Advanced Threat policy

The Advanced Threat policy defines how the Network Security appliance quarantines traffic. The policy uses alert information that is supplied by external agents.

You can configure the Advanced Threat policy by adding one or more quarantine response objects to Advanced Threat policy rules.

The appliance translates an alert from an external agent into a set of active quarantine rules. This translation is based on matches for the following aspects of the alert:
  • Agent Type
  • Alert Type
  • Alert Severity

Note: For the appliance to receive alerts from an ATP agent, you must configure the agent on the Advanced Threat Protection Agents page.

Quarantine response objects define aspects of network traffic in an alert that the sending agent considers compromised, untrusted, or vulnerable. Using these defined aspects of network traffic, the system creates active quarantine rules to block network traffic for a specified amount of time. The system can use these active quarantine rules to block the following types of traffic:

  • Traffic that is going to or coming from a particular host
  • Traffic that is going to or coming from a particular port
  • Traffic that is going to or coming from any combination of hosts and ports
  • Traffic that is going to a particular URL

The system applies active quarantine rules to quarantine network traffic based on the following alert attributes:
  • Victim IP
  • Victim Port
  • Intruder IP
  • Intruder Port
  • URL

Note: The attributes Rate Limit and Issue ID that are defined within intrusion-type quarantine response objects are not used in the context of the Advanced Threat policy.

In an Advanced Threat policy rule, you can define custom quarantine response objects or use predefined, read-only quarantine objects. The following quarantine response objects are predefined:
  • ATP-Compromise-Host
  • ATP-Exposure-Endpoint
  • ATP-Exposure-Host
  • ATP-Intrusion-DDOS
  • ATP-Intrusion-Intruder
  • ATP-Intrusion-Origin
  • ATP-Intrusion-Trojan
  • ATP-Intrusion-Worm
  • ATP-Malware-Intruder
  • ATP-Malware-URI
  • ATP-Malware-Victim
  • ATP-Reputation-Host
  • ATP-Reputation-URL

Processing principles

  • Alerts that are received from an agent are matched on a unique combination of aspects. Only one match is possible for a particular agent type, alert type, and alert severity combination within the set of rules that can be matched.
  • When an alert matches a rule, the system uses each associated quarantine response object to create a separate active quarantine rule.
  • The system enforces each active quarantine rule for the duration that is specified in the quarantine response object that was used to create the rule.
    Note: You can delete an active quarantine rule after you investigate the security event that led to the creation of the rule. If you do not delete a rule, the rule expires at the end of the duration that is specified in the quarantine response object and the system deletes it.

Example: An alert is sent by a configured QRadar agent to the Network Security appliance. The alert specifies a type of Compromise, severity of High, and a host IP of 1.2.3.4. The appliance matches this alert to the rule in your Advanced Threat policy that specifies the following information:
  • Agent Type: QRadar
  • Alert Type: Compromise
  • Alert Severity: High
The appliance refers to the default quarantine response object that is associated with the matched rule (ATP-Compromise-Host). The default quarantine response object defines the duration and the network information in the alert to block. An active quarantine rule is generated that specifies that the system block network traffic from the host IP address 1.2.3.4 for a duration of 60 minutes. All network traffic from the host IP address 1.2.3.4 is blocked for 60 minutes.
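The matching and expiry flow described above, as an added Python model that is not the appliance's own code; the alert attribute names (victim_ip, url, and so on), the minute-based clock, and the either-direction host and port matching are assumptions made for the example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class QuarantineResponse:
    name: str
    block_on: tuple   # alert attributes to block on, e.g. ("intruder_ip", "intruder_port")
    duration_min: int

@dataclass
class ActiveQuarantineRule:
    response: str
    criteria: dict    # alert attribute -> value copied from the alert
    expires_min: int  # absolute time (minutes) at which the rule is deleted

    def blocks(self, traffic: dict) -> bool:
        # Hosts and ports match in either direction; a URL matches the destination only.
        for attr, value in self.criteria.items():
            if attr.endswith("_ip") and value not in (traffic.get("src_ip"), traffic.get("dst_ip")):
                return False
            if attr.endswith("_port") and value not in (traffic.get("src_port"), traffic.get("dst_port")):
                return False
            if attr == "url" and traffic.get("url") != value:
                return False
        return True

class AdvancedThreatPolicy:
    def __init__(self):
        self.rules = {}    # (agent_type, alert_type, severity) -> [QuarantineResponse]
        self.active = []   # active quarantine rules
    def add_rule(self, agent_type, alert_type, severity, responses):
        key = (agent_type, alert_type, severity)
        if key in self.rules:   # only one rule may match a given combination
            raise ValueError(f"a rule for {key} already exists")
        self.rules[key] = list(responses)
    def receive_alert(self, alert: dict, now_min: int) -> list:
        key = (alert["agent_type"], alert["alert_type"], alert["severity"])
        created = []
        for resp in self.rules.get(key, []):   # one active rule per response object
            criteria = {a: alert[a] for a in resp.block_on if a in alert}
            if criteria:
                rule = ActiveQuarantineRule(resp.name, criteria, now_min + resp.duration_min)
                self.active.append(rule)
                created.append(rule)
        return created
    def is_blocked(self, traffic: dict, now_min: int) -> bool:
        self.active = [r for r in self.active if now_min < r.expires_min]  # expire old rules
        return any(r.blocks(traffic) for r in self.active)
```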