Integrating Anomali TI data with Sentinel


Hello Experts,


As we may all already be aware, we can connect to various TI feeds from Sentinel using the TAXII data connectors. We would very much like to go ahead and integrate it with Anomali; however, I had a few questions, if I may ask:

1) In the TAXII data connector, we connect to specific Collection IDs to get the data from Anomali. Is the time period considered by default, or does Anomali just provide us with whatever info it has? If there are thousands of records, they will all be ingested into the workspace.

2) Per my understanding, new TI data will be ingested into the TI table as and when it is available. What is the size of each record, and will connecting to multiple IDs increase the amount of storage substantially?


Any leads on this would be appreciated. https://docs.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-taxii

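Both questions in the post (how far back a collection reaches, and how much each record costs in storage) can be measured from the workspace itself once a TAXII connector has been running for a while. The query below is an added example and not part of the original post. It assumes the standard ThreatIntelligenceIndicator table, the hidden _BilledSize column (the number of bytes billed for each row in Log Analytics), and that SourceSystem carries the friendly name given to each TAXII connector when it was configured; if your connectors populate a different column, swap it into the `by` clause.

```kql
// Added example: per-source volume, record size and indicator freshness
// for threat intelligence ingested into a Sentinel workspace.
// Assumptions: standard ThreatIntelligenceIndicator schema, the hidden
// _BilledSize column (bytes billed per row), and SourceSystem holding the
// friendly name configured for each TAXII connector.
let lookback = 30d;
ThreatIntelligenceIndicator
| where TimeGenerated > ago(lookback)
| summarize
    Records            = count(),
    DistinctIndicators = dcount(IndicatorId),
    // how many rows arrived already past their expiry: a sign the
    // collection hands over its full backlog rather than a time window
    AlreadyExpired     = countif(ExpirationDateTime < now()),
    TotalMB            = round(sum(_BilledSize) / 1024.0 / 1024.0, 2),
    AvgBytesPerRecord  = round(avg(_BilledSize), 0),
    MaxBytesPerRecord  = max(_BilledSize),
    FirstSeen          = min(TimeGenerated),
    LastSeen           = max(TimeGenerated)
    by SourceSystem
| extend
    EstimatedMBPerDay  = round(TotalMB / 30.0, 2),
    // rows per distinct indicator > 1 means the same indicator is being
    // re-ingested (updates or overlapping collections), which inflates storage
    RowsPerIndicator   = round(todouble(Records) / DistinctIndicators, 2)
| order by TotalMB desc
```

Run it once per connector you add and compare the FirstSeen and AlreadyExpired columns against the connector's configured polling frequency: a large AlreadyExpired count on the first poll indicates the collection served its historical backlog rather than only recent objects, and the AvgBytesPerRecord and EstimatedMBPerDay columns give a workspace-specific answer to the storage question without guessing from the STIX object size.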