IP Address and URL Categories
X-Force Threat Intelligence categorizes IP address and URL information.
The IP addresses are grouped into the following categories:
- Dynamic IP addresses
- Botnet Command and Control
- Scanning IP addresses
The X-Force Threat Intelligence feed also categorizes URL addresses.
Finding IP Address and URL Information in X-Force Exchange
Use right-click menu options in JSA to find the information that X-Force Exchange holds about IP addresses and URLs. You can use the information from your JSA searches, offenses, and rules to research further or to add information about IP addresses or URLs to an X-Force Exchange collection.
You can contribute either public or private information to track data in collections when you research security issues.
A collection is a repository where you store the information that is found during an investigation. You can use a collection to save X-Force Exchange reports, comments, or any other content. An X-Force Exchange report contains both a version of the report from the time when it was saved, and a link to the current version of the report. The collection contains a section that has a wiki-style notepad where you can add comments that are relevant to the collection.
- To look up an IP address in X-Force Exchange from JSA, follow these steps:
  - Select the Log Activity or the Network Activity tab.
  - Right-click the IP address that you want to view in X-Force Exchange and select More Options > Plugin Options > X-Force Exchange Lookup to open the X-Force Exchange interface.
- To look up a URL in X-Force Exchange from JSA, follow these steps:
  - Select either the Offenses tab, or the event details windows available on the Offenses tab.
  - Right-click the URL that you want to look up in X-Force Exchange and select Plugin Options > X-Force Exchange Lookup to open the X-Force Exchange interface.
Creating a URL Categorization Rule to Monitor Access to Certain Types Of Websites
You can create a rule that sends an email notification if users of the internal network access URL addresses that are categorized as gambling websites.
To use X-Force data in rules, your administrator must configure JSA to load data from the X-Force servers.
To create a new rule, you must have the Offenses > Maintain Custom Rules permission.
- Click the Offenses tab.
- On the navigation menu, click Rules.
- From the Actions list, select New Event Rule.
- Read the introductory text on the Rule wizard and click Next.
- Click Events and click Next.
- From the Test Group list box, select X-Force Tests.
- Click the plus (+) sign beside the when URL (custom) is categorized by X-Force as one of the following categories test.
- In the enter rule name here field in the Rule pane, type a unique name that you want to assign to this rule.
- From the list box, select Local or Global.
- Click the underlined configurable parameters to customize the variables of the test.
  - Click URL (custom).
  - Select the URL property that contains the URL that was extracted from the payload and click Submit.
  - Click one of the following categories.
  - Select Gambling / Lottery from the X-Force URL categories, click Add + and click Submit.
- To export the configured rule as a building block to use with other rules:
  - Click Export as Building Block.
  - Type a unique name for this building block.
- On the Groups pane, select the check boxes of the groups to which you want to assign this rule.
- In the Notes field, type a note that you want to include for this rule, and click Next.
- On the Rule Responses page, click Email and type the email addresses that receive the notification.
- Click Next.
- If the rule is accurate, click Finish.