Threat Intelligence Director-Management Center Action Prioritization

If threat intelligence director observable actions conflict with management center policy actions, the system prioritizes actions as follows:

Security Intelligence Do Not Block
TID Block
Security Intelligence Block
TID Monitor
Security Intelligence Monitor

Specifically:

Threat Intelligence Director URL Observable Action vs. Security Intelligence Action
Setting: Security Intelligence Action	Setting: Threat Intelligence Director Observable Action	Threat Intelligence Director Incidents Field: Action Taken	Security Intelligence Events Fields:
Setting: Security Intelligence Action	Setting: Threat Intelligence Director Observable Action	Threat Intelligence Director Incidents Field: Action Taken	Action	Security Intelligence Category	Reason
`Do Not Block`	`Monitor` or `Block`	No TID incident	No Security Intelligence event
`Block`	`Monitor`	`Blocked`	`Block`	as determined by system analysis; see Security Intelligence Categories	`URL Block`
`Block`	`Block`	`Blocked`	`Block`	`TID URL Block`	`URL Block`
`Monitor`	`Monitor`	`Monitored`	Determined by access control rules processed after Security Intelligence and TID.	`TID URL Monitor`	`URL Monitor`
`Monitor`	`Block`	`Blocked`	`Block`	`TID URL Block`	`URL Block`

Threat Intelligence Director IPv4/IPv6 Observable Action vs. Security Intelligence Action
Setting: Security Intelligence Action	Setting: Threat Intelligence Director Observable Action	Threat Intelligence Director Incidents Field: Action Taken	Security Intelligence Events Fields:
Setting: Security Intelligence Action	Setting: Threat Intelligence Director Observable Action	Threat Intelligence Director Incidents Field: Action Taken	Action	Security Intelligence Category	Reason
`Do Not Block`	`Monitor` or `Block`	No TID incident	No Security Intelligence event
`Block`	`Monitor`	No TID incident	`Block`	as determined by system analysis; see Security Intelligence Categories	`IP Block`
`Block`	`Block`	`Blocked`	`Block`	`TID IPv4 Block` `TID IPv6 Block`	`IP Block`
`Monitor`	`Monitor`	`Monitored`	Determined by access control rules processed after Security Intelligence and TID.	`TID IPv4 Monitor` `TID IPv6 Monitor`	`IP Monitor`
`Monitor`	`Block`	`Blocked`	`Block`	`TID IPv4 Block` `TID IPv6 Block`	`IP Block`

Threat Intelligence Director Domain Name Observable Action vs. DNS Policy Action
Setting: DNS Policy Action	Setting: Threat Intelligence Director Domain Name Observable Action	Threat Intelligence Director Incidents Field: Action Taken	Security Intelligence Events Fields:
Setting: DNS Policy Action		Threat Intelligence Director Incidents Field: Action Taken	Action	Security Intelligence Category	Reason
`Do Not Block`	`Monitor` or `Block`	No TID incident	No Security Intelligence event
`Drop`, `Domain Not Found` `Sinkhole—Log` `Sinkhole—Block and Log`	`Monitor`	`Blocked`	`Block`	as determined by system analysis; see Security Intelligence Categories	`DNS Block`
	`Block`	`Blocked`	`Block`	`TID Domain Name Block`	`DNS Block`
`Monitor`	`Monitor`	`Monitored`	Determined by access control rules processed after Security Intelligence and TID.	`TID Domain Name Monitor`	`DNS Monitor`
`Monitor`	`Block`	`Blocked`	`Block`	`TID Domain Name Block`	`DNS Block`

TID SHA-256 Observable Action vs. Malware Cloud Lookup File Policy
File Disposition	Threat Intelligence Director SHA-256 Observable Action	Action Taken in Threat Intelligence Director Incidents	Action in File Events	Action in Malware Events
`Clean`	`Monitor` or `Block`	`Monitored`	`Malware Cloud Lookup`	n/a
`Malware`	`Monitor` or `Block`	`Monitored`	`Malware Cloud Lookup`	n/a
`Custom`	`Monitor` or `Block`	`Monitored`	`Malware Cloud Lookup`, if SHA-256 is not in a custom detection list. `Custom Detection`, if SHA-256 is in a custom detection list.	`Malware Cloud Lookup`, if SHA-256 is not in a custom detection list. `Custom Detection`, if SHA-256 is in a custom detection list.
`Unknown`	`Monitor` or `Block`	`Monitored`	`Malware Cloud Lookup`	n/a

Note	Threat Intelligence Director matching occurs before the system sends a file for dynamic analysis.

TID SHA-256 Observable Action vs. Block Malware File Policy
File Disposition	Threat Intelligence Director SHA-256 Observable Action	Action Taken in Threat Intelligence Director Incidents	Action in File Events	Action in Malware Events
`Clean` or `Unknown`	`Monitor`	`Monitored`	`Malware Cloud Lookup`	n/a
`Clean` or `Unknown`	`Block`	`Blocked`	`TID Block`, if SHA-256 is not in a custom detection list. Modified file disposition is `Custom`. `Custom Detection Block`, if SHA-256 is in a custom detection list.	`TID Block` Modified file disposition is `Custom`.
`Malware` or `Custom`	`Monitor`	`Blocked`	`Block Malware`	`Block Malware`
`Malware` or `Custom`	`Block`	`Blocked`	`TID Block`, if SHA-256 is not in a custom detection list. Modified file disposition is `Custom`. `Custom Detection Block`, if SHA-256 is in a custom detection list.	`TID Block` Modified file disposition is `Custom`.