Risk Intelligence

Risk Intelligence provides centralized management of entity risk classifications. It lets SOC teams maintain curated lists of trusted, monitored, blocked, and confirmed-threat entities (IPs, domains, file hashes, credentials) for use in detection rules, playbooks, and alert correlation.

List Types

Whitelist (Trusted Entities)

Entities that are known-good and are excluded from alert generation. Keep entries as narrow as the use case allows (a single host, domain, or hash rather than a broad range), since anything on this list is invisible to detection for as long as it stays there:

  • Internal infrastructure IPs and domains
  • Trusted third-party services (CDN, SaaS providers)
  • Authorized scanning tools and security services
  • Known-safe file hashes (system binaries, approved software)

Watchlist (Monitored Entities)

Entities under active monitoring that require enhanced logging:

  • Employees serving a notice period or holding access to sensitive data
  • Recently onboarded vendors with elevated access
  • IPs from regions with elevated threat levels
  • Domains associated with shadow IT

Blocklist (Blocked Entities)

Entities that are actively blocked at the perimeter and on endpoints:

  • Known malicious IPs from threat intelligence feeds
  • Phishing and malware distribution domains
  • Command & control infrastructure
  • Banned file hashes (malware, unauthorized tools)

Threatlist (Known Threats)

Entities confirmed as threats through investigation:

  • APT group infrastructure documented from past incidents
  • Confirmed C2 servers from internal investigations
  • Compromised credentials discovered through breach monitoring
  • IOCs from completed incident investigations

Features

  • Bulk Import/Export: Upload CSV files to populate lists, and export lists for backup or sharing
  • Expiration Dates: Set automatic expiry on entries (e.g., 30-day watchlist for departing employee)
  • Audit Trail: All additions, modifications, and removals are logged
  • API Integration: Lists are queryable via the REST API for integration with external tools
  • Detection Rule Integration: Lists can be referenced in detection rule conditions
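The following is an added example, written for this page rather than taken from the product, of how a detection pipeline consumes the four list types described above together with the expiry and audit features: a small in-memory model that imports entries from CSV, ignores expired entries, matches IPs against CIDR ranges, domains against suffixes, and hashes exactly, and turns the set of matching lists into a verdict. The CSV columns, the sample entries, the `RiskLists`/`Entry` names, and the verdict precedence (a blocklist or threatlist hit still alerts when the entity is also whitelisted, so the conflict is surfaced instead of silently suppressed) are all assumptions; the product's real REST API and import schema are not shown on the page.

```python
"""Added example: in-memory model of Risk Intelligence lists as consulted by a
detection rule. Not the product's code; CSV layout, names and precedence are assumed."""
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

LIST_TYPES = ("whitelist", "watchlist", "blocklist", "threatlist")

# Constructed sample import file (assumed schema; the page does not give the real one).
SAMPLE_CSV = """list_type,entity_type,value,expires_at,note
whitelist,ip,10.0.0.0/8,,internal ranges
whitelist,domain,cdn.example.net,,trusted CDN (subdomains match too)
watchlist,ip,203.0.113.0/24,2024-02-01T00:00:00+00:00,new vendor egress under 30-day review
blocklist,domain,login-update.example.com,,phishing landing page from a feed
threatlist,hash,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,placeholder SHA-256 from a closed investigation
"""


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building timezone-aware timestamps in examples and tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Entry:
    list_type: str
    entity_type: str  # "ip" (single address or CIDR), "domain", or "hash"
    value: str
    expires_at: Optional[datetime]
    note: str

    def active(self, now: datetime) -> bool:
        # Expired entries are kept for the audit trail but never match.
        return self.expires_at is None or now < self.expires_at

    def matches(self, entity_type: str, value: str) -> bool:
        if entity_type != self.entity_type:
            return False
        if entity_type == "ip":
            return ipaddress.ip_address(value) in ipaddress.ip_network(self.value, strict=False)
        if entity_type == "domain":
            v, e = value.lower().rstrip("."), self.value.lower().rstrip(".")
            return v == e or v.endswith("." + e)  # suffix match covers subdomains
        return value.lower() == self.value.lower()  # hashes: exact, case-insensitive


class RiskLists:
    def __init__(self) -> None:
        self.entries: list = []
        self.audit: list = []  # (timestamp, actor, action, list_type, value)

    def add(self, entry: Entry, actor: str, now: datetime) -> None:
        if entry.list_type not in LIST_TYPES:
            raise ValueError(f"unknown list type {entry.list_type!r}")
        self.entries.append(entry)
        self.audit.append((now.isoformat(), actor, "add", entry.list_type, entry.value))

    def remove(self, list_type: str, value: str, actor: str, now: datetime) -> int:
        before = len(self.entries)
        self.entries = [e for e in self.entries if not (e.list_type == list_type and e.value == value)]
        removed = before - len(self.entries)
        if removed:
            self.audit.append((now.isoformat(), actor, "remove", list_type, value))
        return removed

    def import_csv(self, text: str, actor: str, now: datetime) -> int:
        count = 0
        for row in csv.DictReader(io.StringIO(text)):
            exp = datetime.fromisoformat(row["expires_at"]) if row["expires_at"] else None
            self.add(Entry(row["list_type"], row["entity_type"], row["value"], exp, row["note"]), actor, now)
            count += 1
        return count

    def hits(self, entity_type: str, value: str, now: datetime) -> set:
        """All list types with an active entry matching this entity."""
        return {e.list_type for e in self.entries if e.active(now) and e.matches(entity_type, value)}


def verdict(hits: set) -> str:
    """Assumed precedence: confirmed threats and blocklist hits always alert; a whitelist
    entry for the same entity is reported as a conflict rather than suppressing the alert."""
    if "threatlist" in hits or "blocklist" in hits:
        if "whitelist" in hits:
            return "alert:conflict"
        return "alert:threat" if "threatlist" in hits else "alert:blocked"
    if "whitelist" in hits:
        return "suppress"
    if "watchlist" in hits:
        return "log:enhanced"
    return "none"


def evaluate(lists: RiskLists, entity_type: str, value: str, now: datetime) -> str:
    return verdict(lists.hits(entity_type, value, now))


def demo() -> RiskLists:
    lists = RiskLists()
    lists.import_csv(SAMPLE_CSV, actor="soc-analyst", now=utc(2024, 1, 10))
    return lists


if __name__ == "__main__":
    lists = demo()
    for kind, val, when in [("ip", "10.20.30.40", utc(2024, 3, 1)),
                            ("ip", "203.0.113.7", utc(2024, 1, 15)),
                            ("ip", "203.0.113.7", utc(2024, 3, 1)),
                            ("domain", "login-update.example.com", utc(2024, 3, 1))]:
        print(kind, val, when.date(), "->", evaluate(lists, kind, val, when))
```

The watchlist entry carries an expiry, so the same source IP yields `log:enhanced` in January and `none` in March without anyone editing the list; every import, addition, and removal lands in `audit`, which is what an external tool would pull over the REST API for review.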

Access Requirements

Risk Intelligence requires the Respond (MDR) tier or above.