User Guide
Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use
of this information.
Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned
may be trademarks, registered trademarks, or service marks of their respective holders.
LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
The LogRhythm Threat Intelligence Service (TIS) and the LogRhythm Threat Intelligence Module work
together to collect and analyze data published by subscription-based and open source threat data providers
to alert users to threats in their environments.
The Threat Intelligence Service installer can be downloaded from the LogRhythm Community.
The Threat Intelligence Module is available in the LogRhythm Knowledge Base 6.1.295.0 and later.
This document provides information about configuring the Threat Intelligence Service. For information
about installation and deployment, please refer to Install and Deploy the Threat Intelligence Service.
UNC paths are supported for remote directories, and the account that is running the service
must have access to this path to write lists. The path is validated in the Service Manager
when the service starts. If the path is unreachable or if the service does not have access to it,
the service will not start.
Log in with Windows account: Select the check box to log in with your current Windows account credentials.
Password: The password for the account specified in the User Name box.
4. Click Test Connection. If the test fails, ensure the connection details are correct and test the connection again.
5. In the List Path box, type the file path where you want the Threat Intelligence Service to create its threat feed
lists. This should be the Job Manager's list_import directory.
The default path is C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\. If the service is
not installed locally on the Event Manager or Platform Manager appliance, enter a UNC path to the Job
Manager’s list_import directory (for example, \\Server1\list_import\).
The directory specified in the List Path box must be on a Windows host.
Upon saving, the Configuration Manager looks up the server address via DNS. If the address is not
registered, a warning message displays. If you want to continue with the specified address, click Yes
to save the configuration and close. To return to the Proxy Configuration without saving, click No.
The first time you configure BrightCloud, you must click the link to open the end user license
agreement, select the check box indicating that you have read and agree to the license, and
then click Accept to view configuration options.
Enabled: Select this check box to enable the provider, or clear it to disable the provider.
Edit Provider: Custom providers only. Click to open the LogRhythm Custom Provider dialog box. For more information, see Add a Custom STIX/TAXII Provider (TIS v.1.9.2).
Feed Name: For vendors that provide more than one threat feed, you can enable or disable individual feeds after the provider has been enabled.
Credentials: Connection credentials required for the selected feed. For information about the details required from each vendor, see Vendor Subscription Information. Click Test to validate the credentials. If the test fails, verify the credentials and type them again.
Last Downloaded: The date and time when the threat feed was last downloaded.
Next Run Time: The next date and time when the service will download the threat feed.
Download every: Select the download interval for the current feed from the list.
Download Now: Click to download the selected feed immediately. This option is only available if the Threat Intelligence Service is currently running. You can only download lists in the abuse.ch feed once every 15 minutes. If you try to manually download the feed and any of the lists have been downloaded in the last 15 minutes, an error similar to the following is logged in lrtfmgr.log:
07/05/2016 03:51:06.410231 [host] Abuse uri download will be attempted after 15 min of last download time 7/5/2016 3:36:29 AM
First Run at: Specify the time of day when the service should run on the selected feed. Select the hour, minute, or AM/PM values, then click the up or down arrows to make changes.
Test: For vendors that require credentials, click Test to validate the supplied values.
Clicking Save saves only the configuration for the selected feed.
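The rate-limit message above is the line an operator looks for when a manual abuse.ch download appears to do nothing. The following Python is an added example, not part of this guide or of the LogRhythm service: it scans constructed lrtfmgr.log lines laid out like the sample shown, extracts the host, the last download time and the retry window, and computes when the next download attempt will be accepted. The assumption that every line carries the same leading timestamp and [host] field, and the two unrelated sample lines, are the author's constructions, not LogRhythm output.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Matches the abuse.ch rate-limit message shown in the guide. Assumption: the
# leading timestamp and the "[host]" field are laid out the same way on every line.
RATE_LIMIT_RE = re.compile(
    r"^(?P<logged>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"\[(?P<host>[^\]]+)\] Abuse uri download will be attempted after "
    r"(?P<minutes>\d+) min of last download time (?P<last>.+?)\s*$"
)


@dataclass
class RateLimitEvent:
    host: str
    logged_at: datetime        # when the rejected manual attempt was logged
    last_download: datetime    # last successful download reported in the line
    earliest_retry: datetime   # last_download plus the stated window

    @property
    def wait_seconds(self) -> float:
        """Seconds between the rejected attempt and the earliest accepted retry."""
        return (self.earliest_retry - self.logged_at).total_seconds()


def parse_rate_limit_events(log_text: str) -> List[RateLimitEvent]:
    """Return one event per rate-limit line; unrelated lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = RATE_LIMIT_RE.match(line)
        if not m:
            continue
        # Log timestamp is 24-hour with microseconds; the embedded last-download
        # time is 12-hour with AM/PM and no zero padding, as in the guide's sample.
        logged_at = datetime.strptime(m["logged"], "%m/%d/%Y %H:%M:%S.%f")
        last = datetime.strptime(m["last"], "%m/%d/%Y %I:%M:%S %p")
        events.append(RateLimitEvent(
            host=m["host"],
            logged_at=logged_at,
            last_download=last,
            earliest_retry=last + timedelta(minutes=int(m["minutes"])),
        ))
    return events


# Constructed sample: the guide's example line plus two unrelated lines.
SAMPLE_LOG = """\
07/05/2016 03:36:29.000000 [host] Abuse uri download started
07/05/2016 03:51:06.410231 [host] Abuse uri download will be attempted after 15 min of last download time 7/5/2016 3:36:29 AM
07/05/2016 03:52:10.000000 [host] Scheduler tick
"""

if __name__ == "__main__":
    for ev in parse_rate_limit_events(SAMPLE_LOG):
        print(f"{ev.host}: retry allowed at {ev.earliest_retry:%Y-%m-%d %H:%M:%S} "
              f"({ev.wait_seconds:.1f} s after the rejected attempt)")
```

Run against a real lrtfmgr.log, the same function tells you whether a "Download Now" that silently did nothing was rejected by the 15-minute window and how long to wait before trying again, rather than restarting the service.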
TAXII Collection Endpoint: Type or paste the HTTP endpoint for the provider.
User name: If the provider specified by the endpoint requires a user name, type it here.
Password: If the provider specified by the endpoint requires a password, type it here.
Certificate Authentication: Select this check box to enable certificate-based authentication for the selected provider. If enabled, you will need to supply the full path to a PKCS#12/PFX format certificate and the certificate password.
Certificate Password: The certificate password, created when the certificate was exported.
Certificate Path: Click the ellipsis [...] to locate and select your certificate. After locating your certificate, select it and click Open.
3. To validate the connection details, click Test. If the test fails, verify that you have entered the correct values and
test the connection again.
4. After the connection is successful, click Save.
The new provider is added to the list under Threat Data Providers, and the configuration page for the provider
appears. Feeds discovered at the provider endpoint are listed, and each can be enabled or disabled on an
individual basis. For more information, see Configure Vendor Threat Feeds (TIS v.1.9.2).
If a feed is added to a custom provider after it has been enabled, you may need to restart the
Configuration Manager before configuring the Threat Intelligence Service to consume the
new feed.
Feed Name: Type the name of the feed. This name will be displayed in the List Manager and in the Threat Intelligence Service Manager. You cannot use the name of an existing paid, custom, or open source provider.
Feed from URL / STIX Indicator Endpoint: If you select this radio button, enter the URL from where the STIX direct feed will be downloaded.
Feed from File / STIX Feed File Location: If you select this radio button, select the location where the feed file is located. The Username, Password, and Certificate Authentication fields are not required.
User name: If the feed specified requires a user name, type it here.
Password: If the feed specified requires a password, type it here.
Certificate Authentication: Select this check box to enable certificate-based authentication for the feed. If enabled, you will need to supply the full path to a PKCS#12/PFX format certificate and the certificate password.
Certificate Password: The certificate password, created when the certificate was exported.
Certificate Path: Click the ellipsis [...] to locate and select your certificate. After locating your certificate, select it and click Open.
3. To validate the connection details, click Test. If the test fails, verify that you have entered the correct values and
test the connection again.
4. After the connection is successful, click Save.
After a custom feed is saved, a custom list is created based on the response from the STIX URL and is
appended to the specified parent list. The list will have the following properties:
• Auto Import: true
• Import Options: Replace
• Expiring: false
• Read Access: System: Public All Users
• Write Access: System: Public Global Administrator
• Entity: Global Entity
• Owner: N/A
7. Stop the Threat Intelligence Service, and exit the Threat Intelligence Service Manager.
8. Open the lrtfsvnconfig.json file in a text editor (e.g., Notepad). The default path for the file is C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\config.
11. The following are the recommended settings for Cisco CTA:
To include matching URLs with http(s):// and www in the URL, change the IncludeOriginal
parameter to true.
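The custom list created from a STIX response (described under the custom feed properties above) and the IncludeOriginal behaviour just described, as an added illustration that is not LogRhythm's code and not part of this guide: a Python parser that reads a constructed STIX 1.x package, extracts IP address, URL and domain observables, and builds a line-per-entry list. The assumptions are the author's: that the list_import file format is one indicator per line, that the service's default URL handling drops the scheme and a leading "www." and that IncludeOriginal adds the URL back in its original form, and that the sample package (documentation addresses and example domains) stands in for a real feed.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

# STIX 1.x / CybOX 2.x namespaces for the observable types handled here.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}

# Constructed sample package (RFC 5737 address, example domains); not a real feed.
SAMPLE_STIX = """<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package id="example:package-1" version="1.1.1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value>
        </cybox:Properties></cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
          <URIObj:Value>http://www.example.com/malware.exe</URIObj:Value>
        </cybox:Properties></cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
          <DomainNameObj:Value>bad.example.net</DomainNameObj:Value>
        </cybox:Properties></cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def extract_indicators(stix_xml: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for the IP, URL and domain observables in a package."""
    root = ET.fromstring(stix_xml)
    found = []
    for indicator in root.iterfind(".//stix:Indicator", NS):
        for props in indicator.iterfind(".//cybox:Properties", NS):
            for kind, tag in (("ip", "AddressObj:Address_Value"),
                              ("url", "URIObj:Value"),
                              ("domain", "DomainNameObj:Value")):
                node = props.find(tag, NS)
                if node is not None and node.text and node.text.strip():
                    found.append((kind, node.text.strip()))
    return found


def normalize_url(url: str) -> str:
    """Drop the scheme and a leading 'www.' so the entry matches URLs logged
    without them (assumed to mirror the service's default behaviour)."""
    if "://" not in url:
        url = "http://" + url          # let urlsplit see a host for bare entries
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path + ("?" + parts.query if parts.query else "")


def build_list(stix_xml: str, include_original: bool = False) -> List[str]:
    """One entry per line, de-duplicated in feed order. include_original stands in
    for the IncludeOriginal setting: the URL is also kept exactly as the feed gave it."""
    entries: List[str] = []
    for kind, value in extract_indicators(stix_xml):
        candidates = [normalize_url(value)] if kind == "url" else [value]
        if kind == "url" and include_original:
            candidates.append(value)
        for entry in candidates:
            if entry not in entries:
                entries.append(entry)
    return entries


if __name__ == "__main__":
    print("\n".join(build_list(SAMPLE_STIX, include_original=True)))
```

Because the list is written with Import Options set to Replace, every download overwrites the previous contents, so de-duplicating here only saves bytes; the point of the normalized form is that a logged URL such as example.com/malware.exe still matches after the browser or proxy has stripped the scheme, while the original form only matches when IncludeOriginal is on.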
This logging is optional and should not be done unless necessary, as it significantly increases log
volume.
Source: URL
CrowdStrike: https://intelapi.crowdstrike.com/indicator/v2/search
ThreatStream: https://api.threatstream.com
Webroot: https://api.bcss.brightcloud.com/1.0/localdb/getipfile?localdb={0}|0|0|0&oemid={1}&deviceid={2}&uid={3}
Memory
The Threat Intelligence Service does not have a cap on memory usage. It can be expected to consume
between 40 and 100k when running. Some small spikes in memory usage can be expected when processing
downloads.
List Size
List size ranges between 1 and 20 MBs. Lists are processed and then removed from the system, and
maintenance is not required.