The LogRhythm Threat Intelligence Service (TIS) and the LogRhythm Threat Intelligence Module work together to collect and analyze data published by subscription-based and open source threat data providers to alert users to threats in their environments.

The Threat Intelligence Service installer can be downloaded from the LogRhythm Community.

The Threat Intelligence Module is available in the LogRhythm Knowledge Base 6.1.295.0 and later.

This document provides information about configuring the Threat Intelligence Service. For information about installation and deployment, please refer to Install and Deploy the Threat Intelligence Service.

Threat List Vendors

The following threat data providers are supported by the Threat Intelligence Service. Each one requires a separately purchased subscription.

The Threat Intelligence Service also collects threat feed data from various open source providers and custom STIX/TAXII providers.

Vendor Subscription Information

With the exception of the open source vendors and custom STIX/TAXII providers, each of the supported threat data vendors requires a subscription. You must know the connection credentials from each vendor before you can configure the service to collect threat feed data.

Vendor                 Credentials Required
BrightCloud            OEM ID, Device ID, and user ID
Cisco AMP Threat Grid  API Key
CrowdStrike            OAuth2 Client ID and Client Secret. Contact CrowdStrike support for help with creating API Client credentials (Client ID and Secret) to configure CrowdStrike in the Threat Intelligence Service.
Symantec               User Name, Password
Open Source AutoShun   API Key (see note above). Users need to register with AutoShun to get an API key for the Threat Intelligence Service. Go to autoshun.org to register. When finished, you can obtain the API key from the HTML or CSV download links on the My Account page. The API key is the value between api_key= and &format, as shown in the example below:
                       https://www.autoshun.org/download/?api_key=1234567890abcdef123456789&format=html
Open Source            Not applicable
Custom Provider        Varies by provider

How the Threat Intelligence Service Works

The Threat Intelligence Service collects threat feed data from open source and subscription-based vendors at scheduled intervals. Subscription credentials for applicable vendors must be provided in the LogRhythm Threat Intelligence Service Manager. For more information, see Configure Vendor Threat Feeds.

The feed data is written to text files that are imported by the Job Manager into the appropriate vendor lists. The Job Manager consumes and deletes the text files, which range in size from 1 to 20 MB. Advanced Intelligence Engine rules in the Threat Intelligence Module detect and alert on threat activity.