Missing indicators in Sentinel (Threat Intelligence Platforms)

Copper Contributor

I still use the old data connector Threat Intelligence Platforms and SecurityGraphAPI along with it to integrate MISP with Sentinel and unfortunately there's a situation when not all indicators appear in Sentinel.

(I am planning to move soon to Threat Intelligence Upload Indicators API (Preview), but for now TIP connector should be set and working).


Current set up:

  • My 1st MISP VM: only built-in open-source feeds + one custom feed; no filters set, all indicators are parsed and sent.
  • My 2nd MISP VM: built-in open-source feeds + one custom feed + events from another external MISP server; no filters set, only indicators from that external MISP server are parsed and sent -> and here lies the main problem: why the rest of IOCs do not appear in Sentinel? Has there anyone had an issue like that?

Both of these virtual machines have cron to send IOCs periodically.


My checks so far:

1. Ensured that there are no filters set in configuration file (config.py).

2. Ensured each event is set to Published.

3. Ensured that 'to_ids flag set to True.

4. There's nothing particular in error.log.


Documentation: https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/MISP


Any ideas and hints will be extremely helpful!



3 Replies
have you checked to see if there are double ups, Microsoft Security Graph API will automatically delete any double ups of the same IOC based information
Thank you for the reply and I'm aware it takes care of duplicates, but that's not it in this case. Datasets are completely different, I even checked a IOCs just to make sure. :v

IOCs that I want are being sent only when: I set the filter to pick them up and run script manually.

But thank you for the suggestion!
Other thoughts i have without knowing your environment

have you tried the new Threat Intelligence API as a possible workaround for this?
Are the MISP instance names different or the same etc,
Within the python script you can specify the name of the MISP instance, has this been tried?