Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities. It performs deep malware analysis and generates comprehensive and detailed analysis reports.
This document provides information about the Joe Sandbox Cloud connector, which facilitates automated interactions with the Joe Sandbox Cloud server using FortiSOAR™ playbooks. Add the Joe Sandbox Cloud connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting files to the Joe Sandbox Cloud server for analysis and searching for and retrieving reports from the Joe Sandbox Cloud server.
Connector Version: 1.2.0
FortiSOAR™ Version Tested on: 7.6.0-5012
Joe Sandbox Cloud Pro Version Tested on: 2.0
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Joe Sandbox Cloud connector in version 1.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-joe-sandbox-cloud
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Joe Sandbox Cloud connector row, and in the Configuration tab enter the required configuration details.
| Parameter | Description |
|---|---|
| Server URL | URL of the Joe Sandbox Cloud server to which you will connect and perform automated operations. |
| API Key | API Key that is configured for your account for the Joe Sandbox server to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, it is selected, i.e., set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Get All System Information | Retrieves a list of all systems and their details from your configured Joe Sandbox Cloud server. | get_all_system_information Investigation |
| Submit File | Submits a file from your FortiSOAR™ Attachment module to the Joe Sandbox Cloud server for analysis. | detonate_file Investigation |
| Submit URL | Submits a URL to the Joe Sandbox Cloud server for analysis. | detonate_url Investigation |
| Get Submission Status | Retrieves the status of a submitted file or URL from your configured Joe Sandbox Cloud server, based on the Web ID you have specified. A Web ID is a unique ID for a report. | get_submitted_sample_state Investigation |
| Search Report | Retrieves a list of Web IDs (Unique ID for a report) from your configured Joe Sandbox Cloud server, based on the query you have specified. | search_report Investigation |
| Get Report | Retrieves the report of a submitted file or URL from your configured Joe Sandbox Cloud server, based on the Web ID you have specified. A Web ID is a unique ID for a report. | get_report Investigation |
| Get All Analysed Sample Details | Retrieves details of all analyzed samples (Web IDs) from your configured Joe Sandbox Cloud server. | get_details Investigation |
| Get Account Information | Retrieves details of all accounts configured on your Joe Sandbox Cloud server. | get_account_info Investigation |
None.
The output contains the following populated JSON schema:
{
"result_data": {
"webids": []
}
}
Note: You can only upload files to the Joe Sandbox Cloud channels of your configured Joe Sandbox Cloud server from the FortiSOAR™ Attachment module.
| Parameter | Description |
|---|---|
| File ID | ID or IRI value of the file that you want to submit for analysis from the FortiSOAR™ Attachments module to your configured Joe Sandbox Cloud server. The File ID or File IRI is used to access the file in the Attachments module of FortiSOAR™. In the playbook, this defaults to the {{vars.attachment_id}} value if you have specified the file ID, or the {{vars.file_iri}} value if you have specified the file IRI. |
| System | (Optional) Systems on which you want to analyze the file. You can specify more than one system in this field. For example, on Windows, if you do not specify any systems, then systems are automatically selected for this field, such as ["w7x64", "w7", "w10"]. |
| Comments | (Optional) Comments to add to the file that you are submitting to your configured Joe Sandbox Cloud server. |
| Analysis Time | (Optional) Analysis time in seconds that you want to set for the file that you are submitting to your configured Joe Sandbox Cloud server. You can set any time between 20 and 500 seconds. By default, this is set to 120 seconds. |
| Office Files Passwords | (Optional) Password to decrypt Microsoft Office documents. |
| Internet Access | Select this option (set it to true) to enable full internet access. By default, this is set to false. |
| Hybrid Code Analysis | Select this option (set it to true) to enable Hybrid Code Analysis (HCA). By default, this is set to false. |
| Hybrid Decompilation | Select this option (set it to true) to enable Hybrid Decompilation (DEC). By default, this is set to false. |
| Report Cache | Select this option (set it to true) to enable the report cache, i.e., check the cache for an existing report before running a full analysis. By default, this is set to false. |
| Static Only | Select this option (set it to true) to perform only static analysis. By default, this is set to false, i.e., both static and dynamic analysis are performed. |
| SSL Inspection | Select this option (set it to true) to enable HTTPS Inspection. By default, this is set to false. |
| VBA Instrumentation | Select this option (set it to true) to enable VBA Instrumentation. By default, this is set to false. |
| JS Instrumentation | Select this option (set it to true) to enable JavaScript Instrumentation. By default, this is set to false. |
| Java Jar Tracing | Select this option (set it to true) to enable Java Jar Tracing, i.e., two analyses are performed. By default, this is set to false. |
| Email Notification | Email address to which a notification should be sent once the analysis of the submitted file is complete. |
The output contains the following populated JSON schema:
{
"result_data": {
"webids": []
}
}
| Parameter | Description |
|---|---|
| URL | URL that you want to submit for analysis to your configured Joe Sandbox Cloud server. |
| System | (Optional) Systems on which you want to analyze the URL. You can specify more than one system in this field. By default, the system that is chosen depends on the file extension of the submitted file or URL. For example, on Windows, if you do not specify any systems, then systems are automatically selected for this field, such as ["w7x64", "w7", "w10"]. |
| Comments | (Optional) Comments to add to the URL that you are submitting to your configured Joe Sandbox Cloud server. |
| Analysis Time | (Optional) Analysis time in seconds that you want to set for the URL that you are submitting to your configured Joe Sandbox Cloud server. You can set any time between 20 and 500 seconds. By default, this is set to 120 seconds. |
| Office Files Passwords | (Optional) Password to decrypt Microsoft Office documents. |
| Internet Access | Select this option (set it to true) to enable full internet access. By default, this is set to false. |
| Hybrid Code Analysis | Select this option (set it to true) to enable Hybrid Code Analysis (HCA). By default, this is set to false. |
| Hybrid Decompilation | Select this option (set it to true) to enable Hybrid Decompilation (DEC). By default, this is set to false. |
| Report Cache | Select this option (set it to true) to enable the report cache, i.e., check the cache for an existing report before running a full analysis. By default, this is set to false. |
| Static Only | Select this option (set it to true) to perform only static analysis. By default, this is set to false, i.e., both static and dynamic analysis are performed. |
| SSL Inspection | Select this option (set it to true) to enable HTTPS Inspection. By default, this is set to false. |
| VBA Instrumentation | Select this option (set it to true) to enable VBA Instrumentation. By default, this is set to false. |
| JS Instrumentation | Select this option (set it to true) to enable JavaScript Instrumentation. By default, this is set to false. |
| Java Jar Tracing | Select this option (set it to true) to enable Java Jar Tracing, i.e., two analyses are performed. By default, this is set to false. |
| Email Notification | Email address to which a notification should be sent once the analysis of the submitted URL is complete. |
The output contains the following populated JSON schema:
{
"result_data": {
"webids": []
}
}
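The Submit File and Submit URL parameter tables above share the same limits and defaults (Analysis Time 20 to 500 seconds, default 120; every boolean option off by default; systems auto-selected when none are given). The following added example, which is not the connector's own code, validates a submission's parameters before the playbook step runs and pulls the Web IDs out of the operation's output; the parameter key names in the returned dict are assumptions chosen for illustration.

```python
"""Validate Submit File / Submit URL parameters against the limits on this
page and extract Web IDs from the operation output.
Added example, not the connector's own code; the key names used in the
returned dict are assumptions for illustration."""
from __future__ import annotations

ANALYSIS_TIME_MIN = 20        # seconds, per the Analysis Time parameter
ANALYSIS_TIME_MAX = 500
ANALYSIS_TIME_DEFAULT = 120

# All boolean options listed on the page default to false.
BOOL_OPTIONS = (
    "internet_access", "hybrid_code_analysis", "hybrid_decompilation",
    "report_cache", "static_only", "ssl_inspection", "vba_instrumentation",
    "js_instrumentation", "java_jar_tracing",
)


def build_submission_params(kind: str, target: str, systems=None,
                            analysis_time=None, comments: str = "",
                            office_password: str = "",
                            email_notification: str = "", **options) -> dict:
    """Return the parameter dict for one Submit File / Submit URL step.

    kind is "file" (target is the Attachment file ID or IRI) or "url".
    Unknown option names and out-of-range values raise ValueError so a
    playbook fails at this step instead of failing at the sandbox.
    """
    if kind not in ("file", "url"):
        raise ValueError(f"kind must be 'file' or 'url', got {kind!r}")
    if not target:
        raise ValueError("target (file ID/IRI or URL) is required")

    unknown = set(options) - set(BOOL_OPTIONS)
    if unknown:
        raise ValueError(f"unknown option(s): {sorted(unknown)}")

    # Analysis Time: integer seconds in [20, 500], default 120.
    if analysis_time is None:
        analysis_time = ANALYSIS_TIME_DEFAULT
    if isinstance(analysis_time, bool) or not isinstance(analysis_time, int) \
            or not ANALYSIS_TIME_MIN <= analysis_time <= ANALYSIS_TIME_MAX:
        raise ValueError(
            f"analysis_time must be an int in [{ANALYSIS_TIME_MIN}, "
            f"{ANALYSIS_TIME_MAX}], got {analysis_time!r}")

    params = {
        "kind": kind,
        "target": target,
        # An empty list leaves system selection to the server, which then
        # picks systems automatically (e.g. ["w7x64", "w7", "w10"]).
        "systems": list(systems) if systems else [],
        "analysis_time": analysis_time,
        "comments": comments,
        "office_files_password": office_password,
        "email_notification": email_notification,
    }
    for name in BOOL_OPTIONS:
        params[name] = bool(options.get(name, False))
    return params


def webids_from_response(response: dict) -> list[str]:
    """Return the Web IDs from a Submit File / Submit URL output of the form
    {"result_data": {"webids": [...]}}; missing keys yield an empty list."""
    result = response.get("result_data") or {}
    return [str(w) for w in result.get("webids") or []]
```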
| Parameter | Description |
|---|---|
| API (Web) ID | ID of the submitted file or URL for which you want to retrieve the status information from your configured Joe Sandbox Cloud server. When you submit a file or URL to your configured Joe Sandbox Cloud server, the output of those operations contains the API ID (or Web ID) associated with the submitted file or URL. |
The output contains the following populated JSON schema:
{
"result_data": {
"runs": [],
"sha256": "",
"analysisid": "",
"filename": "",
"tags": [],
"sha1": "",
"scriptname": "",
"md5": "",
"status": "",
"webid": "",
"time": "",
"comments": ""
}
}
| Parameter | Description |
|---|---|
| Query | Query based on which you want to retrieve reports (Web IDs) from your configured Joe Sandbox Cloud server. A Web ID is a unique ID for a report. While searching for a report, the Joe Sandbox Cloud server considers the following fields: webid, md5, sha1, sha256, filename, URL, and comments. |
The output contains the following populated JSON schema:
{
"result_data": [
{
"webid": ""
}
]
}
| Parameter | Description |
|---|---|
| API (Web) ID | ID of the submitted file or URL for which you want to retrieve the report information from your configured Joe Sandbox Cloud server. When you submit a file or URL to your configured Joe Sandbox Cloud server, the output of those operations contains the API ID (or Web ID) associated with the submitted file or URL. |
The output contains the following populated JSON schema:
{
"analysis": {
"successnotices": {},
"droppedinfo": {},
"avhit": {},
"context": {},
"yara": {},
"runtimemessages": "",
"signaturedetections": {},
"sigscore": {},
"patches": {},
"domaininfo": {},
"signatureconfidence": {},
"generalinfo": {},
"patterninfo": {},
"comments": {},
"behavior": {},
"fileinfo": {},
"signatureclassifications": {},
"analysistime": {},
"errorinfo": {},
"ipinfo": {},
"behaviorgraph": {},
"eventlog": {},
"signatureinfo": {},
"simulations": {},
"warninginfo": {}
}
}
None.
The output contains the following populated JSON schema:
{
"result_data": [
{
"webid": ""
}
]
}
None.
The output contains the following populated JSON schema:
{
"result_data": {
"quota": {
"daily": {
"current": "",
"limit": "",
"remaining": ""
},
"monthly": {
"current": "",
"limit": "",
"remaining": ""
}
},
"type": ""
}
}
The Sample - Joe Sandbox Cloud - 1.2.0 playbook collection comes bundled with the Joe Sandbox Cloud connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Joe Sandbox Cloud connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
The Sample - Joe Sandbox Cloud - 1.2.0 playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for File Hash and URL indicator types. The pluggable enrichment playbooks are in the format: indicatorType > Joe Sandbox Cloud > Enrichment. For example, URL > Joe Sandbox Cloud > Enrichment.
The Configuration step in all the pluggable enrichment playbooks contains variables that have default values for calculating the Verdict for various indicator types.
The following table lists the variable names and their default values:
| Variable Name | Default value (score) |
|---|---|
| good_score | 0 |
| suspicious_score | 1, 2 |
| malicious_score | 3, 4, 5 |
Based on the above default values, the Joe Sandbox Cloud integration API response returns the verdict, cti_score, and other variables.
| Variable Name | Description | Return Value |
|---|---|---|
| verdict | This connector returns a high-reliability value called verdict. Use this verdict to find the reputation of the various types of indicators. | |
| cti_name | The name of the connector is the CTI (Cyber Threat Intelligence) name. | Joe Sandbox Cloud |
| cti_score | The verdict value returned by the integration API. | score |
| source_data | The source_data response returned by the integration API. | A JSON response object containing the source data of the threat intelligence integration. |
| field_mapping | The mapping of the FortiSOAR™ Indicator module fields with the Joe Sandbox response fields. | A JSON response object containing the field mapping of the threat intelligence integration. |
| enrichment_summary | The contents that are added, in HTML format, to the Description field of the specified FortiSOAR™ indicator record. | The following image displays a sample of the populated Description field in a FortiSOAR™ indicator record: |
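The score buckets and the enrichment variables described above can be exercised end to end. The following added example, which is not the bundled playbook's code, maps a Joe Sandbox score to a verdict using the page's default buckets and assembles the listed variables; the verdict labels, the "Unknown" fallback for scores outside every bucket, the field mapping and the HTML layout of the summary are assumptions. Because enrichment_summary lands in an HTML Description field, the example escapes the indicator value (often attacker-controlled, e.g. a URL) before embedding it.

```python
"""Map a Joe Sandbox Cloud score to a verdict using this page's default
buckets (good 0, suspicious 1-2, malicious 3-5) and build the enrichment
variables the pluggable enrichment playbooks return.
Added example, not the playbook's own code; labels, the "Unknown"
fallback, field_mapping and the summary layout are assumptions."""
import html

CTI_NAME = "Joe Sandbox Cloud"
DEFAULT_BUCKETS = {            # Configuration-step defaults from this page
    "good_score": {0},
    "suspicious_score": {1, 2},
    "malicious_score": {3, 4, 5},
}
VERDICT_LABELS = {             # assumed label per bucket
    "good_score": "Good",
    "suspicious_score": "Suspicious",
    "malicious_score": "Malicious",
}


def verdict_for_score(score, buckets=DEFAULT_BUCKETS) -> str:
    """Return the verdict label for a score. A missing, non-numeric or
    out-of-bucket score yields "Unknown" rather than a false "Good"."""
    if isinstance(score, bool):
        return "Unknown"
    try:
        value = int(score)
    except (TypeError, ValueError):
        return "Unknown"
    for name, values in buckets.items():
        if value in values:
            return VERDICT_LABELS[name]
    return "Unknown"


def enrich_indicator(indicator_value: str, score, source_data: dict,
                     buckets=DEFAULT_BUCKETS) -> dict:
    """Build the enrichment output for one File Hash or URL indicator.
    source_data is the connector response for that indicator (the Get
    Report result in a real playbook; a constructed dict in tests)."""
    verdict = verdict_for_score(score, buckets)
    # Assumed mapping of FortiSOAR Indicator fields to response fields.
    field_mapping = {"verdict": "cti_score",
                     "description": "enrichment_summary"}
    # Escape before embedding: the value may be attacker-controlled and the
    # summary is rendered as HTML in the indicator's Description field.
    summary = (
        f"<p><b>{CTI_NAME}</b> verdict for "
        f"{html.escape(str(indicator_value))}: <b>{verdict}</b> "
        f"(score {html.escape(str(score))})</p>"
    )
    return {
        "verdict": verdict,
        "cti_name": CTI_NAME,
        "cti_score": score,
        "source_data": source_data,
        "field_mapping": field_mapping,
        "enrichment_summary": summary,
    }
```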