
Using the Threat Intelligence Feed in LEM

Updated September 21, 2017


This article details how to use the Threat Intelligence Feed in LEM, and what is needed to allow updating threat feeds.

Additional resource: Threat intelligence feed in SolarWinds Log and Event Manager video.


LEM 6.2 or later


Proxy Server
LEM currently cannot be configured to use a proxy server, so the appliance needs direct internet access through the firewall to reach the Threat Feeds website on port 443. Threat Feeds use a different port and website than the automated Connector Updates.



Internet Access needed for Threat Feeds

     Threat Feeds:    (Possible IP's: & & &

     Connector Updates:

Connector Updates uses port 80 to
          (Possible IP's: & & &


Verify your Threat Intelligence Feed is enabled and updating.

  1. Go to Manage > Appliance > Settings.
  2. Verify the feed is enabled as shown below.

    Note: Every morning at 3:14 AM, LEM updates its Threat Intelligence Feed list. A daily event under Monitor > LEM Internal Events confirms whether the update succeeded or failed.


The Threat Intelligence Feed has a specific field: isThreat. This field is displayed only on network-related events or event groups, such as events with Traffic in their names. If this field is marked as True, one of the source or destination fields matched an IP address or domain that is blacklisted.
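Because isThreat reports only that one side of an event matched the feed, not which side, the following added example (not SolarWinds code) triages flagged events by direction. The CSV export layout, every column name other than isThreat, the sample rows, and the internal address ranges are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample export. Column names other than isThreat are assumed.
SAMPLE_EXPORT = """EventName,SourceMachine,DestinationMachine,DestinationPort,isThreat
TCPTrafficAudit,10.0.4.17,203.0.113.50,443,True
TCPTrafficAudit,198.51.100.23,10.0.2.5,22,True
UDPTrafficAudit,10.0.4.18,10.0.0.2,53,False
TCPTrafficAudit,10.0.4.17,bad-domain.example,80,True
WebTrafficAudit,10.0.4.30,10.0.4.31,8080,True
"""

# Assumed internal ranges (RFC 1918); replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(host):
    """True if host is an IP literal inside INTERNAL_NETS; names count as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a domain name, not an IP literal
    return any(ip in net for net in INTERNAL_NETS)

def triage(export_text):
    """Return (direction, internal_host, flagged_peer) for each isThreat hit."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["isThreat"].strip().lower() != "true":
            continue
        src, dst = row["SourceMachine"], row["DestinationMachine"]
        src_int, dst_int = is_internal(src), is_internal(dst)
        if src_int and not dst_int:
            # Internal host contacted a listed address: check that host.
            findings.append(("outbound", src, dst))
        elif dst_int and not src_int:
            # Listed address reached an internal host: check exposure.
            findings.append(("inbound", dst, src))
        else:
            # Both or neither side internal: cannot attribute automatically.
            findings.append(("review", src, dst))
    return findings

if __name__ == "__main__":
    for direction, host, peer in triage(SAMPLE_EXPORT):
        print(f"{direction:8} internal={host} peer={peer}")
```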


There are three built-in rule templates you can clone and use to be alerted to any suspicious activity. Enable any of these as appropriate for your environment. They should need no customization besides specifying a user to receive the email alert.



Threat Feeds help monitor DDoS attacks, malware, botnets, spam, and more.
This helps to detect or pinpoint potential security issues such as phishing attempts, malware infections, and external attacks from bad hosts.


