Joe Security's Blog
Dive deeper with the Joe Sandbox Splunk Add-On
Published on: 14.05.2019
Joe Sandbox is known to provide very deep analysis reports on malware. As a result, the size of the output data is enormous. In a recent blog post, we have outlined how you can master the large volume of the generated data. In this blog post, we will present the new Splunk Add-on, which also helps to handle the behavior data Joe Sandbox captures.
Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. Splunk is often used as a SIEM within SOCs, CERTs and CIRTs. Various data streams from firewalls, endpoints and sandboxes are sent to Splunk, which then correlates the data.
The Joe Sandbox Splunk Add-on is a connector between Joe Sandbox and Splunk. It fully automates the import of behavior data from Joe Sandbox to Splunk:
Installing the Joe Sandbox Splunk Add-on
Installing the Add-on is easy. Download the Add-on from our Github repository. In Splunk, go to Manage Apps and then choose installation from file. Once Splunk has restarted go to apps - Joe Sandbox Add-on and create an input:
You have to provide a name and add your Joe Sandbox API Key. The API Key can be found in the user settings of the Joe Sandbox web interface. If you like to perform deep searches, untick the use small report checkbox and once done, hit Add. The Add-on will then start importing all your behavior reports. Please note the Add-on will continuously import new behavior reports generated by Joe Sandbox.
Rich Reports allow deep Searches
In order to run queries, you have to use the sourcetype jbx. Here are a couple of simple searches:
- List all samples with the name id and detection verdict
sourcetype=jbx | table fileinfo.filename, generalinfo.target.url, generalinfo.id, fileinfo.md5, signaturedetections.strategy{}.detection- Search for dropped PE files
sourcetype=jbx | rename "droppedinfo.hash{}.@type" as dropped_type, "droppedinfo.hash{}.@file" as dropped_file, "generalinfo.id" as id | eval temp=mvzip(dropped_type,dropped_file, "|") | mvexpand temp | eval dropped_type=mvindex(split(temp,"|"),0) | eval dropped_file=mvindex(split(temp,"|"),1) | search dropped_type="PE*" | table id, dropped_type, dropped_file- Search for all samples which connected to a specific IP address
sourcetype=jbx | search "ipinfo.ip{}.@ip"="172.217.168.34" | table fileinfo.filename, generalinfo.target.url, generalinfo.id- Search for all samples which connected to a malicious IP address
sourcetype=jbx | rename "ipinfo.ip{}.@malicious" as ip_malicious, "ipinfo.ip{}.@ip" as ip_value, "generalinfo.id" as id | eval temp=mvzip(ip_malicious,ip_value, "|") | mvexpand temp | eval ip_malicious=mvindex(split(temp,"|"),0) | eval ip_value=mvindex(split(temp,"|"),1) | search ip_malicious="true" | table id, ip_value- Search for all samples which connected to a malicious URL
sourcetype=jbx | rename "urlinfo.url{}.@malicious" as url_malicious, "urlinfo.url{}.@name" as url_value, "generalinfo.id" as id | eval temp=mvzip(url_malicious,url_value, "|") | mvexpand temp | eval url_malicious=mvindex(split(temp,"|"),0) | eval url_value=mvindex(split(temp,"|"),1) | search url_malicious="true" | table id, url_value- Search for all samples which connected to a malicious domain
sourcetype=jbx | rename "domaininfo.domain{}.@malicious" as domain_malicious, "domaininfo.domain{}.@name" as domain_value, "generalinfo.id" as id | eval temp=mvzip(domain_malicious,domain_value, "|") | mvexpand temp | eval domain_malicious=mvindex(split(temp,"|"),0) | eval domain_value=mvindex(split(temp,"|"),1) | search domain_malicious="true" | table id, domain_value
As you can see, the behavior data is nicely structured in JSON. Here is a quick overview of what data is available:
Fileinfo contains static information on the file. E.g. if the submitted file is an Office document you will find the OLE streams as well as the VBA code inside this object. Behavior contains detailed system-level behavior, such as all files created, opened, written, deleted, etc. It also contains network traffic such as all TCP, UDP, HTTP, HTTPS streams. Domaininfo, ipinfo, urlinfo and droppedinfo are classic IOC objects. They contain the created files with MD5 and SHA hashes, IP, domain and URL information. Signaturedetections, signatureclassficiation, mitreattack and signatureinfo include all the matching behavior rules, the detection verdict (clean, suspicious or malicious), detection score and classification (ransomware, banker, worm etc). Eventlog includes all the Windows event log data including PowerShell logs. Finally yara and avhit list Yara and Antivirus matches.
All those objects can be easily searched. Here are some more advanced search queries:
- Search for all samples with a valid PE certificate
sourcetype=jbx | search "fileinfo.pe.signature.sigvalid"="true"- Search for all samples which created a file in C:\Windows
source=jbx | rename "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path, "generalinfo.id" as id | mvexpand fileCreated_path | search fileCreated_path="C:\\Windows\\*" | table id, fileCreated_path- Search for all samples which injected into explorer.exe
sourcetype=jbx | search behavior.system.processes.process{}.general.name="explorer.exe" | search behavior.system.processes.process{}.general.reason="extstingprocessinject" | table "generalinfo.id", "fileinfo.filename"- Search PowerShell event log (transcript)
sourcetype=jbx | search "behavior.system.processes.process{}.powershellactivities.eventlog.call{}.name"="ScriptBlockText" | table "generalinfo.id", "behavior.system.processes.process{}.powershellactivities.eventlog.call{}.execution"- Search for all samples which use a specific MITRE ATT&CK technique
sourcetype=jbx | search mitreattack.tactic{}.technique{}.id="t1022" | table "generalinfo.id", "mitreattack.tactic{}.technique{}.id"
If you are looking for more example searches and visualizations please check out the Joe Sandbox Add-on Github page.
For each search, you can define custom alerts. E.g. if you would like to get informed whenever you analyze a malware sample with a valid PE file:
Joe Sandbox and Splunk - a powerful combination
Thanks to the free Joe Sandbox Splunk Add-on, cybersecurity analysts can automatically import rich Joe Sandbox behavior data into Splunk.
The behavior data is extensive and nicely structured. As a result, analysts can easily perform deep searches to reveal e.g. related malware samples. They can also easily build visualizations, statistics and much more.
The behavior data is extensive and nicely structured. As a result, analysts can easily perform deep searches to reveal e.g. related malware samples. They can also easily build visualizations, statistics and much more.
Want to try Joe Sandbox and use the Joe Sandbox Splunk Add-on? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!