Objective
EventLog Analyzer can import custom threat feeds or indicators, so that lists of malicious IP addresses, CIDR ranges, domains, and URLs identified during an internal investigation can be uploaded. The imported indicators are correlated against the collected log data. This article explains, step by step, how to import custom feeds that are stored in CSV files.
Prerequisites
You need access to the EventLog Analyzer server and installation directory.
Each CSV file must list the threat sources in its first column, one per row (see the sample CSV file). The service account under which the EventLog Analyzer service runs (the Log On account shown in services.msc) must have Full Control on the installation directory.
Steps to follow
Step 1: Enable the threat import scheduler
- Navigate to the <EventLog Analyzer Home>\conf\EventLogAnalyzer\threat folder and open threatstore.properties in a text editor.
- Change the value of the dae.threat.import.schedule.enable property from false to true and save the file.
Step 2: Place the CSV files in the <EventLog Analyzer Home>\data\za\threatfeeds\ThreatImport\Import folder.
Step 3: A scheduled task runs every day at 8 AM and processes the files placed in the respective ThreatImport folder. Restarting the product triggers the threat import immediately instead of waiting for the 8 AM schedule.
Step 4: Files in the ThreatImport directory are deleted once they have been processed. If a file is not deleted, an exception has most likely occurred. Open serverout.txt in the <EventLog Analyzer Home>\logs folder and search for the keyword FileImportTask to find the exception, or contact support for further assistance.
Tips
To stop certain threat sources from triggering threat alerts, place a CSV file containing the feeds to be removed in the <EventLog Analyzer Home>\data\za\threatfeeds\ThreatImport\Delete folder.
To add a new list or update an existing one, place the new or modified CSV file in the Import folder; the scheduler picks it up automatically on its next run.
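Steps 1 to 4 and the two tips above describe one procedure: enable the property, drop a first-column CSV into Import (or Delete), wait for the 8 AM run or restart, and search serverout.txt for FileImportTask if a file is left behind. The following Python script is added here as a worked example; it is not part of the article and not EventLog Analyzer's own code. It automates the parts you control outside the product: it validates each indicator as an IP, CIDR, domain, or URL before writing the file (a malformed row is the usual reason a file stays unprocessed), rewrites only the scheduler key in threatstore.properties and leaves every other line intact, and pulls the FileImportTask lines out of the log. The folder layout follows the article; the indicator values, the properties file contents and the serverout.txt line are constructed for the demo, and the validation rules are this script's own assumption, not the product's documented parser.

```python
"""Stage custom threat feeds for EventLog Analyzer's ThreatImport scheduler.
Added example, not ManageEngine code.  Assumes the paths the article gives under
<EventLog Analyzer Home>: conf/EventLogAnalyzer/threat/threatstore.properties,
data/za/threatfeeds/ThreatImport/{Import,Delete} and logs/serverout.txt."""
import csv
import ipaddress
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit
SCHEDULE_KEY = "dae.threat.import.schedule.enable"
# RFC 1123 hostname labels with at least one dot; no scheme, no path (assumed rule).
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def enable_import_schedule(props_path: Path) -> bool:
    """Step 1: set the scheduler key to true, leaving every other line intact."""
    out, found, changed = [], False, False
    for line in props_path.read_text(encoding="utf-8").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == SCHEDULE_KEY:
            found = True
            if value.strip().lower() != "true":
                line, changed = f"{SCHEDULE_KEY}=true", True
        out.append(line)
    if not found:  # key absent: append it rather than silently do nothing
        out.append(f"{SCHEDULE_KEY}=true")
        changed = True
    if changed:
        props_path.write_text("\n".join(out) + "\n", encoding="utf-8")
    return changed


def classify_indicator(value: str):
    """Return 'ip', 'cidr', 'url' or 'domain', or None for anything else."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if "/" in v and "://" not in v:
        try:
            return "cidr" if ipaddress.ip_network(v, strict=False) else None
        except ValueError:
            return None
    if "://" in v:
        p = urlsplit(v)
        return "url" if p.scheme in ("http", "https") and p.hostname else None
    return "domain" if _DOMAIN_RE.match(v) else None


def write_feed_csv(indicators, target_dir: Path, filename: str):
    """Step 2 / Tips: write validated indicators, one per row in column one, to the
    Import (add) or Delete (retire) folder.  Returns (path, accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for raw in indicators:
        v = raw.strip()
        if not v:
            continue  # blank rows carry nothing
        if classify_indicator(v) is None:
            rejected.append(raw)  # keep malformed entries away from the importer
        elif v.lower() not in seen:
            seen.add(v.lower())  # case-insensitive de-duplication
            accepted.append(v)
    target_dir.mkdir(parents=True, exist_ok=True)
    path = target_dir / filename
    with path.open("w", newline="", encoding="utf-8") as fh:
        csv.writer(fh).writerows([v] for v in accepted)
    return path, accepted, rejected


def find_import_exceptions(serverout: Path):
    """Step 4: serverout.txt lines mentioning FileImportTask (the keyword to search for)."""
    with serverout.open(encoding="utf-8", errors="replace") as fh:
        return [ln.rstrip("\r\n") for ln in fh if "FileImportTask" in ln]


def demo(ela_home=None) -> dict:
    """Run the whole procedure against a constructed home tree (temp dir by default)."""
    home = Path(ela_home) if ela_home else Path(tempfile.mkdtemp(prefix="ela_"))
    props = home / "conf" / "EventLogAnalyzer" / "threat" / "threatstore.properties"
    props.parent.mkdir(parents=True, exist_ok=True)
    props.write_text(f"{SCHEDULE_KEY}=false\nsome.other.key=1\n", encoding="utf-8")  # constructed
    ti = home / "data" / "za" / "threatfeeds" / "ThreatImport"
    feed = ["203.0.113.7", "203.0.113.7", "198.51.100.0/24", "bad-actor.example",
            "http://bad-actor.example/payload.exe", "not an indicator"]  # constructed
    imp, accepted, rejected = write_feed_csv(feed, ti / "Import", "custom_feed.csv")
    ret, _, _ = write_feed_csv(["203.0.113.7"], ti / "Delete", "retire.csv")
    log = home / "logs" / "serverout.txt"
    log.parent.mkdir(parents=True, exist_ok=True)
    log.write_text("INFO scheduler started\nSEVERE FileImportTask: parse error in custom_feed.csv\n")  # constructed
    return {"schedule_changed": enable_import_schedule(props),
            "properties": props.read_text(encoding="utf-8").splitlines(),
            "import_csv": imp.read_text(encoding="utf-8").split(),
            "accepted": accepted, "rejected": rejected,
            "delete_csv": ret.read_text(encoding="utf-8").split(),
            "import_exceptions": find_import_exceptions(log)}
```

Point `demo()` at a real <EventLog Analyzer Home> only after taking a copy of threatstore.properties, since it overwrites that file with constructed contents; in practice you would call `enable_import_schedule`, `write_feed_csv` and `find_import_exceptions` individually against the live paths. The script writes the file directly into the Import folder, so run it under the same service account that owns the installation directory, otherwise the scheduler may be unable to delete the file after processing.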
Related articles
Advance Threat Analytics