Blumira's findings for specific detections can be used as an automated source of firewall blocklist data. When you enable Blumira's automated blocking capability, supported findings close automatically and add the threat source to your blocklist files.
If you disable automated blocking within the Blocklist configuration, findings are not closed automatically, but you can manually complete the workflow and choose to block the threat or not. If the finding resolution you choose indicates that the threat should be blocked, then the threat source is automatically added to your blocklist. You do not need to manually enter the IP or domain in Blocklists.
Reference: To learn about managing your blocklist configurations see Configuring blocklists and managing blocking.
Tip: In Blocklists, you can see the date a threat will stop being blocked in the Blocked Until column. Your blocklist settings include a configurable number of days to block. If you are unsure why an IP or domain is no longer being blocked, check your default number of days to block and/or the number of days indicated for a specific block entry.
Detections included in dynamic blocklist automation
- Password Spraying - 4625 & 4771
- Password Spraying - 4625 & 4648
- Outlook Web Access Anomalous Access Attempts
- SSH, SMB, RDP, or FTP Connection from Public IP
- Indicator: Fatal Severity ESET Alert
- Indicator: Deceptive Site Blocked
- Failed Attempt at Single Factor Powershell Authentication
- Exchange Server: Repeated Failed Login Activity
- DFIR Report Qbot Tier 1 Endpoint Command and Control
- DFIR Report PowerShell Empire command and control
- DFIR Report Posh C2 command and control
- DFIR Report Metasploit Command and Control
- DFIR Report Covenant Command and Control
- DFIR Report Cobalt Strike Command and Control High
- ASA WebVPN Anomalous Access Attempts
- Anomalous Server Path Access