Joe Security Sandbox
Joe Security Sandbox automates malware analysis, providing detailed insights into file and URL behavior to aid in threat detection and response.

Joe Security Sandbox is a robust malware analysis service that provides automated, deep analysis of suspicious files and URLs. This connector enables Swimlane Turbine users to submit files or URLs for analysis, retrieve detailed reports, and download specific resources such as full reports or dropped binaries. By integrating with Joe Security Sandbox, security teams can enhance their incident response capabilities with automated malware investigations, enriching their security playbooks with actionable intelligence and reducing manual analysis efforts.

## Prerequisites

To effectively utilize the Joe Security Sandbox connector within Swimlane Turbine, ensure you have the following:

- Joe Security Joe Sandbox API authentication with the necessary parameter:
  - API key: your unique identifier to authenticate requests to Joe Security Sandbox.

## Capabilities

The connector provides the following capabilities:

- Submit file or URL
- Get analysis
- Search analyses
- Download resource analysis

## Capabilities notes

### Download resource

The following table details all available values for the resource type according to the [v2 API docs](https://jbxcloud.joesecurity.org/userguide?sphinxurl=usage/webapi.html#v2-analysis-download).

| Report category | Values |
| --- | --- |
| Human-readable reports | html, lighthtml, executive, pdf, classhtml |
| XML | xml, lightxml, classxml, clusterxml, irxml |
| JSON | json, jsonfixed, lightjson, lightjsonfixed, irjson, irjsonfixed |
| Other | shoots (screenshots), ishots (interesting screen shots), maec, misp, stix, graphreports, memstrings, binstrings, sample, cookbook, bins (dropped files), unpackpe (unpacked PE files), unpack, ida, pcap, pcapslim, memdumps, yara, functionlogs, powershelllogs, eventlogs, classsightml |

## Configurations

### Joe Security Joe Sandbox API key authentication

Joe Security Joe Sandbox API authentication.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| api_key | Joe Security Joe Sandbox API key | string | Required |
| host | The hostname of the Joe Sandbox instance if it is on-prem. Defaults to cloud URL. | string | Optional |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Download report resource

Retrieve a specific resource such as the full report or dropped binaries from a Joe Security Sandbox report, requiring webid and type.

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| webid | number | Required | Unique identifier |
| run | number | Optional | Parameter for Download Report Resource |
| type | string | Required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| file | array | Output field file |
| file | string | Output field file |
| file_name | string | Name of the resource |

#### Example

```json
[
  {
    "file": []
  }
]
```

### Get analysis

Retrieve detailed analysis for a specific submission in Joe Security Sandbox using the submission id.

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| submission_id | string | Required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| submission_id | string | Unique identifier |
| name | string | Name of the resource |
| status | string | Status value |
| time | string | Time value |
| most_relevant_analysis | object | Output field most_relevant_analysis |
| webid | string | Unique identifier |
| detection | string | Output field detection |
| score | number | Score value |
| analyses | array | Output field analyses |
| webid | string | Unique identifier |
| time | string | Time value |
| runs | array | Output field runs |
| detection | string | Output field detection |
| error | object | Error message if any |
| system | string | Output field system |
| yara | boolean | Output field yara |
| tags | array | Output field tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| analysisid | string | Unique identifier |
| duration | number | Output field duration |
| md5 | string | Output field md5 |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| filename | string | Name of the resource |

#### Example

```json
[
  {
    "json_body": {
      "submission_id": "140",
      "name": "sample.exe",
      "status": "finished",
      "time": "2019-04-15T08:05:05+00:00",
      "most_relevant_analysis": {},
      "analyses": []
    }
  }
]
```

### Submit file

Submits a file sample to Joe Security Sandbox for analysis, requiring an attachment as input.

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | array | Required | File to be submitted |
| file | string | Required | Parameter for Submit File |
| file_name | string | Required | Name of the resource |
| params | object | Optional | Customize the sandbox parameters. They are described in more detail in the default submission parameters. |
| cookbook | array | Optional | Cookbook to be used |
| file | string | Required | Parameter for Submit File |
| file_name | string | Required | Name of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| submission_id | string | Unique identifier |

#### Example

```json
[
  {
    "json_body": {
      "submission_id": "140"
    }
  }
]
```

### Submit URL

Submits a URL to Joe Security Sandbox for comprehensive analysis and returns the analysis results.

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| url | string | Required | URL endpoint for the request |
| params | object | Optional | Customize the sandbox parameters. They are described in more detail in the default submission parameters. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| submission_id | string | Unique identifier |

#### Example

```json
[
  {
    "json_body": {
      "submission_id": "140"
    }
  }
]
```

## Notes

The submission id is only available through the integration; the id shown in the browser is not the submission id.
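
When chaining these actions in a playbook, the download action needs a webid taken from the Get Analysis result, not the submission id. The helper below is an added example, not Swimlane or Joe Security code: it turns a Get Analysis result into validated Download Report Resource inputs. The underscore key names (`json_body`, `most_relevant_analysis`), the `running` status value, the sample payloads and the name `build_download_input` are assumptions made for illustration.

```python
# Added example, not connector code. Key names assume the underscore forms
# (json_body, most_relevant_analysis) of the fields documented on this page.
RESOURCE_TYPES = frozenset("""
    html lighthtml executive pdf classhtml
    xml lightxml classxml clusterxml irxml
    json jsonfixed lightjson lightjsonfixed irjson irjsonfixed
    shoots ishots maec misp stix graphreports memstrings binstrings sample
    cookbook bins unpackpe unpack ida pcap pcapslim memdumps yara
    functionlogs powershelllogs eventlogs classsightml
""".split())


def build_download_input(get_analysis_output, resource_type, run=None):
    """Map a Get Analysis result to Download Report Resource inputs.

    Returns None while the submission is unfinished so the playbook can
    poll again; raises on input that would make the download call fail.
    """
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unknown resource type: {resource_type!r}")
    body = get_analysis_output[0]["json_body"]
    if body.get("status") != "finished":
        return None
    # Prefer the analysis the sandbox marked most relevant; otherwise fall
    # back to the first entry in "analyses" that carries a webid.
    candidates = [body.get("most_relevant_analysis") or {}]
    candidates += body.get("analyses") or []
    webid = next((a["webid"] for a in candidates if a.get("webid")), None)
    if webid is None:
        raise LookupError(f"submission {body.get('submission_id')} has no webid")
    # Get Analysis reports webid as a string; the download action wants a number.
    inputs = {"webid": int(webid), "type": resource_type}
    if run is not None:
        inputs["run"] = int(run)
    return inputs


# Constructed sample payloads in the documented output shape.
PENDING = [{"json_body": {"submission_id": "140", "status": "running",
                          "most_relevant_analysis": {}, "analyses": []}}]
FINISHED = [{"json_body": {
    "submission_id": "140", "name": "sample.exe", "status": "finished",
    "most_relevant_analysis": {"webid": "1001", "detection": "malicious",
                               "score": 88},
    "analyses": [{"webid": "1001"}, {"webid": "1002"}]}}]

if __name__ == "__main__":
    print(build_download_input(PENDING, "pdf"))
    print(build_download_input(FINISHED, "bins"))
```

Rejecting an unknown resource type before the call keeps a typo in a playbook from surfacing as an opaque API error during an investigation.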