Advanced Threat policy
The Advanced Threat policy defines how the Network Security appliance quarantines traffic. The policy uses alert information that is supplied by external agents.
You can configure the Advanced Threat policy by adding one or more quarantine response objects to Advanced Threat policy rules.
The appliance translates an alert from an external agent into a set of active quarantine rules. The translation is based on matching the following aspects of the alert:
- Agent Type
- Alert Type
- Alert Severity
Note: For the appliance to receive alerts from an ATP agent, you must configure the agent on the Advanced Threat Protection Agents page.
Quarantine response objects define aspects of network traffic in an alert that the sending agent considers compromised, untrusted, or vulnerable. Using these defined aspects of network traffic, the system creates active quarantine rules to block network traffic for a specified amount of time. The system can use these active quarantine rules to block the following types of traffic:
- Traffic that is going to or coming from a particular host
- Traffic that is going to or coming from a particular port
- Traffic that is going to or coming from any combination of hosts and ports
- Traffic that is going to a particular URL
The system applies active quarantine rules to quarantine network traffic based on the following alert attributes:
- Victim IP
- Victim Port
- Intruder IP
- Intruder Port
- URL
Note: The Rate Limit and Issue ID attributes that are defined within intrusion type quarantine objects are not used in the context of the Advanced Threat policy.
In an Advanced Threat policy rule, you can define custom quarantine response objects or use predefined, read-only quarantine objects.
The following quarantine response objects are predefined:
- ATP-Compromise-Host
- ATP-Exposure-Endpoint
- ATP-Exposure-Host
- ATP-Intrusion-DDOS
- ATP-Intrusion-Intruder
- ATP-Intrusion-Origin
- ATP-Intrusion-Trojan
- ATP-Intrusion-Worm
- ATP-Malware-Intruder
- ATP-Malware-URI
- ATP-Malware-Victim
- ATP-Reputation-Host
- ATP-Reputation-URL
Processing principles
- Alerts that are received from an agent are matched on the unique combination of agent type, alert type, and alert severity. Within the set of rules, only one rule can match a particular combination, so a given alert is handled by at most one rule.
- When an alert matches a rule, the system uses each associated quarantine response object to create a separate active quarantine rule.
- The system enforces each active quarantine rule for the duration that is specified in the quarantine response object that was used to create the rule.
Note: You can delete an active quarantine rule after you investigate the security event that led to its creation. If you do not delete the rule, it expires at the end of the duration that is specified in the quarantine response object, and the system deletes it.
Example: A configured QRadar agent sends an alert to the Network Security appliance. The alert specifies a type of Compromise, a severity of High, and a host IP of 1.2.3.4. The appliance matches this alert to the rule in your Advanced Threat policy that specifies the following information:
- Agent Type: QRadar
- Alert Type: Compromise
- Alert Severity: High
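The processing principles and the QRadar example above, modelled in Python as an added illustration (this is not the appliance's code). The class and function names (AdvancedThreatPolicy, Flow, blocking_rule), the wildcard treatment of an unset IP or port, reading the example's "host IP" as the Victim IP, and skipping a response object that yields no attributes are all assumptions made for the example; the sample alerts and flows are constructed.

```python
"""Toy model of Advanced Threat policy processing: an alert is matched on
(agent type, alert type, severity) and each quarantine response object on the
matching rule becomes one time-limited active quarantine rule."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Alert attributes a quarantine response object may copy into an active rule.
ATTRS = ("victim_ip", "victim_port", "intruder_ip", "intruder_port", "url")

@dataclass(frozen=True)
class QuarantineResponse:
    name: str                  # e.g. the predefined ATP-Compromise-Host
    duration: int              # seconds the resulting active rule is enforced
    uses: Tuple[str, ...]      # subset of ATTRS to copy from the alert

@dataclass(frozen=True)
class Alert:
    agent_type: str
    alert_type: str
    severity: str
    victim_ip: Optional[str] = None
    victim_port: Optional[int] = None
    intruder_ip: Optional[str] = None
    intruder_port: Optional[int] = None
    url: Optional[str] = None

@dataclass(frozen=True)
class Flow:                    # assumed shape of the traffic being inspected
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    url: Optional[str] = None  # requested URL for HTTP traffic, else None

@dataclass
class ActiveRule:
    created_by: str            # name of the quarantine response object
    expires_at: float
    victim_ip: Optional[str] = None
    victim_port: Optional[int] = None
    intruder_ip: Optional[str] = None
    intruder_port: Optional[int] = None
    url: Optional[str] = None

class AdvancedThreatPolicy:
    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str, str], List[QuarantineResponse]] = {}
        self.active: List[ActiveRule] = []

    def add_rule(self, agent_type: str, alert_type: str, severity: str,
                 responses: List[QuarantineResponse]) -> None:
        key = (agent_type, alert_type, severity)
        if key in self.rules:  # only one rule may match a given combination
            raise ValueError(f"duplicate Advanced Threat policy rule for {key}")
        if any(not set(r.uses) <= set(ATTRS) for r in responses):
            raise ValueError("quarantine response object uses an unknown attribute")
        self.rules[key] = list(responses)

    def receive_alert(self, alert: Alert, now: float) -> List[ActiveRule]:
        """Translate an alert into active rules, one per quarantine response object."""
        key = (alert.agent_type, alert.alert_type, alert.severity)
        created: List[ActiveRule] = []
        for resp in self.rules.get(key, []):
            attrs = {a: getattr(alert, a) for a in resp.uses if getattr(alert, a) is not None}
            if not attrs:      # assumption: an unconstrained rule would block everything
                continue
            rule = ActiveRule(resp.name, now + resp.duration, **attrs)
            self.active.append(rule)
            created.append(rule)
        return created

    def delete_rule(self, rule: ActiveRule) -> None:  # manual removal after investigation
        self.active.remove(rule)

    def expire(self, now: float) -> None:
        """Drop rules whose duration has elapsed, as the appliance does itself."""
        self.active = [r for r in self.active if r.expires_at > now]

    def blocking_rule(self, flow: Flow, now: float) -> Optional[ActiveRule]:
        """Return the active rule that quarantines this flow, or None if it passes."""
        self.expire(now)
        return next((r for r in self.active if _matches(r, flow)), None)

def _endpoint(ip: Optional[str], port: Optional[int], f_ip: str, f_port: int) -> bool:
    # An unset IP or port is a wildcard, so a host-only rule covers every port.
    return (ip is None or ip == f_ip) and (port is None or port == f_port)

def _matches(r: ActiveRule, f: Flow) -> bool:
    if r.url is not None and f.url != r.url:
        return False
    # Victim on one side and intruder on the other, in either direction, so
    # traffic both to and from a quarantined host is caught.
    to_victim = (_endpoint(r.victim_ip, r.victim_port, f.dst_ip, f.dst_port)
                 and _endpoint(r.intruder_ip, r.intruder_port, f.src_ip, f.src_port))
    from_victim = (_endpoint(r.victim_ip, r.victim_port, f.src_ip, f.src_port)
                   and _endpoint(r.intruder_ip, r.intruder_port, f.dst_ip, f.dst_port))
    return to_victim or from_victim
```

With a rule for (QRadar, Compromise, High) that carries ATP-Compromise-Host, the example alert for host 1.2.3.4 produces one active rule that blocks traffic in both directions for that host on any port, until the rule is deleted by an analyst or its duration elapses. The duplicate-key check in add_rule is what makes "only one match per combination" hold, and a response object that combines Intruder IP with Victim Port blocks only flows between that intruder and that port, which is the "combination of hosts and ports" case.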