Integrating open source threat feeds with MISP and Sentinel

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Recently, Microsoft released an open source set of malicious file hash indicators identified as using COVID-19 themed malicious email attachments in attempted attacks against our customers. Office365 successfully blocked these attempts, but the indicators can be consumed and used by customers to further protect themselves. The feed of indicators is provided as data file on GitHub which can be consumed using MISP.

 

In this blog post I will show Azure Sentinel customers how to set up a MISP server that can receive any public feeds, including these COVID-19 indicators, and import the data into your Azure Sentinel environment. It is also possible to use this code to import MISP data into Microsoft Defender ATP as well. Haim Goldshtein has already written a blog post on doing this. Instructions here have been tested on Ubuntu 18.04 but should be applicable to many other distributions – even WSL. misp.PNG

 

The COVID-specific threat intelligence feed represents a start at sharing some of Microsoft’s COVID-related IOCs.  We will continue to explore ways to improve the data over the duration of the crisis. While some threats and actors are still best defended more discreetly, we are committed to greater transparency and taking community feedback on what types of information is most useful to defenders in protecting against COVID-related threats. This is a time limited feed. We are maintaining this feed through the peak of the outbreak to help organizations focus on recovery.

 

If you have questions or feedback on this COVID-19 feed, please email msft-covid19-ti@microsoft.com.

 

To integrate this feed with your MISP server you will need to use the following URL:

https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv

 

Install Docker

The Docker project has already published comprehensive documentation on setting up the most recent version of Docker for your distribution of choice. For this blog I used the Ubuntu instructions.

The Docker MISP instance also requires ‘docker-compose’ so once you have followed the Docker install guide enter the following command.

 

sudo apt-get install docker-compose

 

 

Set up MISP Docker instance

The MISP project has published a Docker compose configuration, you can use this by first entering these commands.

 

git clone https://github.com/MISP/misp-docker cd misp-docker

 

Next, you will need to edit the configuration file, making sure to set a strong password. If you do not set a strong enough password, you might not be able to sign into your MISP instance. This can be fixed later.

 

cp template.env .env nano .env

 

Now the Docker image needs to be built. Run these two commands to build the image and start the container.

 

sudo docker-compose build sudo docker-compose up

 

At this point a MISP instance will be running on port 80. You should be able to sign in and begin adding new feeds. If you are hosting this server on the Internet, you will want to look at how to secure this installation further with TLS and restrictions on access to the web front end.

 

If you are unable to login to the front end, then perhaps the password was not strong enough. You can reset the password with the following commands.

 

sudo docker exec -i -t misp_web /bin/bash /var/www/MISP/app/Console/cake Password admin@admin.test NEWPASSWORD exit

 

 

Add the COVID-19 feed

The next step is to add the Microsoft feed to the MISP server. There is good documentation for this but in brief click ‘Sync Actions’ on the main menu then ‘List feeds’ and click ‘Add Feed’. The address of Microsoft’s COVID-19 feed can be found above. Enter this in the URL textbox. Next you will need to select ‘Simple CSV Parsed Feed’ from the list box. Most of the text boxes can be left blank but you must set the ‘Value field(s) in the CSV’ to 2. Set the other properties to reasonable values and click Add. Make sure you have ticked the ‘Enable’ checkbox.

 

There are several other 3rd party feeds you may also want to enable and have available in your Sentinel workspace. Each of these will need to be enabled separately.

x1.png

The next step is to ensure that the feed is automatically updated. In the ‘Scheduled Tasks’ section of the Administration menu set the fetch_feeds task frequency to 1h. If you want to fetch on a quicker schedule this can be performed via a cron job.

 

You should see a new COVID-19 event appear from the Microsoft COVID-19 feed when the sync process starts.

 

Retrieve your MISP auth key

Within the MISP web interface click ‘Event Actions’ on the menu bar then select ‘Automation’. Your MISP auth key will be listed on the screen, note this down for entry into the script later.

 

Connect your MISP instance to Sentinel

Much of this section is an abridged version of the Sentinel threat intelligence feed connector and MISP to Microsoft Graph script documentation. You should review this documentation first.

 

Create an App Registration with the required permissions

In order to connect your MISP server to Sentinel you need to create an App Registration with the required permissions. This is a straightforward process but does require a user with 'Global Administrator', 'Security Administrator' or 'Security Reader' permission to grant access. In brief:

  1. Open the Application Registration Portal and click New registration on the menu bar.
  2. Enter a name, and choose Register, other options can be left with their defaults.
  3. Note down the Application (client) ID and Directory (tenant) ID. You will need to enter these into the script’s configuration file.
  4. Under Certificates & secrets, click New client secret enter a description and click Add. A new secret will be displayed. Copy this for later entry into the script.
  5. Under API permissions, choose Add a permission > Microsoft Graph.
  6. Under Application Permissions, add ThreatIndicators.ReadWrite.OwnedBy.

blogc.png

Enable the Sentinel Connector

Open your Azure Sentinel workspace, click ‘Data connectors’ and then look for the ‘Threat Intelligence Platforms’ connection. Open the connector and click Connect.

blogd.png

 

Setup the script

The script can be run on any machine that has access to your MISP infrastructure and the Microsoft Graph API. In order to reduce complexity, I ran the script on the same machine as the MISP instance.

Enter the following commands. These will create an environment for the script to run, download it from GitHub, install the necessary prerequisites and open the configuration file.

 

sudo apt-get install python3-venv python3 -m venv mispToSentinel cd mispToSentinel source bin/activate git clone https://github.com/microsoftgraph/security-api-solutions cd security-api-solutions/Samples/MISP/ pip install -r requirements.txt nano config.py

 

There are a few options that need to be changed in the configuration file:

  • Under the graph_auth key enter the details from the AAD App Registration earlier.
  • Set the ‘<targetProduct>’ to be ‘Azure Sentinel’.
  • I added a # comment at the start of each line in the misp_event_filters section to effectively disable any filtering, all data from the MISP server will be available in Sentinel.
  • Set ‘<action>’ to ‘alert’.
  • Enter you MISP auth key in ‘<misp key>’ and URL in ‘<misp url>’.
  • Finally set the lifetime for this data, I would recommend 30-60 days depending on your use case.

You can now run the script to pull data from the MISP instance and push into your Sentinel workspace.

 

python script.py

 

After a few minutes you should be able to query the ThreatIntelligenceIndicator table in your Sentinel workspace.

bloge.png

Use the data

Now the data is in your Sentinel workspace you can easily search for matching hashes in a variety of datasets. As an example, this query will examine the SecurityEvent table for matching hashes.

 

let BadHashes=ThreatIntelligenceIndicator | summarize by FileHashValue; SecurityEvent | where FileHash in (BadHashes) | count

 

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.