Overview
Read about the basics of File Intel
Quick View
| What it does | Retrieves intelligence data for submitted file hashes |
| Supported Languages | |
| Capabilities |
|
| Supported Providers |
What is the File Intel service?
The File Intel service enables you to submit a file’s hash and get the file’s attributes back. Different security providers specialize in collecting file intelligence that provides a file's disposition, ranging from malicious file objects (malware, ransomware, trojan horses, spyware, adware) to good file objects (operating system files, known third party software packages).
Why use the File Intel service?
Pangea serves intelligence data from third party providers, normalizing response data, to help you quickly identify malicious files. All of this happens through a unified API and SDK - with no contracts or direct integrations to the provider required.
For example, if you set ReversingLabs as the provider, you’ll receive a standard verdict that can be easily interpreted in the API response. Armed with this information, you might choose to immediately delete or quarantine a file, send it to your security team, and/or search for any other instances of the file in your environment.
Use Cases
The File Intel API can be embedded directly into your cloud app to determine if file objects are known to be malicious. Common use cases include:
- Determining if a file uploaded by a customer is known to be malicious before it’s opened or shared with others
- Integrating File Intel into your SOAR or threat intelligence platform
- Scanning third party objects in your software build pipeline to identify malicious objects
- Discovering malicious objects in third party software that you may be utilizing before installing
Using multiple Pangea services
The File Intel service provides data on known files that have been previously seen, NOT new or unknown file objects that were not previously analyzed. To determine the disposition of new unknown file objects, use the File Scan service (coming soon!). File Scan performs a real-time scan of the file object and returns a disposition based on an in-depth analysis.
For example, you might use the File Intel service for a hash reputation lookup to determine if a file is known. If no results are found, then perform a real-time scan of the object with the File Scan service. The reason to use File Intel before File Scan is because of performance reasons, as the request to submit a file hash to File Intel is small (SHA256 being 32 bytes) while File Scan requires the entire file object to be sent (many MB or even GB).
Was this article helpful?