Skip to main content

Joe Security v2

This Integration is part of the Joe Security Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Access the full set of possibilities the Joe Sandbox Cloud provides via RESTful Web API v2. This integration was integrated and tested with version 3.18.0 of jbxapi.

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.

Configure Joe Security v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Joe Security v2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Server URLTrue
    API KeyTrue
    Source ReliabilityReliability of the source providing the intelligence data.True
    Create relationshipsCreate relationships between indicators as part of Enrichment.False
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Note: Most of the commands have the full_display boolean argument that when set to true, indicators information, including their DBot Scores, will be displayed.

joe-is-online#


Check if the Joe Sandbox analysis server is online or in maintenance mode.

Base Command#

joe-is-online

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
Joe.ServerStatus.OnlineBooleanThe server status.

Command example#

!joe-is-online

Context Example#

{
"Joe": {
"ServerStatus": {
"Online": true
}
}
}

Human Readable Output#

Joe server is online

joe-analysis-info#


Get information about an analysis.

Base Command#

joe-analysis-info

Input#

Argument NameDescriptionRequired
webidThe analysis web ID.Required
full_displayWhen set to true, indicators information, including their DBot Scores, will be displayed. Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ReliabilityStringThe reliability of the source providing the intelligence data.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
File.Hashes.typeStringThe hash type.
File.Hashes.valueStringThe hash value.
File.NameStringThe full file name.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.MD5StringThe MD5 hash of the file.
URL.DataStringThe URL.
Joe.Analysis.AnalysisIDStringThe analysis ID Joe Security.
Joe.Analysis.ClassificationStringThe classification of the analysis.
Joe.Analysis.CommentsStringComments regarding the analysis.
Joe.Analysis.detectionStringThe analysis detection. Can be one of unknown, clean, suspicious, malicious.
Joe.Analysis.durationNumberThe duration of the analysis in seconds.
Joe.Analysis.encryptedBooleanTrue if the analysis data is encrypted.
Joe.Analysis.filenameStringThe file name of the analysis.
Joe.Analysis.md5StringThe file MD5.
Joe.Analysis.runs.detectionStringThe run detection. Can be one of unknown, clean, suspicious, malicious.
Joe.Analysis.runs.errorUnknownThe run errors.
Joe.Analysis.runs.scoreNumberThe run score.
Joe.Analysis.runs.sigmaBooleanThe run sigma.
Joe.Analysis.runs.snortBooleanThe run snort.
Joe.Analysis.runs.systemStringThe run operation system.
Joe.Analysis.runs.yaraBooleanThe run YARA.
Joe.Analysis.scoreNumberThe run score.
Joe.Analysis.scriptnameStringThe run script name.
Joe.Analysis.sha1StringThe file SHA1.
Joe.Analysis.sha256StringThe file SHA256.
Joe.Analysis.statusStringThe status is one of submitted, running, finished.
Joe.Analysis.threatnameStringThe analysis threat name.
Joe.Analysis.timeDateThe analysis time.
Joe.Analysis.webidStringThe web ID from Joe Security.

Command example#

!joe-analysis-info webid=2722073

Context Example#

{
"Joe": {
"Analysis": [
{
"analysisid": "1",
"classification": "",
"comments": "(example)",
"detection": "clean",
"duration": 558,
"encrypted": false,
"filename": "test_file.txt",
"md5": "11111111111111111111111111111111",
"runs": [
{
"detection": "clean",
"error": null,
"score": 1,
"sigma": false,
"snort": false,
"system": "w10x64_21h1_office",
"yara": false
},
{
"detection": "clean",
"error": null,
"score": 0,
"sigma": false,
"snort": false,
"system": "w7x64_office",
"yara": false
}
],
"score": 1,
"scriptname": "example.jbs",
"sha1": "1111111111111111111111111111111111111111",
"sha256": "1111111111111111111111111111111111111111111111111111111111111111",
"status": "finished",
"tags": [],
"threatname": "Unknown",
"time": "2022-09-15T10:57:20+02:00",
"webid": "1111111"
}
]
}
}

Human Readable Output#

Analysis Result:#

IdSampleNameStatusTimeMD5SHA1SHA256SystemsResultErrorsComments
1test_file.txtfinished2022-09-15T10:57:20+02:001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111w7x64_office,
w10x64_21h1_office
cleanNone(example)

joe-list-analysis#


Lists all analyses.

Base Command#

joe-list-analysis

Input#

Argument NameDescriptionRequired
pagePage number to display.Optional
page_sizeDetermine how many entries to display on each page.Optional
limitLimit the number of entries to display. Default is 50.Optional
full_displayWhen set to true, indicators information, including their DBot Scores, will be displayed. Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ReliabilityStringThe reliability of the source providing the intelligence data.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
File.Hashes.typeStringThe hash type.
File.Hashes.valueStringThe hash value.
File.NameStringThe full file name.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.MD5StringThe MD5 hash of the file.
URL.DataStringThe URL.
Joe.Analysis.AnalysisIDStringThe analysis ID.
Joe.Analysis.ClassificationStringThe classification of the analysis.
Joe.Analysis.CommentsStringComments regarding the analysis.
Joe.Analysis.detectionStringThe analysis detection. Can be one of unknown, clean, suspicious, malicious.
Joe.Analysis.durationNumberThe duration of the analysis in seconds.
Joe.Analysis.encryptedBooleanTrue if the analysis data is encrypted.
Joe.Analysis.filenameStringThe file name of the analysis.
Joe.Analysis.md5StringThe file MD5.
Joe.Analysis.runs.detectionStringThe run detection. Can be one of unknown, clean, suspicious, malicious.
Joe.Analysis.runs.errorUnknownThe run errors.
Joe.Analysis.runs.scoreNumberThe run score.
Joe.Analysis.runs.sigmaBooleanThe run sigma.
Joe.Analysis.runs.snortBooleanThe run snort.
Joe.Analysis.runs.systemStringThe run operation system.
Joe.Analysis.runs.yaraBooleanThe run YARA.
Joe.Analysis.scoreNumberThe run score.
Joe.Analysis.scriptnameStringThe run script name.
Joe.Analysis.sha1StringThe file SHA1.
Joe.Analysis.sha256StringThe file SHA256.
Joe.Analysis.statusStringThe status is one of submitted, running, finished.
Joe.Analysis.threatnameStringThe analysis threat name.
Joe.Analysis.timeDateThe analysis time.
Joe.Analysis.webidStringThe web ID from Joe Security.

Command example#

!joe-list-analysis limit=1

Context Example#

{
"Joe": {
"Analysis": [
{
"analysisid": "1",
"classification": "",
"comments": "(example)",
"detection": "clean",
"duration": 558,
"encrypted": false,
"filename": "test_file.txt",
"md5": "11111111111111111111111111111111",
"runs": [
{
"detection": "clean",
"error": null,
"score": 1,
"sigma": false,
"snort": false,
"system": "w10x64_21h1_office",
"yara": false
},
{
"detection": "clean",
"error": null,
"score": 0,
"sigma": false,
"snort": false,
"system": "w7x64_office",
"yara": false
}
],
"score": 1,
"scriptname": "example.jbs",
"sha1": "1111111111111111111111111111111111111111",
"sha256": "1111111111111111111111111111111111111111111111111111111111111111",
"status": "finished",
"tags": [],
"threatname": "Unknown",
"time": "2022-09-15T10:57:20+02:00",
"webid": "1111111"
}
]
}
}

Human Readable Output#

Analysis Result:#

IdSampleNameStatusTimeMD5SHA1SHA256SystemsResultErrorsComments
1test_file.txtfinished2022-09-15T10:57:20+02:001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111w7x64_office,
w10x64_21h1_office
cleanNone(example)

joe-download-report#


Download a resource belonging to a report. This can be the full report, dropped binaries, etc. See the integration README for the full list of supported report types.

Base Command#

joe-download-report

Input#

Argument NameDescriptionRequired
webidThe Web ID.Required
typeThe resource type to download. Possible values are: html, json, pcap, pdf, xml, iocjson. Default is html.Optional

Context Output#

PathTypeDescription
InfoFile.NamestringFilename.
InfoFile.EntryIDstringThe entry ID of the report
InfoFile.SizenumberFile size.
InfoFile.TypestringFile type. e.g., "PE".
InfoFile.InfostringBasic information of the file.
File.ExtensionstringFile extension.

Command example#

!joe-download-report webid=1

Context Example#

{
"InfoFile": {
"EntryID": "111@",
"Extension": "html",
"Info": "text/html; charset=utf-8",
"Name": "1_report.html",
"Size": 3823558,
"Type": "HTML document, ASCII text, with very long lines"
}
}

Human Readable Output#

Returned file: 1_report.html Download

joe-download-sample#


Download a sample.

Base Command#

joe-download-sample

Input#

Argument NameDescriptionRequired
webidWeb ID.Required

Context Output#

PathTypeDescription
File.SizenumberFile size.
File.SHA1stringSHA1 hash of the file
File.SHA256stringSHA256 hash of the file
File.NamestringThe sample name.
File.SSDeepstringSSDeep hash of the file.
File.EntryIDstringWar.Room entry ID of the file.
File.InfostringBasic information of the file
File.TypestringFile type, e.g., "PE".
File MD5stringMD5 hash of the file.
File.ExtensionstringFile extension.

Command example#

!joe-download-sample webid=2722073

Context Example#

{
"File": {
"EntryID": "111@",
"Extension": "dontrun",
"Info": "dontrun",
"MD5": "11111111111111111111111111111111",
"Name": "1.dontrun",
"SHA1": "1111111111111111111111111111111111111111",
"SHA256": "1111111111111111111111111111111111111111111111111111111111111111",
"SHA512": "11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111",
"SSDeep": "3:PFoESNt/FPl2X1sjO3//lGF/llllBl9SLEZWxIUclll7D8/+l/AltdUshMl//:PgG2s/RIUctM/+l/MusKl//",
"Size": 276,
"Type": "AppleDouble encoded Macintosh file"
}
}

Human Readable Output#

Uploaded file: 1.dontrun Download

file#


Retrieves files information from Joe Security.

Base Command#

file

Input#

Argument NameDescriptionRequired
fileA comma-separated list of file names, SHA1, SHA256, or MD5 hashes.Required

Context Output#

PathTypeDescription
File.NameStringName of the file.
File.MD5StringMD5 hash of the file.
File.SHA1StringSHA1 hash of the file.
File.SHA256StringSHA256 hash of the file.
File.TagsStringTags of the file.
File.NameStringName of the file.
Joe.File.MD5StringMD5 hash of the file.
Joe.File.SHA1StringSHA1 hash of the file.
Joe.File.SHA256StringSHA256 hash of the file.
Joe.File.TagsStringTags of the file.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.

Command example#

!file file=example

Context Example#

{
"DBotScore": [
{
"Indicator": "example",
"Reliability": "C - Fairly reliable",
"Score": 1,
"Type": "file",
"Vendor": "JoeSecurityV2"
}
],
"File": {
"Hashes": [
{
"type": "MD5",
"value": "11111111111111111111111111111111"
},
{
"type": "SHA1",
"value": "1111111111111111111111111111111111111111"
},
{
"type": "SHA256",
"value": "1111111111111111111111111111111111111111111111111111111111111111"
}
],
"MD5": "11111111111111111111111111111111",
"Name": "example",
"SHA1": "1111111111111111111111111111111111111111",
"SHA256": "1111111111111111111111111111111111111111111111111111111111111111"
},
"Joe": {
"File Name": "example",
"MD5": "11111111111111111111111111111111",
"SHA1": "1111111111111111111111111111111111111111",
"SHA256": "1111111111111111111111111111111111111111111111111111111111111111"
}
}

Human Readable Output#

File Result:#

File NameSha1Sha256Md5
example1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

url#


Retrieves URL information from Joe Security.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlA comma-separated list of URLs.Required

Context Output#

PathTypeDescription
URL.DataStringThe URL data.
Joe.URL.NameStringName of the URL.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.

Command example#

!url url=http://google.com

Context Example#

{
"DBotScore": [
{
"Indicator": "http://google.com",
"Reliability": "C - Fairly reliable",
"Score": 1,
"Type": "url",
"Vendor": "JoeSecurityV2"
}
],
"Joe": {
"URL": "http://google.com"
},
"URL": {
"Data": "http://google.com"
}
}

Human Readable Output#

Url Result:#

Url
http://google.com

joe-list–lia-countries#


Retrieve a list of localized internet anonymization countries.

Base Command#

joe-list–lia-countries

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
Joe.LIACountryStringA list of localized internet anonymization countries.

Command example#

!joe-list–lia-countries

Context Example#

{
"Joe": {
"LIACountry": [
"Argentina",
"Australia",
"Austria",
"Belgium",
"Brazil"
]
}
}

Human Readable Output#

Results:#

Name
Argentina
Australia
Austria
Belgium
Brazil

joe-list-lang-locales#


Retrieve a list of available language and locale combinations.

Base Command#

joe-list-lang-locales

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
Joe.LangLocaleStringA list of available language and locale combinations.

Command example#

!joe-list-lang-locales

Context Example#

{
"Joe": {
"LangLocale": [
"Arabic - Egypt",
"Arabic - Qatar",
"Arabic - Saudi Arabia",
"Chinese - PRC",
"Chinese - Taiwan",
"English - Australia"
]
}
}

Human Readable Output#

Results:#

Name
Arabic - Egypt
Arabic - Qatar
Arabic - Saudi Arabia
Chinese - PRC
Chinese - Taiwan
English - Australia

joe-get-account-quota#


Retrieve the account quota.

Base Command#

joe-get-account-quota

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
Joe.AccountQuotaStringThe account quota.
Joe.AccountQuota.quota.daily.currentNumberThe current daily quota.
Joe.AccountQuota.quota.daily.limitNumberThe daily quota limit.
Joe.AccountQuota.quota.daily.remainingNumberThe remaining daily quota.
Joe.AccountQuota.quota.monthly.currentNumberThe current monthly quota.
Joe.AccountQuota.quota.monthly.limitNumberThe monthly quota limit.
Joe.AccountQuota.quota.monthly.remainingNumberThe remaining monthly quota.
Joe.AccountQuota.typeStringThe quota type.

Command example#

!joe-get-account-quota

Context Example#

{
"Joe": {
"AccountQuota": {
"quota": {
"daily": {
"current": 0,
"limit": 100,
"remaining": 100
},
"monthly": {
"current": 150,
"limit": 250,
"remaining": 100
}
},
"type": "ultimate"
}
}
}

Human Readable Output#

Results:#

Quota TypeDaily Quota CurrentDaily Quota LimitDaily Quote RemainingMonthly Quota CurrentMonthly Quota LimitMonthly Quota Remaining
ultimate0100100150250100

joe-submission-info#


Retrieve the submission info.

Base Command#

joe-submission-info

Input#

Argument NameDescriptionRequired
submission_idsA comma-separated list of submission IDs.Required
full_displayWhen set to true, indicators information, including their DBot Scores, will be displayed. Possible values are: true, false. Default is true.Optional

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ReliabilityStringThe reliability of the source providing the intelligence data.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
File.Hashes.typeStringThe hash type.
File.Hashes.valueStringThe hash value.
File.MD5StringThe MD5 hash of the file.
File.NameStringThe full file name.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
URL.DataStringThe URL.
Joe.Analysis.AnalysisIDStringThe analysis ID.
Joe.Analysis.ClassificationStringThe classification.
Joe.Analysis.CommentsStringThe comments.
Joe.Analysis.detectionStringThe detection.
Joe.Analysis.durationNumberThe duration.
Joe.Analysis.encryptedBooleanWhether the analysis is encrypted.
Joe.Analysis.filenameStringThe filename.
Joe.Analysis.runs.detectionStringThe detection.
Joe.Analysis.runs.errorUnknownThe error.
Joe.Analysis.runs.scoreNumberThe score.
Joe.Analysis.runs.sigmaBooleanThe sigma.
Joe.Analysis.runs.snortBooleanThe snort.
Joe.Analysis.runs.systemStringThe system.
Joe.Analysis.runs.yaraBooleanThe YARA.
Joe.Analysis.scoreNumberThe score.
Joe.Analysis.scriptnameStringThe script name.
Joe.Analysis.statusStringThe status.
Joe.Analysis.threatnameStringThe threat name.
Joe.Analysis.timeDateThe time.
Joe.Analysis.webidStringThe web ID.
Joe.Submission.most_relevant_analysis.detectionStringThe detection.
Joe.Submission.most_relevant_analysis.scoreNumberThe score.
Joe.Submission.most_relevant_analysis.webidStringThe web ID.
Joe.Submission.nameStringThe name.
Joe.Submission.statusStringThe status.
Joe.Submission.submission_idStringThe submission ID.
Joe.Submission.timeDateThe time.

Command example#

!joe-submission-info submission_ids=1111111

Context Example#

{
"DBotScore": [
{
"Indicator": "example.txt",
"Reliability": "C - Fairly reliable",
"Score": 1,
"Type": "file",
"Vendor": "JoeSecurityV2"
}
],
"File": [
{
"Hashes": [
{
"type": "MD5",
"value": "11111111111111111111111111111111"
},
{
"type": "SHA1",
"value": "1111111111111111111111111111111111111111"
},
{
"type": "SHA256",
"value": "1111111111111111111111111111111111111111111111111111111111111111"
}
],
"MD5": "11111111111111111111111111111111",
"Name": "example.txt",
"SHA1": "1111111111111111111111111111111111111111",
"SHA256": "1111111111111111111111111111111111111111111111111111111111111111"
}
],
"Joe": {
"Analysis": [
{
"analysisid": "1",
"classification": "",
"comments": "example comment",
"detection": "clean",
"duration": 500,
"encrypted": false,
"filename": "example.txt",
"md5": "11111111111111111111111111111111",
"runs": [
{
"detection": "clean",
"error": null,
"score": 1,
"sigma": false,
"snort": false,
"system": "w10x64_21h1_office",
"yara": false
},
{
"detection": "clean",
"error": null,
"score": 0,
"sigma": false,
"snort": false,
"system": "w7x64_office",
"yara": false
}
],
"score": 1,
"scriptname": "example.jbs",
"sha1": "1111111111111111111111111111111111111111",
"sha256": "1111111111111111111111111111111111111111111111111111111111111111",
"status": "finished",
"tags": [],
"threatname": "Unknown",
"time": "2022-09-15T10:57:20+02:00",
"webid": "1"
}
],
"Submission": {
"most_relevant_analysis": {
"detection": "clean",
"score": 1,
"webid": "1"
},
"name": "example.zip",
"status": "finished",
"submission_id": "1111111",
"time": "2022-09-15T10:57:14+02:00"
}
}
}

Human Readable Output#

Submission Results:#

Submission IdSample NameTimeStatusWeb IdEncryptedAnalysis IdClassificationThreat NameScoreDetectionSHA256MD5SHA1File Name
1example.zip2022-09-15T10:57:14+02:00finished1false1Unknown1clean1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111example.txt

joe-submit-sample#


Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

joe-submit-sample

Input#

Argument NameDescriptionRequired
entry_idThe War Room entry ID of the file to submit.Required
file_nameThe filename of the submitted sampleOptional
full_displayWhen set to true, indicators information, including their DBot Scores, will be displayed. Possible values are: true, false. Default is true.Optional
timeoutThe timeout for the polling in seconds. Default is 1200.Optional
hide_polling_outputHide polling output.Optional
report_typeThe report type. Possible values are: html, json, pcap, pdf, xml, iocjson. Default is html.Optional
cookbookUploads a cookbook together with the sample. Needs to be a file-like object or a tuple in the shape (filename, file-like object).Optional
commentsA comment to be added to the analysis.Optional
tagsA comma-separated list of tags to be added to the analysis.Optional
systemsA comma-separated list of operating systems to be used for the analysis. Possible values are: w7, w7x64, w7_1, w7_2, w7_4, w7_5, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougat.Optional
internet_accessWhether to allow internet access for the analysis. Default is true.Optional
archive_no_unpackWhether to archive the sample without unpacking it. Default is false.Optional
ssl_inspectionWhether to enable SSL inspection. Default is false.Optional
localized_internet_countryThe localized internet anonymization country.Optional
internet_simulationWhether to enable internet simulation. Default is false.Optional
hybrid_code_analysisWhether to enable hybrid code analysis. Default is true.Optional
hybrid_decompilationWhether to enable hybrid decompilation. Default is false.Optional
vba_instrumentationWhether to enable VBA instrumentation. Default is true.Optional
js_instrumentationWhether to enable JS instrumentation. Default is true.Optional
java_jar_tracingWhether to enable Java JAR tracing. Default is true.Optional
dotnet_tracingWhether to enable .NET tracing. Default is true.Optional
amsi_unpackingWhether to enable Microsoft Antimalware Scan Interface unpacking. Default is true.Optional
fast_modeWhether to enable fast mode. It focuses on fast analysis and detection versus deep forensic analysis. Default is false.Optional
secondary_resultsWhether to enable secondary results, such as Yara rule generation, classification via Joe Sandbox Class as well as several detail reports. Default is false.Optional
report_cacheWhether to enable report cache. Default is false.Optional
command_line_argumentA command line argument to be passed to the sample.Optional
live_interactionWhether to enable live interaction. Default is false.Optional
document_passwordThe document password.Optional
archive_passwordThe archive password.Optional
start_as_normal_userWhether to start the analysis as a normal user. Default is false.Optional
language_and_localeChanges the language and locale of the analysis machine.Optional
delete_after_daysThe number of days after which the analysis will be deleted. Default is 30.Optional
encrypt_with_passwordThe password to encrypt the analysis with.Optional
export_to_jbxviewWhether to export the analysis to JBXView. Default is false.Optional
email_notificationSend an email notification once the analysis completes. Default is false.Optional

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ReliabilityStringThe reliability of the source providing the intelligence data.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
File.Hashes.typeStringThe hash type.
File.Hashes.valueStringThe hash value.
File.MD5StringThe MD5 hash of the file.
File.NameStringThe full file name.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
Joe.Analysis.AnalysisIDStringThe analysis ID.
Joe.Analysis.ClassificationStringThe classification.
Joe.Analysis.CommentsStringThe comments.
Joe.Analysis.detectionStringThe detection.
Joe.Analysis.durationNumberThe duration.
Joe.Analysis.encryptedBooleanWhether the analysis is encrypted.
Joe.Analysis.filenameStringThe filename.
Joe.Analysis.runs.detectionStringThe detection.
Joe.Analysis.runs.errorUnknownThe error.
Joe.Analysis.runs.scoreNumberThe score.
Joe.Analysis.runs.sigmaBooleanThe sigma.
Joe.Analysis.runs.snortBooleanThe snort.
Joe.Analysis.runs.systemStringThe system.
Joe.Analysis.runs.yaraBooleanThe YARA.
Joe.Analysis.scoreNumberThe score.
Joe.Analysis.scriptnameStringThe script name.
Joe.Analysis.statusStringThe status.
Joe.Analysis.threatnameStringThe threat name.
Joe.Analysis.timeDateThe time.
Joe.Analysis.webidStringThe web ID.
Joe.Submission.most_relevant_analysis.detectionStringThe detection.
Joe.Submission.most_relevant_analysis.scoreNumberThe score.
Joe.Submission.most_relevant_analysis.webidStringThe web ID.
Joe.Submission.nameStringThe name.
Joe.Submission.statusStringThe status.
Joe.Submission.submission_idStringThe submission ID.
Joe.Submission.timeDateThe time.

Command example#

!joe-submit-sample entry_id=1111@1111111111-1111-1111-1111-1 systems=w10x64

Context Example#

{
"DBotScore": [
{
"Indicator": "example.txt",
"Reliability": "C - Fairly reliable",
"Score": 1,
"Type": "file",
"Vendor": "JoeSecurityV2"
}
],
"File": [
{
"Hashes": [
{
"type": "MD5",
"value": "11111111111111111111111111111111"
},
{
"type": "SHA1",
"value": "1111111111111111111111111111111111111111"
},
{
"type": "SHA256",
"value": "1111111111111111111111111111111111111111111111111111111111111111"
}
],
"MD5": "11111111111111111111111111111111",
"Name": "example.txt",
"SHA1": "1111111111111111111111111111111111111111",
"SHA256": "1111111111111111111111111111111111111111111111111111111111111111"
}
],
"Joe": {
"Analysis": [
{
"analysisid": "1",
"classification": "",
"comments": "example comment",
"detection": "clean",
"duration": 500,
"encrypted": false,
"filename": "example.txt",
"md5": "11111111111111111111111111111111",
"runs": [
{
"detection": "clean",
"error": null,
"score": 1,
"sigma": false,
"snort": false,
"system": "w10x64",
"yara": false
}
],
"score": 1,
"scriptname": "example.jbs",
"sha1": "1111111111111111111111111111111111111111",
"sha256": "1111111111111111111111111111111111111111111111111111111111111111",
"status": "finished",
"tags": [],
"threatname": "Unknown",
"time": "2022-09-15T10:57:20+02:00",
"webid": "1"
}
],
"Submission": {
"most_relevant_analysis": {
"detection": "clean",
"score": 1,
"webid": "1"
},
"name": "example.txt",
"status": "finished",
"submission_id": "1111111",
"time": "2022-09-15T10:57:14+02:00"
}
}
}

Human Readable Output#

Submission Results:#

Submission IdSample NameTimeStatusWeb IdEncryptedAnalysis IdClassificationThreat NameScoreDetectionSHA256MD5SHA1File Name
1example.zip2022-09-15T10:57:14+02:00finished1false1Unknown1clean1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111example.txt

joe-submit-url#


Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

joe-submit-url

Input#

Argument NameDescriptionRequired
urlThe URL to submit.Required
url_reputationThe URL reputation. Possible values are: true, false. Default is false.Optional
full_displayWhen set to true, indicators information, including their DBot Scores, will be displayed. Possible values are: true, false. Default is true.Optional
timeoutThe timeout for the polling in seconds. Default is 1200.Optional
hide_polling_outputHide polling output.Optional
report_typeThe report type. Possible values are: html, json, pcap, pdf, xml, iocjson. Default is html.Optional
commentsA comment to be added to the analysis.Optional
tagsA comma-separated list of tags to be added to the analysis.Optional
systemsA comma-separated list of operating systems to be used for the analysis. Possible values are: w7, w7x64, w7_1, w7_2, w7_4, w7_5, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougat.Optional
internet_accessWhether to allow internet access for the analysis. Default is true.Optional
archive_no_unpackWhether to archive the sample without unpacking it. Default is false.Optional
ssl_inspectionWhether to enable SSL inspection. Default is false.Optional
localized_internet_countryThe localized internet anonymization country.Optional
internet_simulationWhether to enable internet simulation. Default is false.Optional
hybrid_code_analysisWhether to enable hybrid code analysis. Default is false.Optional
hybrid_decompilationWhether to enable hybrid decompilation. Default is false.Optional
vba_instrumentationWhether to enable VBA instrumentation. Default is true.Optional
js_instrumentationWhether to enable JS instrumentation. Default is true.Optional
java_jar_tracingWhether to enable Java JAR tracing. Default is true.Optional
dotnet_tracingWhether to enable .NET tracing. Default is true.Optional
amsi_unpackingWhether to enable Microsoft Antimalware Scan Interface unpacking. Default is true.Optional
fast_modeWhether to enable fast mode, focuses on fast analysis and detection versus deep forensic analysis. Default is false.Optional
secondary_resultsWhether to enable secondary results, such as Yara rule generation, classification via Joe Sandbox Class as well as several detail reports. Default is false.Optional
report_cacheWhether to enable report cache. Default is false.Optional
command_line_argumentA command line argument to be passed to the sample.Optional
live_interactionWhether to enable live interaction. Default is false.Optional
document_passwordThe document password.Optional
archive_passwordThe archive password.Optional
start_as_normal_userWhether to start the analysis as a normal user. Default is false.Optional
language_and_localeChanges the language and locale of the analysis machine.Optional
delete_after_daysThe number of days after which the analysis will be deleted. Default is 30.Optional
encrypt_with_passwordThe password to encrypt the analysis with.Optional
export_to_jbxviewWhether to export the analysis to JBXView. Default is false.Optional
email_notificationSend an email notification once the analysis completes. Default is false.Optional

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ReliabilityStringThe reliability of the source providing the intelligence data.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
URL.DataStringThe URL.
Joe.Analysis.AnalysisIDStringThe analysis ID.
Joe.Analysis.ClassificationStringThe classification.
Joe.Analysis.CommentsStringThe comments.
Joe.Analysis.detectionStringThe detection.
Joe.Analysis.durationNumberThe duration.
Joe.Analysis.encryptedBooleanWhether the analysis is encrypted.
Joe.Analysis.filenameStringThe filename.
Joe.Analysis.runs.detectionStringThe detection.
Joe.Analysis.runs.errorUnknownThe error.
Joe.Analysis.runs.scoreNumberThe score.
Joe.Analysis.runs.sigmaBooleanThe sigma.
Joe.Analysis.runs.snortBooleanThe snort.
Joe.Analysis.runs.systemStringThe system.
Joe.Analysis.runs.yaraBooleanThe YARA.
Joe.Analysis.scoreNumberThe score.
Joe.Analysis.scriptnameStringThe script name.
Joe.Analysis.statusStringThe status.
Joe.Analysis.threatnameStringThe threat name.
Joe.Analysis.timeDateThe time.
Joe.Analysis.webidStringThe web ID.
Joe.Submission.most_relevant_analysis.detectionStringThe detection.
Joe.Submission.most_relevant_analysis.scoreNumberThe score.
Joe.Submission.most_relevant_analysis.webidStringThe web ID.
Joe.Submission.nameStringThe name.
Joe.Submission.statusStringThe status.
Joe.Submission.submission_idStringThe submission ID.
Joe.Submission.timeDateThe time.

Command example#

!joe-submit-url url=http://example.com

Context Example#

{
"DBotScore": [
{
"Indicator": "example.txt",
"Reliability": "C - Fairly reliable",
"Score": 1,
"Type": "url",
"Vendor": "JoeSecurityV2"
}
],
"URL": [
{
"Data": "http://example.com"
}
],
"Joe": {
"Analysis": [
{
"analysisid": "1",
"classification": "",
"comments": "example comment",
"detection": "clean",
"duration": 500,
"encrypted": false,
"filename": "http://example.com",
"md5": "",
"runs": [
{
"detection": "clean",
"error": null,
"score": 0,
"sigma": false,
"snort": false,
"system": "w7",
"yara": false
}
],
"score": 1,
"scriptname": "example.jbs",
"sha1": "",
"sha256": "",
"status": "finished",
"tags": [],
"threatname": "Unknown",
"time": "2022-09-15T10:57:20+02:00",
"webid": "1"
}
],
"Submission": {
"most_relevant_analysis": {
"detection": "clean",
"score": 0,
"webid": "1"
},
"name": "http://example.com",
"status": "finished",
"submission_id": "1111111",
"time": "2022-09-15T10:57:14+02:00"
}
}
}

Human Readable Output#

Submission Results:#

Submission IdSample NameTimeStatusWeb IdEncryptedAnalysis IdClassificationThreat NameScoreDetectionURL
1http://example.com2022-09-15T10:57:14+02:00finished1false1Unknown1cleanhttp://example.com

Breaking Changes#

Commands#

The following commands were removed in this version:#

  • joe-analysis-submit-sample - this command was replaced by joe-submit-sample.
  • joe-analysis-submit-url - this command was replaced by joe-submit-url.
  • joe-search command, the query argument now supports comma-separated values.

Playbooks#

The following playbooks were deprecated:#

Detonate File - JoeSecurity - Use the joe-submit-sample command instead. Detonate File From URL - JoeSecurity - Use the joe-submit-sample command instead. Detonate URL - JoeSecurity - Use the joe-submit-url command instead.