LogRhythm

Updated 2 months ago by Elvis Hovor

This document explains how to install and use LogRhythm’s Threat Intelligence Services (TIS) to collect Indicator data from the TruSTAR TAXII server and make that data available for analysis in LogRhythm.

  • TruSTAR TAXII Server
  • TAXII FAQ
  • Creating a Service Account. TruSTAR's TAXII server exposes every Enclave that the API key you supply can access, so connect LogRhythm with a Service Account rather than an individual user's keys: you can restrict the account to only the Enclaves LogRhythm should receive, and rotating or resetting a user's API keys no longer breaks the integration. For more information on customizing Enclave access, see the TAXII FAQ document.

Requirements

LogRhythm’s TIS User Guide explains how to install and configure the Threat Intelligence Service components. Download the TIS installer and its documentation from the LogRhythm Support Portal.

Configuring the TAXII Client

After you have installed the LogRhythm Threat Intelligence Service Manager and configured its connection to your LogRhythm deployment, follow these steps in the Threat Intelligence Service Manager:

  1. Ensure the service has been started by clicking Start Service link at the top of the screen.
  2. Click Add STIX/TAXII Provider.
    LogRhythm_TAXII_Figure1
  3. On the Custom Provider screen, fill in the form details as explained below.
LogRhythm_TAXII_Figure2

  • Threat Provider Name: Any name you choose for the TruSTAR threat intel. Best practice is to include "TruSTAR" in the name so that you can easily identify the provider later.
  • TAXII Collection Endpoint: https://taxii.trustar.co/services/collection-management
  • Username: Enter your TruSTAR API Key (see Finding your API Key and API Secret).
  • Password: Enter your TruSTAR API Secret.
  • Certificate Authentication: Leave unchecked and ignore Certificate Password and Certificate Path.
  4. Click Test when finished.
  5. Click OK in the Feeds Found popup box.
    LogRhythm_TAXII_Figure3
  6. Click Save on the Custom Provider screen. The provider now appears under the name you chose in the left-side list. In the main portion of the app, you see the nine different feeds the TruSTAR TAXII server provides.
NOTE: Not all TruSTAR feeds can be consumed by LogRhythm. See the next step to enable specific feeds.
  7. Check the Enabled box to automatically enable all available feeds. You can deselect feeds that are not relevant to your LogRhythm correlation rules and investigation processes.
    LogRhythm_TAXII_Figure4
  8. Click the Test button. If the test is successful, you see a confirmation popup.
    LogRhythm_TAXII_Figure5
  9. Click OK to close the dialog box.
  10. Configure the Download every and First Run at parameters based on your operational requirements.
  11. Click Save to store this configuration. If the save is successful, you see a confirmation dialog box.
    LogRhythm_TAXII_Figure6
  12. Click OK to close that box and finish the TAXII client configuration.
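If the Test button fails, it helps to reproduce what the client does from a machine of your own, so you can tell a credential or Enclave-access problem from a LogRhythm-side one. The script below is an added example, not code from LogRhythm or TruSTAR: it sends a TAXII Collection_Information_Request to the endpoint named above with the API Key and API Secret as HTTP Basic credentials and lists the feeds the server returns. The page only gives the endpoint URL and the username/password mapping; the TAXII 1.1 XML binding, the Basic auth scheme, the environment variable names TRUSTAR_API_KEY and TRUSTAR_API_SECRET, and the two sample responses are assumptions made for the example.

```python
import base64
import os
import uuid
import urllib.request
import xml.etree.ElementTree as ET

# Endpoint and credential mapping (username = API key, password = API secret)
# come from this page. TAXII 1.1 XML binding over HTTP Basic auth is assumed.
COLLECTION_MGMT_URL = "https://taxii.trustar.co/services/collection-management"
TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def basic_auth_header(api_key, api_secret):
    """HTTP Basic value built from the same key/secret pair LogRhythm is given."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return "Basic " + token


def collection_information_request(message_id=None):
    """Body of a TAXII 1.1 Collection_Information_Request."""
    msg_id = message_id or str(uuid.uuid4().int)
    return (
        f'<taxii_11:Collection_Information_Request xmlns:taxii_11="{TAXII_NS}" '
        f'message_id="{msg_id}"/>'
    ).encode()


def parse_collections(response_xml):
    """List the collections (feeds) in a Collection_Information_Response.
    A Status_Message in its place means the server refused the request."""
    ns = "{" + TAXII_NS + "}"
    root = ET.fromstring(response_xml)
    if root.tag == ns + "Status_Message":
        detail = (root.findtext(ns + "Message") or "").strip()
        raise RuntimeError(f"TAXII status {root.get('status_type')}: {detail}")
    if root.tag != ns + "Collection_Information_Response":
        raise RuntimeError(f"unexpected TAXII message {root.tag}")
    feeds = []
    for coll in root.findall(ns + "Collection"):
        feeds.append({
            "name": coll.get("collection_name"),
            "type": coll.get("collection_type", "DATA_FEED"),
            "available": coll.get("available", "true").lower() == "true",
            "description": (coll.findtext(ns + "Description") or "").strip(),
        })
    return feeds


def list_collections(api_key, api_secret, url=COLLECTION_MGMT_URL, timeout=30):
    """POST the request over HTTPS and return the parsed feed list (needs network)."""
    headers = dict(TAXII_HEADERS, Authorization=basic_auth_header(api_key, api_secret))
    req = urllib.request.Request(url, data=collection_information_request(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_collections(resp.read())


# Constructed sample responses (not captured from TruSTAR) so the parser can be
# exercised offline; real collection names and descriptions will differ.
SAMPLE_RESPONSE = f"""<taxii_11:Collection_Information_Response xmlns:taxii_11="{TAXII_NS}"
    message_id="2" in_response_to="1">
  <taxii_11:Collection collection_name="sample-feed-a" collection_type="DATA_FEED" available="true">
    <taxii_11:Description>Constructed sample feed A</taxii_11:Description>
  </taxii_11:Collection>
  <taxii_11:Collection collection_name="sample-feed-b" collection_type="DATA_FEED" available="false">
    <taxii_11:Description>Constructed sample feed B</taxii_11:Description>
  </taxii_11:Collection>
</taxii_11:Collection_Information_Response>""".encode()

SAMPLE_REJECTION = f"""<taxii_11:Status_Message xmlns:taxii_11="{TAXII_NS}"
    message_id="3" in_response_to="1" status_type="UNAUTHORIZED">
  <taxii_11:Message>Constructed sample: bad API key or secret</taxii_11:Message>
</taxii_11:Status_Message>""".encode()


if __name__ == "__main__":
    # Read the Service Account credentials from the environment, never from source.
    key = os.environ["TRUSTAR_API_KEY"]
    secret = os.environ["TRUSTAR_API_SECRET"]
    for feed in list_collections(key, secret):
        state = "available" if feed["available"] else "unavailable"
        print(f"{state:12s} {feed['name']}: {feed['description']}")
```

Run it with the Service Account's key and secret exported in the environment. A Status_Message with an authorization-type status points at the credentials or the account's Enclave access; a response listing fewer feeds than you expect points at Enclave scoping; a successful list that LogRhythm still cannot fetch points at the TIS side.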

FAQ

Q: Where is the STIX package downloaded from the TruSTAR TAXII Server?

A: Navigate to LogRhythm\LogRhythm Threat Intelligence Service Demo\staging and open the folder named after the Threat Provider Name you configured when setting up the LogRhythm TAXII service.

Please reach out to support@trustar.co for any additional questions.
