Joe Security

Overview


Use the Joe Security Sandbox integration to detect and analyze potentially malicious files.
Using the integration, you can analyze URLs and sample files on different machine types (Windows, Android, iOS, and Mac OS X).

All file types are supported.

This integration was integrated and tested with Joe Security v2.

Playbooks


  • JoeSecurity - Detonate URL
  • JoeSecurity - Detonate File
  • JoeSecurity - Detonate File From URL

Use Cases


  • Add a file to the integration's War Room.
  • Sample a file.
  • Get information about a previous analysis.
  • Send a URL sample to Joe Security.

Prerequisites


Before you configure the integration, retrieve the API key from your Joe Security environment.

  1. Log in to the Joe Security platform.
  2. Click the button in the top-right corner and select Settings.
  3. In the API Key section, select the I Agree checkbox.
  4. Click the Generate API key button.
  5. Copy the API key for later use.

Configure the Joe Security Integration on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Joe Security.
  3. Click Add instance to create and configure a new integration instance.
    • Name: A textual name for the integration instance.
    • Joe Security URL: URL of the Joe Security server.
    • API Key: The API key generated in the Prerequisites steps above.
    • Trust any certificate (not secure): Skips TLS certificate validation for the Joe Security URL.
    • Do not use by default
    • Demisto engine
  4. Click Test to validate the URLs and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Ping the server: joe-is-online
  2. Submit a URL for analysis: joe-analysis-submit-url
  3. Get analysis information: joe-analysis-info
  4. Get analyses list: joe-list-analysis
  5. Submit sample for analysis: joe-analysis-submit-sample
  6. Search analyses: joe-search
  7. Download a report: joe-download-report
  8. Download analysis file: joe-download-sample
  9. Detonate a file: joe-detonate-file
  10. Detonate a URL: joe-detonate-url

Ping the server


Pings the Joe Security server to verify that it is responsive.

Base Command

joe-is-online

Input

There is no input for this command.

Context Data

There is no context data for this command.

Raw Output

There is no raw output for this command.

Submit a URL for analysis


Submits a URL to Joe Security for analysis.

Base Command

joe-analysis-submit-url

Input
Parameter Required Description
url Required URL to submit for analysis.
should_wait Optional Whether the command polls for the analysis result before returning.
comments Optional Comments for the analysis.
systems Optional Comma-separated list of operating systems to run the analysis on. Valid values are:

  • w7
  • w7x64
  • w7_1
  • w7_2
  • w7native
  • android2
  • android3
  • mac1
  • w7l
  • w7x64l
  • w10
  • android4
  • w7x64native
  • w7_3
  • w10native
  • android5native_1
  • w7_4
  • w7_5
  • w10x64
  • w7x64_hvm
  • android6
  • iphone1
  • w7_sec
  • macvm
  • w7_lang_packs
  • w7x64native_hvm
  • lnxubuntu1
  • lnxcentos1
  • android7_nougat
internet-access Optional Enable full internet access (boolean). Default is True.

Context Data
Path Type Description
Joe.Analysis.WebID String Web ID
Joe.Analysis.FileName String Sample data, could be a file name or URL
Joe.Analysis.Status String Analysis status
Joe.Analysis.Comments String Analysis comments
Joe.Analysis.Time Date Time submitted
Joe.Analysis.Runs Unknown Sub-analysis information
Joe.Analysis.Result String Analysis results
Joe.Analysis.Errors Unknown Errors raised during sampling
Joe.Analysis.Systems Unknown Analysis operating system
Joe.Analysis.MD5 String MD5 hash of the analysis sample
Joe.Analysis.SHA1 String SHA-1 hash of the analysis sample
Joe.Analysis.SHA256 String SHA-256 hash of the analysis sample
DBotScore.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Indicator Unknown The name of the sample file or URL
DBotScore.Type String url for URL samples; file for anything that is not a URL sample
DBotScore.Score String Demisto DBot score: Bad, Suspicious, or Good
DBotScore.Malicious.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Malicious.Detections String The sub-analysis detection statuses
DBotScore.Malicious.SHA1 String SHA-1 hash of the file

Raw Output

There is no raw output for this command.
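Demisto passes every command argument as a string, so an automation that wraps joe-analysis-submit-url (or joe-analysis-submit-sample) has to turn the comma-separated systems value and the internet-access flag into something the sandbox will accept before the call is made. The following is an added example, not code from the Joe Security integration itself: it validates the systems list against the identifiers documented above, normalises the boolean, and assembles the argument dictionary. The function names and the argument dictionary shape are this example's own choices.

```python
# Added example (not part of the Joe Security integration's own code):
# normalise the `systems` and `internet-access` arguments before they are
# handed to joe-analysis-submit-url / joe-analysis-submit-sample.

# Valid machine identifiers exactly as listed in the integration docs above.
VALID_SYSTEMS = frozenset({
    "w7", "w7x64", "w7_1", "w7_2", "w7native", "android2", "android3",
    "mac1", "w7l", "w7x64l", "w10", "android4", "w7x64native", "w7_3",
    "w10native", "android5native_1", "w7_4", "w7_5", "w10x64", "w7x64_hvm",
    "android6", "iphone1", "w7_sec", "macvm", "w7_lang_packs",
    "w7x64native_hvm", "lnxubuntu1", "lnxcentos1", "android7_nougat",
})


def parse_systems(arg):
    """Split the comma-separated `systems` argument into a de-duplicated,
    order-preserving list and reject unknown identifiers.
    An empty or missing value means "let the sandbox choose" and yields []."""
    if not arg:
        return []
    seen, result, unknown = set(), [], []
    for raw in arg.split(","):
        name = raw.strip().lower()   # identifiers are documented in lower case
        if not name:
            continue                 # tolerate "w7,,w10" and trailing commas
        if name not in VALID_SYSTEMS:
            unknown.append(name)
        elif name not in seen:
            seen.add(name)
            result.append(name)
    if unknown:
        raise ValueError("unknown Joe Security system(s): %s" % ", ".join(unknown))
    return result


def parse_bool(arg, default=True):
    """Accept the usual string spellings of a boolean argument.
    Unrecognised values are an error rather than a silent fallback."""
    if arg is None or arg == "":
        return default
    if isinstance(arg, bool):
        return arg
    value = str(arg).strip().lower()
    if value in ("true", "yes", "1"):
        return True
    if value in ("false", "no", "0"):
        return False
    raise ValueError("internet-access must be a boolean, got %r" % (arg,))


def build_submit_args(url, systems=None, internet_access=None, comments=None):
    """Assemble the argument dict for joe-analysis-submit-url. Keys match the
    documented parameter names; values are validated and normalised."""
    if not url or not url.strip():
        raise ValueError("url is required")
    args = {"url": url.strip(), "internet-access": parse_bool(internet_access)}
    machines = parse_systems(systems)
    if machines:
        args["systems"] = ",".join(machines)
    if comments:
        args["comments"] = comments
    return args
```

Rejecting an unknown system name up front is deliberate: a typo such as winxp would otherwise be forwarded to the sandbox and only surface later as an error in Joe.Analysis.Errors, after the submission has already been made.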

Get analysis information


Returns information for a specified analysis.

Base Command

joe-analysis-info

Input
Parameter Required Description
webId Required Web ID. Supports comma-separated arrays.

Context Data
Path Type Description
Joe.Analysis.WebID String Web ID
Joe.Analysis.SampleName String Sample Data, could be a file name or URL
Joe.Analysis.Status String Analysis status
Joe.Analysis.Comments String Analysis comments
Joe.Analysis.Time Date Submitted time
Joe.Analysis.Runs Unknown Sub-analysis information
Joe.Analysis.Result String Analysis results
Joe.Analysis.Errors Unknown Errors raised during sampling
Joe.Analysis.Systems Unknown Analysis operating system
Joe.Analysis.MD5 String MD5 hash of the analysis sample
Joe.Analysis.SHA1 String SHA-1 hash of the analysis sample
Joe.Analysis.SHA256 String SHA-256 hash of the analysis sample
DBotScore.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Indicator Unknown The name of the sample file or URL
DBotScore.Type String url for URL samples; file for anything that is not a URL sample
DBotScore.Score String Demisto DBot score: Bad, Suspicious, or Good
DBotScore.Malicious.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Malicious.Detections String The sub-analysis detection statuses
DBotScore.Malicious.SHA1 String SHA-1 hash of the file

Raw Output

There is no raw output for this command.
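The context tables describe two linked outputs: the Joe.Analysis record, with one sub-analysis per requested system in Runs, and the DBotScore entry derived from it (Vendor, Indicator, Type url/file, Score Bad/Suspicious/Good, and a Malicious block when the verdict is Bad). The example below is added here and is not the integration's own code. It shows one way to derive the DBotScore entry from such records, including the two edge cases a playbook has to get right: an analysis that is still running must not produce a score, and a sample that is clean on one system but malicious on another must score as Bad. The sample records, the Status value "finished", and the per-run verdict vocabulary (malicious / suspicious / clean) are assumptions made for illustration; check them against your sandbox's actual output.

```python
# Added example, not the integration's own code: derive the DBotScore context
# entries documented above from Joe.Analysis records.
# Assumptions: Status is "finished" when done; each entry in Runs carries a
# "system" and a "detection" of malicious / suspicious / clean.

VENDOR = "JoeSecurity"

# Assumed mapping from the per-run verdict to the documented DBot score names.
RESULT_TO_SCORE = {"malicious": "Bad", "suspicious": "Suspicious", "clean": "Good"}


def indicator_type(sample_name):
    """`url` for URL samples, `file` for anything else, as the table states.
    A URL is recognised by its scheme; everything else is treated as a file."""
    lowered = (sample_name or "").strip().lower()
    return "url" if lowered.startswith(("http://", "https://")) else "file"


def worst_result(runs):
    """Collapse the per-system sub-analyses into one verdict: any malicious run
    wins, then suspicious, then clean. Unknown or absent verdicts yield None."""
    verdicts = [str(r.get("detection", "")).lower() for r in runs]
    for level in ("malicious", "suspicious", "clean"):
        if level in verdicts:
            return level
    return None


def detections_summary(runs):
    """Per-system verdicts flattened into the single string that
    DBotScore.Malicious.Detections carries."""
    return ", ".join("%s: %s" % (r.get("system", "?"), r.get("detection", "?")) for r in runs)


def to_dbot_score(analysis):
    """Build the DBotScore object for one Joe.Analysis record.
    Returns None while the analysis is unfinished or has no usable verdict, so
    a pending analysis never produces a misleading 'Good'."""
    if str(analysis.get("Status") or "").lower() != "finished":
        return None
    result = worst_result(analysis.get("Runs", []))
    if result is None:
        return None
    score = RESULT_TO_SCORE[result]
    indicator = analysis.get("SampleName") or analysis.get("FileName")
    entry = {"Vendor": VENDOR, "Indicator": indicator,
             "Type": indicator_type(indicator), "Score": score}
    if score == "Bad":
        entry["Malicious"] = {"Vendor": VENDOR,
                              "Detections": detections_summary(analysis.get("Runs", [])),
                              "SHA1": analysis.get("SHA1")}
    return entry


def score_all(analyses):
    """Map every finished analysis to its DBotScore entry, preserving order."""
    return [s for s in (to_dbot_score(a) for a in analyses) if s is not None]


# Constructed sample context, shaped like the Joe.Analysis table above.
SAMPLE_ANALYSES = [
    {"WebID": "100001", "SampleName": "invoice.exe", "Status": "finished",
     "SHA1": "0000000000000000000000000000000000000001",   # placeholder hash
     "Runs": [{"system": "w7", "detection": "clean"},
              {"system": "w10x64", "detection": "malicious"}]},
    {"WebID": "100002", "SampleName": "https://example.test/login",
     "Status": "finished", "SHA1": None,
     "Runs": [{"system": "w7", "detection": "clean"}]},
    {"WebID": "100003", "SampleName": "setup.msi", "Status": "running",
     "SHA1": None, "Runs": []},
]
```

Taking the worst verdict across runs is the conservative choice for a sandbox that may execute the same sample on several operating systems: evasive samples often behave benignly on one image and detonate on another, and the score a playbook acts on should reflect the worst observed behaviour.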

Get analyses list


Returns a list of all analyses.

Base Command

joe-list-analysis

Input

There is no input for this command.

Context Data
Path Type Description
Joe.Analysis.WebID String Web ID
Joe.Analysis.SampleName String Sample Data, could be a file name or URL
Joe.Analysis.Status String Analysis status
Joe.Analysis.Comments String Analysis comments
Joe.Analysis.Time Date Submitted time
Joe.Analysis.Runs Unknown Sub-analysis information
Joe.Analysis.Result String Analysis results
Joe.Analysis.Errors Unknown Errors raised during sampling
Joe.Analysis.Systems Unknown Analysis operating system
Joe.Analysis.MD5 String MD5 hash of the analysis sample
Joe.Analysis.SHA1 String SHA-1 hash of the analysis sample
Joe.Analysis.SHA256 String SHA-256 hash of the analysis sample
DBotScore.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Indicator Unknown The name of the sample file or URL
DBotScore.Type String url for URL samples; file for anything that is not a URL sample
DBotScore.Score String Demisto DBot score: Bad, Suspicious, or Good
DBotScore.Malicious.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Malicious.Detections String The sub-analysis detection statuses
DBotScore.Malicious.SHA1 String SHA-1 hash of the file

Raw Output

There is no raw output for this command.

Submit sample for analysis


Submits a sample to Joe Security for analysis.

Base Command

joe-analysis-submit-sample

Input
Parameter Required Description
file_id Optional War Room entry of a file (for example, 3245@4).
sample_url Optional URL of a sample file. Supports comma-separated arrays.
should_wait Optional Whether the command polls for the analysis result before returning.
comments Optional Comments for the analysis.
systems Optional Comma-separated list of operating systems to run the analysis on. Valid values are:

  • w7
  • w7x64
  • w7_1
  • w7_2
  • w7native
  • android2
  • android3
  • mac1
  • w7l
  • w7x64l
  • w10
  • android4
  • w7x64native
  • w7_3
  • w10native
  • android5native_1
  • w7_4
  • w7_5
  • w10x64
  • w7x64_hvm
  • android6
  • iphone1
  • w7_sec
  • macvm
  • w7_lang_packs
  • w7x64native_hvm
  • lnxubuntu1
  • lnxcentos1
  • android7_nougat
internet-access Optional Enable full internet access. Default is True.

Context Data
Path Type Description
Joe.Analysis.WebID String Web ID
Joe.Analysis.SampleName String Sample data, could be a file name or URL
Joe.Analysis.Status String Analysis status
Joe.Analysis.Comments String Analysis comments
Joe.Analysis.Time Date Submitted time
Joe.Analysis.Runs Unknown Sub-analysis information
Joe.Analysis.Result String Analysis results
Joe.Analysis.Errors Unknown Errors raised during sampling
Joe.Analysis.Systems Unknown Analysis operating system
Joe.Analysis.MD5 String MD5 hash of the analysis sample
Joe.Analysis.SHA1 String SHA-1 hash of the analysis sample
Joe.Analysis.SHA256 String SHA-256 hash of the analysis sample
DBotScore.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Indicator Unknown The name of the sample file or URL
DBotScore.Type String url for URL samples; file for anything that is not a URL sample
DBotScore.Score String Demisto DBot score: Bad, Suspicious, or Good
DBotScore.Malicious.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Malicious.Detections String The sub-analysis detection statuses
DBotScore.Malicious.SHA1 String SHA-1 hash of the file

Raw Output

There is no raw output for this command.

Search analyses


Search through all analyses in Joe Security.

Base Command

joe-search

Input
Parameter Description
query String to search for in these fields:

  • webID
  • MD5
  • SHA1
  • SHA256
  • filename
  • URL
  • comments

Context Data
Path Type Description
Joe.Analysis.WebID String Web ID
Joe.Analysis.SampleName String Sample data, could be a file name or URL
Joe.Analysis.Status String Analysis status
Joe.Analysis.Comments String Analysis comments
Joe.Analysis.Time Date Submitted time
Joe.Analysis.Runs Unknown Sub-analysis information
Joe.Analysis.Result String Analysis results
Joe.Analysis.Errors Unknown Errors raised during sampling
Joe.Analysis.Systems Unknown Analysis operating system
Joe.Analysis.MD5 String MD5 hash of the analysis sample
Joe.Analysis.SHA1 String SHA-1 hash of the analysis sample
Joe.Analysis.SHA256 String SHA-256 hash of the analysis sample
DBotScore.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Indicator Unknown The name of the sample file or URL
DBotScore.Type String url for URL samples; file for anything that is not a URL sample
DBotScore.Score String Demisto DBot score: Bad, Suspicious, or Good
DBotScore.Malicious.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Malicious.Detections String The sub-analysis detection statuses
DBotScore.Malicious.SHA1 String SHA-1 hash of the file

Raw Output

There is no raw output for this command.
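joe-search matches one query string against the seven fields listed above. When the analyses are already in context (for example after joe-list-analysis), the same lookup can be done locally without another round trip, and doing so makes the matching rules explicit. The example below is added here and is not the integration's own code: hash values and Web IDs are matched exactly and case-insensitively, while filename, URL and comments are matched as substrings. The matching policy, the field names used for filename and URL (SampleName) and the constructed records (the hashes are those of an empty input, used only as placeholders) are this example's assumptions.

```python
# Added example, not the integration's own code: a local search over analysis
# records that applies the joe-search field list (webID, MD5, SHA1, SHA256,
# filename, URL, comments). Field names follow the Joe.Analysis context table;
# filename and URL both live in SampleName.
import re

HASH_FIELDS = {"MD5": 32, "SHA1": 40, "SHA256": 64}   # hex digest lengths
TEXT_FIELDS = ("SampleName", "Comments")             # filename, URL, comments


def classify_query(query):
    """Decide how a query is matched: a hex string of a known digest length is
    compared exactly against that hash field, a digit string against WebID, and
    anything else as a case-insensitive substring of the text fields."""
    q = query.strip()
    if not q:
        raise ValueError("empty query")
    lowered = q.lower()
    if re.fullmatch(r"[0-9a-f]+", lowered):
        for field, length in HASH_FIELDS.items():
            if len(lowered) == length:
                return ("hash", field, lowered)
    if q.isdigit():
        return ("webid", "WebID", q)
    return ("text", None, lowered)


def search(analyses, query):
    """Return the WebIDs of records matching `query`, in input order."""
    kind, field, value = classify_query(query)
    hits = []
    for record in analyses:
        if kind == "hash":
            matched = str(record.get(field) or "").lower() == value
        elif kind == "webid":
            matched = str(record.get(field) or "") == value
        else:
            matched = any(value in str(record.get(f) or "").lower() for f in TEXT_FIELDS)
        if matched:
            hits.append(record["WebID"])
    return hits


# Constructed records; the digests are the well-known hashes of empty input.
SAMPLE_RECORDS = [
    {"WebID": "100001", "SampleName": "invoice.exe",
     "Comments": "from phishing ticket 42",
     "MD5": "d41d8cd98f00b204e9800998ecf8427e",
     "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"WebID": "100002", "SampleName": "https://example.test/login",
     "Comments": "", "MD5": None, "SHA1": None, "SHA256": None},
]
```

Exact matching for digests avoids the false hits a plain substring search produces when an analyst pastes a short hash prefix, and lower-casing both sides covers the upper-case digests many tools emit.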

Download a report


Downloads a resource associated with an analysis report. This can be the full report, dropped binaries, and so on.

Base Command

joe-download-report

Input
Parameter Required Description
webid Required Web ID.
type Optional Resource type to download. Default is html.

Context Data
Path Type Description
InfoFile.Name String Name of the file
InfoFile.EntryID String The entry ID of the sample
InfoFile.Size Number The size of the file
InfoFile.Type String File type (for example, PE)
InfoFile.Info String Basic information about the file
File.Extension String File extension

Raw Output

There is no raw output for this command.

Download analysis file


Downloads the sample file of an analysis. For security reasons, the downloaded file is saved with the extension dontrun, so the sample is not directly executable.

Base Command

joe-download-sample

Input
Parameter Required Description
webid Required Web ID.

Context Data
Path Type Description
File.Size Number The size of the file
File.SHA1 String SHA-1 hash of the file
File.SHA256 String SHA-256 hash of the file
File.Name String The sample name
File.SSDeep String ssdeep hash of the file
File.EntryID String War room entry ID of the file
File.Info String Basic information of the file
File.Type String File type (for example, PE)
File.MD5 String MD5 hash of the file
File.Extension String File extension

Raw Output

There is no raw output for this command.
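The dontrun extension is the detail worth noticing in this command: the sample is a live piece of malware, and the renamed copy keeps it from being launched by a stray double-click or a file association on the analyst's host. The example below is added here and is not the integration's own code. It shows what the File context documented above looks like once the bytes are written under that extension: the stored name, the size, and the MD5, SHA-1 and SHA-256 digests computed from the same bytes, so the hashes in context always describe the file that was actually written. The sample bytes are constructed (a fake PE header, not a real binary), the magic-number table covers only a few common types as an illustration, and ssdeep is omitted because it needs an external library.

```python
# Added example, not the integration's own code: store a downloaded sample
# under the .dontrun extension and build its File.* context.
import hashlib
import os
import tempfile

# Illustrative magic numbers only; the real integration's type detection differs.
MAGIC = [(b"MZ", "PE"), (b"PK\x03\x04", "ZIP"), (b"%PDF", "PDF"), (b"\x7fELF", "ELF")]

SAFE_EXTENSION = "dontrun"


def guess_type(data):
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    return "unknown"


def safe_name(original):
    """Drop any directory components (Windows or POSIX) and append .dontrun, so
    the stored copy is never double-click executable. The original extension
    stays in the base name: invoice.exe -> invoice.exe.dontrun."""
    base = os.path.basename(original.replace("\\", "/")) or "sample"
    return "%s.%s" % (base, SAFE_EXTENSION)


def file_context(name, data):
    """Build the File.* context for the stored sample (ssdeep omitted)."""
    kind = guess_type(data)
    return {
        "Name": safe_name(name),
        "Extension": SAFE_EXTENSION,
        "Size": len(data),
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "Type": kind,
        "Info": "%s, %d bytes" % (kind, len(data)),
    }


def store_sample(directory, name, data):
    """Write the sample under its .dontrun name with owner-only permissions,
    refusing to overwrite an existing file, and return the path and context."""
    path = os.path.join(directory, safe_name(name))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path, file_context(name, data)


# Constructed stand-in for a downloaded sample: a fake PE header, not a real binary.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed-sample-body"


def demo():
    """Store the constructed sample in a fresh temporary directory and return
    the stored file name together with its File context."""
    directory = tempfile.mkdtemp(prefix="joe-sample-")
    path, ctx = store_sample(directory, "C:\\Users\\analyst\\Downloads\\invoice.exe", SAMPLE_BYTES)
    return os.path.basename(path), ctx


if __name__ == "__main__":
    print(demo())
```

Stripping directory components before building the name matters because the sample name comes from the sandbox, not from the analyst; a name such as ../evil.js must end up as evil.js.dontrun inside the chosen directory rather than one level above it.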

Detonate a file


Submits a file for analysis.

Base Command

joe-detonate-file

Input
Parameter Required Description
file_id Optional War Room entry of a file (for example, 3245@4).
sample_url Optional URL of a sample file.
comments Optional Comments for the analysis.
systems Optional Comma-separated list of operating systems to run the analysis on. Valid values are:

  • w7
  • w7x64
  • w7_1
  • w7_2
  • w7native
  • android2
  • android3
  • mac1
  • w7l
  • w7x64l
  • w10
  • android4
  • w7x64native
  • w7_3
  • w10native
  • android5native_1
  • w7_4
  • w7_5
  • w10x64
  • w7x64_hvm
  • android6
  • iphone1
  • w7_sec
  • macvm
  • w7_lang_packs
  • w7x64native_hvm
  • lnxubuntu1
  • lnxcentos1
  • android7_nougat
internet-access Optional Enable full internet access. Default is True.

Context Data
Path Type Description
Joe.Analysis.WebID String Web ID
Joe.Analysis.SampleName String Sample Data, could be a file name or URL
Joe.Analysis.Status String Analysis status
Joe.Analysis.Comments String Analysis comments
Joe.Analysis.Time Date Submission time
Joe.Analysis.Runs Unknown Sub-analysis information
Joe.Analysis.Result String Analysis results
Joe.Analysis.Errors Unknown Errors raised during sampling
Joe.Analysis.Systems Unknown Analysis operating system
Joe.Analysis.MD5 String MD5 hash of the analysis sample
Joe.Analysis.SHA1 String SHA-1 hash of the analysis sample
Joe.Analysis.SHA256 String SHA-256 hash of the analysis sample
DBotScore.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Indicator Unknown The name of the sample file or URL
DBotScore.Type String url for URL samples; file for anything that is not a URL sample
DBotScore.Score String Demisto DBot score: Bad, Suspicious, or Good
DBotScore.Malicious.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Malicious.Detections String The sub-analysis detection statuses
DBotScore.Malicious.SHA1 String SHA-1 hash of the file

Raw Output

There is no raw output for this command.

Detonate a URL


Submits a URL for analysis.

Base Command

joe-detonate-url

Input
Parameter Required Description
url Required The URL to detonate.
comments Optional Comments for the analysis.
systems Optional Comma-separated list of operating systems to run the analysis on. Valid values are:

  • w7
  • w7x64
  • w7_1
  • w7_2
  • w7native
  • android2
  • android3
  • mac1
  • w7l
  • w7x64l
  • w10
  • android4
  • w7x64native
  • w7_3
  • w10native
  • android5native_1
  • w7_4
  • w7_5
  • w10x64
  • w7x64_hvm
  • android6
  • iphone1
  • w7_sec
  • macvm
  • w7_lang_packs
  • w7x64native_hvm
  • lnxubuntu1
  • lnxcentos1
  • android7_nougat
internet-access Optional Enable full internet access. Default is True.

Context Data
Path Type Description
Joe.Analysis.WebID String Web ID
Joe.Analysis.SampleName String Sample data, could be a file name or URL
Joe.Analysis.Status String Analysis status
Joe.Analysis.Comments String Analysis comments
Joe.Analysis.Time Date Submission time
Joe.Analysis.Runs Unknown Sub-analysis information
Joe.Analysis.Result String Analysis results
Joe.Analysis.Errors Unknown Errors raised during sampling
Joe.Analysis.Systems Unknown Analysis operating system
Joe.Analysis.MD5 String MD5 hash of the analysis sample
Joe.Analysis.SHA1 String SHA-1 hash of the analysis sample
Joe.Analysis.SHA256 String SHA-256 hash of the analysis sample
DBotScore.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Indicator Unknown The name of the sample file or URL
DBotScore.Type String url for URL samples; file for anything that is not a URL sample
DBotScore.Score String Demisto DBot score: Bad, Suspicious, or Good
DBotScore.Malicious.Vendor String The name of the vendor (JoeSecurity)
DBotScore.Malicious.Detections String The sub-analysis detection statuses
DBotScore.Malicious.SHA1 String SHA-1 hash of the file

Raw Output

There is no raw output for this command.