Anomali Limo Feeds for Microsoft Sentinel to Expire for Good

If you’re an Anomali customer, you probably received the following email this past week:

Boo on you, Anomali!

If you didn’t receive it, you might check your Spam folder.

On its own, this is not a big deal. Things change. Products get deprecated. But, in the bigger picture, there are a ton of Microsoft Sentinel customers who use these free feeds. In fact, we’ve recommended them through our Docs and a blog post. And to be honest, I use the heck out of these feeds…

Wherefore art thou, Anomali?

So, this makes the news extra sad, but I wanted to give everyone a heads-up and thank my colleague, Andrew Blumhardt, for letting me know about it. Just like many of you, I also missed the message.

I’m sure there’s some organizational reason why Anomali wants to detach itself from maintaining these feeds.

If you’re like me and use these feeds for Microsoft Sentinel demos, consider querying the ThreatIntelligenceIndicator table for the Limo feeds and exporting the results, so you still have them once the active feed dries up.

ThreatIntelligenceIndicator
| where SourceSystem contains "Limo"

You can then use our new functionality to import flat files into ThreatIntelligence and reuse the continually stale indicators.

See: Add indicators in bulk to Microsoft Sentinel threat intelligence from a CSV or JSON file
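As an added example (not part of the original post or Microsoft's tooling), this sketch turns a CSV export of the query above into indicator objects for the JSON upload. It assumes the export keeps the table's column names and that the JSON upload takes STIX 2.1 indicator objects, so compare the output with the template offered in the import dialog; the `limo-archive` label and the sample rows are made up.

```python
import csv, io, json, uuid
from datetime import datetime, timezone

# Column names are those of the ThreatIntelligenceIndicator table; the
# first populated one decides the STIX pattern for the row.
PATTERNS = [("NetworkIP", "[ipv{n}-addr:value = '{v}']"),
            ("DomainName", "[domain-name:value = '{v}']"),
            ("Url", "[url:value = '{v}']")]
HASH_NAMES = {"MD5": "MD5", "SHA1": "SHA-1", "SHA256": "SHA-256"}

def esc(value):
    # STIX string literals escape backslash and single quote with a backslash.
    return value.strip().replace("\\", "\\\\").replace("'", "\\'")

def row_to_pattern(row):
    for col, tmpl in PATTERNS:
        if row.get(col):
            v = esc(row[col])
            return tmpl.format(v=v, n=6 if ":" in v else 4)  # n: IP version
    algo = HASH_NAMES.get((row.get("FileHashType") or "").upper().replace("-", ""))
    if algo and row.get("FileHashValue"):
        return "[file:hashes.'%s' = '%s']" % (algo, esc(row["FileHashValue"]))
    return None  # other indicator types are skipped rather than guessed

def convert(csv_text, now=None):
    # One timestamp for created/modified/valid_from: the archive is a snapshot.
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    out, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        pattern = row_to_pattern(row)
        if pattern is None or pattern in seen:
            continue  # the table holds a row per update, so drop repeats
        seen.add(pattern)
        out.append({
            "type": "indicator", "spec_version": "2.1",
            # uuid5 of the pattern: re-running the conversion keeps the same id
            "id": "indicator--%s" % uuid.uuid5(uuid.NAMESPACE_URL, pattern),
            "created": now, "modified": now, "valid_from": now,
            "name": row.get("Description") or pattern,
            "pattern": pattern, "pattern_type": "stix",
            "labels": ["limo-archive"],  # hypothetical label for this example
        })
    return out

# Constructed sample export (documentation addresses, made-up hash).
SAMPLE = ("SourceSystem,Description,NetworkIP,DomainName,Url,FileHashType,FileHashValue\n"
          "Limo,Sample IP,198.51.100.7,,,,\n"
          "Limo,Sample IP,198.51.100.7,,,,\n"
          "Limo,Sample domain,,bad.example,,,\n"
          "Limo,Sample hash,,,,SHA256," + "a" * 64 + "\n")

if __name__ == "__main__":
    print(json.dumps(convert(SAMPLE), indent=2))
```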
