Details
Content
Dependencies
Version History

ThreatZone malware analysis sandboxing

ThreatZone Cortex XSOAR Integration Pack

Threat.Zone enrichments are adaptable and can seamlessly integrate into various playbooks, such as sandbox, static-scan, and CDR playbooks, along with incidents and related files marked as indicators for threat intelligence. The integration now supports URL submissions, granular report retrieval, and richer plan metadata coverage.

Supported commands

tz-sandbox-upload-sample — submit files for dynamic analysis with optional module toggles and execution controls.
tz-static-upload-sample — perform static analysis of files without executing them in the sandbox.
tz-cdr-upload-sample — sanitize files using ThreatZone CDR workflows.
tz-url-analysis — submit URLs for detonation and reputation assessment.
tz-get-result — retrieve the submission verdict alongside the raw ThreatZone response payload.
tz-get-indicator-result — retrieve dynamic behaviour indicators via the dedicated endpoint.
tz-get-ioc-result — retrieve Indicators of Compromise for a submission using the dedicated API endpoint.
tz-get-yara-result — retrieve matched YARA rules using the dedicated API endpoint.
tz-get-artifact-result — retrieve analysis artifacts generated during execution.
tz-get-config-result — retrieve configuration extractor results exposed by ThreatZone.
tz-get-sanitized — download the sanitized artifact generated during CDR processing.
tz-download-html-report — fetch the rendered HTML report for a submission.
tz-check-limits — inspect current plan quotas, enabled modules, and workspace metadata.

Use tz-get-result details=true to embed inline sections in the readable output, or call the dedicated commands when you need the enriched objects in context.

Ready-to-Use Playbooks

Analyze File - Sandbox - ThreatZone
Analyze File - Static Scan - ThreatZone
Sanitize File - CDR - ThreatZone
Analyze URL - ThreatZone

ThreatZone Cortex Integration Pack

Supported commands

tz-sandbox-upload-sample — submit files for dynamic analysis with optional module toggles and execution controls.
tz-static-upload-sample — perform static analysis of files without executing them in the sandbox.
tz-cdr-upload-sample — sanitize files using ThreatZone CDR workflows.
tz-url-analysis — submit URLs for detonation and reputation assessment.
tz-get-result — retrieve the submission verdict alongside the raw ThreatZone response payload.
tz-get-indicator-result — retrieve dynamic behaviour indicators via the dedicated endpoint.
tz-get-ioc-result — retrieve Indicators of Compromise for a submission using the dedicated API endpoint.
tz-get-yara-result — retrieve matched YARA rules using the dedicated API endpoint.
tz-get-artifact-result — retrieve analysis artifacts generated during execution.
tz-get-config-result — retrieve configuration extractor results exposed by ThreatZone.
tz-get-sanitized — download the sanitized artifact generated during CDR processing.
tz-download-html-report — fetch the rendered HTML report for a submission.
tz-check-limits — inspect current plan quotas, enabled modules, and workspace metadata.

Use tz-get-result details=true to embed inline sections in the readable output, or call the dedicated commands when you need the enriched objects in context.

Ready-to-Use Playbooks

Analyze File - Sandbox - ThreatZone
Analyze File - Static Scan - ThreatZone
Sanitize File - CDR - ThreatZone
Analyze URL - ThreatZone

Integrations

Name	Description
ThreatZone (Partner Contribution)	ThreatZone malware analysis sandboxing.

Playbooks

Name	Description
Sanitize File - CDR - ThreatZone	Sanitize one file using the ThreatZone CDR integration. Returns relevant reports to the War Room and file reputations to the context data. CDR Scan Extensions: doc, docm, docx, dotm, ppt, pptm, pptx, xls, xlsm, pdf, odc, odt, ott, odp, otp, ods, ots, rtf, tiff, jpeg, png, gif, bmp, webp, jpx, svg, zip, xml, ics, html, lnk, xlsx.
Analyze File - Static Scan - ThreatZone	Analyzes one file using the ThreatZone static scan integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported.
Sanitize File - CDR - ThreatZone v2	Sanitize one file using the ThreatZone CDR integration. Returns relevant reports to the War Room and file reputations to the context data. CDR Scan Extensions: doc, docm, docx, dotm, ppt, pptm, pptx, xls, xlsm, pdf, odc, odt, ott, odp, otp, ods, ots, rtf, tiff, jpeg, png, gif, bmp, webp, jpx, svg, zip, xml, ics, html, lnk, xlsx.
Analyze File - Static Scan - ThreatZone v2	Analyzes one file using the ThreatZone static scan integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported.
Analyze File - Sandbox - ThreatZone v2	Analyzes one file using the ThreatZone sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. Dynamic Scan Extensions: exe, docx, dochtml, docm, doc, rtf, ps1, bat, cmd, xlw, xltx, xltm, xls, xlsx, odc, csv, xlshtml.
Analyze File - Sandbox - ThreatZone	Analyzes one file using the ThreatZone sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. Dynamic Scan Extensions: exe, docx, dochtml, docm, doc, rtf, ps1, bat, cmd, xlw, xltx, xltm, xls, xlsx, odc, csv, xlshtml.

Integrations

Name	Description
ThreatZone (Partner Contribution)	ThreatZone malware analysis sandboxing.

Playbooks

Name	Description
Sanitize File - CDR - ThreatZone	Sanitize one file using the ThreatZone CDR integration. Returns relevant reports to the War Room and file reputations to the context data. CDR Scan Extensions: doc, docm, docx, dotm, ppt, pptm, pptx, xls, xlsm, pdf, odc, odt, ott, odp, otp, ods, ots, rtf, tiff, jpeg, png, gif, bmp, webp, jpx, svg, zip, xml, ics, html, lnk, xlsx.
Analyze File - Sandbox - ThreatZone v2	Analyzes one file using the ThreatZone sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. Dynamic Scan Extensions: exe, docx, dochtml, docm, doc, rtf, ps1, bat, cmd, xlw, xltx, xltm, xls, xlsx, odc, csv, xlshtml.
Analyze File - Static Scan - ThreatZone	Analyzes one file using the ThreatZone static scan integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported.
Sanitize File - CDR - ThreatZone v2	Sanitize one file using the ThreatZone CDR integration. Returns relevant reports to the War Room and file reputations to the context data. CDR Scan Extensions: doc, docm, docx, dotm, ppt, pptm, pptx, xls, xlsm, pdf, odc, odt, ott, odp, otp, ods, ots, rtf, tiff, jpeg, png, gif, bmp, webp, jpx, svg, zip, xml, ics, html, lnk, xlsx.
Analyze File - Static Scan - ThreatZone v2	Analyzes one file using the ThreatZone static scan integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported.
Analyze File - Sandbox - ThreatZone	Analyzes one file using the ThreatZone sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. Dynamic Scan Extensions: exe, docx, dochtml, docm, doc, rtf, ps1, bat, cmd, xlw, xltx, xltm, xls, xlsx, odc, csv, xlshtml.

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (7)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

2.0.0 - 6920594 (January 28, 2026)

Integrations

ThreatZone

Context outputs now include the ThreatZone.Submission.* structure while preserving legacy ThreatZone.Analysis.* and ThreatZone.IOC.* paths for backward compatibility also new v2 playbooks are available for the ThreatZone.Submission.* outputs.
Added URL detonation support via the tz-url-analysis command, including reporting helpers and HTML report download.
Expanded sandbox submission options with module toggles, analyze config overrides, archive entrypoint/password handling, and auto environment selection.
Introduced dedicated commands to retrieve submission sections (tz-get-indicator-result, tz-get-ioc-result, tz-get-yara-result, tz-get-artifact-result, tz-get-config-result) to fetch granular submission data.
Enhanced tz-get-result formatting: returns the raw submission payload by default, with an optional details=true flag to embed inline detail summaries.
Added a download_sanitized flag to tz-get-result so CDR runs can fetch sanitized files on demand, and ensured the standalone tz-get-sanitized command retrieves files directly.
Improved plan metadata returned by tz-check-limits (includes file size limits, modules, and account information).
Introduced the Analyze URL - ThreatZone playbook to automate URL detonation workflows.
Updated integration documentation, playbooks, and helper scripts to match the new API capabilities.

Playbooks

Analyze File - Sandbox - ThreatZone

Documentation and metadata improvements..

New: Analyze File - Sandbox - ThreatZone v2

Analyzes one file using the ThreatZone sandbox integration.
Returns relevant reports to the War Room and file reputations to the context data.
Dynamic Scan Extensions: exe, docx, dochtml, docm, doc, rtf, ps1, bat, cmd, xlw, xltx, xltm, xls, xlsx, odc, csv, xlshtml.

Analyze File - Static Scan - ThreatZone

Documentation and metadata improvements.

New: Analyze File - Static Scan - ThreatZone v2

Analyzes one file using the ThreatZone static scan integration.
Returns relevant reports to the War Room and file reputations to the context data.
All file types are supported.

Sanitize File - CDR - ThreatZone

Documentation and metadata improvements..

New: Sanitize File - CDR - ThreatZone v2

Sanitize one file using the ThreatZone CDR integration.
Returns relevant reports to the War Room and file reputations to the context data.
CDR Scan Extensions: doc, docm, docx, dotm, ppt, pptm, pptx, xls, xlsm, pdf, odc, odt, ott, odp, otp, ods, ots, rtf, tiff, jpeg, png, gif, bmp, webp, jpx, svg, zip, xml, ics, html, lnk, xlsx.

Documentation and metadata improvements.

Related pull requests:
- 42826
- 41998

Download

1.0.8 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.0.7 - 4770511 (September 4, 2025)

Integrations

ThreatZone

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

1.0.6 - R3474673 (May 20, 2025)

Integrations

ThreatZone

Metadata and documentation improvements.

Related pull requests:
- 39225

Download

1.0.5 - 1970497 (January 12, 2025)

Integrations

ThreatZone

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 38086

Download

2.0.0 - 6920581 (January 28, 2026)

Integrations

ThreatZone

Context outputs now include the ThreatZone.Submission.* structure while preserving legacy ThreatZone.Analysis.* and ThreatZone.IOC.* paths for backward compatibility also new v2 playbooks are available for the ThreatZone.Submission.* outputs.
Added URL detonation support via the tz-url-analysis command, including reporting helpers and HTML report download.
Expanded sandbox submission options with module toggles, analyze config overrides, archive entrypoint/password handling, and auto environment selection.
Introduced dedicated commands to retrieve submission sections (tz-get-indicator-result, tz-get-ioc-result, tz-get-yara-result, tz-get-artifact-result, tz-get-config-result) to fetch granular submission data.
Enhanced tz-get-result formatting: returns the raw submission payload by default, with an optional details=true flag to embed inline detail summaries.
Added a download_sanitized flag to tz-get-result so CDR runs can fetch sanitized files on demand, and ensured the standalone tz-get-sanitized command retrieves files directly.
Improved plan metadata returned by tz-check-limits (includes file size limits, modules, and account information).
Introduced the Analyze URL - ThreatZone playbook to automate URL detonation workflows.
Updated integration documentation, playbooks, and helper scripts to match the new API capabilities.

Playbooks

Analyze File - Sandbox - ThreatZone

Documentation and metadata improvements..

New: Analyze File - Sandbox - ThreatZone v2

Analyze File - Static Scan - ThreatZone

Documentation and metadata improvements.

New: Analyze File - Static Scan - ThreatZone v2

Analyzes one file using the ThreatZone static scan integration.
Returns relevant reports to the War Room and file reputations to the context data.
All file types are supported.

Sanitize File - CDR - ThreatZone

Documentation and metadata improvements..

New: Sanitize File - CDR - ThreatZone v2

Documentation and metadata improvements.

Related pull requests:
- 42826
- 41998

Download

1.0.8 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.0.7 - 4761438 (September 4, 2025)

Integrations

ThreatZone

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

1.0.6 - R3474673 (May 20, 2025)

Integrations

ThreatZone

Metadata and documentation improvements.

Related pull requests:
- 39225

Download

1.0.5 - 1970497 (January 12, 2025)

Integrations

ThreatZone

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 38086

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	October 23, 2023
Last Release	January 28, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.