Send IOCs to Microsoft Graph API With MineMeld

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cyber Elite
Cyber Elite
No ratings

MineMeld can be used to aggregate multiple threat intelligence feeds and extend to your Microsoft Security products via the Microsoft Graph Security API. Azure Sentinel is one of the first Microsoft Security products to ingest IOCs from the Graph Security API for use in alerting and hunting.

The Microsoft Graph Security API supports the following types of Indicators of Compromise (IOCs):

  • Email
  • File
  • IP address
  • URL
  • Domain

There are three steps to connecting MineMeld to the Microsoft Graph Security API:

  1. First, you will need to create an Application in Azure Active Directory. You will assign permissions to this application to access Microsoft Graph APIs. The MineMeld Output Node will be use the credentials tied to the application you created to connect to the Microsoft Graph.
  2. You will then install the Microsoft Graph Security API extension in MineMeld
  3. Finally, you will configure the extension to connect to the Microsoft Graph via the Security API.

 

Azure Active Directory Configuration

  1. Login on Azure Portal – portal.azure.com
  2. Go to Azure Active Directory
  3. Navigate to Enterprise Applications – App Registrations and click on New Application Registration1.png
  1. The Application name will not be used or surfaced as part of this integration, but we recommend you name this to Palo Alto Networks MineMeld or something similar so you can use the correct credentials when you setup your MineMeld output node.
  2. Set the Application type to “Web App / API”
  3. The Sign-on URL is not used, but you still need to put something into this field. 2.png

    Please note, the Application ID and Object ID will be used to configure both the threat feed in your Microsoft Graph Security API tenant and the MineMeld extension.

     3.png

  1. Under Settings go to “Required Permissions” and click on “Add”4.png
  1. Select Microsoft Graph as an API. You can find this by typing “graph” in the search box.5.png
  2. Under “Application Permissions “select “Manage threat indicators this app creates or owns”6.png
  1. Click “Select” and then click “Done”
  2. Click “Grant permissions” and click “Yes”7.png
  3. Under “App Registrations” in the app, under “Settings” go to “Keys” and create a new key with an expiration date. Click on “Save” and copy the value of the key and save it in your notes8.png9.png
  1. Copy the “Application ID” that you will need later10.png
  1. Copy the Tenant ID from Azure Active Directory Properties (Directory ID) 11.png

 

MineMeld Configuration

  1. On MineMeld, go under “System” and “Extensions”. Glick on the Git icon 12.png
  1. Put the URL of the Github repo: https://github.com/PaloAltoNetworks/minemeld-msgraph-secapi.git13.png
  1. Select the version (Master) and click “Install” 14.png
    The installation should complete shortly afterwards:15.png
  2. Click on the enable button and confirm:16.png
    The extension will activate shortly, and the API gateway will resent as part of this activation.17.png

 

Integration Configuration

  1. In MineMeld, go to Config - Prototypes18.png
  1. In the search box type “Microsoft”. Find “Microsoft_graph_secapi.output” and click on it.19.png
  2. Click on “Clone”20.png

 

  1. Name for the node and collect it to the Input nodes you want it to use (Threat Intel feeds).21.png
    NOTE: to understand the concepts of input nodes and what to connect to this, refer to Minemeld documentation
  2. Click OK 22.png
  1. Click on Commit23.png
  2. Under Nodes, select the node you created (MicrosoftGraphSecAPI in this example) and look at the SETTINGS page. Edit Client_ID (Azure Application ID), client_secret (Azure Application secret key) and Tenant_ID (Azure Active Directory ID) 24.png
  1. Select the Microsoft services you want to share this Threat Intelligence with by clicking on “Target Product”. NOTE: As of April 2019, Azure Sentinel is the only service capable of consuming third-party threat intelligence.25.png

Testing

Azure Sentinel can be used to validate this is setup correctly. Please review these instructions for turning on Threat Intelligence in Azure Sentinel. NOTE: The MineMeld extension currently specifies the Azure Sentinel service, so that is already done for you.

Once you have this setup, you can review the indicators in the logs section:26.png

Rate this article:
Comments
L0 Member
Spoiler
Hello! 

Thank you for the detailed instructions. However I am stuck at the second step in the "Integration configuration" section; I simply cannot find the "Microsoft_graph_secapi.output" prototype.
 
Is there an alternative to that? Is the timeline to have a prototype that would enable this integration known?
 
Thank you for your feedback
Lorenzo
L0 Member

@Lorenzobaesso  Are you sure you followed the previous steps correctly? Are you sure your Minemeld box has access to GitHub?  Is there anything doing SSL inspection that might prevent this? Also, have you tried restarting the MineMeld engine under the System tab or made sure you don't have any pending "commits" on the Config page? 

 

Feel free to PM me

Jon Bub

 

L0 Member

@JonBub Thank you for your reply. Restarting the VM itself did the trick; I guess restarting the engine wasn't enough in my case.

I am happy to confirm that I could test the integration end-to-end without any other issues! 🙂

 

Additionally I would like to share the configuration I currently have for MS Graph API:

  • 57 miners - All out of the box from the default install and free (no API keys or account registrations required).
  • 14 processors - All out of the box too.
  • 3 output - The Graph API output has a maximum of one input, so I created one for each indicator type I am interested in (Domain, IPv4, and URL). In this configuration I am indeed leveraging only three processors. If I don't mistake, the Graph API output doesn't take other processor types at the moment.

Link to the configuration file: MineMeld_config.txt 

 

Thank you all for the great work

Lorenzo

L0 Member

Hello

I have setup Minemeld as per your the above instructions. It worked for a day and i started the Threat Intel information in Azure Sentinel. But after a day, it stopped working and I can't see any new threat intel in the Sentinel. I have rebooted Minemeld server few times, changed the config few times, nothing seems to be working. Any help to diagnose the issue would be much appreciated.

mboppe_0-1593998405129.png

 

mboppe_1-1593998450032.png

 

My config 

 


Thanks
Malli

L0 Member

@mboppe 

 

I don't think you did anything wrong to make it stop working. I think on the evening of the 2nd of July the SecGraphAPI in Sentinel/Azure got a bug. The indicators are being send over succesfully but they do NOT show up in the threatintelligenceindicator logs. I thought I was going crazy, too. I opened a thread in the Azure community and hopefully it's not just me.

 

Does this information in the link below line up with the issue you are having?

https://techcommunity.microsoft.com/t5/azure-sentinel/tiindicators-not-showing-up-in-threatintellige...

L0 Member

@mboppe 

Try now, It seems they have put a fix in. Let me know 😃

L0 Member

Looking at my connections on the MineMeld server, it looks like the serverr is timing out to all the Azure IP's and consequently isn't sending me any indicators. Am I missing a step or is there something else?

 

L0 Member

@IsaacKuf I configured the extension last week for the first time and did not encounter any specific issue. Did you check your outgoing firewall rules ? Registered application privileges ? Conditionnal access rules ?

  • 20793 Views
  • 8 comments
  • 4 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎10-28-2019 10:58 AM
Updated by:
Retired Member