
Using the Threat Intelligence Feed

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016


Overview

This article details how to use the Threat Intelligence Feed in LEM.

Environment

LEM 6.2 or later

Details

Verify your Threat Intelligence Feed is enabled and updating.

  1. Go to Manage > Appliance > Settings.
  2. Verify that the Threat Intelligence Feed is enabled.

    Note: Every morning at 3:14 AM, your LEM updates its Threat Intelligence Feed list. You will find a daily event under Monitor > LEM Internal Events confirming whether the update succeeded or failed.

The Threat Intelligence Feed adds a specific field: isThreat. This field is only displayed on network-related events or event groups, such as events with Traffic in their names. If this field is marked as True, one of the source or destination fields matched an IP address or domain that is on the blacklist.

There are three built-in rule templates you can clone and use to be alerted to any suspicious activity. Enable any of these as appropriate for your environment. No customization should be needed besides specifying a user to email the alert to.
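To make the isThreat field and the alerting rules concrete, here is an added illustration that is not LEM's own code: it models how a network event's source and destination fields are checked against a feed and how a cloned rule would alert on isThreat. The feed entries, event names and field names (SourceMachine, DestinationMachine) are constructed placeholders, not real indicators or LEM identifiers.

```python
import ipaddress

# Constructed sample feed using documentation address ranges; not real indicators.
THREAT_NETWORKS = {ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.7/32")}
THREAT_DOMAINS = {"bad.example", "malware.example"}

NETWORK_EVENT_MARKER = "Traffic"            # only events with "Traffic" in the name get isThreat
ADDRESS_FIELDS = ("SourceMachine", "DestinationMachine")  # hypothetical field names


def is_blacklisted(value):
    """True if value is an IP inside a listed network, or a listed domain or a subdomain of one."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        host = value.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in THREAT_DOMAINS)
    return any(ip in net for net in THREAT_NETWORKS)


def enrich(event):
    """Set isThreat on network-related events only; other events are left untouched."""
    if NETWORK_EVENT_MARKER not in event["EventName"]:
        return event
    event["isThreat"] = any(is_blacklisted(event.get(f, "")) for f in ADDRESS_FIELDS)
    return event


def threat_rule(events):
    """Stand-in for a cloned rule template: alert on every event whose isThreat is True."""
    return [e for e in events if e.get("isThreat") is True]


# Constructed sample events; a non-Traffic event never receives the isThreat field.
SAMPLE_EVENTS = [
    {"EventName": "TCPTrafficAudit", "SourceMachine": "10.0.0.5", "DestinationMachine": "203.0.113.42"},
    {"EventName": "WebTrafficAudit", "SourceMachine": "10.0.0.6", "DestinationMachine": "cdn.bad.example"},
    {"EventName": "TCPTrafficAudit", "SourceMachine": "10.0.0.7", "DestinationMachine": "192.0.2.9"},
    {"EventName": "UserLogon", "SourceMachine": "203.0.113.42", "DestinationMachine": "dc01"},
]


def run(events):
    """Enrich a copy of each event, then apply the rule; returns the events that would alert."""
    return threat_rule([enrich(dict(e)) for e in events])


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"ALERT {alert['EventName']}: {alert['SourceMachine']} -> {alert['DestinationMachine']}")
```

Note that the UserLogon event carries a listed address but never gets isThreat, which matches the article's statement that the field appears only on network-related events.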

Last modified
20:25, 22 Jun 2016
