Closed iglocska closed 1 week ago
Thank you for the update and change. Will have a look in the Gitter conversation shortly.
Cheers, there are some more questions over there in regards to misp2sentinel if you are having a lot of downtime (sorry, bad joke :))
Thank you for the update. The script now runs without any error, but I don't see any data forwarded to Sentinel. Is there any particular log file that captures errors while running the script.py file?
```
2024-07-02 19:18:27,196 - misp2sentinel - INFO - Sending security indicators to Microsoft Graph Security
2024-07-02 19:18:27,196 - misp2sentinel - INFO - 2206 indicators are parsed from MISP events. Only those that do not exist in Microsoft Graph Security will be sent.
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Script finished running
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total indicators sent: 417
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total response success: 417
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total response error: 0
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total indicators deleted: 0
2024-07-02 19:18:27,202 - misp2sentinel - INFO - End MISP2Sentinel
2024-07-02 19:31:10,199 - misp2sentinel - INFO - Start MISP2Sentinel
2024-07-02 19:31:10,199 - misp2sentinel - INFO - Fetching and parsing data from MISP ...
2024-07-02 19:31:10,200 - misp2sentinel - INFO - Using Microsoft Graph API
2024-07-02 19:31:11,033 - misp2sentinel - INFO - Sending security indicators to Microsoft Graph Security
2024-07-02 19:31:11,033 - misp2sentinel - INFO - 2206 indicators are parsed from MISP events. Only those that do not exist in Microsoft Graph Security will be sent.
2024-07-02 19:31:11,038 - misp2sentinel - INFO - Script finished running
```
Hello @rahulb123acc, can you use this Kusto query to check if there are new indicators in Sentinel?
```kusto
ThreatIntelligenceIndicator
| sort by TimeGenerated desc
```
Hi @cudeso, thanks for the response. I did run the query in the Azure Log Analytics workspace, but I don't see any data from MISP. Note: I have data from other threat intel sources feeding into the same table.
Hello, I'm now able to upload the data to Sentinel. The issue was related to SSL communication failing toward the endpoint below while uploading data to Sentinel:
```
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='sentinelus.azure-api.net', port=443): Max retries exceeded with url: /551840fc-9571-4acb-8de9-96f1c63909fd/threatintelligence:upload-indicators?api-version=2022-07-01 (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:997)')))
```
Regards, Rahul
Hi, I guess this is then related to a proxy blocking/intercepting the request?
Yes! The communication to the endpoint "sentinelus.azure-api.net" on port 443 was blocked at the firewall level.
@rahulb123acc good; I'll also add a list of domains that need whitelisting to the documentation; started tracking them in https://github.com/cudeso/misp2sentinel/issues/99
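A connectivity preflight for the upload endpoint, added here as an example that is not part of misp2sentinel or of this thread. It assumes the host sentinelus.azure-api.net taken from the SSLEOFError above and classifies the ways the handshake can fail (a firewall cutting the session, a TLS-intercepting proxy, blocked egress), so that a run reporting "Total response error: 0" while nothing lands in Sentinel can be traced to the network path first.

```python
import socket
import ssl

# Host taken from the error in this thread. The complete list of domains that
# need whitelisting is tracked separately (issue #99), so only this one is checked.
UPLOAD_HOSTS = ["sentinelus.azure-api.net"]


def classify_failure(exc: BaseException) -> str:
    """Map a connection or handshake exception to the likely network-side cause."""
    # Order matters: the ssl.* classes and socket.gaierror are all OSError subclasses.
    if isinstance(exc, ssl.SSLEOFError):
        return "tls-eof: session cut during the handshake, typical of a firewall or proxy blocking the host"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted-cert: likely a TLS-intercepting proxy whose CA is not in the trust store"
    if isinstance(exc, ssl.SSLError):
        return f"tls-error: {exc}"
    if isinstance(exc, socket.gaierror):
        return "dns: hostname did not resolve, check DNS or egress filtering"
    if isinstance(exc, OSError):
        return "no-tcp: connection refused or timed out, check firewall/egress rules"
    return f"unknown: {exc!r}"


def tls_preflight(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Perform a real TLS handshake to host:port and report the certificate issuer.

    A handshake that succeeds but shows an issuer organisation you do not expect
    is the signature of an intercepting proxy; a failure is classified above.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except Exception as exc:
        return {"host": host, "ok": False, "issuer": None, "diagnosis": classify_failure(exc)}
    # getpeercert() gives the issuer as a tuple of RDNs, each a tuple of (name, value) pairs.
    issuer = {name: value for rdn in cert.get("issuer", ()) for name, value in rdn}
    return {"host": host, "ok": True, "issuer": issuer.get("organizationName"),
            "diagnosis": "handshake ok; confirm the issuer is the public CA you expect"}


def preflight_all(hosts=UPLOAD_HOSTS) -> list:
    """Run the preflight against every upload host and return one result per host."""
    return [tls_preflight(h) for h in hosts]


if __name__ == "__main__":
    for result in preflight_all():
        print(result)
```

Run it from the same machine and network path as misp2sentinel, since the proxy or firewall rule that blocks the upload may only apply there.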
ExpandedPyMISP has superseded PyMISP and has been renamed
The alias ExpandedPyMISP throws deprecation errors at this point
Blind change, still need to see if it completely fixes the issue; as @ufosmuggler pointed out in the chat, `from pymisp import *` might still lead to deprecation warnings in script.py.
See more about the discussion on MISP/Support on gitter