Add Microsoft Defender ATP to misp-book external connector doc

pull/183/head
chinguyen1 2019-12-30 15:53:25 -08:00
parent 999787bf12
commit 001e1da0be
1 changed files with 17 additions and 19 deletions


@ -1,8 +1,8 @@
# External Connectors # External Connectors
Below you will find various tweaks and tips when integrating 3rd party connectors. The <b> MISP to Microsoft Graph Security Script </b> enables you to connect your custom threat indicators or Indicators of Comprosmise (IoCs) and make these available in the following Microsoft products.
## Microsoft Azure Sentinel ## Azure Sentinel
[Azure Sentinel](https://azure.microsoft.com/en-us/services/azure-sentinel/) [Azure Sentinel](https://azure.microsoft.com/en-us/services/azure-sentinel/)
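Review bot: the new intro sentence misspells "Comprosmise" (should be "Compromise") and wraps the script name in raw `<b>...</b>` tags, while the rest of this file uses markdown bold (`**New registration**`, `**Register**`); prefer `**MISP to Microsoft Graph Security Script**` so the page renders consistently in the book.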
@ -11,9 +11,10 @@ Below you will find various tweaks and tips when integrating 3rd party connector
[Microsoft Defender ATP](https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp/) [Microsoft Defender ATP](https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp/)
# MISP to Microsoft Graph Security Script # MISP to Microsoft Graph Security Script
The script provides clients with MISP instances to migrate threat indicators to the Microsoft Graph Security API. The script provides clients with MISP instances to migrate threat indicators to the [Microsoft Graph Security API](https://aka.ms/graphsecuritydocs).
For more information on Microsoft Security Graph visit [Microsoft Graph] (https://developer.microsoft.com/en-us/graph) For more information on Microsoft Graph Security API visit [Microsoft Graph Security API](https://aka.ms/graphsecuritydocs).
For more information on Microsoft Graph visit [Microsoft Graph](https://developer.microsoft.com/en-us/graph).
## Prerequisites ## Prerequisites
Before installing the sample: Before installing the sample:
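Review bot: the broken `[Microsoft Graph] (https://...)` link (space between the brackets) is correctly fixed on the right side, but the two consecutive "For more information on ... visit ..." sentences on the rewritten line and the added line could be merged into one, and the `https://aka.ms/graphsecuritydocs` short link is an opaque redirect; in a book it is friendlier to give the canonical documentation URL, or at least the aka.ms link next to it, so readers know where they are being sent.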
@ -29,21 +30,21 @@ After the prerequisites are installed or met, perform the following steps to use
1. To run script, go to the root directory of misp-graph-script and enter `PYTHONHASHSEED=0 python3 script.py` in the command line. 1. To run script, go to the root directory of misp-graph-script and enter `PYTHONHASHSEED=0 python3 script.py` in the command line.
## App Registration ## App Registration
To configure the samples, you'll need to register a new application in the Microsoft [Application Registration Portal](https://apps.dev.microsoft.com/). To configure the sample, you'll need to register a new application in the Microsoft [Application Registration Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps).
### Follow these steps to register a new application Follow these steps to register a new application:
1. Sign in to the [Azure Portal](https://portal.azure.com/) using either your personal or work or school account. 1. Sign in to the [Application Registration Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) using either your personal or work or school account.
1. Under My Azure Active Directory, choose App registrations (if you are suggested to use the preview, use that) choose New registration. 1. Choose **New registration**.
1. Enter an application name, and choose Register 1. Enter an application name, and choose **Register**.
1. Next you'll see the registration page for your app. Copy and save the `Application (client) Id` & `Directory (tenant) ID` field.You will need it later to complete the configuration process. 1. Next you'll see the overview page for your app. Copy and save the **Application Id** field. You will need it later to complete the configuration process.
1. Under Certificates & secrets, choose `New client secret` and give it a name. A new password will be displayed under Client secrets. Copy this password. This will be your `client secret`. You will need it later to complete the configuration process. 1. Under **Certificates & secrets**, choose **New client secret** and add a quick description. A new secret will be displayed in the **Value** column. Copy this password. You will need it later to complete the configuration process and it will not be shown again.
1. Under Authentication, find Implicit grant choose both `Access tokens` & `ID tokens` and save. 1. Under **API permissions**, choose **Add a permission > Microsoft Graph**.
1. Under API permissions click `Add a permission`, choose Microsoft Graph, under `Application permissions`, under ThreatIndicators add ThreatIndicators.ReadWrite.OwnedBy. You will be taken back to the API permissions screen, click `Grant admin consent for Default Directory` 1. Under **Application Permissions**, add the permissions/scopes required for the sample. This sample requires **ThreatIndicators.ReadWrite.OwnedBy**.
>Note: See the [Microsoft Graph permissions reference](https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference) for more information about Graph's permission model. >Note: See the [Microsoft Graph permissions reference](https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference) for more information about Graph's permission model.
1. Modify the RequestManager.py file to comment out line 121-124. (This allows the script to run without failing due to line 123 being divided by `avg_speed` incase it starts as `0`. 1. Modify the RequestManager.py file to comment out line 121-124. (This allows the script to run without failing due to line 123 being divided by `avg_speed` incase it starts as `0`.
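Review bot: the rewritten step 4 now tells the reader to copy only the **Application Id**, but `config.py` later in this same README still needs `tenant` (see the `graph_auth` block with `'tenant': '<tenant id>'`), so the Directory (tenant) ID instruction should stay, e.g. "Copy and save the **Application (client) ID** and **Directory (tenant) ID**". The rewritten permissions step also drops "Grant admin consent"; `ThreatIndicators.ReadWrite.OwnedBy` is added under **Application Permissions**, and an application permission is not effective until a tenant admin consents, so without that sub-step the client-credentials token the script obtains will be rejected by the Graph Security API. Removing the old "Implicit grant" step is a good change: the script authenticates with a client secret and has no browser flow, so enabling implicit grant would only widen the app registration's attack surface. Two pre-existing points worth fixing while this file is open: "incase" should be "in case", and instructing readers to comment out lines 121-124 of RequestManager.py is brittle (the line numbers shift with any upstream change); a guard for `avg_speed == 0` in the script itself is the better fix.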
@ -57,7 +58,7 @@ To configure the samples, you'll need to register a new application in the Micro
As the final step in configuring the script, modify the config.py file in the root folder of your cloned repo. As the final step in configuring the script, modify the config.py file in the root folder of your cloned repo.
Update tenent, client_id, and client_secret in config.py Update tenant, client_id, and client_secret in config.py
``` ```
graph_auth = { graph_auth = {
'tenant': '<tenant id>', 'tenant': '<tenant id>',
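Review bot: the `tenent` to `tenant` typo fix is correct, but this snippet has the reader paste the `client_secret` in plain text into `config.py`, and that secret grants write access to the tenant's threat indicators; a sentence next to the snippet on keeping `config.py` out of version control and readable only by the account that runs the sync (or loading the secret from an environment variable instead) would be appropriate here.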
@ -155,9 +156,6 @@ Configure a sync user.
`misp_key = '<misp key>'` `misp_key = '<misp key>'`
### Misp Domain
Misp Domain is the base URL of your MISP instance.
### Verify Cert ### Verify Cert
This gives you the option to choose if python should validate the certificate of the misp instance. (This allows ease within testing environments) This gives you the option to choose if python should validate the certificate of the misp instance. (This allows ease within testing environments)
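Review bot: the "Misp Domain" subsection ("Misp Domain is the base URL of your MISP instance.") is deleted with no replacement; if the base URL is still a setting alongside `misp_key`, it is now the one setting in this section left undocumented, so either keep the two lines or fold the explanation into the neighbouring setting descriptions. Unchanged but security-relevant while here: the "Verify Cert" text only says that disabling validation "allows ease within testing environments"; it should also say that with verification off the `misp_key` and every pulled indicator travel over a connection that can be intercepted, so the option must stay enabled anywhere outside a lab.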
@ -172,7 +170,7 @@ In the command line, run `python3 script.py -r`
* To aggregate all the requests that resulted in errors to a file, run `cat *_error_* > <filename>.txt` in the command line. * To aggregate all the requests that resulted in errors to a file, run `cat *_error_* > <filename>.txt` in the command line.
## Script Output ## Script Output
As the script runs, it prints out the request body sent to the Graph API and the response from the Graph API. As the script runs, it prints out the request body sent to the Microsoft Graph Security API and the response from the Microsoft Graph Security API.
Every request is logged as a json file under the directory "logs". The name of the json file is the datetime of when the request is completed. Every request is logged as a json file under the directory "logs". The name of the json file is the datetime of when the request is completed.
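Review bot: `cat *_error_* > <filename>.txt` is given without saying which directory it is run from, while the paragraph below states that every request is logged as a JSON file under `logs`; clarify whether the command runs from inside `logs` or needs a path prefix. Since those log files contain the full request body sent to the Graph Security API, i.e. the indicators themselves, it is also worth noting that the `logs` directory should be protected like the MISP data it mirrors.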
@ -183,4 +181,4 @@ Below is a CRONTAB entry example of running the script every Sunday at 2am
This README.md has been adapted from the README.md found here [Microsoft Graph MISP sample](https://github.com/microsoftgraph/security-api-solutions/blob/master/Samples/MISP/README.md) This README.md has been adapted from the README.md found in the [Microsoft Graph Security API MISP sample](https://aka.ms/tipmispsample). For most recent changes, visit [Microsoft Graph Security API MISP sample](https://aka.ms/tipmispsample). Provide your feedback on this sample by [filing a GitHub request](https://github.com/microsoftgraph/security-api-solutions/issues/new).