Threat Intelligence Service User Guide

TIS 1.9.5

The LogRhythm Threat Intelligence Service (TIS) and the LogRhythm Threat Intelligence Module work together to collect and analyze data published by subscription-based and open source threat data providers to alert users to threats in their environments.

The Threat Intelligence Service installer can be downloaded from the LogRhythm Community.

The Threat Intelligence Module is available in the LogRhythm Knowledge Base 6.1.295.0 and later.

This document provides information about configuring the Threat Intelligence Service. For information about installation and deployment, please refer to Install and Deploy the Threat Intelligence Service.

Threat List Vendors

The following threat data providers are supported by the Threat Intelligence Service. Each one requires a separately purchased subscription.

• Webroot BrightCloud
• Cisco AMP Threat Grid
• Symantec
• CrowdStrike

The Threat Intelligence Service also collects threat feed data from various open source providers and custom STIX/TAXII providers.

Vendor Subscription Information

With the exception of the open source vendors and custom STIX/TAXII providers, each of the supported threat data vendors requires a subscription. You must know the connection credentials from each vendor before you can configure the service to collect threat feed data.

How the Threat Intelligence Service Works

The Threat Intelligence Service collects threat feed data from open source and subscription-based vendors at scheduled intervals. Subscription credentials for applicable vendors must be provided in the LogRhythm Threat Intelligence Service Manager. For more information, see Configure Vendor Threat Feeds.

The feed data is written to text files that are imported by the Job Manager into the appropriate vendor lists. The Job Manager consumes and deletes the text files, which range in size from 1 to 20 MB. Advanced Intelligence Engine rules in the Threat Intelligence Module detect and alert on threat activity.