LogRhythm

Updated 5 hours ago by Elvis Hovor

This document explains how to set up LogRhythm’s Threat Intelligence Services (TIS) to collect Indicators of Compromise (IOC) data from the TruSTAR TAXII server and make that data available for analysis in LogRhythm.

Requirements

  • LogRhythm Threat Intelligence Services
  • LogRhythm Threat Intelligence Module

Refer to LogRhythm’s Threat Intelligence Service User Guide for information on how to configure these modules. Both the Threat Intelligence Service installer and its documentation are available from the LogRhythm Support portal.

The TruSTAR TAXII server serves IOCs from ALL enclaves that the user account tied to the API credentials in the poll request has access to. If you want to download from specific enclaves only, or you need to know the source enclave of the IOCs you download, customize enclave access using service accounts. For more information, see Customizing Enclave Access in the TAXII FAQ document.

Configuring the TAXII Client

After you have installed and configured the connection between LogRhythm Threat Intelligence Service Manager and LogRhythm, follow these steps in the Threat Intelligence Service Manager:

  1. Ensure the service has been started by clicking the Start Service link at the top of the screen.
  2. Click Add STIX/TAXII Provider.
  3. On the Custom Provider screen, fill in the form details as follows:
     • Threat Provider Name: Whatever name you choose for the TruSTAR threat intel (the steps below assume “TruSTAR Threat Intel”).
     • TAXII Collection Endpoint: https://taxii.trustar.co/services/collection-management
     • Username: Your API Authentication Key, available in TruSTAR Station at https://station.trustar.co/settings/api
     • Password: Your API Secret, available in TruSTAR Station at https://station.trustar.co/settings/api
     • Certificate Authentication: Leave unchecked and ignore Certificate Password and Certificate Path.
  4. Click Test when finished.
  5. Click OK in the Feeds Found popup box.
  6. Click Save on the Custom Provider screen. “TruSTAR Threat Intel” now appears in the left-side list, and the main portion of the app shows the nine feeds the TruSTAR TAXII server provides.
     NOTE: Not all of these can be consumed by LogRhythm. See the next step to enable specific feeds.
  7. Check the Enabled box to enable all feeds at once, then deselect any feeds that are not relevant to your LogRhythm correlation rules and investigation processes.
  8. Click the Test button. If the test is successful, you see a confirmation popup.
  9. Click OK to close the dialog box.
  10. Configure the Download every and First Run at parameters based on your operational requirements.
  11. Click Save to store this configuration. If the save is successful, you see a confirmation dialog box.
  12. Click OK to close that box and finish the TAXII client configuration.
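As an added example (not LogRhythm's or TruSTAR's own code), the Python script below does by hand what the Test button does: it sends a TAXII 1.1 Collection_Information_Request to the collection-management endpoint above, authenticating with HTTP Basic using the API key as username and the API secret as password, and lists the feeds the server advertises. It assumes the server speaks the TAXII 1.1 XML binding (which the endpoint path suggests); the sample response, its feed names and its poll URL are constructed, not captured from TruSTAR.

```python
import base64
import urllib.request
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"  # TAXII 1.1 XML binding (assumed)
ET.register_namespace("taxii_11", TAXII_NS)
COLLECTION_MGMT_URL = "https://taxii.trustar.co/services/collection-management"  # endpoint from the guide
TAXII_HEADERS = {"Content-Type": "application/xml",
                 "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
                 "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
                 "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1"}

def build_collection_information_request(message_id):
    """A TAXII 1.1 Collection_Information_Request is an empty element carrying only a message_id."""
    root = ET.Element(f"{{{TAXII_NS}}}Collection_Information_Request", message_id=message_id)
    return ET.tostring(root)

def parse_collection_information_response(xml_bytes):
    """Return one dict per advertised collection: its name, availability and poll URL (if any)."""
    feeds = []
    for coll in ET.fromstring(xml_bytes).findall(f"{{{TAXII_NS}}}Collection"):
        addr = coll.find(f"{{{TAXII_NS}}}Polling_Service/{{{TAXII_NS}}}Address")
        feeds.append({
            "name": coll.get("collection_name"),
            "available": coll.get("available", "true").lower() == "true",
            "poll_url": addr.text.strip() if addr is not None and addr.text else None,
        })
    return feeds

def discover_feeds(api_key, api_secret, url=COLLECTION_MGMT_URL):
    """Equivalent of the Test button: POST the request over TLS with HTTP Basic auth (key:secret)."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    body = build_collection_information_request(uuid.uuid4().hex)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={**TAXII_HEADERS, "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # default SSL context verifies the server cert
        return parse_collection_information_response(resp.read())

# Constructed sample response (not captured from TruSTAR); feed names and poll URL are placeholders.
SAMPLE_RESPONSE = b"""<taxii_11:Collection_Information_Response
  xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="r1" in_response_to="q1">
  <taxii_11:Collection collection_name="example_feed_a" collection_type="DATA_FEED" available="true">
    <taxii_11:Polling_Service><taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://taxii.example.invalid/services/poll</taxii_11:Address></taxii_11:Polling_Service>
  </taxii_11:Collection>
  <taxii_11:Collection collection_name="example_feed_b" collection_type="DATA_FEED" available="false"/>
</taxii_11:Collection_Information_Response>"""
```

Calling discover_feeds(key, secret) against the live endpoint lists the collections your account's enclaves expose, the same set the Feeds Found popup shows; parsing SAMPLE_RESPONSE offline shows the shape of the result.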

FAQ

Q: Where is the STIX package downloaded from the TruSTAR TAXII Server?

A: Navigate to LogRhythm\LogRhythmThreat Intelligence Service Demo\staging and open the folder named after the Threat Provider Name you configured when setting up the LogRhythm TAXII provider.

Please reach out to support@trustar.co for any additional questions.
