Joe Sandbox for Microsoft Sentinel

Solution: JoeSandbox

JoeSandbox Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Stefan Bühlmann
Support Tier	Partner
Support Link	https://www.joesecurity.org/support
Categories	domains
Version	3.0.0
Author	Stefan Bühlmann
First Published	2025-09-12
Last Updated	2026-02-18
Solution Folder	JoeSandbox
Marketplace	Azure Marketplace · Popularity: ⚪ Very Low (0%)

The JoeSandbox Connector for Microsoft Sentinel enhances security operations by providing enriched threat intelligence, enabling faster and more informed responses to security incidents. The integration has two main parts: first, URL detonation and enrichment, which provides detailed insights into suspicious URLs. Second, it automatically generates and feeds threat intelligence for all submissions to JoeSandbox, improving threat detection and incident response in Sentinel. This seamless integration empowers teams to proactively address emerging threats.

Data Connectors
Tables Used
Content Items
Additional Documentation

Data Connectors

This solution provides 1 data connector(s):

JoeSandboxThreatIntelligence

Tables Used

This solution uses 1 table(s):

Table	Used By Connectors	Used By Content
`ThreatIntelligenceIndicator`	JoeSandboxThreatIntelligence	-

Content Items

This solution includes 2 content item(s):

Content Type	Count
Playbooks	2

Playbooks

Name	Description	Tables Used
JoeSandbox File Analyis	Submits a attachment or set of attachment associated with an office 365 email to JoeSandbox for Anal...	-
JoeSandbox URL Analyis	Submits a url or set of urls associated with an incident to JoeSandbox for Analyis.	-

Additional Documentation

📄 Source: JoeSandbox/README.md

JoeSandbox Threat Intelligence Feed and Enrichment Integration - Microsoft Sentinel

Latest Version: 1.0.0 - Release Date: 15/09/2025

Overview

Requirements

Microsoft Sentinel.
JoeSandbox API Key.
Microsoft Azure 1. Azure functions with Flex Consumption plan. Reference: https://learn.microsoft.com/en-us/azure/azure-functions/flex-consumption-plan

Note: Flex Consumption plans are not available in all regions, please check if the region you are deploying the function is supported, if not we suggest you to deploy the function app with premium plan. Reference: https://learn.microsoft.com/en-us/azure/azure-functions/flex-consumption-how-to?tabs=azure-cli%2Cvs-code-publish&pivots=programming-language-python#view-currently-supported-regions 3. Azure functions Premium plan. Reference: https://learn.microsoft.com/en-us/azure/azure-functions/functions-premium-plan 4. Azure Logic App with Consumption plan. Reference: https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-pricing#consumption-multitenant 5. Azure storage with Standard general-purpose v2.

Microsoft Sentinel

Creating Application for API Access

Open https://portal.azure.com/ and search Microsoft Entra ID service.

Click Add->App registration.

02a

Enter the name of application and select supported account types and click on Register.

In the application overview you can see Application Name, Application ID and Tenant ID.

After creating the application, we need to set API permissions for connector. For this purpose,
Click Manage->API permissions tab
Click Microsoft Graph button
Search indicator and click on the ThreatIndicators.ReadWrite.OwnedBy, click Add permissions button below.
Click on Grant admin consent

app_per