Threat Intelligence Provider

Update Intel Rules

  1. Log in to the LogRhythm NDR UI.

  2. Click Settings, click Policy Management, and then click Intel Rules.
    The Intel Rule page appears.

  3. To complete the fields, use the following table.

    Name           Description
    Provider       Name of the threat intelligence provider
    File Upload    Definitions and Rules CSV file


  4. Click Upload.

    If this happens                                                            Then this appears
    If there is something wrong with the upload or the wrong format is used    The message "Problem with File, Please Upload correct format" appears.
    If the upload is successful                                                The message "Successfully updated" appears.
    If the upload is successful but there are duplicate entries                The message "Successfully updated, Duplicate entries Skipped" appears.


  5. To edit and update an Intel rule that has already been uploaded successfully, go to the Intel list at the bottom of the page.

  6. Under the Action column, click Update.
    The table below the File Upload table populates.

    Name              Description
    Provider          Name of the threat intelligence provider
    Indicator         Name of the Indicator
    Indicator Type    Type of Indicator

    If the update is successful, the message "Intel rule status" appears.

View IntelEvent Instances

  1. Log in to the LogRhythm NDR UI.

  2. Click Hunt, and then click Activity.
    The Activity page appears. By default, the legend graph appears, showing the logs and events for the past hour.
    The rules that were uploaded on the Intel Rules page appear under IntelEvent.

  3. To view only the IntelEvent instances, click IntelEvent.
    All IntelEvent-related entries appear.