Threat Intelligence Provider
Update Intel Rules
- Log in to the LogRhythm NDR UI.
- Click Settings, click Policy Management, and then click Intel Rules.
The Intel Rule page appears. To complete the fields, use the following table.

| Name | Description |
| --- | --- |
| Provider | Name of the threat intelligence provider |
| File Upload | Definitions and Rules CSV file |

- Click Upload.

| If this happens | Then this appears |
| --- | --- |
| If there is something wrong with the upload or the wrong format is used | The message "Problem with File, Please Upload correct format" appears. |
| If the upload is successful | The message "Successfully updated" appears. |
| If the upload is successful but there are duplicate entries | The message "Successfully updated, Duplicate entries Skipped" appears. |

- To edit and update an already successful Intel rule, go to the Intel list at the bottom of the page.
Under the Action column, click Update.
The table below the File Upload table populates.

| Name | Description |
| --- | --- |
| Provider | Name of the threat intelligence provider |
| Indicator | Name of the indicator |
| Indicator Type | Type of indicator |

If the update is successful, the message "Intel rule status" appears.
View IntelEvent Instances
- Log in to the LogRhythm NDR UI.
- Click Hunt, and click Activity.
The Activity page appears. By default, the legend graph appears, showing the logs and events for the past hour.
The rules that were uploaded on the Intel Rules page appear under IntelEvent.
- To view only the IntelEvent instances, click IntelEvent.
All IntelEvent-related entries appear.