Forum Discussion
Dean_Gross
Jun 05, 2021 Silver Contributor
Architecture for Threat Intelligence connectors
We have many Sentinel instances in our company (for monitoring our CSP tenants) that are monitored by Lighthouse. Should we set up MISP with a TI connector in each instance or just do this in one of o...
GaryBushey
Jun 07, 2021 Bronze Contributor
Dean_Gross I would think you would want it activated in each tenant. If you just enable it in the primary tenant, it would not be able to trickle down into the others without some work. Not sure if each tenant can point to the same MISP server, but that may be an option.
bradleyfell
Apr 16, 2022 Copper Contributor
I'm extremely curious about best practice in this realm.
What was the final consensus for MSSP Threat Intelligence deployments?
Do I create a central TI server, and during implementation for a customer, connect them to this feed?
Then I manage the analytic rules from CI/CD to engage with this feed?
- A curious sailor
UPDATE!
I plan to deploy our own centralized TAXII/feed/hub/server, and deploy the connector/rules through CI/CD.
These conversations need to happen more on this forum!