The LogRhythm Threat Intelligence Service (TIS) and the LogRhythm Threat Intelligence Module work together to collect and analyze data published by reputable threat data providers to alert users to threats in their environments.
The Threat Intelligence Service installer can be downloaded from the LogRhythm Community.
The Threat Intelligence Module is available in the LogRhythm Knowledge Base (KB) 6.1.295.0 and later.
This document provides information about setting up threat analytics in your LogRhythm deployment. It includes the following steps:
- Run the Threat Intelligence Service Installer
- Modify, Repair, or Remove the Threat Intelligence Service
- Enable and Import the Threat Intelligence Service Modules
- Associate Vendor Lists with LogRhythm Lists
- Enable Threat List AIE Rules
- Start the LogRhythm Threat Intelligence Service
Note the following requirements before installing the Threat Intelligence Service:
- The service must be installed on a computer running Windows Server 2008 64-bit, Windows Server 2008 R2 64-bit, Windows Server 2012 R2 64-bit, or Windows Server 2016 64-bit.
- The server must be able to connect to the Internet over ports 80 and 443.
- The server must be able to establish a SQL connection with the Platform Manager’s (Event Manager’s) database.
- If you are running the service on a system other than the Platform Manager (Event Manager) appliance, you must do the following:
  - Share the Job Manager’s list_import directory on the Platform Manager (Event Manager) appliance so that it can be accessed by the service. The directory has the following default location: C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import.

    You provide the path to the list_import directory in the List Path box when configuring the connection to LogRhythm (see Threat Intelligence Service User Guide). UNC paths are supported for remote directories, and the account that is running the service must have access to this path to write lists. The path is validated in the Service Manager and when the service starts. If the path is unreachable or if the service does not have access to it, the service will not start.
- Run the service using credentials that have “Change” permissions on the Job Manager’s list_import directory.
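
The requirements above can be checked before installation with a short pre-flight script, run as the account that will run the service. This is an added example, not LogRhythm code: the share name, host names and feed endpoint are placeholders, port 1433 assumes the SQL Server default, and the function names are hypothetical. It uses TcpClient rather than Test-NetConnection so that it also runs on the older Windows Server versions listed.

```powershell
# Added example: pre-flight checks for a Threat Intelligence Service host.
param(
    [string]$ListPath     = '\\PLATFORM-MANAGER\list_import', # placeholder UNC share
    [string]$SqlHost      = 'PLATFORM-MANAGER',               # placeholder host name
    [int]$SqlPort         = 1433,                             # assumption: SQL Server default port
    [string]$InternetHost = 'feed.example.com'                # placeholder, not a real provider
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # Treat a connect that does not complete in time as a failure.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on refusal or DNS failure
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ListPathWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ('tis_preflight_{0}.tmp' -f [guid]::NewGuid().ToString('N'))
    try {
        # "Change" permission covers both creating and deleting a file.
        Set-Content -LiteralPath $probe -Value 'preflight' -ErrorAction Stop
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        return $true
    } catch {
        return $false   # a leftover probe file means write worked but delete did not
    }
}

$checks = @(
    @('list_import path reachable and writable', (Test-ListPathWritable $ListPath)),
    @("SQL port reachable ($SqlHost`:$SqlPort)",  (Test-TcpPort $SqlHost $SqlPort)),
    @("Outbound 80 to $InternetHost",             (Test-TcpPort $InternetHost 80)),
    @("Outbound 443 to $InternetHost",            (Test-TcpPort $InternetHost 443))
)
$failed = 0
foreach ($c in $checks) {
    if ($c[1]) { $state = 'OK' } else { $state = 'FAIL'; $failed++ }
    '{0,-45} {1}' -f $c[0], $state
}
if ($failed -gt 0) { exit 1 }
```

The SQL check confirms only that the port is reachable; it does not test a database login.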