Add a Custom STIX/TAXII Provider
The LogRhythm Threat Intelligence Service supports integration with any threat provider that is STIX/TAXII (versions 1 and 2) compliant and is discoverable through a TAXII service endpoint.
The Structured Threat Information Expression (STIX) is a language for describing cyber threat information in a standardized and structured manner. Trusted Automated Exchange of Indicator Information (TAXII) standardizes the trusted, automated exchange of cyber threat information.
To add a STIX/TAXII (version 1 or 2) provider
- In the Threat Intelligence Service Manager, click Add Custom Source.
- On the Add STIX/TAXII Provider tab, enter the following provider details:
  - Threat Provider Name: Type the name of the custom provider. This name will be displayed in the List Manager and in the Threat Intelligence Service Manager. You cannot use the name of an existing paid, custom, or open source provider. Provider names should not be more than 23 characters long, including spaces. Alphanumeric characters, underscore, dash, and space are supported.
  - TAXII Collection Endpoint: Type or paste the HTTP endpoint for the provider.
  - TAXII Version: Select the version number.
  - User name: If the provider specified by the endpoint requires a user name, type it here.
  - Password: If the provider specified by the endpoint requires a password, type it here. The password is masked and encrypted using lrcrypt.
  - Certificate Authentication: Select this check box to enable certificate-based authentication for the selected provider. If enabled, you will need to supply the full path to a PKCS#12/PFX format certificate and the certificate password.
  - Certificate Password: The certificate password, created when the certificate was exported.
  - Certificate Path: Click the ellipsis [...] to locate and select your certificate. After locating your certificate, select it and click Open.
- To validate the connection details, click Test. If the test fails, verify that you have entered the correct values and test the connection again.
- After the connection is successful, click Save.
The new provider is added to the list under Threat Data Providers, and the configuration page for the provider appears. Feeds discovered at the provider endpoint are listed, and each can be enabled or disabled on an individual basis. For more information, see Configure Vendor Threat Feeds.
If a feed is added to a custom provider after it has been enabled, you may need to restart the Configuration Manager before configuring the Threat Intelligence Service to consume the new feed.
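The Test button succeeds only when the endpoint is reachable, answers with TAXII JSON, and exposes collections the service can read. The following is an added example, not LogRhythm code, that reproduces that check for a TAXII 2.1 server from the command line using only the Python standard library: it builds the TAXII request headers (with optional basic auth), walks the discovery document to the API roots, and filters the advertised collections down to those that are readable and serve STIX. The sample discovery and collection responses embedded at the bottom are constructed, and the hostname taxii.example.test is a placeholder. The live fetch helper accepts a PEM client certificate; converting the PKCS#12/PFX file the dialog expects into PEM beforehand is an assumption of this example, not a LogRhythm step.

```python
"""Offline/online TAXII 2.1 reachability and collection check (added example)."""
import base64
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Media type a TAXII 2.1 server expects in Accept and returns in Content-Type.
TAXII_21_MEDIA_TYPE = "application/taxii+json;version=2.1"


@dataclass(frozen=True)
class Collection:
    id: str
    title: str
    can_read: bool
    media_types: tuple


def taxii_headers(username: Optional[str] = None, password: Optional[str] = None) -> dict:
    """Request headers for TAXII 2.1; adds HTTP basic auth when a user name is given."""
    headers = {"Accept": TAXII_21_MEDIA_TYPE}
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    return headers


def parse_discovery(body: str) -> list:
    """API root URLs from a discovery response, with the server's default root first."""
    doc = json.loads(body)
    roots = list(doc.get("api_roots") or [])
    default = doc.get("default")
    if default and default in roots:
        roots = [default] + [r for r in roots if r != default]
    return roots


def parse_collections(body: str) -> list:
    """Collection objects from an API root's /collections/ response."""
    doc = json.loads(body)
    return [
        Collection(
            id=c["id"],
            title=c.get("title", ""),
            can_read=bool(c.get("can_read", False)),
            media_types=tuple(c.get("media_types", [])),
        )
        for c in doc.get("collections", [])
    ]


def readable_feeds(collections: list) -> list:
    """Collections a consumer could actually pull: readable and serving a STIX media type."""
    return [c for c in collections if c.can_read and any("stix" in mt for mt in c.media_types)]


def fetch_json(url: str, headers: dict, client_cert_pem: Optional[str] = None, timeout: int = 15) -> str:
    """Live GET of a TAXII URL. client_cert_pem is a PEM cert+key file (assumption:
    convert the PFX first, e.g. openssl pkcs12 -in cert.pfx -out cert.pem -nodes)."""
    ctx = ssl.create_default_context()
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if "taxii+json" not in ctype:
            raise ValueError(f"not a TAXII response: Content-Type={ctype!r}")
        return resp.read().decode("utf-8")


# Constructed sample responses so the parser can be exercised offline.
SAMPLE_DISCOVERY = json.dumps({
    "title": "Example TAXII server",
    "default": "https://taxii.example.test/api1/",
    "api_roots": ["https://taxii.example.test/api2/", "https://taxii.example.test/api1/"],
})
SAMPLE_COLLECTIONS = json.dumps({"collections": [
    {"id": "col-1", "title": "Indicators", "can_read": True,
     "media_types": ["application/stix+json;version=2.1"]},
    {"id": "col-2", "title": "Write only", "can_read": False, "can_write": True,
     "media_types": ["application/stix+json;version=2.1"]},
    {"id": "col-3", "title": "No media types advertised", "can_read": True, "media_types": []},
]})

if __name__ == "__main__":
    print("API roots:", parse_discovery(SAMPLE_DISCOVERY))
    for c in readable_feeds(parse_collections(SAMPLE_COLLECTIONS)):
        print("readable feed:", c.id, c.title)
```

Against a real provider, replace the sample bodies with `fetch_json(endpoint, taxii_headers(user, pw))` for the discovery URL and then for each root's `collections/` URL; an empty `readable_feeds` result explains a Test that connects but lists no feeds.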
After a custom provider is saved, the following Lists are created:
- Provider Name : URL : Malware : All
  - List Type: General Value
  - Use Contexts: Domain, URL
  - Import Filename: {Provider-Name}-URL-Threat-All.txt
  - Parent: -2355 (LR Threat List : URL : Suspicious)
- Provider Name : File Path : Malware : All
  - List Type: General Value
  - Use Contexts: Object
  - Import Filename: {Provider-Name}-Filepath-Threat-All.txt
  - Parent: -2274 (LR Threat List : File Path : Malware)
- Provider Name : IP : Malware : All
  - List Type: Host
  - Use Contexts: Host
  - Import Filename: {Provider-Name}-IP-Threat-All.txt
  - Parent: -2252 (LR Threat List : IP : Suspicious)
- Provider Name : Email Address : Suspicious : All
  - List Type: General Value
  - Use Contexts: Address
  - Import Filename: {Provider-Name}-EmailAddress-Threat-All.txt
  - Parent: -2357 (LR Threat List : Email Address : Suspicious)
- Provider Name : File Hash : Suspicious : All
  - List Type: General Value
  - Use Contexts: Object
  - Import Filename: {Provider-Name}-FileHash-Threat-All.txt
  - Parent: -2581 (LR Threat List : File Hash : Suspicious)
Each list has the following properties:
- Auto Import: true
- Import Options: Replace
- Expiring: false
- Read Access: System: Public All Users
- Write Access: System: Public Global Administrator
- Entity: Global Entity
- Owner: N/A
The new lists are appended to the specified parent lists.