Blumira's dynamic blocklists (DBLs) help you to reduce your overall attack surface and can automate blocking of malicious sources by providing your next-generation firewall (NGFW) with a regularly-updated aggregate of blocklist and threatlist data.
Depending on the configuration you choose, DBLs can include both your organization's blocklist information (reactive data) and shared information from threat intelligence feeds and community blocklists (proactive data).
You can enable Blumira's DBLs by configuring the blocklist settings in the app (Settings > Blocklists), then configuring the blocklist files as a feed source on your firewall device. Blumira automatically updates the DBL files whenever a new block entry is added to your blocklists in the app.
Reference: Follow the procedures in Configuring blocklists to begin using the features described below.
Dynamic blocklists (DBLs) are regularly-updated feeds that can be used by your NGFW to block threats found in your network traffic. Other common names for these firewall reference objects are external dynamic lists, threatlists, threat or intelligence feeds, and threat lists.
Blumira provides three dynamically updated blocklists: Domain, IP, and URL blocklists. Items in each blocklist are referred to as blocks and include:
- Blocks you manually add in Blocklists.
- Blocks from a finding workflow, which can be automated or manual.
- (Optional) Community blocks.
- (Optional) Threat feed blocks.
With Blumira's detections and manual blocking, supported findings include a question asking whether you want to add the threatening IP to your DBL. If you choose to block the IP or domain, it is immediately added to your blocklist, but it may take a few minutes to be reflected on the firewall, depending on your firewall's update frequency.
Tip: The timestamp at the top of the Blocklists screen (Settings > Blocklists) indicates when the DBL files were last updated.
A threat detected in your firewall log data generates a finding in Blumira, which triggers an alert and awaits your action for resolution. Blumira's Automated Blocking feature can automatically resolve findings where a threat should be blocked by your firewall instead of waiting for a team member to review and respond to the finding.
If you do not automate Blumira's blocking workflows, you must manually resolve these supported findings, and the threat source is not added to your blocklist until after you indicate that the threat is valid and should be blocked.
Tip: Findings that have automatically closed and updated your blocklist include a link to "View Blocklist", where you can review and update the number of days to block the entry.
Threat intelligence data feeds provide current information about potential sources of attack. See About Blumira's intelligence feeds for more background information.
When you enable the threat feed in Blocklists, your DBLs include feed data. Incoming network traffic from sources on the threatlist is either automatically blocked from connecting to your network or detected and flagged as findings in your Blumira blocking workflows. The threatlist data that the threat feed contributes depends on the severity level you choose:
- Low: If you want conservative blocking, start with the "Low" setting. The lowest setting provides your DBLs with only the feeds we have weighted with a very high confidence score (90-100).
- Moderate: Our recommended setting is "Moderate". This will include data from sources we have weighted 80-100 in confidence.
- High: The "High" setting provides your DBLs with the most data and, therefore, the largest number of blocked sources, but it includes feeds with confidence ratings as low as 70.
When you enable Community blocking, you are part of Blumira's blocking community:
- Your blocked IPs (excluding private IPs) and domains are automatically added to our community database to be leveraged by other Blumira customers.
- Malicious sources blocked by other Blumira customers can be automatically added to your blocklist.
Note: No confidential information is passed between customer databases; only the source IP/domain that was found to be malicious is shared.
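The severity thresholds above, the block-for-N-days expiry, and the private-IP exclusion for Community blocking can be put together in one list builder. This is an added illustration, not Blumira's code: the block data model (dicts with value, source, confidence, expires), the function names, and the treatment of only RFC 1918 / ULA ranges as "private" are assumptions of the example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
# Minimum feed confidence admitted at each severity level (values from the page).
SEVERITY_MIN_CONFIDENCE = {"low": 90, "moderate": 80, "high": 70}
# Assumed meaning of "private IPs": RFC 1918 / ULA ranges, never shared with the community.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_private_ip(value):
    """True for an RFC 1918 / ULA address; domains and URLs are not addresses, so False."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)

def is_active(block, now):
    """A block stays active until its optional 'expires' time (the block-for-N-days window)."""
    return block.get("expires") is None or block["expires"] > now

def build_dbl(blocks, severity="moderate", include_feed=True, include_community=False, now=None):
    """Sorted, de-duplicated entries to publish (one per line) for the firewall to fetch.
    Hypothetical block dict: value, source ('manual'|'finding'|'feed'|'community'),
    optional confidence (feed only), optional expires (timezone-aware datetime)."""
    now = now or datetime.now(timezone.utc)
    min_conf = SEVERITY_MIN_CONFIDENCE[severity]
    chosen = set()
    for b in blocks:
        if not is_active(b, now):
            continue  # the block-for-N-days window has elapsed
        if b["source"] == "feed" and (not include_feed or b.get("confidence", 0) < min_conf):
            continue  # feed entry below the chosen severity's confidence floor
        if b["source"] == "community" and not include_community:
            continue
        chosen.add(b["value"])
    return sorted(chosen)

def community_contribution(blocks, now):
    """Your own active blocks that may be shared: only the value, private IPs excluded."""
    return sorted({b["value"] for b in blocks if b["source"] in ("manual", "finding")
                   and is_active(b, now) and not is_private_ip(b["value"])})

# Constructed sample data (documentation addresses, not real indicators).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SAMPLE_BLOCKS = [
    {"value": "203.0.113.10", "source": "manual"},
    {"value": "10.0.0.5", "source": "finding", "expires": NOW + timedelta(days=30)},
    {"value": "198.51.100.7", "source": "finding", "expires": NOW - timedelta(days=1)},
    {"value": "bad.example", "source": "feed", "confidence": 95},
    {"value": "meh.example", "source": "feed", "confidence": 75},
    {"value": "192.0.2.44", "source": "community"},
]
```

Switching the severity from "moderate" to "high" admits the 75-confidence feed entry, and the expired finding block drops out of both the published list and the community contribution.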