Malicious IP or domain
This alert is triggered when communication is detected between internal IP addresses and blacklisted ones. The blacklist contains malicious IPs and domains.
Data sources needed
For the alert to be set, the following sources need to be collected in Cyberquest:
- Network communication events;
- Blacklist and/or security feeds.
Go to Settings, click on Alerts, then Realtime.
In the Rule 1 settings, fill in the fields as shown below:
SrcIP isinList @BlackListDomains AND DestIP isinList @BlackListDomains
To export the alert settings, click on Alert Object above.
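To make the rule above concrete, here is an added example (not Cyberquest's own engine) that evaluates a rule string of the form "Field isinList @List" joined by AND/OR against constructed network events. It assumes a list holds literal IPs, CIDR ranges or domain names, and that terms are combined left to right.

```python
"""Toy evaluator for realtime rules like the one on this page.
Constructed data only; Cyberquest's real matching may differ."""
import ipaddress

# Constructed stand-in for the @BlackListDomains feed.
LISTS = {
    "BlackListDomains": {"198.51.100.7", "203.0.113.0/24", "bad.example"},
}

def isin_list(value, list_name):
    """True if value is an exact entry or an IP inside a CIDR entry."""
    entries = LISTS[list_name]
    if value in entries:
        return True
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # domain names match exactly only
    return any("/" in e and addr in ipaddress.ip_network(e, strict=False)
               for e in entries)

def evaluate_rule(rule, event):
    """Evaluate 'Field isinList @List [AND|OR ...]' against an event dict."""
    tokens = rule.split()
    result, op, i = None, None, 0
    while i < len(tokens):
        field, cond, ref = tokens[i], tokens[i + 1], tokens[i + 2]
        if cond != "isinList" or not ref.startswith("@"):
            raise ValueError(f"unsupported term: {tokens[i:i + 3]}")
        term = isin_list(event.get(field, ""), ref[1:])
        if result is None:
            result = term
        elif op == "AND":
            result = result and term
        else:  # op == "OR"
            result = result or term
        i += 3
        if i < len(tokens):
            op = tokens[i].upper()
            if op not in ("AND", "OR"):
                raise ValueError(f"unsupported operator: {op}")
            i += 1
    return bool(result)

PAGE_RULE = "SrcIP isinList @BlackListDomains AND DestIP isinList @BlackListDomains"

EVENTS = [  # constructed network communication events
    {"SrcIP": "10.0.0.5", "DestIP": "198.51.100.7"},     # internal -> listed
    {"SrcIP": "203.0.113.9", "DestIP": "198.51.100.7"},  # listed -> listed
    {"SrcIP": "10.0.0.5", "DestIP": "8.8.8.8"},          # internal -> unlisted
]

def matching_events(rule, events=EVENTS):
    """Return the events the rule would alert on."""
    return [e for e in events if evaluate_rule(rule, e)]
```

Swapping AND for OR in the rule string shows how the two operators differ on the same three events.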