This code can be used to create an Azure Function that writes threat intelligence from a MISP instance to Microsoft Sentinel. The code is a modified version of the following repository: https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/MISP

For some context about this project, in Dutch, please read the MISP to Microsoft Sentinel Whitepaper:

• An Azure Subscription
• A Microsoft Sentinel Instance (see /doc/SetupMicrosoftSentinel.md)
• API and URL of your MISP instance

Full instructions in INSTALL.md

In summary:

1. Create an App in the same Microsoft tenant where the Sentinel instance resides. The app requires the ThreatIndicators.ReadWrite.OwnedBy (Application type) permission.
2. Create a Keyvault in your Azure subscription
3. Add a new secret with the name "tenants" and the following value (its possible to add multiple Sentinel instances, it will loop all occurences):

{"<TENANT_ID_WITH_APP>": {"id": "<APP_ID>", "secret": "APP_SECRET"} }

4. Create an Azure Function in your Azure subscription
5. Modify config.py to your needs (misp instance domain, API key, event filter etc). Upload the code to your Azure Function.
6. Add a "New application setting" (env variable) to your Azure Function named "tenants". Create a reference to the key vault previously created

Attic Security is a solution by Zolder BV to harden and monitor public cloud solutions. Attic can be connected to a Microsoft365 tenant, and can implement Microsoft Sentinel in an automated fashion. An optional feature is the connection to a MISP server for threat intelligence.

Learn more: https://atticsecurity.com

If the installation was successful, the MISP data should be written to your Sentinel instance on 00:00 every day. Use the following query to test if the data was written successfully:

ThreatIntelligenceIndicator

Find examples of KQL queries and Azure Playbooks in /doc/ExampleKQLandPlaybooks.md