Veriti gives you a single place to manage your Indicators of Compromise (IoCs) centrally and automatically, blocking attackers who try to compromise your organization with 0-day exploits and techniques. Veriti offers two ways to add Indicators to your security products: manually or automatically.
Automatic IoCs are extracted from your “Under Attack” and “Automatic Indicators” Insights. Once you remediate one of these Insights, the IoCs linked to it are populated on the Indicators page.
Veriti applies its machine-learning algorithms to identify malicious IPs that are attacking your environment and blocks them for 6, 12, 24, or 48 hours. The default block time is 6 hours, but you can adjust it per indicator to suit your needs.
Indicators are populated to all your integrated security products, including your firewalls and endpoints (EDR/EPP). At this time, there is no option to skip some of your devices.
First, verify that Indicators are enabled.
- Navigate to Settings > System
- Click on “Indicators”
- Make sure “Enable indicators” is turned ON
You don’t need to do anything specific to enable this feature on your integrated Endpoint security products. Existing Indicators won’t be overridden.
Currently, Microsoft Defender for Endpoint and CrowdStrike Falcon are supported.
- Microsoft Defender for Endpoint requires the following permissions
- CrowdStrike Falcon requires the following permissions:
  - IOC Management (Read & Write)
  - Prevention Policies (Read & Write)
Firewalls rely on Feed Links to learn about new Indicators. To enable this feature on your firewalls, you must first apply a few basic configurations on each firewall.
You’ll need the Feed Link to configure on your firewall, and you must allow Veriti’s IP address in your access rule base.
- Navigate to Intelligence > Indicators
- Click on the ellipsis (three dots), then click “Get Feed URL”.
- Copy the relevant link for your vendor. Veriti supports feeds for Check Point, Palo Alto, and Fortinet.
Next to each vendor, you will find a link demonstrating how to configure the Feed URL.
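As an added illustration (not Veriti's code and not its feed format), the following Python models what a firewall feed like the ones above carries: a constructed set of indicators with the 6/12/24/48-hour block windows described earlier, filtered to those still active and to addresses that are safe to block, rendered one address per line. The record fields, the sample addresses, and the protected-range list are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

DEFAULT_BLOCK_HOURS = 6                 # default block time from the page
ALLOWED_BLOCK_HOURS = {6, 12, 24, 48}   # selectable block windows from the page

# Ranges that must never reach a blocking feed (assumed policy: RFC 1918,
# loopback, link-local, multicast). Feeding your own space blocks you.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample records; field names are an assumption, not Veriti's schema.
# Attacker addresses are taken from documentation ranges (TEST-NET-2/3).
SAMPLE_INDICATORS = [
    {"ip": "203.0.113.10", "seen": "2024-05-01T10:00:00Z", "block_hours": 6},
    {"ip": "198.51.100.7", "seen": "2024-05-01T09:00:00Z", "block_hours": 48},
    {"ip": "203.0.113.10", "seen": "2024-05-01T11:00:00Z", "block_hours": 6},  # repeat sighting
    {"ip": "192.168.1.5",  "seen": "2024-05-01T10:30:00Z", "block_hours": 6},  # internal host
    {"ip": "not-an-ip",    "seen": "2024-05-01T11:00:00Z", "block_hours": 6},  # malformed
    {"ip": "2001:db8::1",  "seen": "2024-05-01T04:00:00Z", "block_hours": 5},  # invalid window -> 6h
]

def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def active_indicators(indicators, now):
    """Return the set of blockable IPs whose block window still covers `now`."""
    active = set()
    for record in indicators:
        try:
            ip = ipaddress.ip_address(record["ip"])
        except ValueError:
            continue                                   # drop malformed entries
        if any(ip in net for net in PROTECTED):
            continue                                   # never block your own ranges
        hours = record.get("block_hours", DEFAULT_BLOCK_HOURS)
        if hours not in ALLOWED_BLOCK_HOURS:
            hours = DEFAULT_BLOCK_HOURS                # fall back to the default window
        if parse_time(record["seen"]) + timedelta(hours=hours) > now:
            active.add(str(ip))                        # the set dedups repeat sightings
    return active

def render_feed(indicators, now):
    """One address per line: a common plain-text shape for firewall IP feeds."""
    return "\n".join(sorted(active_indicators(indicators, now))) + "\n"
```

Regenerating the feed on a schedule is what lets a window expire: an address drops out of the file once its block time has passed, and the firewall unblocks it on its next fetch.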
Another option is to manually add IoCs that you wish to block. Click on the “Add” button in the Indicators table.
You can edit or delete your IoCs by clicking the buttons in the Action column.