Threat Situations

Threat situations are system-defined resources used to block threats and suspicious traffic as part of a threat inspection policy. Each threat situation defines the traffic signature patterns that deep packet inspection uses to identify potentially malicious traffic.

Note: Threat situations are dynamically updated by Forcepoint. You cannot edit this list.

From the Navigation pane, click Objects > Threat Situations to navigate to the Threat Situations page.

On the Threat Situations page, you can do the following:
  • Use the Type to filter field to search for a specific threat situation. Click x to clear the field.
  • Click a row in the table to open the Threat Situation details panel and view more details about the threat situation.
  • From the Threat Situation details panel, you can also do the following:
    • View where the threat situation object is referenced. To view where the object is referenced, do the following:
      1. On the Threat Situation details panel, click the ... menu in the upper-right corner of the panel.
      2. Select the Show where used option. The Where used dialog box opens and lists where the object is referenced.
      3. Click x to close the dialog box.
    • View details about the associated tag elements. To view details about the associated tag, do the following:
      1. On the Threat Situation details panel, click the tag link in the Tag field of the panel. A dialog box with the tag details opens.
      2. (Optional) To view details about the parent tag of the associated tag, click the parent tag element link under Parent Situation Tags in the dialog box.
      3. Click x to close the dialog box.
Table 1. Threat situation categories and sub-categories

Category: Attack-related anomalies
Description: Network traffic typically seen prior to or following an attack.
Sub-categories:
  • Known – Attack-related anomalies
  • Probable – Attack-related anomalies

Category: Compromise and successful attacks
Description: Attacks designed to exploit known vulnerabilities, or traffic patterns associated with attempts to gain unauthorized access to a system by bypassing normal security mechanisms.
Sub-categories:
  • Compromise
  • Known – Compromises and successful attacks
  • Probable – Compromises and successful attacks
  • Suspected – Compromises and successful attacks

Category: Denial of Service
Description: Attacks designed to overwhelm the network, servers, and associated services in order to deny service to legitimate users.
Sub-categories:
  • Known – Denial of service
  • Probable – Denial of service
  • Suspected – Denial of service

Category: Disclosure
Description: Attacks designed to leak sensitive and confidential information, including user names, source code, directory listings, configuration, and file contents.
Sub-categories:
  • Known – Disclosure
  • Probable – Disclosure
  • Suspected – Disclosure

Category: Probe
Description: Scanning activity designed to gather intelligence and identify vulnerabilities.
Sub-categories:
  • Known – Probe
  • Probable – Probe
  • Suspected – Probe

Category: Botnet
Description: Botnet traffic typically indicates that malware has been installed, allowing remote control of the device to steal data or use it as a launch pad for further attacks.
Sub-categories:
  • Known – Botnet
  • Probable – Botnet
  • Suspected – Botnet

Category: Invalid Packet
Description: Malformed or invalid packets that are sometimes related to attacks, or packets that are dropped regardless of configuration because further processing of the packet is not possible.
Sub-categories:
  • Malicious routing
  • Invalid Packet Attacks – 1st Class Accuracy
  • Invalid Packet Attacks – 2nd Class Accuracy
  • Invalid Packet Attacks – 3rd Class Accuracy

Category: Other suspicious traffic
Description: Uncategorized suspicious traffic that does not conform to normal usage. May come with an increased risk of false positives if enabled.
Sub-categories:
  • Known – Compromises and successful attacks
  • Spyware, malware and adware
  • Other suspicious traffic