
    Threat Management

    This page elaborates the steps to manage the threat sources of EventLog Analyzer.

    Enabling or disabling the default threat server

    What is the default threat server?

    EventLog Analyzer collects threat information daily from various STIX/TAXII-based threat feeds such as AlienVault and Hail a TAXII. The threat information (malicious IPs, URLs, and domain names) is processed and stored on the ManageEngine cloud server. EventLog Analyzer securely connects to the cloud service and downloads the threat feed every day. Using this information, it detects and raises an alert immediately when malicious sources interact with your enterprise network.

    How to enable or disable the default threat server?

    1. Go to Settings > Threat Management > STIX/TAXII Threat Feeds.
    2. Click the enable/disable icon under Actions to enable/disable the default server.
    [Screenshot: Default threat server]
    Note: You cannot edit or delete the default server.

    By default, the default threat server is disabled when Advanced Threat Analytics (ATA) is enabled, because ATA has a much larger and more accurate threat data set. If required, you can override this by enabling the default threat server again. When the default threat server is enabled and a particular threat source is not flagged by ATA, EventLog Analyzer checks the default threat server's threat database and flags the threat source accordingly.
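    The lookup order described above, as an added illustration that is not the product's own code: a hypothetical ATA data set and a hypothetical default-server feed are constructed inline, the feed is filtered by a "Poll from" date, and each log source is checked against ATA first and the default server only when that server is enabled.

```python
import re
from datetime import datetime, timezone

# Constructed sample data (not from the product): a hypothetical ATA data set and a
# hypothetical default-server feed carrying STIX-style "created" timestamps.
ATA_INDICATORS = {"198.51.100.7", "bad.example"}
DEFAULT_FEED = [
    {"value": "203.0.113.9", "created": "2024-01-10T00:00:00Z"},
    {"value": "evil.example", "created": "2023-06-01T00:00:00Z"},
    {"value": "198.51.100.7", "created": "2024-02-01T00:00:00Z"},
]

def load_feed(records, poll_from):
    """Emulate the 'Poll from' setting: keep indicators created on or after that date."""
    kept = set()
    for rec in records:
        created = datetime.fromisoformat(rec["created"].replace("Z", "+00:00"))
        if created >= poll_from:
            kept.add(rec["value"])
    return kept

def classify(source, ata_enabled, default_enabled, ata_set, default_set):
    """Return which data set flagged the source: ATA is consulted first, and the
    default server only when it has been (re-)enabled."""
    if ata_enabled and source in ata_set:
        return "ATA"
    if default_enabled and source in default_set:
        return "default"
    return None

SRC_RE = re.compile(r"src=(\S+)")

def scan(lines, ata_enabled=True, default_enabled=False,
         poll_from=datetime(2024, 1, 1, tzinfo=timezone.utc)):
    """Scan log lines and return (source, flagged_by) pairs for flagged sources."""
    default_set = load_feed(DEFAULT_FEED, poll_from)
    hits = []
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        tag = classify(m.group(1), ata_enabled, default_enabled, ATA_INDICATORS, default_set)
        if tag:
            hits.append((m.group(1), tag))
    return hits

SAMPLE_LOGS = [  # constructed log lines, not real product output
    "2024-03-01T10:00:00Z fw allow src=198.51.100.7 dst=10.0.0.5",
    "2024-03-01T10:00:01Z fw allow src=203.0.113.9 dst=10.0.0.5",
    "2024-03-01T10:00:02Z proxy GET src=evil.example dst=10.0.0.8",
    "2024-03-01T10:00:03Z fw allow src=10.0.0.9 dst=10.0.0.5",
]
```

    With the default server disabled only the ATA hit is reported; re-enabling it adds the default-server hit, while the indicator created before the "Poll from" date is never loaded.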

    How to add a new STIX/TAXII server?

    1. Go to Settings > Threat Management > STIX/TAXII Threat Feeds.
    2. Click Add Server.
    3. In the Add Server box, enter the Display name, URL, Username and Password.
    4. In the Poll from box, specify the date from which feeds should be collected.
    5. In the Schedule drop-down list, select the schedule frequency and the time for syncing data from the TAXII server.
    6. To save the server configuration, click Add Server.

    How to edit the TAXII server configuration?

    1. Go to Settings > Threat Management.
    2. Click the edit icon against the server.
    3. You can make the required changes such as the schedule to sync data from the TAXII server.
    4. To save the changes made, click the Update Server button.

    How to delete a TAXII server?

    To delete an existing TAXII server,

    1. Go to Settings > Threat Management.
    2. Click the delete icon corresponding to the server to be deleted.
    3. Click Yes in the delete confirmation pop up box.

    How to manage TAXII server feeds?

    1. Go to Settings > Threat Management > STIX/TAXII Threat Feeds.
    2. Click Manage Feeds corresponding to the server to be managed.
    3. The Manage Feeds window opens.
    4. Click the enable/disable icon under Actions to enable/disable polling for the corresponding feed. Click Yes in the pop-up to confirm.
    5. Click Poll now to poll the feed immediately.