The LogRhythm Threat Intelligence Service (TIS) and the LogRhythm Threat Intelligence Module work together to collect and analyze data published by subscription-based and open source threat data providers to alert users to threats in their environments.
The Threat Intelligence Service installer can be downloaded from the LogRhythm Community.
The Threat Intelligence Module is available in the LogRhythm Knowledge Base 6.1.295.0 and later.
This document provides information about configuring the Threat Intelligence Service. For information about installation and deployment, please refer to Install and Deploy the Threat Intelligence Service.
Threat List Vendors
The following threat data providers are supported by the Threat Intelligence Service. Each one requires a separately purchased subscription.
The Threat Intelligence Service also collects threat feed data from various open source providers and custom STIX/TAXII providers.
Vendor Subscription Information
With the exception of the open source vendors and custom STIX/TAXII providers, each of the supported threat data vendors requires a subscription. You must know the connection credentials from each vendor before you can configure the service to collect threat feed data.
| Vendor | Required Credentials |
|---|---|
| BrightCloud | OEM ID, Device ID, and user ID |
| Cisco AMP Threat Grid | API Key |
| CrowdStrike | OAuth2 Client ID and Client Secret. Contact CrowdStrike support for help with creating API Client credentials (Client ID and Secret) to configure CrowdStrike in the Threat Intelligence Service. |
| Symantec | User Name, Password |
| Open Source AutoShun | API Key (see note above). Users need to register with AutoShun to get an API key for the Threat Intelligence Service. Go to autoshun.org to register. When finished, you can obtain the API key from the HTML or CSV download links on the My Account page; the key is the value between `api_key=` and `&format` in the download link. |
| Open Source | Not applicable |
| Custom Provider | Varies by provider |
How the Threat Intelligence Service Works
The Threat Intelligence Service collects threat feed data from open source and subscription-based vendors at scheduled intervals. Subscription credentials for applicable vendors must be provided in the LogRhythm Threat Intelligence Service Manager. For more information, see Configure Vendor Threat Feeds.
The feed data is written to text files that are imported by the Job Manager into the appropriate vendor lists. The Job Manager consumes and deletes the text files, which range in size from 1 to 20 MB. Advanced Intelligence Engine rules in the Threat Intelligence Module detect and alert on threat activity.