JoeSandbox File Analyis
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Submits a attachment or set of attachment associated with an office 365 email to JoeSandbox for Analyis.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | JoeSandbox |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
office365 |
Managed | 1 | 2 |
function |
Built-in | 0 | 4 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_incident | put | [concat('/Incidents/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/workspaces/',parameters('WorkspaceName'))] |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Threat_Intelligence_-Upload_Indicators_of_Compromise(V2)_(Preview) | post | /V2/ThreatIntelligence/@{encodeURIComponent(triggerBody()?['workspaceId'])}/UploadIndicators/ |
— |
office365 (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_an_email_(V2) | post | /v2/Mail |
— |
| Send_an_email_(V2)_for_clean_analysis | post | /v2/Mail |
— |
function (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| GetJoeSanboxFiles | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('functionappName'), '/functions/JoeSandboxSubmitFile')] |
| GetJoeSanboxIOCs | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('functionappName'), '/functions/JoeSandboxGetIOCs')] |
| GetJoeSanbdoxAnalysis | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('functionappName'), '/functions/JoeSandboxGetAnalysisInfo')] |
| GetJoeSanboxSubmissions | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('functionappName'), '/functions/JoeSandboxGetSubmissionInfo')] |
Additional Documentation
📄 Source: JoeSandbox-Submit-File-Outlook-Attachment/readme.md
JoeSandbox File Analysis Playbook
Table of Contents
Overview
This playbook gets triggered when an new email is recieved in the configured mail box and performs the following actions:
- It fetches the attachments objects in the Email.
- Iterates through and submits to JoeSanbox for analysis and fetches the results for each File.
- All the details from JoeSanbox will be added as comments in a tabular format.
Links to deploy Playbook:
- Click on Deploy to Azure
- It will redirect to configuration page
- Please provide the values accordingly
| Fields | Description | |:---------------------|:----------------------------------------------------------- | Subscription | Select the appropriate Azure Subscription | | Resource Group | Select the appropriate Resource Group | | Region | Based on Resource Group this will be uto populated | | Playbook Name | Please provide a playbook name, if needed | | Workspace Name | Please provide Log Analytics Workspace Name | | Workspace ID | Please provide Log Analytics Workspace ID | | Function App Name | Please provide the JoeSandbox enrichment function app name |
- Once you provide the above values, please click on
Review + createbutton.
Authentication
Authentication methods this connector supports:
Prerequisites for using and deploying playbook
- A JoeSanbox API Key.
- JoeSandbox Logic App Custom Connector should be installed.
Deployment instructions
- Deploy the playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post-Deployment instructions.
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊