threatER's Unexpected Blocks feature allows you to retrieve outbound Port 80 and 443 traffic logs from your Enforcer. The logs retrieved include the pertinent data to identify the problematic IP and make an informed decision on whether the IP should be allowed.
All Enforcers must be on at least Build 240 to access this new feature. After all the Enforcers are successfully updated to the new build, we strongly recommend you log out and log back into the threatER portal to ensure the previous cache is cleared.
Initiate Log Analysis
Log into the threatER Portal and navigate to Enforce > Unexpected Blocks. All end users can conduct the analysis, but only Master Admins and Admins can add the IP to the allow list.
Select a Date Range and the Enforcers you want to query logs on. The default selections are "Last 3 Hours" and "All Enforcers." Click Submit to start the analysis.
The length of time for results to return varies based on the parameters selected, as well as network activity/connection. The progress of your analysis is available on the Unexpected Blocks tab.
You can navigate away and perform other functions within the application while your analysis is processing, but if you log out or close your browser, your results will not complete.
Once your submitted query is complete, the log entries will display on the Unexpected Blocks tab. To view additional data in each entry, expand the row via the disclosure triangle in the far left column. By default, duplicate IPs are consolidated into groups, and the resulting IP groups are listed in descending chronological order.
The following data points are available in your initial view:
| Field Name | Description |
| --- | --- |
| Address Group | The IP and the number of unique events returned for that IP in the log set. Click on the copy icon to the right of the IP address to copy/paste the IP into IOC search or other log types. |
| Extended Info Icon | Clicking on this icon will display any additional information that is available for the IP, such as Reverse DNS, WHOIS, Country, ASN, etc. |
| Date | The first and last logged timestamp for the IP in the queried range |
| Enforcer(s) | The list of Enforcers that blocked the IP event set |
| Lists | The Block or Threat lists the IP was found on |
| Category \| Score \| Threshold | Available if the IP was on a Threat list. It will display the Threat Category(s), Threat Score(s) and Threshold(s) set in the outbound blocking policy. |
Address Group
To view the IP's child events, click on the chevron to the left of the IP address.
Each row will display the event-specific data for the individual timestamp. If you prefer viewing all Block Events by timestamp, click on the "Ungroup icon" and the table will display all events in reverse chronological order.
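The grouping described above (one address group per IP with its event count, first and last timestamp, the Enforcers involved and the lists it matched, ordered so the most recently seen IP comes first, plus the ungrouped reverse-chronological view) can be reproduced over an exported log with a few lines of Python. This is an added example, not code from threatER; the log line layout, the field names and the sample entries are assumptions constructed for the example, since the page does not show the export format.

```python
"""Group outbound Port 80/443 block events by destination IP, as the
Unexpected Blocks view does, and offer the ungrouped view as well.
The line format below is a constructed assumption, not threatER's format."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events (not real threatER output).
# Fields: timestamp, enforcer, destination IP, destination port, matching list.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z enforcer-hq 203.0.113.10 443 ThreatList:ProxyVPN
2024-03-01T10:05:40Z enforcer-hq 198.51.100.7 80 BlockList:Geo
2024-03-01T10:07:02Z enforcer-branch 203.0.113.10 443 ThreatList:ProxyVPN
2024-03-01T10:09:15Z enforcer-hq 203.0.113.10 443 ThreatList:FraudulentActivity
2024-03-01T10:11:30Z enforcer-branch 192.0.2.55 80 BlockList:ASN
2024-03-01T10:12:00Z enforcer-branch 192.0.2.55 8443 BlockList:ASN
"""


@dataclass
class BlockEvent:
    ts: datetime
    enforcer: str
    ip: str
    port: int
    source_list: str


@dataclass
class AddressGroup:
    """Roll-up of every event for one IP (the header row in the grouped view)."""
    ip: str
    events: list = field(default_factory=list)

    @property
    def count(self):
        return len(self.events)

    @property
    def first_seen(self):
        return min(e.ts for e in self.events)

    @property
    def last_seen(self):
        return max(e.ts for e in self.events)

    @property
    def enforcers(self):
        return sorted({e.enforcer for e in self.events})

    @property
    def lists(self):
        return sorted({e.source_list for e in self.events})


def parse_log(text):
    """Parse the constructed log format, keeping only outbound 80/443 traffic,
    which is the scope of the Unexpected Blocks feature."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, enforcer, ip, port, src = line.split()
        if int(port) not in (80, 443):
            continue
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(BlockEvent(stamp, enforcer, ip, int(port), src))
    return events


def group_by_ip(events):
    """One AddressGroup per IP, most recently seen IP first."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e.ip].append(e)
    groups = [AddressGroup(ip, evs) for ip, evs in buckets.items()]
    groups.sort(key=lambda g: g.last_seen, reverse=True)
    return groups


def ungrouped(events):
    """The 'Ungroup' view: every event, newest first."""
    return sorted(events, key=lambda e: e.ts, reverse=True)


if __name__ == "__main__":
    for g in group_by_ip(parse_log(SAMPLE_LOG)):
        print(g.ip, g.count, g.first_seen, g.last_seen, g.enforcers, g.lists)
```

The sort key is the group's last timestamp, so an IP blocked once a minute ago sorts above one blocked a hundred times an hour ago; the per-IP count and list roll-up are what you would use to decide which groups deserve the Extended Info lookup.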
Extended Info Icon
Click the info icon to see additional information on the IP. We will show the following information if available on the IP:
| Field Name | Description |
| --- | --- |
| Details | Details include the country of origin of the IP (Country Name), the autonomous system number associated with the IP (ASN Name) and any Allow Lists the IP was found on that may be of interest when determining a proper mitigation strategy. Although allow lists may display here, the fact that the IP appears in this log means the corresponding set of IP events was still blocked. |
| Reverse DNS | DNS lookup of a domain name from an IP address. Reverse DNS is not always available if the domain cannot be seen due to DNS encryption. |
| WHOIS | The "ownership" of the IP |
| WHOIS.EXTENDED | A secondary WHOIS source with additional data |
Additional Columns
In the Block Events table, we are also providing the ability to add the following columns:
| Field Name | Description |
| --- | --- |
| Acting Policy | The policy that blocked the IP. |
| Reason | The reason a connection was allowed or blocked. Reasons include Geo-blocking (Country), ASN, Block List, Threat List or Other (Policy). |
To add or remove these columns, click on the column icon at the top of the far-right column and then select the column(s) you would like included in the Block Events table.
Category | Score | Threshold
Related to the Threat List, this column will display the category(s), score(s) and threshold(s) set in the outbound blocking policy for that Threat Category. The header row will be a roll-up of all categories/scores/thresholds of the child events.
A warning icon will display next to Fraudulent Activity and Proxy/VPN if the threshold set on these categories is less than 97. Our threat intelligence has found that these two categories are the most likely source of unexpected blocks and setting these two categories to 97 can help alleviate issues you may be having with unexpected blocks.
Mitigation Strategies
When you have identified the IP that was being blocked, you can click on the Mitigate button in the far-right column. Mitigation can happen at the roll-up level, or at the individual event level.
You will be presented with up to 3 mitigation options. Only mitigation strategies relevant to the particular event or event set will be displayed, so you may see fewer than 3 options for a given IP set.
Mitigation options include:
- Adjust Thresholds
- Enable threatER Allow List
- Add IP to Allow List
Adjust Thresholds
The Adjust Thresholds option will be presented if the IP meets the following criteria:
- On a Threat list
- Categorized as Fraudulent Activity and/or Proxy/VPN
- Thresholds on the outbound blocking policy for either of these two categories is less than 97
If this is the desired mitigation strategy, click on Adjust.
The outbound policies that blocked the IP will be selected by default. All other policies are also available to select. Once the desired policy selections are made, click on the Adjust button. A confirmation modal will then display.
The Fraudulent Activity and Proxy/VPN category thresholds will now be set to 97 on the applicable policy(s) and enforced accordingly.
Enable threatER Allow List
If the IP is on any of threatER's out-of-the-box Allow lists, this option will be presented, as well as the names of the lists the IP was included on. An additional note will display if any of these lists are a CDN list.
If this list is the desired mitigation strategy, click on Enable.
Select the Allow List(s) you would like to enable. The outbound policies that blocked the IP will be selected by default. All other policies are also available to select. Once the desired policy selections are made, click on the Enable button. A confirmation modal will then display.
The IP is now added to the selected Allow list(s) and will be enforced by the policy(s) that are assigned to the lists.
Add IP to (Manual) Allow List
This mitigation option gives you the flexibility to set an expiration date or remove the IP from your manual allow list(s) at a later date.
If this is the desired mitigation strategy, click on Add.
Select the Allow list(s) that should host the IP. The colored pips next to the Allow list names indicate the following:
| Color | Description |
| --- | --- |
| Green | The list is enforced by the policy that blocked the IP address. Adding the IP to this list will allow it through the networks enforced by this policy. |
| Grey | The list is not enforced by the policy that blocked the IP address. If the IP is added to this list, it will be allowed on the networks enforced by the policies that do use this list. |
| Red | The list is not enforced by any of your policies. If the IP is added to this list, it will continue to be blocked. |
Make any necessary edits to the IP entry. Below is the default for each field:
| Field | Default / Description |
| --- | --- |
| Maskbits | Default is 32. |
| Description | Default is "Added by Unexpected Blocks." It is recommended that you update the description to something meaningful or memorable, for example "espn.com - requested access by user A". |
| Expiration | Default is "Never". It is recommended that you time-bound allow-list additions if feasible. |
Click the "Add" button to finalize the request. The IP is now added to the selected Allow lists and will be enforced by the policy(s) to which those lists are assigned.
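The decision logic spread across the mitigation sections above (when each of the three options is offered, what Adjust Thresholds changes, and how the green/grey/red pips are derived from which policies enforce a given allow list) is small enough to write down as code, which makes it easy to check a policy set for the under-97 warning condition before anything is blocked. This is an added example and not threatER code; the Policy and IpSummary structures, their field names and the sample values are assumptions constructed for the example.

```python
"""Mitigation-option eligibility, the Adjust Thresholds action and the
allow-list pip colours, as described for the Unexpected Blocks feature.
Data structures are assumptions for this example, not threatER's model."""
from dataclasses import dataclass, field

THRESHOLD_TARGET = 97  # value the Adjust Thresholds action sets
SENSITIVE_CATEGORIES = ("Fraudulent Activity", "Proxy/VPN")


@dataclass
class Policy:
    name: str
    thresholds: dict                               # threat category -> threshold
    allow_lists: set = field(default_factory=set)  # allow lists this policy enforces


@dataclass
class IpSummary:
    """What the Unexpected Blocks roll-up row tells us about one IP (assumed shape)."""
    ip: str
    on_threat_list: bool
    categories: set            # threat categories the IP was scored in
    blocking_policies: set     # names of the outbound policies that blocked it
    builtin_allow_lists: set   # threatER out-of-the-box allow lists containing the IP


def threshold_warnings(policy):
    """Categories that get the warning icon: Fraudulent Activity or Proxy/VPN below 97."""
    return [c for c in SENSITIVE_CATEGORIES
            if policy.thresholds.get(c, THRESHOLD_TARGET) < THRESHOLD_TARGET]


def mitigation_options(summary, policies):
    """Return the options the Mitigate button would present for this IP."""
    blocking = [p for p in policies if p.name in summary.blocking_policies]
    options = []
    # Adjust Thresholds: on a Threat list, in a sensitive category, and a
    # blocking policy has that category's threshold under 97.
    if (summary.on_threat_list
            and summary.categories & set(SENSITIVE_CATEGORIES)
            and any(threshold_warnings(p) for p in blocking)):
        options.append("Adjust Thresholds")
    # Enable threatER Allow List: only if the IP is on an out-of-the-box list.
    if summary.builtin_allow_lists:
        options.append("Enable threatER Allow List")
    # Adding to a manual allow list is always possible.
    options.append("Add IP to Allow List")
    return options


def adjust_thresholds(policies, selected_names):
    """Set both sensitive categories to 97 on the selected policies."""
    for p in policies:
        if p.name in selected_names:
            for c in SENSITIVE_CATEGORIES:
                p.thresholds[c] = THRESHOLD_TARGET
    return policies


def pip_color(allow_list, summary, policies):
    """green: enforced by a blocking policy; grey: enforced only by other
    policies; red: enforced by no policy, so the IP stays blocked."""
    enforcing = {p.name for p in policies if allow_list in p.allow_lists}
    if not enforcing:
        return "red"
    if enforcing & summary.blocking_policies:
        return "green"
    return "grey"


if __name__ == "__main__":
    # Constructed sample data, not real policies.
    pols = [Policy("Outbound-HQ", {"Fraudulent Activity": 80, "Proxy/VPN": 90}, {"Manual-HQ"}),
            Policy("Outbound-Branch", {"Fraudulent Activity": 97, "Proxy/VPN": 97}, {"Manual-Branch"})]
    ip = IpSummary("203.0.113.10", True, {"Proxy/VPN"}, {"Outbound-HQ"}, {"CDN-Example"})
    print(mitigation_options(ip, pols))
    print({name: pip_color(name, ip, pols) for name in ("Manual-HQ", "Manual-Branch", "Unused")})
```

Running `threshold_warnings` over every outbound policy is the proactive version of the warning icon: it lists the policies that will keep producing Fraudulent Activity and Proxy/VPN unexpected blocks until their thresholds are raised.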