
Use PyMISP instead of ExpandedPyMISP #97

Merged
merged 1 commit into from
Jun 28, 2024

Conversation

iglocska
Contributor

  • ExpandedPyMISP has superseded PyMISP and has been renamed

  • The alias ExpandedPyMISP throws deprecation errors at this point

  • blind change, still needs to see if it completely fixes the issue, as @UFOSmuggler pointed out in the chat, from pymisp import * might still lead to deprecation warnings in script.py

  • See more about the discussion on MISP/Support on gitter

@cudeso cudeso merged commit f9fd03b into cudeso:main Jun 28, 2024
@cudeso
Owner

cudeso commented Jun 28, 2024

Thank you for the update and change. Will have a look in the Gitter conversation shortly.

@iglocska
Contributor Author

iglocska commented Jul 2, 2024

Cheers, there are some more questions over there in regards to misp2sentinel if you are having a lot of downtime (sorry, bad joke :))

@rahulb123acc

Thank you for the update. The script now runs without any error, but I don't see any data forwarded to Sentinel. Is there any particular log file that captures errors while running the script.py file?

@rahulb123acc

I was able to find the log file and it says the indicators were sent to Microsoft Graph Security as below, but I don't see any indicators in Sentinel:

2024-07-02 19:18:27,196 - misp2sentinel - INFO - Sending security indicators to Microsoft Graph Security
2024-07-02 19:18:27,196 - misp2sentinel - INFO - 2206 indicators are parsed from MISP events. Only those that do not exist in Microsoft Graph Security will be sent.
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Script finished running
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total indicators sent: 417
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total response success: 417
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total response error: 0
2024-07-02 19:18:27,201 - misp2sentinel - INFO - Total indicators deleted: 0
2024-07-02 19:18:27,202 - misp2sentinel - INFO - End MISP2Sentinel
2024-07-02 19:31:10,199 - misp2sentinel - INFO - Start MISP2Sentinel
2024-07-02 19:31:10,199 - misp2sentinel - INFO - Fetching and parsing data from MISP ...
2024-07-02 19:31:10,200 - misp2sentinel - INFO - Using Microsoft Graph API
2024-07-02 19:31:11,033 - misp2sentinel - INFO - Sending security indicators to Microsoft Graph Security
2024-07-02 19:31:11,033 - misp2sentinel - INFO - 2206 indicators are parsed from MISP events. Only those that do not exist in Microsoft Graph Security will be sent.
2024-07-02 19:31:11,038 - misp2sentinel - INFO - Script finished running

@cudeso
Owner

cudeso commented Jul 3, 2024

Hello @rahulb123acc, can you use this Kusto query to check if there are new indicators in Sentinel?

ThreatIntelligenceIndicator
| sort by TimeGenerated desc

@rahulb123acc

Hi @cudeso
Thanks for the response.
I did run the query in the Azure Log Analytics workspace, but I don't see any data from MISP.
Note: I have data from other threat intel sources feeding into the same table.

@rahulb123acc

Hello,
I'm now able to upload the data to Sentinel.
The issue was related to SSL communication failing towards the endpoint below while uploading data to Sentinel:

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='sentinelus.azure-api.net', port=443): Max retries exceeded with url: /551840fc-9571-4acb-8de9-96f1c63909fd/threatintelligence:upload-indicators?api-version=2022-07-01 (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:997)')))

Regards,
Rahul

@cudeso
Owner

cudeso commented Jul 3, 2024

Hi, I guess this is then related to a proxy blocking/intercepting the request?

@rahulb123acc

Yes! The communication to the endpoint "sentinelus.azure-api.net" on port 443 was blocked at the firewall level.
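A triage and preflight helper for the failure discussed in this thread, added here as an example and not part of misp2sentinel: it parses the urllib3 MaxRetryError text quoted above to recover the endpoint and the innermost TLS exception (an SSLEOFError is the signature of a firewall or intercepting proxy cutting the handshake), and probes a host with a TLS handshake so blocked egress is visible before script.py runs. The function names and the `<workspace-id>` placeholder in the sample text are assumptions; only the host name and error shape come from the thread.

```python
"""Egress preflight and error triage for the misp2sentinel failure above.
Added example, not part of misp2sentinel; <workspace-id> is a placeholder."""
import re
import socket
import ssl

# Constructed from the error quoted in the thread, workspace id replaced.
SAMPLE_ERROR = (
    "urllib3.exceptions.MaxRetryError: HTTPSConnectionPool("
    "host='sentinelus.azure-api.net', port=443): Max retries exceeded with "
    "url: /<workspace-id>/threatintelligence:upload-indicators"
    "?api-version=2022-07-01 (Caused by SSLError(SSLEOFError(8, "
    "'EOF occurred in violation of protocol (_ssl.c:997)')))"
)
_MAX_RETRY_RE = re.compile(
    r"HTTPSConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\)"
    r".*?url: (?P<url>\S+).*?Caused by (?P<cause>\w+)\((?P<inner>\w+)\("
)

def parse_max_retry_error(text: str) -> dict:
    """Extract host, port, URL and innermost exception; {} if no match."""
    m = _MAX_RETRY_RE.search(text)
    if not m:
        return {}
    info = m.groupdict()
    info["port"] = int(info["port"])
    # SSLEOFError: the peer dropped the TCP connection mid-handshake, which
    # points at a firewall or intercepting proxy rather than the Azure API.
    info["likely_blocked"] = info["inner"] == "SSLEOFError"
    return info

def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """TLS handshake to host:port, classified so egress can be checked first."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLEOFError:
        return "tls_eof"      # handshake cut off: blocked or intercepted
    except ssl.SSLError:
        return "tls_error"    # e.g. proxy certificate not trusted
    except socket.gaierror:
        return "dns_error"
    except ConnectionRefusedError:
        return "refused"
    except OSError:           # timeouts and other network errors
        return "unreachable"
```

Run `probe_tls("sentinelus.azure-api.net")` from the host that executes script.py; anything other than "ok" means the sync will fail regardless of what the MISP side logs.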

@cudeso
Owner

cudeso commented Jul 4, 2024

@rahulb123acc good; I'll also add a list of domains that need whitelisting to the documentation; started tracking them in #99
