Splunk® Intelligence Management (Legacy)

Workflow Apps

Configure LogRhythm Threat Intelligence Services (TIS) to collect indicator data from Splunk Intelligence Management

Install LogRhythm Threat Intelligence Services (TIS) to collect Indicator data from the Splunk Intelligence Management TAXII server and make that data available for analysis in LogRhythm.

Requirements

  • LogRhythm Threat Intelligence Services
  • LogRhythm Threat Intelligence Module
  • Access to your Splunk Intelligence Management API Key and API Secret.

LogRhythm's TIS User Guide explains how to configure these modules. You can access the LogRhythm Support Portal to download the TIS installer and documentation.

Configuring the TAXII Client

After you have installed and configured the connection between LogRhythm Threat Intelligence Service Manager and LogRhythm you will need to follow these steps on the Threat Intelligence Service Manager:

  1. Ensure the service has been started by clicking Start Service link at the top of the screen.
  2. Click Add STIX/TAXII Provider.
  3. On the Custom Provider screen, fill in the form details as explained below.
    • Threat Provider Name: Choose a name for the Splunk Intelligence Management threat intel. Include "Splunk Intelligence Management" in this name so that you can easily identify it later.
    • TAXII Collection Endpoint:
    • Username: Enter your Splunk Intelligence Management API Key. Finding your API Key and API Secret
    • Password: Enter your your Splunk Intelligence Management API Secret.
    • Certificate Authentication: Leave unchecked and ignore Certificate Password and Certificate Path.
  4. Click Test when finished.
  5. Click OK in the Feeds Found popup box.
  6. Click Save on the Custom Provider screen. You now see Splunk Intelligence Management Threat Intel in the list. In the main portion of the app, you see the nine different feeds the Splunk Intelligence Management TAXII server provides.

    Not all TruSTAR feeds can be consumed by LogRhythm. See the next step to enable specific feeds.

  7. Check the Enabled box to automatically enable all available feeds. You can deselect feeds that are not relevant to your LogRhythm correlation rules and investigation processes.
  8. Click the Test button. If the test is successful, you see a confirmation popup.
  9. Click OK to close the dialog box.
  10. Configure the Download every and First Run at parameters based on your operational requirements.
  11. Click Save to store this configuration. If the save is successful, you see a confirmation dialog box.
  12. Click OK to close that box and finish the TAXII client configuration.

FAQ

Q: Where is the STIX package downloaded from the TruSTAR TAXII Server? A: Navigate to LogRhythm\LogRhythmThreat Intelligence Service Demo\staging and select the folder with the Threat Provider Name you configured when setting up the LogRhythm TAXII service

Last modified on 27 July, 2022
Configure Anomali Threatstream client to collect Indicator data from the Splunk Intelligence Management   Palo Alto MineMeld

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters