Tuesday, May 23, 2017

Joe Sandbox + Phantom

Good news! You can now use Joe Sandbox in the Phantom Security Automation and Orchestration Platform!

What is Phantom exactly? It is an awesome tool to intelligently combine and automate various security products to build a full incident response chain:


There are already a huge number of apps that use Phantom:


The configuration of the Joe Sandbox app is very simple. Just add your API key:

The aforementioned combination and automation is then done via so-called playbooks. Let us have a look at the Joe Sandbox playbook:


In the playbook you choose various actions (from start to end). Actions are directly related to the apps. The Joe Sandbox app currently supports the following actions:

  • test connectivity - Validate credentials provided for connectivity
  • detonate file - Run the file in Joe Sandbox and retrieve analysis results
  • detonate URL - Load URL in Joe Sandbox and retrieve analysis results
  • check status - Check status of sample (file or URL) submitted for analysis
  • get report - Download report of a completed analysis in Joe Sandbox and add it to vault
  • get PCAP - Download PCAP file of a completed analysis in Joe Sandbox and add it to vault
  • file reputation - Query Joe Sandbox for file reputation
  • URL reputation - Query Joe Sandbox for URL reputation

The Joe Sandbox playbook starts with the detonate file / URL action. Each action has a return value; in the case of the detonate action, an analysis ID is returned. The ID is then fed into the check status action, which checks whether the analysis has already finished:

If the status is "finished", the playbook moves on to the next decision. Otherwise, it loops back and checks again. The second decision checks whether the Joe Sandbox detection is malicious. If so, it fetches a report. You can choose from various analysis reports and artifacts, which include ratings, signatures, scores, IPs, dropped files etc.:

Finally, the report is passed to the investigate playbook which, as an example, informs the IR team.

The outlined Joe Sandbox playbook is just a simple example of how you can use our product in Phantom. Due to the power of Phantom combined with the Deep Analysis of Joe Sandbox you can easily achieve the following goals & use cases:

  • Detonate sample, if malicious, get report, extract malicious IP, block malicious IP (e.g. via firewall)
  • Detonate sample, if malicious, get report, extract dropped file hash, scan endpoints for hash
  • Detonate sample, if malicious, get report, extract Yara rules, scan endpoints
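The playbook logic described above (detonate, poll check status, decide on the detection, get report, extract IPs for a block action) as an added, runnable simulation. This is example code, not Phantom's or Joe Security's own; the `FakeJoeSandbox` class is a constructed in-memory stand-in with hypothetical method names, and the IP values are constructed sample data.

```python
"""Simulation of the Joe Sandbox playbook flow (added example, not the app's
code). FakeJoeSandbox is a constructed stand-in with hypothetical method names."""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 and loopback ranges: a report's contacted IPs can include the
# sandbox's own network, which must never be fed into a firewall block action.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

@dataclass
class FakeJoeSandbox:
    """Constructed stand-in: every check_status call advances the analysis."""
    polls_until_done: int = 2
    verdict: str = "malicious"
    ips: tuple = ("198.51.100.23", "10.0.0.5", "203.0.113.7")  # constructed sample values
    _jobs: dict = field(default_factory=dict)

    def detonate(self, sample):            # hypothetical: returns the analysis ID
        job_id = f"job-{len(self._jobs) + 1}"
        self._jobs[job_id] = 0
        return job_id

    def check_status(self, job_id):        # hypothetical: "running" until done
        self._jobs[job_id] += 1
        return "finished" if self._jobs[job_id] >= self.polls_until_done else "running"

    def get_report(self, job_id):          # hypothetical: minimal report shape
        return {"detection": self.verdict, "contacted_ips": list(self.ips)}

def run_playbook(client, sample, max_polls=10):
    """detonate -> bounded status poll -> detection decision -> get report."""
    job_id = client.detonate(sample)
    status = "unknown"
    for _ in range(max_polls):             # bounded so a stuck analysis cannot hang us
        status = client.check_status(job_id)
        if status in ("finished", "failed"):
            break
    if status != "finished":               # failed or still running: no verdict
        return {"id": job_id, "status": status if status == "failed" else "timeout",
                "malicious": False, "ips": []}
    report = client.get_report(job_id)
    malicious = report["detection"] == "malicious"
    ips = [ip for ip in report["contacted_ips"] if not is_internal(ip)] if malicious else []
    return {"id": job_id, "status": status, "malicious": malicious, "ips": ips}
```

Only a malicious verdict yields IPs, and internal addresses are dropped before they could reach a block action.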

You can download the Joe Sandbox App here.

Thanks again to the Phantom team for the great integration work!