Joe Sandbox

Updated 6 days ago by Elvis Hovor

This document explains how to set up and use the intel feed from Joe Sandbox.

Joe Sandbox executes files and URLs fully automated in a controlled environment and monitors the behavior of applications and the operating system for suspicious activities and compiles it in an extensive analysis report.

  • Time to Install: 10 minutes
  • Type of Feed: Automatic updates
  • Update Frequency: 15 minutes
  • Source Type: Closed Feed


  • Registered customer of Joe Security
  • Joe Sandbox Cloud API key
TruSTAR Admin rights are required to activate this closed source feed.

Getting Started

  1. Log into TruSTAR Station.
  2. Click the Marketplace icon on the left side menu.
  1. Choose Closed Sources.
  2. Click Subscribe in the Joe Sandbox icon and enter your API key in the dialog box.
  3. Click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

How It Works

Report Mapping



Report Title

Sample field of target block of json response if available, else url field  

Example: WbPmrTtnkw

External ID

Encoded value of (webid) field of first json response

Example: encoded value of (752112)

Report Body

generalinfo (Full text)

Fileinfo (partial text)



Comments (full text)

DomainInfo (full text)

IPInfo (full text)

URLinfo (full text)

droppedinfo (full text)

signature detection (full text)

Mitre attack. (full text)

Time Begun

Combined start_date and start_time field of second json response

Example: 20/12/2018 19:48:25


Score and malicious field of signature detections field of json response

Example: [“confidence:64”, “Maliciousness:true”]


Example: …/analysis/”analysis id” …

Client Type


Client Meta Tag



Q. What data do you currently pull from Joe Sandbox? 

A. This integration pulls reports from Joe Sandbox and can extract and correlate against the cyber IOC’s listed below:

  • IP
  • URL
  • Bitcoin Addresses

Contact TruSTAR to discuss additional indicators that can be queried from Joe Sandbox.

Known Issues

None reported.

Please reach out to if you have issues with this integration.

Technical Details 

API Timeout : 30 seconds


API Mapping:

  • Credential Type - API Key
  • Stash Type: stash_joesandboxfeeds
  • SourceType: Closed Source


  • Get all webids using /analysis/list API. (API does not support filtering based on timestamp)
  • Loop through all web id
  • Get detailed information using /analysis/download API. Otherwise skip current webid iteration.
  • Submit report to TruSTAR

Request Example -

1) POST -

Data params -

apikey: xxxxxxxxxxxxxxxxxxxxx

Response -


   "data": [


           "webid": "752112"




How Did We Do?