Joe Sandbox

Updated 1 week ago by Elvis Hovor

This document explains how to set up and use the intel feed from Joe Sandbox.

Joe Sandbox executes files and URLs fully automated in a controlled environment and monitors the behavior of applications and the operating system for suspicious activities and compiles it in an extensive analysis report.

  • Time to Install: 10 minutes
  • Type of Feed: Automatic updates
  • Update Frequency: 15 minutes
  • Intel Type: Premium

Data Types

The integration pulls all observables supported by TruSTAR.

Requirements

  • Registered customer of Joe Security
  • Joe Sandbox Cloud API key
TruSTAR Admin rights are required to activate this Premium Intel feed.

Getting Started

  1. Log into TruSTAR Station.
  2. Click the Marketplace icon on the left side menu.
  3. Choose Closed Sources.
  4. Click Subscribe in the Joe Sandbox icon.
  5. Enter your Joe Sandbox API key, then click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

Report Mapping

Field 

Explanation

Report Title

Sample field of target block of json response if available, else url field  

Example: WbPmrTtnkw

External ID

Encoded value of (webid) field of first json response

Example: encoded value of (752112)

Report Body

Full JSON response from Joe Sandbox

Time Begun

Combined start_date and start_time field of second json response

Example: 20/12/2018 19:48:25

Tags

Score and malicious field of signature detections field of json response

Example: [“confidence:64”, “Maliciousness:true”]

Deeplink

Example: https://jbxcloud.joesecurity.org/analysis/744288/0/html?eg: …/analysis/”analysis id” …

Client Type

PYTHON SDK

Client Meta Tag

‘trustash’

Known Issues

None reported.

Please reach out to support@trustar.co if you have issues with this integration.


How Did We Do?