Creating Custom Feeds, Infected Host

To access this page, click Configure>Threat Prevention>Custom Feeds.

  • Note that infected hosts are hosts known to be compromised. For an infected host custom feed, enter host IP addresses manually or upload a text file with the IP addresses of infected hosts.

  • If you create a custom infected hosts feed, it will override the SKY ATP infected hosts feed.

  • To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show custom feed types, including infected hosts.

  • Note that when Sky ATP only mode is selected as the Threat Prevention Type, the infected host custom feed is not available.

  • For creating other custom feed types, see Creating Custom Feeds: Dynamic Address, Allowlist and Blocklist.

Warning

When you have no Sky ATP Configuration Type selected (No selection), Sky ATP realms are disabled. Because site selection is usually done from the Sky ATP realm page, you must select sites from the Custom Feed - Infected Hosts page when in “No selection” mode. The custom feeds are then downloaded to the devices in the chosen sites. This is the only time site selection is available in the Custom Feeds - Infected Hosts page.

To create local file and remote file custom feeds:

  1. Select Configure>Threat Prevention>Custom Feeds.
  2. Select the Infected Host tab.

    Note

    When Sky ATP only is selected as the Threat Prevention Type, the infected host custom feed is not available.

  3. Click Create and select one of the following:
    • Feeds with local files—This is data you enter manually into the provided fields or upload from a text file on your local machine. See Table 1 for details.

    • Feeds with remote file server—This is a data feed from a remote server. Configure communication with the remote server using instructions in Table 2.

  4. Complete the configuration by using the guidelines in Table 1 or Table 2.
  5. Click OK. Your entry is added to the custom list displayed at the bottom of the page.
Note

To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show Infected Hosts, Dynamic Addresses, Allowlist and Blocklists.

Use the fields in Table 1 to add custom feeds.

Table 1: Fields on the Custom Feeds Page, Feeds with Local Files

Field

Description

Name

Enter a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum.

Description

Enter a description for your custom feed; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators.

Sites

Select the required sites from the list to associate them with the infected feeds.

In the default mode (no Sky ATP), only sites are listed, because there are no Sky ATP realms. You cannot share the same site across the same feed type. However, you can share a site across different feed types.

Realms

Select the required realms from the list if you are in Cloud feeds only mode or SDSN with Sky ATP only mode, and associate them with dynamic address, allowlist, or blocklist feeds.

You cannot share the same realm across the same feed type. However, you can share a realm across different feed types.

When you create a Sky ATP realm, if you do not assign any sites to it, that realm is not listed here. Only realms with associated sites are listed here.

Custom List

Do one of the following:

  • Click Upload File to upload a text file with an IP address list. The uploaded file must begin with the string add, followed by the IP addresses. If you want to delete certain IP addresses, enter the string delete followed by the IP addresses to delete.

    Click the Add button to include the address list in your custom list.

    Note that the file must contain only one item per line (no commas or semicolons). All items are validated before being added to the custom list.

  • Manually enter your item in the space provided in the Custom List section. To add more items, click + to add more spaces.

    For syntax, enter an IPv4 address in standard four-octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.
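The upload format described above (a file that begins with add, optionally followed by a delete section, one IPv4 address, CIDR block, or start-end range per line, no commas or semicolons) is easy to get wrong by hand, and a malformed line is rejected at validation time. The following script is an added example, not Juniper's code and not part of this page: it checks a feed file against those rules before you upload it, so that a bad entry is caught locally rather than after the feed has been pushed to the sites. The function names (validate_item, parse_feed) and the sample feed content are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample upload file in the format this page describes:
# "add" first, then addresses to add; optionally "delete" and addresses
# to remove. One item per line. (Example data, not a real feed.)
SAMPLE_FEED = """add
192.0.2.10
198.51.100.0/30
203.0.113.5-203.0.113.9
delete
192.0.2.77
"""


def validate_item(item: str) -> str:
    """Validate one custom-list item and return it in normalized form.

    Accepted syntaxes, per the page: a plain IPv4 address (1.2.3.4),
    IPv4 CIDR (1.2.3.4/30), or an IPv4 range (1.2.3.4-1.2.3.6).
    Raises ValueError (ipaddress errors subclass it) for anything else.
    """
    if "-" in item:
        start, end = item.split("-", 1)
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if first > last:
            raise ValueError(f"range start is after range end: {item}")
        return f"{first}-{last}"
    if "/" in item:
        # strict=False tolerates host bits set in the prefix; the result is
        # the network the device would actually match on.
        return str(ipaddress.IPv4Network(item, strict=False))
    return str(ipaddress.IPv4Address(item))


def parse_feed(text: str) -> dict:
    """Parse an upload file into {"add": [...], "delete": [...]}.

    Enforces the page's rules: the file must begin with "add", each line
    holds exactly one item (no commas or semicolons), and every item is
    validated before it is accepted.
    """
    result = {"add": [], "delete": []}
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are ignored
        if "," in line or ";" in line:
            raise ValueError(f"line {lineno}: only one item per line is allowed")
        keyword = line.lower()
        if keyword in ("add", "delete"):
            if section is None and keyword != "add":
                raise ValueError(f"line {lineno}: file must begin with 'add'")
            section = keyword
            continue
        if section is None:
            raise ValueError(f"line {lineno}: file must begin with 'add'")
        result[section].append(validate_item(line))
    return result


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    print(f"{len(parsed['add'])} item(s) to add, {len(parsed['delete'])} to delete")
    for action in ("add", "delete"):
        for entry in parsed[action]:
            print(f"  {action}: {entry}")
```

Run it against the file you intend to upload (for example by reading the file into parse_feed in place of SAMPLE_FEED); any ValueError names the offending line so it can be corrected before the feed reaches the devices.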

Table 2: Fields on the Custom Feeds Page, Feeds with Remote File Server

Field

Description

Name

Enter a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum.

Description

Enter a description for your custom feed; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators.

Type of Server URL

Select one of the following:

  • http

  • https

Server File URL

Enter the URL for the remote file server.

Certificate Upload

Click Browse and select the CA certificate to upload.

If you do not upload a certificate for an https server URL, a warning message states that no certificate has been uploaded and asks whether to proceed. Click Yes to proceed without uploading a certificate, or No to go back and upload the certificate.

Username

Enter the credentials for the remote file server.

Password

Enter the credentials for the remote file server.

Update Interval

Select how often updates are retrieved from the remote file server: Hourly, Daily, Weekly, Monthly, Never

You can create only a single infected host feed. If you want to create another infected host feed, you must first delete the existing feed and create a new one.

If you try to disenroll a site from an infected host feed, a warning message asks you to resolve all the current infected hosts from the respective endpoints within that site. To resolve the infected hosts, log in to the Sky ATP UI, resolve the hosts, and then unassign the sites from Policy Enforcer. Ensure that you always resolve the infected hosts before unassigning sites. Once you unassign sites, you cannot resolve the hosts.