What Changed
Updated MISP2Sentinel solution (v3.1.0) to fix critical table reference error in the Upload Indicators API connector. All KQL queries now correctly reference ThreatIntelIndicators instead of the deprecated ThreatIntelligenceIndicator table.
Security Impact (Visibility & Fidelity)
Critical Data Blind Spot Resolved: Deployments using MISP2Sentinel v3.0.0 had a complete ingestion failure for threat intelligence indicators. The connector was referencing a non-existent table name ThreatIntelligenceIndicator instead of the correct ThreatIntelIndicators table, causing:
- Zero threat intelligence data ingestion from MISP sources
- Failed connectivity checks preventing detection of ingestion issues
- Broken sample queries returning no results
- Invalid metrics reporting showing no indicators received
This was not a cosmetic fix: the table name mismatch caused the connector's queries to fail at execution time, so no MISP indicators were available for threat hunting or detection rules.
Affected Components Fixed
- Connectivity criteria queries: Now properly validate MISP indicator ingestion
- Sample queries: Correctly retrieve MISP threat intelligence data
- Metrics collection: Accurately reports indicator reception rates
- Health monitoring: Properly detects when MISP data stops flowing
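To catch this class of defect before a connector ships (KQL strings in the connector JSON that still name the deprecated table), here is an added regression check written for this page; it is not part of the MISP2Sentinel project. It walks every string in a connector document, reports the JSON path of each reference to ThreatIntelligenceIndicator, and can rename those references to ThreatIntelIndicators. The embedded connector fragment is constructed to mimic the connectorUiConfig layout (connectivityCriterias, sampleQueries, graphQueries) and is not the project's actual file.

```python
import json
import re

DEPRECATED_TABLE = "ThreatIntelligenceIndicator"
CURRENT_TABLE = "ThreatIntelIndicators"
# \b is essential: a loose prefix match on "ThreatIntel" would flag both
# names and hide the defect; the old name is not a substring of the new one.
DEPRECATED_RE = re.compile(rf"\b{DEPRECATED_TABLE}\b")


def _walk(node, path=""):
    """Yield (json_path, value) for every string in a JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, f"{path}[{idx}]")
    elif isinstance(node, str):
        yield path, node


def find_deprecated_table_refs(connector):
    """JSON paths of every string (KQL or otherwise) naming the old table."""
    return [p for p, s in _walk(connector) if DEPRECATED_RE.search(s)]


def rename_table_refs(node):
    """Return a copy with the old table name replaced by the current one.
    Only the table name is rewritten; column names differ between the two
    tables, so queries touching old columns still need manual review."""
    if isinstance(node, dict):
        return {k: rename_table_refs(v) for k, v in node.items()}
    if isinstance(node, list):
        return [rename_table_refs(v) for v in node]
    if isinstance(node, str):
        return DEPRECATED_RE.sub(CURRENT_TABLE, node)
    return node


# Constructed sample mimicking the connectorUiConfig layout of a Sentinel
# data connector; it is NOT the MISP2Sentinel project's own file.
SAMPLE_V300 = json.loads("""{"properties": {"connectorUiConfig": {
  "connectivityCriterias": [{"type": "IsConnectedQuery", "value": [
    "ThreatIntelligenceIndicator | where SourceSystem == 'MISP' | summarize LastReceived = max(TimeGenerated) | project IsConnected = LastReceived > ago(3d)"]}],
  "sampleQueries": [{"description": "MISP indicators",
    "query": "ThreatIntelligenceIndicator | where SourceSystem == 'MISP'"}],
  "graphQueries": [{"metricName": "Indicators received", "legend": "MISP",
    "baseQuery": "ThreatIntelIndicators | where SourceSystem == 'MISP'"}]}}}""")
```

Run `find_deprecated_table_refs` against the real connector file as a CI step; a non-empty result is the v3.0.0 defect reappearing.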
Detection Surface Restored
With this fix, MISP threat intelligence indicators are now properly ingested into Microsoft Sentinel, restoring visibility for:
- IOC matching against security events
- Threat hunting queries using MISP indicators
- Analytic rules leveraging threat intelligence data
- Timeline correlation of indicators with security incidents
Organizations using MISP as a threat intelligence source should immediately upgrade to prevent continued detection blind spots.
Affected Files
Solutions/MISP2Sentinel/Data Connectors/MISP2SentinelConnector_UploadIndicatorsAPI.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_MISP2Sentinel.json, mainTemplate.json)