MISP and Microsoft Sentinel

MISP and Microsoft Sentinel

A short post with things to consider when integrating MISP threat intelligence with Microsoft Sentinel. There are two documentation resources that describe the integration in detail and should get you started in no-time:

KeyError: ‘access_token’

This error is caused by invalid client secret or missing client ID. One of the steps in the documentation involves creating a new secret. You then have to add this secret to the configuration file (config.py). Do not add the secret ID but the client ID in the client_id field. This sounds obvious but as you’re probably in the “client secret” window pane when copying the client secret to the configuration, it’s easy to get confused and use the secret ID as client ID.

Traceback (most recent call last):
  File "script.py", line 100, in <module>
    main()
  File "script.py", line 65, in main
    RequestManager.read_tiindicators()
  File "/home/user/sentinel/security-api-solutions/Samples/MISP/RequestManager.py", line 78, in read_tiindicators
    access_token = RequestManager._get_access_token(
  File "/home/user/sentinel/security-api-solutions/Samples/MISP/RequestManager.py", line 70, in _get_access_token
    access_token = requests.post(
KeyError: 'access_token'

Also see https://github.com/microsoftgraph/security-api-solutions/issues/110

Auth token does not contain valid permissions or user does not have valid roles

This error is caused because of missing permissions. When you follow the steps in the documentation, you need to grant your newly created MISP application additional permissions (ThreatIndicators.ReadWrite.OwnedBy). Adding the permissions is not sufficient, you also need to Grant Consent. In simple setups you can use the “Grant Admin Consent for …” button in the API permissions pane.

{
  "error": {
    "code": "UnknownError",
    "message": "Auth token does not contain valid permissions or user does not have valid roles.",
    "innerError": {
      "date": "2022-04-20T07:16:57",
      "request-id": "<request id>",
      "client-request-id": "<client id>"
    }
  }
}

No indicators in Sentinel

The Python script pushes the indicators to Microsoft Graph, this will not immediately make them available in Sentinel. To do this, you have to setup a connector in Sentinel. In Sentinel, click ‘Data connectors’ and look for the ‘Threat Intelligence Platforms’ connection. Open the connection pane and click Connect.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.