2022-03-22 10:56 AM
Hi Team,
I have a list of suspicious IPs.
I need to create an alert rule that is triggered based on connections from a suspicious IP.
Inside the ESA rule I need to use the LIST feature, please help us with this requirement.
Thanks,
SOCUSER
2022-04-04 04:40 PM
Hi socuser,
Depending on the size of the list and how often it is updated you might be better off implementing your list as a feed and matching with an app rule. Then you can query on a metakey directly. ESA tends to get overburdened rather quickly for all but the simplest rules.
However, the ESA way I have used successfully in the past has been to create a string array using the following syntax snippets as an example:
// the list of suspicious IPs, one single-quoted string per entry
// (no comma after the last element; EPL array literals do not allow one)
CREATE VARIABLE string[] my_list = {
'10.0.0.1',
'10.0.0.2'
};
// fire on any event whose destination IP is in the list
SELECT * FROM Event(
ip_dst = ANY(my_list)
);
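If the list comes from a file or a threat-intel export, it is easy to introduce a syntax error (a trailing comma, a bad address, a duplicate) when hand-editing the array above. The following Python helper, added here as an example and not part of the original reply or of the NetWitness product, validates and deduplicates the addresses and generates the EPL text in the same CREATE VARIABLE / ANY() form. The function and variable names, the @Name annotation and the sample IP list are assumptions made for the example.

```python
import ipaddress

# Constructed sample input, as it might be pasted from a suspicious-IP list.
SUSPICIOUS_IPS = ["10.0.0.2", "10.0.0.1", "10.0.0.2", "", "# internal note"]


def build_esa_rule(ips, var_name="my_list", meta_key="ip_dst",
                   rule_name="suspicious_ip_connection"):
    """Return EPL text for an ESA rule that alerts when meta_key is in ips.

    Each entry is parsed as an IPv4/IPv6 address (a bad entry raises
    ValueError instead of silently producing a rule that never matches),
    duplicates are dropped, and the output is sorted so regenerated rule
    text is stable and easy to diff.
    """
    clean = set()
    for raw in ips:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue  # skip blank lines and comment lines in the source list
        clean.add(ipaddress.ip_address(raw))  # ValueError on anything else
    if not clean:
        raise ValueError("suspicious IP list is empty")
    ordered = sorted(clean, key=lambda a: (a.version, int(a)))
    # Join with ",\n" so the last element carries no trailing comma,
    # which the EPL array literal syntax does not accept.
    literals = ",\n".join(f"    '{ip}'" for ip in ordered)
    return (
        f"CREATE VARIABLE string[] {var_name} = {{\n{literals}\n}};\n"
        f"@Name('{rule_name}')\n"  # assumed statement name annotation
        f"SELECT * FROM Event(\n"
        f"    {meta_key} = ANY({var_name})\n"
        f");\n"
    )


if __name__ == "__main__":
    print(build_esa_rule(SUSPICIOUS_IPS))
```

As the reply notes, a list that is large or changes often is better served as a feed plus an app rule; this generator is for the small, static case the snippet covers.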