Recently, Microsoft released an open source set of malicious file hash indicators identified as using COVID-19 themed malicious email attachments in attempted attacks against our customers. Office365 successfully blocked these attempts, but the indicators can be consumed and used by customers to further protect themselves. The feed of indicators is provided as data file on GitHub which can be consumed using MISP.
In this blog post I will show Azure Sentinel customers how to set up a MISP server that can receive any public feeds, including these COVID-19 indicators, and import the data into your Azure Sentinel environment. It is also possible to use this code to import MISP data into Microsoft Defender ATP as well. Haim Goldshtein has already written a blog post on doing this. Instructions here have been tested on Ubuntu 18.04 but should be applicable to many other distributions – even WSL.
The COVID-specific threat intelligence feed represents a start at sharing some of Microsoft’s COVID-related IOCs. We will continue to explore ways to improve the data over the duration of the crisis. While some threats and actors are still best defended more discreetly, we are committed to greater transparency and taking community feedback on what types of information is most useful to defenders in protecting against COVID-related threats. This is a time limited feed. We are maintaining this feed through the peak of the outbreak to help organizations focus on recovery.
The Docker MISP instance also requires ‘docker-compose’ so once you have followed the Docker install guide enter the following command.
sudo apt-get install docker-compose
Set up MISP Docker instance
The MISP project has published a Docker compose configuration, you can use this by first entering these commands.
git clone https://github.com/MISP/misp-docker
Next, you will need to edit the configuration file, making sure to set a strong password. If you do not set a strong enough password, you might not be able to sign into your MISP instance. This can be fixed later.
cp template.env .env
Now the Docker image needs to be built. Run these two commands to build the image and start the container.
sudo docker-compose build
sudo docker-compose up
At this point a MISP instance will be running on port 80. You should be able to sign in and begin adding new feeds. If you are hosting this server on the Internet, you will want to look at how to secure this installation further with TLS and restrictions on access to the web front end.
If you are unable to login to the front end, then perhaps the password was not strong enough. You can reset the password with the following commands.
The next step is to add the Microsoft feed to the MISP server. There is good documentation for this but in brief click ‘Sync Actions’ on the main menu then ‘List feeds’ and click ‘Add Feed’. The address of Microsoft’s COVID-19 feed can be found above. Enter this in the URL textbox. Next you will need to select ‘Simple CSV Parsed Feed’ from the list box. Most of the text boxes can be left blank but you must set the ‘Value field(s) in the CSV’ to 2. Set the other properties to reasonable values and click Add. Make sure you have ticked the ‘Enable’ checkbox.
There are several other 3rd party feeds you may also want to enable and have available in your Sentinel workspace. Each of these will need to be enabled separately.
The next step is to ensure that the feed is automatically updated. In the ‘Scheduled Tasks’ section of the Administration menu set the fetch_feeds task frequency to 1h. If you want to fetch on a quicker schedule this can be performed via a cron job.
You should see a new COVID-19 event appear from the Microsoft COVID-19 feed when the sync process starts.
Retrieve your MISP auth key
Within the MISP web interface click ‘Event Actions’ on the menu bar then select ‘Automation’. Your MISP auth key will be listed on the screen, note this down for entry into the script later.
Create an App Registration with the required permissions
In order to connect your MISP server to Sentinel you need to create an App Registration with the required permissions. This is a straightforward process but does require a user with 'Global Administrator', 'Security Administrator' or 'Security Reader' permission to grant access. In brief: