MISP to Sentinel integration

I published a blog article on the MISP project website on how to do the MISP to Azure / Sentinel integration. This integration allows you to upload indicators from MISP to Microsoft Sentinel. It relies on PyMISP to get indicators from MISP and an Azure App and Threat Intelligence Data Connector in Azure.

Read the full article on the MISP project website: MISP to Sentinel integration.

The integration is available via GitHub at https://github.com/cudeso/misp2sentinel

This repository started from the Microsoft Graph Security API GitHub repository. Because the Microsoft repository seems to be no longer maintained, a separate repository was started, stripped of the non-MISP items and with updated Python code. Compared to the original Microsoft repository, this now includes:

  • Handle attributes in objects
  • Handle URLs that do not have http/https included
  • Handle network direction (network_ignore_direction)
  • Adjust logging – verbosity
  • Ignore local tags (misp_ignore_localtags)
  • Properly deal with tags on attribute level
  • Add defaultConfidenceLevel
  • Add sentinel-threattype
  • Convert KillChain labels for Azure
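The list above names the behaviours that were added on top of the Microsoft code. The following Python is an added illustration, not code from the misp2sentinel repository: it walks a constructed MISP event (event-level attributes plus attributes nested in objects), drops local tags when `misp_ignore_localtags` is set, prefixes scheme-less URLs, collapses source/destination IPs into a direction-less field when `network_ignore_direction` is set, applies a default confidence level and threat type, and maps MISP kill-chain taxonomy tags onto kill-chain labels. The configuration keys reuse the option names from the list, but their exact semantics in the project, the `KILL_CHAIN_MAP` values, and the output field names (modelled on the Graph tiIndicator schema) are assumptions made for this example.

```python
"""Added example: normalise MISP attributes into Sentinel-style indicator dicts.

This is illustrative code written for this page; it is not the misp2sentinel
project's own implementation, and the field names and mappings are assumptions.
"""

# Constructed configuration; the option names come from the feature list above,
# their meaning here is an assumption for the purpose of this example.
CONFIG = {
    "network_ignore_direction": True,   # emit networkIPv4 instead of src/dst fields
    "misp_ignore_localtags": True,      # drop MISP tags flagged as local
    "defaultConfidenceLevel": 50,       # used when MISP gives no confidence
    "sentinel-threattype": "WatchList", # threatType value written on every indicator
}

# Assumed mapping from MISP kill-chain taxonomy tags to kill-chain labels.
KILL_CHAIN_MAP = {
    "kill-chain:Reconnaissance": "Reconnaissance",
    "kill-chain:Weaponization": "Weaponization",
    "kill-chain:Delivery": "Delivery",
    "kill-chain:Exploitation": "Exploitation",
    "kill-chain:Installation": "Installation",
    "kill-chain:Command and Control": "C2",
    "kill-chain:Actions on Objectives": "Actions",
}

# Directional MISP attribute types and the assumed indicator field for each.
NETWORK_TYPES = {"ip-src": "networkSourceIPv4", "ip-dst": "networkDestinationIPv4"}


def iter_attributes(event):
    """Yield event-level attributes and attributes nested inside MISP objects."""
    yield from event.get("Attribute", [])
    for obj in event.get("Object", []):
        yield from obj.get("Attribute", [])


def normalise_url(value):
    """Prefix a scheme-less URL with http:// so it is stored as an absolute URL."""
    if not value.lower().startswith(("http://", "https://")):
        return "http://" + value
    return value


def tag_names(attribute, event_tags=()):
    """Merge event- and attribute-level tags, optionally dropping local tags."""
    names = []
    for tag in list(event_tags) + attribute.get("Tag", []):
        if CONFIG["misp_ignore_localtags"] and tag.get("local"):
            continue
        names.append(tag["name"])
    return names


def to_indicator(attribute, event_tags=()):
    """Convert one MISP attribute; return None for types this example does not handle."""
    tags = tag_names(attribute, event_tags)
    indicator = {
        "externalId": attribute["uuid"],
        "threatType": CONFIG["sentinel-threattype"],
        "confidence": CONFIG["defaultConfidenceLevel"],
        "tags": tags,
        "killChain": [KILL_CHAIN_MAP[t] for t in tags if t in KILL_CHAIN_MAP],
    }
    atype, value = attribute["type"], attribute["value"]
    if atype == "url":
        indicator["url"] = normalise_url(value)
    elif atype in NETWORK_TYPES:
        field = "networkIPv4" if CONFIG["network_ignore_direction"] else NETWORK_TYPES[atype]
        indicator[field] = value
    elif atype == "domain":
        indicator["domainName"] = value
    else:
        return None
    return indicator


def convert_event(event):
    """Convert every supported attribute of a MISP event into an indicator dict."""
    event_tags = event.get("Tag", [])
    return [i for a in iter_attributes(event) if (i := to_indicator(a, event_tags))]


# Constructed sample event in MISP JSON shape (values are placeholders, not real IoCs).
SAMPLE_EVENT = {
    "uuid": "event-placeholder",
    "Tag": [{"name": "tlp:amber", "local": 0}, {"name": "workflow:state=\"complete\"", "local": 1}],
    "Attribute": [
        {"uuid": "attr-1", "type": "url", "value": "phish.example/login",
         "Tag": [{"name": "kill-chain:Delivery", "local": 0}]},
        {"uuid": "attr-2", "type": "ip-dst", "value": "198.51.100.7", "Tag": []},
    ],
    "Object": [
        {"name": "domain-ip", "Attribute": [
            {"uuid": "attr-3", "type": "domain", "value": "c2.example",
             "Tag": [{"name": "kill-chain:Command and Control", "local": 0}]},
            {"uuid": "attr-4", "type": "comment", "value": "not an indicator", "Tag": []},
        ]},
    ],
}

if __name__ == "__main__":
    for indicator in convert_event(SAMPLE_EVENT):
        print(indicator)
```

Running the module prints three indicators: the URL gains an `http://` prefix, the destination IP lands in `networkIPv4` because direction is ignored, the object-level domain is picked up with its kill-chain label, the local workflow tag is dropped, and the comment attribute is skipped.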

One thought on “MISP to Sentinel integration”

  1. This integration enables the seamless exchange of information, allowing for real-time threat sharing and analysis, ultimately improving incident response and mitigation strategies. The collaboration between MISP and Sentinel demonstrates the importance of interoperability and information sharing in today’s evolving cybersecurity landscape, reinforcing the collective defense against cyber threats and promoting a safer digital environment.
