lnfernux
commented
1 year ago Updated today: was an error with the existing indicator hash file which caused each tenant after the first to not recieve any indicators. This is now fixed with some minor updates. Might be a better solution to this, but for multi tenant this is what I came up with:
- RequestManager now takes tenant as input
- RequestManager now postfixes the files with the tenantid to allow for separate files for each tenant
- New function in the init.py script that handles the run for each push
- pmain() only covers the loading of the json tenant object and the loop
- constants.py updated to remove file endings .txt and .json
TL;DR is I've taken this updated version of the misp2sentinel project and spliced with some code from https://github.com/zolderio/misp-to-sentinel to allow for multi-sentinel push. I've updated the documentation and added some best practice implementations like having some of the settings (mispkey, mispurl, timertrigger) be configurable from the Azure Function configuration tab.
It's mostly explained in the INSTALL.MD and in on my blog (https://www.infernux.no/MicrosoftSentinel-PushTIfromMISP/), but to list out some of the changes:
script.py(now__init__.pyfor Azure Function reasons) loops through a json object (tenants) which is added through a key vault reference.This has been tested on MISP 2.4.171 running on an Azure VM with Ubuntu 20.04 (latest updates) installed. The Azure Function tested was a Python 3.9 Linux function running the consumption plan and no other settings other than default.
The full testing and setup can be found on my blog https://www.infernux.no/MicrosoftSentinel-PushTIfromMISP/