MISP and Microsoft Sentinel
A short post with things to consider when integrating MISP threat intelligence with Microsoft Sentinel. There are two documentation resources that describe the integration in detail and should get you started in no time:
KeyError: ‘access_token’
This error is caused by an invalid client secret or a wrong or missing client ID. One of the steps in the documentation involves creating a new client secret for the application. You then have to add that secret to the configuration file (config.py). Make sure the client_id field holds the application (client) ID, not the secret ID. This sounds obvious, but because you are probably still in the “client secret” pane when copying the secret value into the configuration, it is easy to get confused and paste the secret ID as the client ID. The KeyError itself is only a symptom: the script indexes the token response for access_token, and a failed request to the token endpoint returns an error object (error, error_description) that has no such key. Printing the response body shows the actual reason for the failure.
Traceback (most recent call last):
  File "script.py", line 100, in <module>
    main()
  File "script.py", line 65, in main
    RequestManager.read_tiindicators()
  File "/home/user/sentinel/security-api-solutions/Samples/MISP/RequestManager.py", line 78, in read_tiindicators
    access_token = RequestManager._get_access_token(
  File "/home/user/sentinel/security-api-solutions/Samples/MISP/RequestManager.py", line 70, in _get_access_token
    access_token = requests.post(
KeyError: 'access_token'
Also see https://github.com/microsoftgraph/security-api-solutions/issues/110
Auth token does not contain valid permissions or user does not have valid roles
This error is caused by missing permissions. When you follow the steps in the documentation, you need to grant your newly created MISP application the additional Microsoft Graph permission ThreatIndicators.ReadWrite.OwnedBy, as an Application permission (the script authenticates with its client ID and secret, not as a user, so Delegated permissions do not apply). Adding the permission is not sufficient: you also need to grant consent for it. In simple setups you can use the “Grant admin consent for …” button in the API permissions pane. Consent only affects tokens issued afterwards, so run the script again once it has been granted.
{
  "error": {
    "code": "UnknownError",
    "message": "Auth token does not contain valid permissions or user does not have valid roles.",
    "innerError": {
      "date": "2022-04-20T07:16:57",
      "request-id": "<request id>",
      "client-request-id": "<client id>"
    }
  }
}
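Both of the failures above (the KeyError on access_token and the missing-roles error from Graph) can be caught before the script makes its first Graph call. The following is an added example, not code from the original script or from the security-api-solutions repository: it takes the JSON returned by the Azure AD token endpoint, surfaces Azure AD's own error message instead of a bare KeyError when no access_token is present, and otherwise decodes the token payload (without verifying the signature, which is acceptable for a local sanity check) to confirm that the roles claim contains ThreatIndicators.ReadWrite.OwnedBy. The three responses at the bottom are constructed samples; apart from the standard field names access_token, error, error_description and roles, every function and constant name is this example's own.

```python
"""Pre-flight check for the token step of the MISP-to-Sentinel script.

Added example, not part of the original script. It inspects the JSON that the
Azure AD token endpoint returned for the client-credentials request and
answers two questions: did we get a token at all, and does that token carry
the Graph application permission the script needs? Sample responses below are
constructed for illustration and contain no real tenant data.
"""
import base64
import json

REQUIRED_ROLE = "ThreatIndicators.ReadWrite.OwnedBy"


class TokenError(Exception):
    """Raised when the token endpoint did not return an access token."""


def extract_access_token(token_response: dict) -> str:
    """Return the access token or raise TokenError with Azure AD's own message.

    On failure Azure AD returns 'error' and 'error_description' instead of
    'access_token'. Indexing ['access_token'] directly, as the original script
    does, turns such a failure into KeyError: 'access_token' and hides the
    cause (for example a secret ID pasted into the client_id field).
    """
    if "access_token" in token_response:
        return token_response["access_token"]
    err = token_response.get("error", "unknown_error")
    desc = token_response.get("error_description", "no description returned")
    raise TokenError(f"{err}: {desc}")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_roles(access_token: str) -> list:
    """Decode the JWT payload (no signature check) and return its 'roles' claim.

    With the client-credentials flow, application permissions that received
    admin consent appear in 'roles'. An empty list means the permission was
    added but consent was not granted, or the token predates the consent.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise TokenError("access_token is not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return list(claims.get("roles", []))


def check_token_response(token_response: dict) -> list:
    """Run both checks; return the list of missing roles (empty means OK)."""
    token = extract_access_token(token_response)
    roles = token_roles(token)
    return [role for role in [REQUIRED_ROLE] if role not in roles]


def _fake_jwt(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for the constructed samples."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.signature"


# Constructed sample responses (illustrative, not captured from a tenant).
RESPONSE_WRONG_CLIENT_ID = {
    "error": "unauthorized_client",
    "error_description": "Application with the given identifier was not "
                         "found in the directory (constructed sample)",
}
RESPONSE_NO_CONSENT = {
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": _fake_jwt({"aud": "https://graph.microsoft.com"}),
}
RESPONSE_OK = {
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": _fake_jwt({"aud": "https://graph.microsoft.com",
                               "roles": [REQUIRED_ROLE]}),
}

if __name__ == "__main__":
    samples = [("wrong client id", RESPONSE_WRONG_CLIENT_ID),
               ("permission without consent", RESPONSE_NO_CONSENT),
               ("consented", RESPONSE_OK)]
    for name, resp in samples:
        try:
            missing = check_token_response(resp)
            print(f"{name}: missing roles = {missing or 'none'}")
        except TokenError as exc:
            print(f"{name}: token request failed: {exc}")
```

Against a real tenant, pass the parsed body of the script's token request (the result of .json() on the response) to check_token_response(): an empty list means the token is usable for the indicator upload, a non-empty list means the permission exists on the app registration but consent is missing, and a TokenError carries the reason Azure AD refused to issue a token.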
No indicators in Sentinel
The Python script pushes the indicators to Microsoft Graph; this does not immediately make them available in Sentinel. For that, you have to set up a data connector in Sentinel: click ‘Data connectors’, look for the ‘Threat Intelligence Platforms’ connector, open its pane and click Connect. Once the connector is enabled, the indicators appear in the ThreatIntelligenceIndicator table of the workspace, which is where you should look to confirm that the upload worked.
When considering MISP threat intelligence with Microsoft Sentinel, does it imply that Microsoft Sentinel does not have its own complete threat intel platform or sources? In short, if I am using Microsoft Sentinel’s native threat intel feed, what are the advantages of having MISP threat intelligence?
Thank you
Hello,
Microsoft does have its own sources. The data obtained through MISP can however be complementary, or more tuned for your organisation. For example, getting TI from your national CSIRT or sectorial ISAC can provide much more value than “generic” TI.
MISP allows you to correlate (and enrich) the TI coming from both “generic” and “specific” sources.
Also have a look at this post: https://www.vanimpe.eu/2023/04/03/misp-to-sentinel-integration/
Cheers!