Sei sulla pagina 1di 28

Threat Intelligence Service v.1.9.

2 User
Guide

August 12, 2019


© LogRhythm, Inc. All rights reserved.
This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by
copyright and possible non-disclosure agreements. The Software described in this Guide is furnished under
the End User License Agreement or the applicable Terms and Conditions (“Agreement”) which governs the
use of the Software. This Software may be used or copied only in accordance with the Agreement. No part of
this Guide may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying and recording for any purpose other than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use
of this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned
may be trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com

Phone Support (7am - 6pm, Monday-Friday)


Toll Free in North America (MT) +1-866-255-0862
Direct Dial in the Americas (MT) +1-720-407-3990
EMEA (GMT) +44 (0) 844 3245898
META (GMT+4) +971 8000-3570-4506
APAC (SGT) +65 31572044
Table of Contents
Threat List Vendors ........................................................................................................ 4
Vendor Subscription Information ................................................................................. 4
How the Threat Intelligence Service Works.................................................................. 5
Launch the Service Manager (TIS v.1.9.2) ..................................................................... 6
Configure the Connection to LogRhythm (TIS v.1.9.2)................................................. 7
Configure Proxy Settings (TIS v.1.9.2)........................................................................... 8
Configure Vendor Threat Feeds (TIS v.1.9.2) ................................................................ 9
Add a Custom STIX/TAXII Provider (TIS v.1.9.2).......................................................... 11
Add a STIX Feed (TIS v.1.9.2) ............................................................................................................... 14
CustomObjectType in STIX/TAXII Feeds (TIS v.1.9.2) ......................................................................... 16
Enabling Cisco CTA ...............................................................................................................................................................16

Start and Stop the Service (TIS v.1.9.2)....................................................................... 19


Configure the Threat Intelligence Service v.1.9.2 Whitelist ....................................... 20
URL Normalization (TIS v.1.9.2) .................................................................................. 21
Request Response Logging (TIS v.1.9.2) ..................................................................... 22
View Log Files (TIS v.1.9.2)........................................................................................... 23
Troubleshoot the Threat Intelligence Service v.1.9.2 ................................................ 24
Firewall Blocking Open Source URLs (TIS v.1.9.2).............................................................................. 25
Log Files (TIS v.1.9.2)............................................................................................................................ 26
Resource Utilization (TIS v.1.9.2) ........................................................................................................ 27
Memory..................................................................................................................................................................................27
List Size..................................................................................................................................................................................27
Threat Intelligence Service v.1.9.2 Will Not Start ............................................................................... 28

LogRhythm, Inc. | Contents 3


Threat Intelligence Service v.1.9.2 User Guide

The LogRhythm Threat Intelligence Service (TIS) and the LogRhythm Threat Intelligence Module work
together to collect and analyze data published by subscription-based and open source threat data providers
to alert users to threats in their environments.
The Threat Intelligence Service installer can be downloaded from the LogRhythm Community.
The Threat Intelligence Module is available in the LogRhythm Knowledge Base 6.1.295.0 and later.
This document provides information about configuring the Threat Intelligence Service. For information
about installation and deployment, please refer to Install and Deploy the Threat Intelligence Service.

Threat List Vendors


The following threat data providers are supported by the Threat Intelligence Service. Each one requires a
separately purchased subscription.
• Webroot BrightCloud
• Cisco AMP Threat Grid
• Symantec
• CrowdStrike
The Threat Intelligence Service also collects threat feed data from various open source providers and
custom STIX/TAXII providers.

Vendor Subscription Information


With the exception of the open source vendors and custom STIX/TAXII providers, each of the supported
threat data vendors requires a subscription. You must know the connection credentials from each vendor
before you can configure the service to collect threat feed data.

Vendor Credentials Required

BrightCloud OEM ID, Device ID, and user ID

Cisco AMP Threat Grid API Key

CrowdStrike API ID, API Key

Symantec User Name, Password

Threat List Vendors 4


Threat Intelligence Service v.1.9.2 User Guide

Vendor Credentials Required

Open Source AutoShun


API Key (see note above). Users need to register with AutoShun to get
an API key for the Threat Intelligence Service.
Go to autoshun.org to register. When finished, you can obtain the API
key from the HTML or CSV download links on the My Account page.
You can find the API key between api_key= and &format, highlighted
in the example below:
https://www.autoshun.org/download/?
api_key=1234567890abcdef123456789&format=html

Open Source Not applicable

Custom Provider Varies by provider

How the Threat Intelligence Service Works


The Threat Intelligence Service collects threat feed data from open source and subscription-based vendors
at scheduled intervals. Subscription credentials for applicable vendors must be provided in the LogRhythm
Threat Intelligence Service Manager. For more information, see Configure Vendor Threat Feeds (TIS v.1.9.2).
The feed data is written to text files that are imported by the Job Manager into the appropriate vendor lists.
The Job Manager consumes and deletes the text files, which range in size from 1 to 20 MB. Advanced
Intelligence Engine rules in the Threat Intelligence Module detect and alert on threat activity.

How the Threat Intelligence Service Works 5


Threat Intelligence Service v.1.9.2 User Guide

Launch the Service Manager (TIS v.1.9.2)


On the host where the service is installed:
1. Click Start, and then click All Programs.
2. Click the LogRhythm folder. 
3. Right-click Threat Intelligence Service Configuration Manager, and then click Run as Administrator. 
4. Use the Threat Intelligence Service Manager to do the following:
• Configure the connection to LogRhythm
• Configure the proxy settings
• Configure vendor threat feeds
• Add a custom STIX or TAXII provider
• Start and stop the service
• Request response logging
• View log files

Launch the Service Manager (TIS v.1.9.2) 6


Threat Intelligence Service v.1.9.2 User Guide

Configure the Connection to LogRhythm (TIS v.1.9.2)


To configure the connection between the Threat Intelligence Service and LogRhythm:
1. If it is not already running, launch the Service Manager. For more information, see Launch the Service Manager
(TIS v.1.9.2).
2. Click the File menu, and then click LogRhythm Service Configuration. 
The LogRhythm Server Configuration dialog box appears.

UNC paths are supported for remote directories, and the account that is running the service
must have access to this path to write lists. The path is validated in the Service Manager
when the service starts. If the path is unreachable or if the service does not have access to it,
the service will not start.

3. Enter the connection details as described in the table below.


Parameter Description

Server The host name of the Event Manager or Platform Manager


appliance. Type localhost if the Threat Intelligence Service is
installed locally on the appliance.

Database The name of the Event Manager or Platform Manager database,


which is usually LogRhythmEMDB.

Log in with Windows account Select the check box to log in with your current Windows
account credentials.

User Name If not using a Windows account, type LogRhythmJobMgr or the


SQL user you created with permissions to edit the Lists table in
EMDB. To grant these permissions, assign the
LogRhythmGlobalJobMgr to the account.

Password The password for the account specified in the User Name box.
4. Click Test Connection. If the test fails, ensure the connections details are correct and test the connection again.
5. In the List Path box, type the file path where you want the Threat Intelligence Service to create its threat feed
lists. This should be the Job Manager's list_import directory.
The default path is C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\. If the service is
not installed locally on the Event Manager or Platform Manager appliance, enter a UNC path to the Job
Manager’s list_import directory (for example, \\Server1\list_import\).

The directory specified in the List Path box must be on a Windows host.

6. Click Next to save the configuration and close the dialog box.

Configure the Connection to LogRhythm (TIS v.1.9.2) 7


Threat Intelligence Service v.1.9.2 User Guide

Configure Proxy Settings (TIS v.1.9.2)


To configure a proxy server for accessing vendor threat feeds
1. Click the Configure link next to the current Proxy Settings status near the top of the Service Manager window.
2. To enable the connection via a proxy server, select the Enable proxy server check box, then complete the
following:
• Server Address. Type the URL of the proxy server to use for connecting to vendor threat feeds.
• Port. Type the proxy server port to use.
• Enable Proxy Server Authentication. Select this check box if the proxy server requires login or
authentication credentials. If server authentication is enabled, type the appropriate credentials in the
User Name, Password, and Domain boxes.
3. To validate the current proxy configuration, click Test. If the validation fails, an error message is displayed. In
this case, verify the configuration and try again.
4. To save the configuration and close the dialog box, click Save.

Upon saving, the Configuration Manager looks up the server address via DNS. If the address is not
registered, a warning message displays. If you want to continue with the specified address, click Yes
to save the configuration and close. To return to the Proxy Configuration without saving, click No.

Configure Proxy Settings (TIS v.1.9.2) 8


Threat Intelligence Service v.1.9.2 User Guide

Configure Vendor Threat Feeds (TIS v.1.9.2)


You can configure the details of each threat intelligence vendor under the corresponding tab in the Threat
Intelligence Service Manager.
The status of each vendor feed is indicated on the tab, either enabled or disabled . For each vendor, you can
enable or disable threat feeds, provide connection credentials, specify run settings, and view the run
schedule and run history. Configure the details of each vendor feed as follows:
1. Click the tab for the vendor you want to configure.

The first time you configure BrightCloud, you must click the link to open the end user license
agreement, select the check box indicating that you have read and agree to the license, and
then click Accept to view configuration options.

2. Enable or disable the feed and modify the configuration as follows:


Parameter Description

Enabled Select this check box to enable the provider, or clear it to disable the
provider.

Check All Select all available feeds for the vendor.

Clear All Deselect all available feeds for the vendor.

Remove Provider Custom providers only. Click to remove the provider.

Edit Provider Custom providers only. Click to open the LogRhythm Custom Provider
dialog box. for more information, see Add a Custom STIX/TAXII
Provider (TIS v.1.9.2).

Feed Name For vendors that provide more than one threat feed, you can enable or
disable individual feeds after the provider has been enabled.

Credentials Connection credentials required for the selected feed. For information
about the details required from each vendor, see Vendor Subscription
Information. Click Test to validate the credentials. If the test fails,
verify the credentials and type them again.

Last Downloaded The date and time when the threat feed was last downloaded.

Next Run Time The next date and time when the service will download the threat feed.

Download every Select the download interval for the current feed from the list.

Configure Vendor Threat Feeds (TIS v.1.9.2) 9


Threat Intelligence Service v.1.9.2 User Guide

Parameter Description

Download Now
Click to download the selected feed immediately. This option is only
available if the Threat Intelligence Service is currently running.

You can only download lists in the abuse.ch feed once every
15 minutes. If you try to manually download the feed and
any of the lists have been downloaded in the last 15 minutes,
an error similar to the following is logged in lrtfmgr.log:
07/05/2016 03:51:06.410231 [host] Abuse uri
download will be attempted after 15 min of last
download time 7/5/2016 3:36:29 AM

First Run at Specify the time of day when the service should run on the selected
feed. Select the hour, minute, or AM/PM values, then click the up or
down arrows to make changes.

Test
For vendors that require credentials, click Test to validate the supplied
values.

The Test button is disabled or unavailable for vendors who


throttle downloads or enforce limits on the number of
downloads in a specified time period.

3. To save the configuration for the selected feed, click Save.

Clicking Save saves only the configuration for the selected feed.

Configure Vendor Threat Feeds (TIS v.1.9.2) 10


Threat Intelligence Service v.1.9.2 User Guide

Add a Custom STIX/TAXII Provider (TIS v.1.9.2)


The LogRhythm Threat Intelligence Service supports integration with any threat provider that is STIX/TAXII
(versions 1 and 2) compliant and is discoverable through a TAXII service endpoint.
The Structured Threat Information Expression (STIX) is a language for describing cyber threat information in
a standardized and structured manner. Trusted Automated Exchange of Indicator Information (TAXII)
standardizes the trusted, automated exchange of cyber threat information.
To add a STIX/TAXII (version 1 or 2) provider
1. In the Threat Intelligence Service Manager, click Add Custom Source.
2. On the Add STIX/TAXII Provider tab, enter the following provider details.
Parameter Description

Threat Provider Name


Type the name of the custom provider. This name will be
displayed in the List Manager and in the Threat Intelligence
Service Manager. You cannot use the name of an existing paid,
custom, or open source provider.

Provider names should not be more than 23 characters


long, including spaces. Alphanumeric characters,
underscore, dash, and space are supported.

TAXII Collection Endpoint Type or paste the HTTP endpoint for the provider

TAXII Version Select the version number

User name If the provider specified by the endpoint requires a user name,
type it here.

Password
If the provider specified by the endpoint requires a password, type
it here.

The password is masked and encrypted using lrcrypt.

Certificate Authentication
Select this check box to enable certificate-based authentication
for the selected provider. If enabled, you will need to supply the
full path to a PKCS#12/PFX format certificate and the certificate
password.

Add a Custom STIX/TAXII Provider (TIS v.1.9.2) 11


Threat Intelligence Service v.1.9.2 User Guide

Parameter Description

Certificate Password The certificate password, created when the certificate was
exported.

Certificate Path
Click the ellipsis [...] to locate and select your certificate. After
locating your certificate, select it and click Open.

3. To validate the connection details, click Test. If the test fails, verify that you have entered the correct values and
test the connection again.
4. After the connection is successful, click Save.
The new provider is added to the list under Threat Data Providers, and the configuration page for the provider
appears. Feeds discovered at the provider endpoint are listed, and each can be enabled or disabled on an
individual basis. For more information, see Configure Vendor Threat Feeds (TIS v.1.9.2).

If a feed is added to a custom provider after it has been enabled, you may need to restart the
Configuration Manager before configuring the Threat Intelligence Service to consume the
new feed.

After a custom provider is saved, the following Lists are created:


• Provider Name : URL : Malware : All
• List Type: General Value
• Use Contexts: Domain, URL
• Import Filename: {Provider-Name}-URL-Threat-All.txt
• Parent: -2355 (LR Threat List : URL : Suspicious)
• Provider Name : File Path : Malware : All
• List Type: General Value
• Use Contexts: Object
• Import Filename: {Provider-Name}-Filepath-Threat-All.txt
• Parent: -2274 (LR Threat List : File Path : Malware)
• Provider Name : IP : Malware : All
• List Type: Host
• Use Contexts: Host
• Import Filename: {Provider-Name}-IP-Threat-All.txt
• Parent: -2252 (LR Threat List : IP : Suspicious)
• Provider Name : Email Address : Suspicious : All
• List Type: General Value
• Use Contexts: Address
• Import Filename: {Provider-Name}-EmailAddress-Threat-All.txt
• Parent: -2357 (LR Threat List : Email Address : Suspicious)
• Provider Name : File Hash : Suspicious : All

Add a Custom STIX/TAXII Provider (TIS v.1.9.2) 12


Threat Intelligence Service v.1.9.2 User Guide

• List Type: General Value


• Use Contexts: Object
• Import Filename: {Provider-Name}-FileHash-Threat-All.txt
• Parent: -2581 (LR Threat List : File Hash : Suspicious)
Each list has the following properties:
• Auto Import: true
• Import Options: Replace
• Expiring: false
• Read Access: System: Public All Users
• Write Access: System: Public Global Administrator
• Entity: Global Entity
• Owner: N/A
The new lists are appended to the specified parent lists.

Add a Custom STIX/TAXII Provider (TIS v.1.9.2) 13


Threat Intelligence Service v.1.9.2 User Guide

Add a STIX Feed (TIS v.1.9.2)


STIX feeds (both version 1 and version 2) can be downloaded directly to Threat Intelligence Service, parsed,
and made available in LogRhythm lists.
To add a STIX feed
1. In the Threat Intelligence Service Manager, click Add Custom Source.
2. On the Add STIX Feed tab, enter the following details.
Parameter Description

Feed Name
Type the name of the feed. This name will be displayed in the List
Manager and in the Threat Intelligence Service Manager. You
cannot use the name of an existing paid, custom, or open source
provider.

Feed names should not be more than 23 characters


long, including spaces. Alphanumeric characters,
underscore, dash, and space are supported.

Feed from URL / If you select this radio button, enter the URL from where the STIX
STIX Indicator Endpoint direct feed will be downloaded.

Feed from File / If you select this radio button, select the location where the feed
STIX Feed File Location file is located. The Username, Password, and Certificate
Authentication fields are not required.

STIX Version Select the version number.

User name If the feed specified requires a user name, type it here.

Password
If the feed specified requires a password, type it here.

The password is masked and encrypted using lrcrypt.

Certificate Authentication
Select this check box to enable certificate-based authentication
for the feed. If enabled, you will need to supply the full path to a
PKCS#12/PFX format certificate and the certificate password.

Add a Custom STIX/TAXII Provider (TIS v.1.9.2) 14


Threat Intelligence Service v.1.9.2 User Guide

Parameter Description

Certificate Password The certificate password, created when the certificate was
exported.

Certificate Path
Click the ellipsis [...] to locate and select your certificate. After
locating your certificate, select it and click Open.

3. To validate the connection details, click Test. If the test fails, verify that you have entered the correct values and
test the connection again.
4. After the connection is successful, click Save.
The new provider is added to the list under Threat Data Providers, and the configuration page for the provider
appears. Feeds discovered at the provider endpoint are listed, and each can be enabled or disabled on an
individual basis. For more information, see Configure Vendor Threat Feeds (TIS v.1.9.2).

If a feed is added to a custom provider after it has been enabled, you may need to restart the
Configuration Manager before configuring the Threat Intelligence Service to consume the
new feed.

After a custom feed is saved, a custom list is created based on the response from the STIX URL and is
appended to the specified parent list. The list will have the following properties:
• Auto Import: true
• Import Options: Replace
• Expiring: false
• Read Access: System: Public All Users
• Write Access: System: Public Global Administrator
• Entity: Global Entity
• Owner: N/A

Add a Custom STIX/TAXII Provider (TIS v.1.9.2) 15


Threat Intelligence Service v.1.9.2 User Guide

CustomObjectType in STIX/TAXII Feeds (TIS v.1.9.2)


For any custom STIX/TAXII (version 1 or 2) provider, the LogRhythm Threat Intelligence Service consumes
email addresses, file hashes, and CustomObjectTypes in order to correlate them with log data. Select which
fields are consumed by configuring the lrtfsvcconfig.json file. For more information about enabling
CustomObjectTypes, see the following example for enabling Cisco CTA.

Enabling Cisco CTA


1. Click Add Custom Source and add Cisco CTA on the Add STIX/TAXII Provider tab. For more information on
completing the fields, see Add a Custom STIX/TAXII Provider (TIS v.1.9.2).
2. After you save the source, click Start Service on the Threat Intelligence Service Manager main page.
3. Select the Cisco CTA provider from the options on the left, and select Enabled.
4. Click Download Now.
5. After the download completes, click the File menu and then click View Logs.
6. Open the lrtfmgr.log and lrtfsvc.log in a text editor (e.g., Notepad), and look for Provider Cisco CTA
contains a CustomObjectType.

7. Stop the Threat Intelligence Service, and exit the Threat Intelligence Service Manager.
8. Open the lrtfsvnconfig.json file in a text editor (e.g., Notepad). The default path is C:\Program
Files\LogRhythm\LogRhythm Threat Intelligence Service\config for the lrtfsvnconfig.json file.

Add a Custom STIX/TAXII Provider (TIS v.1.9.2) 16


Threat Intelligence Service v.1.9.2 User Guide

9. Find the Cisco CTA provider you added.

10. The CustomObjectType field contains the following fields:


• Enabled. Whether or not the field displays in the output. By default, this field is set to false.
• ObservableType. The type of field (Currently supported: URL, Domain, IP, FileHash, FilePath).
• PropertyName. The Name attribute of the field from the Provider (e.g., scMD5).

Add a Custom STIX/TAXII Provider (TIS v.1.9.2) 17


Threat Intelligence Service v.1.9.2 User Guide

11. The following are the recommended settings for Cisco CTA:

12. Save the lrtfsvcconfig.json file.


13. Open the Threat Intelligence Service Manager and Start the service.
14. Click Download Now for the Cisco CTA provider.

Cisco CTA only allows one download every 10 minutes.

Add a Custom STIX/TAXII Provider (TIS v.1.9.2) 18


Threat Intelligence Service v.1.9.2 User Guide

Start and Stop the Service (TIS v.1.9.2)


The Service Manager displays the status of the Threat Intelligence Service next to LogRhythm Service, either
Stopped or Running. You have the following options:
• To start the service, click the Start Service link.
• To stop the service, click the Stop Service link.

Start and Stop the Service (TIS v.1.9.2) 19


Threat Intelligence Service v.1.9.2 User Guide

Configure the Threat Intelligence Service v.1.9.2 Whitelist


The LogRhythm Threat Intelligence Service includes a whitelist configuration file that filters out trusted IP
addresses and IP ranges.
To add trusted IP addresses and ranges to the whitelist configuration file:
1. Go to the file path specified in the Threat Intelligence Service configuration. The default path is C:\Program
Files\LogRhythm\LogRhythm Job Manager\config\. For more information about configuring the Threat
Intelligence Service connection, see Configure the Connection to LogRhythm (TIS v.1.9.2).
2. Open the whitelist.json file in a text editor (e.g., Notepad) to add IP addresses or ranges to the whitelist.
3. To add single IP addresses to the whitelist, type the following after "WLIPAddresses": [:
{"
Address": "xx.xx.xx.xx"
},
where "xx.xx.xx.xx" is the trusted IP address.
4. To add a range of IP addresses to the whitelist, type the following after "WLIPRanges": [:
{"
Range": "xx.xx.xx.xx - xx.xxx.xxx.xxx"
},
where "xx.xx.xx.xx - xx.xxx.xxx.xxx" is the trusted IP range.
5. Save the whitelist.json file.

Configure the Threat Intelligence Service v.1.9.2 Whitelist 20


Threat Intelligence Service v.1.9.2 User Guide

URL Normalization (TIS v.1.9.2)


The Threat Intelligence Service transforms received URLs into a normalized format, so that all URLs match
the formats utilized by a wide variety of log sources. For example, Check Point firewalls include full URLs,
whereas Palo Alto firewalls only provide the fully qualified domain name on the URL.
1. Go to the file path specified in the Threat Intelligence Service configuration. The default path is C:\Program
Files\LogRhythm\LogRhythm Threat Intelligence Service\config. For more information about configuring the
Threat Intelligence Service connection, see Configure the Connection to LogRhythm (TIS v.1.9.2).
2. Open the URLNormalizationList.json file in a text editor (e.g., Notepad) to view the URL normalization rule.
3. The following parameters are defined by default:
• Enabled: false
• IncludeOriginal: false
• RuleDescription: "TestRule"
• MatchRegularExpression: "https?:\\/\\/(www\\.)?([-a-zA-Z0-9@:%._\\+~#=]{2,256}\\.[a-z]{2,6})\\b([-a-zA-
Z0-9@:%_\\+.~#?&//=]*)"
• SubstitutionRegularExpression: [{SubstituteExpression: "$2$3"}]
4. Configure the desired parameters and save the URLNormalizationList.json file.
The URL normalization rule matches any URL that starts with http:// and https://, and removes the http(s)://
and www from the URL. The output from the Threat Intelligence Service is any URLs that does not match the
pattern, as well as the matching URLs with http(s):// and www removed.

To include matching URLs with http(s):// and www in the URL, change the IncludeOriginal
parameter to true.

URL Normalization (TIS v.1.9.2) 21


Threat Intelligence Service v.1.9.2 User Guide

Request Response Logging (TIS v.1.9.2)


The Threat Intelligence Service allows you to request and view raw HTTP requests and responses to aid in
diagnosing issues with downloading feeds.

This logging is optional and should not be done unless necessary, as it significantly increases log
volume.

To request raw HTTP requests and responses:


1. If it is not already running, launch the Service Manager. For more information, see Launch the Service Manager
(TIS v.1.9.2).
2. On the Options menu, click Request Logging. Both HTTP and HTTPS requests are included.
3. On the File menu, click View Logs to view the requests and responses for each provider. Any request, including
normally scheduled downloads, is included in the logs.
To turn logging off again, on the Options menu, click Request Logging. When logging is on, a green icon displays
next to Request Logging . When logging is off, a red icon displays.

Request Response Logging (TIS v.1.9.2) 22


Threat Intelligence Service v.1.9.2 User Guide

View Log Files (TIS v.1.9.2)


To view logs for the Threat Feed Manager and the Threat Feed Service, in the Threat Intelligence Service
Manager on the File menu, click View Logs. The logs directory in the Threat Intelligence Service installation
directory is displayed in Windows Explorer. For more information, see Log Files (TIS v.1.9.2).

View Log Files (TIS v.1.9.2) 23


Threat Intelligence Service v.1.9.2 User Guide

Troubleshoot the Threat Intelligence Service v.1.9.2


This section contains information that may help diagnose or resolve issues with the Threat Intelligence
Service.

Troubleshoot the Threat Intelligence Service v.1.9.2 24


Threat Intelligence Service v.1.9.2 User Guide

Firewall Blocking Open Source URLs (TIS v.1.9.2)


In the event that a firewall is blocking open source URLs, you can add the following open source feed URLs
as firewall exclusions:

Source URL

Abuse Bad IPs Feed https://zeustracker.abuse.ch/blocklist.php?download=badips

Abuse Bad URL Feed https://zeustracker.abuse.ch/blocklist.php?download=baddomains

AlienVault Feed https://reputation.alienvault.com/reputation.data

AutoShun Feed https://www.autoshun.org/files/shunlist.csv

Cisco Threat Grid https://panacea.threatgrid.com

CrowdStrike https://intelapi.crowdstrike.com/indicator/v2/search

Feodo IP Blocklist https://feodotracker.abuse.ch/downloads/ipblocklist.txt

Hail a Taxii Feed http://hailataxii.com/taxii-discovery-service

Malware Domain Feed http://dns-bh.sagadc.org/domains.txt

PhishTank Feed http://data.phishtank.com/data/online-valid.json

Ransomware Tracker http://ransomwaretracker.abuse.ch/feeds/csv/

SANS-ISC IP Feed https://isc.sans.edu/api/sources/attacks/

ThreatStream https://api.threatstream.com

TOR Network Feed (Exit


https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
Nodes and Network
Server)

Webroot
https://api.bcss.brightcloud.com/1.0/localdb/getipfile?localdb={0} |0|0|0&oemid={1}
&deviceid={2}&uid={3}

Troubleshoot the Threat Intelligence Service v.1.9.2 25


Threat Intelligence Service v.1.9.2 User Guide

Log Files (TIS v.1.9.2)


The Threat Intelligence Service writes log files that can be used to troubleshoot its operation — lrtfmgr.log
and lrtfsvc.log. The lrtfmgr log contains the results of software integrity tests. The lrtfsvc log contains records
of every attempted connection and download. Any failures when trying to connect to a third party threat
feed are logged here.
Log files are saved in the C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\logs
directory.

Troubleshoot the Threat Intelligence Service v.1.9.2 26


Threat Intelligence Service v.1.9.2 User Guide

Resource Utilization (TIS v.1.9.2)

Memory
The Threat Intelligence Service does not have a cap on memory usage. It can be expected to consume
between 40 and 100k when running. Some small spikes in memory usage can be expected when processing
downloads.

List Size
List size ranges between 1 and 20 MBs. Lists are processed and then removed from the system, and
maintenance is not required.

Troubleshoot the Threat Intelligence Service v.1.9.2 27


Threat Intelligence Service v.1.9.2 User Guide

Threat Intelligence Service v.1.9.2 Will Not Start


If the Threat Intelligence Service fails to start, check the following:
• SQL Server Service is Running
The Threat Intelligence Service requires the SQL Server (MSSQLSERVER) service to be running on the EMDB host.
The Threat Intelligence Service updates the List table in EMDB database. If MSSQLSERVER is not running when
the Threat Intelligence Service is started or restarted, the Threat Intelligence Service throws error and stops.
If the Threat Intelligence Service has started successfully, stopping or restarting MSSQLSERVER has no impact
on the Threat Intelligence Service.
• Correct EMDB User Name and Password
Attempting to connect to the EMDB with invalid credentials may result in either of the following errors:
• An error occurred while saving LogRhythm configuration. Please contact your system administrator.
• Unable to connect to database.

Troubleshoot the Threat Intelligence Service v.1.9.2 28