
Using the Threat Intelligence Feed in LEM

Created by Jason Dee, last modified by Tim Rush on Jul 07, 2017



This article details how to use the Threat Intelligence Feed in LEM, and what is needed to allow updating threat feeds.


LEM 6.2 or later


Proxy Server
Currently, LEM cannot be configured to use a proxy server, so it needs internet access through the firewall to reach the Threat Feeds website on port 443. Threat Feeds use a different port and website than the automated Connector Updates.



Internet Access needed for Threat Feeds

     Threat Feeds:    (possible IP's: & & &

     Connector Updates:

Connector updates use port 80 to
          (possible IP's: & & &


Verify your Threat Intelligence Feed is enabled and updating.

  1. Go to Manage > Appliance > Settings.
  2. Verify the feed is enabled as shown below.

    Note: Every morning at 3:14 AM, your LEM updates its Threat Intelligence Feed list. A daily event under Monitor > LEM Internal Events reports whether the update succeeded or failed.


The Threat Intelligence Feed has a specific field: isThreat. This field is only displayed on network-related events or event groups, such as events with Traffic in their names. If this field is marked as True, one of the source or destination fields matched an IP address or domain that is blacklisted.
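
To illustrate what the isThreat flag represents, the following added example (not SolarWinds code, and not a description of how LEM works internally) tags constructed traffic events whose source or destination matches a constructed blocklist. The field names `name`, `source` and `destination`, the sample events and the feed entries are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample blocklist (documentation-range IPs, reserved example domain).
FEED = {"203.0.113.7", "2001:db8::bad", "malicious.example"}

def normalize(value):
    """Return a canonical form of an IP address or host name for comparison."""
    value = value.strip()
    try:
        # Canonicalise IPs so "2001:DB8:0::BAD" and "2001:db8::bad" compare equal.
        return str(ipaddress.ip_address(value))
    except ValueError:
        # Not an IP: treat as a host name (case-insensitive, ignore trailing dot).
        return value.lower().rstrip(".")

def build_index(entries):
    """Normalise every feed entry once so lookups are simple set membership tests."""
    return {normalize(e) for e in entries}

def is_threat(event, index):
    """True when the source or destination field matches a feed entry."""
    return any(normalize(event.get(f, "")) in index for f in ("source", "destination"))

def tag_events(events, index):
    """Return copies of the events; only traffic events receive an isThreat field."""
    tagged = []
    for ev in events:
        ev = dict(ev)
        if "Traffic" in ev["name"]:
            ev["isThreat"] = is_threat(ev, index)
        tagged.append(ev)
    return tagged

# Constructed sample events; the field names are assumptions, not LEM's export format.
EVENTS = [
    {"name": "TCPTrafficAudit", "source": "10.0.0.5", "destination": "203.0.113.7"},
    {"name": "TCPTrafficAudit", "source": "10.0.0.5", "destination": "198.51.100.20"},
    {"name": "WebTrafficAudit", "source": "10.0.0.8", "destination": "Malicious.Example."},
    {"name": "UDPTrafficAudit", "source": "2001:DB8:0::BAD", "destination": "10.0.0.9"},
    {"name": "UserLogon", "source": "203.0.113.7", "destination": "10.0.0.1"},
]

if __name__ == "__main__":
    for ev in tag_events(EVENTS, build_index(FEED)):
        print(ev["name"], ev["source"], ev["destination"], ev.get("isThreat", "n/a"))
```

The last sample event involves a listed address but is not a traffic event, so it carries no isThreat field, mirroring the behaviour described above.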


There are three built-in rule templates you can clone and use to be alerted to any suspicious activity. Enable any of these as appropriate for your environment. They should need no customization besides specifying a user to email an alert to.



Threat Feeds help monitor DDoS attacks, Malware, Botnets, Spam and more. 
This helps to detect or pinpoint potential security issues like Phishing attempts, Malware infections, and external attacks from bad hosts.



Last modified
18:25, 6 Jul 2017