How does the "IsThreat" value determined?

diogenes

Hey guys,

I was curious to see if we can have the "IsThreat" boolean value signal true when an IP in a custom made group appears in an event. The problem is, I don't know how LEM sets the "IsThreat" value in the first place. Is it tied to rules or a default group?

Thanks

-Diogenes

FormerMember

The isThreat value is tied to the threat intelligence/reputation feed integration - the beta post has more detail: Log & Event Manager 6.2 and a Threat Intelligence Feed‌ - it's set when an IP on incoming data matches the feed. Similar concept, but built in to LEM.