ThreatSTOP Policies

Policies define the set of IOCs that will be applied to the device to block malicious IP traffic and DNS lookups.

The API service supports the creation, modification and retrieval of policy definitions.

Policies are assembled with:

Policies can be assigned to devices. As their contents are updated throughout the day, firewall and DNS rules are reconfigured to filter the latest IOCs.

Policies can also be loaded on SIEM devices using the optional ThreatList feature.

IP and DNS Policies

There are two types of policies, which are assigned to devices based on the device type:

  • IP Defense devices use IP Policies that block traffic on firewalls and routers based on source and destination IP addresses.
  • DNS Defense devices and Roaming Defense devices use DNS Policies that prevent DNS requests for malicious domains.

DNS policies can filter both domains and IP addreses (IP records returned by the DNS lookups) and can use both domain and IP targets. IP policies use IP targets only.

Predefined and custom policies

  • Predefined policies are managed by ThreatSTOP, and provide a good default . Predefined policies cannot include user-defined lists. They are Read-Only by customers.
  • Custom policies are created by customers and can include User-defined lists.

Trial policies

  • Trial policies are a special group of predefined policies that can only be assigned to trial devices.

Target Action

  • IP policies support two actions - block and allow.
  • DNS Policies support RPZ actions, which can block DNS requests in different ways, or allow and log them.
    • RPZ Targets have a default behavior (typically block, but possibly pass-thru) defined by ThreatSTOP. A policy can override the default action at the policy level (it applies to all targets, for example to use a walled garden) and/or override it at the target level only.

DNS transport

Policies are typically retrieved by ThreatSTOP’s integrations (the software loading policy on your firewall) using the DNS protocol. It is unlikely that your software will require integration with ThreatSTOP’s DNS services. Nevertheless, this service outputs the policy settings associated with the the DNS zones.