Detonate File - JoeSecurity

Detonates one or more files using the Joe Security - Joe Sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

  • Joe Security

Scripts

  • Set

Commands

  • joe-analysis-info
  • joe-download-report
  • joe-analysis-submit-sample

Playbook Inputs


NameDescriptionDefault ValueSourceRequired
FileThe file object of the file to detonate. The file is taken from the context.NoneFileOptional
IntervalThe duration for executing the pooling (in minutes).1-Optional
TimeoutThe duration after which to stop pooling and to resume the playbook (in minutes).15-Optional
SystemsThe operating system to run the analysis on (comma-separated). Supported values are: w7, w7x64, w7_1, w7_2, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w7_4, w7_5, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougat.--Optional
CommentsThe comments for the analysis.--Optional
InternetAccessWhether to enable internet access (boolean). The default is "True". "True" means there is internet access. "False" means there is no internet access.True-Optional
ReportFileTypeThe resource type to download. The default is "HTML". The supported values are: html, lighthtml, executive, pdf, classhtml, xml, lightxml, classxml, clusterxml, irxml, json, jsonfixed, lightjson, lightjsonfixed, irjson, irjsonfixed, shoots (screenshots), openioc, maec, misp, graphreports, memstrings, binstrings, sample, cookbook, bins (dropped files), unpackpe (unpacked PE files), unpack, ida, pcap, pcapslim, memdumps, yara.--Optional

Playbook Outputs


PathDescriptionType
DBotScore.VendorThe vendor used to calculate the score.string
Joe.Analysis.IDThe web ID.string
Joe.Analysis.StatusThe analysis status.string
Joe.Analysis.CommentsThe analysis comments.string
Joe.Analysis.TimeThe submitted time.date
Joe.Analysis.RunsThe sub-analysis information.unknown
Joe.Analysis.ResultThe analysis results.string
Joe.Analysis.ErrorsThe raised errors during sampling.unknown
Joe.Analysis.SystemsThe analysis OS.unknown
Joe.Analysis.MD5The MD5 hash of analysis sample.string
Joe.Analysis.SHA1The SHA1 hash of analysis sample.string
Joe.Analysis.SHA256The SHA256 hash of analysis sample.string
Joe.Analysis.SampleNameThe sample data. Can be, "file name" or "URL".string
DBotScore.IndicatorThe indicator that was tested.string
DBotScore.TypeThe indicator type.string
DBotScore.ScoreThe actual score.number
DBotScore.Malicious.VendorThe vendor used to calculate the score.string
DBotScore.Malicious.DetectionsThe sub-analysis detection statuses.string
DBotScore.Malicious.SHA1The SHA1 hash of the file.string
InfoFile.NameThe filename.string
InfoFile.EntryIDThe EntryID of the sample.string
InfoFile.SizeThe file size.number
InfoFile.TypeThe file type. For example, "PE".string
InfoFile.InfoThe basic information of the file.string
File.ExtensionThe file extension.string
InfoFileThe report file object.unknown
FileThe file object.unknown
Joe.AnalysisThe Joe analysis object.unknown
DBotScoreThe DBotScore object.unknown
DBotScore.MaliciousThe DBotScore malicious object.unknown

Playbook Image


Detonate_File_JoeSecurity