Merge pull request #84 from cudeso/new

MISP2Sentinel with Upload Indicators API
pull/86/head
Alexandre Dulaunoy 2023-08-26 07:25:59 +02:00 committed by GitHub
commit 9fb5a05b89
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 78 additions and 1 deletions


@ -0,0 +1,72 @@
---
title: MISP to Microsoft Sentinel integration with Upload Indicators API
date: 2023-08-26
layout: post
authors:
- Koen Van Impe
tags: ["sentinel", "microsoft", "integration", "azure", "MISP", "Threat Intelligence"]
categories: []
banner: /img/blog/misp2sentinel_header.png
---
# MISP to Microsoft Sentinel integration
## Introduction
The MISP to Microsoft Sentinel integration allows you to upload indicators from MISP to Microsoft Sentinel. It relies on **PyMISP** to get indicators from MISP and an **Azure App** to connect to Sentinel.
## Graph API and Upload Indicators API
In April 2023 the [MISP to Azure Sentinel](https://www.misp-project.org/2023/04/03/MISP-Sentinel.html/) integration was covered. This integration used the Microsoft Graph API. Since then, Microsoft [deprecated](https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview) the Graph API, and preferred new integrations to rely on the [Upload Indicators API](https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api). The new MISP to Microsoft (previously Azure) Sentinel or [misp2sentinel](https://github.com/cudeso/misp2sentinel) does just that, it
- Supports integration with the old **Graph API**, but most importantly,
- It supports the new, and preferred, **Upload Indicators API**.
To get started you need
- An **Azure App**, with read and write permissions on your Microsoft Sentinel workspace and a threat intelligence **Data Connector**;
- A MISP **API key** to pull data out of MISP;
- The [misp2sentinel](https://github.com/cudeso/misp2sentinel/) code in a Python3 virtual environment or as an Azure Function, with the necessary libraries such as [MISP-STIX](https://github.com/MISP/misp-stix).
## Microsoft Azure Market Place
The [misp2sentinel](https://github.com/cudeso/misp2sentinel) solution is in the Market Place or [Microsoft Sentinel Content Hub](https://portal.azure.com/#create/microsoftsentinelcommunity.azure-sentinel-solution-misp2sentinel) with a corresponding data connector. Note that enabling the solution in Azure isn't sufficient to sync indicators. You still need to setup the *Python environment* or use the *Azure Function*.
![misp2sentinel.png-2](/img/blog/misp2sentinel-2.png)
![misp2sentinel.png-1](/img/blog/misp2sentinel-1.png)
## Python environment
The setup of the Python virtual environment is described in the [README](https://github.com/cudeso/misp2sentinel/blob/main/README.md). Basically you need to clone the repository, setup the Python3 environment, install the necessary libraries and then update the configuration file.
In general this should not take longer than 10 minutes.
## Azure Function
Next to a "traditional" Python environment installation, there is an option to do the integration via an [Azure Function](https://github.com/cudeso/misp2sentinel/tree/main/AzureFunction). The code is contributed by [Infernux](https://github.com/lnfernux) and provides you a great approach to have the integration running directly within Sentinel.
## STIX
The Upload Indicators API of Microsoft is STIX based. [STIX](https://stixproject.github.io/) is a structured language for describing threat information to make sharing information between systems easier. This integration relies on the [MISP-STIX](https://github.com/MISP/misp-stix) library to handle the conversion between MISP and STIX.
![misp2sentinel.png](/img/blog/misp2sentinel.png)
From a functional point of view, all indicators that can be synchronised via the Graph API, can be synchronised via the Upload Indicators API. There are some features missing in the STIX implementation of Sentinel and as a result some context information (identity, attack patterns) is lost. But it is only a matter of time before these are implemented on the Sentinel side, after which you can fully benefit from the STIX conversion.
## Sentinel Workspaces
In addition to the change to STIX, the new API also supports **Sentinel Workspaces**. This means you can send indicators to just one workspace, instead of pushing them globally.
## Configuration changes
If you used the old Graph API version before then it's worth having a look at the new [configuration settings](https://github.com/cudeso/misp2sentinel#what-are-the-configuration-changes-compared-to-the-old-graph-api-version) and [requirements](https://github.com/cudeso/misp2sentinel/blob/main/requirements.txt) before upgrading.
## GitHub repository
The code and documentation is at [https://github.com/cudeso/misp2sentinel](https://github.com/cudeso/misp2sentinel).
## Workflow
The 'workflow' of the integration is outlined in this diagram.
![misp2sentinel-workflow.png](/img/blog/misp2sentinel-workflow.png)
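Review bot: the deprecation link in the "Graph API and Upload Indicators API" paragraph points at the Azure AD Graph migration overview (`migrate-azure-ad-graph-overview`), while the sentence is about the Graph API this integration used to push threat indicators; either link to the deprecation notice for that threat-indicator endpoint or narrow the wording to say which Graph API was deprecated, so readers do not conclude that all of Microsoft Graph is retired. Minor: "setup" is used as a verb twice ("You still need to setup the *Python environment*", "setup the Python3 environment") and should read "set up", and the image alt texts (`misp2sentinel.png-2`, `misp2sentinel.png-1`) repeat the file name rather than describing the screenshot.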


@ -2,6 +2,10 @@
title: Curate events with an organisation confidence level
date: 2022-11-14
layout: post
authors:
- Koen Van Impe
tags: ["curation"]
categories: []
---
## Quality of threat intelligence
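Review bot: the hunk header announces four added lines for this 2022 curation post, but every line visible here is unchanged front-matter context; confirm the change is intentional (for example whitespace or a front-matter field not shown in this view) rather than an edit carried in accidentally from the branch, since nothing in the PR description relates to this file.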


@ -109,10 +109,11 @@ For the additional software created by the MISP project, check our [MISP project
* [MISP-IOC-Validator](https://github.com/tom8941/MISP-IOC-Validator/) validates the format of the different IOC from MISP and to remove false positive by comparing these IOC to existing known false positive.
* [misp-extractor](https://github.com/00gxd14g/misp-extractor) - Connects to a MISP instance and retrieves attributes of specific types src-ip,dst-ip,url,domain The retrieved attributes are then written to separate files.
* [misp-to-sentinel (Azure Function)](https://github.com/zolderio/misp-to-sentinel/) - Azure Function to export MISP intel to Azure Sentinel
* [misp-to-sentinel (on MISP server)](https://www.misp-project.org/2023/04/03/MISP-Sentinel.html/) - The MISP to Azure / Sentinel integration allows you to upload indicators from MISP to Microsoft Sentinel. It relies on PyMISP to get indicators from MISP and an Azure App and Threat Intelligence Data Connector in Azure.
* [misp-to-sentinel (on MISP server)](http://localhost:1313/2023/08/26/MISP-Sentinel-UploadIndicatorsAPI.html/) - The MISP to Microsoft (Azure) Sentinel integration allows you to upload indicators from MISP to Microsoft Sentinel. It relies on PyMISP to get indicators from MISP and an Azure App and Threat Intelligence Data Connector in Azure. This version supports the Upload Indicators API and the Graph API.
* [eCrimeLabs MISP Purge Events tool](https://github.com/eCrimeLabs/MISP-PurgeEvents) A python script to perform cleanup of old or unwanted events, including Blacklisted Events.
* [misp-takedown](https://github.com/rommelfs/misp-takedown) - A curses-style interface for automatic takedown notification based on MISP events.
* [misp-scraper](https://github.com/cudeso/misp-scraper) - A web scraper to create MISP events and reports
* [misp_to_zeek](https://github.com/cudeso/misp_to_zeek) - Export MISP indicators to Zeek intel framework
* [OpenDXL-ATD-MISP](https://github.com/mohl1/OpenDXL-ATD-MISP) - Automated threat intelligence collection with McAfee ATD, OpenDXL and MISP.
* [OpenDXL-MISP-IntelMQ-Output](https://github.com/mohl1/OpenDXL-MISP-IntelMQ-Output) - This use case is focusing on the automated real-time threat sharing with MISP (Malware Intelligence Sharing Platform), orchestration tool (IntelMQ) and OpenDXL. IntelMQ is used to collect data from the Malware Intelligence Sharing Platform (MISP), to parse and push intelligence via OpenDXL.
* [otx_misp](https://github.com/gcrahay/otx_misp/) imports Alienvault OTX pulses to a MISP instance.
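Review bot: the new `misp-to-sentinel (on MISP server)` entry links to `http://localhost:1313/2023/08/26/MISP-Sentinel-UploadIndicatorsAPI.html/`, a local development-server address that will be dead for every reader; replace it with the public site path, following the pattern of the entry above it (`https://www.misp-project.org/2023/04/03/MISP-Sentinel.html/`). Also, two consecutive entries now carry the identical label `misp-to-sentinel (on MISP server)`; either distinguish them (e.g. "Graph API version, April 2023" versus "Upload Indicators API version") or fold the old entry into the new one, since the new description already states that it supports both the Upload Indicators API and the Graph API.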

Binary files (four images) not shown; sizes 45 KiB, 12 KiB, 185 KiB and 14 KiB.