Closed Prab2010 closed 4 days ago
Can you provide an example of the filters you're using? Either way, the API filters described at https://www.misp-project.org/openapi/#tag/Events/operation/restSearchEvents can be used.
Basically, I've added a custom tag to each custom feed and am trying to filter events (a specific instance should receive only events with a particular custom tag). I used the following event filters with the tag parameter.

```python
misp_event_filters = {
    "published": 1,
    "tags": ["workflow:state=\"complete\""],
    # note: "tags" appears a second time below; in a Python dict literal the
    # later key silently replaces the earlier one, so only the last list is kept
    "tags": ["feedname=customfeed a"],
    "enforceWarninglist": True,
    "includeEventTags": True,
    "publish_timestamp": "14d",
}
```
In your example,
[ "workflow:state=\"complete\""]
Thanks @cudeso. I will give it a try. Is there a better way to achieve this? I would like to control the feeds for the different Sentinel instances.
What would you like to do with the feeds exactly? Send all feed data to Sentinel? Send only a subset of feeds to Sentinel? Some feeds (I think the one from abuse.ch) also have a direct connector in Sentinel. Depending on your use case it might be easier to get them directly in Sentinel, instead of going through MISP. But please explain more what you'd like to do with the feeds.
I'm seeking granular control over feeds, specifically the ability to selectively push a feed to different Sentinel instances. For instance, feed source A should be propagated to all Sentinel instances across different tenancies, and feed source B should be propagated only to a specific Sentinel instance. Unfortunately, the feeds must be pushed through MISP.
I read the documentation at https://www.infernux.no/MicrosoftSentinel-PushTIfromMISP/, and controlling the feeds per Sentinel instance is still the requirement. Thanks to @lnfernux for the blog post.
@Prab2010 so for this use case you would need one azure function per subset of customers. There's currently no support for applying a specific filter to a certain workspace, nor is there support for grouping workspaces into a group/subset and having a filter for them.
I think it could be great if someone wanted to look at integrating that!
Also some notes to self; if we remove the secret from the json-blob containing the tenantid, id and workspaceid we could in theory (if using a single app reg multi tenant) have one kv-variable for the secret, and then have the other settings as a non-secret application value which would make it easier to manage. We could also then add support for "group": "
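An added example, not code from misp2sentinel or from anyone in this thread, showing the two points above in working Python: a filter dict with a single "tags" key (the posted filter repeats the key, so the first list is dropped), and a local routing table that decides which Sentinel workspaces an event goes to based on its tags, which is the per-workspace filtering the thread says is not supported today. The workspace names, feed tags and sample event are constructed placeholders; the server-side semantics of a multi-valued "tags" filter are whatever the MISP restSearch API defines, so the required-tag check is done locally on the tags returned with includeEventTags.

```python
from typing import Dict, List

# Constructed routing table: workspace -> tags an event must carry to be pushed there.
# An empty list means the workspace receives every event (feed source A in the thread).
WORKSPACE_RULES: Dict[str, List[str]] = {
    "workspace-tenant-1": [],
    "workspace-tenant-2": [],
    "workspace-tenant-3": ["feedname=customfeed b"],  # feed source B, one tenant only
}

# Filters common to every restSearch call (same keys as the posted filter).
BASE_FILTERS = {
    "published": 1,
    "enforceWarninglist": True,
    "includeEventTags": True,
    "publish_timestamp": "14d",
}


def build_event_filters(feed_tag: str) -> dict:
    """Return a restSearch filter dict that carries exactly one 'tags' key.

    Writing 'tags' twice in a dict literal keeps only the last value, so the
    feed tag is placed in a single list here instead of a second 'tags' entry.
    """
    filters = dict(BASE_FILTERS)
    filters["tags"] = [feed_tag]
    return filters


def event_tag_names(event: dict) -> List[str]:
    """Tag names of one MISP event as returned with includeEventTags (handles the 'Event' wrapper)."""
    body = event.get("Event", event)
    return [tag["name"] for tag in body.get("Tag", [])]


def workspaces_for_event(event_tags: List[str]) -> List[str]:
    """Workspaces whose rule is satisfied: every required tag is present on the event."""
    present = set(event_tags)
    return [ws for ws, required in WORKSPACE_RULES.items() if set(required) <= present]


# Constructed sample event in the shape restSearch returns with includeEventTags.
SAMPLE_EVENT = {
    "Event": {
        "id": "2",
        "Tag": [{"name": "feedname=customfeed b"}, {"name": 'workflow:state="complete"'}],
    }
}

if __name__ == "__main__":
    print(build_event_filters("feedname=customfeed a"))
    print(workspaces_for_event(event_tag_names(SAMPLE_EVENT)))
```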
@cudeso
Regarding the event filters, I experienced the conversion error with the filter "tags": ["tlp:white"], so I assume the tag filter looks good.
This is the Error in the logs.
Error when processing data in event 2 from MISP Unexpected properties for Identity: (interoperability).. Most likely a MISP-STIX conversion problem.
The error indicates the object/attribute is not recognised by STIX (or by the conversion). Currently Microsoft Sentinel does not support all STIX objects (also see https://github.com/cudeso/misp2sentinel/?tab=readme-ov-file#stix-instead-of-misp-json). The error is not a blocking one; other MISP attributes, such as IPs, hashes, etc., should still be synchronised.
Closing pending feedback
I'm using multiple Sentinel instances and using PyMISP to push the IOCs to the Sentinel instances. I need to filter/control the events being pushed to Sentinel. I'm trying with event filters and tags, with no luck.