moonvef.blogg.se

Otx server

USM Appliance correlates the pulse and IP Reputation data it receives from OTX with incoming events, alerting you to OTX pulse and IP Reputation-related security events and alarms when it detects IoCs interacting with assets in your environment. Such interactions might consist of malicious IPs communicating with systems, malware detected in your network, or outbound communication with command-and-control (C&C) servers.

Connecting OTX to USM Appliance helps manage risks and threats in the following ways:

  • USM Appliance detects threat updates every 30 minutes for all pulses to which you subscribe, either directly or through subscriptions to other OTX users. Note: Reputation data is updated separately from OTX pulse information.
  • You receive updates on your subscribed pulses by email, either individually as they occur or in digest mode.
  • You can review OTX pulses about related threat vectors in USM Appliance.
  • As soon as you log into USM Appliance, you can see which pulses are most active in your environment by looking at the USM Appliance Dashboards Overview.
  • USM Appliance checks OTX pulses against all NIDS events. It generates an alarm when a malicious IP address communicates with any of your assets, or when some of the other IoCs, including CIDR (IPv4 only), domain, and hostname, are detected in your network.

In a distributed environment, the USM Appliance Server replicates the OTX pulses to the connected USM Appliance Sensors through TCP port 6380. This replication is read-only, so the copy on the USM Appliance Server remains intact.

Note: When a USM Appliance Sensor is added to the USM Appliance Server, a firewall rule is created to allow OTX traffic through TCP port 6380. When the Sensor is removed, the firewall rule is deleted.

The same mechanism is used in a high availability (HA) deployment to replicate OTX pulses between nodes.

The following sections describe how IP Reputation information is collected and used in calculating risk for specific events, and how events can be filtered based on related pulse information and on specific IP Reputation levels.

OTX IP Reputation Data Correlated with Events

USM Appliance maintains an IP reputation list that stores data it receives from OTX about public IP addresses involved in malicious or other suspect activities. The main purpose of the IP reputation list is to provide a list of known or potentially dangerous IP addresses. If an alarm or event is generated by the action of a listed dangerous IP address, that event has a smaller probability of being a false positive.

The IP reputation list maintained by USM Appliance is stored on the USM Appliance Server in the /etc/ossim/server/reputation.data file. Whenever an event has its source or destination IP address listed in the IP Reputation list, reputation data is added to the data stored for the event: the Activity, Reliability, and Priority values provided by OTX are saved with the event information. This allows USM Appliance to support additional features such as reprioritization of events and alarms depending on the IP addresses of the hosts involved.
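The two matching steps described above, pulse IoC matching against NIDS events (IPv4, IPv4-only CIDR, domain and hostname indicators) and IP Reputation enrichment with reprioritization, worked through in Python as an added example. This is not code from the original page or from USM Appliance itself. The '#'-separated layout of the reputation list, the pulse structure, the event fields, the subdomain-matching rule for domain indicators and the "raise the event priority to the listed value" policy are all assumptions made for this example; the real reputation.data and pulse formats are not described on this page. All input data below is constructed.

```python
import ipaddress

# Constructed sample IP reputation list. The '#'-separated layout
# (ip#reliability#priority#activity) is an ASSUMPTION for this example;
# the real /etc/ossim/server/reputation.data format is not described on this page.
REPUTATION_DATA = """\
# ip#reliability#priority#activity   (assumed layout)
203.0.113.10#6#4#Scanning Host
198.51.100.77#9#8#C&C
"""

# Constructed pulse with the indicator kinds the text lists. The pulse
# structure is assumed; OTX's real pulse schema is not shown on this page.
PULSE = {
    "name": "Example pulse (constructed)",
    "indicators": [
        ("IPv4", "198.51.100.77"),
        ("CIDR", "203.0.113.0/24"),
        ("CIDR", "2001:db8::/32"),      # IPv6 CIDR: ignored (CIDR matching is IPv4 only)
        ("domain", "bad.example"),
        ("hostname", "c2.bad.example"),
    ],
}

# Constructed NIDS-style events carrying only the fields this example needs.
EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "198.51.100.77", "hostname": "", "priority": 2},
    {"id": 2, "src_ip": "203.0.113.99", "dst_ip": "10.0.0.8", "hostname": "", "priority": 1},
    {"id": 3, "src_ip": "10.0.0.9", "dst_ip": "192.0.2.44", "hostname": "www.bad.example", "priority": 1},
    {"id": 4, "src_ip": "10.0.0.9", "dst_ip": "192.0.2.45", "hostname": "good.example", "priority": 1},
]


def parse_reputation(text):
    """Map each listed IP to its reliability, priority and activity (assumed layout)."""
    rep = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, reliability, priority, activity = line.split("#", 3)
        rep[ip] = {"reliability": int(reliability), "priority": int(priority), "activity": activity}
    return rep


def compile_pulse(pulse):
    """Split a pulse into IPv4 networks (single IPs as /32) and lower-cased names."""
    nets, names = [], set()
    for kind, value in pulse["indicators"]:
        if kind == "IPv4":
            nets.append(ipaddress.ip_network(value + "/32"))
        elif kind == "CIDR":
            net = ipaddress.ip_network(value, strict=False)
            if net.version == 4:        # CIDR indicators are matched for IPv4 only
                nets.append(net)
        elif kind in ("domain", "hostname"):
            names.add(value.lower().rstrip("."))
    return nets, names


def name_matches(hostname, names):
    """Return the indicator a hostname hits: exact match or subdomain (assumed rule)."""
    h = hostname.lower().rstrip(".")
    if not h:
        return None
    for n in names:
        if h == n or h.endswith("." + n):
            return n
    return None


def enrich(event, rep):
    """Attach reputation data for a listed source or destination IP and reprioritize.
    Raising the event priority to the list's value is an assumed policy."""
    out = dict(event)
    for side in ("src_ip", "dst_ip"):
        r = rep.get(event[side])
        if r is not None:
            out[side + "_reputation"] = r
            out["priority"] = max(out["priority"], r["priority"])
    return out


def correlate(events, rep, pulse):
    """Enrich every event and raise one alarm per event that hits a pulse indicator."""
    nets, names = compile_pulse(pulse)
    enriched, alarms = [], []
    for ev in events:
        ev = enrich(ev, rep)
        hits = []
        for side in ("src_ip", "dst_ip"):
            addr = ipaddress.ip_address(ev[side])
            if addr.version == 4 and any(addr in net for net in nets):
                hits.append(f"{side}={ev[side]}")
        matched = name_matches(ev["hostname"], names)
        if matched:
            hits.append(f"hostname={ev['hostname']} under {matched}")
        if hits:
            alarms.append({"event_id": ev["id"], "pulse": pulse["name"], "hits": hits})
        enriched.append(ev)
    return enriched, alarms


if __name__ == "__main__":
    enriched, alarms = correlate(EVENTS, parse_reputation(REPUTATION_DATA), PULSE)
    for ev in enriched:
        print(ev)
    for alarm in alarms:
        print("ALARM", alarm)
```

Event 1 is both enriched (its destination is on the reputation list, so its priority is raised to the listed value) and alarmed (the same address is a pulse indicator); event 2 is alarmed through the IPv4 CIDR indicator without being enriched, since only an exact IP appears in the reputation list; event 3 is alarmed through the domain indicator. The IPv6 CIDR indicator is dropped at compile time to mirror the "CIDR (IPv4 only)" statement above, and enrichment runs independently of pulse matching, which mirrors the note that reputation data is updated separately from pulse information.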