available API endpoints and how to use them.