Create a rule to check malicious traffic

I have an active channel which populates a list of malicious IPs and it keeps updating itself.

My requirement is to have a rule populated every time an internal IP interacts with one of the IPs in the list.

Wanted to know how I do it.

My thoughts are:

Have the list of the IPs from the active channel populated to a dynamic active list.

Have a rule to check the network traffic with the list present in the active list.

Will this work?

Or would there be an easier way of achieving this?

Thanks,

Ravi.
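The two-step design in the question (a feed keeps a list of bad IPs current; a second rule matches traffic against that list) can be modelled outside the SIEM to check the logic before building it. The following is an added example, not ArcSight code and not from the poster: it is a small Python simulation in which `feed_rule` stands in for the rule action that writes indicators to an active list with a time-to-live, and `traffic_rule` stands in for the correlation rule that fires when an internal address talks to a listed address in either direction. The RFC 1918 ranges used for "internal", the one-day TTL, and all feed entries and flows are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption for the example: RFC 1918 ranges define "internal".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class ActiveList:
    """Dynamic list: each entry carries an expiry so stale indicators age out."""
    ttl: timedelta
    entries: dict = field(default_factory=dict)   # ip -> expiry timestamp

    def add(self, ip: str, seen_at: datetime) -> None:
        self.entries[ip] = seen_at + self.ttl      # re-adding refreshes the TTL

    def contains(self, ip: str, now: datetime) -> bool:
        expiry = self.entries.get(ip)
        return expiry is not None and now <= expiry


@dataclass
class FlowEvent:
    ts: datetime
    src: str
    dst: str


def feed_rule(feed_events, active_list: ActiveList) -> None:
    """Rule 1: every indicator seen on the feed channel is written to the list
    (the equivalent of a rule action that adds to an active list)."""
    for ts, ip in feed_events:
        active_list.add(ip, ts)


def traffic_rule(flows, active_list: ActiveList):
    """Rule 2: fire when an internal host talks to a listed IP, checking both
    the outbound (src internal) and inbound (dst internal) directions.
    Returns one alert dict per matching flow."""
    alerts = []
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and active_list.contains(f.dst, f.ts):
            alerts.append({"ts": f.ts, "internal": f.src, "listed": f.dst, "direction": "outbound"})
        elif is_internal(f.dst) and not is_internal(f.src) and active_list.contains(f.src, f.ts):
            alerts.append({"ts": f.ts, "internal": f.dst, "listed": f.src, "direction": "inbound"})
    return alerts


def run_demo():
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    # Constructed feed entries (indicator, time first seen). The 203.0.113.0/24
    # and 198.51.100.0/24 documentation ranges stand in for "bad" addresses.
    feed = [(t0, "203.0.113.10"), (t0, "198.51.100.7")]
    # Constructed flows: one outbound hit, one inbound hit, one benign flow,
    # and one hit that arrives after the indicator's TTL has expired.
    flows = [
        FlowEvent(t0 + timedelta(minutes=5), "10.1.2.3", "203.0.113.10"),
        FlowEvent(t0 + timedelta(minutes=6), "198.51.100.7", "192.168.5.9"),
        FlowEvent(t0 + timedelta(minutes=7), "10.1.2.3", "192.0.2.44"),
        FlowEvent(t0 + timedelta(days=2), "10.1.2.4", "203.0.113.10"),
    ]
    active_list = ActiveList(ttl=timedelta(days=1))
    feed_rule(feed, active_list)
    return traffic_rule(flows, active_list)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['ts']:%H:%M} {a['direction']:8s} "
              f"internal={a['internal']} listed={a['listed']}")
```

Two points the simulation makes explicit that are easy to miss when building the real rule: the traffic rule has to test both the source and the destination against the list, since the list holds external addresses and the internal host may be on either side of the flow; and entries need an expiry (or a removal action when the feed drops them), otherwise the list only grows and the rule keeps firing on indicators that are no longer current.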

Top Replies

  • Hi, you can make a rule that looks for the events (the ones you are looking at in your active channel) and use a rule action to populate a list.

    Can you clarify what type of active channel it is? What…