Configure Vendor Threat Feeds

You can configure the details of each threat intelligence vendor under the corresponding tab in the Threat Intelligence Service Manager.

The status of each vendor feed is indicated on the tab, either enabled or disabled . For each vendor, you can enable or disable threat feeds, provide connection credentials, specify run settings, and view the run schedule and run history. Configure the details of each vendor feed as follows:

1. Click the tab for the vendor you want to configure.

   

   The first time you configure BrightCloud, you must click the link to open the end user license agreement, select the check box indicating that you have read and agree to the license, and then click Accept to view configuration options.

2. Enable or disable the feed and modify the configuration as follows:

   Parameter	Description
   Enabled	Select this check box to enable the provider, or clear it to disable the provider.
   Check All	Select all available feeds for the vendor.
   Clear All	Deselect all available feeds for the vendor.
   Remove Provider	Custom providers only. Click to remove the provider.
   Edit Provider	Custom providers only. Click to open the LogRhythm Custom Provider dialog box. for more information, see Add a Custom STIX/TAXII Provider.
   Feed Name	For vendors that provide more than one threat feed, you can enable or disable individual feeds after the provider has been enabled.
   Credentials	Connection credentials required for the selected feed. For information about the details required from each vendor, see Vendor Subscription Information. Click Test to validate the credentials. If the test fails, verify the credentials and type them again.
   Last Downloaded	The date and time when the threat feed was last downloaded.
   Next Run Time	The next date and time when the service will download the threat feed.
   Download every	Select the download interval for the current feed from the list.
   Download Now	Click to download the selected feed immediately. This option is only available if the Threat Intelligence Service is currently running. You can only download lists in the abuse.ch feed once every 15 minutes. If you try to manually download the feed and any of the lists have been downloaded in the last 15 minutes, an error similar to the following is logged in lrtfmgr.log: 07/05/2016 03:51:06.410231 [host] Abuse uri download will be attempted after 15 min of last download time 7/5/2016 3:36:29 AM
   First Run at	Specify the time of day when the service should run on the selected feed. Select the hour, minute, or AM/PM values, then click the up or down arrows to make changes.
   Test	For vendors that require credentials, click Test to validate the supplied values. The Test button is disabled or unavailable for vendors who throttle downloads or enforce limits on the number of downloads in a specified time period.

3. To save the configuration for the selected feed, click Save.

   

   Clicking Save saves only the configuration for the selected feed.