Forum Discussion
Microsoft Defender ATP and Malware Information Sharing Platform integration
Haim Goldshtein
Thanks for the example code.
We tweaked it a little, as we found the indicator upload API is rate-limited, and with more than about 150 indicators returned from MISP the script would run into this and start to receive 429 error responses. In that case, ours will wait 15s and retry the indicator a few times before giving up.
There's also a new batch upload mechanism and we added a parameter (and code) to use that instead - with "-batchUpload 1". This can feed 500 at a time and is much faster.
We also added the "Get-Token.ps1" code to the main script to remove the dependency (oh, and changed to the MISP REST GET format URL per the previous Reply.)
I've attached the result with any company specifics stripped out in case it's useful. Note that some parameters are renamed: atpAction, atpTitle, atpSeverity, atpDescription, and atpRecommendedActions.
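The throttling and batching behaviour described in the post above, sketched as an added example; this is not the attached script or the original example code. The function names, the retry count of 4, and a sender that returns the HTTP status code are assumptions, and the indicators and sender are constructed so the block runs offline.

```powershell
# Added example; function and variable names are hypothetical, not from the attached script.

function Split-IntoBatches {
    param([object[]]$Items, [int]$Size = 500)
    for ($i = 0; $i -lt $Items.Count; $i += $Size) {
        $last = [Math]::Min($i + $Size, $Items.Count) - 1
        , @($Items[$i..$last])      # unary comma emits each batch as a single array
    }
}

function Send-WithRetry {
    param(
        [scriptblock]$Send,         # performs one upload and returns the HTTP status code
        [object[]]$Batch,
        [int]$MaxAttempts = 4,      # assumed value for "a few times"
        [int]$WaitSeconds = 15
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $status = & $Send $Batch
        if ($status -ne 429) { return $status }    # success, or an error that is not throttling
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $WaitSeconds }
    }
    return 429                                     # gave up; the caller records the batch
}

# Constructed input: 1,200 fake indicators and a fake sender that throttles every second call.
$indicators = 1..1200 | ForEach-Object { "sample-indicator-$_" }
$script:calls = 0
$fakeSend = {
    param($batch)
    $script:calls++
    if ($script:calls % 2 -eq 0) { 429 } else { 200 }
}

$failed = @()
foreach ($batch in Split-IntoBatches -Items $indicators -Size 500) {
    # Short wait only so the constructed run finishes quickly.
    $status = Send-WithRetry -Send $fakeSend -Batch $batch -WaitSeconds 1
    Write-Host ("batch of {0}: HTTP {1}" -f $batch.Count, $status)
    if ($status -ne 200) { $failed += , $batch }
}
Write-Host ("{0} upload calls, {1} batches not delivered" -f $script:calls, $failed.Count)
```

Keeping the list of undelivered batches matters operationally: an indicator that was dropped after the last retry is simply absent from Defender, so the run should report it rather than finish silently.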
- TechNashville (Brass Contributor), Aug 01, 2022: Is there a way to ignore the security certificate on the MISP server when executing this script while in the testing phase?