Base Event: New Status - Blocked

[tankbusta]

Problem

There is currently not a way to indicate that an activity was blocked due to reasons like Corporate Policy, Allow/Blocklisting, etc. The closest alternative would be to enable the Malware profile and use the disposition field but as noted above, just because something is blocked doesn't mean it's malicious.

Proposal

Add an additional item to status_id called Blocked that can be used to indicate the "thing" described by the event was seen and prevented. Additional details as to why it was blocked can be included in the existing status_detail field.

[rroupski]

for that purpose, you have to use the malware profile -- see the disposition_id, which gets added by the malware profile. BTW, we are already discussing to simplified and perhaps create a new profit, which defines the disposition only. @pagbabian-splunk Paul, any comments?

[tankbusta]

I did outline the reasons why applying the malware profile doesn't make sense here (corporate policy, allow/block listing, etc). If disposition was brought over via a profile, the description would also have to change to remove it's malware focused description but you may also want this additional status_id of Blocked to go along with the Disposition.