Joe-Sandbox-Microsoft-Defender-Connector

This script will enrich your Microsoft Defender Alerts with Joe Sandbox analysis data (Score, Detection, Threatname and a link to the full analysis)

Requirements

• Python 3.x with required packages (Required Packages)
• Microsoft Defender for Endpoint
• Joe Sandbox Cloud Pro or Basic API key

Installation & Setup

Clone the repository into your folder.

git clone https://github.com/joesecurity/Joe-Sandbox-Microsoft-Defender-Addon.git

Install the requirements.

pip install -r requirements.txt

Joe Sandbox Setup

Generate an API Key in User Settings - API key and copy it to jbxAPIKey in connectory.py

Microsoft Defender for Endpoint Setup

Creating Application for API Access

• Open https://portal.azure.com/ and click on Microsoft Entra ID
• Click App registrations

• Click New registration button, enter the name Joe Sandbox Sync and click register
• Copy the Applicatin (client) ID and Directory (tenant) ID to msClientId and msTenantId in connectory.py

• Now we need to grant permissions to the App. Click on API permissions then Add a permission

• Choose APIs my organization uses and then type WindowsDefenderATP

• Select Application Permission

• Add Alert.Read.All, Alert.ReadWrite.All and click Add permission

• Goto Certificates and secrets
• Click New client secret
• Copy Value to msAppSecret in connectory.py

• Finally goto API Permissions again and click Grant admin consens for all permissions

Running the Connector

Running with CLI

Simply start the connector via cmdline. You likely want to add it crontab to run it regularly. Adjust the timeSpan in connectory.py to change the search span of alerts.

python connector.py

If the connector finds Joe Sandbox analyses which match Microsoft Defender alerts then a new comment is added: