


Using the Threat Intelligence Feed in LEM

Created by Jason Dee, last modified by Jason Dee on Sep 21, 2017


Updated September 21, 2017

Overview

This article details how to use the Threat Intelligence Feed in LEM, and what is needed to allow updating threat feeds.

Environment

LEM 6.2 or later

Details

Proxy Server
Currently, LEM cannot be configured to use a proxy server, so it needs direct internet access through the firewall to reach the Threat Feeds website on port 443. Note that the Threat Feeds use a different port and website than the automated Connector Updates, so both paths must be allowed separately.

Internet Access needed for Threat Feeds

Threat Feeds: port 443 to https://rules.emergingthreats.net
(Possible IPs: 96.43.137.99, 204.12.217.19, 54.231.64.20, 69.20.68.177)

Connector Updates: port 80 to http://downloads.solarwinds.com
(Possible IPs: 23.212.53.182, 23.212.53.190, 64.48.225.51, 64.48.225.99)
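As an added example (not from the article or from SolarWinds), the following Python script checks, from a host on the same network segment as the LEM appliance, whether the two egress paths listed above are open. It resolves each hostname, warns when DNS returns an address that is not in the article's "possible IP" list (a firewall rule keyed on those addresses rather than on the hostname would silently block the update), and attempts a TCP connection on the documented port. The endpoints, ports and IP addresses are the article's own; the resolver and connector are injectable so the logic can be exercised without a network.

```python
import socket
from urllib.parse import urlparse

# Endpoints the article says LEM must reach (URLs, ports and IPs taken from the article).
REQUIRED_EGRESS = {
    "Threat Feeds": {
        "url": "https://rules.emergingthreats.net",
        "port": 443,
        "documented_ips": {"96.43.137.99", "204.12.217.19", "54.231.64.20", "69.20.68.177"},
    },
    "Connector Updates": {
        "url": "http://downloads.solarwinds.com",
        "port": 80,
        "documented_ips": {"23.212.53.182", "23.212.53.190", "64.48.225.51", "64.48.225.99"},
    },
}


def default_resolver(host):
    """Return the set of IPv4 addresses DNS currently returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}


def default_connector(ip, port, timeout=5.0):
    """Return True if a TCP connection to ip:port can be opened within timeout seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_egress(required=REQUIRED_EGRESS, resolver=default_resolver, connector=default_connector):
    """Check each endpoint and return, per name, the resolved addresses, the resolved
    addresses missing from the article's list, and whether any of them accepted a TCP connect.

    resolver and connector are parameters (an assumption of this example) so the
    function can be tested offline with stand-ins.
    """
    results = {}
    for name, spec in required.items():
        host = urlparse(spec["url"]).hostname
        resolved = resolver(host)
        # Addresses DNS returns that the article does not document: an IP-based
        # allow rule built from the article alone would not cover these.
        undocumented = resolved - spec["documented_ips"]
        reachable = any(connector(ip, spec["port"]) for ip in resolved)
        results[name] = {"resolved": resolved, "undocumented": undocumented, "reachable": reachable}
    return results


if __name__ == "__main__":
    for name, r in check_egress().items():
        status = "OK" if r["reachable"] else "BLOCKED"
        print(f"{name}: {status}; resolved {sorted(r['resolved'])}")
        if r["undocumented"]:
            print(f"  warning: addresses not in the documented list: {sorted(r['undocumented'])}")
```

Run it on a machine that shares the appliance's egress path; a BLOCKED result for either entry means the corresponding firewall rule is missing, and an "undocumented" warning means the hostname now resolves to addresses the article does not list, so the firewall rule should be keyed on the hostname or the address list should be refreshed.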

Verify your Threat Intelligence Feed is enabled and updating.

  1. Go to Manage > Appliance > Settings.
  2. Verify that the Threat Intelligence Feed is enabled.

    Note: Every morning at 3:14 AM, your LEM updates its Threat Intelligence Feed list. A daily event under Monitor > LEM Internal Events confirms whether the update succeeded or failed; if that event is missing or reports a failure, check the firewall access described above.

The Threat Intelligence Feed adds a specific field, isThreat, to events. This field is only displayed on network-related events or event groups, such as events with Traffic in their names. If the field is True, one of the source or destination fields of that event matched an IP address or domain on the blacklist.

There are three built-in rule templates you can clone and use to be alerted to suspicious activity. Enable any of them as appropriate for your environment. They should need no customization beyond specifying a user to receive the email alert.
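The isThreat evaluation described above, together with the rule logic the built-in templates apply to it, as an added Python example that is not LEM's own code: it parses a constructed threat list in the one-entry-per-line, "#"-commented style of a plain-text block list, attaches isThreat only to events whose type contains "Traffic", sets it True when the source or destination matches a listed IP address, CIDR range or domain (including subdomains), and collects the matching events the way an alerting rule would. The field names EventType, SourceMachine and DestinationMachine, the sample feed and the sample events are all assumptions of this example.

```python
import ipaddress

# Constructed sample feed (not the live emergingthreats.net list): one IP, CIDR
# range or domain per line, '#' starts a comment.
SAMPLE_FEED = """\
# constructed sample, not a real feed
198.51.100.23
203.0.113.0/24
bad-example.invalid
"""

# Constructed sample events; the field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"EventType": "TCPTrafficAudit", "SourceMachine": "10.0.0.5", "DestinationMachine": "203.0.113.77"},
    {"EventType": "WebTrafficAudit", "SourceMachine": "10.0.0.8", "DestinationMachine": "www.bad-example.invalid"},
    {"EventType": "TCPTrafficAudit", "SourceMachine": "10.0.0.9", "DestinationMachine": "192.0.2.10"},
    {"EventType": "UserLogon", "SourceMachine": "198.51.100.23", "DestinationMachine": "dc01"},
]

ADDRESS_FIELDS = ("SourceMachine", "DestinationMachine")


def parse_feed(text):
    """Split a plain-text feed into a list of IP networks and a set of lower-cased domains."""
    networks, domains = [], set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Not an IP or CIDR, so treat the entry as a domain name.
            domains.add(entry.lower())
    return networks, domains


def is_listed(value, networks, domains):
    """True if value (an IP string or a hostname) is on the blacklist."""
    if not value:
        return False
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        host = value.lower().rstrip(".")
        # Match the listed domain itself or any subdomain of it.
        return any(host == d or host.endswith("." + d) for d in domains)
    # ipaddress returns False for a version mismatch (IPv6 address vs IPv4 network).
    return any(addr in net for net in networks)


def evaluate(event, networks, domains):
    """Return a copy of event with isThreat set as the article describes: the field
    exists only on events whose type contains 'Traffic', and is True when any
    source or destination field matches the feed."""
    out = dict(event)
    if "Traffic" not in event.get("EventType", ""):
        out.pop("isThreat", None)
        return out
    out["isThreat"] = any(is_listed(event.get(f), networks, domains) for f in ADDRESS_FIELDS)
    return out


def threat_alerts(events, networks, domains):
    """Rule logic equivalent to the built-in templates: the Traffic events whose
    isThreat is True, i.e. the ones that should produce an email alert."""
    evaluated = (evaluate(e, networks, domains) for e in events)
    return [e for e in evaluated if e.get("isThreat") is True]


if __name__ == "__main__":
    nets, doms = parse_feed(SAMPLE_FEED)
    for alert in threat_alerts(SAMPLE_EVENTS, nets, doms):
        print(f"ALERT {alert['EventType']}: {alert['SourceMachine']} -> {alert['DestinationMachine']}")
```

With the sample data, the first two Traffic events are flagged (a destination inside the listed /24 and a subdomain of the listed domain), the third is a Traffic event with isThreat False, and the logon event carries no isThreat field at all, which is why a rule built on this field only ever fires on network-related events.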

Threat Feeds help monitor DDoS attacks, malware, botnets, spam and more. This helps you detect and pinpoint potential security issues such as phishing attempts, malware infections, and external attacks from known-bad hosts.
