Missing indicators in Sentinel (Threat Intelligence Platforms)


I still use the old data connector Threat Intelligence Platforms and the SecurityGraphAPI along with it to integrate MISP with Sentinel, and unfortunately there's a situation where not all indicators appear in Sentinel.

(I am planning to move soon to Threat Intelligence Upload Indicators API (Preview), but for now TIP connector should be set and working).


Current set up:

  • My 1st MISP VM: only built-in open-source feeds + one custom feed; no filters set, all indicators are parsed and sent.
  • My 2nd MISP VM: built-in open-source feeds + one custom feed + events from another external MISP server; no filters set, only indicators from that external MISP server are parsed and sent -> and here lies the main problem: why don't the rest of the IOCs appear in Sentinel? Has anyone had an issue like that?

Both of these virtual machines have cron to send IOCs periodically.


My checks so far:

1. Ensured that there are no filters set in configuration file (config.py).

2. Ensured each event is set to Published.

3. Ensured that the to_ids flag is set to True.

4. There's nothing particular in error.log.


Documentation: https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/MISP


Any ideas and hints will be extremely helpful!


3 Replies
Have you checked to see if there are double ups? Microsoft Security Graph API will automatically delete any double ups of the same IOC-based information.

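
A small triage script, added here as an example and not part of the original post or of the Microsoft MISP sample script, that walks through the checks from the question (event published, to_ids set, no filter excluding the attribute) plus the duplicate point raised in this reply. It runs over MISP-style event JSON (the `published` flag on events and the `to_ids` flag on attributes are real MISP fields) and labels every attribute with the first reason it would plausibly be dropped before reaching the Graph API. The `filters` dictionary shape (`types` / `tags`) is an assumption made for the example, not the exact layout of the sample's config.py, and the events are constructed sample data.

```python
from collections import Counter

# Constructed sample data (not real feed content): event 1 is published and
# carries a duplicate ip-dst value; event 2 was never published.
SAMPLE_EVENTS = [
    {"Event": {"id": "1", "info": "feed A", "published": True,
               "Tag": [{"name": "tlp:white"}],
               "Attribute": [
                   {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
                   {"type": "domain", "value": "example.test", "to_ids": False},
                   {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
               ]}},
    {"Event": {"id": "2", "info": "feed B", "published": False,
               "Attribute": [
                   {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
                    "to_ids": True},
               ]}},
]


def event_tags(ev):
    """Collect tag names attached to a MISP event (empty set if untagged)."""
    return {t.get("name") for t in ev.get("Tag", [])}


def classify(events, filters=None):
    """Label each attribute 'sent' or with the first reason it would be dropped.

    filters is an assumed shape for this example: {"types": [...], "tags": [...]}.
    An empty dict means no filtering, which matches the poster's configuration.
    Checks run in the order the question lists them, then duplicates last, so a
    duplicate is only reported among attributes that would otherwise be sent.
    """
    filters = filters or {}
    allowed_types = set(filters.get("types", []))
    required_tags = set(filters.get("tags", []))
    seen = set()
    records = []
    for wrapper in events:
        ev = wrapper["Event"]
        tags = event_tags(ev)
        for attr in ev.get("Attribute", []):
            key = (attr["type"], attr["value"])
            if not ev.get("published"):
                status = "unpublished"
            elif not attr.get("to_ids"):
                status = "to_ids_false"
            elif allowed_types and attr["type"] not in allowed_types:
                status = "filtered_type"
            elif required_tags and not (tags & required_tags):
                status = "filtered_tag"
            elif key in seen:
                status = "duplicate"  # Graph API would collapse this anyway
            else:
                status = "sent"
                seen.add(key)
            records.append({"event_id": ev["id"], "type": key[0],
                            "value": key[1], "status": status})
    return records


def summarize(records):
    """Count attributes per status so a gap shows up as one number to chase."""
    return dict(Counter(r["status"] for r in records))


if __name__ == "__main__":
    recs = classify(SAMPLE_EVENTS)
    for r in recs:
        print(f"event {r['event_id']:>2} {r['type']:<8} {r['value']:<36} {r['status']}")
    print(summarize(recs))
```

Point `classify` at the JSON returned by your own MISP search (or at a saved export) to see how many attributes fall into each bucket; if everything comes back as `sent` but the indicators still never reach Sentinel, the loss is downstream of MISP and the Graph API side is the next place to look.
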

Thank you for the reply, and I'm aware it takes care of duplicates, but that's not it in this case. The datasets are completely different; I even checked the IOCs just to make sure. :v

The IOCs that I want are being sent only when I set the filter to pick them up and run the script manually.

But thank you for the suggestion!

Other thoughts I have without knowing your environment:

Have you tried the new Threat Intelligence API as a possible workaround for this?
Are the MISP instance names different or the same, etc.?
Within the Python script you can specify the name of the MISP instance; has this been tried?