Skip to main content

Detonate and Analyze File - JoeSecurity

This Playbook is part of the Joe Security Pack.#


Use the joe-submit-sample command instead.

Detonates one or more files using the Joe Security - Joe Sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.






  • joe-get-account-quota
  • joe-is-online
  • joe-submit-sample

Playbook Inputs#

NameDescriptionDefault ValueRequired
FileFile object of the file to detonate. The file is taken from the context.File.NoneOptional
IntervalDuration for executing the pooling (in minutes).1Optional
TimeoutThe duration after which to stop pooling and to resume the playbook (in minutes).1200Optional
SystemsComma-separated list of operating systems to run the analysis on. Supported values are: w7, w7x64, w7_1, w7_2, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w7_4, w7_5, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougatOptional
CommentsComments for the analysis.Optional
InternetAccessEnable internet access (boolean). True= internet access (default), False= no internet access.TrueOptional
ReportFileTypeThe resource type to download. Default is html. Supported values are: html, lighthtml, executive, pdf, classhtml, xml, lightxml, classxml, clusterxml, irxml, json, jsonfixed, lightjson, lightjsonfixed, irjson, irjsonfixed, shoots (screenshots), openioc, maec, misp, graphreports, memstrings, binstrings, sample, cookbook, bins (dropped files), unpackpe (unpacked PE files), unpack, ida, pcap, pcapslim, memdumps, yaraOptional
CookbookUploads a cookbook together with the sample. Needs to be a file-like object or a tuple in the format (filename, file-like object)Optional
FullDisplayIf set to true, will display the full indicators and dbot_scores. If set to false, will display only the summary.TrueOptional
TagsA comma-separated list of tags to be added to the analysis.Optional
SSLInspectionWhether to enable SSL inspection.FalseOptional
HybridCodeAnalysisWhether to enable hybrid code analysis.TrueOptional
FastModeWhether to enable fast mode. Focuses on fast analysis and detection versus deep forensic analysis.falseOptional
CommandLineArgumentA command line argument is to be passed to the sample.Optional
LiveInteractionWhether to enable live interaction.FalseOptional
DocumentPasswordThe document password.Optional
ArchivePasswordAn archive password.Optional
EmailNotificationSend an email notification once the analysis completes.FalseOptional
StartAsNormalUserWhether to start the analysis as a normal user.FalseOptional
EncryptWithPasswordThe password to encrypt the analysis with.Optional

Playbook Outputs#

DBotScore.VendorThe vendor used to calculate the score.string
Joe.Analysis.IDWeb ID.string
Joe.Analysis.StatusAnalysis status.string
Joe.Analysis.CommentsAnalysis comments.string
Joe.Analysis.RunsSub-Analysis information.unknown
Joe.Analysis.ResultAnalysis results.string
Joe.Analysis.ErrorsRaised errors during sampling.unknown
Joe.Analysis.SystemsAnalysis operating system.unknown
Joe.Analysis.MD5MD5 hash of analysis sample.string
Joe.Analysis.SHA1SHA1 hash of analysis sample.string
Joe.Analysis.SHA256SHA256 hash of analysis sample.string
Joe.Analysis.SampleNameSample data. Can be a file name or URL.string
DBotScore.IndicatorThe indicator that was tested.string
DBotScore.TypeThe indicator type.string
DBotScore.ScoreThe actual score.number
DBotScore.Malicious.VendorThe vendor used to calculate the score.string
DBotScore.Malicious.DetectionsThe sub-analysis detection statuses.string
DBotScore.Malicious.SHA1The SHA1 hash of the file.string
InfoFile.NameFile name.string
InfoFile.EntryIDThe entry ID of the sample.string
InfoFile.SizeFile size.number
InfoFile.TypeFile type, e.g., "PE".string
InfoFile.InfoBasic information of the file.string
File.ExtensionFile extension.string
InfoFileReport file object.unknown
FileFile object.unknown
Joe.AnalysisJoe analysis object.unknown
DBotScoreDBotScore object.unknown
DBotScore.MaliciousDBotScore malicious object.unknown
DBotScore.ReliabilityReailbilty of the score itself.unknown
File.HashesThe hashes of the file.unknown
File.Hashes.typeTypes of the hashes.unknown
File.Hashes.valueHash value.unknown
File.MD5MD5 hash value.unknown
File.NameFile name.unknown
File.SHA1SHA1 hash value.unknown
File.SHA256SHA256 hash value.unknown
Joe.Analysis.analysisidJoe Security Sandbox analysis ID value.unknown
Joe.Analysis.classificationJoe Security Sandbox analysis classification.unknown
Joe.Analysis.commentsJoe Security Sandbox analysis comments (if any).unknown
Joe.Analysis.detectionJoe Security Sandbox analysis detection.unknown
Joe.Analysis.durationJoe Security Sandbox analysis duration.unknown
Joe.Analysis.encryptedJoe Security Sandbox value that indicates if the results are encrypted.unknown
Joe.Analysis.filenameThe filename information listed in the analysis.unknown
Joe.Analysis.md5MD5 hash value.unknown
Joe.Analysis.scoreJoe Security Sandbox score for the anlaysis.unknown
Joe.Analysis.scriptnameJoe Security Sandbox anlysis script name.unknown
Joe.Analysis.sha1SHA1 hash value.unknown
Joe.Analysis.sha256SHA256 hash value.unknown
Joe.Analysis.statusAnlaysis Status in Joe Security Sandbox.unknown
Joe.Analysis.threatnameThreat name assoicated with the Joe Security Sandbox analysis verdict.unknown
Joe.Analysis.timeAnalysis time.unknown
Joe.Analysis.webidWebID value for the analysis in Joe Security Sandbox.unknown
Joe.Analysis.runsAnalysis running informaiotn.unknown
Joe.Analysis.runs.detectionDetection in that particular run.unknown
Joe.Analysis.runs.errorIndicates if any errors occured during the analysis.unknown
Joe.Analysis.runs.scoreAnalysis score for that particular run.unknown
Joe.Analysis.runs.sigmaSigma value.unknown
Joe.Analysis.runs.snortAny snort detected rules.unknown
Joe.Analysis.runs.systemThe system that was involved in the analysis.unknown
Joe.Analysis.runs.yaraDetected YARA rulesunknown
Joe.Submission.most_relevant_analysisJoe Security Sandbox most relevant analysis information.unknown
Joe.Submission.most_relevant_analysis.detectionJoe Security Sandbox most relevant analysis detection.unknown
Joe.Submission.most_relevant_analysis.scoreJoe Security Sandbox most relevant analysis score.unknown
Joe.Submission.most_relevant_analysis.webidJoe Security Sandbox most relevant analysis web ID.unknown
Joe.SubmissionJoe Security Sandbox submission information.unknown
Joe.Submission.nameJoe Security Sandbox submission name.unknown
Joe.Submission.statusJoe Security Sandbox Ssbmission status.unknown
Joe.Submission.submission_idJoe Security Sandbox submission submission ID.unknown
Joe.Submission.timeJoe Security Sandbox submission time.unknown
JoeJoe Secuirity Sandbox information.unknown
Joe.AccountQuotaThe account quota.unknown
Joe.AccountQuota.quota.dailyThe current daily quota information.unknown
Joe.AccountQuota.quota.daily.currentThe current daily quota.unknown
Joe.AccountQuota.quota.daily.limitThe daily quota limit.unknown
Joe.AccountQuota.quota.daily.remainingThe remaining daily quota.unknown
Joe.AccountQuota.quota.monthlyThe remaining monthly quota information.unknown
Joe.AccountQuota.quota.monthly.currentThe current monthly quota.unknown
Joe.AccountQuota.quota.monthly.limitThe monthly quota limit.unknown
Joe.AccountQuota.quota.monthly.remainingThe remaining monthly quota.unknown
Joe.AccountQuota.typeThe quota type.unknown
Joe.ServerStatus.OnlineThe server status.unknown
Joe.ServerStatusJoe Security Sandbox server Status.unknown

Playbook Image#

Detonate and Analyze File - JoeSecurity