This document explains how to install and use LogRhythm’s Threat Intelligence Services (TIS) to collect IOC data from the TruSTAR TAXII server and make that data available for analysis in LogRhythm.
- TruSTAR TAXII Server
- TAXII FAQ
- A Service Account. TruSTAR's TAXII server accesses every enclave that your API keys can access; a Service Account lets you customize access by enclave and also mitigates the risk associated with resetting API keys. For more information on customizing enclave access, see the TAXII FAQ document.
- LogRhythm Threat Intelligence Services
- LogRhythm Threat Intelligence Module
- Access to your TruSTAR API Key and API Secret.
Configuring the TAXII Client
After you have installed and configured the connection between LogRhythm Threat Intelligence Service Manager and LogRhythm, follow these steps in the Threat Intelligence Service Manager:
- Ensure the service has been started by clicking the Start Service link at the top of the screen.
- Click Add STIX/TAXII Provider.
- On the Custom Provider screen, fill in the form details as explained below.
  - Threat Provider Name: Any name you choose for the TruSTAR threat intel feed (the steps below assume “TruSTAR Threat Intel”).
  - TAXII Collection Endpoint: https://taxii.trustar.co/services/collection-management
  - Username: Your API Authentication Key, available in TruSTAR Station at https://station.trustar.co/settings/api
  - Password: Your API Secret, available in TruSTAR Station at https://station.trustar.co/settings/api
  - Certificate Authentication: Leave unchecked and ignore the Certificate Password and Certificate Path fields.
- Click Test when finished.
- Click OK in the Feeds Found popup box.
- Click Save on the Custom Provider screen. “TruSTAR Threat Intel” now appears in the left-side list, and the main portion of the app lists the nine feeds the TruSTAR TAXII server provides.
- Check the Enabled box to enable all feeds at once. Deselect any feeds that are not relevant to your LogRhythm correlation rules and investigation processes.
- Click the Test button. If the test is successful, you see a confirmation popup.
- Click OK to close the dialog box.
- Configure the Download every and First Run at parameters based on your operational requirements.
- Click Save to store this configuration. If the save is successful, you see a confirmation dialog box.
- Click OK to close that box and finish the TAXII client configuration.
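The Test step above sends a TAXII collection-information request to the endpoint and turns the reply into the feed list shown in the Feeds Found popup. The following Python script is an added example (not code from the LogRhythm or TruSTAR documentation) of that exchange: it builds the request, sets the HTTP Basic credentials that carry the API key and secret, and parses the response into feed records while rejecting a reply that does not answer the request it sent. It assumes the TAXII 1.1 XML message binding and Basic authentication, and the server response is a constructed sample, not real TruSTAR output.

```python
import base64
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"

def tag(name):
    return "{%s}%s" % (TAXII_NS, name)

def build_request_headers(api_key, api_secret):
    # The TIS Username/Password fields travel as HTTP Basic credentials (assumption);
    # the X-TAXII headers declare the protocol and message binding the client speaks.
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/xml",
            "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
            "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
            "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1"}

def build_collection_information_request(message_id):
    # "Which feeds do you offer?" message POSTed to the collection-management endpoint.
    ET.register_namespace("taxii_11", TAXII_NS)
    root = ET.Element(tag("Collection_Information_Request"), message_id=message_id)
    return ET.tostring(root, encoding="unicode")

def parse_collection_information_response(xml_text, expected_message_id):
    # Accept only a Collection_Information_Response that answers our own request,
    # then return one record per advertised feed (name, availability, poll URL).
    root = ET.fromstring(xml_text)
    if root.tag != tag("Collection_Information_Response"):
        raise ValueError("unexpected TAXII message: %s" % root.tag)
    if root.get("in_response_to") != expected_message_id:
        raise ValueError("in_response_to does not match the request message_id")
    feeds = []
    for coll in root.findall(tag("Collection")):
        address = coll.find(tag("Polling_Service") + "/" + tag("Address"))
        feeds.append({"name": coll.get("collection_name"),
                      "available": coll.get("available") == "true",
                      "poll_url": None if address is None else address.text})
    return feeds

# Constructed sample response (two feeds, one unavailable); not real TruSTAR output.
SAMPLE_RESPONSE = """<taxii_11:Collection_Information_Response
  xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  message_id="2" in_response_to="1">
  <taxii_11:Collection collection_name="Constructed Enclave Feed" available="true">
    <taxii_11:Polling_Service>
      <taxii_11:Address>https://taxii.example.invalid/services/poll</taxii_11:Address>
    </taxii_11:Polling_Service>
  </taxii_11:Collection>
  <taxii_11:Collection collection_name="Disabled Feed" available="false"/>
</taxii_11:Collection_Information_Response>"""
```

Feeds whose `available` flag is false correspond to entries you would leave unchecked in the TIS feed list.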
Q: Where is the STIX package downloaded from the TruSTAR TAXII Server?
A: Navigate to LogRhythm\LogRhythmThreat Intelligence Service Demo\staging and open the folder named after the Threat Provider Name you configured when setting up the LogRhythm TAXII service.