F5 Distributed Cloud App Infrastructure Protection (AIP)'s Threat Intelligence feature correlates the IPs of outgoing and incoming connections on a host with the curated IP list that Distributed Cloud AIP assembles from various sources.
IP Source List
The default threat intelligence rule captures outgoing traffic (type = "connect") and generates a Severity 1 alert.
To configure this rule:
- Under Rulesets, enable the Threat Intelligence ruleset. If you do not see it, contact Support.
- Adjust the rule's severities and filters as needed (for example, add a filter that also captures incoming traffic, type = "accept", and assign it a different severity).
- Associate the ruleset with the servers for which you want to see alerts.
Create a New Threat Intelligence Rule
You can create custom threat intelligence rules (click Add New Threat Intelligence Rule) based on the following filter keys:
- type: the network event type, either type = "connect" (outgoing) or type = "accept" (incoming)
- threatintel_source: the threat intelligence source, one of
  - scanning host
  - spamming host
  - malicious host
A custom filter might look like
Select aggregations for the rule so that the alert title can be generated.
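The following is an added example, not Distributed Cloud AIP code and not its rule filter syntax. It models in Python how the default rule (type = "connect", Severity 1) and a custom inbound rule (type = "accept", restricted to particular threatintel_source values) would be evaluated against threatintel events, and why a rule with no aggregation fields cannot produce an alert title. The field names event_type, type and threatintel_source come from the page; the Rule class, the threatintel_reason, src_ip, dst_ip and host fields, the severity values and the sample events are assumptions constructed for illustration.

```python
"""Illustrative evaluation of Threat Intelligence rules over threatintel events.

Added example: not F5 Distributed Cloud AIP code or rule syntax. Field names
event_type, type and threatintel_source follow the page; everything else
(Rule, threatintel_reason, src_ip, dst_ip, host, the sample events) is an
assumption made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Event = Dict[str, object]

# Constructed sample events. A threatintel event records the direction
# (connect = outbound, accept = inbound), the intel source and the reason.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "threatintel", "type": "connect", "host": "web-01",
     "dst_ip": "203.0.113.10", "threatintel_source": "malicious host",
     "threatintel_reason": "known command-and-control address"},
    {"event_type": "threatintel", "type": "accept", "host": "web-01",
     "src_ip": "198.51.100.7", "threatintel_source": "scanning host",
     "threatintel_reason": "mass scanner"},
    {"event_type": "threatintel", "type": "accept", "host": "mail-01",
     "src_ip": "198.51.100.9", "threatintel_source": "spamming host",
     "threatintel_reason": "spam relay"},
    # Ordinary network event with no intel match: never alerts.
    {"event_type": "connect", "type": "connect", "host": "web-01",
     "dst_ip": "192.0.2.50"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    severity: int
    types: FrozenSet[str]         # network event types the rule captures
    sources: FrozenSet[str]       # threatintel_source values; empty = any
    aggregations: Tuple[str, ...] # fields the alert title is built from

    def matches(self, ev: Event) -> bool:
        """True when the event is a threatintel event passing the filters."""
        if ev.get("event_type") != "threatintel":
            return False
        if ev.get("type") not in self.types:
            return False
        if self.sources and ev.get("threatintel_source") not in self.sources:
            return False
        return True

    def alert_title(self, ev: Event) -> str:
        """Build the title from the aggregation fields.

        Mirrors the requirement to select aggregations: with none selected
        there is nothing to put in the title, so this refuses to proceed.
        """
        if not self.aggregations:
            raise ValueError("rule needs at least one aggregation field")
        fields = ", ".join(f"{k}={ev.get(k)}" for k in self.aggregations)
        return f"{self.name}: {fields}"


# Default rule as described: outgoing traffic only, Severity 1, any source.
DEFAULT_RULE = Rule(
    name="Threat Intelligence (outbound)", severity=1,
    types=frozenset({"connect"}), sources=frozenset(),
    aggregations=("host", "threatintel_source"),
)

# Custom rule (assumed values): inbound connections from scanning or
# malicious hosts at Severity 2; spamming hosts are deliberately excluded.
INBOUND_RULE = Rule(
    name="Threat Intelligence (inbound)", severity=2,
    types=frozenset({"accept"}),
    sources=frozenset({"scanning host", "malicious host"}),
    aggregations=("host", "src_ip", "threatintel_source"),
)


def evaluate(rules: Iterable[Rule], events: Iterable[Event]) -> List[Dict[str, object]]:
    """Return one alert per (rule, event) match, carrying the contributing event."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                alerts.append({"severity": rule.severity,
                               "title": rule.alert_title(ev),
                               "reason": ev.get("threatintel_reason"),
                               "event": ev})
    return alerts


if __name__ == "__main__":
    for alert in evaluate([DEFAULT_RULE, INBOUND_RULE], SAMPLE_EVENTS):
        print(f"Severity {alert['severity']}: {alert['title']} ({alert['reason']})")
```

Run stand-alone, the default rule alone raises one alert (the outbound connection to the malicious host); adding the inbound rule raises a second for the scanning host, while the spamming-host connection and the ordinary connect event produce nothing.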
Threat Intelligence surfaces in two places: alerts and events.
Distributed Cloud AIP generates an event of type threatintel (event_type="threatintel") when an IP matches any of the bad IP lists. The event records whether the connection is inbound or outbound, the source of the threat intelligence, and the reason for the match. You can search on any of these fields.
An alert is generated when a threatintel event matches a rule in the ruleset.
When you click the alert, you see the contributing event and the details of the match, including the source, the reason, and the type.