Security Threat Content Application
The Security Threat Content application on the IBM Security App Exchange contains rules, building blocks, and custom properties that are intended for use with X-Force feed data.
The X-Force data includes a list of potentially malicious IP addresses and URLs, each with a corresponding threat score. You use the X-Force rules to automatically flag any security event or network activity data that involves those addresses, and to prioritize the resulting incidents before you begin to investigate them.
The following list shows examples of the types of incidents that you can identify by using the X-Force rules:
- when the [source IP|destination IP|any IP] is part of any of the following [remote network locations]
- when [this host property] is categorized by X-Force as [Anonymization Servers|Botnet C&C|DynamicIPs|Malware|ScanningIPs|Spam] with confidence value [equal to] [this amount]
- when [this URL property] is categorized by X-Force as [Gambling|Auctions|Job Search|Alcohol|Social Networking|Dating]
JSA downloads approximately 30 MB of IP reputation data per day when you enable the X-Force Threat Intelligence feed for use with the Security Threat Content application.
Installing the Security Threat Content Application
The Security Threat Content application contains JSA content, such as rules, building blocks, and custom properties, that are designed specifically for use with X-Force data. The enhanced content can help you to identify and to remediate undesirable activity in your environment before it threatens the stability of your network.
Download the Security Threat Content application from the IBM Security App Exchange https://exchange.xforce.ibmcloud.com/hub.
To use X-Force data in JSA rules, offenses, and events, you must configure JSA to automatically load data from the X-Force servers to your JSA appliance.
To load X-Force data locally, enable the X-Force Threat Intelligence feed in the system settings. If new information is available when X-Force starts, the IP address reputation or URL database is updated. These updates are merged into their own databases and the content is replicated from the JSA console to all managed hosts in the deployment.
The X-Force rules are visible in the product even if the Security Threat Content application is later uninstalled.
- On the navigation menu, click Admin to open the Admin tab.
- In the System Configuration section, click Extensions Management.
- Upload the Security Threat Content application to the JSA console by following these steps:
  - Click Browse and browse to find the extension.
  - Click Install immediately to install the extension without viewing the contents.
- To view the contents of the extension, select it from the extensions list and click More Details.
- To install the extension, follow these steps:
  - Select the extension from the list and click Install.
  - If the extension does not include a digital signature, or it is signed but the signature is not associated with the JSA Security certificate authority (CA), you must confirm that you still want to install it. Click Install to proceed with the installation.
  - Review the changes that the installation makes to the system.
  - Select Overwrite or Keep existing data to specify how to handle existing content items.
  - Review the installation summary and click OK.
The rules appear under the Threats group in the Rules List window. They must be enabled before they can be used.
Enable the X-Force Threat Intelligence feed so that you can use the X-Force rules or add X-Force functions to AQL searches. For more information, see Enabling the X-Force Threat Intelligence Feed.
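As an added example, not part of the original page or the Security Threat Content application, the same checks that the X-Force rule tests above express, written as two separate AQL searches with the QRadar/JSA X-Force functions XFORCE_IP_CATEGORY, XFORCE_IP_CONFIDENCE and XFORCE_URL_CATEGORY. The 'Malware' category string, the confidence threshold of 50, and the `url` custom event property are assumptions; adjust them to your environment.

```sql
-- Search 1: source addresses that X-Force places in the Malware category with a
-- confidence of at least 50 (threshold is an assumption; tune it for your site),
-- counted per address so the noisiest offenders sort to the top for triage.
SELECT sourceip,
       XFORCE_IP_CATEGORY(sourceip) AS xf_categories,
       XFORCE_IP_CONFIDENCE('Malware', sourceip) AS malware_confidence,
       COUNT(*) AS event_count
FROM events
WHERE XFORCE_IP_CONFIDENCE('Malware', sourceip) >= 50
GROUP BY sourceip
ORDER BY event_count DESC
LAST 24 HOURS

-- Search 2: X-Force URL categories for URLs seen in events, the counterpart of the
-- "[this URL property] is categorized by X-Force as ..." rule test.
-- 'url' is assumed to be a custom event property populated by your log sources.
SELECT url,
       XFORCE_URL_CATEGORY(url) AS url_categories,
       COUNT(*) AS event_count
FROM events
WHERE url IS NOT NULL
GROUP BY url
ORDER BY event_count DESC
LAST 24 HOURS
```

Both searches return no rows until the X-Force Threat Intelligence feed is enabled and the reputation database has been loaded on the console.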