
Integrating open source threat feeds with MISP and Sentinel

by Azure Sentinel News Editor
December 1, 2020
in Threat Intelligence

Recently, Microsoft released an open source set of malicious file hash indicators identified in attempted attacks against our customers that used COVID-19 themed malicious email attachments. Office 365 successfully blocked these attempts, but the indicators can be consumed and used by customers to further protect themselves. The feed of indicators is provided as a data file on GitHub that can be consumed using MISP.

In this blog post I will show Azure Sentinel customers how to set up a MISP server that can receive any public feeds, including these COVID-19 indicators, and import the data into your Azure Sentinel environment. It is also possible to use this code to import MISP data into Microsoft Defender ATP as well. Haim Goldshtein has already written a blog post on doing this. Instructions here have been tested on Ubuntu 18.04 but should be applicable to many other distributions – even WSL.

The COVID-specific threat intelligence feed represents a start at sharing some of Microsoft’s COVID-related IOCs. We will continue to explore ways to improve the data over the duration of the crisis. While some threats and actors are still best defended more discreetly, we are committed to greater transparency and to taking community feedback on what types of information are most useful to defenders in protecting against COVID-related threats. This is a time-limited feed. We are maintaining this feed through the peak of the outbreak to help organizations focus on recovery.

If you have questions or feedback on this COVID-19 feed, please email msft-covid19-ti@microsoft.com.

To integrate this feed with your MISP server you will need to use the following URL:

https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19….

Install Docker

The Docker project has already published comprehensive documentation on setting up the most recent version of Docker for your distribution of choice. For this blog I used the Ubuntu instructions.

The Docker MISP instance also requires ‘docker-compose’, so once you have followed the Docker install guide, enter the following command.

sudo apt-get install docker-compose

The MISP project has published a Docker Compose configuration; to use it, first enter these commands.

git clone https://github.com/MISP/misp-docker
cd misp-docker

Next, you will need to edit the configuration file, making sure to set a strong password. If you do not set a strong enough password, you might not be able to sign in to your MISP instance. This can be fixed later.

cp template.env .env
nano .env

Now the Docker image needs to be built. Run these two commands to build the image and start the container.

sudo docker-compose build
sudo docker-compose up

At this point a MISP instance will be running on port 80. You should be able to sign in and begin adding new feeds. If you are hosting this server on the Internet, you will want to look at how to secure this installation further with TLS and restrictions on access to the web front end.

If you are unable to log in to the front end, then perhaps the password was not strong enough. You can reset the password with the following commands.

sudo docker exec -i -t misp_web /bin/bash
/var/www/MISP/app/Console/cake Password admin@admin.test NEWPASSWORD
exit

Add the COVID-19 feed

The next step is to add the Microsoft feed to the MISP server. There is good documentation for this, but in brief: click ‘Sync Actions’ on the main menu, then ‘List feeds’, and click ‘Add Feed’. The address of Microsoft’s COVID-19 feed can be found above; enter this in the URL textbox. Next you will need to select ‘Simple CSV Parsed Feed’ from the list box. Most of the text boxes can be left blank, but you must set the ‘Value field(s) in the CSV’ to 2. Set the other properties to reasonable values and click Add. Make sure you have ticked the ‘Enable’ checkbox.

There are several other third-party feeds you may also want to enable and have available in your Sentinel workspace. Each of these will need to be enabled separately.

The next step is to ensure that the feed is automatically updated. In the ‘Scheduled Tasks’ section of the Administration menu, set the fetch_feeds task frequency to 1h. If you want to fetch on a quicker schedule, this can be done via a cron job.

You should see a new COVID-19 event appear from the Microsoft COVID-19 feed when the sync process starts.

Retrieve your MISP auth key

Within the MISP web interface click ‘Event Actions’ on the menu bar, then select ‘Automation’. Your MISP auth key will be listed on the screen; note it down for entry into the script later.

Connect your MISP instance to Sentinel

Much of this section is an abridged version of the Sentinel threat intelligence feed connector and MISP to Microsoft Graph script documentation. You should review this documentation first.

Create an App Registration with the required permissions

In order to connect your MISP server to Sentinel you need to create an App Registration with the required permissions. This is a straightforward process but does require a user with ‘Global Administrator’, ‘Security Administrator’ or ‘Security Reader’ permission to grant access. In brief:

  1. Open the Application Registration Portal and click New registration on the menu bar.
  2. Enter a name, and choose Register, other options can be left with their defaults.
  3. Note down the Application (client) ID and Directory (tenant) ID. You will need to enter these into the script’s configuration file.
  4. Under Certificates & secrets, click New client secret, enter a description and click Add. A new secret will be displayed. Copy this for later entry into the script.
  5. Under API permissions, choose Add a permission > Microsoft Graph.
  6. Under Application Permissions, add ThreatIndicators.ReadWrite.OwnedBy.
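As an added example (not code from this post, nor from the MISP or Microsoft connector scripts it links to), the following Python shows what the feed settings above mean in practice: it reads a CSV feed the way MISP’s ‘Simple CSV Parsed Feed’ does with ‘Value field(s) in the CSV’ set to 2, drops rows whose second column is not a file hash, and shapes each hash into a Microsoft Graph tiIndicator body of the kind an app granted ThreatIndicators.ReadWrite.OwnedBy would submit for Azure Sentinel. The sample feed is constructed, and the tiIndicator field names are an assumption about the Graph schema.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a MISP "Simple CSV Parsed Feed" with the indicator
# in column 2. The hashes are well-known empty-input digests, not real indicators.
SAMPLE_FEED = """# constructed sample, not the Microsoft feed
DateAdded,FileHash,Note
2020-04-01,d41d8cd98f00b204e9800998ecf8427e,constructed md5
2020-04-01,da39a3ee5e6b4b0d3255bfef95601890afd80709,constructed sha1
2020-04-02,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,constructed sha256
2020-04-02,not-a-hash,malformed row that must be dropped
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_csv_feed(text, value_field=2):
    """Return the 1-based `value_field` column of each row; '#' lines are comments."""
    rows = csv.reader(line for line in io.StringIO(text) if not line.startswith("#"))
    return [row[value_field - 1].strip() for row in rows if len(row) >= value_field]

def classify_hash(value):
    """Map a hex digest to md5/sha1/sha256 by length, or None if it is not a hash."""
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return HASH_LENGTHS.get(len(value))
    return None

def to_ti_indicator(value, expiry_days=30, now=None):
    """Build a Graph Security tiIndicator body targeting Azure Sentinel.
    Field names follow the Graph tiIndicator resource as assumed here."""
    hash_type = classify_hash(value)
    if hash_type is None:
        return None  # header rows and malformed values never become indicators
    now = now or datetime.now(timezone.utc)
    return {
        "action": "alert",
        "targetProduct": "Azure Sentinel",
        "threatType": "Malware",
        "tlpLevel": "white",
        "fileHashType": hash_type,
        "fileHashValue": value.lower(),
        "expirationDateTime": (now + timedelta(days=expiry_days)).isoformat(),
    }

def feed_to_indicators(text, value_field=2):
    """Parse a feed and keep only the rows that yield a valid hash indicator."""
    return [ind for ind in map(to_ti_indicator, parse_csv_feed(text, value_field)) if ind]
```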

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/integrating-open-source-threat-feeds-with-misp-and-sentinel/ba-p/1350371
