Detonate URL - JoeSecurity

Detonates one or more URLs using the Joe Security Sandbox integration. Returns relevant reports to the War Room and URL reputations to the context data.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

  • Joe Security

Scripts

  • Set

Commands

  • joe-download-report
  • joe-analysis-submit-url
  • joe-analysis-info

Playbook Inputs


NameDescriptionDefault ValueSourceRequired
URLThe URL to detonate.DataURLOptional
IntervalThe duration for executing the pooling (in minutes).1-Optional
TimeoutThe duration after which to stop pooling and to resume the playbook (in minutes).15-Optional
SystemsThe operating system to run the analysis on (comma-separated). Supported values are: w7, w7x64, w7_1, w7_2, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w7_4, w7_5, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougat.--Optional
CommentsThe comments for the analysis.--Optional
InternetAccessWhether internet access is enabled. (boolean). The default is "True". "True" means the is internet access. "False" means the is no internet access.True-Optional
ReportFileTypeThe resource type to download. The default is "html". Supported values are: html, lighthtml, executive, pdf, classhtml, xml, lightxml, classxml, clusterxml, irxml, json, jsonfixed, lightjson, lightjsonfixed, irjson, irjsonfixed, shoots (screenshots), openioc, maec, misp, graphreports, memstrings, binstrings, sample, cookbook, bins (dropped files), unpackpe (unpacked PE files), unpack, ida, pcap, pcapslim, memdumps, yara.html-Optional

Playbook Outputs


PathDescriptionType
DBotScore.VendorThe vendor used to calculate the score.string
Joe.Analysis.IDThe web ID.string
Joe.Analysis.StatusThe analysis status.string
Joe.Analysis.CommentsThe analysis comments.string
Joe.Analysis.TimeThe submitted time.date
Joe.Analysis.RunsThe sub-analysis information.unknown
Joe.Analysis.ResultThe analysis results.string
Joe.Analysis.ErrorsThe errors raised during sampling.unknown
Joe.Analysis.SystemsThe analysis OS.unknown
Joe.Analysis.MD5The MD5 hash of the analysis sample.string
Joe.Analysis.SHA1The SHA1 hash of the analysis sample.string
Joe.Analysis.SHA256The SHA256 hash of the analysis sample.string
Joe.Analysis.SampleNameThe sample data. Can be, "filename" or "URL".string
DBotScore.IndicatorThe name of the sample file or URL.string
DBotScore.TypeThe URL for URL samples, otherwise file.string
DBotScore.ScoreThe actual score.number
DBotScore.Malicious.VendorThe vendor used to calculate the score.string
DBotScore.Malicious.DetectionsThe sub-analysis detection statuses.string
DBotScore.Malicious.SHA1The SHA1 hash of the file.string
InfoFile.NameThe filename.string
InfoFile.EntryIDThe EntryID of the sample.string
InfoFile.SizeThe file size.number
InfoFile.TypeThe file type. For example, "PE".string
InfoFile.InfoThe basic information of the file.string
File.ExtensionThe file extension.string
InfoFileThe report file object.unknown
FileThe file object.unknown
Joe.AnalysisThe Joe Analysis object.unknown
DBotScoreThe DBotScore object.unknown
DBotScore.MaliciousThe DBotScore malicious object.unknown

Playbook Image


Detonate_URL_JoeSecurity