Email Threat Detection and Response customers can access the Indicators of Compromise (IOC) Settings screen in the portal at Dashboard > Services > Email Threat Detection and Response > Indicators of Compromise (IOC) Blocklist Settings.
You enable the IOC Blocklist feature on this page by checking the box and clicking Save. Once the service is enabled, you can manage and view your IOC blocklist using the controls on the page, and choose what happens to messages that the service identifies. You can:
- Provide custom text for the subject lines of emails that are tagged as malicious.
- Specify an address to which the email that is identified as malicious is forwarded.
- Download a report listing the IOCs that were blocked for a specified retention period.
- Modify the retention period for IOC entries. The default is 7 days and the maximum is 30 days.
You can also use the controls on the Email Services > Anti-Malware > Alerts page to configure alerts to notify others in your organization when IOCs are blocklisted.
Using the IOC Blocklist API
The IOC Blocklist API provides functionality to:
- Add, modify, and delete IOCs from your blocklist.
- Download your blocklist in JSON or CSV format.
- Upload IOCs to your blocklist (merge with existing list or replace it).
- Renew or reset the expiry date of each IOC in your blocklist.
To get started using the IOC Blocklist API, follow these steps.
- At the top of the IOC Blocklist Settings page, check the box to enable the service. Remember to click Save at the bottom of the page.
- Create a new user account in the portal for authentication to the IOC Blocklist service. You can use your existing portal account to access the IOC Blocklist API. However, we recommend that you create a separate user account to interact with the API. The API authorizes requests with ClientNet credentials that hold the following permissions:
  - Any ClientNet user who has View Configuration permission for either the IOC Blacklist service or the Email Threat Detection and Response service can access the Download API.
  - Any ClientNet user who has View Configuration and Edit Configuration permissions for the IOC Blacklist service can access the Upload and RenewAll APIs.
- Download the IOC Blocklist API Guide (https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/email-security/email-security-cloud/generated-pdfs/Indicators-of-Compromise-(IOC)-Blacklist-API-Guide.pdf), which explains how to use the IOC Blocklist API to upload, download, and renew IOC data to help block emerging threats.
IOCs that can be added to your blocklist are:
- Attachment MD5 or SHA2 file hash
- Body sender domain, top-level domain, and email address
- Envelope sender domain, top-level domain, and email address
- Sender IP address and IP range (CIDR notation)
- Recipient domain and email address
- Subject text
- URLs in the message body only (the service checks only the first 250 URLs that appear)
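As an added illustration (not code from the API guide or from Broadcom), the following pre-upload check sorts a batch of candidate indicators into the IOC kinds listed above, drops anything unsupported, deduplicates, and stamps each entry with an expiry computed from a retention period clamped to the 30-day maximum. The kind labels, the record shape, the SHA-256 length assumed for "SHA2", and the sample values are this example's own assumptions; the real upload format is the one defined in the API guide.

```python
import ipaddress
import re
from datetime import date, timedelta

# Patterns for the supported IOC kinds; SHA2 is assumed to be SHA-256 (64 hex chars).
HASH_RE = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{64})$", re.I)  # MD5 or SHA-256
URL_RE = re.compile(r"^https?://\S+$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$", re.I)
MAX_RETENTION_DAYS = 30  # default retention is 7 days, 30 is the maximum

def classify_ioc(value):
    """Map a candidate string to one of the supported IOC kinds, or None."""
    v = value.strip()
    if HASH_RE.match(v):
        return "attachment_hash"
    if URL_RE.match(v):
        return "url"
    if EMAIL_RE.match(v):
        return "email"
    try:  # a single sender address or a CIDR range
        ipaddress.ip_network(v, strict=False)
        return "ip_range" if "/" in v else "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "tld" if "." not in v else "domain"
    return None

def build_upload_set(candidates, retention_days=7):
    """Return (accepted, rejected): accepted entries carry a kind and an expiry date."""
    if not 1 <= retention_days <= MAX_RETENTION_DAYS:
        raise ValueError(f"retention must be 1..{MAX_RETENTION_DAYS} days")
    expires = (date.today() + timedelta(days=retention_days)).isoformat()
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        value, kind = raw.strip(), classify_ioc(raw)
        key = value if kind == "url" else value.lower()  # URL paths are case-sensitive
        if kind is None:
            rejected.append(raw)
        elif key not in seen:
            seen.add(key)
            accepted.append({"kind": kind, "value": value, "expires": expires})
    return accepted, rejected

# Constructed sample input (hypothetical values), including a duplicate and an unusable entry.
SAMPLE_IOCS = ["d41d8cd98f00b204e9800998ecf8427e", "phish@example.net",
               "example.org", "198.51.100.0/24", "https://bad.example/login",
               "https://bad.example/login", "not an ioc"]
```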