JoeSandbox New Solution #12801
...aybooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetIOCs/utils.py
Pull Request Overview
This PR introduces a new JoeSandbox solution for Microsoft Sentinel that provides threat intelligence integration and automated analysis capabilities.
Key Changes:
- Adds complete JoeSandbox solution infrastructure with threat intelligence feed integration
- Implements Azure Function apps for file/URL analysis and IOC generation
- Provides Logic Apps for automated incident response and email attachment analysis
Reviewed Changes
Copilot reviewed 39 out of 76 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| Solutions/JoeSandbox/SolutionMetadata.json | Solution metadata configuration for marketplace deployment |
| Solutions/JoeSandbox/ReleaseNotes.md | Version history and release documentation |
| Solutions/JoeSandbox/README.md | Complete setup and deployment instructions |
| Solutions/JoeSandbox/Package/mainTemplate.json | ARM template for solution deployment infrastructure |
| Solutions/JoeSandbox/Data Connectors/ | Threat intelligence data connector with Azure Functions |
| Solutions/JoeSandbox/Playbooks/ | Logic Apps for URL analysis and email attachment processing |
Solutions/JoeSandbox/README.md
Outdated
| @@ -0,0 +1,227 @@ | |||
| # JoeSandbox Threat Intelligence Feed and Enrichment Integration - Microsoft Sentinel | |||
|
|
|||
| **Latest Version:** **1.0.0** - **Release Date:** **12/09/2025** | |||
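Review bot: the release date `12/09/2025` on the last line of this hunk is ambiguous, because nothing in the README states whether the format is DD/MM or MM/DD (12 September or 9 December); either state the format beside the value, the way the ReleaseNotes table does in its column header, or use an unambiguous form such as `2025-09-12`. Note also that this date does not match the `23-07-2025` date that ReleaseNotes.md gives for the only release it lists, so the two files disagree on the release date as well as on the version number. As a style point, `**Latest Version:** **1.0.0**` renders as two separate bold runs; `**Latest Version:** 1.0.0 - **Release Date:** ...` reads cleaner.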
Copilot
AI
Sep 15, 2025
The version in README.md (1.0.0) does not match the version in ReleaseNotes.md (3.0.0). These should be consistent across all documentation files.
| **Latest Version:** **1.0.0** - **Release Date:** **12/09/2025** | |
| **Latest Version:** **3.0.0** - **Release Date:** **12/09/2025** |
Solutions/JoeSandbox/ReleaseNotes.md
Outdated
| | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | ||
| |-------------|--------------------------------|---------------------------------------------| | ||
| | 3.0.0 | 23-07-2025 | Initial Solution Release | |
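Review bot: the only row in this table is version 3.0.0 labelled "Initial Solution Release"; an initial release normally starts at 1.0.0, which is also what the README.md header in this PR states, so either renumber this row to 1.0.0 or add the earlier rows this history is missing, and make the README agree. The row's date (`23-07-2025`) also differs from the README's release date (`12/09/2025`) for what is presented as the same release; pick one date and use it in both files.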
Copilot
AI
Sep 15, 2025
The release date format is inconsistent. ReleaseNotes.md uses DD-MM-YYYY (23-07-2025) while README.md uses DD/MM/YYYY (12/09/2025). Standardize the date format across all files.
| | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | |
| |-------------|--------------------------------|---------------------------------------------| | |
| | 3.0.0 | 23-07-2025 | Initial Solution Release | | |
| | **Version** | **Date Modified (DD/MM/YYYY)** | **Change History** | | |
| |-------------|--------------------------------|---------------------------------------------| | |
| | 3.0.0 | 23/07/2025 | Initial Solution Release | |
Solutions/JoeSandbox/README.md
Outdated
| 1. Azure functions with Flex Consumption plan. | ||
| Reference: https://learn.microsoft.com/en-us/azure/azure-functions/flex-consumption-plan | ||
|
|
||
| **Note:** Flex Consumption plans are not available in all regions, please check if the region your are deploying the function is supported, if not we suggest you to deploy the function app with premium plan. |
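Review bot: the **Note** on the last line of this hunk is one comma-spliced sentence and reads awkwardly; split it, for example: "Flex Consumption plans are not available in all regions. Check that the region you are deploying the function app to is supported; if it is not, deploy the function app with a Premium plan instead." (this also fixes "your are" and "suggest you to deploy"). The note does not say whether the deployment template supplied with this solution supports the Premium plan fallback as-is or whether the user must edit it; a sentence on that would save the reader a failed deployment.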
Copilot
AI
Sep 15, 2025
Grammatical error: 'your are' should be 'you are'.
| **Note:** Flex Consumption plans are not available in all regions, please check if the region your are deploying the function is supported, if not we suggest you to deploy the function app with premium plan. | |
| **Note:** Flex Consumption plans are not available in all regions, please check if the region you are deploying the function is supported, if not we suggest you to deploy the function app with premium plan. |
| "status": "New", | ||
| "description": "JoeSandbox Email Attachment Scan . From:@{triggerBody()?['from']}. To: @{triggerBody()?['toRecipients']}" | ||
| }, | ||
| "path": "/Incidents/subscriptions/@{encodeURIComponent('7356a8d4-94f5-4210-a777-f4d6329e1c71')}/resourceGroups/@{encodeURIComponent('Joe-Security')}/workspaces/@{encodeURIComponent('JoeSecurity')}" |
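Review bot: the incident `description` expression in this hunk has a stray space before the period in "Scan ." and no space after "From:"; also, the sender value is read straight from the mail header via `triggerBody()?['from']`, which nothing in this flow authenticates, so label it as the header sender (for example "Header From:") rather than presenting it as a verified identity to the analyst. The `path` line embeds a literal subscription ID, resource group name and workspace name inside `encodeURIComponent(...)`; these must come from template parameters so the playbook creates incidents in the deploying tenant's workspace, not the author's.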
Copilot
AI
Sep 15, 2025
Hardcoded subscription ID, resource group, and workspace names in the Logic App template. These should be parameterized to work with different deployments.
| }, | ||
| "method": "post", | ||
| "body": { | ||
| "To": "[email protected]", |
Copilot
AI
Sep 15, 2025
Hardcoded email addresses in the Logic App template. This should be parameterized to allow users to specify their own email addresses.
| "WaitSection" | ||
| ], | ||
| "properties": { | ||
| "packageUri": "https://github.com/RamboV/JoeSandboxMSSentinel/raw/refs/heads/main/JoeSandboxThreatIntelligence/FlexCunsumptionPlan/JoeSandboxConn.zip", |
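Review bot: `packageUri` downloads the function app code from a mutable branch reference (`refs/heads/main`) of a personal GitHub repository, so the code that actually gets deployed can change after this PR is reviewed and merged without any change to the template; reference an immutable artifact (a release tag or a commit SHA) and, since the later conversation asks for a short link for this zip, host the package alongside the solution's other artifacts rather than in a personal repository. The path also contains the typo `FlexCunsumptionPlan`; if that folder is renamed, this URL has to be updated with it or the deployment will fetch a 404.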
Copilot
AI
Sep 15, 2025
Typo in URL path: 'FlexCunsumptionPlan' should be 'FlexConsumptionPlan'.
| "packageUri": "https://github.com/RamboV/JoeSandboxMSSentinel/raw/refs/heads/main/JoeSandboxThreatIntelligence/FlexCunsumptionPlan/JoeSandboxConn.zip", | |
| "packageUri": "https://github.com/RamboV/JoeSandboxMSSentinel/raw/refs/heads/main/JoeSandboxThreatIntelligence/FlexConsumptionPlan/JoeSandboxConn.zip", |
| "status": "New", | ||
| "description": "JoeSandbox Email Attachment Scan . From:@{triggerBody()?['from']}. To: @{triggerBody()?['toRecipients']}" | ||
| }, | ||
| "path": "/Incidents/subscriptions/@{encodeURIComponent('7356a8d4-94f5-4210-a777-f4d6329e1c71')}/resourceGroups/@{encodeURIComponent('Joe-Security')}/workspaces/@{encodeURIComponent('JoeSecurity')}" |
Copilot
AI
Sep 15, 2025
Multiple hardcoded values in the main template including subscription IDs, workspace IDs, and email addresses. These should be replaced with parameters to ensure the template works across different environments.
| "sourcesystem": "JoeSandboxThreatIntelligence", | ||
| "indicators": "@body('GetJoeSanboxIOCs')['custom_response']" | ||
| }, | ||
| "path": "/V2/ThreatIntelligence/4f06a513-315c-41be-8dc2-3dd4da0ba830/UploadIndicators/" |
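Review bot: the action referenced in `@body('GetJoeSanboxIOCs')['custom_response']` is misspelled ("Sanbox"); if the action is renamed to `GetJoeSandboxIOCs` to fix it, this reference and every other one must change with it, otherwise the expression fails at run time. The `path` line hardcodes a workspace GUID (`4f06a513-315c-41be-8dc2-3dd4da0ba830`) in the UploadIndicators route; it should come from a workspace-ID parameter so indicators are uploaded into the deploying tenant's workspace rather than the author's.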
Copilot
AI
Sep 15, 2025
Multiple hardcoded values in the main template including subscription IDs, workspace IDs, and email addresses. These should be replaced with parameters to ensure the template works across different environments.
| }, | ||
| "method": "post", | ||
| "body": { | ||
| "To": "[email protected]", |
Copilot
AI
Sep 15, 2025
Multiple hardcoded values in the main template including subscription IDs, workspace IDs, and email addresses. These should be replaced with parameters to ensure the template works across different environments.
| }, | ||
| "method": "post", | ||
| "body": { | ||
| "To": "[email protected]", |
Copilot
AI
Sep 15, 2025
Multiple hardcoded values in the main template including subscription IDs, workspace IDs, and email addresses. These should be replaced with parameters to ensure the template works across different environments.
Hi @RamboV Kindly check failing validations. Thanks!
Hi @RamboV Kindly check the above comment. Thanks!
@v-maheshbh We have fixed the failed checks. Kindly review and let me know if any changes are required.
Hi @RamboV Thanks!
Hi @v-maheshbh
Hi @v-maheshbh, any update please?
Hi @RamboV Thanks!
Hello @v-maheshbh, the CCF framework will not work in this scenario; it includes multiple API calls to process the data, and each API call is dependent on the other, hence we went with a function app. Please kindly arrange a call to discuss this further.
Hi @RamboV Thanks!
Hi @v-maheshbh, already did that. Please proceed with the review; we got approval.
Hi @RamboV
If you still need anything, please let me know your emails so that I will add them to the loop.
Hi @RamboV Please update the short link and ensure the description is formatted correctly so the author can easily distinguish between the two files. Please find below links, and kindly attach the screenshot of the playbook created. Thanks!
Hi @RamboV Thanks!
Hi @v-maheshbh, can you please create a soft link for the below zip.
Hi @v-maheshbh, any update on soft links please?
Co-authored-by: v-maheshbh <[email protected]>
Hi @v-maheshbh, any update on this please?
)" This reverts commit 803d26e.
)" This reverts commit 20419d8.
Co-authored-by: RamboV <[email protected]>
Hello @v-maheshbh I have reverted the commit as suggested. Please kindly move on to the next steps.
Hi @RamboV Kindly resolve the branch conflict and revert the changes related to chore files. Thanks!
)" This reverts commit 60cd42b.
Co-authored-by: RamboV <[email protected]>
)" This reverts commit 18d71db.
@v-maheshbh can you please help us here? It's getting so much delayed; let us sync on a call to resolve the issues and merge the PR.
Thanks!



Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: