Joe Sandbox

Integration version: 7.0

Configure Joe Sandbox to work with Google Security Operations SOAR

To obtain API Key, navigate to User Settings in Joe Sandbox - API Key.

Configure Joe Sandbox integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

Detonate File

Description

Run a file in Joe Sandbox and retrieve an analysis of results.

Parameters

Parameter Type Default Value Description
File Paths String N/A The paths of the files to scan comma separated.
Comment String N/A The comment to add to the entry.
Report Format String N/A The format of the report.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if they exceed threshold.

Insights
Severity Description
Warn A warning insight will be created to inform on the malicious status of the enriched file. The insight will be created when the number of detected engines equals or exceeds the minimum suspicious threshold set before scan.
Script Result
Script Result Name Value Options Example
ScriptResult True/False ScriptResult:False
JSON Result
{
   "path\\\\mocks.txt":
      {
         "status": "finished",
         "runs":
           [{
               "detection": "clean",
               "yara": false,
               "system": "w7_1",
               "error": null
             },{
               "detection": "clean",
               "yara": false,
               "system": "w7x64",
               "error": null
            }],
         "sha1": "e96a0e74ed5cfbcaa65c764939b29945e988be9b",
         "tags": [],
         "webid": "773601",
         "comments": "testing",
         "filename": "mocks.txt",
         "scriptname": "default.jbs",
         "time": "2019-01-21T11:21:20+01:00",
         "duration": 530,
         "sha256": "6087f230c0d6ea362f23ca2abb4baf82a9058cb0143af3e82584005f56626f5b",
         "md5": "502cddb08849eb191386017dfca05670",
         "analysisid": "765760"
      }
}

Ping

Description

Verifies that the user has a connection to Joe Sandbox through the user's device.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_connect True/False is_connect:False
JSON Result
N/A

Search Hash

Description

Search for a hash in sandbox records.

Parameters

N/A

Run On

This action runs on the Filehash entity.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if they exceed threshold.

Enrichment Field Name Logic - When to apply
status Returns if it exists in JSON result
runs Returns if it exists in JSON result
sha1 Returns if it exists in JSON result
tags Returns if it exists in JSON result
webid Returns if it exists in JSON result
comments Returns if it exists in JSON result
filename Returns if it exists in JSON result
scriptname Returns if it exists in JSON result
time Returns if it exists in JSON result
duration Returns if it exists in JSON result
sha256 Returns if it exists in JSON result
md5 Returns if it exists in JSON result
analysisid Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight will be created to inform on the malicious status of the enriched hash. The insight will be created when the number of detected engines equals or exceeds the minimum suspicious threshold set before scan.

Search URL

Description

Search for a URL in sandbox records.

Parameters

N/A

Run On

This action runs on the URL entity.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if they exceed threshold.

Enrichment Field Name Logic - When to apply
status Returns if it exists in JSON result
runs Returns if it exists in JSON result
sha1 Returns if it exists in JSON result
tags Returns if it exists in JSON result
webid Returns if it exists in JSON result
comments Returns if it exists in JSON result
filename Returns if it exists in JSON result
scriptname Returns if it exists in JSON result
time Returns if it exists in JSON result
duration Returns if it exists in JSON result
sha256 Returns if it exists in JSON result
md5 Returns if it exists in JSON result
analysisid Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight will be created to inform on the malicious status of the enriched URL. The insight will be created when the number of detected engines equals or exceeds the minimum suspicious threshold set before scan.
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[{
   "EntityResult":
     {
        "status": "finished",
        "runs":
           [{
              "detection": "clean",
              "yara": false,
              "system": "w7_1",
              "error": null
            },{
              "detection": "clean",
              "yara": false,
              "system": "w7x64",
              "error": null
           }],
       "sha1": "e96a0e74ed5cfbcaa65c764939b29945e988be9b",
       "tags": [],
       "webid": "773601",
       "comments": "testing",
       "filename": "mocks.txt",
       "scriptname": "default.jbs",
       "time": "2019-01-21T11:21:20+01:00",
       "duration": 530,
       "sha256": "6087f230c0d6ea362f23ca2abb4baf82a9058cb0143af3e82584005f56626f5b",
       "md5": "502cddb08849eb191386017dfca05670",
       "analysisid": "765760"
      },
   "Entity": "https://sampleweb.com"
}]