Updated on 2022-03-14 GMT+08:00

Adding Black/White Lists

Scenario

You can add black/white lists of IP addresses and domain names. MTD preferentially detects suspicious activities related to the IP addresses and domain names in the lists. MTD runs with a low workload, and detection is fast.

If the same IP address or domain name is added to both the blacklist and whitelist, the IP address or domain name will be ignored during detection as the whitelist has a higher priority.

Prerequisites

  • The black/white lists can only be added from the OBS bucket. You need to upload the files to your OBS bucket first. For details about how to upload an object, see Uploading an Object.
  • MTD supports only Plaintext black/white lists. You need to upload Plaintext files to your OBS bucket before adding them. For details about how to edit an object in Plaintext format, see How Do I Edit Objects in Plaintext Format?

In MTD, "intelligence" is a blacklist containing IP addresses and domain names that are forbidden to access.

Procedure

  1. Log in to the management console.
  2. Click and choose Security & Compliance > Managed Threat Detection. The Detection Result page is displayed. Choose Settings > Threat Intelligence from the navigation pane.

    Figure 1 Threat Intelligence page

  3. Add an intelligence/whitelist file.

    1. Add intelligence.
      1. On the Intelligence tab page, click Add Intelligence. The Add Intelligence dialog box is displayed.
        Figure 2 Adding intelligence
        Table 1 Intelligence file parameters

        | Parameter | Description | Example Value |
        |---|---|---|
        | File Name | Name of the intelligence file to add | BlackList |
        | Intelligence Type | Content type of the file to be uploaded from the OBS bucket to MTD. • IP: MTD will detect threats based on the IP addresses in the intelligence file. • Domain name: MTD will detect threats based on the domain names in the intelligence file. MTD preferentially generates alarms that are associated with the IP addresses or domain names in the intelligence file. | IP |
        | Bucket Name | Name of the OBS bucket where the file is located. NOTE: If no OBS bucket is available, click View/Create OBS Bucket. For details, see Creating a Bucket. | obs-mtd-beijing4 |
        | Object Name | Name of the object in the bucket that stores the intelligence. NOTICE: The object name must contain the file name extension. | mtd-blacklist-ip.txt |
        | Storage Path | Path of the OBS bucket storing the intelligence file | obs://obs-mtd-beijing4/mtd-blacklist-ip.txt |

      2. Confirm the information and click OK. If the added file is displayed in the intelligence list, the operation is successful.
    2. Add a whitelist.
      1. In the Whitelist tab, click Add Whitelist. The Add Whitelist dialog box is displayed.
        Figure 3 Adding a whitelist
        Table 2 Whitelist file parameters

        | Parameter | Description | Example Value |
        |---|---|---|
        | File Name | Name of the intelligence file to add | SecurityList |
        | Intelligence Type | Content type of the file to be uploaded from the OBS bucket to MTD. • IP: MTD will detect threats based on the IP addresses in the whitelist file. • Domain name: MTD will detect threats based on the domain names in the whitelist file. MTD ignores log information that is associated with the IP addresses or domain names in the whitelist file. | IP |
        | Bucket Name | Name of the OBS bucket where the file is located. NOTE: If no OBS bucket is available, click View/Create OBS Bucket. For details, see Creating a Bucket. | obs-mtd-beijing4 |
        | Object Name | Name of the object in the bucket that stores the file. NOTICE: The object name must contain the file name extension. | mtd-securitylist-ip.txt |
        | Storage Path | Path of the OBS bucket storing the file | obs://obs-mtd-beijing4/mtd-securitylist-ip.txt |

      2. Confirm the information and click OK. If the added file is displayed in the whitelist pane, the operation is successful.

  4. On the Threat Intelligence page, click the Intelligence or Whitelist tab to view the added files.

    Figure 4 Intelligence list
    Figure 5 Whitelist

Example

In this example, you upload the intelligence file mtd-blacklist-ip to the OBS bucket obs-mtd-beijing4 and set the file name to BlackList. This file contains the historical intelligence IP address 121.3X.XX.XXX. MTD will detect and block activities related to this IP address.
  1. Create an intelligence file in Plaintext format. Write the IP address 121.3X.XX.XXX into the intelligence file. For details about how to edit an object in Plaintext format, see How Do I Edit Objects in Plaintext Format?
  2. Upload the file. Log in to the management console. Click and choose Storage > Object Storage Service. On the displayed page, upload the object file to the target OBS bucket by following the steps provided in Uploading an Object.
    Figure 6 Uploading the intelligence file
  3. Log in to the MTD console and choose Settings > Threat Intelligence from the navigation pane. On the Threat Intelligence page, click the Intelligence tab and click Add Intelligence. In the displayed dialog box, configure the parameters as required and click OK. View the added file in the intelligence list after the system displays a message indicating that the file is added.
    Figure 7 Adding an intelligence file
    Figure 8 Intelligence added successfully
  4. MTD preferentially scans all service logs against the IP address and domain name in the blacklist.
    Figure 9 Alarm details
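
A pre-upload check for the whitelist-over-blacklist rule described under Scenario and for the plaintext file created in step 1 of the example. This is an added example, not part of the MTD documentation or tooling. It assumes one entry per line (the page only states that files must be plaintext); the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Hostname label syntax (letters, digits, hyphen); an assumption, not MTD's own rule.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(entry, kind):
    """Return a canonical form of one list entry, or None if it is malformed."""
    entry = entry.strip()
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(entry))  # collapses IPv6 spellings
        except ValueError:
            return None
    name = entry.rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        return None
    return name


def parse_list(text, kind):
    """Parse a plaintext list (assumed one entry per line); return (entries, bad_lines)."""
    entries, bad = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        value = normalize(line, kind)
        if value is None:
            bad.append((lineno, line.strip()))
        else:
            entries.add(value)
    return entries, bad


def shadowed(blacklist_text, whitelist_text, kind):
    """Blacklist entries that also appear in the whitelist and would be ignored."""
    black, _ = parse_list(blacklist_text, kind)
    white, _ = parse_list(whitelist_text, kind)
    return sorted(black & white)


# Constructed sample data (documentation-range addresses, not taken from the page).
BLACKLIST_IP = "198.51.100.7\n203.0.113.25\n2001:db8::1\n300.1.1.1\n"
WHITELIST_IP = "203.0.113.25\n2001:0db8:0000:0000:0000:0000:0000:0001\n"

if __name__ == "__main__":
    print("malformed:", parse_list(BLACKLIST_IP, "ip")[1])
    print("ignored by whitelist priority:", shadowed(BLACKLIST_IP, WHITELIST_IP, "ip"))
```

Run it against both files before adding them in the console: any entry it reports as shadowed is one the blacklist will not alert on, because the whitelist has the higher priority.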