Rules: Threat Intel - Inbound Traffic Context
This rule detects allowed inbound traffic from an IP address associated with a known malicious campaign as designated by threat intelligence.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Threat Intelligence |
| Apply Risk to Entities | srcDevice_ip |
| Signal Name | Threat Intel - Inbound Traffic Context |
| Summary Expression | This rule detects inbound traffic from an IP address associated with a known malicious campaign as designated by threat intelligence. |
| Score/Severity | Static: 0 |
| Enabled by Default | True |
| Prototype | False |

Tags:
- Amazon AWS - Elastic Load Balancer
- Amazon AWS - Network Firewall
- Amazon AWS - VpcFlowLogs
- Amazon AWS - Web Application Firewall (WAF)
- CheckPoint - Application Control
- CheckPoint - Firewall and VPN
- CheckPoint - SmartDefense
- CheckPoint - URL Filtering
- Cisco Systems - ASA
- Cisco Systems - Meraki
- Cisco Systems - Umbrella
- Citrix - ADC
- Cloudflare - Logpush
- Fortinet - Fortigate
- Google - BigQuery
- Google - Google Cloud Platform
- JFrog - Artifactory
- Juniper - SRX Series Firewall
- Linux - Systemd Journal
- Microsoft - Azure
- Microsoft - O365 Exchange Message Trace
- Microsoft - Office 365
- Okta - Single Sign-On
- Palo Alto Networks - Next Generation Firewall
- Proofpoint - Targeted Attack Protection
- Sophos - UTM 9
- Zscaler - Nanolog Streaming Service
| Origin | Field |
|---|---|
| Normalized Schema | dstDevice_ip |
| Normalized Schema | listMatches |
| Normalized Schema | objectType |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | srcDevice_ip_isInternal |
| Normalized Schema | success |
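The page lists the normalized fields the rule reads but not the rule expression itself. The following is an added Python example, not Cloud SIEM's own rule logic, showing how a detection over those six fields could be evaluated against normalized records: the source must be external (`srcDevice_ip_isInternal` false), the traffic allowed (`success` true), the record a network event (`objectType` of `Network` is an assumed value), and `listMatches` must contain a threat-intelligence list. The list names, the sample records and the `ti_` naming are constructed for the example; the signal name, the risk entity (`srcDevice_ip`) and the static severity of 0 come from the rule details above.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of normalized records, not real log data. Field names are
# the "Normalized Schema" fields the rule page lists; values are made up.
SAMPLE_RECORDS = [
    # External source on a threat-intel list, traffic allowed: should signal.
    {"objectType": "Network", "srcDevice_ip": "203.0.113.10", "dstDevice_ip": "10.0.0.5",
     "srcDevice_ip_isInternal": False, "success": True, "listMatches": ["ti_campaign_list"]},
    # Same source but the firewall denied it: an allowed-traffic rule does not fire.
    {"objectType": "Network", "srcDevice_ip": "203.0.113.10", "dstDevice_ip": "10.0.0.5",
     "srcDevice_ip_isInternal": False, "success": False, "listMatches": ["ti_campaign_list"]},
    # Internal source: not inbound from outside, no signal.
    {"objectType": "Network", "srcDevice_ip": "10.0.0.7", "dstDevice_ip": "10.0.0.5",
     "srcDevice_ip_isInternal": True, "success": True, "listMatches": ["ti_campaign_list"]},
    # External and allowed, but only on an unrelated (non threat-intel) match list.
    {"objectType": "Network", "srcDevice_ip": "198.51.100.4", "dstDevice_ip": "10.0.0.5",
     "srcDevice_ip_isInternal": False, "success": True, "listMatches": ["vendor_allowlist"]},
    # Not a network record (e.g. an authentication event): skipped.
    {"objectType": "Authentication", "srcDevice_ip": "203.0.113.10", "dstDevice_ip": None,
     "srcDevice_ip_isInternal": False, "success": True, "listMatches": ["ti_campaign_list"]},
]

# Assumed set of match-list names that carry threat-intelligence indicators.
THREAT_INTEL_LISTS = frozenset({"ti_campaign_list"})

SIGNAL_NAME = "Threat Intel - Inbound Traffic Context"
STATIC_SEVERITY = 0  # "Score/Severity: Static: 0" in the rule details


@dataclass(frozen=True)
class Signal:
    name: str
    entity: str        # srcDevice_ip, the entity the rule applies risk to
    severity: int
    list_matches: tuple


def matches_inbound_threat_intel(record: dict, ti_lists=THREAT_INTEL_LISTS) -> bool:
    """Assumed match conditions for 'allowed inbound traffic from a threat-intel IP'."""
    if record.get("objectType") != "Network":          # assumed objectType value
        return False
    if record.get("success") is not True:              # only allowed traffic
        return False
    if record.get("srcDevice_ip_isInternal", True):    # source must be external (inbound)
        return False
    if not record.get("srcDevice_ip") or not record.get("dstDevice_ip"):
        return False
    # listMatches holds the names of match lists the record hit; require a TI list.
    return bool(set(record.get("listMatches") or []) & ti_lists)


def evaluate(records: Iterable[dict], ti_lists=THREAT_INTEL_LISTS) -> list:
    """Return one Signal per matching record, keyed to the source IP entity."""
    signals = []
    for rec in records:
        if matches_inbound_threat_intel(rec, ti_lists):
            signals.append(Signal(
                name=SIGNAL_NAME,
                entity=rec["srcDevice_ip"],
                severity=STATIC_SEVERITY,
                list_matches=tuple(sorted(set(rec["listMatches"]) & ti_lists)),
            ))
    return signals


if __name__ == "__main__":
    for s in evaluate(SAMPLE_RECORDS):
        print(f"{s.name}: entity={s.entity} severity={s.severity} lists={s.list_matches}")
```

Only the first constructed record produces a signal. Because the page gives a static severity of 0, the signal carries no score on its own; its value is the context it attaches to the `srcDevice_ip` entity, which other signals on the same entity can then be correlated with.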