Microsoft Tech Community

Architecture for Threat Intelligence connectors


We have many Sentinel instances in our company (for monitoring our CSP tenants) that are monitored by Lighthouse. Should we set up MISP with a TI connector in each instance or just do this in one of our primary tenants?


@Dean Gross I would think you would want it activated in each tenant. If you just enable it in the primary tenant, it would not be able to trickle down into the others without some work. Not sure if each tenant can point to the same MISP server, but that may be an option.

I'm extremely curious on best practice in this realm.

@Dean Gross @Gary Bushey

What was the final consensus for MSSP Threat Intelligence deployments?
Do I create a central TI server and, during implementation for a customer, connect them to this feed?
Then I manage the analytic rules from CI/CD to engage with this feed?

- A curious sailor

UPDATE!
I plan to deploy our own centralized TAXII/feed/hub/server, and deploy the connector/rules through CI/CD.

These conversations need to happen more on this forum!
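The hub-and-spoke pattern discussed in this thread (one central feed, every managed workspace receives the same indicators) as an added example that is not part of any post above. It assumes the Microsoft Sentinel Upload Indicators API endpoint and its 100-object-per-request limit as documented; the workspace IDs and STIX objects are constructed samples.

```python
import json
import urllib.request

# Constructed inventory: one Sentinel workspace per Lighthouse-managed CSP tenant (sample IDs).
WORKSPACES = {
    "contoso-csp": "11111111-1111-1111-1111-111111111111",
    "fabrikam-csp": "22222222-2222-2222-2222-222222222222",
}

# Constructed sample of what the central hub serves: STIX 2.1 objects, including a
# duplicate indicator and a non-indicator object that the fan-out should drop.
CENTRAL_FEED = [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
     "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[domain-name:value = 'example.invalid']", "pattern_type": "stix",
     "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
     "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--00000000-0000-4000-8000-0000000000ff"},
]

# Assumed: Sentinel Upload Indicators API endpoint and its 100-object-per-request limit.
UPLOAD_URL = "https://sentinelus.azure-api.net/{wid}/threatintelligence:upload-indicators?api-version=2022-07-01"
MAX_PER_REQUEST = 100


def dedupe_indicators(objects):
    """Keep only STIX indicator objects; the first occurrence of each id wins."""
    seen, out = set(), []
    for obj in objects:
        if obj.get("type") != "indicator" or obj["id"] in seen:
            continue
        seen.add(obj["id"])
        out.append(obj)
    return out


def build_upload_requests(feed, workspaces, source="central-ti-hub"):
    """Fan one central feed out to every managed workspace as per-request batches."""
    indicators = dedupe_indicators(feed)
    batches = [indicators[i:i + MAX_PER_REQUEST] for i in range(0, len(indicators), MAX_PER_REQUEST)]
    return [{"tenant": name, "url": UPLOAD_URL.format(wid=wid),
             "body": {"sourcesystem": source, "value": batch}}
            for name, wid in workspaces.items() for batch in batches]


def send(request, bearer_token):
    """POST one batch; bearer_token is an Azure AD token for the managing (Lighthouse) identity."""
    req = urllib.request.Request(request["url"], data=json.dumps(request["body"]).encode(),
                                 headers={"Authorization": f"Bearer {bearer_token}",
                                          "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```

Running this from a CI/CD pipeline against the tenant inventory keeps the feed central while every workspace still gets its own copy of the indicators, which is the point made in the first reply.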