Threat Prevention API query not detecting uploaded...

mateus_cruz · ‎2023-11-21

Hello,

I have been trying to query for pdf files that have been uploaded to the threat emulation/threat prevention API. Success messages are given when uploading the file all times, but when I try to use the query endpoint (https://192.168.68.111:18194/tecloud/api/v1/file/query) the file ends up as being "NOT_FOUND". When I upload the file and query right away for it it seems to be pending as it should in the queue while in the emulation process but right after a few moments it shows as NOT_FOUND. Why can't I find the file which I uploaded?

{
"response" : [
{
"features" : [ "te" ],
"md5" : "8e03693af6178f0a3a99ccf0242f15ac",
"sha1" : "ffb15a651523794c466ba791dc07e1bdfc858fb1",
"sha256" : "207f9a03b36c48c14f41d7a65067fcc5ba42c092",
"status" : {
"code" : 1003,
"label" : "PENDING",
"message" : "File is pending"
},
"te" : {
"images" : [
{
"id" : "e50e99f3-5963-4573-af9e-e3f4750b55e2",
"report" : {
"verdict" : "unknown"
},
"revision" : 1,
"status" : "pending"
}
],
"status" : {
"code" : 1003,
"label" : "PENDING",
"message" : "File is pending"
}
}
}
]
}

obs: I have been using a local appliance/vm for testing, so there has been no use of the cloud version of threat prevention nor the intent to do so.

Here is my file upload request and response:

REQUEST....

curl --insecure -X POST --location 'https://192.168.68.111:18194/tecloud/api/v1/file/upload' \
--header 'Content-Type: multipart/form-data' \
-F 'request={
"request":[
{
"features": ["te"],
"md5" : "8e03693af6178f0a3a99ccf0242f15ac",
"sha1" : "ffb15a651523794c466ba791dc07e1bdfc858fb1",
"sha256" : "207f9a03b36c48c14f41d7a65067fcc5ba42c092",

"file_name":"test.pdf",
"te":{
"return_errors": true,
"version_info": true,
"images": [
{
"id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
"revision":1
}
]
}
}
]
}' \
-F 'file=@/home/blueguara/Downloads/test.pdf' \
-k

RESPONSE ...

{
"response" : [
{
"features" : [ "te" ],
"file_name" : "test.pdf",
"file_type" : "pdf",
"md5" : "8e03693af6178f0a3a99ccf0242f15ac",
"sha1" : "ffb15a651523794c466ba791dc07e1bdfc858fb1",
"sha256" : "207f9a03b36c48c14f41d7a65067fcc5ba42c092c89fa5a027882e04f807204a",
"status" : {
"code" : 1002,
"label" : "UPLOAD_SUCCESS",
"message" : "The file was uploaded successfully"
},
"te" : {
"images" : [
{
"id" : "e50e99f3-5963-4573-af9e-e3f4750b55e2",
"report" : {
"verdict" : "unknown"
},
"revision" : 1,
"status" : "not_found"
}
],
"status" : {
"code" : 1002,
"label" : "UPLOAD_SUCCESS",
"message" : "The file was uploaded successfully"
}
}
}
]
}

Here are the request and response after looking for this same file in the query endpoint.

REQUEST ....

curl --location 'https://192.168.68.111:18194/tecloud/api/v1/file/query' \
--header 'Authorization: 9HFAI55GyFSILSEUSVHM8NhfV6zyCbPI' \
--header 'Content-Type: application/json' \
--data '{
"request":[
{
"features": [ "te" ],
"md5" : "8e03693af6178f0a3a99ccf0242f15ac",
"sha1" : "ffb15a651523794c466ba791dc07e1bdfc858fb1",
"sha256" : "207f9a03b36c48c14f41d7a65067fcc5ba42c092",
"te": {
"reports": [ "pdf" ],
"images": [
{
"id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
"revision":1
}
]
}
}
]
}' -k

RESPONSE...

{
"response" : [
{
"features" : [ "te" ],
"md5" : "8e03693af6178f0a3a99ccf0242f15ac",
"sha1" : "ffb15a651523794c466ba791dc07e1bdfc858fb1",
"sha256" : "207f9a03b36c48c14f41d7a65067fcc5ba42c092",
"status" : {
"code" : 1004,
"label" : "NOT_FOUND",
"message" : "Couldn't find the requested file, please upload it"
},
"te" : {
"images" : [
{
"id" : "e50e99f3-5963-4573-af9e-e3f4750b55e2",
"report" : {
"verdict" : "unknown"
},
"revision" : 1,
"status" : "not_found"
}
],
"status" : {
"code" : 1004,
"label" : "NOT_FOUND",
"message" : "Couldn't find the requested file, please upload it"
}
}
}
]
}

Are you a member of CheckMates?

Threat Prevention API query not detecting uploaded pdf file