JoeSandboxMCP

Instructions

Implementation Reference

• jbxmcp/tools.py:645-702 (handler)

  The core handler function implementing the logic for 'get_signature_info'. It fetches the analysis report XML, parses the 'signatureinfo/sig' elements, filters based on impact score, and extracts up to 3 supporting indicators per signature detection.
  @mcp.tool() async def get_signature_info(webid: str, run: int = 0, only_malicious_indicators: bool = True) -> Dict[str, Any]: """ Retrieve high-impact signature detections from a sandbox analysis report. This tool extracts detection signatures triggered during the specified analysis run. These signatures reflect behavioral or static patterns typically associated with malware, such as code injection, credential theft, or suspicious memory activity as well as general behavioural indicators. Optional filtering parameters allow control over the inclusion of all signatures or only those with high impact. Args: webid (required): The submission ID of the analysis. run (optional, default = 0): Index of the sandbox run to inspect (from the `runs` array in analysis info). Use 0 for the first run. only_malicious_indicators (default: True): If True, limits the returned signatures to those considered high impact by the detection logic. Returns: A dictionary containing a list of triggered detection signatures. Each entry includes: - desc: Description of the detected malicious behavior or technique. - indicators: List of up to three supporting observations. Each indicator includes: - desc: Action or operation that triggered the detection (e.g., "Section loaded"). - context: Process name or source related to the event. - evidence: Supporting detail, such as file paths, memory dumps, or rule names. - impact: Either "high" or "low", indicating the severity or confidence of the detection. High-impact indicators are strongly associated with malicious behavior or confirmed threats. Low-impact indicators reflect general behavior or environmental traits that may not be malicious on their own. """ try: root = await get_or_fetch_report(webid, run) if root is None: return {"error": f"Could not retrieve or parse report for submission ID '{webid}' run {run}"} siginfo = root.findall("./signatureinfo/sig") sigs = [] for entry in siginfo: attrs = entry.attrib is_malicious_indicator = float(attrs.get("impact", 0.0)) >= 2.0 if is_malicious_indicator or not only_malicious_indicators: sources = [] for source_entry in entry.findall("./sources/source"): source_attrib = source_entry.attrib source = { "desc": source_attrib.get("op"), "context": source_attrib.get("process"), "evidence" : source_entry.text, "impact": "high" if is_malicious_indicator else "low" } sources.append(source) if len(sources) >= 3: break sig = { "desc": attrs.get("desc"), "indicators": sources } sigs.append(sig) return sigs except Exception as e: return { "error": f"Failed to get signature info for submission ID '{webid}' run {run}. " f"Reason: {str(e)}" }
• jbxmcp/tools.py:2-17 (registration)

  The __all__ list exports 'get_signature_info' along with other tools, indicating it is part of the public API.
  __all__ = [ 'submit_analysis_job', 'search_analysis', 'get_analysis_info', 'get_ai_summaries', 'get_dropped_info', 'get_domain_info', 'get_ip_info', 'get_url_info', 'get_signature_info', 'get_unpacked_files', 'get_pcap_file', 'get_list_of_recent_analyses', 'get_process_info', 'get_memory_dumps' ]
• jbxmcp/server.py:19-19 (registration)

  Import of tools.py module in the server, which executes the @mcp.tool() decorators to register all tools including get_signature_info.
  import jbxmcp.tools as tools
• jbxmcp/server.py:11-11 (handler)

  Documentation in server instructions listing 'get_signature_info' as one of the IOC query tools.
  3. IOCs can be queried (get_ioc_for_dropped_files, get_ioc_for_domains, get_ioc_for_ips, get_ioc_for_urls, get_signature_info, get_process_info, get_ai_summaries) by passing the webid. By default only malicious IOCs are returned.