2 Replies Latest reply on Jul 15, 2016 7:22 PM by kdevmu

    Threat Intelligence with LEM

    kdevmu

      How threat intelligence with LEM works for Syslog traffic received from Firewall/UTM? 

       

      Does it check IP reputation with external threat database or downloads and stores threat database locally on SIEM?

      If it checks with external database, does it check for each source/destination IP every time?

      If it has checked the reputation of one IP once and found it good/bad, if the request from same IP is received in let's say 1 hour or so, will it again go and check with external database? I mean for every request.

      Does it keep a cache of IP Reputation? If yes, how frequently it updates?

      Which all external threat database it checks with?