Threat categories settings

The threat categories table lists categories of malicious traffic. For each category, use the Block level slider to define how potentially malicious traffic in that category is treated. Click Save to save the changes.

The slider can be set to the following positions:
  • None (take no action): Traffic is inspected and logged. Traffic may be blocked if found to match a different threat category.
  • Known (block known threats only): Known threats are blocked. There is a low risk of false positives.
  • Probable (block known and probable threats): Known and probable threats are blocked. There is a moderate risk of false positives.
  • Suspected (block known, probable, and suspected threats): Known threats, probable threats, and suspected threats are blocked. There is an increased risk of false positives.
Note: Threat severity is ordered Known > Probable > Suspected: Known is the most severe and Suspected the least severe. Each slider position blocks threats of that severity and every more severe level.
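The decision rule behind the slider can be stated as a small policy evaluator. The following is an added illustration, not Forcepoint's own code: it assumes that each detection carries one of the three confidence levels (Known, Probable, Suspected), that a category's block level blocks every detection whose confidence is at or above that level, and that traffic matching several categories is blocked as soon as any one of them reaches its threshold (the "may be blocked if found to match a different threat category" case above). The category names and levels in the sample policy are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class BlockLevel(IntEnum):
    """Slider positions; a higher value blocks more detections."""
    NONE = 0        # take no action: inspect and log only
    KNOWN = 1       # block known threats only
    PROBABLE = 2    # block known and probable threats
    SUSPECTED = 3   # block known, probable and suspected threats


class Confidence(IntEnum):
    """Severity of a detection; Known is most severe, Suspected least."""
    KNOWN = 1
    PROBABLE = 2
    SUSPECTED = 3


@dataclass(frozen=True)
class Detection:
    category: str
    confidence: Confidence


@dataclass
class Verdict:
    blocked: bool
    blocked_by: list = field(default_factory=list)  # categories that triggered a block
    logged: list = field(default_factory=list)      # every category the traffic matched


def evaluate(policy, detections):
    """Apply per-category block levels to the categories a flow matched.

    A detection is blocked when its category's slider is at or above the
    detection's confidence, e.g. PROBABLE blocks KNOWN and PROBABLE
    detections but lets SUSPECTED ones pass (logged only). Categories
    missing from the policy are treated as NONE; that default is an
    assumption of this example, not the product's behaviour.
    """
    verdict = Verdict(blocked=False)
    for det in detections:
        verdict.logged.append(det.category)      # every match is logged
        level = policy.get(det.category, BlockLevel.NONE)
        if level >= det.confidence:              # IntEnum compares as int
            verdict.blocked = True
            verdict.blocked_by.append(det.category)
    return verdict


# Constructed sample policy: category names and slider positions are made up.
SAMPLE_POLICY = {
    "botnet": BlockLevel.KNOWN,
    "phishing": BlockLevel.SUSPECTED,
    "peer-to-peer": BlockLevel.NONE,
}


def demo():
    # Flow 1: suspected peer-to-peer only; slider is NONE, so log but pass.
    v1 = evaluate(SAMPLE_POLICY, [Detection("peer-to-peer", Confidence.SUSPECTED)])
    # Flow 2: same traffic also matches a known botnet signature; blocked by
    # the botnet category even though peer-to-peer is set to NONE.
    v2 = evaluate(SAMPLE_POLICY, [
        Detection("peer-to-peer", Confidence.SUSPECTED),
        Detection("botnet", Confidence.KNOWN),
    ])
    # Flow 3: probable botnet; slider KNOWN does not reach PROBABLE, so pass.
    v3 = evaluate(SAMPLE_POLICY, [Detection("botnet", Confidence.PROBABLE)])
    # Flow 4: suspected phishing; slider SUSPECTED blocks all three levels.
    v4 = evaluate(SAMPLE_POLICY, [Detection("phishing", Confidence.SUSPECTED)])
    return v1, v2, v3, v4


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Flows 3 and 4 show the trade-off the slider controls: raising the botnet slider to PROBABLE would block flow 3 at the cost of the moderate false-positive rate that level carries.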

What is a false positive?

A false positive occurs when traffic that poses no threat is incorrectly detected as suspicious and blocked. For each category, Forcepoint recommends a default block level that provides a high level of security while minimizing the risk of false positives. Any threat detection policy balances identifying threats against minimizing false positives: a lower block level lets more potentially suspicious traffic through but lowers the risk of false positives, while a higher block level stops more potentially suspicious traffic but increases the risk of false positives.