Custom Feed Sources Overview
Policy Enforcer uses threat feeds to provide actionable intelligence to policies about various types of threats. These feeds can come from different sources, such as Sky ATP, and from lists that you can customize by adding IP addresses, domains, and URLs.
Sky ATP feeds and custom feeds are mutually exclusive. You can only have one source for allowlist, blocklist, and infected host feeds.
The following types of custom threat feeds are available:
A dynamic address is a group of IP addresses that can be imported from external sources. These IP addresses are for specific domains or for entities that have a common attribute such as a particular undesired location that poses a threat. You can then configure security policies to use the dynamic addresses within a security policy.
An allowlist contains known trusted IP addresses, URLs, and domains. Content downloaded from locations on the allowlist does not have to be inspected for malware.
A blocklist contains known untrusted IP addresses, URLs, and domains. Access to locations on the blocklist is blocked, and therefore no content can be downloaded from those sites.
Infected hosts are hosts known to be compromised. Enter host IP addresses manually or upload a text file with the IP addresses of infected hosts.
Using DDoS threat feed, policy Enforcer blocks source IP addresses in the feed, rate limit the traffic from the source IP addresses, and takes BGP Flowspec action to apply null-route filtering or redirect the traffic to scrubbing centers.
For threat management policies to use these feeds, you must enter configuration information for each feed type.
Benefits of Custom Feed Sources
Provides relevant and timely intelligence that you can use to create enforcement policies. Enables you to customize threat feeds specific to your industry or organization.
Provides flexible mechanisms to synchronize threat information to:
Configure Policy Enforcer to poll from local file and remote file custom feeds.
Push threat feeds to Policy Enforcer using the Threat Feed API .