Joe Sandbox Action Bundle
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 5.29.0 |
| ThreatQ TQO License Required | Yes |
| Support Tier | ThreatQ Supported |
Introduction
The Joe Sandbox Action Bundle enables ThreatQ users to automate malware analysis by submitting supported URL indicators and ThreatQ files to Joe Sandbox Cloud and retrieving analysis results directly into ThreatQ. The bundle streamlines submission and enrichment workflows, allowing analysts to incorporate Joe Sandbox intelligence into their ThreatQ investigations.
The integration provides the following actions:
- Joe Sandbox - Submit - submits supported URL indicators and ThreatQ files to Joe Sandbox Cloud for analysis. URL indicators can be submitted either as browser URLs or as URL-hosted file samples, depending on the configured submission type.
- Joe Sandbox - Get Report - retrieves the analysis report for an existing Joe Sandbox submission and enriches the associated ThreatQ indicator with report details and related intelligence.
The integration is compatible with the following object types:
- Indicators
- Filename
- MD5
- SHA-1
- SHA-256
- URL
- Files
The integration returns the following enriched object types:
- Indicators
- Indicator Attributes
- Files
- File Attributes
- Reports
- Report Attributes
This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.
Prerequisites
- An active ThreatQ TDR Orchestrator (TQO) license.
- A Joe Sandbox API Key.
- A valid Joe Sandbox analysis system such as
w10x64. - A data collection containing at least one of the following object types:
- Indicator
- Filename
- MD5
- SHA-1
- SHA-256
- URL
- File
- Indicator
Installation
Perform the following steps to install the integration:
The same steps can be used to upgrade the integration to a new version.
- Log into https://marketplace.threatq.com/.
- Locate and download the action zip file.
- Navigate to the integrations management page on your ThreatQ instance.
- Click on the Add New Integration button.
- Upload the action zip file using one of the following methods:
- Drag and drop the zip file into the dialog box
- Select Click to Browse to locate the zip file on your local machine
- Select the actions to install, when prompted, and click on Install.
ThreatQ will inform you if the action already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the action contains changes to the user configuration. The new user configurations will overwrite the existing ones for the action and will require user confirmation before proceeding.
The action(s) will now be installed on your ThreatQ instance. You will still need to configure the action(s).
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Actions option from the Category dropdown (optional).
- Click on the action entry to open its details page.
- Enter the following parameters under the Configuration tab:
The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.
Parameter Description API Key Enter the API key used to authenticate requests to Joe Sandbox. API URL Enter the base URL for the Joe Sandbox API. The default value is https://www.joesandbox.com/api.Default URL Scheme Select the protocol to prepend to URL indicators that do not begin with http://orhttps://. The default value isHTTPS.URL Submission Type Select whether URL indicators are submitted using the Joe Sandbox urlfield or thesample-urlfield.Analysis System Specify the Joe Sandbox analysis system to use for submitted samples. Options include: - Windows 10 x64:
w10x64(Default) - Windows 10 x64 Remote Assistance:
w10x64_ra - Windows 10 x64 Native:
w10x64native - Windows 7 x64:
w7x64 - Ubuntu Linux 20.04 x64:
lnxubuntu20 - Ubuntu Linux 16.04 x64:
lnxubuntu1 - macOS Monterey:
macvm-monterey - Windows 11 x64 Office:
w11x64_office
Enable SSL Certificate Verification Enable this parameter if the action should validate the host-provided SSL certificate. Disable Proxies Enable this parameter if the action should not honor proxies set in the ThreatQ UI. Objects Per Run Specify the maximum number of objects to process during a single execution. The default value is 1000. - Windows 10 x64:
- Review any additional settings, make any changes if needed, and click on Save.
Actions
The following actions are available:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Joe Sandbox - Submit | Submit a URL, URL-hosted sample, or ThreatQ file for analysis | Indicators, Files | Indicator type - URL |
| Joe Sandbox - Get Report | Retrieve a completed or in-progress Joe Sandbox submission report | Indicators, Files | Indicator type - URL, MD5, SHA-1, SHA-256, Filename |
Joe Sandbox - Submit
The Joe Sandbox – Submit action submits supported URL indicators and ThreatQ files to Joe Sandbox for analysis using a common submission endpoint.
POST https://www.joesandbox.com/api/v2/submission/new
For URL indicators, the URL Submission Type parameter determines how the indicator is submitted:
url– Opens and analyzes the URL in the selected Joe Sandbox analysis environment.Sample URL Request:
{ "accept-tac": "1", "systems[]": ["w10x64"], "url": "https://www.example.com" }sample-url– Downloads and analyzes the file hosted at the specified URL.Sample URL-Hosted File Request:
{ "accept-tac": "1", "systems[]": ["w10x64"], "sample-url": "https://github.com/ytisf/theZoo/raw/master/malware/Binaries/All.ElectroRAT/All.ElectroRAT.zip" }
For ThreatQ files, the action downloads the file from ThreatQ and submits it to Joe Sandbox as a multipart file sample.
Sample File Response:
{
"accept-tac": "1",
"systems[]": ["w10x64"],
"sample": {
"filename": "joe_test.txt",
"content_type": "text/plain",
"value": "This is a harmless test file."
}
}
Sample Response:
{
"data": {
"submission_id": "1867086"
}
}
ThreatQuotient provides the following default mapping for this action:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes | |
|---|---|---|---|---|---|---|
.data.submission_id |
Indicator.Attribute |
Joe Sandbox Submission ID |
N/A |
1867086 |
N/A |
|
.data.submission_id |
File.Attribute |
Joe Sandbox Submission ID |
N/A |
1870001 |
N/A |
Joe Sandbox - Get Report
The Joe Sandbox – Get Report action retrieves the analysis report for an indicator that contains a valid Joe Sandbox Submission ID attribute. The action uses the stored Submission ID to query Joe Sandbox and return the corresponding report details to ThreatQ.
POST https://www.joesandbox.com/api/v2/submission/info
Sample Request:
{
"submission_id": "1867086"
}
Sample Response:
{
"data": {
"submission_id": "1869360",
"name": "https://www.google.com",
"time": "2026-06-23T08:39:18+02:00",
"status": "finished",
"analyses": [
{
"webid": "1932342",
"time": "2026-06-23T08:39:19+02:00",
"runs": [
{
"detection": "clean",
"error": null,
"system": "w10x64",
"yara": false,
"sigma": false,
"suricata": false,
"score": 2
}
],
"tags": [
"malware",
"phishing"
],
"encrypted": false,
"analysisid": "1932342",
"duration": 275,
"md5": "44d88512fea8a8f36de82e1278abb0",
"sha1": "3395856ce81f2b7382dee72062f798",
"sha256": "275a021bbfb6489e54d471899f7db9",
"filename": "sample_report.pdf",
"scriptname": "browseurl.jbs",
"status": "finished",
"comments": "Analysis completed successfully without structural errors.",
"classification": "spyw.evad",
"threatname": "Amadey",
"score": 2,
"detection": "clean",
"has_malwareconfig": false
}
],
"most_relevant_analysis": {
"webid": "1932342",
"detection": "clean",
"score": 2
}
}
}
ThreatQuotient provides the following default mapping for this action:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
.data.analyses[].analysisid |
Indicator.Attribute |
Joe Sandbox Report ID |
N/A |
1930015 |
Added to the original indicator. |
.data.analyses[].webid |
Indicator.Attribute |
Joe Sandbox Report Link |
N/A |
https://www.joesandbox.com/analysis/1930015 |
Built from the Joe Sandbox report base URL and the webid. |
.data.analyses[].status |
Indicator.Attribute |
Joe Sandbox Status |
N/A |
finished |
Analysis status. |
.data.analyses[].detection |
Indicator.Attribute |
Joe Sandbox Detection |
N/A |
clean |
Analysis detection verdict. |
.data.analyses[].score |
Indicator.Attribute |
Joe Sandbox Score |
N/A |
1 |
Joe Sandbox score. |
.data.analyses[].classification |
Indicator.Attribute |
Joe Sandbox Classification |
N/A |
spyw.evad |
Only mapped when present. |
.data.analyses[].threatname |
Indicator.Attribute |
Joe Sandbox Threat Name |
N/A |
Amadey |
Only mapped when present. |
.data.analyses[].runs[].system |
Indicator.Attribute |
System <system> Detection |
N/A |
System w10x64 Detection: clean |
Added when the run has a detection and no run error. |
.data.analyses[].md5 |
Related Indicator.value |
MD5 |
N/A |
44d88612fea8a8f36de82e1278abb02f |
Created as related indicator when present. |
.data.analyses[].sha1 |
Related Indicator.value |
SHA-1 |
N/A |
3395856ce81f2b7382dee72602f798b642f14140 |
Created as related indicator when present. |
.data.analyses[].sha256 |
Related Indicator.value |
SHA-256 |
N/A |
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f |
Created as related indicator when present. |
.data.analyses[].filename |
Related Indicator.value |
Filename |
N/A |
https://www.example.com |
Created as related indicator when present. |
data.analyses[].analysisid |
Report.Attribute |
Joe Sandbox Report ID |
N/A |
1932342 |
N/A |
data.analyses[].webid |
Report.Attribute |
Joe Sandbox Report Link |
N/A |
https://www.joesandbox.com/analysis/1932342 |
N/A |
data.analyses[].threatname |
Report.Attribute |
Joe Sandbox Threat Name |
N/A |
`` |
N/A |
text |
Report |
Description |
N/A |
<p><strong>Joe Sandbox Report Link:</strong> ...</p> |
N/A |
Enriched Data
Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.
Joe Sandbox - Submit
| Metric | Result |
|---|---|
| Run Time | 2 minutes |
| Indicators | 1 |
| Indicator Attributes | 1 |
| Files | 1 |
| File Attributes | 1 |
Joe Sandbox - Get Report
| Metric | Result |
|---|---|
| Run Time | 2 minutes |
| Indicators | 1 |
| Indicator Attributes | 8 |
| Reports | 1 |
| Report Attributes | 6 |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| Joe Sandbox Action Bundle Guide v1.0.0 | 5.29.0 or Greater |