Joe Sandbox is a dynamic malware analysis platform that executes files, URLs, documents, and scripts in instrumented environments to reveal behavior, IOCs, and detection signals.
Overview
- What you get: verdicts/scores, process trees, network/file/registry activity, extracted indicators, and deep-dive HTML/PDF reports.
- Why connect it to Qevlar: investigations are automatically enriched with sandbox results and links back to the full Joe Sandbox report.
Prerequisites
- A Joe Sandbox account (Cloud BASIC or enterprise/private).
- An API key with access to the Web API.
- If using Cloud BASIC, understand that submissions are public (see Security & privacy below).
Step 1: Open Integrations in Qevlar
From the left navigation, open Integrations.

Use the search to find Joe Sandbox and click the + button to start configuration.

Step 2: Get your Joe Sandbox API key
2.1: Open User Settings in Joe Sandbox
Log in to Joe Sandbox Cloud BASIC (or your enterprise instance). Open the user menu (top-right).

Click User Settings to access your account configuration.

2.2: Generate a new API key (Cloud BASIC)
Go to the API Key tab. On the free Cloud BASIC tier you must acknowledge:
- Terms and Conditions
- Data Protection Policy
- Publication of all data (your submissions and results are public)
Then click Generate API key.

2.3: Copy the key
Your new key appears in the API Key tab. Copy it to your clipboard.

Step 3: Finish setup in Qevlar
In the Joe Sandbox connector dialog, paste the API key and select Test & Save.

Once saved, the connector is active for your workspace.
Validate the integration
- Open or start an Investigation in Qevlar.
- When a file hash, URL, or related artifact is present, Qevlar queries Joe Sandbox and returns:
  - Verdict / score
  - Behavioral summary
  - Extracted IOCs (domains, IPs, dropped files)
  - A link to the full Joe Sandbox report
- Follow the report link for a deep dive (process tree, screenshots, network traces, dropped artifacts).