Threat Intelligence Director-Management Center Action Prioritization
If Threat Intelligence Director (TID) observable actions conflict with management center policy actions, the system prioritizes actions as follows, highest priority first:

- Security Intelligence Do Not Block
- TID Block
- Security Intelligence Block
- TID Monitor
- Security Intelligence Monitor
Specifically:
| Setting: Security Intelligence Action | Setting: Threat Intelligence Director Observable Action | Threat Intelligence Director Incidents Field: Action Taken | Security Intelligence Events Field: Action | Security Intelligence Events Field: Security Intelligence Category | Security Intelligence Events Field: Reason |
|---|---|---|---|---|---|
| Do Not Block | Monitor or Block | No TID incident | No Security Intelligence event | | |
| Block | Monitor | Blocked | Block | As determined by system analysis; see Security Intelligence Categories | URL Block |
| Block | Block | Blocked | Block | TID URL Block | URL Block |
| Monitor | Monitor | Monitored | Determined by access control rules processed after Security Intelligence and TID | TID URL Monitor | URL Monitor |
| Monitor | Block | Blocked | Block | TID URL Block | URL Block |
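The precedence list above, encoded as a decision procedure and checked against the URL table, as an added example that is not part of the Cisco documentation. It assumes the five-entry precedence list decides every URL row (the page's IP table differs in one cell, so the example makes no claim about it); the observable names and list assignments in SAMPLE are constructed, and silent_gaps is a hypothetical helper that flags TID Block observables a Security Intelligence Do Not Block list would exempt without any incident or event.

```python
from dataclasses import dataclass

# Precedence from the page, highest first: the first configured entry wins.
PRIORITY = [("SI", "Do Not Block"), ("TID", "Block"), ("SI", "Block"),
            ("TID", "Monitor"), ("SI", "Monitor")]
ACL_DECIDES = ("Determined by access control rules processed after "
               "Security Intelligence and TID")

@dataclass(frozen=True)
class Outcome:
    winner: str            # setting that decided the verdict
    tid_action_taken: str  # TID Incidents field "Action Taken"
    si_action: str         # Security Intelligence event field "Action"
    si_category: str       # Security Intelligence event field "Security Intelligence Category"
    si_reason: str         # Security Intelligence event field "Reason"

def resolve(si_action: str, tid_action: str, kind: str = "URL") -> Outcome:
    """Expected incident/event fields for one URL matched by both settings.
    kind only feeds the category/reason names; the values reproduce the page's URL table."""
    if si_action not in ("Do Not Block", "Block", "Monitor") or tid_action not in ("Monitor", "Block"):
        raise ValueError("unknown action")
    configured = {("SI", si_action), ("TID", tid_action)}
    winner = next(p for p in PRIORITY if p in configured)
    if winner == ("SI", "Do Not Block"):
        # Highest priority: the observable is never evaluated, so nothing is logged at all.
        return Outcome("SI Do Not Block", "No TID incident", "No Security Intelligence event", "", "")
    if winner == ("TID", "Block"):
        return Outcome("TID Block", "Blocked", "Block", f"TID {kind} Block", f"{kind} Block")
    if winner == ("SI", "Block"):
        return Outcome("SI Block", "Blocked", "Block",
                       "as determined by system analysis", f"{kind} Block")
    # Only TID Monitor can remain: both settings Monitor, and TID Monitor outranks SI Monitor.
    return Outcome("TID Monitor", "Monitored", ACL_DECIDES, f"TID {kind} Monitor", f"{kind} Monitor")

def silent_gaps(entries):
    """Observables a TID source marks Block that yield neither a TID incident nor an
    SI event, because a Security Intelligence Do Not Block list exempts them (hypothetical helper)."""
    return [obs for obs, si, tid in entries
            if tid == "Block" and resolve(si, tid).tid_action_taken == "No TID incident"]

# Constructed sample: (observable, Security Intelligence list action, TID observable action).
SAMPLE = [
    ("bad.example/dropper", "Block", "Block"),
    ("partner.example/portal", "Do Not Block", "Block"),  # exempted: no incident, no event
    ("cdn.example/lib.js", "Monitor", "Monitor"),
    ("old.example/c2", "Do Not Block", "Monitor"),        # not a gap: TID only monitors it
]

if __name__ == "__main__":
    for obs, si, tid in SAMPLE:
        print(obs, resolve(si, tid))
    print("TID Block observables that will never surface:", silent_gaps(SAMPLE))
```

The exempted observables are worth reviewing, because a Do Not Block entry hides a TID block from both the Incidents page and the Security Intelligence events.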
| Setting: Security Intelligence Action | Setting: Threat Intelligence Director Observable Action | Threat Intelligence Director Incidents Field: Action Taken | Security Intelligence Events Field: Action | Security Intelligence Events Field: Security Intelligence Category | Security Intelligence Events Field: Reason |
|---|---|---|---|---|---|
| Do Not Block | Monitor or Block | No TID incident | No Security Intelligence event | | |
| Block | Monitor | No TID incident | Block | As determined by system analysis; see Security Intelligence Categories | IP Block |
| Block | Block | Blocked | Block | TID IPv4 Block / TID IPv6 Block | IP Block |
| Monitor | Monitor | Monitored | Determined by access control rules processed after Security Intelligence and TID | TID IPv4 Monitor / TID IPv6 Monitor | IP Monitor |
| Monitor | Block | Blocked | Block | TID IPv4 Block / TID IPv6 Block | IP Block |
| Setting: DNS Policy Action | Setting: Threat Intelligence Director Domain Name Observable Action | Threat Intelligence Director Incidents Field: Action Taken | Security Intelligence Events Field: Action | Security Intelligence Events Field: Security Intelligence Category | Security Intelligence Events Field: Reason |
|---|---|---|---|---|---|
| Do Not Block | Monitor or Block | No TID incident | No Security Intelligence event | | |
| Drop, Domain Not Found, Sinkhole—Log, or Sinkhole—Block and Log | Monitor | Blocked | Block | As determined by system analysis; see Security Intelligence Categories | DNS Block |
| Drop, Domain Not Found, Sinkhole—Log, or Sinkhole—Block and Log | Block | Blocked | Block | TID Domain Name Block | DNS Block |
| Monitor | Monitor | Monitored | Determined by access control rules processed after Security Intelligence and TID | TID Domain Name Monitor | DNS Monitor |
| Monitor | Block | Blocked | Block | TID Domain Name Block | DNS Block |
| File Disposition | Threat Intelligence Director SHA-256 Observable Action | Action Taken in Threat Intelligence Director Incidents | Action in File Events | Action in Malware Events |
|---|---|---|---|---|
| Clean | Monitor or Block | Monitored | Malware Cloud Lookup | n/a |
| Malware | Monitor or Block | Monitored | Malware Cloud Lookup | n/a |
| Custom | Monitor or Block | Monitored | | |
| Unknown | Monitor or Block | Monitored | Malware Cloud Lookup | n/a |

Note: Threat Intelligence Director matching occurs before the system sends a file for dynamic analysis.
| File Disposition | Threat Intelligence Director SHA-256 Observable Action | Action Taken in Threat Intelligence Director Incidents | Action in File Events | Action in Malware Events |
|---|---|---|---|---|
| Clean or Unknown | Monitor | Monitored | Malware Cloud Lookup | n/a |
| Clean or Unknown | Block | Blocked | | TID Block. Modified file disposition is Custom. |
| Malware or Custom | Monitor | Blocked | Block Malware | Block Malware |
| Malware or Custom | Block | Blocked | | TID Block. Modified file disposition is Custom. |