This screen displays alerts produced by MOREAL based on Threat Intelligence accumulated in ThreatDB.
ThreatDB alerts are generated when a traffic event contains an IP (either source_IP or destination_IP) that is currently included in our ThreatDB and is therefore considered malicious based on aggregated crowd-sourced Security Intelligence. For more information, refer to the ThreatDB Advancements article.
Our logic also accounts for multi-zone topologies, which may not be known in advance. In such cases, the time ordering of traffic events that belong to the same incident but are reported by different devices can vary, depending on the zone each device belongs to and the latency with which it forwards the related events to MOREAL. Taking this into account, we generate an alert only if no related blocked traffic event has occurred. As soon as a related blocked traffic event arrives from the zones of the given branch/subnetwork, the alert is no longer shown in the relevant screens.
The alerts screen filtered to show only ThreatDB alerts
A ThreatDB alert contains:
The alert overview page provides extra information for the generated alert and links to the relevant events. For ThreatDB alerts in particular, it also includes information about the open-source intelligence feeds from which this indicator was retrieved.
Example of a ThreatDB Alert (overview)
This feature allows an organization's super admin users to configure ThreatDB alert generation according to their preferences for public IPs that they do not consider malicious. More specifically, it lets the user declare IPs that should be ignored by the ThreatDB alert generation process. The functionality is available via a button in the Organizations screen under the Manage main-menu option. All declared IPs are omitted from the ThreatDB alert generation process starting from the next calendar day, when ThreatDB and the relevant event processing are updated with new threats and with changes to custom preferences.
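The generation and suppression rules described above (indicator match on source or destination IP, suppression when a related blocked event exists regardless of timestamp order) together with the next-calendar-day activation of whitelisted IPs, as an added Python example. This is illustrative code written for this page, not MOREAL's own implementation. It assumes ThreatDB can be modelled as a lookup from indicator to the feeds it came from, and that "related" events are those from the same zone that matched the same indicator; both are simplifications, and the sample events, feed names and IPs are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address


@dataclass(frozen=True)
class TrafficEvent:
    event_id: str
    ts: int          # device-reported epoch seconds; not reliable for ordering across zones
    device: str
    zone: str        # branch / subnetwork the reporting device belongs to
    src_ip: str
    dst_ip: str
    blocked: bool


@dataclass(frozen=True)
class WhitelistEntry:
    ip: str
    description: str
    added_on: date   # entry takes effect on the next calendar day


# Constructed ThreatDB snapshot: indicator -> feeds it was retrieved from (not real intel).
THREATDB = {
    "203.0.113.10": ("feed-a", "feed-b"),
    "198.51.100.7": ("feed-c",),
}

PROCESSING_DAY = date(2024, 1, 10)
NEXT_DAY = PROCESSING_DAY + timedelta(days=1)

# Constructed whitelist: one entry already active, one added today and not yet effective.
WHITELIST = [
    WhitelistEntry("198.51.100.7", "partner scanner, reviewed", date(2024, 1, 9)),
    WhitelistEntry("203.0.113.10", "CDN edge, reviewed", PROCESSING_DAY),
]

# Constructed traffic events from several devices and zones, deliberately out of time order.
SAMPLE_EVENTS = [
    TrafficEvent("e1", 100, "fw-1", "branch-1", "10.0.1.5", "203.0.113.10", False),
    TrafficEvent("e2", 90, "proxy-1", "branch-1", "10.0.1.5", "203.0.113.10", False),
    TrafficEvent("e3", 200, "fw-2", "branch-2", "10.0.2.9", "203.0.113.10", False),
    TrafficEvent("e4", 150, "ids-2", "branch-2", "10.0.2.9", "203.0.113.10", True),
    TrafficEvent("e5", 300, "fw-1", "branch-1", "198.51.100.7", "10.0.1.20", False),
    TrafficEvent("e6", 310, "fw-1", "branch-1", "10.0.1.21", "192.0.2.44", False),
]


def normalize(ip: str) -> str:
    """Canonical textual form, so '203.0.113.010'-style input cannot bypass a lookup."""
    return str(ip_address(ip.strip()))


def active_whitelist(entries, processing_day):
    """Whitelisted IPs that are in force on processing_day (effective the day after they were added)."""
    return {normalize(e.ip) for e in entries if e.added_on + timedelta(days=1) <= processing_day}


def matched_indicator(ev, threatdb, whitelist):
    """Return the ThreatDB indicator found in either IP of the event, unless it is whitelisted."""
    for ip in (ev.src_ip, ev.dst_ip):
        ip = normalize(ip)
        if ip in threatdb and ip not in whitelist:
            return ip
    return None


def generate_threatdb_alerts(events, threatdb, whitelist_entries, processing_day):
    whitelist = active_whitelist(whitelist_entries, processing_day)
    groups = {}  # (zone, indicator) -> events from any device in that zone for that indicator
    for ev in events:
        ind = matched_indicator(ev, threatdb, whitelist)
        if ind is not None:
            groups.setdefault((ev.zone, ind), []).append(ev)

    alerts = []
    for (zone, ind), evs in sorted(groups.items()):
        # A related blocked event suppresses the alert no matter which device reported it
        # or whether its timestamp is earlier or later than the allowed events.
        if any(e.blocked for e in evs):
            continue
        alerts.append({
            "zone": zone,
            "indicator": ind,
            "feeds": threatdb[ind],               # shown on the alert overview page
            "events": sorted(e.event_id for e in evs),
        })
    return alerts


def example_alerts(processing_day=PROCESSING_DAY):
    return generate_threatdb_alerts(SAMPLE_EVENTS, THREATDB, WHITELIST, processing_day)


if __name__ == "__main__":
    for day in (PROCESSING_DAY, NEXT_DAY):
        print(day, example_alerts(day))
```

Run on the constructed input for 2024-01-10, only branch-1 alerts on 203.0.113.10 (events e1 and e2 from two devices): branch-2 is suppressed by the blocked event e4 even though e4 carries an earlier timestamp than e3, 198.51.100.7 is already whitelisted, and e6 matches nothing. Run for the next day, the 203.0.113.10 entry added on 2024-01-10 becomes active as well and no alert is produced.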
The ThreatDB “Whitelisted IPs” button in the organization management page
Adding a new whitelisted IP
Adding a new whitelisted IP is straightforward: enter the IP address and a description for future reference in the provided form.
New whitelisted IP form