Sumo Logic

Lab 20 - Installing the Threat Intel App for AWS ELB data

The Threat Intel App correlates CrowdStrike threat intelligence data with your own log data, giving you real-time security analytics to detect threats. Specifically, it matches indicators of the following types against your logs: file name, URL, domain, SHA-256 hash, and email address.

Although you could install the Threat Intel app against your entire data set, this is not recommended for performance reasons: every dashboard panel would then run its lookups across all of your logs. Best practice is to install the app scoped to a single source category. If necessary, you can install the app multiple times, once for each source you want to correlate. In this lab, we will install the Threat Intel app for our AWS ELB access log data (the source category Labs/AWS/ELB).
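To make the correlation concrete, here is an added example (not code from Sumo Logic or from the Threat Intel app) of what the app's dashboards do for an ELB source: parse each access log line, pull out the requested URL and its domain, and look both up in an indicator table. In the product this is a Sumo Logic lookup against the CrowdStrike artifact table; here the indicator table, the log lines, and the actor names are all constructed, and the URL normalization rule (drop the default port and query string before matching) is an assumption made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Classic ELB access log: space-separated fields with the request and
# user agent quoted. Only the fields the correlation needs are named.
ELB_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<elb>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<req_t>\S+) (?P<be_t>\S+) (?P<resp_t>\S+) '
    r'(?P<elb_status>\S+) (?P<be_status>\S+) (?P<rcvd>\S+) (?P<sent>\S+) '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed indicator table standing in for the threat artifact lookup.
# Keys are (indicator type, indicator value); actor names are invented.
INDICATORS = {
    ("domain", "evil.example.net"): {"actor": "TESTACTOR", "threatlevel": "high"},
    ("url", "http://cdn.example.org/payload.bin"): {"actor": "TESTACTOR", "threatlevel": "medium"},
}

# Constructed ELB access log lines: one clean request, one to a flagged
# domain, one to a flagged URL, and one malformed line.
SAMPLE_LOG = [
    '2024-05-01T12:00:00.123456Z lab-elb 203.0.113.10:54321 10.0.1.5:80 0.000045 0.001234 0.000030 200 200 0 1024 "GET http://www.example.com:80/index.html HTTP/1.1" "Mozilla/5.0" - -',
    '2024-05-01T12:00:01.000000Z lab-elb 198.51.100.7:40000 10.0.1.6:80 0.000040 0.002000 0.000020 302 302 0 512 "GET http://evil.example.net:80/login?x=1 HTTP/1.1" "curl/8.0" - -',
    '2024-05-01T12:00:02.000000Z lab-elb 198.51.100.8:40001 10.0.1.6:80 0.000040 0.002000 0.000020 200 200 0 4096 "GET http://cdn.example.org/payload.bin?ver=2 HTTP/1.1" "curl/8.0" - -',
    'this is not an elb line',
]


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    indicator_type: str
    indicator: str
    actor: str
    threatlevel: str


def parse_elb_line(line: str) -> Optional[dict]:
    """Return the named fields of one access log line, or None if malformed."""
    m = ELB_LINE.match(line)
    return m.groupdict() if m else None


def normalize_url(url: str) -> str:
    """Reduce a request URL to scheme://host[:port]/path (assumed matching rule).

    The default port and the query string are dropped so that an indicator
    is not missed just because the client added ':80' or '?x=1'.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    default = {"http": 80, "https": 443}.get(parts.scheme)
    netloc = host if parts.port in (None, default) else f"{host}:{parts.port}"
    return f"{parts.scheme}://{netloc}{parts.path}"


def correlate(lines, indicators=INDICATORS) -> List[Hit]:
    """Match the URL and domain of each request against the indicator table."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_elb_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        url = normalize_url(rec["url"])
        domain = (urlsplit(rec["url"]).hostname or "").lower()
        for kind, value in (("url", url), ("domain", domain)):
            info = indicators.get((kind, value))
            if info:
                hits.append(Hit(
                    timestamp=rec["ts"],
                    client_ip=rec["client"].rsplit(":", 1)[0],
                    indicator_type=kind,
                    indicator=value,
                    actor=info["actor"],
                    threatlevel=info["threatlevel"],
                ))
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} {hit.indicator_type}={hit.indicator} "
              f"actor={hit.actor} level={hit.threatlevel}")
```

Running this over the constructed log produces two hits: the second line matches on its domain and the third on its full URL, while the first line and the malformed line produce nothing. That is exactly why scoping the app to one source category matters: each dashboard panel performs this kind of lookup on every event in scope.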


  1. In the App Catalog, search for the Threat Intel Quick Analysis app

  2. Once selected, click Add to Library

  3. For App Name, enter: Threat Intel - AWS ELB

  4. For _sourceCategory, enter: Labs/AWS/ELB

  5. Under Advanced, select Personal > Apps, and finally click Add to Library.

  6. This creates a new folder, Personal/Apps/Threat Intel - AWS ELB, containing the queries and dashboards scoped to that source category.

  7. Open the Threat Intel Quick Analysis - Overview dashboard. Notice that most panels have no data to display; panels only populate when events in Labs/AWS/ELB match an indicator.

  8. You can click on any dashboard panel to view the query behind it. If you make changes to the query, click Update Dashboard to save your changes back to the original dashboard.

  9. To share this content with other users, open the Library and select the Threat Intel folder. Clicking the three stacked dots to the right opens a menu of actions, including Share.