@@ -2371,6 +2371,398 @@ A Security Engine has been offline for more than 48 hours.
23712371
23722372</details >
23732373
2374+ #### ` Blocking Known Safe IP `
2375+
2376+ A known safe or legitimate IP address was blocked (false positive)
2377+
2378+ ``` json
2379+ {
2380+ "event_id" : " c6d468d4f1084ebca84165c33f97fbc4" ,
2381+ "organization_id" : " 12345678-1234-1234-1234-123456789012" ,
2382+ "event_timestamp" : " 2025-07-10T09:11:33.359703Z" ,
2383+ "event_type" : " blocking_safe_ip" ,
2384+ "uuid" : " alert-uuid-1234" ,
2385+ "message" : " Suspicious SSH behavior detected" ,
2386+ "scenario" : " ssh-brute-force" ,
2387+ "behaviors" : [
2388+ {
2389+ "name" : " Brute Force" ,
2390+ "description" : " Multiple failed SSH login attempts detected in short time" ,
2391+ "label" : " SSH Brute Force"
2392+ },
2393+ {
2394+ "name" : " Port Scan" ,
2395+ "description" : " Scanning activity detected on multiple ports" ,
2396+ "label" : " Scan"
2397+ }
2398+ ],
2399+ "start_at" : " 2025-07-10T09:11:26.584612Z" ,
2400+ "stop_at" : " 2025-07-10T09:11:26.584612Z" ,
2401+ "target" : {
2402+ "ip" : " 192.168.1.10" ,
2403+ "id" : " machine-01" ,
2404+ "name" : " internal-server-01"
2405+ },
2406+ "source" : {
2407+ "scope" : " ip" ,
2408+ "value" : " 203.0.113.25" ,
2409+ "as_name" : " ExampleISP" ,
2410+ "as_number" : 64512 ,
2411+ "country" : " US" ,
2412+ "city" : " San Francisco" ,
2413+ "latitude" : 37.7749 ,
2414+ "longitude" : -122.4194 ,
2415+ "rdns" : " 25.113.0.203.example.com"
2416+ },
2417+ "is_manual_decision" : false ,
2418+ "scenario_confidence" : 0 ,
2419+ "false_positives" : [
2420+ {
2421+ "name" : " cdn:example_exit_node" ,
2422+ "description" : " IP is an Example CDN exit IP and should not be flagged as a threat." ,
2423+ "label" : " Example CDN"
2424+ }
2425+ ]
2426+ }
2427+ ```
2428+ <details >
2429+ <summary >JSON Schema</summary >
2430+ ``` json
2431+ {
2432+ "$defs" : {
2433+ "AlertBehavior" : {
2434+ "properties" : {
2435+ "description" : {
2436+ "description" : " The attack behavior description" ,
2437+ "title" : " Description" ,
2438+ "type" : " string"
2439+ },
2440+ "label" : {
2441+ "description" : " The attack behavior label" ,
2442+ "title" : " Label" ,
2443+ "type" : " string"
2444+ },
2445+ "name" : {
2446+ "description" : " The attack behavior name" ,
2447+ "title" : " Name" ,
2448+ "type" : " string"
2449+ }
2450+ },
2451+ "required" : [
2452+ " name" ,
2453+ " description" ,
2454+ " label"
2455+ ],
2456+ "title" : " AlertBehavior" ,
2457+ "type" : " object"
2458+ },
2459+ "AlertSource" : {
2460+ "properties" : {
2461+ "as_name" : {
2462+ "anyOf" : [
2463+ {
2464+ "type" : " string"
2465+ },
2466+ {
2467+ "type" : " null"
2468+ }
2469+ ],
2470+ "default" : null ,
2471+ "description" : " The AS name of the source" ,
2472+ "title" : " As Name"
2473+ },
2474+ "as_number" : {
2475+ "anyOf" : [
2476+ {
2477+ "type" : " integer"
2478+ },
2479+ {
2480+ "type" : " null"
2481+ }
2482+ ],
2483+ "default" : null ,
2484+ "description" : " The AS number of the source" ,
2485+ "title" : " As Number"
2486+ },
2487+ "city" : {
2488+ "anyOf" : [
2489+ {
2490+ "type" : " string"
2491+ },
2492+ {
2493+ "type" : " null"
2494+ }
2495+ ],
2496+ "default" : null ,
2497+ "description" : " The city of the source" ,
2498+ "title" : " City"
2499+ },
2500+ "country" : {
2501+ "anyOf" : [
2502+ {
2503+ "type" : " string"
2504+ },
2505+ {
2506+ "type" : " null"
2507+ }
2508+ ],
2509+ "default" : null ,
2510+ "description" : " The country of the source" ,
2511+ "title" : " Country"
2512+ },
2513+ "latitude" : {
2514+ "anyOf" : [
2515+ {
2516+ "type" : " number"
2517+ },
2518+ {
2519+ "type" : " null"
2520+ }
2521+ ],
2522+ "default" : null ,
2523+ "description" : " The latitude of the source" ,
2524+ "title" : " Latitude"
2525+ },
2526+ "longitude" : {
2527+ "anyOf" : [
2528+ {
2529+ "type" : " number"
2530+ },
2531+ {
2532+ "type" : " null"
2533+ }
2534+ ],
2535+ "default" : null ,
2536+ "description" : " The longitude of the source" ,
2537+ "title" : " Longitude"
2538+ },
2539+ "rdns" : {
2540+ "anyOf" : [
2541+ {
2542+ "type" : " string"
2543+ },
2544+ {
2545+ "type" : " null"
2546+ }
2547+ ],
2548+ "default" : null ,
2549+ "description" : " The rDNS of the source" ,
2550+ "title" : " Rdns"
2551+ },
2552+ "scope" : {
2553+ "description" : " The scope of the value" ,
2554+ "title" : " Scope" ,
2555+ "type" : " string"
2556+ },
2557+ "value" : {
2558+ "description" : " The value of the source" ,
2559+ "title" : " Value" ,
2560+ "type" : " string"
2561+ }
2562+ },
2563+ "required" : [
2564+ " scope" ,
2565+ " value"
2566+ ],
2567+ "title" : " AlertSource" ,
2568+ "type" : " object"
2569+ },
2570+ "AlertTarget" : {
2571+ "properties" : {
2572+ "id" : {
2573+ "description" : " The id of the machine targeted by the attack" ,
2574+ "title" : " Id" ,
2575+ "type" : " string"
2576+ },
2577+ "ip" : {
2578+ "description" : " The IP targeted by the attack" ,
2579+ "title" : " Ip" ,
2580+ "type" : " string"
2581+ },
2582+ "name" : {
2583+ "anyOf" : [
2584+ {
2585+ "type" : " string"
2586+ },
2587+ {
2588+ "type" : " null"
2589+ }
2590+ ],
2591+ "default" : null ,
2592+ "description" : " The name of the machine targeted by the attack" ,
2593+ "title" : " Name"
2594+ }
2595+ },
2596+ "required" : [
2597+ " ip" ,
2598+ " id"
2599+ ],
2600+ "title" : " AlertTarget" ,
2601+ "type" : " object"
2602+ },
2603+ "FalsePositive" : {
2604+ "properties" : {
2605+ "description" : {
2606+ "description" : " The description of the false positive" ,
2607+ "title" : " Description" ,
2608+ "type" : " string"
2609+ },
2610+ "label" : {
2611+ "description" : " The label of the false positive" ,
2612+ "title" : " Label" ,
2613+ "type" : " string"
2614+ },
2615+ "name" : {
2616+ "description" : " The name of the false positive" ,
2617+ "title" : " Name" ,
2618+ "type" : " string"
2619+ }
2620+ },
2621+ "required" : [
2622+ " name" ,
2623+ " description" ,
2624+ " label"
2625+ ],
2626+ "title" : " FalsePositive" ,
2627+ "type" : " object"
2628+ }
2629+ },
2630+ "properties" : {
2631+ "behaviors" : {
2632+ "default" : [],
2633+ "description" : " The attack behaviors" ,
2634+ "items" : {
2635+ "$ref" : " #/$defs/AlertBehavior"
2636+ },
2637+ "title" : " Behaviors" ,
2638+ "type" : " array"
2639+ },
2640+ "event_id" : {
2641+ "description" : " ID of the source event" ,
2642+ "examples" : [
2643+ " c6d468d4f1084ebca84165c33f97fbc4"
2644+ ],
2645+ "title" : " Event Id" ,
2646+ "type" : " string"
2647+ },
2648+ "event_timestamp" : {
2649+ "description" : " Timestamp of the source event" ,
2650+ "examples" : [
2651+ " 2021-07-29T12:00:00+00:00"
2652+ ],
2653+ "format" : " date-time" ,
2654+ "title" : " Event Timestamp" ,
2655+ "type" : " string"
2656+ },
2657+ "event_type" : {
2658+ "const" : " blocking_safe_ip" ,
2659+ "default" : " blocking_safe_ip" ,
2660+ "title" : " Event Type" ,
2661+ "type" : " string"
2662+ },
2663+ "false_positives" : {
2664+ "anyOf" : [
2665+ {
2666+ "items" : {
2667+ "$ref" : " #/$defs/FalsePositive"
2668+ },
2669+ "type" : " array"
2670+ },
2671+ {
2672+ "type" : " null"
2673+ }
2674+ ],
2675+ "description" : " List of false positive identifiers" ,
2676+ "title" : " False Positives"
2677+ },
2678+ "is_manual_decision" : {
2679+ "default" : false ,
2680+ "description" : " Whether the decision was created manually" ,
2681+ "title" : " Is Manual Decision" ,
2682+ "type" : " boolean"
2683+ },
2684+ "message" : {
2685+ "anyOf" : [
2686+ {
2687+ "type" : " string"
2688+ },
2689+ {
2690+ "type" : " null"
2691+ }
2692+ ],
2693+ "default" : null ,
2694+ "description" : " The alert message" ,
2695+ "title" : " Message"
2696+ },
2697+ "organization_id" : {
2698+ "description" : " Organization ID of the source event" ,
2699+ "examples" : [
2700+ " 12345678-1234-1234-1234-123456789012"
2701+ ],
2702+ "title" : " Organization Id" ,
2703+ "type" : " string"
2704+ },
2705+ "scenario" : {
2706+ "description" : " The attack scenario" ,
2707+ "title" : " Scenario" ,
2708+ "type" : " string"
2709+ },
2710+ "scenario_confidence" : {
2711+ "default" : 0 ,
2712+ "description" : " The confidence of the scenario" ,
2713+ "title" : " Scenario Confidence" ,
2714+ "type" : " integer"
2715+ },
2716+ "source" : {
2717+ "$ref" : " #/$defs/AlertSource" ,
2718+ "description" : " The source of the attack"
2719+ },
2720+ "start_at" : {
2721+ "description" : " The attack start time" ,
2722+ "format" : " date-time" ,
2723+ "title" : " Start At" ,
2724+ "type" : " string"
2725+ },
2726+ "stop_at" : {
2727+ "description" : " The attack stop time" ,
2728+ "format" : " date-time" ,
2729+ "title" : " Stop At" ,
2730+ "type" : " string"
2731+ },
2732+ "target" : {
2733+ "$ref" : " #/$defs/AlertTarget" ,
2734+ "description" : " The target of the attack"
2735+ },
2736+ "uuid" : {
2737+ "anyOf" : [
2738+ {
2739+ "type" : " string"
2740+ },
2741+ {
2742+ "type" : " null"
2743+ }
2744+ ],
2745+ "default" : null ,
2746+ "description" : " The alert UUID" ,
2747+ "title" : " Uuid"
2748+ }
2749+ },
2750+ "required" : [
2751+ " organization_id" ,
2752+ " scenario" ,
2753+ " start_at" ,
2754+ " stop_at" ,
2755+ " target" ,
2756+ " source" ,
2757+ " false_positives"
2758+ ],
2759+ "title" : " BlockingSafeIP" ,
2760+ "type" : " object"
2761+ }
2762+ ```
2763+ </details >
2764+
2765+
23742766### Admin
23752767
23762768![ Admin] ( /img/console/notification_integrations/admin.png )