Package Documentation
Storm Package: synapse-joe-sandbox
The following Commands are available from this package. This documentation is generated for version 0.2.0 of the package.
Storm Commands
This package implements the following Storm Commands.
joe.sandbox.analysis.del
Delete a Joe Sandbox analysis.
Examples:
joe.sandbox.analysis.del 2878355
Usage: joe.sandbox.analysis.del [options] <webid>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
Arguments:
<webid> : Web ID of the analysis to delete.
joe.sandbox.analysis.search
Search for Joe Sandbox analyses and optionally ingest them.
If the --q argument is specified, it will be used to search the md5, sha1, sha256,
filename, threat name, URL, tags, and comments fields of analyses.
Examples:
// Search for analyses matching "foobar" and print the results
joe.sandbox.analysis.search --q foobar
// Filter by md5 hash and ingest matching analyses
joe.sandbox.analysis.search --md5 938c2cc0dcc05f2b68c4287040cfcf71 --ingest
// Specify analyses by Web ID and ingest them
joe.sandbox.analysis.search --webid 2878355 2878357 --ingest
Usage: joe.sandbox.analysis.search [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--webid [<webid> ...] : Search for specific Web IDs. Cannot be used in conjunction with filter or search params.
--q <q> : A general search string, cannot be used in conjunction with filters.
--filename <filename> : Filter by filename (substring search).
--url <url> : Filter by URL (substring search).
--detection <detection> : Filter by detection value (clean/suspicious/malicious/unknown).
--threatname <threatname> : Filter by threat name (exact match).
--tag <tag> : Filter by tag (substring search).
--comments <comments> : Filter by comments (substring search).
--md5 <md5> : Filter by md5 hash (exact match).
--sha1 <sha1> : Filter by sha1 hash (exact match).
--sha256 <sha256> : Filter by sha256 hash (exact match).
--before-date <before_date> : Filter to only analyses before a specified time.
--after-date <after_date> : Filter to only analyses after a specified time.
--ioc-domain <ioc_domain> : Filter by analyses containing a specific domain IOC (exact match).
--ioc-dropped-file <ioc_dropped_file>: Filter by analyses containing a specific dropped file IOC (substring search of filename).
--ioc-public-ip <ioc_public_ip>: Filter by analyses containing a specific public IP IOC (exact match).
--ioc-url <ioc_url> : Filter by analyses containing a specific URL IOC (substring search).
--ingest : Ingest results for all analyses matching the filter parameters.
--screenshots : Ingest screenshots from analyses when --ingest is specified.
--yield : Yield the newly created nodes when ingesting.
joe.sandbox.info
Get information about the Joe Sandbox API key in use.
This command queries the /v2/account/info endpoint to get information
about the current quota status for the Joe Sandbox API key in use.
Usage: joe.sandbox.info [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
joe.sandbox.setup.apikey
Manage the Joe Sandbox API key.
Examples:
// Set a global Joe Sandbox API key
joe.sandbox.setup.apikey abcd1234
// Set a Joe Sandbox API key for the current user
joe.sandbox.setup.apikey --self abcd1234
// Display the API key scope of the current key
joe.sandbox.setup.apikey --show-scope
// Display the current API key.
joe.sandbox.setup.apikey --show-apikey
// Remove the current global API key.
joe.sandbox.setup.apikey --remove
// Remove the per-user API key for the current user.
joe.sandbox.setup.apikey --self --remove
Usage: joe.sandbox.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apikey] : The API key string.
joe.sandbox.setup.tagprefix
Set the tag prefix used when recording Joe Sandbox tags.
The default tag prefix is "rep.joe.sandbox" if not specified.
Any tags provided by the Joe Sandbox API will be added within the given namespace.
For example, the tag "malicious" would result in "#rep.joe.sandbox.malicious". Any
characters incompatible with tag names are replaced with "_".
Usage: joe.sandbox.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
joe.sandbox.setup.url
Manage the Joe Sandbox API URL.
By default, the base API URL used is https://jbxcloud.joesecurity.org/api.
Examples:
// Set the Joe Sandbox API URL
joe.sandbox.setup.url https://myjbx.org
// Display the current API URL.
joe.sandbox.setup.url --show-url
// Remove the current API URL.
joe.sandbox.setup.url --remove
Usage: joe.sandbox.setup.url [options] <url>
Options:
--help : Display the command usage.
--show-url : Display the API URL value (requires admin perms).
--remove : Remove the configured API URL.
Arguments:
[url] : The base API URL.
joe.sandbox.submit
Submit a sample to Joe Sandbox for analysis.
This command takes a file:bytes or hash:sha256 node as input and submits the
file from the Axon to Joe Sandbox for analysis. After submitting the file,
the command will wait for the analysis to be complete and ingest the results.
Additional optional parameters may be specified by providing a Storm dictionary
object to the --options argument.
Examples:
// Submit a file:bytes node for analysis
file:bytes:name="cobalt.zip" | joe.sandbox.submit
// Specify additional options for a submission
$opts = ({"archive-password": "mypass"})
file:bytes:name="malware.zip" | joe.sandbox.submit --yield --options $opts
Usage: joe.sandbox.submit [options]
Options:
--help : Display the command usage.
--options <options> : Specify additional options for the submission.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--screenshots : Ingest screenshots from the analysis results.
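An added example (not part of the package documentation) that chains the commands above into one triage query: configure a per-user key, check quota, reuse an existing analysis by hash where one exists, and only submit the sample when no Joe Sandbox tags are present. It assumes the placeholder values for $apikey and $sha256 are replaced, and that ingested results tag the file:bytes node under the default "rep.joe.sandbox" prefix.

```storm
// Placeholders: replace with a real API key and the SHA-256 of the sample in the Axon.
$apikey = "<your-joe-sandbox-api-key>"
$sha256 = "<sha256-of-sample>"

// One-time setup. --self stores the key as a user variable so it is not shared globally;
// the tag prefix is set explicitly to the documented default so later filters match.
joe.sandbox.setup.apikey --self $apikey
| joe.sandbox.setup.tagprefix rep.joe.sandbox

// Check the remaining quota for this key before doing any bulk ingestion.
| joe.sandbox.info

// Prefer an existing analysis over a fresh submission: --sha256 is an exact match,
// --ingest creates the nodes, --yield sends them down the pipeline, and the tag
// filter keeps only results Joe Sandbox labelled "malicious" (assumption: the
// "malicious" tag is recorded as #rep.joe.sandbox.malicious on the yielded nodes).
| joe.sandbox.analysis.search --sha256 $sha256 --ingest --yield
| +#rep.joe.sandbox.malicious

// Submit only samples that carry no Joe Sandbox tags yet. The command blocks until
// the analysis completes, then ingests the results and screenshots.
$opts = ({"archive-password": "infected"})
file:bytes:sha256=$sha256 -#rep.joe.sandbox
| joe.sandbox.submit --screenshots --yield --options $opts
```

Run the setup commands once per user; the search and submit stages can be reused on their own for each new hash.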
Storm Modules
This package does not export any Storm APIs.