
Joe Security Sandbox


Joe Sandbox is a multi-technology platform that uses instrumentation, simulation, hardware virtualization, and hybrid and graph (static and dynamic) analysis. Rather than focusing on one technology, Joe Sandbox combines the best parts of multiple techniques. This enables deep analysis, excellent detection, and strong evasion resistance.

Connect Joe Security Sandbox with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Joe Security Sandbox.

  3. Click Details, then the + icon. Enter the required information in the following fields:

     • Label: Enter a connection name.

     • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

     • Verify SSL: Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate).

     • Remote Agent: Run this integration using the Devo SOAR Remote Agent.

     • API Key: API key for Joe Security Sandbox.

     • URL (Optional. Leave Empty For Default): URL to your Joe Security Sandbox instance. Default is https://jbxcloud.joesecurity.org/api.

     • ACCEPT JOE SANDBOX CLOUD TERMS AND CONDITIONS: Accept the Terms and Conditions of Joe Sandbox Cloud (https://jbxcloud.joesecurity.org/download/termsandconditions.pdf). This is required if you are using 'Joe Sandbox Cloud'.

  4. After you've entered all the details, click Connect.

Actions for JoeSecurity Sandbox

Analysis Info

Show information about analysis.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| WEB ID COLUMN NAME | Column name from parent table that contains web id. This ID identifies an analysis. | Required |

Output

The analysis results in JSON format.

Submit File

Submit a file to JoeSecurity Sandbox for analysis.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| File ID Column Name | Column name from parent table that contains file id to be submitted. | Required |
| Comment Column Name | Column name from parent table that contains comment for the analysis. | Required |
| System | Select Server System to run analysis on. | Required |
| Should Wait | Should the command wait for the result of the analysis. | Required |
| Internet Access | Enable full internet access. Default is True. | Optional |
| Additional Parameters | Enter jinja-templated JSON of additional parameters (optional or otherwise). Note: This will override values (if provided) for the above input fields like System, Comment, and Internet-Access. For more information on parameters, refer to https://jbxcloud.joesecurity.org/userguide?sphinxurl=usage/webapi.html#apiv2-submission-new. | Optional |

Example:

```json
{ "systems": null, "fast-mode": true, "export-to-jbxview": true }
```

Output

Result in JSON format when should_wait is false.

![](https://files.readme.io/15f2729-Screenshot_2019-10-22_at_10.10.49_PM.png "Screenshot 2019-10-22 at 10.10.49 PM.png")

Submit URL

Submit a URL to JoeSecurity Sandbox for analysis.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| URL Column Name | Column name from parent table that contains URL to be analyzed. | Required |
| Comment Column Name | Column name from parent table that contains comment for the analysis. | Required |
| System | Select Server System to run analysis on. | Required |
| Should Wait | Should the command wait for the result of the analysis. | Required |
| Internet Access | Enable full internet access. Default is True. | Optional |
| Additional Parameters | Enter jinja-templated JSON of additional parameters (optional or otherwise). Note: This will override values (if provided) for the above input fields like System, Comment, Internet-Access. For more information on parameters, refer to https://jbxcloud.joesecurity.org/userguide?sphinxurl=usage/webapi.html#apiv2-submission-new. | Optional |

Example:

```json
{ "systems": null, "fast-mode": true, "export-to-jbxview": true }
```

Output

Result in JSON format when should wait is false.
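
The Note on Additional Parameters in Submit File and Submit URL means a templated JSON can replace what was chosen in the form, including Internet Access. The following is an added example, not code from Devo or Joe Security, that merges the form inputs with an already-rendered Additional Parameters JSON and reports which inputs were overridden. The parameter names in `FIELD_TO_PARAM`, the sample values, and the rule that a key present in the JSON wins even when null are assumptions.

```python
import json

# Assumed mapping from the form inputs on this page to submission parameter
# names; the page does not spell this mapping out.
FIELD_TO_PARAM = {
    "System": "systems",
    "Comment": "comments",
    "Internet Access": "internet-access",
}


def effective_submission(form_fields, additional_params_json):
    """Merge form inputs with rendered Additional Parameters (JSON wins).

    Returns (params, overridden): the parameters that would be sent and the
    names of the form inputs whose value the JSON replaced.
    """
    extra = json.loads(additional_params_json) if additional_params_json.strip() else {}
    if not isinstance(extra, dict):
        raise ValueError("Additional Parameters must be a JSON object")
    params = {FIELD_TO_PARAM[name]: value for name, value in form_fields.items()}
    overridden = sorted(
        name for name, value in form_fields.items()
        if FIELD_TO_PARAM[name] in extra and extra[FIELD_TO_PARAM[name]] != value
    )
    params.update(extra)  # assumption: a key present in the JSON wins, even when null
    return params, overridden


def internet_access_widened(form_fields, params):
    """True when the form disabled internet access but the merged result enables it."""
    return form_fields.get("Internet Access") is False and params.get("internet-access") is True


# Constructed sample: form values chosen by an analyst, plus the page's example
# JSON with one extra key ("internet-access") added for illustration.
FORM = {"System": "example-system", "Comment": "phish triage", "Internet Access": False}
EXTRA = '{"systems": null, "fast-mode": true, "export-to-jbxview": true, "internet-access": true}'

if __name__ == "__main__":
    merged, changed = effective_submission(FORM, EXTRA)
    print("effective parameters:", merged)
    print("form inputs overridden:", changed)
    print("internet access widened:", internet_access_widened(FORM, merged))
```

Running a check like this over playbook templates before they are enabled shows where a sample would be detonated with different settings than the form suggests.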

Download Report

Download a resource belonging to a report. This can be the full report, dropped binaries, and so on.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Web ID Column Name | Column name from parent table that contains web ID. | Required |
| Report Type | The resource type to download. Defaults to HTML. | Optional |

Output

File ID of the downloaded report in JSON format.

Download Sample

Download the sample file of an analysis. For security reasons, the extension will be "dontrun".

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Web ID Column Name | Column name from parent table that contains web ID. | Required |

Output

File ID of the downloaded JSON sample.

Is Online

Check if Joe Sandbox is online or in maintenance mode.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

Status data in JSON format.

List Analyses

List all analyses that are present on JoeSecurity Sandbox.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Explode Results | Select whether to return separate rows for each result or a single row containing all results. Default is Separate Rows. | Optional |

Output

Results in JSON format.

Search Analyses

Search through all analyses.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Query Column Name | Column name from parent table that contains a query string. The query string will be used to search. The server considers the following fields: md5, sha1, sha256, filename, URL, comments. | Required |

Output

Search Results in JSON format.

Delete Analysis

Delete analysis by webID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Web ID | Jinja-templated text containing webID. | Required |

Output

Results in JSON format.

```json
{
  "has_error": false,
  "result": {"deleted": true},
  "error": null
}
```

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem