Hi @Johan López,
Not sure what firewall you have implemented but generally almost all firewalls have this service where they check the IPs against their own threat intel database.
1) Check with your firewall team if they can enable that service for you or not.
2) If not, you can take advantage of the IBM X-Force threat feed by requesting X-Force to tag the IP as malicious or not malicious.
3) The X-Force usage in rules is expensive if you have a lot of those rules, but you can also use IBM's "Threat Intelligence" application, which can TAXII feed a reference set or table which will update automatically. Really helpful if you want to check for specific things.
https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:ThreatIntelligence
------------------------------
Chinmay Kulkarni
------------------------------
Original Message:
Sent: Wed February 26, 2020 11:03 AM
From: Johan López
Subject: Use Case
Hi People
I'm trying to create a use case to detect when a malicious IP tries to connect to any server in my customer's environment, but I don't have events of "malicious IP" from the firewall.
Does someone know a better way to create a rule that detects this kind of IPs?
------------------------------
Johan López
------------------------------
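
The reference-set approach from the reply, modelled outside QRadar as an added example (it is not part of the thread and is not QRadar or X-Force code): a feed-populated set of indicators with an expiry window is matched against the source address of firewall events destined for servers. The function names, the 30-day TTL, the server subnet and all sample data are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample data: RFC 5737 documentation ranges stand in for feed indicators.
NOW = datetime(2020, 2, 26, 12, 0, tzinfo=timezone.utc)
FEED = [  # (indicator, time the feed last reported it)
    ("203.0.113.7", NOW - timedelta(days=1)),
    ("198.51.100.0/28", NOW - timedelta(days=2)),
    ("192.0.2.99", NOW - timedelta(days=45)),  # stale entry, should age out
]
SERVERS = ipaddress.ip_network("10.20.0.0/24")  # hypothetical server subnet
EVENTS = [  # constructed firewall events
    {"src": "203.0.113.7", "dst": "10.20.0.5", "action": "permit"},
    {"src": "198.51.100.9", "dst": "10.20.0.8", "action": "deny"},
    {"src": "192.0.2.99", "dst": "10.20.0.5", "action": "permit"},
    {"src": "203.0.113.7", "dst": "172.16.4.4", "action": "permit"},
    {"src": "198.51.100.200", "dst": "10.20.0.5", "action": "permit"},
    {"src": "not-an-ip", "dst": "10.20.0.5", "action": "permit"},
]

def build_reference_set(feed, now, ttl_days=30):
    """Keep indicators seen within the TTL, as networks (a single IP becomes a /32)."""
    cutoff = now - timedelta(days=ttl_days)
    return [ipaddress.ip_network(ind, strict=False)
            for ind, seen in feed if seen >= cutoff]

def match_events(events, ref_set, servers):
    """Return events whose source is in the set and whose destination is a server."""
    hits = []
    for ev in events:
        try:
            src = ipaddress.ip_address(ev["src"])
            dst = ipaddress.ip_address(ev["dst"])
        except ValueError:
            continue  # malformed address field: skip instead of failing the whole run
        if dst in servers and any(src in net for net in ref_set):
            # A permitted connection is more urgent than one the firewall dropped.
            severity = "high" if ev["action"] == "permit" else "low"
            hits.append({**ev, "severity": severity})
    return hits

if __name__ == "__main__":
    for hit in match_events(EVENTS, build_reference_set(FEED, NOW), SERVERS):
        print(hit)
```

Expiring stale indicators and separating permitted from denied traffic keeps such a rule from alerting on addresses the feed no longer reports or on connections the firewall already blocked.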