Incoming feed - JoeSandbox Analysis Feed
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.
|
Specifications |
Transport types |
JoeSandbox Analysis Feed |
Content type |
JoeSandbox Analysis Feed |
Ingested data |
Ingests analysis reports as TTP entities, and related artifacts found during analysis as Indicator entities. |
Processed data |
|
Requirements
JoeSandbox API key.
Configure the incoming feed
Create or edit an incoming feed.
(Important) Disable the Skip extraction of observables from unstructured text option under General.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select JoeSandbox Analysis Feed from the drop-down menu.
Content type*
Select JoeSandbox Analysis Feed from the drop-down menu.
API URL*
Set this to the JoeSandbox REST API endpoint.
By default, this is set to https://jbxcloud.joesecurity.org/api/v2.
API key*
Set this to your JoeSandbox API key.
Ingest Malware Submissions Detected as Clean
Include artifacts that have been detected as ‘clean’ when ingesting as Indicator entities.
By default, the extension only ingests artifacts that have been marked as ‘malicious’, ‘unknown’, or ‘incomplete’.
Process Indicators Detected as Safe
Include indicators of compromise detected as ‘safe’ when ingesting as Observables.
By default, only indicators detected as ‘malicious’ are ingested as Observables.
Include Suspicious Mitre ATT&CK Techniques
Selected by default.
Add found MITRE ATT&CK techniques that have been marked as ‘suspicious’ to the Analysis field in the resulting TTP entity.
If not selected, only MITRE ATT&CK techniques marked as ‘malicious’ are added to the Analysis field.
Include Informative Mitre ATT&CK Techniques
Add found MITRE ATT&CK techniques that have been marked as ‘clean’ to the Analysis field in the resulting TTP entity.
By default, only MITRE ATT&CK techniques marked as ‘malicious’ are added to the Analysis field.
SSL verification
Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.
Store your changes by selecting Save.