This code can be used to create an Azure Function that writes threat intelligence from a MISP instance to Microsoft Sentinel. The code is a modified version of the following repository: https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/MISP
For background on this project (in Dutch), see the MISP to Microsoft Sentinel whitepaper:
- An Azure Subscription
- A Microsoft Sentinel Instance (see /doc/SetupMicrosoftSentinel.md)
- The URL and an API key of your MISP instance
Full instructions in INSTALL.md
In summary:
- Create an app registration in the same Microsoft tenant as the Sentinel instance. Grant it the Microsoft Graph application permission ThreatIndicators.ReadWrite.OwnedBy (type "Application", not "Delegated") and give admin consent.
- Create a Key Vault in your Azure subscription.
- Add a secret named "tenants" with the following value (several Sentinel instances can be listed; the function loops over every entry):

```json
{"<TENANT_ID_WITH_APP>": {"id": "<APP_ID>", "secret": "<APP_SECRET>"}}
```

- Create an Azure Function in your Azure subscription.
- Modify config.py to your needs (MISP instance domain, API key, event filter, etc.) and upload the code to your Azure Function.
- Add a "New application setting" (environment variable) named "tenants" to your Azure Function and make it a Key Vault reference to the secret created above. The Function's managed identity needs permission to read secrets in that vault, otherwise the reference does not resolve and the setting is empty at runtime.
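The following is an added example, not code from this repository, showing how the "tenants" setting is consumed once the steps above are done: validate the JSON shape, derive one client-credentials token request per tenant, and loop all tenants. It assumes the function authenticates against the Microsoft identity platform token endpoint with scope `https://graph.microsoft.com/.default` and writes through the Microsoft Graph tiIndicators endpoint (the API that ThreatIndicators.ReadWrite.OwnedBy authorises); the URLs, the helper names and the sample tenant value are assumptions for illustration. Only the parsing and request-building parts run offline; the two network helpers are shown but not exercised.

```python
import json
import os
import urllib.parse
import urllib.request
from typing import Dict, Iterator, List, Tuple

# Added example, not the project's code. Assumed endpoints (see lead-in):
# per-tenant OAuth2 client-credentials grant, indicators posted to Graph tiIndicators.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
TI_URL = "https://graph.microsoft.com/beta/security/tiIndicators"  # assumption

TenantMap = Dict[str, Dict[str, str]]


def parse_tenants(raw: str) -> TenantMap:
    """Validate the 'tenants' secret: {"<tenant id>": {"id": "<app id>", "secret": "<app secret>"}, ...}.

    Error messages name the offending tenant but never echo the secret, so they
    are safe to surface in Function logs.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"tenants setting is not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict) or not data:
        raise ValueError("tenants setting must be a non-empty JSON object")
    for tenant_id, app in data.items():
        if not isinstance(app, dict) or not app.get("id") or not app.get("secret"):
            raise ValueError(f"tenant {tenant_id}: entry needs a non-empty 'id' and 'secret'")
    return data


def load_tenants(setting_name: str = "tenants") -> TenantMap:
    """Read the app setting that the Key Vault reference resolves to.

    A missing value usually means the reference failed: wrong vault/secret URI,
    or the Function's managed identity cannot read secrets in the vault.
    """
    raw = os.environ.get(setting_name)
    if raw is None:
        raise RuntimeError(f"application setting '{setting_name}' is missing or unresolved")
    return parse_tenants(raw)


def token_requests(tenants: TenantMap) -> Iterator[Tuple[str, str, Dict[str, str]]]:
    """Yield (tenant_id, token_url, form_body) for each tenant's client-credentials grant."""
    for tenant_id, app in tenants.items():
        yield tenant_id, TOKEN_URL.format(tenant=tenant_id), {
            "client_id": app["id"],
            "client_secret": app["secret"],
            "scope": GRAPH_SCOPE,
            "grant_type": "client_credentials",
        }


def fetch_token(token_url: str, form_body: Dict[str, str]) -> str:
    """Network call (not run offline): exchange the app secret for a bearer token."""
    req = urllib.request.Request(
        token_url, data=urllib.parse.urlencode(form_body).encode(), method="POST"
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def post_indicator(access_token: str, indicator: Dict[str, object]) -> int:
    """Network call (not run offline): write one tiIndicator and return the HTTP status."""
    req = urllib.request.Request(
        TI_URL,
        data=json.dumps(indicator).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def push_to_all_tenants(tenants: TenantMap, indicators: List[Dict[str, object]]) -> Dict[str, List[int]]:
    """Loop every configured tenant, as the README describes; return HTTP statuses per tenant."""
    results: Dict[str, List[int]] = {}
    for tenant_id, url, body in token_requests(tenants):
        token = fetch_token(url, body)
        results[tenant_id] = [post_indicator(token, ind) for ind in indicators]
    return results


if __name__ == "__main__":
    # Constructed sample in the documented shape; a real deployment gets it from the Key Vault reference.
    os.environ.setdefault(
        "tenants",
        '{"00000000-0000-0000-0000-000000000000": {"id": "app-id", "secret": "app-secret"}}',
    )
    for tenant_id, url, body in token_requests(load_tenants()):
        print(tenant_id, url, sorted(body))  # print the field names only; the body holds the secret
```

Keeping `parse_tenants` strict means a malformed Key Vault value fails the run at startup with a message that points at the tenant entry, rather than failing later with an opaque 401 from the token endpoint for one tenant out of several.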
Attic Security is a solution by Zolder BV to harden and monitor public cloud solutions. Attic can be connected to a Microsoft365 tenant, and can implement Microsoft Sentinel in an automated fashion. An optional feature is the connection to a MISP server for threat intelligence.
Learn more: https://atticsecurity.com
If the installation was successful, the MISP data is written to your Sentinel instance at 00:00 every day. Use the following query to check that the data arrived (it should return rows after the first run):

```kql
ThreatIntelligenceIndicator
| where TimeGenerated > ago(1d)
```
Find examples of KQL queries and Azure Playbooks in /doc/ExampleKQLandPlaybooks.md