Aug 26 2021 04:03 PM
Aug 26 2021 04:03 PM
Is it possible to add our own Custom Detections, either Sigma Rules or indicators from MISP via the api?
Also, is this the best place to ask questions and learn? Is there a slack channel, discord chat?
Aug 31 2021 10:46 AMSolution
May 14 2022 06:52 AM
May 14 2022 09:42 AM - edited May 14 2022 09:47 AM
@mathurin68 To point you in the right direction, I’d need to know more about your use-case.
Do you want to -
Create and update custom signatures, such as static IPs, URLS, Certificates and file hashes:
Best for a tenant-level block list or where you wish to block, allow or quarantine an entity you’ve discovered through investigation.
Create and update custom detection rules, which run every hour, day or week (runs against the data from the prior period):
Best for keeping track of entities or actions, but not good for ensuring a threat is blocked in real-time.
Query the advanced security API:
This option is best when you would create your own queries, schedules, and rules. Dev responsibility falls entirely on your plate here.
You’ll need to be able to:
Create and secure a custom Multi-tenant or single tenant app registered in Azure with permissions to read and interact with the Microsoft security API.
Securely create and access client authentication secrets or certificates (preferred) to engage with the API.
Securely create, update and access a list of your own rules and signatures. This can be a secondary database or (but not limited to)a routinely updated GitHub page like many block lists available today.
My recommendation is to not expose MISP directly to the services querying the security API. There should be isolation between the two.
This is most effective where initial discovery queries can interact with the custom signature list and make additional calls for triggering investigations and quarantining entities where (matches of detection rules) results are found.
Forgive any typos, on the go.
May 16 2022 06:26 PM
Hey Jonathan! I'm talking about KQL queries we've turned into Custom Detections. There doesn't seem to be a way to get to them in the api for Defender for Endpoint. Just being able to download them would be a huge help. I hope I'm wrong but there doesn't seem to be a way to do it. We are GCC by the way.
May 16 2022 09:03 PM
May 20 2022 05:54 AM
I'll check and see. Ugh, thats not good.
What about getting the Defender tables into Sentinel and setting the alerts there? Can't I work with the Custom Detections through the api there?
Thank you for all your answers with this!