Submit a ticketCall us

Solarwinds & Cisco Live! Barcelona
Join us from the 29th of January to the 2nd of February at Cisco Live 2018 in Barcelona, where we will continue to show how monitoring the network with SolarWinds will keep you ahead of the game. At our booth (WEP 1A), we will demonstrate how SolarWinds network solutions can help. As a bonus, we are also hosting a pre-event webinar - Blame the Network, Hybrid IT Edition with our SolarWinds Head Geek™, Patrick Hubbard on January 24th - GMT (UTC+0): 10:00 a.m. to 11:00 a.m. There's still time to RSVP.

Home > Success Center > Log & Event Manager (LEM) > Using the Threat Intelligence Feed in LEM

Using the Threat Intelligence Feed in LEM

Created by Jason Dee, last modified by Jason Dee on Sep 21, 2017

Views: 1,680 Votes: 3 Revisions: 7

Updated September 21, 2017

Overview

This article details how to use the Threat Intelligence Feed in LEM, and what is needed to allow updating threat feeds.

Environment

LEM 6.2 or later

Details

Proxy Server
Currently, LEM cannot be configured to use a proxy server, so it will need internet access through the firewall to reach the Threat Feeds website on port 443. Threat Feeds use a different port and website, as compared to the automated Connector Updates.

 

 

Internet Access needed for Threat Feeds

     Threat Feeds:

https://rules.emergingthreats.net    (Possible IP's: 96.43.137.99 & 204.12.217.19 & 54.231.64.20 & 69.20.68.177)

     Connector Updates:

Connector Updates uses port 80 to http://downloads.solarwinds.com.
          (Possible IP's: 23.212.53.182 & 23.212.53.190 & 64.48.225.51 & 64.48.225.99)

 


Verify your Threat Intelligence Feed is enabled and updating.

  1. Go to Manage > Appliance > Settings.
  2. Verify the feed is enabled as shown below.


    Note: Every morning at 3:14 AM, your LEM updates its Threat Intelligence Feed list. You will find a daily event under Monitor > LEM Internal Events confirming if the update is successful or failed.

 


The Threat Intelligence Feed has a specific field: isThreat. This field is only displayed on network-related events or event groups, such as events with Traffic in its name. If this field is marked as True, one of the source or destination fields hit an IP address or domain that is blacklisted.

 

There are three built-in rule templates you can clone and use to be alerted for any suspicious activity. Enable any of these as appropriate for your environment. They should need no customization besides specifying a user to receive the email alert.

 

 

Threat Feeds help monitor DDoS attacks, Malware, Botnets, Spam and more. 
This helps to detect or pinpoint potential security issues like Phishing attempts, Malware infections, and external attacks from bad hosts.

 

 

Last modified

Tags

Classifications

Public