Threat Intelligence with Azure Sentinel

    If you already have Azure Sentinel configured to receive logs and events from your endpoints and services, you’re already detecting potentially malicious events. Sentinel has dozens of out-of-the-box Analytics Rules. But if you’re ready to amplify your Sentinel threat detection, you should look at enabling a threat intelligence feed.

    A Cyber Threat Intelligence feed provides multiple indicators of compromise (IoCs) to Sentinel in periodic updates. This allows Sentinel to begin detecting new IoCs as soon as they become available. The IoCs typically include known malicious IP addresses, URLs, and file hashes. These IoCs can be correlated against Sentinel’s event data, which can dramatically improve your existing detections’ efficacy rate. Threat intel feeds are provided by a Threat Intelligence Platform (TIP), which combines multiple feeds into one unified feed. Sentinel supports several different TIPs, including MISP, ThreatConnect, and Palo Alto MineMeld.

    In this article, I’m going to focus on integrating MISP with Azure Sentinel. MISP is an open-source threat intelligence platform, so it is easy to get started with and gives you access to dozens of feeds. But other TIPs can be integrated similarly. Several articles from Microsoft and MISP detail the integration, but I found that all of them missed a key detail. I’ve included some reference links at the end. The primary work is to set up the MISP TIP on an Azure VM and configure the feeds.

    Create an Azure AD App Registration

    The first step is configuring an Azure AD App Registration that MISP will use to push IoCs into the Azure Security Graph.

    In Azure Active Directory, navigate to App Registrations, and click New Registration. Name the Application: “MISP – Threat Intel Platform” and click Register.

    Configure Permissions

    Click on the newly created Registration and then click API Permissions from the navigation bar. Click Add a permission. Click Microsoft Graph, then click Application permissions. In the search box, search for “ThreatIndicators.” Check the box next to ThreatIndicators.ReadWrite.OwnedBy. After you Save, click Grant admin consent. When you are done, the permission should show green checkmarks.

    Create Secret

    An API secret is needed to allow the export script to authenticate to Azure Graph. In the MISP – Threat Intel Platform App Registration, click on Certificates & Secrets. Under Client Secrets, click New client secret. Provide a description for the secret and set an expiration on the secret; click Add. Copy the value now. It will not be available in the future. You’ll need this in a later step.

    Create an Azure VM Instance

    We need to configure a Virtual Machine to host the MISP instance. You could also host this in a data center or on an existing Linux VM if you have one. We’ll create a small Ubuntu Virtual Machine in Azure. I used a Standard B2s (2 vcpus, 4 GiB memory). Once the VM is created, remember to restrict SSH access to your IP address.

    SSH into the VM and download the install script from GitHub.

    wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh

    Run the install script to install the MISP instance.

    bash /tmp/INSTALL.sh -c -M

    Configure MISP

    Once the install setup is complete, you can begin configuring MISP via its web interface. You should be able to access the web interface using the VM’s IP address or DNS name, and log in with the username and password that were created during the setup.

    Change the admin password from the default. Under Administration, edit the Organization and set the Organization name.

    Add Activity Feeds

    Feeds are structured lists containing indicators that MISP can automatically import based on a regular schedule. Feeds are structured in either the default MISP format, CSV format, or a free-text format. Feeds can be imported into your MISP instance using a URL.

    Recommended Feeds:

    You can find a list of all published feeds at https://www.misp-project.org/feeds/.

    From the Sync Actions menu, select List Feeds. Click Add Feed from the side menu. Populate all the feed details in the form and click Add Feed.

    Once the Feeds are added, make sure you click Fetch and store all feed data.
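
    As an added illustration (not code from this article or from MISP), the Python below parses a free-text or single-column CSV feed of the kind described above into typed indicators, refanging defanged entries and dropping internal addresses that would only cause false-positive alerts. The function names, the list of internal ranges and the sample feed are constructed for this example.

```python
import ipaddress
import re

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}   # hex length -> MISP type
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Internal ranges: indicators in these only produce false-positive alerts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def classify(token):
    """Return (misp_type, value), or None if the token is not usable."""
    # Undo common defanging (hxxp, [.]) so values match real telemetry.
    value = token.strip(",;\"'").replace("[.]", ".")
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)], value.lower()
    if re.match(r"https?://", value, re.IGNORECASE):
        return "url", value
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        internal = any(ip in net for net in INTERNAL_NETS)
        return None if internal else ("ip-dst", str(ip))
    if DOMAIN_RE.match(value.lower()):
        return "domain", value.lower()
    return None

def parse_feed(text):
    """Parse a free-text or single-column CSV feed into unique indicators."""
    seen, indicators = set(), []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):        # comment line
            continue
        for token in re.split(r"[\s,]+", line.strip()):
            hit = classify(token) if token else None
            if hit and hit not in seen:
                seen.add(hit)
                indicators.append(hit)
    return indicators

# Constructed sample feed: documentation IP range and example domains only.
SAMPLE_FEED = """# constructed sample feed
203.0.113.7
10.0.0.5
hxxp://bad.example[.]com/payload.bin
evil.example.org, 203.0.113.7
0123456789abcdef0123456789abcdef
"""
```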


    You need to get the MISP API key to use in the Export Script. In the MISP web interface, navigate to Event Actions > Automation, and get the API key to connect to the MISP API. You will need this in the next step.

    Setup Export to Azure Graph

    The next step is to configure a script to push the indicators from MISP into the Azure Security Graph. Run the following commands to download and configure the script.

    sudo apt-get install python3-venv
    python3 -m venv mispToSentinel
    cd mispToSentinel
    source bin/activate
    git clone https://github.com/microsoftgraph/security-api-solutions
    cd security-api-solutions/Samples/MISP/
    pip install -r requirements.txt

    Configure the Script

    Run nano config.py to edit the Python file.

    Populate the Azure details and MISP Key that you gathered in the earlier steps.

    Tenant: Azure Tenant (Directory) Id

    Client Id: Client Id from your App Registration

    Client Secret: Client Secret you created in the App Registration

    Action: alert

    MISP_Key: API Key from MISP

    MISP_Domain: The private IP of your MISP instance. You can use a public DNS name or IP if necessary.

    Execute Script

    Run python script.py to execute the export script. It will probably take several minutes to run.
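
    To show what the export step sends, this added example (not the code in security-api-solutions) maps MISP attributes to Microsoft Graph tiIndicator request bodies, using the Action value set in config.py and skipping attributes that MISP has not flagged for detection. The helper name, the 30-day expiry, the WatchList threat type and the sample attributes are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# MISP attribute type -> tiIndicator observable property.
FIELD_MAP = {"ip-dst": "networkDestinationIPv4", "ip-src": "networkSourceIPv4",
             "domain": "domainName", "hostname": "domainName", "url": "url"}
HASH_TYPES = {"md5", "sha1", "sha256"}      # fileHashType values used here
TLP_LEVELS = {"white", "green", "amber", "red"}


def to_ti_indicator(attr, event_info, tags=(), action="alert",
                    days_to_expire=30, now=None):
    """Build one tiIndicator request body from a MISP attribute, or None."""
    if not attr.get("to_ids"):               # not flagged for detection in MISP
        return None
    kind, value = attr["type"], attr["value"]
    if kind in FIELD_MAP:
        field = FIELD_MAP[kind]
        if kind.startswith("ip-") and ":" in value:
            field = field.replace("IPv4", "IPv6")
        observable = {field: value}
    elif kind in HASH_TYPES:
        observable = {"fileHashType": kind, "fileHashValue": value}
    else:
        return None                          # type has no mapping in this example
    tlp = "unknown"
    for tag in tags:                         # MISP TLP tags look like "tlp:amber"
        level = tag.lower().partition("tlp:")[2]
        if level in TLP_LEVELS:
            tlp = level
    expires = (now or datetime.now(timezone.utc)) + timedelta(days=days_to_expire)
    return {
        "action": action,                    # "alert", as set in config.py
        "targetProduct": "Azure Sentinel",
        "threatType": "WatchList",
        "tlpLevel": tlp,
        "description": event_info[:100],     # Graph documents a 100-char limit
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        **observable,
    }


# Constructed MISP attributes (documentation IP range, example domain).
SAMPLE_ATTRS = [
    {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True},
    {"type": "sha256", "value": "ab" * 32, "to_ids": True},
    {"type": "domain", "value": "evil.example.org", "to_ids": False},
    {"type": "email-subject", "value": "Invoice", "to_ids": True},
]
```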

    Schedule Script

    Run crontab -e to edit your Crontab Entries.

    Add the following entry to execute the export script every day at 2 AM.

    0 2 * * * /opt/MISP/jobs/Sample/python script.py

    Configure Azure Sentinel

    After running the export script initially, it is recommended to wait about an hour for the data to show up in the Security Graph. Afterward, open Data Connectors in Azure Sentinel. Locate the Threat Intelligence Platforms connector, and click the Open Connector page.

    Scroll down and click Connect. Click on the Analytics Templates and create Analytics Rules for the relevant templates for your organization.

    To confirm the Indicators are available to Sentinel, check that they are present. In the Sentinel menu, select Threat Intelligence, and you should see thousands of Indicators.

    More Information

    There are a number of additional articles that can help you configure MISP with Sentinel.

    1 Comment

    worrachart chooprasit
    2 years ago

    If my MISP is located at my data center, do I need to open firewall communication for incoming traffic from outside to my MISP if I need to integrate with Sentinel?
