When I noted that the free Anomali Limo feeds that everyone was using for TI in Microsoft Sentinel were going to be sun-setted there was woe and anguish and then immediate questions about what to replace them with. Unfortunately, we didn’t have much control over this. This was a decision by Anomli.
Just now realizing the feeds aren’t producing results and missed this announcement? See: Anomali Limo Feeds for Microsoft Sentinel to Expire for Good
At once a couple good colleagues of mine (Matt Larkin and Michael Crane) set forth to locate replacement feeds and they’ve come up with a solid solution using the MISP Open Source Threat Intelligence Platform.
The solution requires a VM and some configuration, but the result is an automation solution for feeding MISP directly into Microsoft Sentinel.
Instructions here: MISP Open Source Threat Intelligence Platform to Microsoft Sentinel
If you get the chance, you should thank Matt and Michael for their work on this. They saw a problem, rolled up their sleeves, and dug in deep to produce this solution on their own time.
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Learn KQL with the Must Learn KQL series and book]