Skip to content

Converting Malicious Joe Sandbox Results to MDE IOC Lists and TenantAllowBlockLists

License

Notifications You must be signed in to change notification settings

jkerai1/JoeSandBoxToMDEBlockList

Repository files navigation

GitHub stars GitHub forks GitHub issues GitHub pulls

Joe Sandbox to MDE BlockList

Create a search term to grab IOCs from JSB e.g. "phish" or "malicious" or "malware" or even a TLD like "xyz"

Results can then be uploaded to tenant Allow Block List using the apprioprate powershell scripts

Proof of concept, creates a CSV in the same directory as script that can be uploaded to MDE:

image

image

image

File naming convention is joesandboxiocs+{thedate}.csv

API key goes into the env file

Whitelist is available

Modify tldextract to extract at different levels I have gone for IOC at highest level which may not make sense

No duplication checks between runs :) however MDE natively handles duplicates

Do not blindly upload, validate results before uploading

TABL does not support punycode (xn--)

See also MDE IOC/TABL Repos for

DNSTwist: https://github.com/jkerai1/DNSTwistToMDEIOC
Ransomwatch: https://github.com/jkerai1/RansomWatchToMDEIoC/ TLD: https://github.com/jkerai1/TLD-TABL-Block