STIX feeds (both version 1 and version 2) can be downloaded directly to Threat Intelligence Service, parsed, and made available in LogRhythm lists.
To add a STIX feed
- In the Threat Intelligence Service Manager, click Add Custom Source.
On the Add STIX Feed tab, enter the following details.
Parameter Description Feed Name
Type the name of the feed. This name will be displayed in the List Manager and in the Threat Intelligence Service Manager. You cannot use the name of an existing paid, custom, or open source provider.
Feed names should not be more than 23 characters long, including spaces. Alphanumeric characters, underscore, dash, and space are supported.
Feed from URL /
STIX Indicator Endpoint
If you select this radio button, enter the URL from where the STIX direct feed will be downloaded. Feed from File /
STIX Feed File Location
If you select this radio button, select the location where the feed file is located. The Username, Password, and Certificate Authentication fields are not required. STIX Version Select the version number. User name If the feed specified requires a user name, type it here. Password
If the feed specified requires a password, type it here.
The password is masked and encrypted using lrcrypt.
Select this check box to enable certificate-based authentication for the feed. If enabled, you will need to supply the full path to a PKCS#12/PFX format certificate and the certificate password.
Certificate Password The certificate password, created when the certificate was exported. Certificate Path
Click the ellipsis [...] to locate and select your certificate. After locating your certificate, select it and click Open.
To validate the connection details, click Test. If the test fails, verify that you have entered the correct values and test the connection again.
After the connection is successful, click Save.
The new provider is added to the list under Threat Data Providers, and the configuration page for the provider appears. Feeds discovered at the provider endpoint are listed, and each can be enabled or disabled on an individual basis. For more information, see Configure Vendor Threat Feeds.
If a feed is added to a custom provider after it has been enabled, you may need to restart the Configuration Manager before configuring the Threat Intelligence Service to consume the new feed.
After a custom feed is saved, a custom list is created based on the response from the STIX URL and is appended to the specified parent list. The list will have the following properties:
- Auto Import: true
- Import Options: Replace
- Expiring: false
- Read Access: System: Public All Users
- Write Access: System: Public Global Administrator
- Entity: Global Entity
- Owner: N/A