Getting More Out of MISP and Microsoft Sentinel

July 10, 2024

Wouldn’t it be nice to have an all-seeing, omnipresent creature overseeing all the shenanigans in your organisation? Perhaps a Sentinel of some kind?

Sadly, there is only one Roz, and she’s already got a job.

If you are reading this, I’m going to assume that you fall into one or more of the following categories:

  1. You’re using MISP as a source of Threat Intelligence and want to monitor and hunt for indicators of compromise (IoCs) you’re collecting.
  2. You use Microsoft Sentinel and want to get more Indicators into the platform.
  3. You like Monsters Inc. as much as I do.

If you are in category 3, apologies, that's the last reference to Roz or Monsters Inc. you are going to find in this article. (Or is it?)

A day in the life of a security operations analyst

Typically, SecOps analysts will have many daily routines, one of which will be to check their favourite Threat Intelligence Platforms, read the latest threats and note down any that are worthy of attention. Next, they’ll manually add those threats to a central log analysis and alerting platform (e.g. Microsoft Sentinel) as something to look for.

Depending on how many feeds analysts are watching and how active the bad actors are, this manual entry can be a very time consuming process.

What if we could get MISP and Microsoft Sentinel to talk directly without wasting analyst time?

So we did a thing. Introducing Cosive SIEM Sync.

We have our hosted MISP service, CloudMISP, and our customers have Microsoft Sentinel. We wanted to make life easier for security operations analysts. We all agree that copy-paste operations are bad, and that frequent tasks that can be automated, should be automated. 

Cosive SIEM Sync is an integration piece that was designed to automatically promote CloudMISP Event Attributes to Microsoft Sentinel Threat Intelligence Objects.

We at Cosive understand all too well that there is a cognitive load that comes with having too many browser tabs open, so with that in mind we followed the same standard as we do with other integrations. 

SIEM Sync is integrated directly into your CloudMISP instance and controlled via Tags, meaning analysts can hand-pick and export data to Sentinel without ever leaving MISP (or their current browser tab).

In MISP we now have this:

… and in Sentinel we now have this:

Wait, why am I blocking doihaveinternet.com? Or the importance of IoC aging

So, here is the conundrum: our security analysts have read the morning news and determined that there is a threat we need to follow. That threat contains a Domain Name and a couple of IP addresses associated with it.

Our analyst drops the indicators into Sentinel and its analytics rules start alerting on c2.monstersinc.local (hey look, another Monsters Inc. reference!) and the IP addresses this domain resolves to.

Mischief managed. We’ll now know if we see this domain in our environment’s logs.

A couple of weeks later, the support portal lights up. Multiple tickets roll through Level One Support stating that the staff’s favourite tool, doihaveinternet.com, has stopped working.

Here’s the essential service that this site provides:

doihaveinternet.com

You have probably guessed it. The IP addresses logged by the analyst have been recycled and are now serving legitimate services. The original malicious domain is now hosted elsewhere.

This highlights a fairly common issue with blocking IP addresses: IP assignments are fluid, so an IP address is an indicator with a limited useful lifespan.

Not every attribute in a MISP event is worth watching in Microsoft Sentinel forever. While a domain name might be something that sticks around, the IP address that domain resolves to might be ephemeral or might only be relevant for a short time before the bad actor shifts the domain to a different IP or loses access to a compromised host. 

In comparison, a command and control (C2) domain operated by a threat actor could be used for malicious purposes indefinitely. In this case, we would want to alert on this domain forever. Giving analysts the flexibility to set appropriate expiration dates was a key design idea when building this MISP Sentinel integration.

In line with this, we wanted to provide the analyst with more options than just “Monitor a thing” or “Everything gets monitored for X days”. We made use of Sentinel’s “Valid From and Valid To Date” feature to provide more granular control over how long to monitor a given indicator.

So many tags, so little time

You might be looking at some of the above diagrams and wondering why there are so many options for tagging an attribute in MISP. It all comes down to Threat Intelligence Object Aging.

Having multiple tagging options provides the analyst with greater choice when it comes to instructing Microsoft Sentinel on what is important, and for how long. 

As with our integration with AssemblyLine, MISP tags give us a familiar means of control and feedback that MISP users are likely already familiar with.

These tags can either be applied in bulk by an automated script or MISP Workflow, or manually applied by an analyst. Analysts can choose which method is most appropriate based on the quality and content of any particular feed.
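To make the tag-driven export and the aging rules above concrete, here is an added example (it is not Cosive's SIEM Sync code, and the page does not describe how that integration is built). It walks the attributes of a MISP event in MISP's JSON shape, exports only those carrying an export tag, and turns each into a STIX 2.1 indicator whose `valid_from` / `valid_until` fields are what Sentinel surfaces as "Valid From" / "Valid To". The tag names `siem-sync:export`, `siem-sync:expiry="14d"` and `siem-sync:expiry="never"`, the 30-day default, the type-to-pattern table and the sample event are all assumptions made for this example; an attribute whose window has already closed is reported as aged out rather than shipped.

```python
"""Added example, not Cosive's code: tagged MISP attributes -> STIX 2.1 indicators
with valid_from / valid_until aging. Tag names, default expiry and the
type->pattern table are assumptions for illustration only."""
import json
import re
from datetime import datetime, timedelta, timezone
from uuid import uuid4

EXPORT_TAG = "siem-sync:export"                              # assumed: marks an attribute for sync
EXPIRY_RE = re.compile(r'^siem-sync:expiry="(\d+)([hdw])"$')  # assumed: e.g. siem-sync:expiry="14d"
NEVER_TAG = 'siem-sync:expiry="never"'                       # assumed: monitor indefinitely
DEFAULT_EXPIRY = timedelta(days=30)                          # assumed default when no expiry tag is set
UNIT = {"h": "hours", "d": "days", "w": "weeks"}

# MISP attribute type -> STIX 2.1 pattern template (illustrative subset)
PATTERNS = {
    "domain": "[domain-name:value = '{v}']",
    "hostname": "[domain-name:value = '{v}']",
    "ip-dst": "[ipv4-addr:value = '{v}']",
    "ip-src": "[ipv4-addr:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def stix_time(dt):
    """STIX timestamps are UTC, ISO 8601, with a trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def expiry_from_tags(tag_names):
    """Return the monitoring window as a timedelta, or None for 'never expire'."""
    if NEVER_TAG in tag_names:
        return None
    for name in tag_names:
        m = EXPIRY_RE.match(name)
        if m:
            return timedelta(**{UNIT[m.group(2)]: int(m.group(1))})
    return DEFAULT_EXPIRY


def to_indicator(attr, now):
    """Map one MISP attribute to (indicator, None) or (None, reason it was skipped)."""
    tags = [t["name"] for t in attr.get("Tag", [])]
    if EXPORT_TAG not in tags:
        return None, "not tagged for export"
    template = PATTERNS.get(attr["type"])
    if template is None:
        return None, f"unsupported type {attr['type']}"
    # MISP stores the attribute timestamp as epoch seconds in a string
    valid_from = datetime.fromtimestamp(int(attr["timestamp"]), tz=timezone.utc)
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid4()}",
        "created": stix_time(now),
        "modified": stix_time(now),
        "name": f"MISP {attr['type']} {attr['value']}",
        "pattern": template.format(v=attr["value"].replace("'", "\\'")),
        "pattern_type": "stix",
        "valid_from": stix_time(valid_from),
    }
    expiry = expiry_from_tags(tags)
    if expiry is not None:
        valid_until = valid_from + expiry
        if valid_until <= now:           # window already closed: do not ship a stale IoC
            return None, "already aged out"
        indicator["valid_until"] = stix_time(valid_until)
    return indicator, None


def sync_event(event, now):
    """Return (indicators to upload, [(value, reason)] for attributes left behind)."""
    indicators, skipped = [], []
    for attr in event["Attribute"]:
        ind, reason = to_indicator(attr, now)
        (indicators.append(ind) if ind else skipped.append((attr["value"], reason)))
    return indicators, skipped


NOW = datetime(2024, 7, 10, 9, 0, tzinfo=timezone.utc)


def _ts(days_ago):
    """Epoch-seconds string for an attribute seen `days_ago` days before NOW."""
    return str(int((NOW - timedelta(days=days_ago)).timestamp()))


SAMPLE_EVENT = {  # constructed sample event, not real MISP data
    "Attribute": [
        {"type": "domain", "value": "c2.monstersinc.local", "timestamp": _ts(1),
         "Tag": [{"name": EXPORT_TAG}, {"name": NEVER_TAG}]},
        {"type": "ip-dst", "value": "203.0.113.10", "timestamp": _ts(1),
         "Tag": [{"name": EXPORT_TAG}, {"name": 'siem-sync:expiry="14d"'}]},
        {"type": "ip-dst", "value": "203.0.113.11", "timestamp": _ts(60),
         "Tag": [{"name": EXPORT_TAG}, {"name": 'siem-sync:expiry="14d"'}]},
        {"type": "sha256", "value": "a" * 64, "timestamp": _ts(1),
         "Tag": [{"name": EXPORT_TAG}]},
        {"type": "url", "value": "http://example.invalid/x", "timestamp": _ts(1),
         "Tag": []},
    ]
}

if __name__ == "__main__":
    inds, left = sync_event(SAMPLE_EVENT, NOW)
    print(json.dumps(inds, indent=2))
    print("skipped:", left)
```

Run as-is and the C2 domain comes out with no `valid_until` (monitored forever), the fresh IP gets a two-week window, the hash falls back to the 30-day default, the IP first seen 60 days ago is reported as already aged out, and the untagged URL never leaves MISP. Basing `valid_until` on the attribute's own timestamp rather than on the sync time is a deliberate choice here: it stops an old feed entry from being given a fresh lease simply because it was tagged late.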

Next steps

If you’re interested in levelling up your MISP skills we have two MISP Kickstart training workshops coming up soon with available session times to suit both EU/North American business hours and APAC business hours.

If you use Microsoft Sentinel we’d be happy to discuss and demonstrate how it integrates with our MISP SaaS, CloudMISP. We'll show you the specific ways in which Sentinel and MISP are each more powerful and useful when synced together. Reach out to us to learn more.