You can configure the details of each threat intelligence vendor under the corresponding tab in the Threat Intelligence Service Manager.
The status of each vendor feed is indicated on the tab, either enabled or disabled. For each vendor, you can enable or disable threat feeds, provide connection credentials, specify run settings, and view the run schedule and run history. Configure the details of each vendor feed as follows:
- Click the tab for the vendor you want to configure.
  The first time you configure BrightCloud, you must click the link to open the end user license agreement, select the check box indicating that you have read and agree to the license, and then click Accept to view configuration options.
- Enable or disable the feed and modify the configuration as follows:

| Parameter | Description |
| --- | --- |
| Enabled | Select this check box to enable the provider, or clear it to disable the provider. |
| Check All | Select all available feeds for the vendor. |
| Clear All | Deselect all available feeds for the vendor. |
| Remove Provider | Custom providers only. Click to remove the provider. |
| Edit Provider | Custom providers only. Click to open the LogRhythm Custom Provider dialog box. For more information, see Add a Custom STIX/TAXII Provider. |
| Feed Name | For vendors that provide more than one threat feed, you can enable or disable individual feeds after the provider has been enabled. |
| Credentials | Connection credentials required for the selected feed. For information about the details required from each vendor, see Vendor Subscription Information. Click Test to validate the credentials. If the test fails, verify the credentials and type them again. |
| Last Downloaded | The date and time when the threat feed was last downloaded. |
| Next Run Time | The next date and time when the service will download the threat feed. |
| Download every | Select the download interval for the current feed from the list. |
| Download Now | Click to download the selected feed immediately. This option is only available if the Threat Intelligence Service is currently running. You can only download lists in the abuse.ch feed once every 15 minutes. If you try to manually download the feed and any of the lists have been downloaded in the last 15 minutes, an error similar to the following is logged in lrtfmgr.log: 07/05/2016 03:51:06.410231 [host] Abuse uri download will be attempted after 15 min of last download time 7/5/2016 3:36:29 AM |
| First Run at | Specify the time of day when the service should run on the selected feed. Select the hour, minute, or AM/PM values, then click the up or down arrows to make changes. |
| Test | For vendors that require credentials, click Test to validate the supplied values. The Test button is disabled or unavailable for vendors who throttle downloads or enforce limits on the number of downloads in a specified time period. |
- To save the configuration for the selected feed, click Save.
  Clicking Save saves only the configuration for the selected feed.
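
The abuse.ch throttle entry described under Download Now can be read back from lrtfmgr.log to see when a manual download will be accepted again. The following Python is an added example, not LogRhythm code: the pattern is derived from the single sample entry on this page, and the month/day/year date order and the function and field names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Throttle window the documentation states for abuse.ch lists.
THROTTLE = timedelta(minutes=15)

# Built from the one sample entry in the documentation. Real entries are only
# described as "similar", so lines that do not match are skipped, not errors.
THROTTLE_RE = re.compile(
    r"^(?P<logged>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{1,6}) "
    r"\[(?P<host>[^\]]*)\] Abuse uri download will be attempted after "
    r"15 min of last download time "
    r"(?P<last>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$"
)

# First line is the sample from the documentation; the second is constructed.
SAMPLE_LOG = [
    "07/05/2016 03:51:06.410231 [host] Abuse uri download will be attempted "
    "after 15 min of last download time 7/5/2016 3:36:29 AM",
    "07/05/2016 03:52:00.000000 [host] constructed unrelated entry",
]

def parse_throttle_events(lines):
    """Return one dict per throttled abuse.ch download attempt."""
    events = []
    for line in lines:
        m = THROTTLE_RE.match(line.strip())
        if m is None:
            continue
        # Assumption: both timestamps are month/day/year, same local clock.
        attempted = datetime.strptime(m["logged"], "%m/%d/%Y %H:%M:%S.%f")
        last = datetime.strptime(m["last"], "%m/%d/%Y %I:%M:%S %p")
        next_allowed = last + THROTTLE
        events.append({
            "host": m["host"],
            "attempted": attempted,
            "last_download": last,
            "next_allowed": next_allowed,
            # How long after the failed attempt a manual download is accepted.
            "retry_in": max(next_allowed - attempted, timedelta(0)),
        })
    return events

if __name__ == "__main__":
    for e in parse_throttle_events(SAMPLE_LOG):
        print(f"{e['host']}: blocked at {e['attempted']}, "
              f"retry after {e['next_allowed']} (in {e['retry_in']})")
```

For the sample entry, the manual download was attempted about 23 seconds before the 15-minute window expired.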