This script will enrich your Microsoft Defender Alerts with Joe Sandbox analysis data (Score, Detection, Threatname and a link to the full analysis)
- Python 3.x with required packages (Required Packages)
- Microsoft Defender for Endpoint
- Joe Sandbox Cloud Pro or Basic API key
Clone the repository into your folder.
git clone https://github.com/joesecurity/Joe-Sandbox-Microsoft-Defender-Addon.git
Install the requirements.
pip install -r requirements.txt
Generate an API Key in User Settings
- API key
and copy it to jbxAPIKey
in connectory.py
- Open https://portal.azure.com/ and click on
Microsoft Entra ID
- Click
App registrations
- Click
New registration button
, enter the nameJoe Sandbox Sync
and clickregister
- Copy the
Applicatin (client) ID
andDirectory (tenant) ID
tomsClientId
andmsTenantId
in connectory.py
- Now we need to grant permissions to the App. Click on
API permissions
thenAdd a permission
- Choose
APIs my organization uses
and then typeWindowsDefenderATP
- Select
Application Permission
- Add
Alert.Read.All
,Alert.ReadWrite.All
and clickAdd permission
- Goto
Certificates and secrets
- Click
New client secret
- Copy
Value
tomsAppSecret
in connectory.py
- Finally goto
API Permissions
again and clickGrant admin consens
for all permissions
Simply start the connector via cmdline. You likely want to add it crontab to run it regularly. Adjust the timeSpan
in connectory.py to change the search span of alerts.
python connector.py
If the connector finds Joe Sandbox analyses which match Microsoft Defender alerts then a new comment is added: