Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

Include / exclude logic

Every source in an EDL Deployment is either included (+, green), excluded (-, red), or unset. This page describes how ELLIO resolves the final IP set when sources overlap.

Excludes always win over includes.

If an IP appears in any included source and any excluded source, the IP is not in the EDL.

That’s the whole rule. The rest of this page explains why each source type behaves the way it does given that rule.

  • Include MAX (or 250K, 100K, RDP) → all the list’s IPs are candidates for the EDL.
  • Exclude MAX → guarantees no MAX IP appears, even if a custom ruleset adds one of the same IPs.

MAX itself excludes RECON IPs at generation time, so including MAX does not include Censys, Shodan, etc. To include those, include their dedicated RECON list.

  • Include Censys → Censys IPs become candidates.
  • Exclude Censys → guarantees no Censys IP appears, even if MAX accidentally lists one or your custom blocklist contains one.

Most production deployments exclude the scanners they trust (Shadowserver, Rapid7) and include the ones they don’t.

  • Include Cloudflare CDN → all Cloudflare CDN IPs are candidates for the EDL.
  • Exclude Cloudflare CDN → guarantees no Cloudflare CDN IP appears, even if MAX or your custom ruleset would have added one.

Most deployments exclude the CBS members their stack depends on (CDN, M365, Google Workspace) and otherwise leave CBS unset.

  • Include a BYOIPB source → all its IPs are candidates.
  • Exclude a BYOIPB source → guarantees none of its IPs appear.

Useful for staging: ingest a community blocklist as BYOIPB, exclude it while you measure false positives, then flip to include when you’re satisfied.

  • Include an Allowlist ruleset → don’t. Allowlist rulesets are designed to be excluded from blocklist EDLs.
  • Exclude an Allowlist ruleset → guarantees the IPs you’ve allow-listed never appear in the EDL.
  • Include a Blocklist ruleset → adds your custom blocklist IPs to the EDL.
  • Exclude a Blocklist ruleset → guarantees those IPs are never in the EDL (rarely useful).

The default rulesets that ship with every workspace nudge you in the right direction with their built-in descriptions:

  • “My Allowlist rules - Default allowlist ruleset. Do not forget to exclude this ruleset when creating your custom blocklist.”
  • “My Blocklist rules - Default blocklist ruleset. Do not forget to include this ruleset when creating your custom blocklist.”

When ELLIO regenerates an EDL it walks every source the deployment references and computes:

  1. The union of every included source’s IPs.
  2. The union of every excluded source’s IPs.
  3. The final EDL = (1) minus (2).

CIDR ranges expand notionally during this calculation - excluding 198.51.100.0/24 removes every individual IP that would otherwise have appeared.

If your Purpose is Allowlist (Configuration → Metadata) the same logic applies, but inverted from a firewall perspective: only IPs in the EDL are allowed by your firewall. The wizard’s metadata is purely organisational - the firewall decides whether the EDL is used as an allowlist or a blocklist based on which security policy references the URL.

Imagine you’re building a typical production ingress blocklist:

Source Choice Why
ELLIO Threat List MAX Include Backbone of the blocklist.
RECON: Censys, BinaryEdge, Cortex Xpanse, Driftnet, InfraWatch, Internet Census, InternetTL, LeakIX, NetScout, Nokia Deepfield, Stretchoid, BufferOver, Shodan Include Block these scanners.
RECON: Shadowserver, Rapid7 Exclude Trust these scanners - they send free abuse reports.
CBS Cloud Providers → AWS Exclude Some of your customers run on AWS; don’t block them.
CBS CDNs → Cloudflare Exclude You sit behind Cloudflare.
CBS SaaS → Microsoft 365 Exclude Your tenants live on M365.
BYOIPB → vendor C2 list Include Vendor’s high-confidence C2 feed.
My IP Rulesets → My Allowlist rules Exclude Your safety net for false positives.
My IP Rulesets → My Blocklist rules Include Your hand-curated additions.

The resulting EDL contains: MAX + 13 RECON lists + the C2 list + your custom blocklist - minus Shadowserver, Rapid7, AWS, Cloudflare, M365, and your allowlist.

If anything ever blocks something it shouldn’t, add the affected IP to My Allowlist rules and the next regeneration cycle (5 min - 24 h depending on update frequency) will remove it.