The <b> MISP to Microsoft Graph Security Script </b> enables you to connect your custom threat indicators or Indicators of Comprosmise (IoCs) and make these available in the following Microsoft products.
* Install Python 3.x version from https://www.python.org/.
* To register your application for access to Microsoft Graph, you'll need either a [Microsoft account](https://www.outlook.com/) or an [Office 365 for business account](https://msdn.microsoft.com/en-us/office/office365/howto/setup-development-environment#bk_Office365Account). If you don't have one of these, you can create a Microsoft account for free at [outlook.com](https://www.outlook.com/).
## Getting Started
After the prerequisites are installed or met, perform the following steps to use these scripts:
To configure the sample, you'll need to register a new application in the Microsoft [Application Registration Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps).
Follow these steps to register a new application:
1. Sign in to the [Application Registration Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) using either your personal or work or school account.
1. Next you'll see the overview page for your app. Copy and save the **Application Id** field. You will need it later to complete the configuration process.
1. Under **Certificates & secrets**, choose **New client secret** and add a quick description. A new secret will be displayed in the **Value** column. Copy this password. You will need it later to complete the configuration process and it will not be shown again.
>Note: See the [Microsoft Graph permissions reference](https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference) for more information about Graph's permission model.
1. Modify the RequestManager.py file to comment out line 121-124. (This allows the script to run without failing due to line 123 being divided by `avg_speed` incase it starts as `0`.
1. Modify the script.py to add in `config.misp_verifycert` at line 13. Ensure it looks like below.
* published – return only published events (Format: True or False)
A list or a specific value can be passed to the above parameters. If a list is passed to the parameter, the filtered events are the result of the union of provided list.
This field needs to be a list that contains multiple filters. The filtered events are the result of the intersection of provided filters.
#### First Example of How This Field can be Configured
```
misp_event_filters = [
{
"type_attribute": 'mutex'
},
{
"type_attribute": 'filename|md5'
},
]
```
An event meets this filtering criteria if the event has an attribute with attribute type of 'mutex' AND the event has an attribute with attribute type of 'filename|md5'.
#### Second Example of How This Field can be Configured
```
misp_event_filters = [
{
"type_attribute": ['mutex', 'filename|md5']
}
]
```
An event meets this filtering criteria if the event has an attribute with attribute type of 'mutex' OR the event has an attribute with attribute type of 'filename|md5'.
#### Third Example of How This Field can be Configured
```
misp_event_filters = [
{
"values": 'http://www.test.com'
}
]
```
An event meets this filtering criteria if the event has an attribute with attribute value of 'http://www.test.com'.
#### Fourth Example of How This Field can be Configured
This property is used to specify the amount of days the records will expire in Microsoft Graph Security API. The default value for days to expire is 30.
`days_to_expire = 5`
### Misp Key
The Misp Auth Key is required to fetch data from your Misp instance.
This README.md has been adapted from the README.md found in the [Microsoft Graph Security API MISP sample](https://aka.ms/tipmispsample). For most recent changes, visit [Microsoft Graph Security API MISP sample](https://aka.ms/tipmispsample). Provide your feedback on this sample by [filing a GitHub request](https://github.com/microsoftgraph/security-api-solutions/issues/new).