Jun 05 2021 11:28 AM
We have many Sentinel instances in our company (for monitoring our CSP tenants) that are monitored by Lighthouse. Should we set up MISP with a TI connector in each instance or just do this in one of our primary tenants?
Jun 07 2021 04:20 AM
@Dean Gross I would think you would want it activated in each tenant. If you just enable it in the primary tenant, it would not be able to trickle down into the others without some work. Not sure if each tenant can point to the same MISP server, but that may be an option.
Apr 16 2022 06:01 AM - edited Apr 16 2022 07:57 AM
I'm extremely curious about best practice in this realm.
What was the final consensus for MSSP Threat Intelligence deployments?
Do I create a central TI server, and during implementation for a customer, connect them to this feed?
Then I manage the analytic rules from CI/CD to engage with this feed?
- A curious sailor
UPDATE!
I plan to deploy our own centralized TAXII/feed/hub/server, and deploy the connector/rules through CI/CD.
These conversations need to happen more on this forum!