
Configure Vendor Threat Feeds

You can configure the details of each threat intelligence vendor under the corresponding tab in the Threat Intelligence Service Manager.

The status of each vendor feed, either enabled or disabled, is indicated on the tab. For each vendor, you can enable or disable threat feeds, provide connection credentials, specify run settings, and view the run schedule and run history. Configure the details of each vendor feed as follows:

  1. Click the tab for the vendor you want to configure.

    The first time you configure BrightCloud, you must click the link to open the end user license agreement, select the check box indicating that you have read and agree to the license, and then click Accept to view configuration options.

  2. Enable or disable the feed and modify the configuration as follows:

    Parameter: Description

    Enabled: Select this check box to enable the provider, or clear it to disable the provider.

    Check All: Select all available feeds for the vendor.

    Clear All: Deselect all available feeds for the vendor.

    Remove Provider: Custom providers only. Click to remove the provider.

    Edit Provider: Custom providers only. Click to open the LogRhythm Custom Provider dialog box. For more information, see Add a Custom STIX/TAXII Provider.

    Feed Name: For vendors that provide more than one threat feed, you can enable or disable individual feeds after the provider has been enabled.

    Credentials: Connection credentials required for the selected feed. For information about the details required from each vendor, see Vendor Subscription Information. Click Test to validate the credentials. If the test fails, verify the credentials and type them again.

    Last Downloaded: The date and time when the threat feed was last downloaded.

    Next Run Time: The next date and time when the service will download the threat feed.

    Download every: Select the download interval for the current feed from the list.

    Download Now: Click to download the selected feed immediately. This option is only available if the Threat Intelligence Service is currently running.

      You can only download lists in the abuse.ch feed once every 15 minutes. If you try to manually download the feed and any of the lists have been downloaded in the last 15 minutes, an error similar to the following is logged in lrtfmgr.log:

      07/05/2016 03:51:06.410231 [host] Abuse uri download will be attempted after 15 min of last download time 7/5/2016 3:36:29 AM

    First Run at: Specify the time of day when the service should run on the selected feed. Select the hour, minute, or AM/PM values, then click the up or down arrows to make changes.

    Test: For vendors that require credentials, click Test to validate the supplied values.

      The Test button is disabled or unavailable for vendors who throttle downloads or enforce limits on the number of downloads in a specified time period.

  3. To save the configuration for the selected feed, click Save.

    Clicking Save saves only the configuration for the selected feed.
