cudeso / misp2sentinel

MISP to Sentinel integration
MIT License
52 stars, 17 forks

Use PyMISP instead of ExpandedPyMISP #97

Closed iglocska closed 1 week ago

iglocska commented 1 week ago
cudeso commented 1 week ago

Thank you for the update and change. Will have a look in the Gitter conversation shortly.

iglocska commented 5 days ago

Cheers, there are some more questions over there in regards to misp2sentinel if you are having a lot of downtime (sorry, bad joke :))

rahulb123acc commented 5 days ago

Thank you for the update. The script now runs without any error, but I don't see any data forwarded to Sentinel. Is there any particular log file that captures errors while running the script.py file?

rahulb123acc commented 5 days ago

I was able to find the log file and it says the indicators were sent to Microsoft Graph Security as below, but I don't see any indicators in Sentinel:

```
2024-07-02 19:18:27,196 - misp2sentinel - INFO - Sending security indicators to Microsoft Graph Security
2024-07-02 19:18:27,196 - misp2sentinel - INFO - 2206 indicators are parsed from MISP events. Only those that do not exist in Microsoft Graph Security will be sent.
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Script finished running
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total indicators sent: 417
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total response success: 417
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total response error: 0
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total indicators deleted: 0
2024-07-02 19:18:27,202 - misp2sentinel - INFO - End MISP2Sentinel
2024-07-02 19:31:10,199 - misp2sentinel - INFO - Start MISP2Sentinel
2024-07-02 19:31:10,199 - misp2sentinel - INFO - Fetching and parsing data from MISP ...
2024-07-02 19:31:10,200 - misp2sentinel - INFO - Using Microsoft Graph API
2024-07-02 19:31:11,033 - misp2sentinel - INFO - Sending security indicators to Microsoft Graph Security
2024-07-02 19:31:11,033 - misp2sentinel - INFO - 2206 indicators are parsed from MISP events. Only those that do not exist in Microsoft Graph Security will be sent.
2024-07-02 19:31:11,038 - misp2sentinel - INFO - Script finished running
```

cudeso commented 5 days ago

Hello @rahulb123acc , can you use this Kusto query to check if there are new indicators in Sentinel?

```kusto
ThreatIntelligenceIndicator
| sort by TimeGenerated desc
```

rahulb123acc commented 5 days ago

Hi @cudeso, thanks for the response. I did run the query in the Azure Log Analytics workspace, but I don't see any data from MISP. Note: I have data from other threat intel sources feeding into the same table.

rahulb123acc commented 4 days ago

Hello, I'm now able to upload the data to Sentinel. The issue was related to SSL communication failing toward the below endpoint while uploading data to Sentinel:

```
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='sentinelus.azure-api.net', port=443): Max retries exceeded with url: /551840fc-9571-4acb-8de9-96f1c63909fd/threatintelligence:upload-indicators?api-version=2022-07-01 (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:997)')))
```

Regards, Rahul

cudeso commented 4 days ago

Hi, I guess this is then related to a proxy blocking/intercepting the request?

rahulb123acc commented 4 days ago

Yes! The communication to the endpoint "sentinelus.azure-api.net" on port 443 was blocked at the firewall level.

cudeso commented 4 days ago

@rahulb123acc good; I'll also add a list of domains that need whitelisting to the documentation; started tracking them in https://github.com/cudeso/misp2sentinel/issues/99
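The `SSLEOFError` above surfaced only after the script had already reported indicators as sent, and turned out to be a firewall block. As an added example (not misp2sentinel's own code), the following preflight opens a verified TLS handshake to the upload host named in that error and classifies the failure, and `triage_log_line` applies the same classification to an error line from the script's log; the host name comes from the thread, the verdict labels are my own.

```python
# Added example (not misp2sentinel code): TLS preflight for the Sentinel upload
# endpoint named in the MaxRetryError above, plus a triage helper for such log lines.
import socket
import ssl
from dataclasses import dataclass

SENTINEL_UPLOAD_HOST = "sentinelus.azure-api.net"  # host taken from the error in this thread

# Substrings of urllib3/requests error text mapped to a verdict. Order matters:
# SSLEOFError and CERTIFICATE_VERIFY_FAILED must match before the generic SSLError.
_MARKERS = (
    ("SSLEOFError", "tls-eof"),                          # peer closed mid-handshake: blocked/reset
    ("CERTIFICATE_VERIFY_FAILED", "tls-cert-mismatch"),  # typical of a TLS-intercepting proxy
    ("SSLError", "tls-error"),
    ("NameResolutionError", "dns-failure"),
    ("gaierror", "dns-failure"),
    ("Connection refused", "tcp-refused"),
    ("timed out", "tcp-timeout"),                        # silently dropping firewall
)

@dataclass
class PreflightResult:
    host: str
    ok: bool
    verdict: str
    detail: str

def triage_log_line(line: str) -> str:
    """Classify an error line as the script logs it (or any requests traceback text)."""
    for marker, verdict in _MARKERS:
        if marker in line:
            return verdict
    return "unknown"

def preflight(host: str = SENTINEL_UPLOAD_HOST, port: int = 443, timeout: float = 5.0) -> PreflightResult:
    """Open a TCP connection and complete a verified TLS handshake; no HTTP request is sent."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
                detail = f"{tls.version()} handshake ok; issuer CN={issuer.get('commonName', '?')}"
                return PreflightResult(host, True, "ok", detail)
    except OSError as exc:  # covers gaierror, ConnectionRefusedError, TimeoutError, ssl.SSLError
        detail = f"{type(exc).__name__}: {exc}"
        return PreflightResult(host, False, triage_log_line(detail), detail)
```

Run `preflight()` from the host that executes script.py; a `tls-cert-mismatch` verdict with an unexpected issuer CN points at an intercepting proxy rather than a plain block.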