Create a search term to grab IOCs from JSB e.g. "phish" or "malicious" or "malware" or even a TLD like "xyz"
Results can then be uploaded to tenant Allow Block List using the apprioprate powershell scripts
Proof of concept, creates a CSV in the same directory as script that can be uploaded to MDE:
File naming convention is joesandboxiocs+{thedate}.csv
API key goes into the env file
Whitelist is available
Modify tldextract to extract at different levels I have gone for IOC at highest level which may not make sense
No duplication checks between runs :) however MDE natively handles duplicates
Do not blindly upload, validate results before uploading
TABL does not support punycode (xn--)
DNSTwist: https://github.com/jkerai1/DNSTwistToMDEIOC
Ransomwatch: https://github.com/jkerai1/RansomWatchToMDEIoC/
TLD: https://github.com/jkerai1/TLD-TABL-Block