In addition to the predefined threat intelligence feeds that your subscription offers, you can create custom lists (containing domains and IP addresses) to define allow lists and block lists for additional protection. You can use a custom list to complement existing feeds or to override the Block, Allow, Log, or Redirect action that is currently defined for an existing feed. By combining your own threat intelligence feeds, allow lists, and block lists with BloxOne Threat Defense Cloud, you can apply your own security policies. Each custom list can contain as many as 50,000 records, and BloxOne Threat Defense Cloud supports up to 500,000 records across all customer lists.

...

  • Threat Insight – Data Exfiltration: The default action for this policy is Log. This list helps minimize the risk of DNS data exfiltration that is brought upon your networks through DNS tunneling.
  • Threat Insight – Notional Data Exfiltration: This list includes low confidence DNS Tunnel detections. The default action for this policy is Allow with Log. This feed is displayed only if the Threat Insight – Data Exfiltration feed is enabled in your policy; in that case, the Threat Insight – Notional Data Exfiltration feed is listed directly below the Threat Insight – Data Exfiltration feed.
    Ideally, only high confidence DNS Tunnel detections should be blocked; these are listed in the existing Threat Insight – Data Exfiltration list. However, there are cases where you may want to be informed of even lower confidence tunnels in your network. You can change the default action of this list to Block based on your organization's sensitivity to these low confidence DNS tunnels.
  • Threat Insight – DNS Messenger: The default action for this policy is Log. This list helps minimize the risk of malicious activities that are brought upon your networks through the DNSMessenger malware, a Remote Access Trojan (RAT) that attackers use to run malicious PowerShell commands on compromised devices.
  • Threat Insight – Fast Flux: The default action for this policy is Log. This list helps minimize the risk of malicious activities that are brought upon your networks using the Fast Flux technique. Fast Flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind a network of compromised hosts acting as proxies. It can also be a combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery.
  • Threat Insight – DGA: The default action for this policy is Log. This list helps minimize the risk of malicious activities that are brought upon your networks using a Domain Generation Algorithm (DGA). A DGA is a scheme used by malware for domain fluxing: it generates variations of a given domain name. It can be used to create a large number of domain names that serve as rendezvous points with command and control servers, in an attempt to evade detection by signature filters, block lists, reputation systems, security gateways, intrusion prevention systems, and other security methods.
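
The following is an added illustration, not Infoblox code and not the Threat Insight detection logic: it uses a simplified length-and-entropy heuristic (an assumption) to sort constructed DNS query names into high and low confidence tunnel/DGA detections, then maps them to the feed default actions described above (Log for Data Exfiltration, Allow with Log for Notional Data Exfiltration), shows how an organization-chosen Block override for the notional tier changes the outcome, and lets a custom allow list take precedence over the feed action as the custom-list section describes. The function names and the "Allow" outcome for queries matching no feed are assumptions.

```python
import math
from collections import Counter

# Constructed sample of DNS query names (not real telemetry): benign lookups
# next to names shaped like DNS-tunnel / DGA traffic.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "a3f9c1e7b2d4f6a8c0e2b4d6f8a0c2e4b6d8f0a2c4e6b8d0f2a4c6e8.tunnel.example",
    "zq7x9k2m4p.cdn.example",
    "ab12cd34ef56ab12cd34ef56.exfil.example",
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def tunnel_confidence(qname: str) -> str:
    """Return 'high', 'low' or 'none' for a query name. Stand-in heuristic
    (assumption): score only the leftmost label by length and entropy."""
    label = qname.split(".")[0]
    ent = shannon_entropy(label)
    if len(label) >= 40 and ent >= 3.5:
        return "high"
    if len(label) >= 10 and ent >= 3.0:
        return "low"
    return "none"

def apply_policy(queries, custom_allow=(), data_exfil_action="Log",
                 notional_action="Allow with Log"):
    """Map each query name to the action the policy would take. The two
    action parameters default to the documented feed defaults; pass e.g.
    notional_action="Block" to model an override. custom_allow models a
    custom allow list, which overrides the feed action."""
    actions = {"high": data_exfil_action, "low": notional_action}
    result = {}
    for q in queries:
        parent = q.split(".", 1)[1] if "." in q else q
        if q in custom_allow or parent in custom_allow:
            result[q] = "Allow"  # custom list wins over the feed action
            continue
        result[q] = actions.get(tunnel_confidence(q), "Allow")  # assumption
    return result

if __name__ == "__main__":
    for q, a in apply_policy(SAMPLE_QUERIES, notional_action="Block").items():
        print(f"{a:15} {q}")
```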

...