Joe Sandbox
Introduction
TruSTAR is a threat intelligence platform designed to accelerate incident analysis process and exchange of intelligence among various internal and external teams. Joe Sandbox executes files and URLs fully automated in a controlled environment and monitors the behavior of applications and the operating system for suspicious activities and compiles it in an extensive analysis report. TruSTAR's integration with Joe Sandbox will allow users to utilize the intelligence from their sandbox analysis within their investigations in a more automated and streamlined manner by correlating their internal cases with Joe Sandbox analysis and all their other intelligence sources in one place.
Prerequisites
This integration requires TruSTAR users to be paying customers of Joe Security and have access to their Joe Sandbox Cloud API keys .
Configure Integration
After you have retrieved your Joe Sandbox API key follow these steps:
- Log into TruSTAR Station and go the Explore->Marketplace (https://station.trustar.co/browse/marketplace).
- Click on Closed Sources.
- Select Joe Sandbox logo and subscribe by filling in your API key.
- Click Submit.
TruSTAR will validate and enable the Joe Sandbox integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.
After the integration in enabled you should see analysis reports from Joe Sandbox being submitted into an enclave you control.
FAQ
What data do you currently pull from Joe Sandbox?
Our integration currently only pulls reports from Joe Sandbox and can extract and correlate against the cyber IOC’s listed below
These include:
- IP
- URL
- Bitcoin Addresses
Please contact support@trustar if you would like to discuss additional indicators that should be extracted from Joe Sandbox analysis reports
How often is the data pulled?
Our integration retrieves data from Joe Sandbox every 15mins.
Technical Details
Feed based TruStash
API Timeout : 30 seconds
BASE_URL - https://jbxcloud.joesecurity.org
API Mapping:
Credential Type - API Key
Stash Type: stash_joesandboxfeeds
SourceType: Closed Source
Workflow:
- Get all webids using /analysis/list API. (API does not support filtering based on timestamp)
- Loop through all web id
- Get detailed information using /analysis/download API. Otherwise skip current webid iteration.
- Submit report to TruSTAR
Request Example -
1) POST - https://jbxcloud.joesecurity.org/api/v2/analysis/list
Data params -
apikey: xxxxxxxxxxxxxxxxxxxxx
Response -
{
"data": [
{
"webid": "752112"
}
]
}
TruSTAR Report Content Mapping:
Report Title - sample field of target block of json response if available else url field (e.g WbPmrTtnkw)
External ID - Encoded value of (webid) field of first json response (e.g encoded value of (752112))
Report Body - json response fields Below
generalinfo (Full text)
Fileinfo (partial text)
fileinfo":
{"filetype":"entropy":"trid":"def":"filename":"submissionpath":"filesize":"md5":"sha1":"sha256":"sha512":"ssdeep":
Comments (full text)
DomainInfo (full text)
IPInfo (full text)
URLinfo (full text)
droppedinfo (full text)
signature detection (full text)
Mitre attack. (full text)
Time Begun - Combine start_date and start_time field of second json response(e.g. 20/12/2018 19:48:25)
Tags - score and malicious field of signature detections field of json response (e.g. [“confidence:64”, “Maliciousness:true”]
Deeplink - https://jbxcloud.joesecurity.org/analysis/744288/0/html?eg: …/analysis/”analysis id” …
Client Type - PYTHON_SDK
Client Meta Tag - ‘trustash’
Please reach out to support@trustar.co for any additional questions.
