Joe Sandbox

Updated 2 months ago by Elvis Hovor

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. Joe Sandbox executes files and URLs fully automatically in a controlled environment, monitors the behavior of applications and the operating system for suspicious activity, and compiles the findings into an extensive analysis report. TruSTAR's integration with Joe Sandbox lets users apply the intelligence from their sandbox analyses within their investigations in a more automated and streamlined manner, by correlating their internal cases with Joe Sandbox analyses and all their other intelligence sources in one place.

Prerequisites

This integration requires TruSTAR users to be paying customers of Joe Security and to have access to their Joe Sandbox Cloud API keys.

Configure Integration

After you have retrieved your Joe Sandbox API key, follow these steps:

  1. Log into TruSTAR Station and go to Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Select the Joe Sandbox logo and subscribe by filling in your API key.
  4. Click Submit.

TruSTAR will validate and enable the Joe Sandbox integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.

After the integration is enabled you should see analysis reports from Joe Sandbox being submitted into an enclave you control.

FAQ

What data do you currently pull from Joe Sandbox?

Our integration currently pulls only reports from Joe Sandbox, and from those reports it extracts and correlates the following indicator types:

  • IP
  • URL
  • Bitcoin Addresses

Please contact support@trustar.co if you would like to discuss additional indicator types that should be extracted from Joe Sandbox analysis reports.

How often is the data pulled?

Our integration retrieves data from Joe Sandbox every 15 minutes.

Technical Details

Feed-based TruStash

API Timeout: 30 seconds

BASE_URL - https://jbxcloud.joesecurity.org

API Mapping:

Credential Type - API Key

Stash Type: stash_joesandboxfeeds

SourceType: Closed Source

Workflow:

  • Get all webids using the /analysis/list API (the API does not support filtering by timestamp).
  • Loop through all webids.
  • Get detailed information for each webid using the /analysis/download API; if that fails, skip the current webid.
  • Submit the report to TruSTAR.

Request Example -

1) POST - https://jbxcloud.joesecurity.org/api/v2/analysis/list

Data params -

apikey: xxxxxxxxxxxxxxxxxxxxx

Response -

{
  "data": [
    {
      "webid": "752112"
    }
  ]
}

TruSTAR Report Content Mapping:

Report Title - the sample field of the target block of the JSON response if available, otherwise the url field (e.g. WbPmrTtnkw)

External ID - Encoded value of the webid field of the first JSON response (e.g. the encoded value of 752112)

Report Body - the following fields of the JSON response:

generalinfo (Full text)

Fileinfo (partial text; only the following keys of the fileinfo block are included)

filetype, entropy, trid, def, filename, submissionpath, filesize, md5, sha1, sha256, sha512, ssdeep

Comments (full text)

DomainInfo (full text)

IPInfo (full text)

URLinfo (full text)

droppedinfo (full text)

signature detection (full text)

Mitre attack (full text)

Time Begun - Combination of the start_date and start_time fields of the second JSON response (e.g. 20/12/2018 19:48:25)

Tags - the score and malicious fields of the signature detections field of the JSON response (e.g. ["confidence:64", "Maliciousness:true"])

Deeplink - https://jbxcloud.joesecurity.org/analysis/<analysis id>/0/html (e.g. https://jbxcloud.joesecurity.org/analysis/744288/0/html)

Client Type - PYTHON_SDK

Client Meta Tag - 'trustash'
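As an added example (not TruSTAR's or Joe Security's code), the mapping step of the workflow above, written as a Python function that turns one /analysis/download JSON document into the TruSTAR report fields listed here. The JSON section names, the sample data and the base64 encoding used for the External ID are assumptions, since the page does not specify them.

```python
import base64
from datetime import datetime

JBX_BASE_URL = "https://jbxcloud.joesecurity.org"
# fileinfo keys kept in the report body ("partial text" in the mapping above).
FILEINFO_KEYS = ("filetype", "entropy", "trid", "def", "filename", "submissionpath",
                 "filesize", "md5", "sha1", "sha256", "sha512", "ssdeep")
# Sections copied in full into the report body (section names are assumed).
FULL_SECTIONS = ("generalinfo", "comments", "domaininfo", "ipinfo", "urlinfo",
                 "droppedinfo", "signaturedetections", "mitreattack")

def external_id(webid):
    # The page only says "encoded value of webid"; URL-safe base64 is an
    # assumed stand-in for whatever encoding the real connector uses.
    return base64.urlsafe_b64encode(str(webid).encode()).decode()

def time_begun(generalinfo):
    # start_date is day/month/year in the page's example (20/12/2018 19:48:25).
    stamp = f"{generalinfo['start_date']} {generalinfo['start_time']}"
    return datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")

def tags(detection):
    # Mirrors the page's example tags: ["confidence:64", "Maliciousness:true"].
    return [f"confidence:{detection['score']}",
            f"Maliciousness:{str(detection['malicious']).lower()}"]

def build_trustar_report(webid, analysis):
    """Map a webid (from /analysis/list) plus its /analysis/download JSON to report fields."""
    target = analysis.get("target", {})
    body = {name: analysis[name] for name in FULL_SECTIONS if name in analysis}
    fileinfo = analysis.get("fileinfo", {})
    body["fileinfo"] = {k: fileinfo[k] for k in FILEINFO_KEYS if k in fileinfo}
    return {
        "title": target.get("sample") or target.get("url"),
        "external_id": external_id(webid),
        "body": body,
        "time_begun": time_begun(analysis["generalinfo"]),
        "tags": tags(analysis["signaturedetections"]),
        "deeplink": f"{JBX_BASE_URL}/analysis/{webid}/0/html",
    }

# Constructed sample; a real Joe Sandbox report is far larger and the section
# layout assumed here may differ from the live API.
SAMPLE_WEBID = "752112"
SAMPLE_ANALYSIS = {
    "generalinfo": {"start_date": "20/12/2018", "start_time": "19:48:25"},
    "target": {"sample": "WbPmrTtnkw"},
    "fileinfo": {"filename": "WbPmrTtnkw", "filesize": 4096,
                 "md5": "<md5 placeholder>", "unlisted": "not copied"},
    "signaturedetections": {"score": 64, "malicious": True},
}
```

Submitting the resulting fields through the TruSTAR Python SDK is not shown; `build_trustar_report(SAMPLE_WEBID, SAMPLE_ANALYSIS)` returns the mapped dictionary.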

Please reach out to support@trustar.co for any additional questions.
