Scoring Updates for IP Threat Rules
June – November 2023
In specific Advanced Analytics releases, default scoring has been updated for rules that are based on the is_ip_threat condition. These rules are used to identify traffic from known malicious domains or IP addresses.
To reduce false positive alerts and provide more accurate threat detection, the scoring system for IP addresses collected from threat detection services has been modified. The default score for IP addresses, as assigned in the is_ip_threat field, has been reduced to 1.
For a list of the rule score changes, see the table below.
Rule Name | Original Score | Updated Score | AA Release Affected | Deprecated* |
---|---|---|---|---|
A-NET-TI-IP-Outbound | 10 | 1 | i63.5, i62.5 | True |
A-NETF-TI-IP-Outbound | 5 | 1 | i63.5, i62.5 | True |
A-NET-TI-IP-Inbound | 30 | 1 | i63.5, i62.5 | |
VPN02 | 30 | 1 | i63.5, i62.5 | |
Auth-Blacklist-Shost | 40 | 1 | i63.5, i62.5 | |
Auth-Blacklist-Shost-Failed | 30 | 1 | i63.5, i62.5 | True |
EPA-PI-ThreatIp | 10 | 1 | i63.5, i62.5 | |
WCA-Threat-IP | 10 | 1 | i63.5, i62.5 | |
WEB-UI-Reputation-A | 5 | 1 | i63.6, i62.5 | |
WEB-UI-Reputation-F | 10 | 1 | i63.6, i62.5 | |
WEB-UI-Reputation-N | 2 | 1 | i63.6, i62.5 | |
A-WEB-Reputation-IP | 10 | 1 | i63.6, i62.5 | |
* Deprecated and cannot be enabled.