
Conversation


@petebryan petebryan commented Oct 1, 2022

New Sentinel Threat Intelligence Integration Features

We have expanded the Microsoft Sentinel API integrations to provide a method to integrate with the Threat Intelligence feature.
This provides users with the ability to:

  • Get a list of all indicators in a Workspace
  • Get details of a specific indicator
  • Query for indicators by key values
  • Create indicators, individually and in bulk
  • Update indicators
  • Delete indicators

These features integrate with the existing Microsoft Sentinel model.

Getting Indicators

Getting all indicators is as simple as:

import msticpy as mp

# Workspace details come from msticpyconfig.yaml (or can be passed to the constructor)
sent = mp.MicrosoftSentinel()
sent.connect()

# Returns every threat-intelligence indicator in the connected workspace
sent.get_all_indicators()


Updating Indicators

Indicators can be updated using update_indicator and passing in the incident ID to update:

sent.update_indicator(indicator_id="89805941-6adf-424a-b0f6-32bb5e93bf35", confidence=90)

Full details of these features can be found in the MSTICPy documentation.

@petebryan petebryan added the enhancement New feature or request label Oct 1, 2022
@petebryan petebryan added this to the Release 2.2.0 milestone Oct 1, 2022
@petebryan petebryan linked an issue Oct 1, 2022 that may be closed by this pull request
@petebryan petebryan requested a review from ianhelle October 1, 2022 03:15
@petebryan petebryan marked this pull request as ready for review October 1, 2022 15:23
ianhelle and others added 5 commits October 12, 2022 15:34
Add email ioc support for iocextract.py
Add processor for re-fanging potentially de-fanged IoCs for TI lookup in preprocess_observable.py
Added unit test for defanged IoCs in test_ioc_extractor.py and test_tiproviders.py
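The PR description lists create-in-bulk as one of the new operations, and the commits above add re-fanging of de-fanged IoCs before TI lookup. The block below is an added example, not MSTICPy's own code, that joins those two steps: it normalises de-fanged observables (hxxp, [.], [at], [dot]) the way a practitioner would before pushing report-derived indicators into a workspace, classifies each one with MSTICPy's IoC type names, and stages de-duplicated rows for a bulk create. The sample observables are constructed for the example. The `bulk_create_indicators` call at the bottom, its column-name arguments, and the parameterless `MicrosoftSentinel()` constructor are assumptions about the API described in the PR and run only when msticpy is installed and a workspace is configured; everything else runs offline.

```python
"""Re-fang de-fanged IoCs and stage them for bulk creation in Sentinel TI.

Added example, not MSTICPy's own code. SAMPLE_OBSERVABLES is constructed.
The msticpy calls in __main__ are an assumption about the API described
in the PR and are only reached when msticpy is importable.
"""
import ipaddress
import re

# Defang conventions seen in threat reports, applied in order. "[:]//" becomes
# "://" after the "[:]" rule fires, so no separate rule is needed for it.
_REFANG_RULES = [
    (re.compile(r"^hxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.I), "."),
    (re.compile(r"\[@\]|\(@\)|\[at\]|\(at\)", re.I), "@"),
    (re.compile(r"\[://\]", re.I), "://"),
    (re.compile(r"\[:\]", re.I), ":"),
]

_URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.I)
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$"
)
_HASH_TYPES = {32: "md5_hash", 40: "sha1_hash", 64: "sha256_hash"}

# Constructed sample input mixing de-fanged, plain, duplicate and junk values.
SAMPLE_OBSERVABLES = [
    "hxxps://evil[.]example[.]com/drop[.]exe",
    "198[.]51[.]100[.]7",
    "198.51.100.7",  # same IP as the line above once re-fanged
    "admin[at]evil[dot]example[dot]com",
    "d41d8cd98f00b204e9800998ecf8427e",
    "not an indicator at all",
]


def refang(observable: str) -> str:
    """Undo common defanging so the value matches what Sentinel will see."""
    value = observable.strip()
    for pattern, replacement in _REFANG_RULES:
        value = pattern.sub(replacement, value)
    return value


def classify(observable: str):
    """Map a re-fanged observable to an MSTICPy IoC type name, or None."""
    try:
        return "ipv4" if ipaddress.ip_address(observable).version == 4 else "ipv6"
    except ValueError:
        pass
    if _URL_RE.match(observable):
        return "url"
    if _EMAIL_RE.match(observable):
        return "email"
    if re.fullmatch(r"[0-9a-fA-F]+", observable) and len(observable) in _HASH_TYPES:
        return _HASH_TYPES[len(observable)]
    if _DOMAIN_RE.match(observable):
        return "dns"
    return None


def stage_indicators(raw_observables):
    """Re-fang, classify and de-duplicate; drop anything unclassifiable.

    Column names "Observable" and "IoCType" are an assumption about the
    DataFrame layout a bulk create would consume.
    """
    rows, seen = [], set()
    for raw in raw_observables:
        value = refang(raw)
        ioc_type = classify(value)
        if ioc_type is None or value in seen:
            continue
        seen.add(value)
        rows.append({"Observable": value, "IoCType": ioc_type})
    return rows


if __name__ == "__main__":
    staged = stage_indicators(SAMPLE_OBSERVABLES)
    for row in staged:
        print(row)
    try:
        import pandas as pd
        import msticpy as mp
    except ImportError:
        raise SystemExit("msticpy not installed: staged rows printed only")
    # Assumed API shape; needs a configured workspace in msticpyconfig.yaml.
    sent = mp.MicrosoftSentinel()
    sent.connect()
    sent.bulk_create_indicators(
        pd.DataFrame(staged),
        indicator_column="Observable",
        indicator_type_column="IoCType",
    )
```

The re-fang step is deliberately applied before de-duplication: "198[.]51[.]100[.]7" and "198.51.100.7" are the same indicator, and creating both would leave two entries in the workspace for one observable. Unclassifiable strings are dropped rather than uploaded with a guessed type, since an indicator with the wrong pattern type never matches in analytics rules.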
ianhelle previously approved these changes Oct 28, 2022

@ianhelle ianhelle left a comment

Nice work!
A few comments.
Maybe we merge this and then the defang PR, since that has a few extra bits.

@petebryan

Merges in changes from #536

ianhelle previously approved these changes Nov 4, 2022
…nelTI

# Conflicts:
#	msticpy/context/preprocess_observable.py
#	msticpy/context/provider_base.py
@ianhelle ianhelle merged commit 2a68320 into main Nov 13, 2022
@ianhelle ianhelle deleted the pebryan/22_9_27_SentinelTI branch November 13, 2022 04:31


Development

Successfully merging this pull request may close these issues.

Sentinel Threat Intelligence Create/update TI

3 participants