Detonate File - JoeSecurity V2

This Playbook is part of the Joe Security Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

The Detonate File playbook uses Joe Sandbox to streamline and enhance the security assessment of files. It accepts a user-submitted file, sends it to Joe Sandbox for in-depth analysis, and returns comprehensive results to the user as attachments. The process is designed to be swift, efficient, and secure, and gives users valuable insight into potential threats and vulnerabilities within their files.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • JoeSecurityV2

Scripts

  • Set

Commands

  • joe-download-report
  • joe-submit-sample
  • joe-analysis-info

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| File | File object of the file to detonate. The File is taken from the context. | File | Optional |
| Interval | Duration for executing the polling (in minutes) | 1 | Optional |
| Timeout | The duration after which to stop polling and to resume the playbook (in minutes) | 15 | Optional |
| Systems | Operating system to run the analysis on (comma-separated). Supported values are: w7, w7x64, w7_1, w7_2, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w7_4, w7_5, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougat | | Optional |
| Comments | Comments for the analysis. | | Optional |
| InternetAccess | Enable internet access (boolean). True = internet access (default), False = no internet access. | True | Optional |
| ReportFileType | The resource type to download. Default is html. Supported values are: html, lighthtml, executive, pdf, classhtml, xml, lightxml, classxml, clusterxml, irxml, json, jsonfixed, lightjson, lightjsonfixed, irjson, irjsonfixed, shoots (screenshots), openioc, maec, misp, graphreports, memstrings, binstrings, sample, cookbook, bins (dropped files), unpackpe (unpacked PE files), unpack, ida, pcap, pcapslim, memdumps, yara | | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| DBotScore.Vendor | The vendor used to calculate the score. | string |
| Joe.Analysis.ID | Web ID | string |
| Joe.Analysis.Status | Analysis Status | string |
| Joe.Analysis.Comments | Analysis Comments | string |
| Joe.Analysis.Time | Submitted Time | date |
| Joe.Analysis.Runs | Sub-Analysis Information | unknown |
| Joe.Analysis.Result | Analysis Results | string |
| Joe.Analysis.Errors | Raised errors during sampling | unknown |
| Joe.Analysis.Systems | Analysis OS | unknown |
| Joe.Analysis.MD5 | MD5 of analysis sample | string |
| Joe.Analysis.SHA1 | SHA1 of analysis sample | string |
| Joe.Analysis.SHA256 | SHA256 of analysis sample | string |
| Joe.Analysis.SampleName | Sample Data, could be a file name or URL | string |
| DBotScore.Indicator | The indicator that was tested. | string |
| DBotScore.Type | The indicator type. | string |
| DBotScore.Score | The actual score. | number |
| DBotScore.Malicious.Vendor | The vendor used to calculate the score. | string |
| DBotScore.Malicious.Detections | The sub analysis detection statuses | string |
| DBotScore.Malicious.SHA1 | The SHA1 of the file | string |
| InfoFile.Name | FileName | string |
| InfoFile.EntryID | The EntryID of the sample | string |
| InfoFile.Size | File Size | number |
| InfoFile.Type | File type e.g. "PE" | string |
| InfoFile.Info | Basic information of the file | string |
| File.Extension | File Extension | string |
| InfoFile | Report file object | unknown |
| File | File object | unknown |
| Joe.Analysis | Joe Analysis object | unknown |
| DBotScore | DBotScore object | unknown |
| DBotScore.Malicious | DBotScore Malicious object | unknown |

Playbook Image

[Image: Detonate File - JoeSecurity V2]