
Malicious IP or domain

Alert description

This alert is triggered when a communication is detected between an internal IP address and a blacklisted one. The blacklist contains known-malicious IP addresses and domains, typically populated from a security feed.

Data sources needed

For the alert to work, the following sources need to be collected in Cyberquest:

  • Network communication events;
  • Blacklist and/or security feeds.

Alert setup

Go to Settings, click on Alerts, then Realtime.

In the Rule 1 settings fields, fill in the condition as shown below: SrcIP isinList @BlackListDomains OR DestIP isinList @BlackListDomains

The two conditions must be joined with OR, not AND: the alert should fire when either end of the connection is on the list. Joined with AND, the rule would only match traffic where both the source and the destination are blacklisted, which is not a communication between an internal host and a blacklisted one and would miss almost every real hit. The list @BlackListDomains is the one populated from the blacklist/security feeds collected above; since SrcIP and DestIP are matched against it, it must hold the blacklisted IP addresses as well as domains.
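The following is an added example, not Cyberquest code, that models the rule offline over a few constructed network events so the difference between the OR and AND conditions is visible. The blacklist, the internal ranges (RFC 1918) and the event records are all constructed for the example; the subdomain matching for domains (a host under a listed domain also matches) is an assumption, not documented behaviour of isinList. It also shows a stricter variant that additionally requires the other end of the connection to be internal, which is what the alert description actually states.

```python
"""Offline model of the 'Malicious IP or domain' rule over constructed events."""
import ipaddress

# Constructed blacklist, standing in for the @BlackListDomains list.
# Real deployments load this from the blacklist/security feed.
BLACKLIST = {"198.51.100.23", "203.0.113.9", "evil.example"}

# Constructed definition of "internal": the RFC 1918 private ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(addr: str) -> bool:
    """True if addr parses as an IP inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # host names are never "internal" here
    return any(ip in net for net in INTERNAL_NETS)


def is_in_list(value: str, blacklist=BLACKLIST) -> bool:
    """True if value (an IP or a host name) is on the list.

    IPs must match exactly. Host names match the listed domain or any
    subdomain of it (assumption for this example): 'cdn.evil.example'
    hits on 'evil.example'.
    """
    v = value.strip().lower().rstrip(".")
    if v in blacklist:
        return True
    try:
        ipaddress.ip_address(v)
        return False  # an IP not listed verbatim is not a hit
    except ValueError:
        pass
    labels = v.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(1, len(labels)))


def rule_or(ev: dict) -> bool:
    """SrcIP isinList OR DestIP isinList: either endpoint blacklisted."""
    return is_in_list(ev["SrcIP"]) or is_in_list(ev["DestIP"])


def rule_and(ev: dict) -> bool:
    """SrcIP isinList AND DestIP isinList: both endpoints blacklisted."""
    return is_in_list(ev["SrcIP"]) and is_in_list(ev["DestIP"])


def rule_internal_vs_listed(ev: dict) -> bool:
    """Stricter form: one endpoint internal and the other blacklisted."""
    src, dst = ev["SrcIP"], ev["DestIP"]
    return (is_internal(src) and is_in_list(dst)) or (is_internal(dst) and is_in_list(src))


# Constructed network events; DestIP may carry a resolved host name so that
# the domain part of the list is exercised as well.
EVENTS = [
    {"id": 1, "SrcIP": "10.1.2.3", "DestIP": "198.51.100.23"},      # internal -> listed IP
    {"id": 2, "SrcIP": "203.0.113.9", "DestIP": "10.1.2.3"},        # listed IP -> internal
    {"id": 3, "SrcIP": "10.1.2.3", "DestIP": "cdn.evil.example"},   # internal -> listed domain
    {"id": 4, "SrcIP": "10.1.2.3", "DestIP": "93.184.216.34"},      # internal -> not listed
    {"id": 5, "SrcIP": "203.0.113.9", "DestIP": "198.51.100.23"},   # listed -> listed, no internal side
]


def evaluate(events, rule):
    """Return the ids of the events the given rule would alert on."""
    return [ev["id"] for ev in events if rule(ev)]


if __name__ == "__main__":
    for name, rule in (("OR", rule_or), ("AND", rule_and), ("internal<->listed", rule_internal_vs_listed)):
        print(f"{name:18s} alerts on events {evaluate(EVENTS, rule)}")
```

Running it shows the OR form alerting on events 1, 2, 3 and 5, the AND form only on event 5 (the one case that is not an internal host talking to a blacklisted one), and the internal-vs-listed form on 1, 2 and 3 only. If the number of false positives from the plain OR rule is a concern, the extra "other side is internal" condition is the refinement to add in the rule settings, provided the platform exposes a list or field for internal ranges.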

Alert Object

To export the alert settings, click on Alert Object above.