Integrate a LogRhythm SIEM Cloud Device

Configure a LogRhythm SIEM cloud device to pull IOCs from Threat Command. You must first add the device to Threat Command and then configure the device itself to pull IOCs from Threat Command.

For LogRhythm devices, ensure that port 9000 is open.

Add a LogRhythm SIEM cloud device

Add a cloud device to Threat Command.

Prerequisites

  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add a cloud device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click Cloud.
  4. Click Add new device.
  5. In the Add New Cloud Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) You can change the IOCs limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.
    The new device is added to the cloud integrations device list. Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure a LogRhythm SIEM device to pull IOCs

After a device has been added, you must enable it to pull IOCs from Threat Command. The configuration is done by editing the hosts file and then configuring the device in the LogRhythm management console.

Prerequisites:

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group.

IOC groups for LogRhythm SIEM devices can consist of the following types of IOCs: domains, URLs, and IP addresses.

To configure the device to pull IOCs:

  1. Log into the LogRhythm management console.
  2. Click Add STIX/TAXII Provider.
    The LogRhythm Custom Provider dialog is displayed.
  3. Fill in the details:
    Field | Description
    Threat Provider Name | Type a user-defined name. Collected IOCs can be found under this folder name.
    TAXII Collection Endpoint | Copy/paste from the Threat Command Device Details dialog:
      - From Threat Command, select Automation > Integrations.
      - From the Cloud device list, select the LogRhythm SIEM device.
      - Click Device Details.
      - From the Device Details dialog, use the Copy button to copy the TAXII Collection Endpoint URL.
    Username | Enter the Threat Command account ID.
    Password | Enter the Threat Command appliance key.
    Certificate fields | Optional.
  4. Test the connection by clicking Test. For more information, see Troubleshooting errors during testing.
  5. Click Save.
  6. Click Enabled, then click Save.
    When IOCs are present in the Threat Command IOC group, the LogRhythm SIEM device will begin to pull them.

View pulled IOCs in LogRhythm SIEM

You can download a TXT file of the pulled IOCs in the LogRhythm SIEM management console.

To view pulled IOCs:

  1. In the LogRhythm Threat Intelligence management console, select the group to download.
  2. Click Download Now.

Downloaded files are located in the <installation directory>\staging\<Threat Provider Name> folder.
For example, C:\Program Files\LogRhythm Threat Intelligence Service\staging\Intsights5
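As an added example (not Rapid7's or LogRhythm's own code), the script below parses a downloaded staging file and sorts each indicator into one of the three IOC types that LogRhythm SIEM devices accept from Threat Command (domains, URLs, IP addresses), flagging anything else and counting duplicates. The file layout (one indicator per line, lines starting with "#" treated as comments) and the sample content are assumptions, since the page does not document the format of the downloaded TXT file.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hostname label rule (letters, digits, hyphens; no leading/trailing hyphen;
# at most 63 characters), used to accept only well-formed domain names.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample of a downloaded staging file. The real layout is not
# documented on the page; one indicator per line is an assumption here.
SAMPLE_FILE = """\
# pulled from Threat Command IOC group: example-group (constructed sample)
malicious-example.test
198.51.100.23
http://malicious-example.test/payload.php?id=1
2001:db8::1
198.51.100.23
d41d8cd98f00b204e9800998ecf8427e
not a valid indicator
"""


def classify_ioc(value: str) -> str:
    """Return 'ip', 'url', 'domain' or 'unsupported' for one indicator string."""
    v = value.strip()

    # IP address (v4 or v6): ipaddress raises ValueError for anything that is
    # not a literal address, so a domain or URL falls through.
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass

    # URL: needs an http/https scheme and a network location.
    if "://" in v:
        parts = urlparse(v)
        if parts.scheme in ("http", "https") and parts.netloc:
            return "url"
        return "unsupported"

    # Domain: at least two dot-separated labels, each a valid hostname label,
    # with an alphabetic top-level label. Bare hashes (one label) are rejected.
    labels = v.split(".")
    if (len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and labels[-1].isalpha()):
        return "domain"
    return "unsupported"


def parse_ioc_file(text: str) -> dict:
    """Parse the file text into supported IOCs by type, unsupported lines and a duplicate count."""
    seen = set()
    by_type = {"ip": [], "url": [], "domain": []}
    unsupported = []
    duplicates = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blank and comment lines
            continue
        if line in seen:                        # exact repeat of an earlier line
            duplicates += 1
            continue
        seen.add(line)
        kind = classify_ioc(line)
        if kind == "unsupported":
            unsupported.append(line)
        else:
            by_type[kind].append(line)
    return {"iocs": by_type, "unsupported": unsupported, "duplicates": duplicates}


if __name__ == "__main__":
    result = parse_ioc_file(SAMPLE_FILE)
    for kind, values in result["iocs"].items():
        print(f"{kind}: {len(values)}")
    print("unsupported:", result["unsupported"])
    print("duplicates:", result["duplicates"])
```

Unsupported entries are the ones worth reviewing: the page states that IOC groups for LogRhythm devices can contain only domains, URLs and IP addresses, so a hash or malformed value in the downloaded file points at a group that was populated with an indicator type this integration does not carry.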

Troubleshooting errors during testing

The following table describes possible errors and their solution:

Error displayed (similar to the following) | Description and solution
Feeds not found for the provider | Configuration was successful, but there are no IOC groups in Threat Command.
Exception while testing … : The underlying connection was closed | Configuration was successful. This is a random error that can be ignored.
Exception while testing … : Unable to connect to the remote server | The IP address or port in the TAXII Collection Endpoint field is incorrect, or there is a communication problem between LogRhythm and the Threat Command virtual appliance.
Exception while testing … : The remote server returned an error: (401) Unauthorized | The Threat Command account ID or appliance key is not correct.