Import Threat Intel Rules

LogRhythm NDR imports emerging threats on a daily basis and alerts the customer. The customer can upload their own intel rule to monitor activities related to their rules.

Feature Value

This feature helps the customer identify any attacks that may happen related to emerging threats by generating alert events. Additionally, the customer can upload their own intel rule in LogRhythm NDR through the UI. If any malware attacks are detected with respect to the rule, it will alert the customer by generating an intel event with the provider's name.

Getting Started

The intel rules can be utilized in one of the following ways:

Taking rules from emerging threat rules and alerting the customer if something occurs.
The emerging threat intel rules are updated through this URL https://rules.emergingthreats.net/open/snort-2.9.0/ on a daily basis by running a cron job.
It will delete the old entries and create new ones in probe nodes with the help of salt in the following paths:
- /opt/zeek/feeds,
- /opt/zeek/feeds_csv
- /opt/zeek/feeds_json
If any attacks are found with respect to these rules, it will alert the customer by generating an alert event.
Adding their own intel rule and alerting the customer if something occurs with those indicators.
The customer can upload their own intel rule through the UI (Settings→ Policy Management → Intel Rules) by uploading a file with a .csv extension. The indicator type will either be IP, or MD5, or URL.

Upload an Intel Rule

Log in to the LogRhythm NDR UI.
Click the Settings tab and then select Intel Rules from the drop-down menu under Policy Management.
The Intel Rules page is displayed with the list of rules in a table and options to upload or update the rules.
Enter the name of the provider to upload a rule.
Click Choose File and select the intel rule file to be uploaded.
The file should be in CSV format and must include the indicator and indicator type. The indicator type will either be IP, or MD5, or URL.
Click the Upload button to upload the rules.
The details are validate while uploading and any duplicate entries are skipped.
The "Successfully Uploaded" message appears once the rules are uploaded.
The customer can see these newly added rules in the table once they are uploaded.
Click the Deploy button to store these rules in all the nodes.

Edit an Intel Rule

To make any changes to an existing rule, do the following:

Log in to the LogRhythm NDR UI.
Click the Settings tab and then select Intel Rules from the drop-down menu under Policy Management.
The Intel Rules page is displayed with the list of rules in a table and options to upload or update the rules.
In the Intel Rule table, click the green Edit icon in the Actions column to edit a rule.
The details of the selected rule is displayed in the Intel page.
Once changes have been made, click the Update Indicator button.
The updated intel rule is displayed in the table.
Click the Deploy button to store these rules in all the nodes.

Delete an Intel Rule

To delete an existing Intel rule, do the following:

Log in to the LogRhythm NDR UI.
Click the Settings tab and then select Intel Rules from the drop-down menu under Policy Management.
The Intel Rules page is displayed with the list of existing rules in a table and options to upload or update the rules.
In the Intel Rule table, click the red Delete icon in the Actions column to delete a rule.
Click Yes to confirm the action.
The selected rule is deleted.
Click the Deploy button to remove the deleted rule from all the nodes.

Functionality

Some basic functionalities are as follows:

Once deployed, the rules are updated in the CCN node under the respective indicator type.
The rules are then copied from CCN to the probe node with the help of salt.

When the network analytics engine detects any of these indicators, it generates an intel_trigger.log in the log path.

When the dispatcher loads this intel_trigger.log, it generates an intel event in the Hunt Activity page of the UI.