Updated guidance on how to set up the MISP2Sentinel Azure Function to push threat intelligence from MISP to Microsoft Sentinel using the new Upload Indicators API.
So my previous post was about pushing Threat Intelligence from MISP to Microsoft Sentinel, namely into the ThreatIntelligenceIndicator table. The method for doing this was the Microsoft Graph API, which is in the process of being superseded by the new Upload Indicators API. This means we've got some updates to do!
This post will first and foremost be a quick guide on how to set up and deploy the new solution. The majority of the work is being done by Koen van Impe on the Python side; I'm simply helping out in the Azure department, making sure there's a version that is easily deployable and works when running as an Azure Function. You can follow the MISP2Sentinel project on Github for more updates.
NOTE: The installation guide is still a work in progress, but should be sufficient to get you up and running. Any feedback is appreciated, so feel free to open an issue on Github.
Not much will change from my previous post, so most of this guidance will be similar. The only difference is that you don't need to add Microsoft Graph API permissions to your Azure AD app registration, but instead need to add a role on the workspace, namely the Microsoft Sentinel Contributor role.
NOTE: This comes with the unwanted side-effect of the current implementation of the multi-tenant push only being able to push to one workspace per tenant.
Create a new Azure VM called MISP running Ubuntu LTS 20.04, log in to it as the misp user and download the MISP install script:

```
wget --no-cache -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh
```

Once the install has finished we can log in to the MISP web interface using the default credentials. Change them straight away: the VM has a public IP address, so an unchanged default password on MISP is reachable from the whole internet. Restricting inbound HTTPS on the VM's network security group to the addresses that actually need it is a good idea as well.
Go to the Feeds tab and enable the two default feeds. We should be able to see events being pulled from the feeds now if we head over to the Administration tab and select Jobs.
Note down the following MISP values, which we will need later:

- URL: the Azure public IP address of the VM, in the format https://<ip address>/
- API key: this was in the output when the install finished, but we can also add a new one by going to Administration and selecting Add authentication key. Use a dedicated key for the function rather than your own, so it can be revoked on its own if it ever leaks.

Create a new App Registration in Azure AD called MISP2Sentinel using all default settings, and assign it the Microsoft Sentinel Contributor role on your Microsoft Sentinel workspace. Note down:

- Application (client) ID
- Directory (tenant) ID
- Client secret
Create a Key Vault called MISP2Sentinel-kv using all default settings and add the following secrets:

- mispkey: the MISP API key
- mispurl: the MISP URL
- tenants: a JSON array with one object per tenant you want to push TI to, each containing the tenant ID, client ID, client secret and workspace ID of that tenant:

```json
[
    {
        "tenantId": "<TENANT_ID_WITH_APP_1>",
        "id": "<APP_ID>",
        "secret": "<APP_SECRET>",
        "workspaceId": "<WORKSPACE_ID>"
    },
    {
        "tenantId": "<TENANT_ID_WITH_APP_N>",
        "id": "<APP_ID>",
        "secret": "<APP_SECRET_N>",
        "workspaceId": "<WORKSPACE_ID_N>"
    }
]
```
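A malformed tenants secret only shows up as a failed invocation later, so it is worth checking before it goes into the Key Vault. The following is an added example of mine, not code from the MISP2Sentinel project: it checks the secret against the shape shown above (four string fields per entry, GUID-shaped IDs, no leftover `<PLACEHOLDER>` values) and rejects a tenant listed twice, since the current implementation pushes to one workspace per tenant. The GUIDs in the sample secrets are made up.

```python
import json
import re
from typing import Dict, List

# Shape of the `tenants` secret as shown on this page; nothing else is assumed
# about the MISP2Sentinel code itself.
REQUIRED_KEYS = ("tenantId", "id", "secret", "workspaceId")
GUID_KEYS = ("tenantId", "id", "workspaceId")
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def validate_tenants(raw: str) -> List[str]:
    """Return a list of problems with the secret; an empty list means it is usable.

    Checks: parses as a non-empty JSON array, every entry has the four keys with
    non-empty string values, GUID fields look like GUIDs, no <PLACEHOLDER> values
    are left over, and no tenant appears twice (one workspace per tenant).
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(data, list) or not data:
        return ["top level must be a non-empty JSON array"]

    problems: List[str] = []
    first_seen: Dict[str, int] = {}
    for idx, entry in enumerate(data):
        if not isinstance(entry, dict):
            problems.append(f"entry {idx}: not a JSON object")
            continue
        for key in REQUIRED_KEYS:
            value = entry.get(key)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"entry {idx}: '{key}' is missing or empty")
            elif value.startswith("<") and value.endswith(">"):
                problems.append(f"entry {idx}: '{key}' still holds the placeholder {value}")
            elif key in GUID_KEYS and not GUID_RE.match(value):
                problems.append(f"entry {idx}: '{key}' is not a GUID")
        for key in sorted(set(entry) - set(REQUIRED_KEYS)):
            problems.append(f"entry {idx}: unexpected key '{key}'")
        tenant = entry.get("tenantId")
        if isinstance(tenant, str):
            tenant = tenant.lower()
            if tenant in first_seen:
                problems.append(
                    f"entry {idx}: tenant {tenant} already appears at entry "
                    f"{first_seen[tenant]}; only one workspace per tenant is supported"
                )
            else:
                first_seen[tenant] = idx
    return problems


# Constructed sample secrets (made-up GUIDs, not real tenants).
GOOD_SECRET = json.dumps([
    {"tenantId": "11111111-1111-1111-1111-111111111111",
     "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "secret": "example-client-secret",
     "workspaceId": "22222222-2222-2222-2222-222222222222"},
    {"tenantId": "33333333-3333-3333-3333-333333333333",
     "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "secret": "example-client-secret",
     "workspaceId": "44444444-4444-4444-4444-444444444444"},
])

# Same tenant listed twice with two workspaces: not supported by the current push.
DUPLICATE_TENANT_SECRET = json.dumps([
    {"tenantId": "11111111-1111-1111-1111-111111111111",
     "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "secret": "example-client-secret",
     "workspaceId": "22222222-2222-2222-2222-222222222222"},
    {"tenantId": "11111111-1111-1111-1111-111111111111",
     "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "secret": "example-client-secret",
     "workspaceId": "44444444-4444-4444-4444-444444444444"},
])

# The template from this page, pasted in without filling it out.
TEMPLATE_SECRET = (
    '[{"tenantId": "<TENANT_ID_WITH_APP_1>", "id": "<APP_ID>", '
    '"secret": "<APP_SECRET>", "workspaceId": "<WORKSPACE_ID>"}]'
)

if __name__ == "__main__":
    for name, secret in [("good", GOOD_SECRET),
                         ("duplicate tenant", DUPLICATE_TENANT_SECRET),
                         ("template", TEMPLATE_SECRET)]:
        print(name, "->", validate_tenants(secret) or "OK")
```

Run it against the file you are about to upload; the placeholder check catches the most common mistake, and the duplicate-tenant check stops you from configuring a second workspace that the function will silently never push to.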
Create a new Azure Function App called MISP2Sentinel. After it has been created, add a system-assigned managed identity to it. This is what the function uses to authenticate to the Key Vault, so also grant that identity read access to the secrets (the Key Vault Secrets User role if the vault uses Azure RBAC, or Get on secrets if it uses access policies); the Key Vault references in the application settings will not resolve without it.
Add the following application settings to the Function App:

- tenants: @Microsoft.KeyVault(SecretUri=https://<keyvaultname>.vault.azure.net/secrets/tenants/)
- mispkey: @Microsoft.KeyVault(SecretUri=https://<keyvaultname>.vault.azure.net/secrets/mispkey/)
- mispurl: https://<url> or https://<ip address>
- timerTriggerSchedule: takes a cron expression, for example 0 */2 * * * (every two hours). For more information, see Timer trigger for Azure Functions. Azure Functions accepts the five-field form used here; if you write the six-field NCRONTAB form with a leading seconds field instead, the equivalent is 0 0 */2 * * *.
- AzureFunctionsJobHost__functionTimeout: 00:10:00 if using the consumption plan (ten minutes is the maximum there), or 02:00:00 if using premium or dedicated plans. This setting is required to prevent the function from timing out when processing large amounts of data.

Two things to watch out for. If a Key Vault reference cannot be resolved (typically because the managed identity has no access to the vault), the app setting keeps the literal @Microsoft.KeyVault(...) string and the function will send that to MISP as its API key; the Configuration blade shows a red status on the setting when that happens. And if mispurl points at https://<ip address> with the self-signed certificate the installer generated, the function's HTTPS client will reject it; install a trusted certificate on the MISP VM rather than turning off certificate verification in config.py, since the API key travels in every request.

This is how the application settings should look (I like to start off with a low frequency on the timer trigger to make sure everything is working as expected):
Edit config.py. This will mainly consist of updating the filter and the lifetime of the IOCs.
In VS Code's Azure extension, select the Azure Function and choose Deploy to Function App… The MISP2Sentinel function should then show up under the Function App.
I have added the option to do a ZIP deploy. If you want to make changes to the ZIP file, simply add the contents of the AzureFunction folder (minus any .venv folder you might have created) to a ZIP file and upload that. Zip the contents, not the folder itself: host.json and requirements.txt must sit at the root of the archive, otherwise the Function App starts up but finds no functions.

PowerShell:

```powershell
Publish-AzWebApp -ResourceGroupName <ResourceGroupName> -Name <FunctionName> -ArchivePath .\AzureFunction.zip -Force
```

Azure CLI:

```bash
az functionapp deployment source config-zip --resource-group <resourcegroupname> --name <functionappname> --src <path to zip file>
```

You can also use the WEBSITE_RUN_FROM_PACKAGE configuration setting, which allows you to upload the ZIP file to a storage account (or a Github repository) and have the Azure Function run from there. This is useful if you want to use a CI/CD pipeline to deploy the Azure Function, meaning you can just update the ZIP file and have the Azure Function pick up the new version automatically. If you point the setting at a URL, keep that location write-protected (a SAS URL on a private blob rather than anything publicly writable): whoever can replace that package controls what the function executes.
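Because the wrong archive layout is the usual reason a ZIP deploy "succeeds" but produces no function, here is an added example of mine (not part of the MISP2Sentinel repository) that builds the package from a folder laid out like AzureFunction, drops .venv and __pycache__, and checks the result before you hand it to Publish-AzWebApp or az. The folder contents it builds for the demo are constructed stand-ins; it assumes the v1 layout with a function.json per function, but also accepts a v2 function_app.py.

```python
import os
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple

# Folders and files that must never end up in the deployment package.
EXCLUDED_DIRS = {".venv", "venv", "__pycache__", ".git", ".vscode", ".pytest_cache"}
EXCLUDED_SUFFIXES = {".pyc"}


def build_package(src_dir: Path, zip_path: Path) -> List[str]:
    """Zip the *contents* of src_dir into zip_path and return the archive member names.

    Member names are relative to src_dir, so host.json lands at the archive root,
    which is what a ZIP deploy expects.
    """
    src_dir = Path(src_dir)
    names: List[str] = []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, dirs, files in os.walk(src_dir):
            # Prune excluded directories in place so os.walk does not descend into them.
            dirs[:] = sorted(d for d in dirs if d not in EXCLUDED_DIRS)
            for fname in sorted(files):
                if Path(fname).suffix in EXCLUDED_SUFFIXES:
                    continue
                full = Path(root) / fname
                arcname = full.relative_to(src_dir).as_posix()
                zf.write(full, arcname)
                names.append(arcname)
    return names


def check_package(zip_path: Path) -> List[str]:
    """Return layout problems in an existing package; an empty list means it looks deployable."""
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
    problems: List[str] = []
    if "host.json" not in names:
        problems.append("host.json is not at the archive root (zipped the folder instead of its contents?)")
    if "requirements.txt" not in names:
        problems.append("requirements.txt is not at the archive root; dependencies will not be installed")
    if not any(n.endswith("/function.json") or n == "function_app.py" for n in names):
        problems.append("no function.json (v1 model) or function_app.py (v2 model) found; the host will load no functions")
    leaked = sorted({n.split("/", 1)[0] for n in names if n.split("/", 1)[0] in EXCLUDED_DIRS})
    for top in leaked:
        problems.append(f"{top}/ leaked into the package")
    return problems


def make_sample_tree(base: Path) -> None:
    """Constructed stand-in for the AzureFunction folder, including junk that must be dropped."""
    files = {
        "host.json": '{"version": "2.0"}',
        "requirements.txt": "azure-functions\n",
        "MISP2Sentinel/__init__.py": "def main(mytimer): ...\n",
        "MISP2Sentinel/function.json": '{"bindings": []}',
        "MISP2Sentinel/__pycache__/__init__.cpython-39.pyc": "junk",
        ".venv/lib/site.py": "junk",
    }
    for rel, content in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a correct package and a wrongly nested one; return (good names, good problems, nested problems)."""
    with tempfile.TemporaryDirectory() as src_tmp, tempfile.TemporaryDirectory() as out_tmp:
        src = Path(src_tmp) / "AzureFunction"
        make_sample_tree(src)
        good_zip = Path(out_tmp) / "AzureFunction.zip"
        good_names = build_package(src, good_zip)
        good_problems = check_package(good_zip)
        # The classic mistake: zipping the parent, so every member is prefixed with AzureFunction/.
        nested_zip = Path(out_tmp) / "nested.zip"
        build_package(Path(src_tmp), nested_zip)
        nested_problems = check_package(nested_zip)
    return good_names, good_problems, nested_problems


if __name__ == "__main__":
    names, ok, bad = demo()
    print("members:", names)
    print("good package problems:", ok or "none")
    print("nested package problems:", bad)
```

For real use, call build_package on your AzureFunction folder and refuse to upload if check_package returns anything; the same check is cheap to run in the CI/CD pipeline mentioned above before the package is pushed to the storage account that WEBSITE_RUN_FROM_PACKAGE points at.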
Add a redirect URI to the app registration we created earlier, for example https://portal.azure.com. The app registration also has to be set to multi-tenant (Accounts in any organizational directory, under Authentication); the single-tenant default is rejected by the consent endpoint in any other tenant.

To make the app registration work in the other tenants you will need to grant admin consent to the enterprise app in each tenant. This is done by an administrator of that tenant navigating to the following URL:

```
https://login.microsoftonline.com/common/adminconsent?client_id=<APP_ID>&sso_reload=true
```

If done correctly, you are redirected to the redirect URI with admin_consent=True and the tenant ID in the query string, and the enterprise app now exists in that tenant.
Assign the enterprise app the Microsoft Sentinel Contributor role on the workspace in that tenant, then update the tenants secret in the Key Vault to include the new tenant ID and workspace ID. The client ID and secret remain the same.

Click on Logs to see the output of the function live, or check Invocations to see the execution history; failures for one specific tenant usually point back to its entry in the tenants secret. You can also check the ThreatIntelligenceIndicator table in the Log Analytics workspace to see the indicators that have been pushed to Sentinel.
MISP2Sentinel is now also available as a solution!
You can find it in the content hub, and it will show up as a new data connector (this helps you verify that you are actually ingesting MISP events, as opposed to indicators from other TI sources):