JoeSandbox URL Analyis
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Submits a url or set of urls associated with an incident to JoeSandbox for Analyis.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | JoeSandbox |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 5 |
function |
Built-in | 0 | 4 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_URLs | post | /entities/url |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Threat_Intelligence_-Upload_Indicators_of_Compromise(V2)_(Preview) | post | /V2/ThreatIntelligence/@{encodeURIComponent(triggerBody()?['workspaceId'])}/UploadIndicators/ |
— |
| Add_comment_to_incident_(V3)_1 | post | /Incidents/Comment |
— |
| Add_Comment_to_incident | post | /Incidents/Comment |
— |
function (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| joesandboxenrichttb-JoeSandboxGetIOCs | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('functionappName'), '/functions/JoeSandboxGetIOCs')] |
| joesandboxenrichttb-JoeSandboxGetAnalysisInfo | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('functionappName'), '/functions/JoeSandboxGetAnalysisInfo')] |
| joesandboxenrichttb-JoeSandboxGetSubmissionInfo | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('functionappName'), '/functions/JoeSandboxGetSubmissionInfo')] |
| joesandboxenrichttb-JoeSandboxSubmitUrl | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('functionappName'), '/functions/JoeSandboxSubmitUrl')] |
Additional Documentation
JoeSandbox URL Analysis Playbook
Table of Contents
Overview
When a new Azure Sentinel Incident is created, this playbook gets triggered and performs the following actions:
- It fetches all the URL objects in the Incident.
- Iterates through the URL objects and submits to JoeSanbox for analysis and fetches the results for each URL.
- All the details from JoeSanbox will be added as comments in a tabular format.
Links to deploy Playbook:
- Click on Deploy to Azure
- It will redirect to configuration page
- Please provide the values accordingly
| Fields | Description | |:---------------------|:----------------------------------------------------------- | Subscription | Select the appropriate Azure Subscription | | Resource Group | Select the appropriate Resource Group | | Region | Based on Resource Group this will be uto populated | | Playbook Name | Please provide a playbook name, if needed | | Workspace ID | Please provide Log Analytics Workspace ID | | Function App Name | Please provide the JoeSandbox enrichment function app name |
- Once you provide the above values, please click on
Review + createbutton.
Authentication
Authentication methods this connector supports:
Prerequisites for using and deploying playbook
- A JoeSanbox API Key.
- JoeSandbox CustomConnector
Deployment instructions
- Deploy the playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post-Deployment instructions.
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
b. Configurations in Sentinel:
- In Azure Sentinel, analytical rules should be configured to trigger an incident with URL indicators.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊