
Using the Threat Intelligence Feed in LEM

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016


Overview

This article details how to use the Threat Intelligence Feed in LEM.

Environment

LEM 6.2 or later

Details

Verify your Threat Intelligence Feed is enabled and updating.

  1. Go to Manage > Appliance > Settings.
  2. Verify the feed is enabled as shown below.


Note: Every morning at 3:14 AM, your LEM updates its Threat Intelligence Feed list. You will find a daily event under Monitor > LEM Internal Events confirming whether the update succeeded or failed.

The Threat Intelligence Feed adds a specific field: isThreat. This field appears only on network-related events or event groups, such as events with Traffic in their names. If the field is set to True, one of the source or destination fields matched an IP address or domain on the feed's blacklist.

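As an added illustration (not part of the original article or of LEM itself), the following script triages an exported batch of events the way the field semantics above describe: only Traffic events carry isThreat, an absent field is not the same as False, and the value may arrive as a bool or as the string "True". The EventName, SourceMachine, DestinationMachine and DetectionTime field names and the sample records are assumptions constructed for the example.

```python
"""Triage helper: list network events the Threat Intelligence Feed flagged.

Assumed export format: one dict per event. Only the isThreat field name comes
from the article; the other field names are assumptions for this example.
"""
from typing import Iterable


def is_truthy(value) -> bool:
    """isThreat may be exported as a bool or as the string 'True'/'true'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def flagged_traffic_events(events: Iterable[dict]) -> list[dict]:
    """Return Traffic events whose isThreat field is set.

    isThreat only exists on network-related events (names containing
    'Traffic'). Events that lack the field are skipped, not treated as
    non-threats, so a non-network event never masks a real hit.
    """
    hits = []
    for ev in events:
        name = ev.get("EventName", "")
        if "Traffic" not in name or "isThreat" not in ev:
            continue
        if is_truthy(ev["isThreat"]):
            hits.append({
                "EventName": name,
                "DetectionTime": ev.get("DetectionTime"),
                # The feed does not say which side matched the blacklist,
                # so both endpoints are kept for the analyst to review.
                "Source": ev.get("SourceMachine"),
                "Destination": ev.get("DestinationMachine"),
            })
    return hits


# Constructed sample export (not real LEM data).
SAMPLE_EVENTS = [
    {"EventName": "TCPTrafficAudit", "DetectionTime": "2016-06-22T03:20:11",
     "isThreat": "True", "SourceMachine": "10.0.0.5",
     "DestinationMachine": "203.0.113.10"},
    {"EventName": "UDPTrafficAudit", "DetectionTime": "2016-06-22T03:21:02",
     "isThreat": False, "SourceMachine": "10.0.0.7",
     "DestinationMachine": "10.0.0.1"},
    {"EventName": "UserLogon", "DetectionTime": "2016-06-22T03:22:40",
     "SourceMachine": "10.0.0.9"},  # no isThreat field on non-network events
    {"EventName": "WebTrafficAudit", "DetectionTime": "2016-06-22T03:23:05",
     "isThreat": "true", "SourceMachine": "10.0.0.12",
     "DestinationMachine": "198.51.100.23"},
]

if __name__ == "__main__":
    for hit in flagged_traffic_events(SAMPLE_EVENTS):
        print(hit)
```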

There are three built-in rule templates you can clone and use to be alerted on any suspicious activity. Enable any of these as appropriate for your environment. They should require no customization beyond specifying a user to email the alert to.

Last modified
20:25, 22 Jun 2016
