This document describes how to use LogRhythm’s Threat Intelligence Services (TIS) to collect Indicators of Compromise (IOC) data from TruSTAR and make it available for analysis in LogRhythm.
This integration requires LogRhythm Threat Intelligence Services and the LogRhythm Threat Intelligence Module. Please refer to LogRhythm’s Threat Intelligence Service User Guide for additional information on how to configure these modules. The Threat Intelligence Service installer can be downloaded from the LogRhythm Support portal and further information can also be found on the LogRhythm Support portal.
LogRhythm TIS Overview
The LogRhythm TIS supports integration with any threat intelligence provider that is STIX/TAXII compliant and is discoverable through a TAXII service endpoint. TruSTAR utilizes this feature of LogRhythm to let LogRhythm users take full advantage of TruSTAR’s high quality threat data.
Configure TruSTAR Integration
After you have installed and configured the connection between LogRhythm Threat Intelligence Service Manager and LogRhythm, follow these steps in the Threat Intelligence Service Manager:
- Ensure the service has been started by clicking the Start Service link at the top.
- Click the Add STIX/TAXII Provider button.
- You will see this screen
- Fill in the form with the following details:
  - TAXII Collection Endpoint: https://taxii.trustar.co/services/collection-management
  - Username: This is your API Authentication Key, available on TruSTAR Station. Click here to get it: https://station.trustar.co/settings/api
  - Password: This is your API Secret, available on TruSTAR Station. Click here to get it: https://station.trustar.co/settings/api
  - Certificate Authentication: Leave unchecked and ignore Certificate Password and Certificate Path.
  - Threat Provider Name: TruSTAR Threat Intel (you can use any name of your choice).
- Click the Test button. You should see the following pop-up.
- Click OK and then Save.
- You will see “TruSTAR Threat Intel” in the left-hand side list. In the main portion of the app you should see 9 different feeds. NOTE: Not all of these can be consumed by LogRhythm. See the next step to enable specific feeds.
- Check the Enabled box. This will automatically enable all feeds. Deselect the feeds that are not relevant to your LogRhythm correlation rules and investigation processes.
- Click the Test button. You should see a pop-up with the message Test connection is successful. Click the OK button.
- You can configure the “Download every” and “First Run at” parameters based on your operational requirements.
- Click the Save button. You will see the following pop-up message. Click the OK button.
Q: Where can I find the STIX package that is downloaded from the TruSTAR TAXII Server?
A: Navigate to LogRhythm\LogRhythmThreat Intelligence Service Demo\staging and select the folder with the Threat Provider Name you configured when setting up the LogRhythm TAXII service.
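To decide which feeds are relevant to your correlation rules, it helps to see which observable types each staged package actually carries. The script below is an added example, not part of the original guide or of LogRhythm's or TruSTAR's tooling; it assumes the staged files are STIX 1.x XML with a `.xml` extension, and the function names and sample package are constructed for illustration.

```python
import collections
import pathlib
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
INDICATOR = "{http://stix.mitre.org/stix-1}Indicator"
PROPERTIES = "{http://cybox.mitre.org/cybox-2}Properties"

# Constructed sample package (not TruSTAR data): one address and one domain indicator.
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><stix:Indicators>
 <stix:Indicator><indicator:Observable><cybox:Object>
  <cybox:Properties xsi:type="AddressObj:AddressObjectType">
   <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
  </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
 <stix:Indicator><indicator:Observable><cybox:Object>
  <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
   <DomainNameObj:Value>example.com</DomainNameObj:Value>
  </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
</stix:Indicators></stix:STIX_Package>"""

def summarize_package(xml_text):
    """Return (indicator count, Counter of CybOX object types) for one package."""
    if "<!DOCTYPE" in xml_text:  # STIX needs no DTD; refuse entity-expansion tricks
        raise ValueError("DOCTYPE not allowed in a STIX package")
    root = ET.fromstring(xml_text)
    types = collections.Counter()
    for props in root.iter(PROPERTIES):
        # xsi:type looks like "AddressObj:AddressObjectType"; keep the local part
        types[props.get(XSI_TYPE, "unknown").split(":")[-1]] += 1
    return sum(1 for _ in root.iter(INDICATOR)), types

def summarize_staging(folder):
    """Summarize every .xml file under the provider's staging folder (assumed layout)."""
    results = {}
    for path in sorted(pathlib.Path(folder).rglob("*.xml")):
        try:
            results[path.name] = summarize_package(path.read_text(encoding="utf-8"))
        except (ET.ParseError, ValueError) as exc:
            results[path.name] = exc  # truncated, non-XML or rejected download
    return results

if __name__ == "__main__":
    print(summarize_package(SAMPLE))
```

Point `summarize_staging` at the provider folder named in the answer above; a file that maps to an exception instead of a tuple did not parse as a clean package and is worth checking before relying on that feed.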