MISP
/
misp-book
mirror of https://github.com/MISP/misp-book
2
0
Fork 0
Code Issues Releases Wiki Activity

Add Microsoft Defender ATP to misp-book connector doc

pull/183/head
chinguyen1 2019-12-30 12:17:22 -08:00
parent c6bfe2aaa9
commit 999787bf12
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
connectors/README.md
View File

@ -2,10 +2,14 @@
Below you will find various tweaks and tips when integrating 3rd party connectors. Below you will find various tweaks and tips when integrating 3rd party connectors.
## Microsoft Azure Sentinel ## Microsoft Azure Sentinel
[Azure Sentinel](https://azure.microsoft.com/en-us/services/azure-sentinel/) [Azure Sentinel](https://azure.microsoft.com/en-us/services/azure-sentinel/)
## Microsoft Defender ATP
[Microsoft Defender ATP](https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp/)
# MISP to Microsoft Graph Security Script # MISP to Microsoft Graph Security Script
The script provides clients with MISP instances to migrate threat indicators to the Microsoft Graph Security API. The script provides clients with MISP instances to migrate threat indicators to the Microsoft Graph Security API.
@ -66,6 +70,8 @@ Once changes are complete, save the config file.
## Configurations ## Configurations
### Target Product ### Target Product
`targetProduct = "Azure Sentinel"` `targetProduct = "Azure Sentinel"`
**or**
`targetProduct = "Microsoft Defender ATP"`
### Misp Event Filter ### Misp Event Filter
Filters can be set in the config.py file under the "misp_event_filters" property Filters can be set in the config.py file under the "misp_event_filters" property
@ -131,6 +137,8 @@ misp_event_filters = []
This gets all events. This gets all events.
### Action ### Action
Possible **action** values are: `alert`, `allow`, `block`.
`action = "alert"` (This is default). `action = "alert"` (This is default).
### Passive Only ### Passive Only
@ -147,6 +155,9 @@ Configure a sync user.
`misp_key = '<misp key>'` `misp_key = '<misp key>'`
### Misp Domain
Misp Domain is the base URL of your MISP instance.
### Verify Cert ### Verify Cert
This gives you the option to choose if python should validate the certificate of the misp instance. (This allows ease within testing environments) This gives you the option to choose if python should validate the certificate of the misp instance. (This allows ease within testing environments)