Dynamic Blocklists and Threat Feeds

Blumira’s Automated Response

Click here for the most updated version of this documentation.

With Blumira’s Dynamic Blocklists, you can automate threat response with one click and reduce your overall attack surface by blocking malicious source IP addresses and domains through your next-generation firewalls. Blumira integrates with many different firewall providers, including:

And many others – see all of our integrations.

Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.

Overview

Blumira’s dynamic blocklists (DBLs) help you to reduce your overall attack surface and can automate blocking of malicious sources by providing your next-generation firewall (NGFW) with a regularly-updated aggregate of blocklist and threatlist data.

Depending on the configuration you choose, DBLs can include both your organization’s blocklist information (reactive data) and shared information from threat intelligence feeds and community blocklists (proactive data). Items in a blocklist are referred to as blocks, and Blumira’s DBLs include:

Blocks you manually add in Blocklists.
Blocks resulting from a finding workflow, which can be automated or manual.
(Optional) Community blocks.
(Optional) Threat feed blocks.

You can enable Blumira’s DBLs by configuring a blocklist on your integrated next-generation firewall. Follow the procedures in Configuring blocklists to begin using the features described below.

Automated blocking workflows

A threat detected in your firewall log data generates a finding in Blumira, which usually triggers an alert and awaits your action for resolution. Blumira can automatically resolve finding workflows in which an identified threat should be blocked by your firewall. The diagrams below summarize the steps involved in responding to a threat that is attempting to access your network: the first is the automated workflow and the second includes the additional manual steps.

Dynamic blocklists

Dynamic blocklists (DBLs) are regularly-updated feeds that can be used by your NGFW to automatically block threats found in your network traffic. Other common names for these firewall reference objects are: external dynamic lists, threatlists, threat or intelligence feeds, and thread lists.

Blumira provides three DBLs: Domain, IP, and URL blocklists. The DBLs that Blumira creates for your organization are updated every 5 minutes and include these data:

Sources blocked as a result of a finding workflow.
IPs and domains blocked directly by your Administrators and/or Managers in Blocklists.
Threat intelligence data, according to your chosen threat feed severity level (low, moderate, high).

When DBLs are configured on your firewall, you may notice a question in your future workflows asking if you’d like to add a threatening IP to your DBL.

When an IP or domain is blocked through a finding workflow, it will be added immediately to your Blumira blocklist, but it may take a few minutes to reflect on the firewall, depending on your firewall’s update frequency.

Threat feed

Threat intelligence data feeds provide current information about potential sources of attack. See About Blumira’s intelligence feeds for more background information.

When you enable the threat feed in Blocklists, your DBLs will include feed data. Incoming network traffic from sources that are in the threatlist will be automatically blocked from connecting to your network or these will be detected and flagged as findings in your Blumira blocking workflows. The threatlist data resulting from the threat feed will depend on the severity level you choose:

Low: If you want conservative blocking, start with the “Low” setting. The lowest setting will provide your DBLs with only the feeds that we have weighted with very a high confidence score (90-100).
Moderate: Our recommended setting is “Moderate”. This will include data from sources we have weighted 80-100 in confidence.
High: The “High” setting will provide your DBLs with the most data and, therefore a higher amount of blocked sources, but it will include feeds that have confidence ratings as low as 70.

Community blocking

When you enable Community blocking, you are part of Blumira’s blocking community:

Your blocked IPs (excluding private IPs) and domains are automatically added to our community database to be leveraged by other Blumira customers.
Malicious sources blocked by other Blumira customers can be automatically added to your blocklist.

Note: No confidential information is passed between customer databases; only the source IP/domain that was found to be malicious is shared.