Managing Threats

Matched Threats

The Matched Threats table provides data for each threat that matched the rule.

The table lists the other rules that were matched by the threat:

  • Clicking a rule name in the Rules column displays that rule’s activity page.

  • Hovering over a rule in the Rules column also highlights all instances of the same rule in the other rows.

  • Clicking a rule in the Description column displays the properties for that rule.

  • The Match Events column shows the number of times traffic matched a rule within the selected time range and its change over time. A significant value could indicate a security problem.

You can drill into each threat to display its Entity Details page.

Activity

The Activity table lists each attack and the time it occurred. You can drill into each threat to display its Entity Details page.

If you are unfamiliar with the Status icons, you can hover over the icon in the Status column to see its activity.

Managing threats

If your account has sufficient permissions, you can manually allow, block or deny entitie from the threat’s Entity Details page, IWAF Settings page, or by using the ThreatX API.

Entity Details

If the threat has interacted with your sites, you can add them to the list: . Click the threat in the Dashboard or other location to open its Entity Details page. . Click Current Status . Change it to the desired list.

image

To remove a threat from a list, open Current Status and select a different list or Watched.

IWAF Settings

IWAF blacklisted ips no nav

  • In each tab, use Add Entry to add an IP address or CIDR range to the list. You are prompted to provide a reason for the action.

  • Use the Remove in the entity’s row to manually remove an entity.

ThreatX API

ℹ️ Manage Lists with the List ThreatX API Endpoint
URL

api.threatx.com/tx_api/v2/list

List the IP addresses currently within the list

  • list_blacklist

  • list_blocklist

  • list_whitelist

Return the details of a single IP entry

  • get_blacklist

  • get_blocklist

  • get_whitelist

Add a single IP address or CIDR

  • new_blacklist

  • new_blocklist

  • new_whitelist

Add one or more new entries

  • bulk_new_blacklist

  • bulk_new_blocklist

  • bulk_new_whitelist

Delete a single entry

  • delete_blacklist

  • delete_blocklist

  • delete_whitelist

Delete one or more new entries

  • bulk_delete_blacklist

  • bulk_delete_blocklist

  • bulk_delete_whitelist

Remove an IP address from the block list
Request
$ curl https://api.threatx.com/tx_api/v2/lists \
  --header 'Content-Type: application/json' \
 --data @- <<EOF
{
  "command": "delete_blocklist",
  "token": "<api_token>",
  "customer_name": "<tenant_name>",
  "ip": "1.2.3.4"
}
EOF
Response
{"Ok": "Blocklist entry for IP 1.2.3.4 removed"}
🎓 Add an IP address to the Blacklist
Request
$ curl https://api.threatx.com/tx_api/v2/lists \
  --header 'Content-Type: application/json' \
  --data @- <<EOF
{
  "command":"new_blacklist",
  "token":"<api_token>",
  "customer_name":"<tenant_name>",
  "entry":{
     "ip":"1.2.3.4",
     "description":"Test Blacklist",
      "created":1
  }
}
EOF
Response
{ "Ok": "Blacklist entry for ip 1.2.3.4 added" }