Integrate a LogRhythm SIEM On-Premises Device

Configure a LogRhythm SIEM on-premises device to pull IOCs from Threat Command.

The following table shows device-specific integration characteristics:

Characteristic          Description
IOC types supported     Domains, IP addresses, and URLs.
IOC group limitation    All IOC types can be pulled in the same group.
Device IOC limit        The device is limited to 100,000 IOCs.

Add a LogRhythm SIEM on-premises device

To integrate the device, perform these steps (described in the following sections):

  1. Add the device to the Threat Command virtual appliance.
  2. Configure the device to pull IOCs from Threat Command.

The procedure to add the device to Threat Command is different depending on the version of the Threat Command virtual appliance in your environment. To determine which version is running, see Determine the Version of Virtual Appliance.

Add the on-premises device

Add the device in virtual appliance v3.9

Prerequisites:

  • The Threat Command virtual appliance web interface is configured and you can access it.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. From an internet browser, navigate to https://<virtual appliance IP address>
  2. Log in to the virtual appliance using the web access username and password.
  3. From the Devices page, click Devices (Pull).
  4. Click Add new device.
  5. In the Devices (Pull) screen, set up the new device:
    1. Type a user-defined, unique device name.
    2. Select the device type.
    3. Click Create.
  6. Verify that the new device was added:
    1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
    2. From the main menu, select Automation > Integrations.
      If this window is already open, refresh it by selecting Automation > Integrations from the menu.
      The new device is displayed in the On-Premises tab.

Add the device in virtual appliance v4.0

Prerequisites:

  • You have the credentials to access the Threat Command virtual appliance web interface.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click On-Premises.
  4. Click Add new device.
  5. In the Add New On-Premises Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default IOC limit for that device type is displayed.
  7. (Optional) Change the IOC limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.

Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure a LogRhythm SIEM device to pull IOCs 

After a device has been added to the Threat Command virtual appliance, you must enable it to pull IOCs from Threat Command. The configuration is done by editing the hosts file and then configuring the device in the LogRhythm management console.

Configuration for on-premises devices

When configuring an on-premises device, it is important to know which version of the Threat Command virtual appliance is running in your environment. This will affect which Rapid7 URL is displayed in the Device Details screen and also which URL to copy into the device management console.


When running version 4.0 or later, use the Legacy URL only when instructed to by Rapid7 Support.

To determine which version of the virtual appliance is running, see Determine the version of virtual appliance.

Prerequisites

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group
  • TCP port 9000 is open from the LogRhythm server to the Threat Command virtual appliance.

To configure the device to pull IOCs:

  1. Edit the server hosts file:
    1. Log in to the LogRhythm server.
    2. Start a command window as administrator.
    3. Change to the C:\Windows\System32\drivers\etc directory.
    4. Use a text editor to add the following lines to the hosts file:
      <Threat Command virtual appliance IP address> agent-taxii
      <Threat Command virtual appliance IP address> taxii
      For example, if the IP address is 192.168.0.111, add these lines to the file:
      192.168.0.111 agent-taxii
      192.168.0.111 taxii
    5. Save and close the file.
  2. Log in to the LogRhythm management console.
  3. Click Add STIX/TAXII Provider.
  4. Fill in the details:

Field                      Description
Threat Provider Name       Type a user-defined name. Collected IOCs are stored under a folder with this name.
TAXII Collection Endpoint  Copy/paste from the Threat Command Device Details dialog:
                           From the Threat Command main menu, select Automation > Integrations. From the On-Premises device list, select the LogRhythm SIEM device and click Device Details. In the IOC Group URL dialog, use the Copy button to copy the URL.
                           For virtual appliance v4.0 or later: use the TAXII Collection Endpoint.
                           For virtual appliance v3.9 or earlier: use the Legacy endpoint.
                           In the copied URL, replace [APPLIANCE_IP/URL] with the word agent-taxii (not the appliance IP address). The LogRhythm server resolves that name through the hosts file entry added in step 1.
Username                   Copy/paste from the Threat Command Device Details dialog.
Password                   Copy/paste from the Threat Command Device Details dialog.
Certificate fields         Optional.

Figure: the Add STIX/TAXII Provider dialog with the fields populated.

  5. Test the connection by clicking Test.
    The following table describes possible errors and their solution:

Error displayed is similar to the following                           Description and solution
Feeds not found for the provider                                      Configuration was successful, but there are no IOC groups in Threat Command. Create an IOC group for this device (see Create an IOC group) and test again.
Exception while testing … : The underlying connection was closed      Configuration was successful. This is an intermittent error and can be ignored.
Exception while testing … : Unable to connect to the remote server    The IP address or port in the TAXII Collection Endpoint field is incorrect, or there is a communication problem between the LogRhythm server and the Threat Command virtual appliance (for example, TCP port 9000 is blocked between them).

  6. Click Save.
  7. Click Enabled.
    When IOCs are present in the Threat Command IOC group, the LogRhythm SIEM device begins to pull them.
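The hosts-file edit and the connectivity prerequisites above can be applied and checked from one elevated PowerShell session on the LogRhythm server. The script below is an added example written for this page; it is not part of the Rapid7 or LogRhythm documentation or software. It assumes a Windows LogRhythm server (hosts file under $env:SystemRoot, Test-NetConnection available), uses the page's placeholder address 192.168.0.111 only as an illustration, and uses the default port 9000 from the prerequisites. The script name Set-TaxiiHosts.ps1 and the parameter names are the example's own choices.

```powershell
# Added example, not Rapid7/LogRhythm code. Run from an elevated PowerShell
# session on the LogRhythm server:
#   .\Set-TaxiiHosts.ps1 -ApplianceIp 192.168.0.111
# It writes the two hosts entries the procedure requires (backing up the file
# first), confirms the names resolve to the appliance, and checks that TCP
# port 9000 on the appliance accepts connections before you click Test in the
# LogRhythm console.

param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\d{1,3}(\.\d{1,3}){3}$')]
    [string]$ApplianceIp,            # Threat Command virtual appliance address
    [int]$TaxiiPort = 9000           # port listed in the prerequisites
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$names     = @('agent-taxii', 'taxii')

# The hosts file is writable only by administrators; fail early if unelevated.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell session.'
}

# Keep a timestamped backup so the change can be reverted.
Copy-Item $hostsPath "$hostsPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

$lines = @(Get-Content $hostsPath)
foreach ($name in $names) {
    # Remove any existing uncommented mapping for the name so a re-run with a
    # different appliance address replaces it instead of leaving two entries.
    $lines = @($lines | Where-Object { $_ -notmatch "^\s*[^#\s]+\s+$name(\s|`$)" })
    $lines += "$ApplianceIp $name"
}
Set-Content -Path $hostsPath -Value $lines -Encoding ASCII

# Check 1: each name must now resolve to the appliance address via the hosts file.
foreach ($name in $names) {
    $resolved = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object IPAddressToString
    if ($resolved -notcontains $ApplianceIp) {
        throw "$name resolves to '$($resolved -join ',')', expected $ApplianceIp"
    }
    Write-Host "OK  $name -> $ApplianceIp"
}

# Check 2: the TAXII port must accept a TCP connection. A failure here is the
# condition behind 'Unable to connect to the remote server' in the Test step.
$tcp = Test-NetConnection -ComputerName 'agent-taxii' -Port $TaxiiPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP port $TaxiiPort on agent-taxii is not reachable; check firewalls between the LogRhythm server and the appliance."
}
Write-Host "OK  agent-taxii:$TaxiiPort accepts connections"
```

Because the script removes and rewrites only the two names it manages, it can be re-run safely after an appliance IP change; any other hosts entries are preserved, and the backup file lets you restore the previous state if the edit was made in error.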

View pulled IOCs in LogRhythm SIEM

You can download a TXT file of the pulled IOCs in the LogRhythm SIEM management console.

To view pulled IOCs:

  1. In the LogRhythm Threat Intelligence management console, select the group to download.
  2. Click Download Now.

Downloaded files are located in the \staging\<Threat Provider Name> folder under the LogRhythm Threat Intelligence Service installation directory.
For example, C:\Program Files\LogRhythm Threat Intelligence Service\staging\Intsights5