
What's New in Security Content

Updated Threat Intelligence Feeds from ZeroFox

To provide increased accuracy for risk evaluation of users and assets, Exabeam can now leverage threat intelligence feeds from ZeroFox (ZF) across Exabeam products. The ZeroFox feeds provide improved information for indicators of compromise (IoCs) such as IP addresses associated with ransomware and malware attacks.

In most cases, no configuration change is required to begin using ZeroFox threat intelligence. However, if you previously disabled any of the rules or models that use these feeds, you will need to re-enable them before they can act on the new feed data.

The following table lists the rules that leverage the ZeroFox threat intelligence feeds, grouped by IoC category:

IoC Category: (ZF) IP addresses associated with ransomware attacks
Rules:
  • Auth-Ransomware-Shost
  • Auth-Ransomware-Shost-Failed
  • A-NET-Ransomware-IP
  • A-NETF-Ransomware-IP
  • WEB-UI-Ransomware

IoC Category: (ZF) IP addresses associated with ransomware or malware attacks
Rules:
  • VPN02
  • Auth-Blacklist-Shost
  • Auth-Blacklist-Shost-Failed
  • EPA-PI-ThreatIp
  • A-NET-TI-IP-Outbound
  • A-NETF-TI-IP-Outbound
  • A-NET-TI-IP-Inbound
  • A-WEB-Reputation-IP
  • WEB-UI-Reputation

IoC Category: (ZF) Domain names and URLs associated with sites that often contain malware, drive-by compromises, and more
Rules:
  • WEB-UD-Reputation
  • A-WEB-Reputation-Domain
  • A-NET-TI-H-Outbound
  • A-NETF-TI-H-Outbound
  • A-NET-TI-H-Inbound
  • A-DNS-MALDOM-QUERY
  • A-DNS-MALDOM-RESPONSE

IoC Category: (ZF) Domain names associated with phishing or ransomware
Rules:
  • WEB-UD-Phishing