Risk Intelligence
Risk Intelligence provides centralized management of entity risk classifications. It enables SOC teams to maintain curated lists of trusted, monitored, blocked, and known-threat entities for use across detection rules, playbooks, and alert correlation.
List Types
Whitelist (Trusted Entities)
Entities that are known-good and should be excluded from alert generation:
- Internal infrastructure IPs and domains
- Trusted third-party services (CDN, SaaS providers)
- Authorized scanning tools and security services
- Known-safe file hashes (system binaries, approved software)
Watchlist (Monitored Entities)
Entities under active monitoring that require enhanced logging:
- Employees on notice period or with access to sensitive data
- Recently onboarded vendors with elevated access
- IPs from regions with elevated threat levels
- Domains associated with shadow IT
Blocklist (Blocked Entities)
Entities that are actively blocked at perimeter and endpoint:
- Known malicious IPs from threat intelligence feeds
- Phishing and malware distribution domains
- Command & control infrastructure
- Banned file hashes (malware, unauthorized tools)
Threatlist (Known Threats)
Entities confirmed as threats through investigation:
- APT group infrastructure documented from past incidents
- Confirmed C2 servers from internal investigations
- Compromised credentials discovered through breach monitoring
- IOCs from completed incident investigations
Features
- Bulk Import/Export: Upload CSV files to populate lists, export for backup or sharing
- Expiration Dates: Set automatic expiry on entries (e.g., 30-day watchlist for departing employee)
- Audit Trail: All additions, modifications, and removals are logged
- API Integration: Lists are queryable via the REST API for integration with external tools
- Detection Rule Integration: Lists can be referenced in detection rule conditions
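The following is an added example, not the product's own code or API: a small in-memory model of the four list types with expiration dates, an audit trail, CSV import/export, and the lookup a detection rule condition would call. The CSV column names (`entity,list_type,reason,expires_at`), the precedence rule when an entity sits on more than one list (threatlist over blocklist over watchlist over whitelist, so a confirmed threat is never silenced by a stale whitelist entry), the action names, and the sample rows are all assumptions made for illustration.

```python
# Added example (not the product's own code): an in-memory model of risk
# intelligence lists with expiry, audit logging, CSV import/export and a
# detection-rule lookup. Column names, precedence and actions are assumed.
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class ListType(str, Enum):
    WHITELIST = "whitelist"    # trusted: suppress alerts
    WATCHLIST = "watchlist"    # monitored: alert with enhanced logging
    BLOCKLIST = "blocklist"    # blocked at perimeter and endpoint
    THREATLIST = "threatlist"  # confirmed threat from an investigation


# Higher value wins when an entity is on several lists (assumed policy).
PRECEDENCE = {ListType.WHITELIST: 1, ListType.WATCHLIST: 2,
              ListType.BLOCKLIST: 3, ListType.THREATLIST: 4}

# Action a detection rule takes per classification (assumed names).
ACTIONS = {None: "default", ListType.WHITELIST: "suppress",
           ListType.WATCHLIST: "alert_enhanced",
           ListType.BLOCKLIST: "alert_high", ListType.THREATLIST: "alert_high"}


@dataclass(frozen=True)
class Entry:
    entity: str                 # IP, domain, file hash or user name
    list_type: ListType
    reason: str
    expires_at: Optional[datetime] = None  # None means the entry never expires

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


class RiskIntelligence:
    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, ListType], Entry] = {}
        # Audit trail rows: (timestamp, action, actor, entity, list type)
        self.audit: List[Tuple[datetime, str, str, str, str]] = []

    def _log(self, action: str, e: Entry, actor: str, now: datetime) -> None:
        self.audit.append((now, action, actor, e.entity, e.list_type.value))

    def add(self, entry: Entry, actor: str, now: datetime) -> None:
        key = (entry.entity.lower(), entry.list_type)
        self._log("modify" if key in self._entries else "add", entry, actor, now)
        self._entries[key] = entry

    def remove(self, entity: str, lt: ListType, actor: str, now: datetime) -> bool:
        entry = self._entries.pop((entity.lower(), lt), None)
        if entry is None:
            return False
        self._log("remove", entry, actor, now)
        return True

    def import_csv(self, text: str, actor: str, now: datetime) -> int:
        """Bulk import. Columns: entity,list_type,reason,expires_at (ISO 8601 or blank)."""
        count = 0
        for row in csv.DictReader(io.StringIO(text)):
            expires = row["expires_at"].strip() or None
            self.add(Entry(row["entity"].strip(),
                           ListType(row["list_type"].strip().lower()),
                           row["reason"].strip(),
                           datetime.fromisoformat(expires) if expires else None),
                     actor, now)
            count += 1
        return count

    def export_csv(self) -> str:
        buf = io.StringIO()
        w = csv.writer(buf, lineterminator="\n")
        w.writerow(["entity", "list_type", "reason", "expires_at"])
        for e in self._entries.values():
            w.writerow([e.entity, e.list_type.value, e.reason,
                        e.expires_at.isoformat() if e.expires_at else ""])
        return buf.getvalue()

    def classify(self, entity: str, now: datetime) -> Optional[ListType]:
        """Highest-precedence list the entity is on, ignoring expired entries."""
        active = [e.list_type for (ent, _), e in self._entries.items()
                  if ent == entity.lower() and e.is_active(now)]
        return max(active, key=PRECEDENCE.__getitem__) if active else None

    def evaluate(self, entity: str, now: datetime) -> str:
        """What a detection rule condition does with an event on this entity."""
        return ACTIONS[self.classify(entity, now)]


# Constructed sample data for the demo; values are illustrative only.
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)
SAMPLE_CSV = """entity,list_type,reason,expires_at
10.0.0.5,whitelist,internal vulnerability scanner,
jdoe,watchlist,employee on notice period (30 days),2024-03-02T00:00:00+00:00
203.0.113.7,blocklist,threat intelligence feed,
c2.example,threatlist,confirmed C2 from a closed incident,
"""


def run_demo() -> Dict[str, object]:
    ri = RiskIntelligence()
    imported = ri.import_csv(SAMPLE_CSV, actor="analyst", now=NOW)
    # A stale whitelist entry must not override the confirmed threat.
    ri.add(Entry("c2.example", ListType.WHITELIST, "stale entry"), "analyst", NOW)
    return {
        "imported": imported,
        "scanner": ri.evaluate("10.0.0.5", NOW),
        "jdoe_now": ri.evaluate("jdoe", NOW),
        "jdoe_after_expiry": ri.evaluate("jdoe", NOW + timedelta(days=30)),
        "blocked_ip": ri.evaluate("203.0.113.7", NOW),
        "c2_despite_whitelist": ri.evaluate("c2.example", NOW),
        "unknown": ri.evaluate("198.51.100.9", NOW),
        "audit_actions": [row[1] for row in ri.audit],
        "export_lines": ri.export_csv().count("\n"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The lookup is keyed on the lowercased entity so that `C2.EXAMPLE` and `c2.example` resolve to the same entry, and expiry is checked at evaluation time rather than by deleting rows, so the audit trail still shows who added an entry after it has lapsed.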
Access Requirements
Risk Intelligence requires the Respond (MDR) tier or above.