Forum Discussion
Microsoft Defender ATP and Malware Information Sharing Platform integration
Haim Goldshtein - Thank you for the guide, just some clarifications from MISP's side: MISP supports a long list of hashing algorithms. I think you may have ended up on old API documentation; the /hids endpoints are deprecated. Instead we have transitioned to the restSearch APIs (/events/restSearch and /attributes/restSearch), which allow you to search and export any of the supported types (which for hashes includes sha256, various fuzzy hashing algorithms like ssdeep, import hashes, etc.).
An example of using the modern APIs:
https://<your_MISP_URL>/events/hids/sha1/download/false/false/false/4d
would be
POST to https://<your_MISP_URL>/attributes/restSearch
payload:
{
"returnFormat": "text",
"publish_timestamp": "4d",
"type": "sha1"
}
Type of course could be sha256 or ssdeep for example.
If you prefer URL parameters and GET requests it would look like this:
GET to https://<your_MISP_URL>/attributes/restSearch/returnFormat:text/type:sha1/publish_timestamp:4d
The best resource for the API is the built in documentation under event actions -> automation or alternatively the REST client with the query builder (Event actions -> REST client).
Hope this helps and thanks for the integration and associated guide!
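The restSearch call described in the reply above, written out as a small Python client. This is an added example, not code from the original post or from the MISP project. It builds the same POST body and the equivalent key:value GET path shown above, and it parses MISP's text export (one indicator per line) while rejecting anything that is not shaped like the requested hash type, so that a login page or proxy error returned instead of data cannot leak into an indicator feed. The instance URL, the API key, the sample export text and the Accept/Content-Type headers used for the live call are assumptions for this example.

```python
import json
import re
import urllib.request

# Assumed values for this example; replace with your own instance and key.
MISP_URL = "https://misp.example.org"
MISP_KEY = "YOUR_API_KEY"

# Shape checks for the hash types the reply mentions.  ssdeep is
# "blocksize:chunk:double_chunk" in a base64 alphabet, not fixed-length hex.
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "ssdeep": re.compile(r"^\d+:[A-Za-z0-9+/]+:[A-Za-z0-9+/]+$"),
}


def build_restsearch_payload(hash_type, publish_timestamp="4d", return_format="text"):
    """JSON body for POST /attributes/restSearch, as in the reply above."""
    if hash_type not in HASH_PATTERNS:
        raise ValueError(f"unsupported hash type: {hash_type}")
    return {
        "returnFormat": return_format,
        "publish_timestamp": publish_timestamp,
        "type": hash_type,
    }


def build_restsearch_get_url(base_url, hash_type, publish_timestamp="4d", return_format="text"):
    """Equivalent GET form using MISP's key:value path parameters."""
    build_restsearch_payload(hash_type, publish_timestamp, return_format)  # validates type
    return (
        f"{base_url.rstrip('/')}/attributes/restSearch/"
        f"returnFormat:{return_format}/type:{hash_type}/publish_timestamp:{publish_timestamp}"
    )


def parse_text_export(text, hash_type):
    """Turn a text export into a de-duplicated list of indicators.

    Lines that do not match the requested hash type are dropped: a text
    export should contain nothing else, so anything unexpected (HTML, an
    error message) is a sign the request did not return what we asked for.
    """
    pattern = HASH_PATTERNS[hash_type]
    seen, out = set(), []
    for line in text.splitlines():
        value = line.strip()
        if hash_type != "ssdeep":
            value = value.lower()   # hex digests: normalise case before de-duplicating
        if value and pattern.match(value) and value not in seen:
            seen.add(value)
            out.append(value)
    return out


def fetch_hashes(hash_type, publish_timestamp="4d", base_url=MISP_URL, api_key=MISP_KEY):
    """Live call (needs network and a real key): POST the payload, parse the reply."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/attributes/restSearch",
        data=json.dumps(build_restsearch_payload(hash_type, publish_timestamp)).encode(),
        headers={
            "Authorization": api_key,          # MISP expects the raw key here
            "Accept": "application/json",      # assumed: MISP's documented REST headers
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return parse_text_export(body, hash_type)


# Constructed sample export: two real sha1 digests (one duplicated in upper
# case), a sha256 digest, an ssdeep hash, a blank line and an HTML fragment.
SAMPLE_TEXT_EXPORT = """\
da39a3ee5e6b4b0d3255bfef95601890afd80709
DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C

<html><body>Please log in</body></html>
"""

if __name__ == "__main__":
    print(json.dumps(build_restsearch_payload("sha1"), indent=2))
    print(build_restsearch_get_url(MISP_URL, "sha256", "7d"))
    for t in ("sha1", "sha256", "ssdeep"):
        print(t, parse_text_export(SAMPLE_TEXT_EXPORT, t))
```

Swap `"sha1"` for `"sha256"` or `"ssdeep"` in `fetch_hashes` to pull the other types the reply mentions; the shape check in `parse_text_export` is what keeps a stray non-hash line out of whatever indicator list you push to Defender.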
- Oleg_Zakharchenko, May 15, 2024, Copper Contributor: Thanks for the scripts. Reworked and adapted it, added some functionality.
https://medium.com/@zolegz/integrating-misp-with-microsoft-defender-for-endpoint-and-for-threat-intelligence-automation-5a523e721779