Query Details
# Get to know your MISP threat intelligence feed

## Description

If you are aggregating a MISP instance for your threat intelligence feed in Microsoft Sentinel (or Unified SecOps), then your ThreatIntelligenceIndicator table will be able to provide some fruitful numbers on how your MISP is overall contributing. The following queries are some ideas that will allow you an overall better understanding of your MISP feed.

### Microsoft Sentinel

```
// Piechart of MISP IoCs by Threat Type
ThreatIntelligenceIndicator
| where isnotempty(TimeGenerated) and SourceSystem == 'MISP'
| summarize count() by ThreatType
| render piechart with(title="MISP IoCs by Threat Type")

// Piechart of MISP IoCs by TLP
ThreatIntelligenceIndicator
| where isnotempty(TimeGenerated) and SourceSystem == 'MISP'
| summarize count() by TrafficLightProtocolLevel
| render piechart with(title="MISP IoCs by Traffic Light Protocol Level")

// Count of ingested IoCs over a period of time
ThreatIntelligenceIndicator
| where isnotempty(TimeGenerated) and SourceSystem == 'MISP'
| where TimeGenerated between (datetime(2024-01-01) .. datetime(2024-11-30))
| summarize IoCsCount=count_distinct(IndicatorId) by bin(TimeGenerated, 7d)
| render timechart

// A barchart of count of Tags
ThreatIntelligenceIndicator
| where isnotempty(TimeGenerated) and SourceSystem == 'MISP'
// Tags is stored as a JSON array string; parse it and expand one row per tag,
// naming the expanded column explicitly so the summarize below groups on it
| mv-expand Tags = todynamic(Tags)
| summarize count() by tostring(Tags)
| render barchart
```

### Versioning

| Version | Date | Comments |
| ------- | ---------- | --------------- |
| 1.0 | 25/11/2024 | Initial publish |
These queries are designed to help you understand the contribution of your MISP (Malware Information Sharing Platform) threat intelligence feed to Microsoft Sentinel. They do this by analyzing data from the ThreatIntelligenceIndicator table. Here's a simple breakdown of what each query does:
Piechart of MISP IoCs by Threat Type: This part of the query creates a pie chart showing the distribution of Indicators of Compromise (IoCs) from MISP, categorized by different threat types. It helps you see which types of threats are most common in your feed.
Piechart of MISP IoCs by TLP: This section generates a pie chart that categorizes IoCs based on the Traffic Light Protocol (TLP) level. TLP is a system for classifying the sensitivity of information, and this chart helps you understand the distribution of IoCs by their sensitivity level.
Count of ingested IoCs over a period of time: This part of the query counts the number of unique IoCs ingested from MISP over a specified time period (from January 1, 2024, to November 30, 2024) and displays the data in a time chart. This helps you track the volume of threat data over time.
Barchart of count of Tags: This section creates a bar chart showing the count of different tags associated with the IoCs. Tags are used to label and categorize IoCs, and this chart helps you see which tags are most frequently used.
Overall, these queries provide a visual and quantitative analysis of your MISP threat intelligence feed, helping you understand its composition and trends.
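One caveat worth keeping in mind: the queries above count rows, and the ThreatIntelligenceIndicator table stores one row per version of an indicator, so a MISP attribute that was updated or revoked appears several times and expired indicators are still counted. The query below is an added example, not part of the original post or of any Microsoft or MISP content: it keeps only the newest row per IndicatorId, discards inactive or expired indicators, and groups what remains by which observable column is populated. The column names are those of the Sentinel ThreatIntelligenceIndicator schema; the ObservableType labels and the `ActiveIoCs`/`AvgConfidence` names are my own choices.

```kql
// Active, unexpired MISP indicators by observable type (added example)
ThreatIntelligenceIndicator
| where SourceSystem == 'MISP'
// Keep only the latest version of each indicator; earlier rows are superseded
| summarize arg_max(TimeGenerated, *) by IndicatorId
// Drop indicators MISP has revoked (Active == false) and ones past their expiry
| where Active == true and ExpirationDateTime > now()
// Classify each indicator by the observable field it carries
| extend ObservableType = case(
    isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP), "ip",
    isnotempty(DomainName), "domain",
    isnotempty(Url), "url",
    isnotempty(FileHashValue), strcat("hash-", tolower(FileHashType)),
    isnotempty(EmailSourceDomain) or isnotempty(EmailSenderAddress), "email",
    "other")
| summarize ActiveIoCs = count(), AvgConfidence = avg(ConfidenceScore) by ObservableType
| order by ActiveIoCs desc
```

Comparing `ActiveIoCs` here with the raw `count_distinct(IndicatorId)` from the ingestion query shows how much of the feed is still actionable versus historical; a low `AvgConfidence` for a particular observable type is a hint to review the MISP tags or sharing groups that produce it before relying on it in analytic rules.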

Michalis Michalos
Released: November 24, 2024