When creating or editing a custom list or a Threat Insight list, you can assign a custom threat level and confidence score to the list. By default, when a custom list is created, the threat level is set to Info with a confidence score of High. For a Threat Insight list, the default threat level is set to High while the confidence score is set to Low. Assigning a customer-defined threat level and confidence score overrides both default values.

Any customer-defined threat level and confidence scores will replace the default values and will be reflected in reports generated within the Cloud Services Platform. They are also reflected in log reports pulled from the Cloud Services Platform, in the results of an API pull request, and in data uploaded to an S3 bucket. Applying a customer-defined threat level and confidence score to a list also reduces the number of alert notifications sent to your SIEM.

Creating a Custom List with Customer-Defined Threat Level and Confidence Score

To apply a customer-defined threat level and confidence score to a newly created custom list, complete the following:

  1. From the Cloud Services Portal, click Policies -> Security Policies.
  2. On the Security Policies page, click the Custom Lists tab located above the top Action bar.
  3. On the Custom Lists page, click Create at the top Action bar.
  4. On the Create a Custom List page, complete the following:
    • Custom List Name: Enter a name for the custom list. Ensure that you use a unique name for each custom list.
    • Description: Enter a brief description of the custom list.
    • Threat Rating: Select a Threat Rating level from among the following options: Info, High, Medium, and Low. The system default value for a custom list is Info. The default Threat Insight value is High.
    • Threat Confidence: Select a Threat Confidence score from among the following options: High, Low, Medium. The system default value for a custom list is Info. The default Threat Insight value is Low.
    • Domains/IP Addresses: Enter a fully qualified domain name (FQDN), a valid IPv4 address, or a CIDR that you want to include in the whitelist or blacklist that you are creating. You can enter multiple domains or IP addresses by repeating the same steps. For each domain or IP address added to a custom list, you can also add a description to improve the investigative process. When finished, press any key on your keyboard to accept the entry. To remove a domain or IP from the list, check the box to the left of the entry and then click the Remove button.
  5. Click Save & Close to save the configuration. BloxOne Threat Defense Cloud adds the custom list.
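
The Domains/IP Addresses field accepts an FQDN, an IPv4 address, or a CIDR. The following added example (not Infoblox code and not part of the original page) pre-checks a batch of entries before they are typed into a custom list. The function names and the exact rules (hostname label syntax, rejecting CIDRs with host bits set, treating duplicates as errors) are assumptions, not the portal's documented validation.

```python
import ipaddress
import re

# Assumption: a label is 1-63 letters, digits or hyphens, not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def classify_entry(entry):
    """Return 'ipv4', 'cidr' or 'fqdn' for a usable entry, else None."""
    value = entry.strip().lower().rstrip(".")
    if not value:
        return None
    if "/" in value:
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 198.51.100.7/24
            net = ipaddress.ip_network(value, strict=True)
        except ValueError:
            return None
        return "cidr" if net.version == 4 else None
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        pass
    labels = value.split(".")
    # Two or more labels and a non-numeric last label, so a malformed
    # address such as 10.0.0.256 is not mistaken for a domain name.
    if len(value) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return None
    return "fqdn" if all(_LABEL.match(label) for label in labels) else None


def check_entries(entries):
    """Split entries into (accepted, rejected); repeats are rejected."""
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        key = raw.strip().lower().rstrip(".")
        kind = classify_entry(raw)
        if kind is None:
            rejected.append((raw, "not an FQDN, IPv4 address or CIDR"))
        elif key in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(key)
            accepted.append((key, kind))
    return accepted, rejected


# Constructed sample input, using documentation-reserved names and ranges.
SAMPLE = ["example.com", "Example.COM.", "192.0.2.10", "198.51.100.0/24",
          "198.51.100.7/24", "10.0.0.256", "bad_host.example", "2001:db8::1"]
```

Calling `check_entries(SAMPLE)` returns the normalized entries that pass, plus each rejected entry with its reason, so a bulk list can be cleaned up before it is entered.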

Updating a Custom List with Customer-Defined Threat Level and Confidence Score

To update a customer-defined threat level and confidence score of a previously created custom list, complete the following:

  1. From the Cloud Services Portal, click Policies -> Security Policies.
  2. On the Security Policies page, click the Custom Lists tab located above the top Action bar.
  3. On the Custom Lists page, select the custom list you want to update and click Edit.
  4. On the Edit Custom Lists page, apply a new threat level or threat confidence level, or both.
    • Threat Rating: Select a Threat Rating level from among the following options: Info, High, Medium, and Low. The system default value for a custom list is Info. The default Threat Insight value is High.
    • Threat Confidence: Select a Threat Confidence score from among the following options: High, Low, Medium. The system default value for a custom list is Info. The default Threat Insight value is Low.
  5. Click Save & Close to save the updated configuration. 

