A Replacement for the Defunct Anomali Limo Feeds in Microsoft Sentinel

When I noted that the free Anomali Limo feeds that everyone was using for TI in Microsoft Sentinel were going to be sunset, there was woe and anguish, and then immediate questions about what to replace them with. Unfortunately, we didn’t have much control over this. This was a decision by Anomali.

Just now realizing the feeds aren’t producing results and missed this announcement? See: Anomali Limo Feeds for Microsoft Sentinel to Expire for Good

At once, a couple of good colleagues of mine (Matt Larkin and Michael Crane) set forth to locate replacement feeds, and they’ve come up with a solid solution using the MISP Open Source Threat Intelligence Platform.

The solution requires a VM and some configuration, but the result is an automation solution for feeding MISP directly into Microsoft Sentinel.

Instructions here: MISP Open Source Threat Intelligence Platform to Microsoft Sentinel

If you get the chance, you should thank Matt and Michael for their work on this. They saw a problem, rolled up their sleeves, and dug in deep to produce this solution on their own time.

