IBM Security Threat Content Application
The X-Force data includes a list of potentially malicious IP addresses and URLs with a corresponding threat score. You use the X-Force rules to automatically flag any security event or network activity data that involves the addresses, and to prioritize the incidents before you begin to investigate them.
The following rule tests show the kinds of conditions that the X-Force rules evaluate:
- when the [source IP|destinationIP|anyIP] is part of any of the following [remote network locations]
- when [this host property] is categorized by X-Force as [Anonymization Servers|Botnet C&C|DynamicIPs|Malware|ScanningIPs|Spam] with confidence value [equal to] [this amount]
- when [this URL property] is categorized by X-Force as [Gambling|Auctions|Job Search|Alcohol|Social Networking|Dating]
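To make the three rule tests concrete, the following added example (it is not JSA or X-Force code) evaluates them in plain Python against a handful of constructed events. The feed tables, the CIDR ranges, the confidence scale of 0 to 100, the threshold of 75 and the set of comparison operators are all assumptions made for the illustration; JSA's real rule engine and the real X-Force feed are not shown here. The point worth noticing is the confidence operator: a test that requires the confidence to be "equal to" one value misses a host whose score is higher, so a threshold comparison is usually what an analyst wants.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed stand-in for the X-Force host reputation data (not the real feed format):
# IP -> (X-Force category, confidence 0-100). Values are invented for this example.
XFORCE_HOSTS: Dict[str, Tuple[str, int]] = {
    "203.0.113.10": ("Botnet C&C", 92),
    "198.51.100.7": ("ScanningIPs", 55),
    "192.0.2.44": ("Anonymization Servers", 80),
}

# Constructed stand-in for the X-Force URL categorization data: hostname -> category.
XFORCE_URLS: Dict[str, str] = {
    "example-bets.invalid": "Gambling",
    "social.example.invalid": "Social Networking",
}

# Constructed "remote network locations" (the remote nets used by the legacy rules).
REMOTE_NETS: Dict[str, List[ipaddress.IPv4Network]] = {
    "Suspicious hosting": [ipaddress.ip_network("203.0.113.0/24")],
}

# Comparison operators assumed for the "with confidence value [operator] [amount]" test.
OPERATORS: Dict[str, Callable[[int, int], bool]] = {
    "equal to": lambda value, amount: value == amount,
    "greater than": lambda value, amount: value > amount,
    "greater than or equal to": lambda value, amount: value >= amount,
    "less than": lambda value, amount: value < amount,
}


@dataclass
class Event:
    """Minimal stand-in for a JSA event or flow record."""
    source_ip: str
    destination_ip: str
    url_host: Optional[str] = None


def in_remote_nets(ip: str, location_names: Iterable[str]) -> bool:
    """Rule test 1: is the IP part of any of the named remote network locations?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for name in location_names for net in REMOTE_NETS.get(name, []))


def host_categorized(ip: str, category: str, operator: str, amount: int) -> bool:
    """Rule test 2: is the host in the given X-Force category with a confidence
    that satisfies the chosen comparison? Unknown hosts never match."""
    entry = XFORCE_HOSTS.get(ip)
    if entry is None:
        return False
    feed_category, confidence = entry
    return feed_category == category and OPERATORS[operator](confidence, amount)


def url_categorized(url_host: Optional[str], categories: Set[str]) -> bool:
    """Rule test 3: is the URL's host in one of the given X-Force URL categories?"""
    return XFORCE_URLS.get(url_host) in categories if url_host else False


# Three rules built from the tests above. Names and thresholds are this example's choice.
RULES: Dict[str, Callable[[Event], bool]] = {
    "remote_net_any_ip": lambda e: (
        in_remote_nets(e.source_ip, ["Suspicious hosting"])
        or in_remote_nets(e.destination_ip, ["Suspicious hosting"])
    ),
    "botnet_cc_high_confidence": lambda e: host_categorized(
        e.destination_ip, "Botnet C&C", "greater than or equal to", 75
    ),
    "url_in_blocked_category": lambda e: url_categorized(
        e.url_host, {"Gambling", "Auctions", "Job Search", "Alcohol", "Social Networking", "Dating"}
    ),
}

# Constructed sample events; the comments state which rule each one should trigger.
EVENTS: List[Event] = [
    Event("10.0.0.5", "203.0.113.10"),                        # 0: Botnet C&C (92) and in 203.0.113.0/24
    Event("10.0.0.6", "198.51.100.7"),                        # 1: ScanningIPs only, no rule fires
    Event("10.0.0.7", "192.0.2.44"),                          # 2: Anonymization Servers, no rule fires
    Event("10.0.0.8", "93.184.216.34", "example-bets.invalid"),  # 3: Gambling URL
    Event("203.0.113.200", "10.0.0.9"),                       # 4: source in the remote net, not in the feed
]


def evaluate(events: List[Event], rules: Dict[str, Callable[[Event], bool]]) -> Dict[str, List[int]]:
    """Return, per rule, the indexes of the events that satisfy its test."""
    return {name: [i for i, event in enumerate(events) if test(event)] for name, test in rules.items()}


if __name__ == "__main__":
    for rule_name, matches in evaluate(EVENTS, RULES).items():
        print(f"{rule_name}: matched events {matches}")
```

Run as a script it prints one line per rule with the matching event indexes. Note that `host_categorized("203.0.113.10", "Botnet C&C", "equal to", 90)` is false even though the host is a Botnet C&C with confidence 92, which is why the rule above uses a threshold comparison rather than an exact match.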
Your JSA administrator must install the IBM Security Threat Content application in order for the rules to appear in the Threats group in the Rules List window. The rules must be enabled before you can use them.
Enabling X-Force Rules in JSA
When the IBM Security Threat Content application is added to your JSA system, the X-Force rules are added to the Rules List. You must enable the rules before you can use them.
- Click the Log Activity tab.
- On the toolbar, click Rules >Rules.
- From the Group menu, click Threats.
The Group column might show both legacy and enhanced rules. By default, the X-Force legacy rules are disabled, but you might find legacy rules that were enabled. Use the newer enhanced rules in the Threats group rather than the legacy rules, which rely on remote network locations (remote nets).
- Select the X-Force rules in the Threats group and click Actions >Enable/Disable.