The LogRhythm Threat Intelligence Service (TIS) collects threat feed data from supported vendors at scheduled intervals. Subscription details from each vendor must be provided in the LogRhythm Threat Intelligence Service Manager. For more information on the threat data providers that are supported and how to configure their feeds, see the Threat Intelligence Service User Guide.
After threat feeds are configured, their content is stored in LogRhythm lists. You can browse select fields in the Analyzer grid to see if the values exist in any of your Threat Intelligence Service lists.
To use Threat Intelligence Service Integration:
- On the lower-right side of the page, click Logs.
- Click on a metadata field type that is supported by TIS. If the Inspector panel is not already open, you must click on the Configuration icon to view results. Supported field types are:
  - Host (Impacted)
  - Host (Origin)
  - Hostname (Impacted)
  - Hostname (Origin)
  - IP Address (Impacted)
  - IP Address (Origin)
When you click on a field type that is not supported by TIS, the Threat Intelligence interface does not appear in the Inspector panel.
The Inspector panel displays the threat feed provider name and any available information about the threat.
- (Optional) Next to the available information, click More to run an API query against the threat feed to get more information. You can add any additional information returned to a case as well. The More button only appears when the threat feed has an API available. In Web Console 7.2.2, only the Cisco AMP Threat Grid supports this feature.
Information from a threat feed can be added as a note in a case from the Inspector panel.
To add TIS information to a case:
- Select a case in the Current Case panel. For more information on selecting a case, see Work with the Current Case Panel.
- Click Add All to Case in the Threat Intelligence interface in the Inspector panel. All information in the Threat Intelligence interface is copied as a note into the case.
- (Optional) Type additional information into the note.
- On the left side of the dashboard layout, click the Current Case tab to open the Current Case panel, if necessary.
- In the upper-right corner of the note, click the Configuration icon.
- Click the Edit icon.
- In the Add Note to Case dialog box, edit the text as needed.
- Click Save.
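To make the lookup and Add All to Case behaviour concrete, here is an added example (not LogRhythm code) that models what the Inspector panel does: it checks a supported field value against per-provider threat lists, returns nothing for an unsupported field type, and assembles the note text that would be copied into a case. The provider name, list names and indicator values are constructed stand-ins using documentation addresses and domains.

```python
import ipaddress

# Field types the Threat Intelligence interface handles (from the page).
SUPPORTED_FIELDS = {
    "Host (Impacted)", "Host (Origin)",
    "Hostname (Impacted)", "Hostname (Origin)",
    "IP Address (Impacted)", "IP Address (Origin)",
}

# Constructed stand-in for TIS-populated LogRhythm lists:
# provider -> list name -> {canonical value: threat info}. Not real indicators.
THREAT_LISTS = {
    "ExampleFeed": {
        "Malicious IPs": {"192.0.2.10": "C2 beacon (constructed)",
                          "2001:db8::1": "scanner (constructed)"},
        "Bad Hosts": {"bad.example.com": "phishing host (constructed)"},
    },
}


def normalize(field_type, value):
    """Canonicalise a value so case, whitespace or IPv6 spelling cannot defeat a match."""
    if field_type.startswith("IP Address"):
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            return None  # not a valid address; cannot be in an IP list
    return value.strip().lower().rstrip(".")


def lookup(field_type, value, lists=THREAT_LISTS):
    """Return [(provider, list_name, info)] for every list containing the value.
    Returns None for an unsupported field type: the interface does not appear at all."""
    if field_type not in SUPPORTED_FIELDS:
        return None
    key = normalize(field_type, value)
    if key is None:
        return []
    return [(provider, list_name, entries[key])
            for provider, provider_lists in lists.items()
            for list_name, entries in provider_lists.items()
            if key in entries]


def build_case_note(field_type, value, hits):
    """Text equivalent of Add All to Case: every provider hit goes into one note."""
    lines = [f"Threat Intelligence for {field_type} = {value.strip()}"]
    lines += [f"- {provider} / {list_name}: {info}" for provider, list_name, info in hits]
    return "\n".join(lines)
```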