Threat Intelligence Feature Overview
F5 Distributed Cloud App Infrastructure Protection (AIP)'s Threat Intelligence feature correlates the outgoing and incoming IPs out of the host with the Distributed Cloud AIP curated IP list from various sources.
IP Source List
Configuration Steps
The default threat intelligence rule captures outgoing traffic (type=“connect”) and generates a Severity 1 alert.
To configure this rule:
- Under Rulesets, enable the Threat Intelligence rule. If you do not see this ruleset, contact Support.
- Tweak the rule for the right severities and filters (for example, if you want to add capture incoming traffic as well and change severities on that).
- Associate the rule set with the servers on which you want to see alerts.
Create a New Threat Intelligence Rule
You can create custom threat intelligence rules (click add new threat intelligence rule) based on the filter keys below:
- network event types
(type = “connect”ortype = “accept”) - threatintel_source: The fields here are
- tscommercial
- threatintel_reason
- scanning host
- spamming host
- malicious host
- threatintel_type
- IP
A custom filter might look like type=“connect” and threatintel_reason=“malicious host”
Select aggregations for the alert title to work.
Example:
Result Types
Threat Intelligence features in two places: alerts and events.
Events
Distributed Cloud AIP generates an event of type threatintel (event_type="threatintel") when there is a IP match with any of the bad IP lists. The event includes information on whether the connections is a inbound or outbound, the source of the threat intelligence and the reason. You can search for any of the corresponding fields illustrated in the examples below.
Alerts
Alerts generate if there is a match to the ruleset.
Contributing Events
After you click on the alert, you see the contributing event and details related to the match, including the source, the reason, and the type.