Dean_Gross
Silver Contributor
Jun 05, 2021

Architecture for Threat Intelligence connectors

We have many Sentinel instances in our company (for monitoring our CSP tenants) that are monitored by Lighthouse. Should we set up MISP with a TI connector in each instance or just do this in one of our primary tenants?

2 Replies

  • GaryBushey
    Bronze Contributor

    Dean_Gross I would think you would want it activated in each tenant. If you just enable it in the primary tenant, it would not be able to trickle down into the others without some work. Not sure if each tenant can point to the same MISP server, but that may be an option.

    • bradleyfell
      Copper Contributor

      I'm extremely curious about best practice in this realm.

      Dean_Gross GaryBushey 

      What was the final consensus for MSSP Threat Intelligence deployments?
      Do I create a central TI server and, during implementation for a customer, connect them to this feed?
      Then I manage the analytic rules from CI/CD to engage with this feed?

      - A curious sailor

      UPDATE!
      I plan to deploy our own centralized TAXII/feed/hub/server, and deploy the connector/rules through CI/CD.

      These conversations need to happen more on this forum!