MISP to Microsoft Sentinel integration
The MISP2Sentinel integration allows you to sync indicators from MISP to Microsoft Sentinel. The old integration relied on the Microsoft Graph API. Microsoft prefers new integrations to rely on the Upload Indicators API. The new MISP to Microsoft (previously Azure) Sentinel or misp2sentinel does just that, it
- Supports integration with the old Graph API, but also
- It supports the new, and preferred, Upload Indicators API.
Installation and configuration
Read the installation and configuration documentation at https://github.com/cudeso/misp2sentinel for more details. Additional details are also available via the MISP website (https://www.misp-project.org/2023/08/26/MISP-Sentinel-UploadIndicatorsAPI.html/).
The Upload Indicators API of Microsoft is STIX based. STIX is a structured language for describing threat information to make sharing information between systems easier. This integration relies on the MISP-STIX library to handle the conversion between MISP and STIX.
Microsoft Azure Market Place
The misp2sentinel solution is in the Market Place or Microsoft Sentinel Content Hub with a corresponding data connector. Note that enabling the solution in Azure isn’t sufficient to sync indicators. You still need to setup the Python environment or use the Azure Function.