Joe Sandbox Solution: ARM Template Fixes and IOC Handling Improvements

What Changed

Joe Sandbox solution updated to v3.0.1 addressing ARM template compatibility issues and improving playbook functionality. Updates include Azure Storage API version alignment and IOC handling improvements.

Security Impact (Visibility & Fidelity)

ARM template compatibility restored: Updated storage account API versions from deprecated versions to 2025-01-01 across all deployment templates — deployments using older API versions were likely failing with compatibility errors, preventing new installations.

IOC processing logic fixed: Removed global INDICATOR_LIST variable and refactored IOC handling in JoeSandboxGetIOCs function — previous implementation had potential data leakage between function invocations and incorrect return handling that could cause IOC extraction failures.

Hash type mapping corrected: Updated hash type field mapping from underscore format (md5_hash, sha1_hash, sha256_hash) to standard format (md5, sha1, sha256) — this aligns with expected threat intelligence indicator format requirements.

Function reference fixes: Corrected case-sensitive variable references in Logic App templates (Functionappname to functionappName) — these template errors would cause deployment failures for new playbook installations.

This update primarily addresses deployment and operational reliability rather than introducing new detection capabilities.

Affected Files

Solutions/JoeSandbox/Data Connectors/JoeSandbox/const.py
Solutions/JoeSandbox/Data Connectors/JoeSandbox/utils.py
Solutions/JoeSandbox/Data Connectors/azuredeploy_JoeSandboxThreatIntelligenceFuncApp_AzureFunction_flex.json
Solutions/JoeSandbox/Data Connectors/azuredeploy_JoeSandboxThreatIntelligenceFuncApp_AzureFunction_premium.json
Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetIOCs/app.py
Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetIOCs/utils.py
Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/azuredeploy.json
Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-File-Outlook-Attachment/azuredeploy.json
Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-Url-Sentinel-Incident/azuredeploy.json
(packaging artefacts: 3.0.1.zip, JoeSandboxConn.zip, JoeSandboxEnrichment.zip, ReleaseNotes.md, Solution_JoeSandbox.json, mainTemplate.json)