MISP to multiple Sentinel #2
This is actually a good suggestion for an enhancement @Sp-TT . I'll look into it for a future release. As a short workaround now you can install the script in different directories / venvs and then run it from there with a different config. |
Just did a quick PoC for this; I think if you redo the main function in
and
It would allow for looping through the different workspaces? Also would need to add more SPNs for all the different workspaces, or an enterprise app that's added to all workspaces as a Microsoft Sentinel Contributor. This was just a basic test, so would need to do a proper PoC with push later. But the idea is there 👯 |
Good approach! |
Does this mean that currently, when there are >1 entries in tenants, this will cause the .py to pull each time it will send (e.g. (api request to misp > generate rest request > send to workspace 1 -> then api request to misp > gen rest request > send to workspace 2) or (api request to misp > generate rest request > send to workspace 1 -> send to workspace 2))? If that's the case, this would be a low-hanging fruit to fix and improve perf. |
The Azure function currently supports the multiple Sentinel mode, but as you said @Kaloszer I think we can improve performance by only getting the indicators once, then sending it instead of loop-downloading indicators. |
So something really 'dumb' like this should work I guess #69 (nice) Just put a global var, check if it already exists and use it if it does, else just parse it. Don't have a way to test this year. But I don't see why this wouldn't do the trick. |
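The "pull once, push to every workspace" pattern discussed above, as an added example that is not the project's own code. The tenant keys, the MISP fetch and the Sentinel upload call are all stand-ins (constructed data, hypothetical names); only the caching and the per-workspace loop are the point.

```python
# Added example (not the project's code): memoise the MISP pull so that
# several Sentinel workspaces are served by a single download.
from functools import lru_cache
from typing import Dict, Iterator, List

# Constructed tenant config: one entry per target workspace (hypothetical keys).
TENANTS: List[Dict[str, str]] = [
    {"workspace_id": "ws-1", "tenant_id": "t-1", "client_id": "spn-1"},
    {"workspace_id": "ws-2", "tenant_id": "t-2", "client_id": "spn-2"},
]

MISP_CALLS = 0  # how often the (stand-in) MISP API was actually hit


def fetch_from_misp() -> List[dict]:
    """Stand-in for the MISP REST pull; returns constructed indicators."""
    global MISP_CALLS
    MISP_CALLS += 1
    return [{"type": "ipv4-addr", "value": f"192.0.2.{i}"} for i in range(1, 251)]


@lru_cache(maxsize=1)
def get_indicators() -> tuple:
    """Memoised pull: the first call hits MISP, later calls reuse the result.
    A tuple is returned so the cached value is immutable."""
    return tuple(fetch_from_misp())


def chunked(items: List[dict], size: int) -> Iterator[List[dict]]:
    """Split the indicator list into upload-sized batches (assumed size)."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def upload_to_sentinel(tenant: Dict[str, str], batch: List[dict]) -> dict:
    """Stand-in for the per-workspace upload; records what would be sent."""
    return {"workspace_id": tenant["workspace_id"], "count": len(batch)}


def push_all(tenants: List[Dict[str, str]] = TENANTS, batch_size: int = 100) -> dict:
    """Pull once, then push the same indicators to every configured workspace."""
    indicators = list(get_indicators())
    requests = [
        upload_to_sentinel(tenant, batch)
        for tenant in tenants
        for batch in chunked(indicators, batch_size)
    ]
    return {"requests": requests, "misp_calls": MISP_CALLS}
```

With two workspaces and 250 constructed indicators in batches of 100, the run issues six uploads but hits MISP exactly once, and a second run still reports a single MISP call.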
Simple, but I like it ;-) . |
Looking into fixing the code that was submitted, and I was wondering: why is there such a big drift between init.py / script.py? Shouldn't they be pretty much the same in the grand scheme of things? Two files that execute pretty much the same logic need to be maintained. |
This is my fault, I stripped all the unnecessary functions related to graph support. |
Also logging in Azure Functions works differently if you want it to print compared to local so that's also a diff. |
I think this can be closed @cudeso ? |
If I'm not mistaken this is only in the Azure function, not in the locally hosted Python version. |
Hi, Is there any update on this? The workaround of installing the repo in different directories is quite wasteful of resources. |
Hi @Parasdeepkohli , I have been completely overwhelmed with $dayjob tasks and have not been able to work on it. |
Hey @cudeso, ahhh, that's understandable! Thanks for all the work you've been putting in despite your day job workload :-) |
Hi, actually this is a requirement instead of an issue.
Have you considered adding a function that allows it to push to multiple Sentinels with one pull, instead of running multiple copies of the code with different config files?
Cheers