Skip to content
/ JoeSandBoxToMDEBlockList Public

Converting Malicious Joe Sandbox Results to MDE IOC Lists and TenantAllowBlockLists

License

GPL-3.0 license
1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jkerai1/JoeSandBoxToMDEBlockList

BranchesTags

Repository files navigation

GitHub stars GitHub forks GitHub issues GitHub pulls

Joe Sandbox to MDE BlockList

Create a search term to grab IOCs from JSB e.g. "phish" or "malicious" or "malware" or even a TLD like "xyz"

Results can then be uploaded to tenant Allow Block List using the apprioprate powershell scripts

Proof of concept, creates a CSV in the same directory as script that can be uploaded to MDE:

image

image

image

File naming convention is joesandboxiocs+{thedate}.csv

API key goes into the env file

Whitelist is available

Modify tldextract to extract at different levels I have gone for IOC at highest level which may not make sense

No duplication checks between runs :) however MDE natively handles duplicates

Do not blindly upload, validate results before uploading

TABL does not support punycode (xn--)

See also MDE IOC/TABL Repos for

DNSTwist: https://github.com/jkerai1/DNSTwistToMDEIOC
Ransomwatch: https://github.com/jkerai1/RansomWatchToMDEIoC/ TLD: https://github.com/jkerai1/TLD-TABL-Block

About

Converting Malicious Joe Sandbox Results to MDE IOC Lists and TenantAllowBlockLists

Topics

ioc csv sandbox malware defender tip endpoint mde ti threat-intelligence phish jsb dfe tabl joesandbox threathuntingisntiocs tenantallowblocklist

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages