Threat ID Bundle



Bundle details and download


This bundle analyzes common security vectors, such as certificates, ciphers, DNS, and scans, for behavior patterns associated with potential threats. This analysis allows IT operations and security teams to proactively identify and react to potential security issues.


If you want to learn more about the Threat ID Bundle, check out the blog post and video walkthrough that @dan has put together.

Blog Post -

Video Walkthrough -


Switching from the Encryption Auditing Trigger to the Threat ID: Certificates trigger reduced my trigger load by 20%. Yay!

Not sure why they didn’t include an IP ignore list like the Encryption Auditing Trigger had, but I absolutely need a way to ignore some IPs. I have proxy servers that bring in a lot of external certs that we don’t want to monitor, so I added it back in and it seems to be working well.

I also liked the way the Encryption Auditing Trigger gave you all the info on one line - server IP, cert name, expiration date. With this trigger, I can’t get all this info without drilling into the device or going into the records. I couldn’t figure out how to tweak the trigger to make it do this.


Excellent, thanks for the feedback @monroeh. Supported bundles, like Threat ID, will continually be updated and we always appreciate your suggestions and input.


Anyone doing alerting around the data in this bundle? Curious what thresholds/events in here might be appropriate for alerts.


I would like to include internal IPs instead of excluding all external ones. Seems a lot simpler to me. How would I do this?


In version 6.2.5, isExternal was added to the IPAddress class. It shouldn’t be difficult to add this test to the bundle.


What does isExternal do? Is it like the opposite of Flow.server.ipaddr.isRFC1918?


Hi there, we have some information about the IPAddress class in our Trigger API Reference. Here’s a link, but I will summarize the information for you below, too.

isExternal is a property of the IPAddress class. The boolean value is true if the IP address is external to your network. With isRFC1918, the value is true if the IP address belongs to one of the RFC1918 private IP ranges (,, The value is always false for IPv6 addresses.

Please let us know if you have any further questions!


Thanks Jeena. I have the trigger API pdf.
I will try adding if (Flow.server.ipaddr.isExternal) return;
See if I get the result I’m looking for.

if (! Flow.server.ipaddr.isRFC1918) return; should give pretty much the same results if you use rfc1918 in the LAN only. (and no ipv6)


One note on ‘external’ IPs. You can tune which IPs the appliance considers external vs internal using the REST API. Search “network locality” in the REST API guide for details.


Here’s a link to the section about network locality in the REST API guide!


So as someone else said, it would be fantastic if there was an IP exclusion list in this bundle. We have our own appliances that do different scans, as do SCOM, SolarWinds and many more, so having the ability to exclude them would be fantastic. Right now the top 10 is all our known scan tools, so it is not as useful for alerting.


Threat ID bundle updates:

The updated version of this bundle and complete list of changes are available here.

Some of the changes include:

  • The Certificates trigger now has a way to filter out certificates and restrict metrics to internal SSL servers
  • The Certificates dashboard includes a region for self-signed certificates and the Ciphers dashboard tracks sessions by SSL version
  • All cipher custom metrics and some DNS metrics were replaced with built-in metrics
  • There is a new Overview dashboard to provide a quick look at important metrics


So I have just loaded this bundle and it looks promising. I do like the overview. It is interesting that my DNS Size metric is 0, but I will troubleshoot that shortly.


I’m struggling to find a way to view the expiring certificates for my internal domains only. Tried to restrict by IP, but still not working. Any tips or guide about the filtering you mentioned?


@yuvycrown, did you try setting the INCLUDE_EXTERNAL_DEVS flag on line 14 to false? That would ignore any servers with IP addresses outside of private IP ranges.
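
The two filters discussed in this thread (an IP ignore list for proxies and scanners, and an internal-only check based on isRFC1918), as an added example that is not part of any post or of the Threat ID bundle. It is plain JavaScript that models the documented isRFC1918 behaviour instead of calling the trigger API; the function names, ignore-list entries and sample addresses are constructed assumptions.

```javascript
// Added example. Plain JavaScript (runs in Node), not ExtraHop trigger code.
// All names, ignore-list entries and sample addresses are constructed.

// RFC 1918 private IPv4 ranges as [network, prefixLength].
const RFC1918 = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16]];

// Hypothetical ignore list: a proxy subnet and a single scanner host.
const IGNORE = [['10.20.30.0', 28], ['192.168.50.7', 32]];

// Dotted-quad IPv4 string -> unsigned 32-bit number, or null if not IPv4.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip is an IPv4 address inside network/prefix.
function inCidr(ip, network, prefix) {
  const a = ipv4ToInt(ip), b = ipv4ToInt(network);
  if (a === null || b === null) return false;
  const blockSize = 2 ** (32 - prefix);
  return Math.floor(a / blockSize) === Math.floor(b / blockSize);
}

// Models the documented property: false for every IPv6 address.
function isRFC1918(ip) {
  return RFC1918.some(([net, len]) => inCidr(ip, net, len));
}

// Decide what a certificate trigger should do with a server address.
function classify(serverIp, includeExternal) {
  if (IGNORE.some(([net, len]) => inCidr(serverIp, net, len))) return 'ignored';
  if (!includeExternal && !isRFC1918(serverIp)) return 'skipped-not-rfc1918';
  return 'recorded';
}

// Constructed sample servers: note the internal IPv6 (ULA) host is skipped.
for (const ip of ['10.1.2.3', '10.20.30.5', '172.32.0.1', '203.0.113.9', 'fd00::10']) {
  console.log(ip, classify(ip, false));
}
```

The last sample shows the IPv6 caveat raised above: an RFC1918-only test drops internal IPv6 servers along with external ones, so certificates on those hosts would go unreported.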