Using a Threat Intelligence Feed with LEM?
Sep 5, 2014 3:25 PM
Sep 5, 2014 3:25 PM
-
Re: Using a Thread Intelligence Feed with LEM?
1 of 1 people found this helpfulWe keep an eye on this question to see what we can integrate with natively, but so far haven't heard much of it. We have had some people import feed info via CSVs to User-Defined Groups to use in correlation rules or filters, but so far that's about it (and it's somewhat infrequent or vague).
Maybe some others will chime in with their experience, but that's what I've heard from the tower.
-
Re: Using a Thread Intelligence Feed with LEM?
byrona
Sep 4, 2014 10:43 PM
Thanks for the info Nicole! I am actually have two different meetings next week to look at Threat Intelligence Feeds, one with a SIEM expert that I have been talking with for over a year on LinkedIn and another with an actual Threat Intel Feed vendor. My hopes are that I can see what capabilities are available, what other SIEM vendors are doing and map that to what I might be able to do with LEM.
-
Re: Using a Threat Intelligence Feed with LEM?
byrona
Sep 5, 2014 3:33 PM
We keep an eye on this question to see what we can integrate with natively, but so far haven't heard much of it.
I guess my question would be; what options do you provide for Threat Intelligence Feeds to integrate into LEM? If you are waiting to see what you can integrate with natively, what native options do you support?
We have had some people import feed info via CSVs to User-Defined Groups to use in correlation rules or filters, but so far that's about it (and it's somewhat infrequent or vague).
How do you import CSV into a user defined group? If I was able to get CSV data from some other source I would love to import a list of IP's into a group that LEM would then use as a watch list.
-
Re: Using a Threat Intelligence Feed with LEM?
1 of 1 people found this helpfulRight now the only real option IS the import CSV to UDG. Effectively the "Import" on a UDG can import a CSV. Mentioned here: Log & Event Manager v5.7 RC Now Available: Scheduled Searching, License Recycling, and More! - here's the copy/paste for that section (it's super brief):
IMPORT USER-DEFINED GROUPS FROM CSV FILES
A commonly requested feature is the ability to import CSV files to automatically populate groups, rather than having to edit data elements by hand, which we've implemented in this RC. From Build>Groups, go to (top right) Gear>Import, change to "All File Types" and choose your CSV file. The format of the file is basically what you see in Build>Groups:
UDG, UDG Name, UDG Description
Element Name, Element Data, Element Description
Element 2 Name, Element 2 Data, Element 2 Description
If you could get the data as a big list (text?), you could create a CSV with the other 2 columns (name/description) and pull it in. Data is the column/field that's actually used for the comparison.
-
Re: Using a Threat Intelligence Feed with LEM?
byrona
Sep 8, 2014 10:37 PM
Awesome, thanks Nicole! I will go ahead and give this a try as soon as I can.
-
Re: Using a Threat Intelligence Feed with LEM?
byrona
Sep 12, 2014 5:08 PM
colby if you get a chance you should check out the service that the folks over at ThreatStream have put together. I just had a conversation with them today and what they have is pretty awesome. I did mention that we use LEM as our SIEM and therefore have no native ability to consume the data from their feed. They noted that since they are a newer company they are very agile at working with different SIEM solution providers to integrate with their technologies and he suggested that they may be reaching out to you as another SIEM to work to integrate with. They have already integrated with different SIEM solutions and consider themselves "SIEM agnostic" despite the fact they were born from ex-ArcSight employees. I just thought I should point this all out.
-
-
-
-
Re: Using a Thread Intelligence Feed with LEM?
Added a link to you LEM question as well as more information to help adoption of the new Threat Intelligence standards implemented late last year. I think this could be an opportunity to increase the value of LEM as a SIEM for a number of industries that now rely on Threat Intel, and possibly build on a Threat Response type platform.
Link to the Poll:
-
Re: Using a Thread Intelligence Feed with LEM?
The new STIX and TAXII open standard along with Soltra Edge a (Collect/Create Threat Repositories) also provide a means to share threat intelligence across member organizations anonymously. This would not limit Solarwinds to one threat source.
Solrta Edge is free to deploy, there are plenty of paid and free open sources to pull intelligence.
Some integration ideas with Solarwinds Products:
LEM - Threat Intel Sharing and receiving, actions/alerts based on rules (more data to correlate off of, and use actions to automate)
NCM - Automate updating firewall, routers, email gateway blacklists based on rules setup in LEM (more integration between Solarwinds products)
Threat Response Manager- Possibly a new Solarwinds module that would integrate with LEM/NCM or be standalone
Feature Request: Threat Intelligence Feed
Feature Poll: Would you be interested in importing Open/Closed Source Cyber Threat Intelligence into Solarwind's Products
References:
STIX -Structured Threat Information Expression
TAXII -Trusted Automated Exchange of Indicator Information
https://www.fsisac.com/article/fs-isac-and-dtcc-announce-soltra-strategic-partnership
-
Re: Using a Threat Intelligence Feed with LEM?
Take a look at my most recent blog post where I cover this topic in our LEM 6.2 Beta: Log & Event Manager 6.2 and a Threat Intelligence Feed
-
Re: Using a Threat Intelligence Feed with LEM?
Hello,
Since threat intelligence feed is now part of LEM 6.2 I'm looking for a way to learn more about this new feature, SolarWinds manual has limited information. Does anyone know where I can find more information for this new feature?
-
Re: Using a Threat Intelligence Feed with LEM?
mavturner
Dec 30, 2015 8:20 AM
1 of 1 people found this helpfulThe blog that was referenced earlier is the best source of information on the topic. A short version of that is, we have a list of regularly updating known bad IP addresses. This list is intentionally focused on known bad addresses to minimize the noise created with most threat feed services. If an incoming event includes an IP that is on the list, the event is flagged as IsThreat = True. You can use that field to find events that are communicating with malicious hosts.The most simple way to see these events is to go to Monitor, then expand Security and click "All Threat Events". See screenshot below.
Any events flagged as threats will appear in this streaming list. Hopefully you don't have any! If you don't see anything after watching it for a few minutes, click the Gear icon in the upper right corner of my screenshot and select "Send to n-depth". From there you can change the timeframe to look for historical events that may have been flagged as threats.
I hope that helps!
-
