Before you start
When you are ready to integrate ThreatSTOP with a device, head to the Device Configuration page to set up the device using a predefined policy. Once the device integration is in place, the device will start uploading logs of connections or DNS lookups filtered by the policy, and reports will become available.
The reports will link log entries from your devices to the Threat Intelligence information (Check IOC) collected for the IP addresses and domains, including the Targets (groups of IOCs) containing them.
With the integration now fully in place, the next step is to create your own custom policy using the Policy Editor. Your custom policy should also include User-Defined Lists to block or whitelist your own list of domain names and IP addresses.
Following initial configuration, the typical ongoing usage of the Admin Portal consists of tuning the policy, updating your User-Defined Lists and reviewing reports.
Optionally, you can also make use of these additional features:
- Custom RPZ Behaviors to customize the response to blocked DNS queries (e.g. to use your own Walled Garden).
- The SIEM integration to connect ThreatSTOP’s Threat Intelligence system with your SIEM application.
- The REST API to integrate your applications (e.g. automated updates of user-defined lists).