How does threat intelligence with LEM work for Syslog traffic received from a Firewall/UTM?
Does it check IP reputation against an external threat database, or does it download and store the threat database locally on the SIEM?
If it checks against an external database, does it check every source/destination IP every time?
If it has checked the reputation of one IP once and found it good/bad, and a request from the same IP is received in, let's say, an hour or so, will it go and check with the external database again? I mean for every request.
Does it keep a cache of IP reputation? If yes, how frequently does it update?
Which external threat databases does it check against?