{"id":9666,"date":"2019-06-07T11:30:39","date_gmt":"2019-06-07T11:30:39","guid":{"rendered":"https:\/\/www.inspark.nl\/?p=9666"},"modified":"2023-10-20T11:57:17","modified_gmt":"2023-10-20T11:57:17","slug":"misp-threat-intelligence-azure-sentinel","status":"publish","type":"post","link":"https:\/\/www.inspark.nl\/misp-threat-intelligence-azure-sentinel\/","title":{"rendered":"MISP threat intelligence in Azure Sentinel & MDATP ‘IoC’ feature"},"content":{"rendered":"

This blog is about integrating MISP<\/strong>\u00b2 Threat Intelligence in Azure Sentinel<\/strong>\u00b9 and Microsoft Defender ATP<\/strong>\u00b3 to search for IoCs<\/strong>\u00a0(Indicators of Compromise: e.g. IP addresses, domain names, hashes, etc.) in all connected log sources (Data collections) in order to Detect<\/strong> the presence of threats and automate the Respond step (block).<\/p>\n

\u00b9 Microsoft Azure Sentinel<\/strong> is the cloud-native SIEM solution from Microsoft, which leverages the power of the cloud like scaled resources and built-in features like Advanced Analytics, Artificial Intelligence, and Fusion\/Machine Learning.<\/p>\n

\u00b2 MISP<\/strong> (Malware Information Sharing Platform<\/strong>) is an open-source solution for threat intelligence (collecting and sharing).<\/p>\n

\u00b3 Microsoft Defender ATP<\/strong> is the EDR (Endpoint Detection & Response) solution from Microsoft.<\/p>\n

MISP setup<\/h2>\n

This part will describe the setup of the MISP back-end infrastructure in Azure IaaS (Infrastructure as a Service<\/em>). As a Microsoft partner, we use Microsoft Azure to host the Virtual Machine, but any platform is supported. The advantage of Azure is its advanced security features, such as Linux Threat Detection and JIT (Just-In-Time) VM Access (more details later in the document).<\/p>\n

Kali Linux
\n<\/strong>Install Kali Linux from the Azure Marketplace in Azure IaaS (in the future we will move to containers, which are more secure, but for now a Virtual Machine will do the job).<\/p>\n

[Image]<\/p>\n

Static IP
\n<\/strong>Because MISP is a web-based solution, configure the public IP in Azure as static.<\/p>\n

[Image]<\/p>\n

Ports<\/strong><\/p>\n

MISP uses a different port for each of its components, such as the MISP main web UI, the MISP Live Dashboard, the Viper web UI and the MISP modules.<\/p>\n

[Image]<\/p>\n

Pro-tip<\/em>: use Azure Just-In-Time VM Access to keep the remote access SSH port closed (mitigating SSH brute-force attacks) and only open it from a trusted IP address for a predefined amount of time (e.g., 3 hours). This feature requires the Azure Security Center Standard Tier license.<\/p>\n

MISP Installation<\/h2>\n

This part will describe the installation of MISP on the Kali Linux VM. Log in to the VM via PuTTY on the public IP on port 22 (SSH protocol).
\nFirst, we need root permissions for the whole installation (in the Azure Kali Linux image this is not the default), so switch to a root shell.<\/p>\n

misp@<machine><\/em>:~$ sudo -i
\n<\/em>Install MISP:
\nmisp@<machine><\/em>:~$ wget -O \/tmp\/misp-kali.sh https:\/\/raw.githubusercontent.com\/MISP\/MISP\/2.4\/INSTALL\/INSTALL.sh && bash \/tmp\/misp-kali.sh<\/p>\n

MISP is successfully installed.<\/p>\n

Create a hosts file with a MISP DNS name and the public IP of the Azure VM.<\/p>\n

[Image]<\/p>\n

MISP Authentication<\/h2>\n

This part will describe the configuration of MISP. Log in to MISP via a web browser using the DNS name from the hosts file (e.g., misp.local). For security, add a (self-signed or third-party) SSL certificate to prevent credential theft (e.g., via a Man-in-the-Middle attack).<\/p>\n

Change Site Admin Password<\/strong>
\nChange the default admin password to a complex password by logging on to the system for the first time with the default credentials (admin@admin.test).<\/p>\n

[Image]
\n[Image]<\/p>\n

Password policy<\/strong>
\n\u2022 [12]: ensure that the password is at least 12 characters long
\n\u2022 [A-Z]: contains at least one upper-case character
\n\u2022 [0-9| ]: includes a digit or a special character
\n\u2022 [a-z]: contains at least one lower-case character<\/p>\n

A new Admin will be created at a later stage.<\/p>\n

MISP Configuration<\/h2>\n

The final steps are the configuration of the MISP environment.<\/p>\n

SSL configuration<\/h3>\n

Store the SSL certificate on the Virtual Machine and set the Apache configuration
\nso that access to MISP is secured via SSL. Config file (\/etc\/apache2\/sites-enabled\/*.conf) example:<\/p>\n

[Image]<\/p>\n

Change misp.domain.tld<\/em> and misp.local<\/em> to a custom owned domain like misp.company.com<\/em>, i.e. the name registered in the certificate.<\/p>\n

Reload Apache config:
\nmisp@<machine><\/em>:~$ apachectl graceful<\/p>\n

Set Domain Name<\/h3>\n

Set the domain name (e.g. misp.company.com<\/em>) via \u2018Administration\u2019 -> \u2018Server Settings & Maintenance\u2019 and change the MISP.baseurl<\/em> and MISP.external_baseurl<\/em>.<\/p>\n

[Image]<\/p>\n

Set the organization name<\/strong>
\nChange the organization name:
\n\u2022 Global Actions
\n\u2022 Organisations
\n\u2022 Select the ORGNAME
\n\u2022 Edit Organisation<\/p>\n

[Image]<\/p>\n

Activate feeds<\/h2>\n

Feeds are resources containing IoCs (Indicators of Compromise) that will be automatically imported in MISP at regular intervals. A set of default feeds<\/a> is available in MISP (e.g. OSINT). To add feeds, select List Feeds from the Sync Actions menu.<\/p>\n

[Image]<\/p>\n

Workers<\/strong>
\nVerify that all workers are up and running via \u2018Administration\u2019 -> \u2018Server Settings & Maintenance\u2019 -> \u2018Workers\u2019. If a worker is stopped, start it.<\/p>\n

[Image]<\/p>\n

Events<\/strong>
\nIn Event Actions (List Events) the events should start to populate.<\/p>\n

[Image]<\/p>\n

Using the API<\/h2>\n

MISP has an API available to leverage and to pull data.<\/p>\n

Get the authentication key<\/strong>
\nThe MISP URL and the MISP authorization key are required for the API. The key is retrieved via \u2018Event Actions\u2019 -> \u2018Automation\u2019.<\/p>\n

[Image]<\/p>\n

Call the API<\/strong>
\nThe goal is to retrieve IoCs (file hashes in this example) from MISP. To call the API, use cURL from the Windows Command Prompt:<\/p>\n

[Image]<\/p>\n

By executing the command, the result is all SHA-256 checksums from the last day. Command example and explanation:<\/p>\n

curl --header \"Content-Type: application\/json\" --header \"Accept: application\/json\" --header \"Authorization: <KeyHere>\" https:\/\/misp.company.com\/events\/hids\/sha256\/download\/false\/false\/false\/1d<\/a>
\n--header<\/p>\n

Three headers are set: \u2018Content-Type\u2019, \u2018Accept\u2019 and the \u2018Authorization\u2019 key. Without the Authorization key the call will fail with a 403 Forbidden response.
\nThe last value is the MISP API URL, which contains the export parameters: hids\/sha256 selects the SHA-256 HIDS export, the three false values leave the tag, from and to filters unset, and 1d restricts the export to the last day.<\/p>\n

[Image]<\/p>\n

For more information on the MISP API see https:\/\/www.circl.lu\/doc\/misp\/automation\/#get-\/events\/hids-hash—hids-database-export<\/a><\/p>\n

Results<\/strong>
\nAfter completing the previous step, the results are a list of hashes.<\/p>\n

[Image]<\/p>\n

With the file hashes, we can investigate in MISP, but also use them in Azure Sentinel (Detect) and\/or Microsoft Defender ATP (Detect & Respond).<\/p>\n

Azure Sentinel<\/h2>\n

Azure Sentinel uses log searches or can leverage Jupyter Notebooks, which both use KQL (Kusto Query Language) queries to (for example) search for IoCs (file hashes in this example) in all Azure Sentinel log sources (Data connectors).
\nBelow is an example of a log search with a file hash from MISP.<\/p>\n

[Image]<\/p>\n

The result is that the hash exists in the environment, so the second step is to investigate further (e.g. root cause analysis) or leverage the new Microsoft Defender ATP feature \u2018custom Indicator of Compromise\u2019 to audit or block the file (hash).<\/p>\n

Microsoft Defender ATP ‘Indicator of Compromise’<\/h2>\n

The new Indicator feature of Microsoft Defender ATP adds the option to add IoCs (e.g. file hashes, IP addresses or URLs\/domains) in order to audit or block malicious indicators.<\/p>\n

[Image]<\/p>\n

For more information on the new MDATP Indicator feature, see https:\/\/docs.microsoft.com\/en-us\/graph\/api\/tiindicators-post?view=graph-rest-beta&tabs=cs<\/a><\/p>\n

This blog post is written by the InSpark SecOps Team. You can contact us below this blog post, or find us on LinkedIn.<\/p>\n

Derk van der Woude<\/a>, Mikail Corum<\/a> and Mark Foppen<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

This blog is about integrating MISP\u00b2 Threat Intelligence in Azure Sentinel\u00b9 and Microsoft Defender ATP\u00b3 to search IoC\u00a0(Indicator of Compromise: e.g. IP-address, domain names, hashes, etc.) in all connected log sources (Data collections) to Detect the presence of threats and automate Respond (block). \u00b9 Microsoft Azure Sentinel is the cloud-native SIEM solution from Microsoft, which … Continued<\/a><\/p>\n","protected":false},"author":16,"featured_media":4943,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7389],"tags":[7395,7391],"acf":[],"_links":{"self":[{"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/posts\/9666"}],"collection":[{"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/comments?post=9666"}],"version-history":[{"count":16,"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/posts\/9666\/revisions"}],"predecessor-version":[{"id":18728,"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/posts\/9666\/revisions\/18728"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/media\/4943"}],"wp:attachment":[{"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/media?parent=9666"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/categories?post=9666"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inspark.nl\/wp-json\/wp\/v2\/tags?post=9666"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}