With LEM 6.2 RC going on, and the impending release of 6.2, I've been using and abusing Threat Intelligence Feeds to find out some of the ways that this can fail.
- These rules will only produce results on LEM 6.2 or later
- These rules were written and tested on 6.2RC1 (as of Aug 21 2015)
- There are three rules in the pack:
- LEM Threat Feeds Administratively Disabled - Action if a LEM admin administratively turns off Threat Feeds
- LEM Threat Feeds Error Synchronizing - Action if the LEM is unable to reach the Threat Feeds source for synchronization. May fire multiple times before the issue is resolved or...
- LEM Threat Feeds Error Disabled - Action if the LEM hits its retry threshold and disables Threat Feeds. At this point, a user must manually re-enable Threat Intelligence Feeds in "Manage --> Appliance" to sync again
Obviously a LEM admin could disable the rule before they disable Threat Feeds, so this won't alert on someone being "intelligent and malicious," but "malicious and stupid" and "made a mistkae" [sic] would get picked up.
All three rules send an e-mail, and the "Error Disabled" will create an Incident. I used the Default template because everyone will have it and it'll populate, but I recommend creating or using a more detailed template for these messages, especially the "Administratively Disabled" if you want to know which user disabled the Threat Feeds.