Closed lnfernux closed 1 year ago
Updated today: there was an error with the existing indicator hash file which caused each tenant after the first to not receive any indicators. This is now fixed with some minor updates. There might be a better solution to this, but for multi-tenant this is what I came up with:
TL;DR is I've taken this updated version of the misp2sentinel project and spliced it with some code from https://github.com/zolderio/misp-to-sentinel to allow for multi-Sentinel push. I've updated the documentation and added some best practice implementations like having some of the settings (mispkey, mispurl, timertrigger) be configurable from the Azure Function configuration tab.
It's mostly explained in the INSTALL.MD and on my blog (https://www.infernux.no/MicrosoftSentinel-PushTIfromMISP/), but to list out some of the changes:
script.py (now __init__.py for Azure Function reasons) loops through a json object (tenants) which is added through a key vault reference.
This has been tested on MISP 2.4.171 running on an Azure VM with Ubuntu 20.04 (latest updates) installed. The Azure Function tested was a Python 3.9 Linux function running the consumption plan and no other settings other than default.
The full testing and setup can be found on my blog https://www.infernux.no/MicrosoftSentinel-PushTIfromMISP/
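As an added illustration of the two points in the description above (the tenants JSON read from an app setting, and the per-tenant indicator history that stops later tenants from being starved), here is example code that is not from this PR, misp2sentinel or misp-to-sentinel; the function names, the tenant field names and the sample tenant values are assumptions, and the history is kept in memory rather than in the hash file the PR uses:

```python
import json
import os
from typing import Dict, List, Set

# Constructed sample in the shape described: a JSON list of tenants supplied
# through an app setting (in Azure, typically a Key Vault reference).
SAMPLE_TENANTS_JSON = json.dumps([
    {"tenantId": "00000000-0000-0000-0000-000000000001", "workspaceId": "ws-1",
     "clientId": "app-1", "clientSecret": "placeholder-secret-1"},
    {"tenantId": "00000000-0000-0000-0000-000000000002", "workspaceId": "ws-2",
     "clientId": "app-2", "clientSecret": "placeholder-secret-2"},
])

# Assumed field names; the real project may use different keys.
REQUIRED_KEYS = ("tenantId", "workspaceId", "clientId", "clientSecret")


def load_tenants(raw_json: str) -> List[Dict[str, str]]:
    """Parse the tenants setting and fail loudly on any malformed entry,
    so a bad config is caught at startup instead of silently skipping a tenant."""
    tenants = json.loads(raw_json)
    if not isinstance(tenants, list):
        raise ValueError("tenants setting must be a JSON list")
    for entry in tenants:
        missing = [k for k in REQUIRED_KEYS if not entry.get(k)]
        if missing:
            raise ValueError(f"tenant entry is missing {missing}")
    return tenants


def select_unsent_per_tenant(tenants: List[Dict[str, str]],
                             indicators: List[Dict[str, str]],
                             seen: Dict[str, Set[str]]) -> Dict[str, list]:
    """Return, keyed by tenantId, the indicators not yet delivered to that tenant.

    `seen` is keyed by tenantId: one shared history set is exactly what makes
    every tenant after the first see nothing new."""
    delivered: Dict[str, list] = {}
    for tenant in tenants:
        history = seen.setdefault(tenant["tenantId"], set())
        fresh = [i for i in indicators if i["id"] not in history]
        history.update(i["id"] for i in fresh)
        delivered[tenant["tenantId"]] = fresh
    return delivered


if __name__ == "__main__":
    # Mirror the Function app setting; fall back to the constructed sample offline.
    cfg = load_tenants(os.environ.get("tenants", SAMPLE_TENANTS_JSON))
    print(select_unsent_per_tenant(cfg, [{"id": "ioc-1"}], {}))
```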