
ThreatDB alerts

This screen displays alerts produced by MOREAL based on Threat Intelligence accumulated in ThreatDB.

ThreatDB alerts are generated when a traffic event contains an IP (either source_IP or destination_IP) that is currently included in our ThreatDB and is therefore considered malicious based on aggregated crowd-sourced security intelligence. For more information, refer to the ThreatDB Advancements article.

Our logic also accounts for multi-zone topologies, which may not be known in advance. In such cases, the time ordering of traffic events that belong to the same incident but are reported by different devices may vary, depending on the zone each device belongs to and the latency with which it communicates the related events to MOREAL. Taking these observations into account, we generate an alert only if no related blocked traffic events have occurred. However, as soon as a related blocked traffic event is received from within the zones of the given branch/subnetwork, the alert stops being shown on the relevant screens.

The alerts screen filtered to show only ThreatDB alerts

A ThreatDB alert contains:

  • A default title “ThreatDB Blacklisted IP”
  • A timestamp which indicates when the underlying activity occurred
  • The number of times the specific alert occurred during the last calendar day (UTC, 24 hours)
  • The organization in which the incident took place
  • The branch (sub-organization) in which the incident took place
  • A description that includes:
    • The IP reported by our ThreatDB
    • The originating country of the reported IP
    • The AS number the reported IP belongs to
    • The first occurrence date and timestamp
    • A default mitigation suggestion

Alert Overview

The alert overview page provides extra information about the generated alert and links to the relevant events. For ThreatDB alerts in particular, it also includes information about the open-source intelligence feeds from which this indicator was retrieved.

Example of a ThreatDB Alert (overview)

Personalised ThreatDB whitelisting

This feature allows an organization's super admin users to configure ThreatDB alert generation according to their preferences with respect to public IPs that they do not consider malicious. More specifically, it enables the user to declare IPs that should not be taken into account in the ThreatDB alert generation process. This functionality is provided by the corresponding button in the Organizations screen under the Manage main-menu option. All declared IPs are omitted from the ThreatDB alert generation process starting from the next calendar day, when ThreatDB and the relevant event processing are updated with new threats and with changes to custom preferences.
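The following is an added example, not MOREAL's own code, that models the alert logic described on this page: an alert is raised for each (organization, branch, listed IP) whose traffic events on a given UTC day match ThreatDB, it is suppressed when any related blocked event exists in that branch (so a blocked event arriving later from another zone still cancels it), and whitelisted IPs are skipped. The ThreatDB entries, the traffic events and the mitigation text are all constructed sample data using RFC 5737 documentation addresses; the field names and the choice of the most recent event as the alert timestamp are assumptions.

```python
"""Added example (not MOREAL's code): a minimal model of ThreatDB alert generation,
incident suppression by blocked events, and personalised whitelisting."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

# Constructed ThreatDB sample (RFC 5737 documentation IPs, not real indicators).
# Per-IP metadata mirrors what the alert description carries: country and AS number,
# plus the feeds shown on the alert overview page.
THREATDB = {
    "198.51.100.23": {"country": "XX", "asn": 64496, "feeds": ["feed-a", "feed-b"]},
    "203.0.113.9":   {"country": "YY", "asn": 64497, "feeds": ["feed-a"]},
    "192.0.2.77":    {"country": "ZZ", "asn": 64498, "feeds": ["feed-c"]},
}

# Assumed default mitigation wording; the product's actual text is not reproduced here.
DEFAULT_MITIGATION = "Review and block traffic to/from this IP at the perimeter."


@dataclass(frozen=True)
class TrafficEvent:
    ts: datetime      # UTC timestamp of the traffic event
    org: str          # organization the event belongs to
    branch: str       # branch / sub-organization (zone) that reported it
    src_ip: str
    dst_ip: str
    blocked: bool     # True if the reporting device blocked the traffic


def threatdb_match(event: TrafficEvent, threatdb: Dict[str, dict]) -> Optional[str]:
    """Return the ThreatDB-listed IP in the event (source or destination), if any."""
    for ip in (event.src_ip, event.dst_ip):
        if ip in threatdb:
            return ip
    return None


def generate_threatdb_alerts(events: Iterable[TrafficEvent], threatdb: Dict[str, dict],
                             whitelist: Set[str], day: date) -> List[dict]:
    """Build ThreatDB alerts for one UTC calendar day.

    One alert per (organization, branch, listed IP). An incident with any related
    blocked event in the branch is suppressed, regardless of event ordering, which
    covers the multi-zone case where the blocked event is reported later.
    Whitelisted IPs are excluded from the process entirely.
    """
    incidents = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts.astimezone(timezone.utc).date() != day:
            continue                      # outside the calendar day being evaluated
        ip = threatdb_match(ev, threatdb)
        if ip is None or ip in whitelist:
            continue                      # benign event, or IP whitelisted by the org
        incidents[(ev.org, ev.branch, ip)].append(ev)

    alerts = []
    for (org, branch, ip), evs in incidents.items():
        if any(e.blocked for e in evs):
            continue                      # related blocked traffic exists: no alert
        meta = threatdb[ip]
        alerts.append({
            "title": "ThreatDB Blacklisted IP",
            "timestamp": evs[-1].ts.isoformat(),   # most recent occurrence (assumption)
            "occurrences": len(evs),
            "organization": org,
            "branch": branch,
            "description": {
                "ip": ip,
                "country": meta["country"],
                "asn": meta["asn"],
                "first_occurrence": evs[0].ts.isoformat(),
                "mitigation": DEFAULT_MITIGATION,
            },
            "feeds": meta["feeds"],
        })
    return alerts


def _utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed traffic events for one organization with two branches.
SAMPLE_DAY = date(2024, 5, 1)
WHITELIST = {"192.0.2.77"}
SAMPLE_EVENTS = [
    TrafficEvent(_utc(2024, 5, 1, 10, 0), "org-a", "hq", "198.51.100.23", "10.0.0.5", False),
    TrafficEvent(_utc(2024, 5, 1, 10, 5), "org-a", "hq", "10.0.0.7", "198.51.100.23", False),
    TrafficEvent(_utc(2024, 5, 1, 11, 0), "org-a", "branch-2", "203.0.113.9", "10.1.0.4", False),
    TrafficEvent(_utc(2024, 5, 1, 11, 2), "org-a", "branch-2", "10.1.0.4", "203.0.113.9", True),
    TrafficEvent(_utc(2024, 5, 1, 12, 0), "org-a", "hq", "192.0.2.77", "10.0.0.5", False),
    TrafficEvent(_utc(2024, 4, 30, 23, 59), "org-a", "hq", "198.51.100.23", "10.0.0.5", False),
    TrafficEvent(_utc(2024, 5, 1, 13, 0), "org-a", "hq", "10.0.0.1", "10.0.0.2", False),
]

if __name__ == "__main__":
    for alert in generate_threatdb_alerts(SAMPLE_EVENTS, THREATDB, WHITELIST, SAMPLE_DAY):
        print(alert)
```

Run as written, the sample yields a single alert for 198.51.100.23 in branch "hq" with two occurrences: the 203.0.113.9 incident is suppressed by the blocked event that arrives two minutes after the allowed one, the whitelisted 192.0.2.77 is never evaluated, and the event from the previous UTC day is not counted.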

The ThreatDB “Whitelisted IPs” button in the organization management page

Adding a new whitelisted IP

Adding a new whitelisted IP is straightforward: just enter the IP address and a description for future reference in the provided form.

New whitelisted IP form