Create a rule to check malicious traffic

I have an active channel which populates a list of malicious IPs and it keeps updating itself.

My requirement is to have a rule populated every time an internal IP interacts with one of the IPs in the list.

I wanted to know how I do it.

My thoughts are:

Have the list of the IPs from the active channel populated to a dynamic active list.

Have a rule to check the network traffic with the list present in the active list.

Will this work?

Or would there be an easier way of achieving this?
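The two-rule design in the question, as an added example that is not from the post or from ArcSight: a small Python model of an active list with a TTL that is filled from the threat-feed channel, and a traffic rule that matches either direction of a connection. The event fields, the internal ranges (RFC 1918) and every IP below are constructed assumptions.

```python
import ipaddress
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class ActiveList:
    """Models an active list whose entries expire after a TTL (seconds)."""
    def __init__(self, ttl):
        self.ttl, self.entries = ttl, {}   # ip -> expiry timestamp
    def add(self, ip, now):
        self.entries[ip] = now + self.ttl  # re-adding refreshes the TTL
    def contains(self, ip, now):
        expiry = self.entries.get(ip)
        if expiry is not None and expiry > now:
            return True
        self.entries.pop(ip, None)           # drop expired entry
        return False

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def traffic_rule(ev, active_list):
    """Rule 2: fire when one side is internal and the other is listed (either direction)."""
    src, dst, now = ev["src"], ev["dst"], ev["ts"]
    if is_internal(src) and active_list.contains(dst, now):
        return {"internal": src, "malicious": dst, "direction": "outbound"}
    if is_internal(dst) and active_list.contains(src, now):
        return {"internal": dst, "malicious": src, "direction": "inbound"}
    return None

def run(events, ttl=3600):
    """Rule 1 (feed event -> add to list) plus Rule 2 over a time-ordered stream."""
    active_list, alerts = ActiveList(ttl), []
    for ev in events:
        if ev["type"] == "threat_feed":          # rule action: populate the list
            active_list.add(ev["ip"], ev["ts"])
        elif ev["type"] == "flow":
            hit = traffic_rule(ev, active_list)
            if hit:
                alerts.append(hit)
    return alerts

# Constructed stream: feed entry, outbound hit, inbound hit, clean flow, expired entry (no alert).
SAMPLE_EVENTS = [
    {"ts": 0,    "type": "threat_feed", "ip": "203.0.113.5"},
    {"ts": 10,   "type": "flow", "src": "10.1.2.3", "dst": "203.0.113.5"},
    {"ts": 20,   "type": "flow", "src": "203.0.113.5", "dst": "192.168.1.9"},
    {"ts": 30,   "type": "flow", "src": "10.1.2.3", "dst": "198.51.100.7"},
    {"ts": 4000, "type": "flow", "src": "10.1.2.3", "dst": "203.0.113.5"},
]
```

Matching both directions matters because a listed IP connecting inbound to an internal host is as relevant as an outbound connection, and the TTL keeps stale feed entries from alerting forever.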



Top Replies

  • Hi, you can make a rule that looks for the events (the ones you are looking at in your active channel) and use a rule action to populate a list.

    Can you clarify what type of active channel it is? What…