Incoming feed - JoeSandbox Analysis Feed#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport types

JoeSandbox Analysis Feed

Content type

JoeSandbox Analysis Feed

Ingested data

Ingests analysis reports as TTP entities, and related artifacts found during analysis as Indicator entities.

Processed data

  • Creates TTP entities for each analysis report.

  • Creates Indicator entities for each artifact related to the report.

  • Creates Observables for each indicator of compromise identified for found artifacts.

Requirements#

  • JoeSandbox API key.

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. (Important) Select the Skip extraction of observables from unstructured text option under General.

  3. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select JoeSandbox Analysis Feed from the drop-down menu.

    Content type*

    Select JoeSandbox Analysis Feed from the drop-down menu.

    API URL*

    Set this to the JoeSandbox REST API endpoint.

    By default, this is set to https://jbxcloud.joesecurity.org/api/v2.

    API key*

    Set this to your JoeSandbox API key.

    Ingest Malware Submissions Detected as Clean

    Include artifacts that have been detected as ‘clean’ when ingesting as Indicator entities.

    By default, the extension only ingests artifacts that have been marked as ‘malicious’, ‘unknown’, or ‘incomplete’.

    Process Indicators Detected as Safe

    Include indicators of compromise detected as ‘safe’ when ingesting as Observables.

    By default, only indicators detected as ‘malicious’ are ingested as Observables.

    Include Suspicious Mitre ATT&CK Techniques

    Selected by default.

    Add found MITRE ATT&CK techniques that have been marked as ‘suspicious’ to the Analysis field in the resulting TTP entity.

    If not selected, only MITRE ATT&CK techniques marked as ‘malicious’ are added to the Analysis field.

    Include Informative Mitre ATT&CK Techniques

    Add found MITRE ATT&CK techniques that have been marked as ‘clean’ to the Analysis field in the resulting TTP entity.

    By default, only MITRE ATT&CK techniques marked as ‘malicious’ are added to the Analysis field.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

  4. Store your changes by selecting Save.