
Third Party Threat List Integration Guide

Various organizations track malicious IP addresses and domains associated with botnet Command & Control infrastructure or other malicious activities, and then provide their collected data to the public free of charge. With LogRhythm’s 3rd Party Threat List Integration module, you can import this third-party data into the LogRhythm SIEM for enhanced threat-detection monitoring.

This document describes how to integrate third-party threat lists, which includes the following steps:

  • Import and enable the KB module. As a first step, make sure the module is imported and enabled in the LogRhythm Console.
  • Determine which lists to implement. Review the list descriptions and decide which ones you want to configure in your SIEM environment.
  • Schedule tasks to automatically update the lists. Download and configure LogRhythm’s PowerShell scripts as scheduled tasks in Windows, so they periodically download and import threat-list updates from the third-party organizations.
  • Populate the LogRhythm threat lists. The “Security : 3rd Party Threat List Integration” module includes empty lists that you populate with third-party data. In this last step, you import text files that include the third-party data.

After completing these tasks, you can then use these lists in a variety of LogRhythm features to monitor and trigger alarms on any suspicious activity from the tracked IPs and domains. For assistance, refer to the LogRhythm SIEM Help or contact your Support Representative. The Help and LogRhythm contact information are available on the LogRhythm Support Portal.

Import and Enable the KB Module

The KB Module Security : 3rd Party Threat List Integration is part of the SIEM’s Knowledge Base, which is updated and released every two weeks. If your Knowledge Base is configured to update automatically, you should already have the module available. If the Knowledge Base is not configured for automatic updates, you need to manually update it.

Make sure you have the 3rd Party Threat List Integration module imported and enabled, as described in this section.

  1. In the Client Console on the Tools menu, click Knowledge, and then click Knowledge Base Manager.

    To open the Knowledge Base Manager, the Deployment Manager must be closed.
  2. Under Knowledge Base Modules, find the Security : 3rd Party Threat List Integration module.
    If the module is available, you will see Security : 3rd Party Threat List Integration in the grid. If the module name does not appear, update the Knowledge Base by doing either of the following:
    • Automatic Download. Click Check for Knowledge Base Updates, and then click Synchronize Stored Knowledge Base.
    • Manual Download. For manual download instructions, see Import a Knowledge Base.
  3. Locate the Enabled column in the grid. If the box is checked, the Module is already enabled and available to users in the SIEM deployment. If the Enabled box is not checked, enable the Module by selecting its Action check box, right-clicking the Module name, clicking Actions, and then clicking Enable Module.
    A dialog box appears to enable the selected module(s).
  4. Leave the Enable Intelligent Indexing on Module Objects cleared unless you fully understand the effects of this setting. For more information, see Intelligent Indexing.

Determine Which Lists to Implement

The 3rd Party Threat List Integration module includes the lists described in the table below. You can implement all of these lists into the SIEM, or just the ones you want.

List Name | Description
--- | ---
Threat List : abuse.ch SpyEye Domain | Tracks SpyEye domains, as reported by the Swiss Security blog abuse.ch. Note: SpyEye is a malware toolkit that steals money from online bank accounts.
Threat List : abuse.ch SpyEye IPs | Tracks SpyEye IP addresses, as reported by the Swiss Security blog abuse.ch. Note: SpyEye is a malware toolkit that steals money from online bank accounts.
Threat List : abuse.ch Zeus Domain | Tracks ZeuS domains, as reported by the Swiss Security blog abuse.ch. Note: ZeuS is a crimeware kit, which steals credentials from various online services like social networks, online banking accounts, FTP accounts, and email accounts.
Threat List : abuse.ch Zeus IPs | Tracks ZeuS IPs, as reported by the Swiss Security blog abuse.ch.
Threat List : AlienVault IPs | Tracks malicious IPs, as reported by the AlienVault Open Threat Exchange.
Threat List : Malware Domains | Tracks malicious domains, as reported by Malware Domains.
Threat List : MalwarePatrol URLs* | Tracks suspicious URLs, as reported by MalwarePatrol.
Threat List : SRI Malware Threat Center IPs | Tracks malicious IPs, as reported by the SRI Malware Threat Center.
Threat List : Tor Exit Nodes | Looks for IP addresses known to be Tor exit nodes.
Threat List : Tor Servers | Looks for IP addresses associated with the Tor network.

* The MalwarePatrol threat list requires a separate subscription. The subscription is free. For additional information, see 52808457.

Schedule Tasks to Automatically Update the Lists

LogRhythm provides PowerShell scripts that you can configure as scheduled tasks to periodically download, format, and import threat data from third-party organizations. For each list you want to implement, you must run its corresponding PowerShell script so the list is always up to date.

These PowerShell scripts are provided in a compressed folder on the LogRhythm Support Portal. Download the file from the Portal, unzip the folder, and place the files on your EM or XM server. You only need the scripts that correspond to the lists you want. Refer to the table below for the script names.

List Name | PowerShell Script Name
--- | ---
Threat List : abuse.ch SpyEye Domain | abuse.ch_SpyEye_Domain.ps1
Threat List : abuse.ch SpyEye IPs | abuse.ch_SpyEye_IP.ps1
Threat List : abuse.ch Zeus Domain | abuse.ch_Zeus_Domain.ps1
Threat List : abuse.ch Zeus IPs | Abuse.ch_Zeus_IP.ps1
Threat List : AlienVault IPs | Alienvault_IP.ps1
Threat List : Malware Domains | MalwareDomains_Domain.ps1
Threat List : MalwarePatrol URLs* | MalwarePatrol_URL.ps1
Threat List : SRI Malware Threat Center IPs | SRI_MalwareThreatCenter_IP.ps1
Threat List : Tor Exit Nodes | TorNodes.ps1
Threat List : Tor Servers | TorNodes.ps1

* You must obtain a receipt ID for the MalwarePatrol subscription (free) and enter the receipt ID as an argument to the PowerShell script in the scheduled task. For additional information, see 52808457.

To configure the scripts as scheduled tasks, follow the appropriate steps below for Windows Server 2003 or Windows Server 2008.

Windows 2003 Configuration

To add support for PowerShell 2.0 in Windows Server 2003, Windows Management Framework Core MUST be installed.
  1. From the LogRhythm EM or XM server, launch the Windows Scheduled Task wizard.
  2. On the Windows Start menu, click Control Panel, Scheduled Tasks, and then click Add Scheduled Task. Click Next.
  3. Select Windows PowerShell from the list, and then click Next.
  4. Enter a descriptive name for the task and select its frequency.

    You can select any frequency, but LogRhythm recommends that you run the task daily.
  5. Configure the start time and date, and then click Next.
  6. To accept the current user as the account under which to run this task, click Next. Otherwise, change the user name and password.
  7. Select the Open advanced properties… check box and click Finish.
  8. In the next dialog, in the Run: field, enter the folder location and the PowerShell script name. See the table under the Schedule Tasks to Automatically Update the Lists heading above for script names. If other script information already appears in this field, append the PowerShell script to the end. No other settings need to be modified.
  9. Click OK.

Windows 2008 Configuration

  1. From the LogRhythm EM or XM server, launch the Windows Task Scheduler.
  2. On the Windows Start menu, click All Programs, and then click Administrative Tools.
  3. From the Actions menu on the right, select Create Task.
  4. In the General tab, do the following:
    1. In the Name field, enter a unique name for the task.
    2. Select the Run whether user is logged on or not check box.
  5. Select the Triggers tab and do the following:
    1. To open the New Trigger dialog, select New.
    2. Configure the schedule you want. LogRhythm recommends a schedule of Daily at 1:00 AM.
  6. Select the Actions tab and do the following:
    1. To open the New Action dialog, select New.
    2. Leave the Action field at Start a program.
    3. Under Program/script, enter PowerShell.exe.
    4. In Add arguments (optional), enter the script as follows, using straight single quotes: &'[folder]\[script name]'
      For example: &'C:\abuse.ch_Zeus_IP.ps1'
  7. Click OK.
  8. You are then prompted for the account under which you want the task to run. Enter the user name and password.
    The task then appears under the Task Scheduler Library.
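As an added example (not part of this guide and not one of LogRhythm's scripts), the following PowerShell registers the same daily update task from the command line with schtasks.exe, which works for the Windows 2003 and Windows 2008 procedures above; the script folder, task names and the account are assumptions.

```powershell
# Added example, not LogRhythm's own code: registers one daily update task with schtasks.exe,
# using the same settings as the Task Scheduler steps above (Program/script = PowerShell.exe,
# argument = &'[folder]\[script name]', daily at 1:00 AM, run whether logged on or not).
function Register-ThreatListUpdateTask {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,     # full path of a .ps1 from the table above
        [Parameter(Mandatory)] [string] $TaskName,       # unique task name
        [Parameter(Mandatory)] [string] $RunAsUser,      # DOMAIN\user the task runs under
        [Parameter(Mandatory)] [string] $RunAsPassword,
        [string] $StartTime = '01:00',                   # the schedule LogRhythm recommends
        [string] $ScriptArgument = ''                    # e.g. the MalwarePatrol receipt ID
    )
    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Script not found: $ScriptPath"
    }
    # Same command text the guide puts in 'Add arguments', e.g. &'C:\abuse.ch_Zeus_IP.ps1'
    $command = "PowerShell.exe &'$ScriptPath'"
    if ($ScriptArgument) { $command += " '$ScriptArgument'" }

    # /RU and /RP give the 'run whether user is logged on or not' behaviour; the password is
    # passed to schtasks for this one call only (prefer Register-ScheduledTask on 2012 and later)
    $output = & schtasks.exe /Create /F /TN $TaskName /TR $command /SC DAILY /ST $StartTime `
        /RU $RunAsUser /RP $RunAsPassword 2>&1
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed for '$TaskName': $output" }

    # Read the task back so the trigger and command can be confirmed before the first run
    & schtasks.exe /Query /TN $TaskName /V /FO LIST
}

# Constructed usage: one task per script; the folder is an assumption, not a LogRhythm default
$folder = 'C:\LogRhythm\ThreatLists'
$cred   = Get-Credential -Message 'Account the update tasks run under'
foreach ($script in 'abuse.ch_Zeus_IP.ps1', 'Alienvault_IP.ps1', 'TorNodes.ps1') {
    Register-ThreatListUpdateTask -ScriptPath (Join-Path $folder $script) `
        -TaskName "LogRhythm Threat List - $script" `
        -RunAsUser $cred.UserName -RunAsPassword $cred.GetNetworkCredential().Password
}
```

Because TorNodes.ps1 serves both Tor lists, it only needs to be registered once.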

Populate the LogRhythm Threat Lists

The 3rd Party Threat List Integration module includes empty lists that you must populate with threat data. In this step, you associate a list with a LogRhythm-provided Auto Import File, shown in the table below. Each Auto Import file contains the threat data from the third-party organization.

List Name | List Type | Auto Import Filename
--- | --- | ---
Threat List : abuse.ch SpyEye Domain | Gen. Value : URL | abuse.ch_SpyEye_Domain.txt
Threat List : abuse.ch SpyEye IPs | Host : IP | abuse.ch_SpyEye_IPSpyEyeIP.txt
Threat List : abuse.ch Zeus Domain | Gen. Value : URL | abuse.ch_Zeus_Domain.txt
Threat List : abuse.ch Zeus IPs | Host : IP | abuse.ch_Zeus_IP.txt
Threat List : AlienVault IPs | Host : IP | Alienvault_IP.txt
Threat List : Malware Domains | Gen. Value : URL | MalwareDomains_Domains.txt
Threat List : MalwarePatrol URLs* | Gen. Value : URL | MalwarePatrol_URL.txt
Threat List : SRI Malware Threat Center IPs | Host : IP | SRI_MalwareThreatCenter_IP.txt
Threat List : Tor Exit Nodes | Host : IP | Tor_Exit_Nodes.txt
Threat List : Tor Servers | Host : IP | Tor_Servers.txt

For each list you want to configure, perform the following tasks:

  1. From the LogRhythm Console, open List Manager.
  2. To filter on the available Threat Lists, click under the Name column and start typing “threat list.”
  3. From the List Manager, double-click the list name to open List Properties.
  4. Under Basic Configuration, do the following:
    1. Select the Enable check box.
    2. Select the Replace existing items check box.
    3. Determine if the list is an IP or URL type by referring to the table above (see the List Type column), and then do one of the following:
      • If you are importing an IP list, leave Import items as patterns unchecked.
      • If you are importing a domain or URL list, select Import items as patterns.
  5. In the File name field, enter the Auto Import file name that corresponds to the List name. See the table under the Populate the LogRhythm Threat Lists heading above for file names.
    For example, if you are enabling the “abuse.ch SpyEye Domain” threat list, you must enter the “abuse.ch_SpyEye_Domain.txt” file name.
  6. Click OK.
  7. Repeat Steps 3 and 4 above to configure additional lists.
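As an added example (not part of this guide and not LogRhythm's code), the following PowerShell checks an Auto Import file against its List Type from the table above before the list is enabled, since an IP list is imported as exact values while a domain or URL list is imported as patterns; the feed layout with '#' comment lines and the sample entries are constructed assumptions.

```powershell
# Added example, not LogRhythm's own code: checks an Auto Import file against the List Type
# from the table above before the list is enabled, so a feed whose format changed is caught
# here rather than after 'Replace existing items' has emptied the list and re-imported it.
function Test-ThreatListImportFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('Host : IP', 'Gen. Value : URL')] [string] $ListType
    )
    $report = [ordered]@{ Path = $Path; ListType = $ListType; Valid = 0; Skipped = 0; Invalid = @() }
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        # Blank lines and '#' comment headers (assumed feed layout) are not list entries
        if ($line -eq '' -or $line.StartsWith('#')) { $report.Skipped++; continue }
        $ok = switch ($ListType) {
            'Host : IP' {
                # Host : IP lists are imported as exact addresses (not patterns): accept only a
                # dotted-quad IPv4 address, so CIDR ranges, ports or hostnames are flagged
                $addr = $null
                ($line -match '^\d{1,3}(\.\d{1,3}){3}$') -and
                    [System.Net.IPAddress]::TryParse($line, [ref]$addr)
            }
            'Gen. Value : URL' {
                # Imported as patterns: a hostname or URL with a dot and no whitespace or
                # control characters, which would otherwise become a broken pattern
                ($line -match '\.') -and ($line -notmatch '[\s\x00-\x1f]')
            }
        }
        if ($ok) { $report.Valid++ } else { $report.Invalid += $line }
    }
    [pscustomobject]$report
}

# Constructed sample file (not real feed data): two good entries, a CIDR range and junk
$sample = Join-Path $env:TEMP 'abuse.ch_Zeus_IP.txt'
@('# constructed sample', '198.51.100.7', '203.0.113.9', '203.0.113.0/24', 'not an ip') |
    Set-Content -LiteralPath $sample
$report = Test-ThreatListImportFile -Path $sample -ListType 'Host : IP'
$report
if ($report.Invalid.Count -gt 0) {
    Write-Warning "Fix $($report.Invalid.Count) bad line(s) in $($report.Path) before importing"
}
```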

MalwarePatrol URL Threat List

The MalwarePatrol URL threat list requires a separate subscription. You can obtain a free subscription from the MalwarePatrol web site (www.malwarepatrol.net). When you have a receipt, add the receipt ID as an argument to the PowerShell script in the scheduled task.
