This blog is about integrating MISP² Threat Intelligence in Azure Sentinel¹ and Microsoft Defender ATP³ to search IoC (Indicator of Compromise: e.g. IP-address, domain names, hashes, etc.) in all connected log sources (Data collections) to Detect the presence of threats and automate Respond (block).
¹ Microsoft Azure Sentinel is the cloud-native SIEM solution from Microsoft, which leverages the power of the cloud like scaled resources and built-in features like Advanced Analytics, Artificial Intelligence, and Fusion/Machine Learning.
² MISP (Malware Information Sharing Platform) is an open-source solution for threat intelligence (collecting and sharing).
³ Microsoft Defender ATP is the EDR (Endpoint Detection & Response) solution from Microsoft.
MISP setup
This part will describe the setup of the MISP back-end infrastructure in Azure IaaS (Infrastructure as a Service). As Microsoft partner, we use Microsoft Azure to host the Virtual Machine, but any platform is supported. The advantage of Azure is advanced Security features like Linux Threat Detection and JIT (Just-In-Time) Access (more details later in the document).
Kali Linux
Install Kali Linux from the Azure Marketplace in Azure IaaS (in the future we will use containers, more secure, but for now a Virtual Machine will do the job).
Static IP
Because MISP is a web-based solution, configure the public IP in Azure as Static
Ports
MISP uses a different port for different solutions like the MISP Main Web UI, MISP Live Dashboard, Viper Web UI, and modules.
Pro-tip: use Azure Just-In-Time VM Access to close the remote access SSH port (mitigate brute force SSH attacks) and only open the port from a trusted IP-address for a predefined amount of time (e.g., 3 hours), this feature requires the Azure Security Center Standard Tier license.
MISP Installation
This part will describe the installation of MISP on the Kali Linux VM. Login to the VM via PuTTY on the public IP on port 22 (SSH protocol).
First, we need continues root permissions for the installation (in Azure Kali Linux this is not by default).
misp@<machine>:~$ sudo -i
Install MISP
misp@<machine>:~$ wget -O /tmp/misp-kali.sh
https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh && bash /tmp/misp-kali.sh
MISP is successfully installed.
Create a hosts file with a MISP DNS name and the public IP of the Azure VM.
MISP Authentication
This part will describe the configuration of MISP. Login to MISP via a web-browser to the DNS name in the host’s file (e.g., misp.local). For Security add a (self-signed or 3rd party) SSL certificate to prevent credential theft (e.g., Man-in-the-Middle attack).
Change Site Admin Password
Change the default Admin password to a complex password by logging on to the system for the first time with the default credentials (admin@admin.test)
Password policy
• [12]: Ensure that the password is at least 12 characters long
• [A-Z]: contains at least one upper-case
• [0-9| ]: includes a digit or a unique character
• [a-z]: at least one lower-case character
A new Admin will be created at a later stage.
MISP Configuration
The final steps are the configuration of the MISP environment.
SSL configuration
Store the SSL certificate on the Virtual Machine and set the Apache configuration
So access to MISP is secured via SSL. Config file (/etc/apache2/sites-enabled/*.conf) example:
Change the misp.domain.tld and misp.local to a custom owned domain like misp.company.com. The name registered in the certificate.
Reload Apache config:
misp@<machine>:~$ apachectl graceful
Set Domain Name
Set the domain name (e.g. misp.company.com) via ‘Administration’ -> ‘Server Settings & Maintenance’ and change the MISP.baseurl and MISP.external_baseurl.
Set the organization name
Change the organization name:
• Global Actions
• Organisations
• Select the ORGNAME
• Edit Organisation
Activate feeds
Feeds are resources containing IoCs (Indicators of Compromise) that will be automatically imported in MISP at regular intervals. A set of default feeds is available in MISP (e.g. OSINT). To add feeds, select List Feeds from the Sync Actions menu.
Workers
Verify all workers are up-and-running ‘Administration’ -> ‘Server Settings & Maintenance’ -> ‘Workers’. If a worker is stopped, start a worker.
Events
In the Event Actions (List Events) the Event(s) should start to populate.
Using the API
MISP has an API available to leverage and to pull data.
Get the authentication key
The MISP URL and the MISP Authorization key are required for the API. The key is retrieved via ‘Event and Actions’ -> ‘Automation’
Call the API
The goal is to retrieve IoCs (file hash in this example) from MISP. To call the API use the cURL via the Windows Command prompt:
By executing the command, the result is all sha256 checksums last day. Command example and explanation:
“curl –header “Content-Type: application/json” –header “Accept: application/json” –header “<Authorization: KeyHere>” https://misp.company.com/events/hids/sha256/download/false/false/false/1d”
–header
Three headers are set: ‘content type’, ‘accept type’ and the ‘Authorization key’. Without the Authorization key the call will fail with a 403 forbidden response.
The last value is the MISP API URL which contains some parameters.
For more information on the MISP API see https://www.circl.lu/doc/misp/automation/#get-/events/hids-hash—hids-database-export
Results
After completing the previous step, the results are a list of hashes.
With the file hashes, we can investigate in MISP but also use in Azure Sentinel (Detect) and/or Microsoft Defender ATP (Detect & Respond)
Azure Sentinel
Azure Sentinel uses log searches or can leverage Jupyter Notebooks which both use the KQL (Kustom Query Language) queries to (for example) search for IoC’s (file hashes in this example) in all Azure Sentinel log resources (Data connectors).
Below is an example of a log search with a file hash from MISP.
The result is the hash exists in the environment, so the second step is to investigate further (e.g. root cause analysis) or leverage the new Microsoft Defender ATP feature ‘custom Indicator of Compromise’ to audit of block the file (hash).
Microsoft Defender ATP ‘Indicator of Compromise’
The new Indicator feature of Microsoft Defender ATP adds the option to add IoCs (e.g. file hashes, IP addresses or URLs/Domains) to the audit of block malicious Indicators.
For more information on the new MDATP feature, Indicator see https://docs.microsoft.com/en-us/graph/api/tiindicators-post?view=graph-rest-beta&tabs=cs
This blogpost is written by the InSpark SecOps Team. You can contact us below this blogpost, of find us on LinkedIn.
