Joe Sandbox to MDE BlockList

Create a search term to grab IOCs from JSB e.g. "phish" or "malicious" or "malware" or even a TLD like "xyz"

Results can then be uploaded to tenant Allow Block List using the apprioprate powershell scripts

Proof of concept, creates a CSV in the same directory as script that can be uploaded to MDE:

File naming convention is joesandboxiocs+{thedate}.csv

API key goes into the env file

Whitelist is available

Modify tldextract to extract at different levels I have gone for IOC at highest level which may not make sense

No duplication checks between runs :) however MDE natively handles duplicates

Do not blindly upload, validate results before uploading

TABL does not support punycode (xn--)

See also MDE IOC/TABL Repos for

DNSTwist: https://github.com/jkerai1/DNSTwistToMDEIOC
Ransomwatch: https://github.com/jkerai1/RansomWatchToMDEIoC/ TLD: https://github.com/jkerai1/TLD-TABL-Block