Threat Intelligence Director-Management Center Action Prioritization

If Threat Intelligence Director (TID) observable actions conflict with management center policy actions, the system prioritizes actions as follows, highest priority first:

  • Security Intelligence Do Not Block

  • TID Block

  • Security Intelligence Block

  • TID Monitor

  • Security Intelligence Monitor

Specifically:

Threat Intelligence Director URL Observable Action vs. Security Intelligence Action

| Security Intelligence Action (setting) | TID Observable Action (setting) | TID Incidents: Action Taken | Security Intelligence Events: Action | Security Intelligence Events: Security Intelligence Category | Security Intelligence Events: Reason |
|---|---|---|---|---|---|
| Do Not Block | Monitor or Block | No TID incident | No Security Intelligence event | | |
| Block | Monitor | Blocked | Block | as determined by system analysis; see Security Intelligence Categories | URL Block |
| Block | Block | Blocked | Block | TID URL Block | URL Block |
| Monitor | Monitor | Monitored | Determined by access control rules processed after Security Intelligence and TID. | TID URL Monitor | URL Monitor |
| Monitor | Block | Blocked | Block | TID URL Block | URL Block |

Threat Intelligence Director IPv4/IPv6 Observable Action vs. Security Intelligence Action

| Security Intelligence Action (setting) | TID Observable Action (setting) | TID Incidents: Action Taken | Security Intelligence Events: Action | Security Intelligence Events: Security Intelligence Category | Security Intelligence Events: Reason |
|---|---|---|---|---|---|
| Do Not Block | Monitor or Block | No TID incident | No Security Intelligence event | | |
| Block | Monitor | No TID incident | Block | as determined by system analysis; see Security Intelligence Categories | IP Block |
| Block | Block | Blocked | Block | TID IPv4 Block or TID IPv6 Block | IP Block |
| Monitor | Monitor | Monitored | Determined by access control rules processed after Security Intelligence and TID. | TID IPv4 Monitor or TID IPv6 Monitor | IP Monitor |
| Monitor | Block | Blocked | Block | TID IPv4 Block or TID IPv6 Block | IP Block |

Threat Intelligence Director Domain Name Observable Action vs. DNS Policy Action

| DNS Policy Action (setting) | TID Domain Name Observable Action (setting) | TID Incidents: Action Taken | Security Intelligence Events: Action | Security Intelligence Events: Security Intelligence Category | Security Intelligence Events: Reason |
|---|---|---|---|---|---|
| Do Not Block | Monitor or Block | No TID incident | No Security Intelligence event | | |
| Drop; Domain Not Found; Sinkhole—Log; Sinkhole—Block and Log | Monitor | Blocked | Block | as determined by system analysis; see Security Intelligence Categories | DNS Block |
| Drop; Domain Not Found; Sinkhole—Log; Sinkhole—Block and Log | Block | Blocked | Block | TID Domain Name Block | DNS Block |
| Monitor | Monitor | Monitored | Determined by access control rules processed after Security Intelligence and TID. | TID Domain Name Monitor | DNS Monitor |
| Monitor | Block | Blocked | Block | TID Domain Name Block | DNS Block |
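The following is an added example, not code from Cisco or from the management center. It encodes the precedence list given at the top of this page (Security Intelligence Do Not Block, then TID Block, then Security Intelligence Block, then TID Monitor, then Security Intelligence Monitor) and derives from it the "Action Taken" and Security Intelligence event fields that the URL, IPv4/IPv6 and domain-name tables show. The function names, the `Outcome` fields and the `"url"`/`"ipv4"`/`"ipv6"`/`"domain"` observable keys are assumptions made for this example; the field values are the ones the tables use.

```python
"""Resolve a conflict between a management center policy action and a
Threat Intelligence Director (TID) observable action.

Added example (not Cisco code). Encodes the documented precedence:
  SI Do Not Block > TID Block > SI Block > TID Monitor > SI Monitor
and derives the fields the URL, IPv4/IPv6 and domain-name tables list.
"""
from dataclasses import dataclass

# Precedence, highest first. On the policy side, "Block" stands for the
# Security Intelligence Block action or for any blocking DNS policy action.
PRECEDENCE = [
    ("policy", "Do Not Block"),
    ("tid", "Block"),
    ("policy", "Block"),
    ("tid", "Monitor"),
    ("policy", "Monitor"),
]

# DNS policy actions that the domain-name table treats as a block.
DNS_BLOCKING_ACTIONS = {"Drop", "Domain Not Found", "Sinkhole—Log", "Sinkhole—Block and Log"}

# Per observable type (keys assumed for this example): prefix used in the
# "Reason" field and prefix used in the "Security Intelligence Category" field.
OBSERVABLE = {
    "url": ("URL", "TID URL"),
    "ipv4": ("IP", "TID IPv4"),
    "ipv6": ("IP", "TID IPv6"),
    "domain": ("DNS", "TID Domain Name"),
}

CATEGORY_BY_ANALYSIS = "as determined by system analysis; see Security Intelligence Categories"
DEFERRED_TO_ACCESS_CONTROL = ("Determined by access control rules processed "
                              "after Security Intelligence and TID.")


@dataclass(frozen=True)
class Outcome:
    winner: str            # "policy" or "tid": whose action was applied
    tid_action_taken: str  # TID Incidents > Action Taken
    si_action: str         # Security Intelligence Events > Action
    si_category: str       # Security Intelligence Events > Security Intelligence Category
    si_reason: str         # Security Intelligence Events > Reason


def normalize_policy_action(observable: str, policy_action: str) -> str:
    """Map a blocking DNS policy action onto the three-way SI vocabulary."""
    if observable == "domain" and policy_action in DNS_BLOCKING_ACTIONS:
        return "Block"
    return policy_action


def winning_action(policy_action: str, tid_action: str) -> tuple:
    """Return the highest-ranked (side, action) pair that either side configured."""
    for side, action in PRECEDENCE:
        configured = policy_action if side == "policy" else tid_action
        if configured == action:
            return side, action
    raise ValueError(f"unsupported combination: policy={policy_action!r} tid={tid_action!r}")


def resolve(observable: str, policy_action: str, tid_action: str) -> Outcome:
    """Resolve one policy/TID conflict for a URL, IPv4, IPv6 or domain observable."""
    reason_prefix, tid_prefix = OBSERVABLE[observable]
    if tid_action not in ("Block", "Monitor"):
        raise ValueError(f"TID observable action must be Block or Monitor, got {tid_action!r}")
    policy = normalize_policy_action(observable, policy_action)
    if policy not in ("Do Not Block", "Block", "Monitor"):
        raise ValueError(f"unsupported policy action {policy_action!r} for {observable}")
    side, action = winning_action(policy, tid_action)

    if (side, action) == ("policy", "Do Not Block"):
        # Do Not Block outranks everything: no TID incident and no SI event.
        return Outcome(side, "No TID incident", "No Security Intelligence event", "", "")
    if (side, action) == ("tid", "Block"):
        return Outcome(side, "Blocked", "Block", f"{tid_prefix} Block", f"{reason_prefix} Block")
    if (side, action) == ("policy", "Block"):
        # The IPv4/IPv6 table reports "No TID incident" for this row, while the
        # URL and domain-name tables report "Blocked"; reproduced as documented.
        taken = "No TID incident" if observable in ("ipv4", "ipv6") else "Blocked"
        return Outcome(side, taken, "Block", CATEGORY_BY_ANALYSIS, f"{reason_prefix} Block")
    # Only Monitor/Monitor reaches here: TID Monitor outranks SI Monitor and the
    # final verdict is left to the access control rules evaluated afterwards.
    return Outcome(side, "Monitored", DEFERRED_TO_ACCESS_CONTROL,
                   f"{tid_prefix} Monitor", f"{reason_prefix} Monitor")


if __name__ == "__main__":
    for args in (("url", "Block", "Monitor"), ("ipv4", "Block", "Monitor"),
                 ("domain", "Sinkhole—Log", "Monitor"), ("url", "Monitor", "Block")):
        print(args, "->", resolve(*args))
```

The practical check this gives a defender: a TID Monitor observable never downgrades a policy Block, and a TID Block observable only loses to an explicit Do Not Block entry, so a Do Not Block list entry silently suppresses TID incidents for that indicator.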

TID SHA-256 Observable Action vs. Malware Cloud Lookup File Policy

| File Disposition | TID SHA-256 Observable Action | Action Taken in TID Incidents | Action in File Events | Action in Malware Events |
|---|---|---|---|---|
| Clean | Monitor or Block | Monitored | Malware Cloud Lookup | n/a |
| Malware | Monitor or Block | Monitored | Malware Cloud Lookup | n/a |
| Custom | Monitor or Block | Monitored | Malware Cloud Lookup, if the SHA-256 is not in a custom detection list; Custom Detection, if the SHA-256 is in a custom detection list | Malware Cloud Lookup, if the SHA-256 is not in a custom detection list; Custom Detection, if the SHA-256 is in a custom detection list |
| Unknown | Monitor or Block | Monitored | Malware Cloud Lookup | n/a |

Note: Threat Intelligence Director matching occurs before the system sends a file for dynamic analysis.

TID SHA-256 Observable Action vs. Block Malware File Policy

| File Disposition | TID SHA-256 Observable Action | Action Taken in TID Incidents | Action in File Events | Action in Malware Events |
|---|---|---|---|---|
| Clean or Unknown | Monitor | Monitored | Malware Cloud Lookup | n/a |
| Clean or Unknown | Block | Blocked | TID Block, if the SHA-256 is not in a custom detection list (modified file disposition is Custom); Custom Detection Block, if the SHA-256 is in a custom detection list | TID Block (modified file disposition is Custom) |
| Malware or Custom | Monitor | Blocked | Block Malware | Block Malware |
| Malware or Custom | Block | Blocked | TID Block, if the SHA-256 is not in a custom detection list (modified file disposition is Custom); Custom Detection Block, if the SHA-256 is in a custom detection list | TID Block (modified file disposition is Custom) |
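The following is an added example, not Cisco code, that encodes the two SHA-256 tables as one decision function. It makes the two points the tables carry visible in code: a Malware Cloud Lookup file rule never blocks on a TID match (TID records only Monitored, whatever the observable action), whereas a Block Malware rule lets a TID Block override even a Clean disposition and, when the hash is not in a custom detection list, rewrites the disposition to Custom. The function name, the `FileOutcome` fields and the `rule_action` strings are assumptions made for this example.

```python
"""Resolve a TID SHA-256 observable action against the file rule that
matched the file (added example, not Cisco code).

rule_action is "Malware Cloud Lookup" or "Block Malware"; disposition is
the cloud lookup result; tid_action is the observable's Monitor or Block.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileOutcome:
    tid_action_taken: str                       # Action Taken in TID Incidents
    file_event_action: str                      # Action in File Events
    malware_event_action: str                   # Action in Malware Events
    modified_disposition: Optional[str] = None  # set when TID rewrites the disposition


def resolve_file(rule_action: str, disposition: str, tid_action: str,
                 in_custom_detection_list: bool = False) -> FileOutcome:
    if disposition not in ("Clean", "Malware", "Custom", "Unknown"):
        raise ValueError(f"unknown disposition {disposition!r}")
    if tid_action not in ("Block", "Monitor"):
        raise ValueError(f"TID action must be Block or Monitor, got {tid_action!r}")

    if rule_action == "Malware Cloud Lookup":
        # Lookup rules only observe; TID logs the match as Monitored and the
        # observable action (Monitor or Block) makes no difference.
        if disposition == "Custom":
            action = "Custom Detection" if in_custom_detection_list else "Malware Cloud Lookup"
            return FileOutcome("Monitored", action, action)
        return FileOutcome("Monitored", "Malware Cloud Lookup", "n/a")

    if rule_action == "Block Malware":
        if tid_action == "Block":
            # TID Block wins regardless of disposition, Clean included.
            if in_custom_detection_list:
                # The table attaches the Custom rewrite to the TID Block case only.
                return FileOutcome("Blocked", "Custom Detection Block", "TID Block")
            return FileOutcome("Blocked", "TID Block", "TID Block", modified_disposition="Custom")
        if disposition in ("Clean", "Unknown"):
            return FileOutcome("Monitored", "Malware Cloud Lookup", "n/a")
        # Malware or Custom disposition with TID Monitor: the file rule itself blocks.
        return FileOutcome("Blocked", "Block Malware", "Block Malware")

    raise ValueError(f"unsupported file rule action {rule_action!r}")


if __name__ == "__main__":
    print(resolve_file("Malware Cloud Lookup", "Clean", "Block"))   # Monitored only
    print(resolve_file("Block Malware", "Clean", "Block"))          # TID Block, disposition Custom
```

When reviewing why a TID Block observable produced no block, the first thing to check with this logic is the matching file rule's action: with a Malware Cloud Lookup rule the TID incident will say Monitored no matter how the observable is configured.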