Logsign USO Threat Intelligence Guide

Purpose and Overview

The Logsign Threat Intelligence area collects Indicators of Compromise (IOCs) (IP, domain, URL, hash, etc.) from internal and external sources and makes them usable within Logsign.

From this screen, you can:

• Enable/disable TI globally, 
• Add, edit, and remove TI sources, 
• Change priority order (processing order), 
• Enable/disable sources individually or in bulk.

What Changed Compared to the Old Approach?

Before: Users clicked a single button and Logsign used predefined TI lists.

Now: Users can add and manage their own IOC sources, enabling full control over which feeds are used (via TAXII/STIX or API).

Top Bar Controls

The top area includes:

• Enable/Disable Threat Intelligence: Turns the TI feature on/off globally. 
• Search: Searches by source name. 
• Add Source: Adds a new TI source. 
• Check All: Selects multiple sources. 
• Enable / Disable: Enables/disables selected sources in bulk. 
• Filter by Status: Filters sources by enabled/disabled state.

Source List (Table) and Key Logic

Each row represents a TI source. Key columns include:

• Priority: Processing / lookup order. 
• Name: Source name. 
• Source Type: Source method (TAXII/STIX, API, or Logsign TI). 
• Indicator Type: IOC type (ip, domain, url, hash, or Mixed). 
• Count: Number of ingested IOCs. 
• URL: Source endpoint. 
• Status: Enabled/disabled state. 
• Actions: View/list, edit, delete.

Priority Order Behavior

• You can change priority order. 
• The system starts checking/processing from the top of the list. 
• Priority can be adjusted via drag-and-drop (using the handle on the left).

Record Limit per Source

• Each added source can contain up to 300,000 (300k) IOC records. 
• For larger feeds, it is recommended to filter or split them at the source side.

Whitelist Takes Precedence (Conflict Rule)

If an IOC exists in a TI source but is also in the Whitelist: 

• It is ignored from TI matching, 
• The Whitelist always overrides TI. 

Enable / Disable Sources

• You can enable/disable each source using its Status toggle. 
• You can also use Check All + Enable/Disable to manage multiple sources at once.

Supported Source Types

When adding sources, Logsign supports two ingestion methods:

A) TAXII/STIX Source

Used for consuming standard threat intelligence services via TAXII/STIX.

Typical fields (Edit Source):

• Name 
• Source Type: TAXII/STIX 
• Indicator Type: e.g., IP (depending on the feed) 
• Feed URL: TAXII collection URL 
• TAXII Version: e.g., 2.1 
• Use Authentication (optional): 
  • Username
  • Password 
• Test Connection: Validates connectivity and credentials 
• Description

Recommended flow:

1. Fill URL and credentials (if required) 
2. Click Test Connection 
3. Click Save

B) API Source

Used to ingest IOCs from HTTP endpoints returning text or JSON.

Typical fields (Edit Source):

• Name 
• Source Type: API 
• Indicator Type: 
  • Mixed (All Types) (if multiple IOC types are included) 
  • or a specific type (ip/domain/url/hash) if the feed is single-type 
• Method: e.g., GET 
• Content Type: e.g., application/json 
• API URL 
• Headers: Add if needed (API key, auth headers, etc.) 
• Response Format: e.g., Text 
• Text Delimiter: e.g., \n (for line-by-line IOC lists) 
• Purge Period (seconds): Cache/cleanup interval (in seconds) Description

Note about Mixed sources:

If Mixed is selected, the system determines the IOC type from the content/format rules, and entries may appear as Type: mixed in the list view.

Viewing Ingested IOCs (Source Details)

Using the “view/list” action on a source row, you can display the ingested IOC entries.

The detail page typically shows:

• Indicator (IOC value: IP, domain, etc.) 
• Type (mixed/ip/domain/url/hash)

How TI Enrichment Works

When a log event is processed and a match is found in an active TI source, Logsign automatically enriches the log with threat intelligence data. This section explains which fields are used for matching, which fields are populated, and how multiple matches are handled.

Matched and Enriched Fields

TI enrichment operates in two layers:
Fixed (always populated on a match):

Additional fields (configurable via updateFields): Beyond the fixed fields above, enrichment rules can be configured to populate additional log fields. For example:

External.ThreatType  
External.ThreatInfo  
External.ListID

The following table shows which source column is used for matching per IOC type, and which fields are populated upon a successful match:

External.IP is derived from Source.IP or Destination.IP, depending on which one is identified as the external address.

Handling Multiple Simultaneous Matches

If two or more TI sources match on the same target field (e.g., Intelligence.IP), only the first match based on priority order is applied subsequent matches for that field are ignored.

However, if the matching applies to different fields (e.g., one rule matches on IP and another on domain), both enrichments can occur simultaneously. To enable this, two separate rules must be defined in the bucket each writing to its own target field:

"updateFields": [
 {
   "field": "Intelligence.IP",
   "type": "ip",
   "description": "External.IP",
   "value": "$value[External.IP]"
 },
 {
   "field": "Intelligence.Domain",
   "type": "string",
   "description": "Destination.Domain",
   "value": "$value[Destination.Domain]"
 }
]

Note: Priority order (set in the Source List) determines which TI source wins when multiple sources match the same field. See the Priority Order Behavior section above.

Supported Indicator Types and Custom Values

TI enrichment is not limited to IP, domain, hash, and URL. Supported values vary by source type: