Add a Custom STIX/TAXII Provider

The LogRhythm Threat Intelligence Service supports integration with any threat provider that is STIX/TAXII (versions 1 and 2) compliant and is discoverable through a TAXII service endpoint.

The Structured Threat Information Expression (STIX) is a language for describing cyber threat information in a standardized and structured manner. Trusted Automated Exchange of Indicator Information (TAXII) standardizes the trusted, automated exchange of cyber threat information.

To add a STIX/TAXII (version 1 or 2) provider

  1. In the Threat Intelligence Service Manager, click Add Custom Source.
  2. On the Add STIX/TAXII Provider tab, enter the following provider details.

     Threat Provider Name
       Type the name of the custom provider. This name will be displayed in the List Manager and in the Threat Intelligence Service Manager. You cannot use the name of an existing paid, custom, or open source provider.
       Provider names should not be more than 23 characters long, including spaces. Alphanumeric characters, underscore, dash, and space are supported.
     TAXII Collection Endpoint
       Type or paste the HTTP endpoint for the provider.
     TAXII Version
       Select the version number.
     User name
       If the provider specified by the endpoint requires a user name, type it here.
     Password
       If the provider specified by the endpoint requires a password, type it here.
       The password is masked and encrypted using lrcrypt.
     Certificate Authentication
       Select this check box to enable certificate-based authentication for the selected provider. If enabled, you will need to supply the full path to a PKCS#12/PFX format certificate and the certificate password.
     Certificate Password
       The certificate password, created when the certificate was exported.
     Certificate Path
       Click the ellipsis [...] to locate and select your certificate. After locating your certificate, select it and click Open.

  3. To validate the connection details, click Test. If the test fails, verify that you have entered the correct values and test the connection again.
  4. After the connection is successful, click Save.
    The new provider is added to the list under Threat Data Providers, and the configuration page for the provider appears. Feeds discovered at the provider endpoint are listed, and each can be enabled or disabled on an individual basis. For more information, see Configure Vendor Threat Feeds.

    If a feed is added to a custom provider after it has been enabled, you may need to restart the Configuration Manager before configuring the Threat Intelligence Service to consume the new feed.
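The following script is an added example and not LogRhythm's own code. It applies the provider-name rules from the table above before you click Test, checks that the endpoint is an http(s) URL, and prepares (without sending) the TAXII 2.x GET request that a connection test would issue, using the media type each TAXII 2 version expects and HTTP Basic auth when a user name is set. The reserved-name set, the example endpoint and the credentials are constructed placeholders; TAXII 1 (XML messaging) and PFX certificate authentication are not covered here.

```python
"""Pre-flight checks for a custom STIX/TAXII provider entry (added example)."""
import base64
import re
import urllib.request
from urllib.parse import urlparse

# Rules from the provider-details table: at most 23 characters, and only
# alphanumerics, underscore, dash and space.
MAX_NAME_LEN = 23
NAME_RE = re.compile(r"^[A-Za-z0-9_\- ]+$")
# Constructed placeholder for "the name of an existing provider" check.
EXISTING_PROVIDERS = {"Example Existing Provider"}


def validate_provider_name(name: str) -> list:
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not name or not NAME_RE.fullmatch(name):
        problems.append("name must use only alphanumerics, underscore, dash and space")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is {len(name)} characters; maximum is {MAX_NAME_LEN}")
    if name in EXISTING_PROVIDERS:
        problems.append("name is already used by an existing provider")
    return problems


def validate_endpoint(endpoint: str) -> list:
    """Return a list of issues; entries starting with 'warning:' do not block."""
    issues = []
    parsed = urlparse(endpoint)
    if parsed.scheme not in ("http", "https"):
        issues.append("endpoint must be an http(s) URL")
    elif not parsed.netloc:
        issues.append("endpoint has no host")
    if parsed.scheme == "http":
        issues.append("warning: plain HTTP sends the user name and password in clear text")
    return issues


def taxii2_accept_header(version: str) -> str:
    """TAXII 2.0 and 2.1 advertise different media types; sending the wrong
    one is a reason a server can reject an otherwise correct request."""
    if version == "2.0":
        return "application/vnd.oasis.taxii+json; version=2.0"
    if version == "2.1":
        return "application/taxii+json;version=2.1"
    raise ValueError(f"unsupported TAXII 2 version: {version}")


def build_taxii2_request(endpoint: str, username=None, password=None, version="2.1"):
    """Prepare, but do not send, the GET a connection test would issue."""
    req = urllib.request.Request(endpoint, method="GET")
    req.add_header("Accept", taxii2_accept_header(version))
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    return req


if __name__ == "__main__":
    # Constructed sample values; nothing here is sent over the network.
    name, endpoint = "Acme Threat Feed", "https://taxii.example.test/taxii2/"
    for problem in validate_provider_name(name) + validate_endpoint(endpoint):
        print("check:", problem)
    req = build_taxii2_request(endpoint, "user", "pass", "2.1")
    print(req.get_method(), req.full_url)
    for header, value in req.header_items():
        print(f"{header}: {value}")
```

The Authorization header is printed only so you can confirm what the test will send; treat that output like the password itself.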

After a custom provider is saved, the following Lists are created:

  • Provider Name : URL : Malware : All
    • List Type: General Value
    • Use Contexts: Domain, URL
    • Import Filename: {Provider-Name}-URL-Threat-All.txt
    • Parent: -2355 (LR Threat List : URL : Suspicious)
  • Provider Name : File Path : Malware : All
    • List Type: General Value
    • Use Contexts: Object
    • Import Filename: {Provider-Name}-Filepath-Threat-All.txt
    • Parent: -2274 (LR Threat List : File Path : Malware)
  • Provider Name : IP : Malware : All
    • List Type: Host
    • Use Contexts: Host
    • Import Filename: {Provider-Name}-IP-Threat-All.txt
    • Parent: -2252 (LR Threat List : IP : Suspicious)
  • Provider Name : Email Address : Suspicious : All
    • List Type: General Value
    • Use Contexts: Address
    • Import Filename: {Provider-Name}-EmailAddress-Threat-All.txt
    • Parent: -2357 (LR Threat List : Email Address : Suspicious)
  • Provider Name : File Hash : Suspicious : All
    • List Type: General Value
    • Use Contexts: Object
    • Import Filename: {Provider-Name}-FileHash-Threat-All.txt
    • Parent: -2581 (LR Threat List : File Hash : Suspicious)

Each list has the following properties:

  • Auto Import: true
  • Import Options: Replace
  • Expiring: false
  • Read Access: System: Public All Users
  • Write Access: System: Public Global Administrator
  • Entity: Global Entity
  • Owner: N/A

The new lists are appended to the specified parent lists.
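As an added example (not LogRhythm's code), the script below takes a STIX 2.1 bundle of the kind a TAXII collection returns and sorts its indicator values into the five list import files named above, using the {Provider-Name}-...-Threat-All.txt names from the page. The mapping from STIX pattern paths to the five lists, the use of the provider name verbatim in the filename, and the one-value-per-line file layout are assumptions; the bundle, its identifiers, domains and addresses are constructed for illustration.

```python
"""Route STIX 2.1 indicator values into the provider list files (added example)."""
import re

# Which list file each STIX object path feeds (assumed mapping).
LIST_FOR_PATH = {
    "url:value": "URL",
    "domain-name:value": "URL",          # the URL list carries both Domain and URL contexts
    "file:name": "Filepath",
    "ipv4-addr:value": "IP",
    "ipv6-addr:value": "IP",
    "email-addr:value": "EmailAddress",
    "file:hashes": "FileHash",
}
FILENAME_TEMPLATE = "{provider}-{kind}-Threat-All.txt"   # names as listed on the page

# One comparison inside a STIX pattern: object:path[.'hash-alg'] = 'value'.
# finditer/findall walks every comparison of a compound (AND/OR) pattern.
COMPARISON_RE = re.compile(
    r"([a-z0-9-]+:[a-z0-9_]+(?:\.[a-z0-9_]+)*)(?:\.'[^']+')?\s*=\s*'([^']*)'"
)


def route_indicators(bundle: dict, provider_name: str):
    """Return ({filename: sorted unique values}, skipped_count).

    Revoked indicators, non-STIX pattern types and comparisons on paths
    outside LIST_FOR_PATH are not routed and are counted as skipped.
    """
    values = {}
    skipped = 0
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue                         # malware, relationships etc. carry no IOC values
        if obj.get("revoked") or obj.get("pattern_type", "stix") != "stix":
            skipped += 1
            continue
        for path, value in COMPARISON_RE.findall(obj.get("pattern", "")):
            kind = LIST_FOR_PATH.get(path)
            if kind is None:
                skipped += 1
                continue
            filename = FILENAME_TEMPLATE.format(provider=provider_name, kind=kind)
            values.setdefault(filename, set()).add(value)
    return {name: sorted(vals) for name, vals in values.items()}, skipped


def render_list_file(values) -> str:
    """Assumed import layout: one value per line with a trailing newline."""
    return "".join(f"{v}\n" for v in values)


# Constructed sample bundle (documentation domains and TEST-NET addresses).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000001",
         "pattern_type": "stix",
         "pattern": "[url:value = 'http://malicious.example/payload.bin']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000002",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.10' OR ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000003",
         "pattern_type": "stix",
         "pattern": "[file:name = 'dropper.exe' AND file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000004",
         "pattern_type": "stix",
         "pattern": "[email-addr:value = 'phish@attacker.example']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000005",
         "pattern_type": "stix", "revoked": True,
         "pattern": "[url:value = 'http://retired.example/']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000006",
         "pattern_type": "stix",
         "pattern": "[process:name = 'example.exe']"},      # no list exists for this path
        {"type": "malware", "id": "malware--11111111-1111-4111-8111-000000000007",
         "name": "ExampleLoader", "is_family": False},
    ],
}

if __name__ == "__main__":
    routed, skipped = route_indicators(SAMPLE_BUNDLE, "Acme-TI")
    for filename, vals in routed.items():
        print(f"== {filename} ==\n{render_list_file(vals)}")
    print(f"skipped: {skipped}")
```

Tracking the skipped count matters operationally: a feed whose indicators mostly use paths you do not map (process, registry, network-traffic objects) will populate the lists with far less than the feed actually publishes, which is worth knowing before relying on the parent LR Threat Lists for detection.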