
Threat Intelligence Service User Guide

TIS 1.9.5

The LogRhythm Threat Intelligence Service (TIS) and the LogRhythm Threat Intelligence Module work together to collect and analyze data published by subscription-based and open source threat data providers to alert users to threats in their environments.

The Threat Intelligence Service installer can be downloaded from the LogRhythm Community.

The Threat Intelligence Module is available in the LogRhythm Knowledge Base 6.1.295.0 and later.

This document provides information about configuring the Threat Intelligence Service. For information about installation and deployment, please refer to Install and Deploy the Threat Intelligence Service.

Threat List Vendors

The following threat data providers are supported by the Threat Intelligence Service. Each one requires a separately purchased subscription.

The Threat Intelligence Service also collects threat feed data from various open source providers and custom STIX/TAXII providers.

Vendor Subscription Information

With the exception of the open source vendors and custom STIX/TAXII providers, each of the supported threat data vendors requires a subscription. You must obtain the connection credentials from each vendor before you can configure the service to collect its threat feed data.

Vendor                  Credentials Required
BrightCloud             • OEM ID
                        • Device ID
                        • User ID
Cisco AMP Threat Grid   API Key
CrowdStrike             • OAuth2 Client ID and Client Secret. Contact CrowdStrike support for help with creating API Client credentials (Client ID and Secret) to configure CrowdStrike in the Threat Intelligence Service.
                        • Base URL. The Base URL is assigned to you based on where your environment resides. It is displayed on CrowdStrike's API Clients and Keys page (https://falcon.crowdstrike.com/support/api-clients-and-keys).
Symantec                • Username
                        • Password
Open Source             Not applicable
Custom Provider         Varies by provider

How the Threat Intelligence Service Works

The Threat Intelligence Service collects threat feed data from open source and subscription-based vendors at scheduled intervals. Subscription credentials for applicable vendors must be provided in the LogRhythm Threat Intelligence Service Manager. For more information, see Configure Vendor Threat Feeds.

The feed data is written to text files that are imported by the Job Manager into the appropriate vendor lists. The Job Manager consumes and deletes the text files, which range in size from 1 to 20 MB. Advanced Intelligence Engine rules in the Threat Intelligence Module detect and alert on threat activity.
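The hand-off described above (feeds written to text files, a Job Manager that imports them into per-vendor lists and then deletes them) can be modelled end to end in a few lines. The following is an added illustrative example, not LogRhythm code: the spool directory, the file naming scheme (<vendor>.<sequence>.txt, one indicator per line, '#' comments) and the per-vendor list layout are all assumptions made for the example, and the 20 MB guard is taken from the size range quoted in the text.

```python
import ipaddress
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumed upper bound for a single feed file, taken from the 1-20 MB range
# quoted in the text; oversized files are left in place for inspection.
MAX_FEED_BYTES = 20 * 1024 * 1024

# Assumed file naming: <vendor>.<sequence>.txt, one indicator per line.
FEED_NAME = re.compile(r"^(?P<vendor>[a-z0-9_]+)\.(?P<seq>\d+)\.txt$")
DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def write_feed(spool: Path, vendor: str, seq: int, indicators: List[str]) -> Path:
    """Producer side: write one vendor's collected indicators as a text file."""
    spool.mkdir(parents=True, exist_ok=True)
    path = spool / f"{vendor}.{seq}.txt"
    path.write_text("# constructed sample feed\n" + "\n".join(indicators) + "\n")
    return path


def classify(value: str) -> Optional[str]:
    """Return 'ip', 'domain', or None for lines that are neither."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    return "domain" if DOMAIN.match(value) else None


def import_spool(spool: Path) -> Dict[str, Dict[str, List[str]]]:
    """Consumer side: import every feed file into per-vendor lists, then delete it."""
    lists: Dict[str, Dict[str, List[str]]] = {}
    for path in sorted(spool.glob("*.txt")):
        m = FEED_NAME.match(path.name)
        if not m:
            continue  # not a feed file; leave it alone
        if path.stat().st_size > MAX_FEED_BYTES:
            continue  # oversized: keep for inspection rather than import
        vendor = m.group("vendor")
        entry = lists.setdefault(vendor, {"ip": [], "domain": [], "rejected": []})
        for raw in path.read_text().splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            kind = classify(line)
            if kind is None:
                entry["rejected"].append(line)   # malformed: record, do not import
            elif line not in entry[kind]:
                entry[kind].append(line)         # de-duplicate within a vendor list
        path.unlink()  # consumed: the file is deleted once imported
    return lists


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Run producer and consumer end to end in a temporary spool directory."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = Path(tmp) / "spool"
        # Constructed sample indicators (documentation-reserved addresses and names).
        write_feed(spool, "opensource", 1, ["192.0.2.10", "example.net", "192.0.2.10"])
        write_feed(spool, "vendor_a", 1, ["2001:db8::1", "not an indicator", "bad.example.com"])
        (spool / "README").write_text("not a feed\n")
        result = import_spool(spool)
        assert not list(spool.glob("*.txt"))  # every feed file was consumed
        assert (spool / "README").exists()    # unrelated file left untouched
        return result


if __name__ == "__main__":
    for vendor, vendor_lists in demo().items():
        print(vendor, vendor_lists)
```

The point of the model is the consume-and-delete contract: a file is removed only after its contents have been imported, files that are oversized or that do not match the naming scheme are left in place, and malformed lines are recorded under "rejected" rather than silently entering a list that Advanced Intelligence Engine rules would later match against.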
