How to setup IP exclusion for File Reputation Service Alerts on Security Analytics

Article ID: 169240

Products

Security Analytics

Issue/Introduction

A lot of false positive alerts are being triggered from one of our IP addresses. Is there a way to exclude the IP address from the File Reputation Service (FRS) alerts?

Resolution

Blue Coat File Reputation consists of the following four indicators:
1. Blue Coat File Reputation Service Presented File Extensions
2. Blue Coat File Reputation Service Presented MIME Types
3. Blue Coat File Reputation Service File Types
4. File Transfer Activity

To exclude a specific IP, you must add the exclusion to all four of the indicators above; an exclusion set on only one of them leaves the other three free to match the flow. A sample screenshot is shown below of an IP exclusion on 'Blue Coat File Reputation Service Presented File Extensions' for IP address 10.10.10.10.

Screenshot: IP exclusion for FRS

Adding a separate indicator carrying the IP exclusion filter to the FRS rule will not help, because the rule combines its indicators with OR rather than AND. If a flow matches ‘Blue Coat File Reputation Service Presented File Extensions’ OR ‘Blue Coat File Reputation Service Presented MIME Types’ OR ‘Blue Coat File Reputation Service File Types’ OR ‘File Transfer Activity’ OR ‘IP Exclusion’, it is sent to the File Reputation Service, so an extra indicator can only add matches, never suppress them.
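The OR behaviour described above, modelled as an added Python example (this is not Security Analytics code; the flow fields, the match criteria inside each indicator and the function names are constructed placeholders, and only the four indicator names and the address 10.10.10.10 come from the article):

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set

EXCLUDED_IP = "10.10.10.10"  # the address used in the article's screenshot


@dataclass
class Flow:
    src_ip: str
    extension: str = ""  # constructed sample attributes, not Security Analytics field names
    mime_type: str = ""
    file_type: str = ""
    file_transfer: bool = False


@dataclass
class Indicator:
    name: str
    match: Callable[[Flow], bool]
    excluded_ips: Set[str] = field(default_factory=set)  # the per-indicator IP exclusion filter

    def matches(self, flow: Flow) -> bool:
        return flow.src_ip not in self.excluded_ips and self.match(flow)


def build_frs_indicators(exclude_ip: str = "") -> List[Indicator]:
    """The four FRS indicators; the match criteria are constructed placeholders."""
    excl = {exclude_ip} if exclude_ip else set()
    return [
        Indicator("Presented File Extensions", lambda f: f.extension in {"exe", "dll"}, set(excl)),
        Indicator("Presented MIME Types", lambda f: f.mime_type == "application/x-dosexec", set(excl)),
        Indicator("File Types", lambda f: f.file_type == "PE", set(excl)),
        Indicator("File Transfer Activity", lambda f: f.file_transfer, set(excl)),
    ]


def frs_rule_fires(indicators: List[Indicator], flow: Flow) -> bool:
    # The rule ORs its indicators: a single matching indicator sends the flow to FRS.
    return any(ind.matches(flow) for ind in indicators)


def extra_indicator_approach(flow: Flow) -> bool:
    # Does not work: a fifth "IP Exclusion" indicator is simply ORed with the other four.
    extra = Indicator("IP Exclusion", lambda f: f.src_ip != EXCLUDED_IP)
    return frs_rule_fires(build_frs_indicators() + [extra], flow)


def per_indicator_exclusion_approach(flow: Flow) -> bool:
    # Works: the exclusion filter is set on each of the four indicators.
    return frs_rule_fires(build_frs_indicators(exclude_ip=EXCLUDED_IP), flow)
```

Running both approaches against a flow from 10.10.10.10 that presents an executable extension shows the extra-indicator variant still fires while the per-indicator exclusion suppresses it, and flows from other addresses are unaffected.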
