Joe Sandbox CDF

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Joe Sandbox CDF for ThreatQ enables analysts to automatically ingest analysis reports for samples submitted to Joe Sandbox.

The integration provides the following feed:

  • Joe Sandbox Submissions - pulls analysis reports for samples submitted to Joe Sandbox.

The integration ingests the following system objects:

  • Reports
  • Indicators
  • Malware

Along with the system objects listed above, the integration ingests the following support context:

  • Joe Sandbox Link
  • Disposition
  • Classification
  • Threat Score
  • Related Malware
  • Tags
  • Comments
  • Sample MD5 Hash
  • Sample SHA-1 Hash
  • Sample SHA-256 Hash
  • Sample Filename / URL
  • Sandbox Environment
  • Sandbox Script
  • Triggered YARA Rule
  • Triggered Sigma Rule

Prerequisites

The Joe Sandbox CDF integration for ThreatQ requires the following:

  • A Joe Sandbox API Key, which can be found under User Settings for your Joe Sandbox account.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Commercial option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:

     Joe Sandbox API Key: Your Joe Sandbox API Key. This can be found under User Settings on the Joe Sandbox site.

     Disposition Filter: Select the dispositions for which analyses are ingested into ThreatQ. Options include:
       • Unknown
       • Clean
       • Malicious (default)
       • Suspicious (default)

     Context Filter: Select the pieces of context to bring in with the sandbox reports. Options include:
       • Joe Sandbox Link (default)
       • Disposition (default)
       • Classification (default)
       • Threat Score (default)
       • Related Malware (default)
       • Tags (default)
       • Comments
       • Sample MD5 Hash (default)
       • Sample SHA-1 Hash (default)
       • Sample SHA-256 Hash (default)
       • Sample Filename / URL (default)
       • Sandbox Environment (default)
       • Sandbox Script
       • Triggered YARA Rule
       • Triggered Sigma Rule

    Joe Sandbox Configuration Screen
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

Joe Sandbox Submissions (Feed)

The Joe Sandbox Submissions feed automatically pulls analysis reports for samples submitted to Joe Sandbox.

POST https://jbxcloud.joesecurity.org/api/v2/analysis/list

Sample Body (Form Data):

{
    "apikey": "xxxxx"
}

Sample Response:

{
  "data": [
    {
      "webid": "2530138"
    },
    {
      "webid": "2530129"
    },
    {
      "webid": "2530128"
    }
  ],
  "pagination": {}
}

The mappings for this feed are based on the data returned by the Get Analysis Details Supplemental Feed.

Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Transformation | Published Date | Examples | Notes
.classification | Report.Attribute | Classification | N/A | N/A | spyw.evad | If enabled
.comments | Report.Attribute | Comment | N/A | N/A | N/A | If enabled
.detection | Report.Attribute | Disposition | N/A | N/A | malicious | If enabled
.runs[0].sigma | Report.Attribute | Triggered Sigma Rule | N/A | N/A | True | If enabled
.runs[0].yara | Report.Attribute | Triggered YARA Rule | N/A | N/A | False | If enabled
.runs[0].system | Report.Attribute | Sandbox Environment | N/A | N/A | w10x64_office | If enabled
.score | Report.Attribute | Threat Score | N/A | N/A | 88 | If enabled
.scriptname | Report.Attribute | Sandbox Script | N/A | N/A | urldownload.jbs | If enabled
.threatname | Report.Malware | N/A | N/A | N/A | Amadey | If enabled
.tags[] | Report.Tag | N/A | N/A | N/A | N/A | If enabled
.analysisid | Report.Attribute | Joe Sandbox Link | Formatted into URL | N/A | https://jbxcloud.joesecurity.org/analysis/{{ analysisid }}/0/html | If enabled
.filename | Report.Indicator | URL or Filename | N/A | N/A | N/A | If enabled; Type depends on value
.md5 | Report.Indicator | MD5 | N/A | N/A | N/A | If enabled
.sha1 | Report.Indicator | SHA-1 | N/A | N/A | N/A | If enabled
.sha256 | Report.Indicator | SHA-256 | N/A | N/A | N/A | If enabled
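As an added example, not part of this guide or of the CDF's own code, the mapping above applied in Python: a constructed analysis-info record is run through the Disposition and Context filters from the Configuration section and turned into the report attributes, indicators, malware and tags the table describes. The scheme-prefix test that decides between a URL and a Filename indicator, and the plain-dict output shape, are assumptions.

```python
import re
# Constructed sample shaped like this page's Get Analysis Details response
# (values invented for illustration, not taken from a real analysis).
SAMPLE_INFO = {
    "analysisid": "1824743", "detection": "malicious", "score": 88,
    "classification": "spyw.evad", "threatname": "Amadey", "tags": ["loader"],
    "scriptname": "urldownload.jbs", "comments": "", "md5": "", "sha1": "",
    "filename": "http://example.invalid/dl.php", "sha256": "0" * 64,
    "runs": [{"system": "w10x64_office", "yara": True, "sigma": False}],
}
DEFAULT_DISPOSITIONS = {"malicious", "suspicious"}
DEFAULT_CONTEXT = {"Joe Sandbox Link", "Disposition", "Classification", "Threat Score",
                   "Related Malware", "Tags", "Sample MD5 Hash", "Sample SHA-1 Hash",
                   "Sample SHA-256 Hash", "Sample Filename / URL", "Sandbox Environment"}
# Context option -> extractor for the report attribute of the same name.
ATTRIBUTES = {
    "Joe Sandbox Link": lambda d: "https://jbxcloud.joesecurity.org/analysis/%s/0/html" % d["analysisid"],
    "Disposition": lambda d: d.get("detection"),
    "Classification": lambda d: d.get("classification"),
    "Threat Score": lambda d: d.get("score"),
    "Sandbox Environment": lambda d: (d.get("runs") or [{}])[0].get("system"),
    "Sandbox Script": lambda d: d.get("scriptname"),
    "Triggered YARA Rule": lambda d: (d.get("runs") or [{}])[0].get("yara"),
    "Triggered Sigma Rule": lambda d: (d.get("runs") or [{}])[0].get("sigma"),
    "Comments": lambda d: d.get("comments"),
}
# Context option -> (response field, ThreatQ indicator type).
HASHES = {"Sample MD5 Hash": ("md5", "MD5"), "Sample SHA-1 Hash": ("sha1", "SHA-1"),
          "Sample SHA-256 Hash": ("sha256", "SHA-256")}

def build_report(info, dispositions=DEFAULT_DISPOSITIONS, context=DEFAULT_CONTEXT):
    """Apply the Disposition and Context filters to one analysis; None if filtered out."""
    if info.get("detection") not in dispositions:
        return None
    report = {"attributes": {}, "indicators": [], "malware": [], "tags": []}
    for option, extract in ATTRIBUTES.items():
        value = extract(info) if option in context else None
        if value is not None and value != "":   # absent or empty context is skipped
            report["attributes"][option] = value
    for option, (field, ind_type) in HASHES.items():
        if option in context and info.get(field):  # empty hash strings are dropped
            report["indicators"].append((ind_type, info[field]))
    name = info.get("filename")
    if "Sample Filename / URL" in context and name:  # indicator type depends on value
        kind = "URL" if re.match(r"[a-z][a-z0-9+.-]*://", name, re.I) else "Filename"
        report["indicators"].append((kind, name))
    if "Related Malware" in context and info.get("threatname"):
        report["malware"].append(info["threatname"])
    report["tags"] = list(info.get("tags", [])) if "Tags" in context else []
    return report
```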

Get Analysis Details (Supplemental)

The Get Analysis Details supplemental feed fetches the details for a given submission ID.

POST https://jbxcloud.joesecurity.org/api/v2/analysis/list/v2/analysis/info

Sample Body (Form Data):

{
    "apikey": "xxxxx",
    "webid": "1234567"
}

Sample Response:

{
  "data": {
    "webid": "2530138",
    "time": "2022-04-19T15:28:17+02:00",
    "runs": [
      {
        "detection": "malicious",
        "error": null,
        "system": "w10x64_office",
        "yara": true,
        "sigma": false,
        "score": 88
      }
    ],
    "tags": [],
    "encrypted": false,
    "analysisid": "1824743",
    "duration": 491,
    "md5": "",
    "sha1": "",
    "sha256": ""
  }
}

Average Feed Run

Object counts and feed runtime are supplied as generalities only: the objects returned by a provider can differ based on credential configuration, and feed runtime may vary with system resources and load.

Joe Sandbox Submissions

Metric | Result
Run Time | 1 minute(s)
Reports | 4
Report Attributes | 25
Indicators | 4
Indicator Attributes | 8
Malware | 1

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

Document | ThreatQ Version
Joe Sandbox CDF Guide v1.0.0 | 4.40.0 or Greater