Least Privileged User: TIS, Windows
Purpose
The Threat Intelligence Service (TIS) downloads threat intelligence from external providers and writes the resulting list data to the LogRhythm SIEM for use in list-based alarming and analytics. TIS can be installed on the Platform Manager (PM) or on a standalone server. When installed on a non-PM server, a domain service account must be used so the service can access the PM's list_import share remotely.
By default, TIS installs with the service running as Local System. To run under a least-privileged domain account, the permissions described below must be granted.
This page covers the Windows TIS service (lrtfsvc) and the TIS Config Manager (lrthreatfeedmgr). Both components use the same service account.
Shared Resources
| Directory | Read | Write | Read & Execute | Modify | Full Control | Children Inherit |
|---|---|---|---|---|---|---|
| | X | X | | | | |
| | X | X | | | | |
| | X | X | | | | |
The TIS installation directory is stored in the registry at HKLM\SOFTWARE\LogRhythm\lrtfsvc → HPATH. The default path is C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\.
Both the share-level permission and the NTFS permission on list_import must be set to Modify (Change at the share level). Setting only the NTFS permission is insufficient: for access over a UNC path the effective right is the more restrictive of the share permission and the NTFS permission, so a share left at its default Read (or with no entry for the service account) denies the write even though NTFS would allow it.
Registry Access
| Key | Read Control | Write Owner | Write DAC | Delete | Create Link | Enumerate Subkeys | Set Value | Query Value | Full Control | Children Inherit |
|---|---|---|---|---|---|---|---|---|---|---|
| | X | X | X | X | | | | | | |
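The share, NTFS and registry grants above, scripted as an added PowerShell example (this is not LogRhythm's code). The service account name and the local path of list_import on the PM are assumed placeholders, and the rights passed for the TIS host (ReadAndExecute on the install directory, ReadKey on the lrtfsvc key) are placeholders too, to be replaced with the exact entries from the two tables; the install directory itself is located via the HPATH value described above. The PM part also creates the list_import share if it does not exist yet.

```powershell
# Added example (not LogRhythm's own code). Run in an elevated session.
# Role 'PM' grants access to the list_import share; role 'TISHost' grants the
# install-directory and registry rights on the TIS server.
param([ValidateSet('PM', 'TISHost')][string]$Role = 'TISHost')

$ServiceAccount = 'CORP\svc-lrtis'                 # assumed account name
$ListImportPath = 'D:\LogRhythm\list_import'       # assumed local path on the PM
$ShareName      = 'list_import'
$TisRegKey      = 'HKLM:\SOFTWARE\LogRhythm\lrtfsvc'

function Grant-NtfsRight {
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -Path $Path
    # Allow ACE that inherits to subfolders and files; existing ACEs are kept.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryRight {
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.RegistryRights]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account, $Rights, 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# On the PM: the share needs BOTH a share-level grant and an NTFS grant. The
# effective access over UNC is the more restrictive of the two, so either one
# alone leaves TIS unable to write its CSV files.
function Set-TisListImportAccess {
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        # Share missing: create it with Change, the share-level equivalent of Modify.
        New-SmbShare -Name $ShareName -Path $ListImportPath -ChangeAccess $ServiceAccount | Out-Null
    } else {
        Grant-SmbShareAccess -Name $ShareName -AccountName $ServiceAccount `
            -AccessRight Change -Force | Out-Null
    }
    Grant-NtfsRight -Path $ListImportPath -Account $ServiceAccount -Rights Modify

    # Verification: expect one row from each query, otherwise the remote write is denied.
    Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq $ServiceAccount } |
        Select-Object Name, AccountName, AccessRight
    (Get-Acl -Path $ListImportPath).Access |
        Where-Object { "$($_.IdentityReference)" -eq $ServiceAccount } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

# On the TIS host: install directory (found through HPATH) and the service's key.
function Set-TisHostAccess {
    $installDir = (Get-ItemProperty -Path $TisRegKey -Name HPATH).HPATH
    # Placeholder rights: substitute the exact entries from the tables above.
    Grant-NtfsRight     -Path $installDir -Account $ServiceAccount -Rights ReadAndExecute
    # ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions
    Grant-RegistryRight -Path $TisRegKey  -Account $ServiceAccount -Rights ReadKey
}

switch ($Role) {
    'PM'      { Set-TisListImportAccess }
    'TISHost' { Set-TisHostAccess }
}
```

Running it with `-Role PM` on the Platform Manager and `-Role TISHost` on the TIS server keeps each machine's change local; the two verification queries on the PM are the check to keep, because a missing share-level entry is the usual reason a correctly set NTFS ACL still produces an access-denied error from the service.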
Database Access
TIS connects to the LogRhythm EMDB (SQL Server) on the PM server to read list metadata and write auto-import flags. The connection uses the default SQL Server port, 1433, unless the instance has been configured otherwise.
Authentication mode is configured in the TIS Config Manager:
Windows Integrated Security (recommended): enable "Log in with Windows account". The service account must have a SQL Server login mapped to a user in the EMDB database with the permissions below.
SQL Authentication: A separate SQL account can be provided. That account requires the same database permissions.
The service account (or its mapped SQL login) requires the following permissions on the EMDB database:
SELECT, INSERT, UPDATE on list-related tables
EXECUTE on list management stored procedures (used by SetAutoImportFlagsUsingInlineScript and related operations on config save)
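The EMDB setup for the Windows Integrated Security option, as an added PowerShell example (not LogRhythm's code): it creates the Windows login if it does not exist, maps it to a user in the database, and grants only the rights listed above on a whitelist of objects, then reads back what the account actually holds. The service account, PM hostname, database name and the table and procedure names are assumed placeholders, since the page does not name the list-related objects.

```powershell
# Added example (not LogRhythm's own code). Run as a SQL Server administrator
# with Integrated Security; all names below are assumed placeholders.
$ServiceAccount = 'CORP\svc-lrtis'
$SqlInstance    = 'PM01'                              # PM hostname, default port 1433
$Database       = 'LogRhythmEMDB'                     # assumed EMDB database name
$ListTables     = @('dbo.SampleListTable')            # placeholder list-related tables
$ListProcedures = @('dbo.SampleListProcedure')        # placeholder list management procs

# Object names are spliced into DDL, so whitelist their shape instead of trusting
# whatever a config file supplies.
$namePattern = '^[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*$'
foreach ($n in ($ListTables + $ListProcedures)) {
    if ($n -notmatch $namePattern) { throw "Refusing unexpected object name: $n" }
}
function Quote-Name([string]$TwoPart) {
    $p = $TwoPart.Split('.')
    "[$($p[0])].[$($p[1])]"
}
$login       = "[$($ServiceAccount.Replace(']', ']]'))]"   # bracket-quoted identifier
$acctLiteral = $ServiceAccount.Replace("'", "''")            # string-literal form

# Server-level login (only if missing), database user, then object-level grants.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$acctLiteral')
    CREATE LOGIN $login FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$acctLiteral')
    CREATE USER $login FOR LOGIN $login;
"@
foreach ($t in $ListTables) {
    $sql += "GRANT SELECT, INSERT, UPDATE ON $(Quote-Name $t) TO $login;`n"
}
foreach ($p in $ListProcedures) {
    $sql += "GRANT EXECUTE ON $(Quote-Name $p) TO $login;`n"
}

# Encrypt the admin connection; add TrustServerCertificate=True only if the PM
# still uses a self-signed certificate.
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlInstance;Database=$Database;Integrated Security=True;Encrypt=True")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    [void]$cmd.ExecuteNonQuery()

    # Read back the object-level permissions the account now holds in this database.
    $cmd.CommandText = @"
SELECT pe.permission_name, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'$acctLiteral' AND pe.class_desc = 'OBJECT_OR_COLUMN'
ORDER BY object_name, pe.permission_name;
"@
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        '{0,-8} {1,-6} {2}' -f $reader['permission_name'], $reader['state_desc'], $reader['object_name']
    }
    $reader.Close()
} finally {
    $conn.Close()
}
```

The read-back at the end is the least-privilege check: the output should contain only SELECT, INSERT and UPDATE on the list tables and EXECUTE on the list procedures, with nothing at schema or database scope. For the SQL Authentication option the same grants apply to a login created with `CREATE LOGIN ... WITH PASSWORD` instead of `FROM WINDOWS`.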
Ports
| Port | Default Port | Inbound/Outbound | Purpose |
|---|---|---|---|
| SQL Server (EMDB) | 1433 | Outbound to PM | Database connection for list management |
| SMB (list_import share) | 445 | Outbound to PM | Write threat list CSV files to the PM list_import share |
| HTTPS (threat feeds) | 443 | Outbound to Internet | Download threat intelligence from external providers (CrowdStrike, Symantec, AlienVault, PhishTank, etc.) |
| HTTP (threat feeds)* | 80 | Outbound to Internet | Download from providers that use HTTP (if configured) |

\* Only if a provider is configured to use HTTP.
Other Resources
| Resource | Requirement |
|---|---|
| Log on as a service | The service account must be granted the Log on as a service (SeServiceLogonRight) user right on the TIS host server. Configure via secpol.msc → Local Policies → User Rights Assignment. |
| Create global objects | The service account must be granted the Create global objects (SeCreateGlobalPrivilege) user right on the TIS host server. This is required because TIS uses a Windows named mutex in the Global\ kernel object namespace (Global\TISUpdateJSONFile) to synchronize config file writes between the service and the Config Manager; without the privilege a non-administrative account cannot create objects in that namespace. Configure via secpol.msc → Local Policies → User Rights Assignment. |
| list_import share | If the list_import directory on the PM does not have a Windows share configured, one must be created before TIS can access it via UNC path. Right-click the directory → Properties → Sharing → Advanced Sharing. |
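The two user-right assignments above, scripted as an added PowerShell example (not LogRhythm's code) with secedit, the command-line counterpart of the secpol.msc steps. The account name is an assumed placeholder. The point the example makes is that an INF applied with `secedit /configure` replaces the entire membership of each right it lists, so the existing holders are exported and merged first rather than overwritten.

```powershell
# Added example (not LogRhythm's own code). Run elevated on the TIS host.
$ServiceAccount = 'CORP\svc-lrtis'   # assumed account name
$Rights = @('SeServiceLogonRight', 'SeCreateGlobalPrivilege')

$me = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'secedit needs an elevated session.'
}

# Rights are stored by SID, with a leading * in the INF syntax.
$sid = (New-Object Security.Principal.NTAccount($ServiceAccount)).Translate(
    [Security.Principal.SecurityIdentifier]).Value

$work = Join-Path $env:TEMP ('tis-rights-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$exportInf = Join-Path $work 'current.inf'
$grantInf  = Join-Path $work 'grant.inf'
$grantDb   = Join-Path $work 'grant.sdb'

function Get-PrivilegeAssignments([string]$InfPath) {
    # Parse "SeXxx = *S-1-...,*S-1-..." lines of a secedit export into right -> holders
    $map = @{}
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $map[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    $map
}

function Export-UserRights([string]$To) {
    Remove-Item -Path $To -ErrorAction SilentlyContinue
    secedit /export /cfg $To /areas USER_RIGHTS | Out-Null
}

Export-UserRights $exportInf
$current = Get-PrivilegeAssignments $exportInf

# /configure REPLACES the membership of every right listed in the INF, so merge the
# service account into the current holders instead of writing it alone.
$entries = foreach ($right in $Rights) {
    $holders = @()
    if ($current.ContainsKey($right)) { $holders = @($current[$right]) }
    if ($holders -notcontains "*$sid") { $holders += "*$sid" }
    "$right = " + ($holders -join ',')
}
@('[Unicode]', 'Unicode=yes',
  '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
  '[Privilege Rights]') + $entries |
    Set-Content -Path $grantInf -Encoding Unicode

secedit /configure /db $grantDb /cfg $grantInf /areas USER_RIGHTS /quiet | Out-Null

# Verify by re-exporting: the SID must now appear under both rights.
Export-UserRights $exportInf
$after = Get-PrivilegeAssignments $exportInf
foreach ($right in $Rights) {
    $ok = $after.ContainsKey($right) -and ($after[$right] -contains "*$sid")
    '{0,-26} {1}' -f $right, $(if ($ok) { 'granted' } else { 'MISSING' })
}
Remove-Item -Path $work -Recurse -Force
```

User rights are read into the logon token when the account logs on, so after granting them, set the account on the lrtfsvc service and restart it; a service already running under the account will not pick up SeCreateGlobalPrivilege until it is restarted, and the Global\TISUpdateJSONFile mutex creation will keep failing until then.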