Before you start

This page provides a short overview of how to use the features of the Admin Portal. If you are new to the ThreatSTOP platform, we recommend starting with the Overview and the Guided Setup.

Initial Configuration

When you are ready to integrate ThreatSTOP with a device, head to the Device Configuration page to set up the device using a predefined policy. Once the device integration is in place, the device will start uploading logs of the connections or DNS lookups filtered by the policy, and reports will become available.

The reports link log entries from your devices to the Threat Intelligence information (Check IOC) collected for the IP addresses and domains, including the Targets (groups of IOCs) that contain them.

With the integration now fully in place, the next step will be to create your own custom policy, using the Policy Editor. Your custom policy should also include User-Defined Lists to block or whitelist your own list of domain names and IP addresses.

With the policy in place, you can set up email reports (e.g. daily/weekly) or alerts (real-time notifications), for example to be alerted if connections are detected for specific threats or devices.

Following initial configuration, typical ongoing use of the Admin Portal consists of tuning the policy, updating your User-Defined Lists and reviewing reports.

Additional features

Optionally, you can also make use of these additional features:

  • Custom RPZ Behaviors to customize the response to blocked DNS queries (e.g. to use your own Walled Garden).
  • The SIEM integration to connect ThreatSTOP’s Threat Intelligence system to your SIEM application.
  • The REST API to integrate your applications (e.g. automated updates of User-Defined Lists).