ThreatIQ

This section provides the purpose, elements, and actions performed on the ThreatIQ pages.

Overview
Configuration
Custom Threat List

Purpose

The Overview page provides visibility into real-time threat detection and remediation across multi-cloud environments using Aviatrix ThreatIQ.

Elements

Threat Summary Panel: Displays detected threats, severity, and impacted resources.
Topology View: Visualizes threat location and affected gateways.
Flow Data Panel: Shows traffic flows triggering alerts.
ThreatGuard Status: Indicates if automated remediation is active.

Actions

View ThreatIQ Overview

To view ThreatIQ threat detection and status:

Go to Security > ThreatIQ > Overview.
The Overview page appears with the Threat Summary Panel showing detected threats, severity, and impacted resources.
Review Topology View to visualize threat location and affected gateways.
Use Flow Data Panel to inspect traffic flows triggering alerts.
Check ThreatGuard Status for automated remediation (drop rules) status.

The Overview provides real-time visibility into threat detection and remediation across multi-cloud environments.

Parameter Details

Sl. No.	CoPilot Parameter Name	Description
1	Threat Summary	Lists threats detected by ThreatIQ with severity levels.
2	Topology View	Displays network topology highlighting impacted gateways.
3	Flow Data	Shows source/destination IPs and ports for suspicious traffic.
4	ThreatGuard Status	Indicates if drop rules have been programmed automatically.

Purpose

The Configuration page allows enabling ThreatIQ, customizing threat lists, and managing exclusion settings.

Elements

Enable ThreatIQ Toggle: Activates threat detection and alerting.
Custom Threat List: Add or remove IPs/domains for monitoring.
Exclusion Settings: Configure VPC/VNets to bypass ThreatIQ inspection.

Actions

Enable or Disable ThreatIQ

To enable or disable ThreatIQ threat detection and alerting:

Go to Security > ThreatIQ > Configuration.
Use the Enable ThreatIQ toggle to activate or deactivate threat detection and alerting.
Save your changes if required.

ThreatIQ is enabled or disabled according to the toggle state.

Parameter Details

Sl. No.	CoPilot Parameter Name	Description
1	Enable ThreatIQ	Turns on ThreatIQ threat detection and alerting.
2	Custom Threat List	Allows adding custom IPs/domains for threat monitoring.
3	Exclusion Settings	Configure VPC/VNets excluded from ThreatIQ inspection.

Manage Custom Threat List

To add or remove IPs or domains for monitoring:

Go to Security > ThreatIQ > Configuration.
In Custom Threat List, add or remove IPs or domains to monitor.
Save your changes.

Custom threat list entries are used for threat monitoring in addition to global feeds.

Configure Exclusion Settings

To configure VPC/VNets to bypass ThreatIQ inspection:

Go to Security > ThreatIQ > Configuration.
In Exclusion Settings, configure the VPC/VNets to exclude from ThreatIQ inspection.
Save your changes.

Excluded VPC/VNets are not inspected by ThreatIQ.

Purpose

The Custom Threat List page lets you add and manage a custom list of IP addresses that ThreatIQ treats as threat IPs.

Custom threat IPs are handled by the Controller in the same way as threat IPs from the global threat source (detection, alerts, blocking, and unblocking). Use this list to monitor and block traffic to or from IPs you define as threats.

Elements

Custom Threat List table: Lists the IP addresses, severity, color, classification, and notes you have added.
+ Threat IP: Adds a new threat IP entry to the list.
Edit icon: Edits an existing threat IP entry (double-click a value to change it, then save).
Delete icon: Removes an IP from the custom list; if blocking was applied for that IP, the Controller removes the rules from affected gateways.

Actions

Add a Custom Threat IQ IP List

To add a custom list of threat IPs in ThreatIQ:

Go to Security > ThreatIQ > Custom Threat List.
Click + Threat IP. An IP Deny List dialog appears.
Enter the details. Refer to the Parameter Details table.
To add more IPs, click the plus sign and enter the details for each.
Click Confirm.

The IP addresses are added to the database of known malicious hosts used by ThreatIQ.When those IPs are detected in traffic, they appear on the ThreatIQ map and are handled like other threat IPs (detection, blocking, unblocking). You must have all_write or all_security_write permissions to add a custom ThreatIQ IP list.

Parameter Details

Sl. No.	CoPilot Parameter Name	Description
1	IP	The IP address you consider a threat IP.
2	Severity	A term that indicates the severity of this threat IP (e.g. Major, Medium).
3	Color	The color to associate with this threat IP; used in lists and charts on the ThreatIQ dashboard.
4	Classification	A term that indicates the classification of this threat IP.
5	Info	A custom note for this threat IP.

Edit a Custom Threat IP Entry

To change an existing custom threat IP entry:

Go to Security > ThreatIQ > Custom Threat List.
Click the Edit icon for the entry you want to change.
Double-click the value you want to change and enter the new value.
Click the Save icon.

Threat records created before the change keep their earlier values.

Delete an IP from the Custom Threat List

To remove an IP from the Custom Threat List:

Go to Security > ThreatIQ > Custom Threat List.
Locate the IP you want to remove and click the Delete icon.

The IP is removed from the database of known malicious hosts used by ThreatIQ.

If ThreatIQ blocking was applied for that IP, the Controller automatically removes the security rules for that threat IP from the affected gateways and traffic is no longer blocked for it.

Concepts & Architecture

Guides

Reference

Purpose

Elements

Actions

Parameter Details

Purpose

Elements

Actions

Parameter Details

Purpose

Elements

Actions

Parameter Details

Concepts & Architecture

Guides

Reference

​Purpose

​Elements

​Actions

​Parameter Details

​Purpose

​Elements

​Actions

​Parameter Details

​Purpose

​Elements

​Actions

​Parameter Details

Purpose

Elements

Actions

Parameter Details

Purpose

Elements

Actions

Parameter Details

Purpose

Elements

Actions

Parameter Details