
Using a Threat Intelligence Feed with LEM?

I am curious if anybody out there is using LEM in conjunction with a Threat Intelligence feed?  I realize that LEM doesn't currently accept any of the feed protocols; however, I have seen that some feeds provide human readable dashboards which can then be used in conjunction with a SIEM such as LEM.

  • FormerMember

    We keep an eye on this question to see what we can integrate with natively, but so far haven't heard much of it. We have had some people import feed info via CSVs to User-Defined Groups to use in correlation rules or filters, but so far that's about it (and it's somewhat infrequent or vague).

    Maybe some others will chime in with their experience, but that's what I've heard from the tower.

  • We keep an eye on this question to see what we can integrate with natively, but so far haven't heard much of it.

    I guess my question would be: what options do you provide for Threat Intelligence Feeds to integrate into LEM?  If you are waiting to see what you can integrate with natively, what native options do you support?

    We have had some people import feed info via CSVs to User-Defined Groups to use in correlation rules or filters, but so far that's about it (and it's somewhat infrequent or vague).

    How do you import CSV into a user defined group?  If I was able to get CSV data from some other source I would love to import a list of IPs into a group that LEM would then use as a watch list.


  • FormerMember in reply to byrona

    Right now the only real option IS the import CSV to UDG. Effectively the "Import" on a UDG can import a CSV. Mentioned here: Log & Event Manager v5.7 RC Now Available: Scheduled Searching, License Recycling, and More! - here's the copy/paste for that section (it's super brief):

    IMPORT USER-DEFINED GROUPS FROM CSV FILES

    A commonly requested feature is the ability to import CSV files to automatically populate groups, rather than having to edit data elements by hand, which we've implemented in this RC. From Build>Groups, go to (top right) Gear>Import, change to "All File Types" and choose your CSV file. The format of the file is basically what you see in Build>Groups:

    UDG, UDG Name, UDG Description

    Element Name, Element Data, Element Description

    Element 2 Name, Element 2 Data, Element 2 Description

    If you could get the data as a big list (text?), you could create a CSV with the other 2 columns (name/description) and pull it in. Data is the column/field that's actually used for the comparison.
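    As an added example (not from the post above and not SolarWinds code), here is a Python script that turns a plain-text indicator list into the three-column layout the post describes. It assumes the first row starts with the literal word UDG as shown, that LEM only compares on the Data column, and the feed content is constructed.

    ```python
    import csv
    import io
    import ipaddress

    # Constructed sample feed: one IP per line, with a comment, a blank line,
    # a malformed entry and a duplicate, to show what the converter has to handle.
    SAMPLE_FEED = """# constructed example feed
    198.51.100.7
    203.0.113.25

    not-an-ip
    198.51.100.7
    """


    def build_udg_csv(feed_text, group_name, group_description):
        """Build the UDG import file described in the post.

        Row 1:   UDG, <group name>, <group description>   (assumed literal "UDG")
        Row 2+:  <element name>, <element data>, <element description>
        Only the Data column is used by LEM for the comparison; Name and
        Description are labels. Returns (csv_text, skipped_lines).
        """
        rows = [["UDG", group_name, group_description]]
        seen = set()
        skipped = []
        for raw in feed_text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # ignore blanks and feed comments
            try:
                ip = str(ipaddress.ip_address(line))  # validate and normalise
            except ValueError:
                skipped.append(line)  # keep a record of what was rejected
                continue
            if ip in seen:
                continue  # one element per indicator
            seen.add(ip)
            rows.append([f"{group_name}-{len(seen)}", ip, f"from feed: {group_name}"])
        out = io.StringIO()
        csv.writer(out, lineterminator="\n").writerows(rows)
        return out.getvalue(), skipped


    if __name__ == "__main__":
        text, rejected = build_udg_csv(SAMPLE_FEED, "ThreatFeed", "Constructed watch list")
        print(text)
        print("skipped:", rejected)
    ```

    Save the returned text as a .csv and import it from Build>Groups via Gear>Import as the post describes; the skipped list tells you which feed lines never made it into the watch list.
    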

  • Awesome, thanks Nicole!  I will go ahead and give this a try as soon as I can.

  • nicole pauls if you get a chance you should check out the service that the folks over at ThreatStream have put together.  I just had a conversation with them today and what they have is pretty awesome.  I did mention that we use LEM as our SIEM and therefore have no native ability to consume the data from their feed.  They noted that since they are a newer company they are very agile at working with different SIEM solution providers to integrate with their technologies and he suggested that they may be reaching out to you as another SIEM to work to integrate with.  They have already integrated with different SIEM solutions and consider themselves "SIEM agnostic" despite the fact they were born from ex-ArcSight employees.  I just thought I should point this all out.

  • Sorry for bumping this old thread.

    It seems like this feature does not work anymore. I am on 6.3.1 HF5 and am unable to import CSV lists into User Defined Groups

    I followed instructions from your post and I get this error:

    [screenshot: csv-to-udg.jpg]

    Has anyone got this feature working?

    Edit: I found that this feature now works only with .txt files

    Import a text file to create a User Defined Group (UDG) - SolarWinds Worldwide, LLC. Help and Support