Injecting malicious IP list to compare against active connections and alert if found - Use case

Hi there,

I was trying to set up a use case to do the following:

1.) Download a txt file containing known malicious IPs.
2.) Compare existing netflow traffic logs to see if there is a match against any of the malicious IPs.
3.) Send an alert if a connection is found with these malicious IPs.

Is this possible to do?

Thank you for any assistance.
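The three steps above, written out as a small detection script. This is an added example, not code from the thread or from Elastic: it assumes a hypothetical plain-text feed (one IP or CIDR per line, `#` comments) and simple space-separated flow records, both constructed inline with RFC 5737 documentation addresses rather than real indicators.

```python
import ipaddress

# Constructed sample threat list, mimicking a downloaded txt feed
# (hypothetical values, not real indicators): CIDR ranges and comments allowed.
THREAT_LIST = """\
# example feed
192.0.2.10
198.51.100.0/24
"""

# Constructed netflow-style records: timestamp src dst dst_port bytes.
NETFLOW_LOGS = """\
2024-01-01T10:00:00Z 10.0.0.5 203.0.113.20 443 1200
2024-01-01T10:00:05Z 10.0.0.7 192.0.2.10 8080 5400
2024-01-01T10:00:09Z 198.51.100.77 10.0.0.9 22 300
2024-01-01T10:00:12Z 10.0.0.5 10.0.0.1 53 90
"""

def load_threat_list(text):
    """Parse the feed into ip_network objects; blank lines, comments and
    malformed entries are skipped so one bad line cannot break the job."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: ignore rather than crash
    return nets

def find_matches(log_text, nets):
    """Return (timestamp, side, ip, network) for every flow whose source or
    destination address falls inside a listed network."""
    alerts = []
    for rec in log_text.splitlines():
        ts, src, dst, _port, _nbytes = rec.split()
        for side, ip_str in (("src", src), ("dst", dst)):
            ip = ipaddress.ip_address(ip_str)
            for net in nets:
                if ip in net:
                    alerts.append((ts, side, ip_str, str(net)))
    return alerts

if __name__ == "__main__":
    for a in find_matches(NETFLOW_LOGS, load_threat_list(THREAT_LIST)):
        print("ALERT: flow at %s has %s %s in listed range %s" % a)
```

Both flows that touch a listed address are reported, including the one matched through the /24 range; the hits on internal and unlisted addresses produce nothing.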

Is this the same as Use Case: Upload to rare external IP, or are these two different use cases?

That link is for creating a use case that involves this step; this thread is only for that one step of injecting a list into Elastic. This step can be applied in many use cases.
