How to import custom threat feeds in EventLog Analyzer
Objective
EventLog Analyzer provides an option to import custom threat feeds or indicators, allowing users to upload lists of malicious IP addresses, CIDR values, domains, and URLs as per internal investigation. These imported indicators are then used for correlation against the collected log data. This article provides step-by-step information on how to import custom feeds, which are stored in the CSV file feeds.
Prerequisites
- You need access to the EventLog Analyzer server and installation directory.
- The service account used in EventLog Analyzer must have full control for installation directory and has to be used in services.msc.
Steps to follow
Step 1: Enable the threat import scheduler
- Navigate to the <EventLog Analyzer Home>\conf\EventLogAnalyzer\threat folder and open threatstore.properties in a text editor.
- Update the dae.threat.import.schedule.enable property value from false to true.
Step 2: Place the files in the <EventLog Analyzer Home>\data\za\threatfeeds\ThreatImport\Import folder.
Step 3: A schedule will run everyday at 8am to process the files placed under the respective ThreatImport folder. Restarting the product will trigger the threat import operation immediately instead of waiting for the 8am schedule.
Step 3: A schedule will run everyday at 8am to process the files placed under the respective ThreatImport folder. Restarting the product will trigger the threat import operation immediately instead of waiting for the 8am schedule.
Step 4: Files in the ThreatImport directory will be deleted once it is processed. If any files are not deleted, this may indicate that an exception has occurred. Open the serverout.txt file located in the <EventLog Analyzer Home>\logs folder and check for the keyword as FileImportTask to check for the exception. Or contact support for further assistance.
Tips
If you need to remove any threat sources from flagging threat alerts, place the file containing the threat feeds to be removed in the <EventLog Analyzer Home>\data\za\threatfeeds\ThreatImport\Delete folder.
If you would like to add a new list or update the existing one, add the new or customized list to the same location to automate the threat import.
Related articles
New to ADSelfService Plus?
Related Articles
How to add Cyware Threat Intelligence Platform as a threat feed manager in EventLog Analyzer
Objective It is essential to have multiple threat feed managers integrated with a SIEM solution to detect threats in the production environment. This article focuses on how to add Cyware Threat Intelligence Platform as a threat feed manager in ...How to add IBM X-Force as a threat feed manager in EventLog Analyzer
Objective It is essential to have multiple threat feed managers integrated with a SIEM solution to detect threats in the production environment. This article focuses on how to add IBM X-Force as a threat feed manager in EventLog Analyzer. ...Introduction to EventLog Analyzer
What is log management? An enterprise network consists of different entities—perimeter devices, workstations, servers, applications, and more. Each entity records every activity that unfolds within it in the form of logs. These logs hold information ...How to add the SecAlliance ThreatMatch Intelligence Portal as a threat feed manager in EventLog Analyzer In this article:
Objective It is essential to have multiple threat feed managers integrated with a SIEM solution to detect threats in the production environment. This article focuses on how to add the SecAlliance ThreatMatch Intelligence Portal as a threat feed ...How to create a new technician role in EventLog Analyzer
Objective This document outlines the step-by-step process to create and assign a technician role in EventLog Analyzer. Defining technician roles helps delegate administrative responsibilities while ensuring controlled access to sensitive log data. By ...