cudeso / misp2sentinel

MISP to Sentinel integration
MIT License

Filter Events based on Multiple Sentinel instance #94

Closed Prab2010 closed 4 days ago

Prab2010 commented 1 month ago

I'm using multiple Sentinel instances and using PyMISP to push the IOCs to the Sentinel instances. I need to filter/control the events pushed to Sentinel. I'm trying with event filters and tags, with no luck.

cudeso commented 1 month ago

Can you provide an example of the filters you're using? Either way, the API filters described at https://www.misp-project.org/openapi/#tag/Events/operation/restSearchEvents can be used.

Prab2010 commented 3 weeks ago

Basically I've added a custom tag to each custom feed and am trying to filter events (a specific instance should receive only events with a particular custom tag), using the following event filters with the tag parameter.

```python
# Filter as posted, reformatted. The original dict had two "tags" keys, so
# Python kept only the second one and the workflow tag was silently dropped;
# both tags are combined here into one restSearch AND clause.
misp_event_filters = {
    "published": 1,
    "tags": {"AND": ["workflow:state=\"complete\"", "feedname=customfeed a"]},
    "enforceWarninglist": True,
    "includeEventTags": True,
    "publish_timestamp": "14d",
}
```

cudeso commented 3 weeks ago

In your example,

Prab2010 commented 3 weeks ago

Thanks @cudeso. I will give it a try. Is there a better way to achieve this? I would like to control the feeds for the different Sentinel instances.

cudeso commented 3 weeks ago

What would you like to do with the feeds exactly? Send all feed data to Sentinel? Send only a subset of feeds to Sentinel? Some feeds (I think the one from abuse.ch) also have a direct connector in Sentinel. Depending on your use case it might be easier to get them directly in Sentinel, instead of going through MISP. But please explain more what you'd like to do with the feeds.

Prab2010 commented 3 weeks ago

I'm seeking granular control over feeds, specifically the ability to selectively push a feed to different Sentinel instances. For instance, feed source A should be propagated to all Sentinel instances in different tenancies and feed source B should be propagated only to a specific Sentinel instance. Unfortunately, feeds must be pushed through MISP.

I read the documentation at https://www.infernux.no/MicrosoftSentinel-PushTIfromMISP/ and controlling the feeds to different Sentinel instances is still the requirement. Thanks to @lnfernux for the blog post.

lnfernux commented 3 weeks ago

@Prab2010 so for this use case you would need one Azure function per subset of customers. There's currently no support for applying a specific filter to a certain workspace, nor is there support for grouping workspaces into a group/subset and having a filter for them.

I think it could be great if someone wanted to look at integrating that!

Also some notes to self: if we remove the secret from the JSON blob containing the tenantid, id and workspaceid, we could in theory (if using a single multi-tenant app reg) have one kv-variable for the secret, and then have the other settings as a non-secret application value, which would make it easier to manage. We could also then add support for "group": "" and be able to add a filter per group potentially.
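One way the per-group filtering sketched above could look, as an added example that is not misp2sentinel code: the `group` key on each workspace entry, the `GROUP_FILTERS` mapping and the function names are assumptions, and nothing here contacts MISP or Sentinel. Tag constraints are merged into a single restSearch `{"AND": [...]}` clause so that no filter needs a duplicated `"tags"` key, and an unknown group fails closed instead of silently receiving every event.

```python
"""Per-group MISP event filters for several Sentinel workspaces (added example)."""
import copy

# Constructed workspace entries, shaped like the tenantid/workspaceid blob
# with the secret removed, extended with an assumed "group" key.
WORKSPACES = [
    {"tenantId": "tenant-a", "workspaceId": "ws-a", "group": "all"},
    {"tenantId": "tenant-b", "workspaceId": "ws-b", "group": "customer-b"},
]

# Filter applied to every workspace (MISP restSearch parameters).
BASE_FILTERS = {
    "published": 1,
    "publish_timestamp": "14d",
    "enforceWarninglist": True,
    "includeEventTags": True,
}

# Extra constraints per group (assumed mapping). "all" adds nothing.
GROUP_FILTERS = {
    "all": {},
    "customer-b": {"tags": ['workflow:state="complete"', "feedname=customfeed a"]},
}


def merge_tags(*tag_lists):
    """Combine several tag lists into one restSearch AND clause, or None."""
    tags = [t for tl in tag_lists for t in (tl or [])]
    return {"AND": tags} if tags else None


def filters_for_workspace(ws):
    """Build the restSearch filter for one workspace; unknown groups fail closed."""
    group = ws.get("group")
    if group not in GROUP_FILTERS:
        raise ValueError(f"workspace {ws.get('workspaceId')}: unknown group {group!r}")
    extra = GROUP_FILTERS[group]
    filters = copy.deepcopy(BASE_FILTERS)
    filters.update({k: v for k, v in extra.items() if k != "tags"})
    tags = merge_tags(BASE_FILTERS.get("tags"), extra.get("tags"))
    if tags:
        filters["tags"] = tags
    return filters


def build_routing(workspaces):
    """Return {workspaceId: filter}, i.e. one MISP search per workspace."""
    return {ws["workspaceId"]: filters_for_workspace(ws) for ws in workspaces}
```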

Prab2010 commented 2 weeks ago

@cudeso

Regarding the event filters, I experienced a conversion error with the filter "tags": ["tlp:white"]; I assume the tag filter looks good.

This is the Error in the logs.

Error when processing data in event 2 from MISP Unexpected properties for Identity: (interoperability).. Most likely a MISP-STIX conversion problem.

cudeso commented 2 weeks ago

The error indicates the object/attribute is not recognised by STIX (or by the conversion). Currently Microsoft Sentinel does not support all STIX objects (also see https://github.com/cudeso/misp2sentinel/?tab=readme-ov-file#stix-instead-of-misp-json). The error is not a blocking one; other MISP attributes, such as IPs, hashes, etc., should still be synchronised.

cudeso commented 4 days ago

Closing pending feedback