@mathurin68 To point you in the right direction, I’d need to know more about your use-case.
Do you want to -
Create and update custom signatures, such as static IPs, URLS, Certificates and file hashes:
Best for a tenant-level block list or where you wish to block, allow or quarantine an entity you’ve discovered through investigation.
Create and update custom detection rules, which run every hour, day or week (runs against the data from the prior period):
Best for keeping track of entities or actions, but not good for ensuring a threat is blocked in real-time.
Query the advanced security API:
This option is best when you would create your own queries, schedules, and rules. Dev responsibility falls entirely on your plate here.
You’ll need to be able to:
Create and secure a custom Multi-tenant or single tenant app registered in Azure with permissions to read and interact with the Microsoft security API.
TenantIDs.
Securely create and access client authentication secrets or certificates (preferred) to engage with the API.
Securely create, update and access a list of your own rules and signatures. This can be a secondary database or (but not limited to)a routinely updated GitHub page like many block lists available today.
My recommendation is to not expose MISP directly to the services querying the security API. There should be isolation between the two.
This is most effective where initial discovery queries can interact with the custom signature list and make additional calls for triggering investigations and quarantining entities where (matches of detection rules) results are found.
Forgive any typos, on the go.
