Track connections with IP addresses identified in blacklist databases or tracked with the IP Reputation Library. See conversations occurring with known Tor client exit points and much more.
Configure a Network Traffic Analyzer Suspicious Connections threshold:
Automatically resolve items no longer out of threshold. Select this option if you want Alert Center to automatically resolve items when they return to the value within the threshold limit.
Note: Notification policies are optional for most thresholds. If you do not select a notification policy, no notifications are generated for the threshold, but a dashboard report listing the out-of-threshold items still appears on the Alert Center Home page. These events also remain available to review, analyze, and share from the Suspicious Connections Report.
Add Condition Rules:
The default threshold is configured to alert when more than one connection to a suspicious IP (such as an address in use by Tor, also referred to as the "Dark Web") has been made in the last 15 minutes.
Tip: If you are leveraging a community-updated list (as configured in the IP Reputation Library), suspect IP lists (such as lists of addresses in use by the Dark Web) are set to update weekly by default. For more information, see the IP Reputation Library topic.
Note: Sources sending sampled data are not displayed as a selection option in the traffic-to-monitor list, because Network Traffic Analyzer cannot reliably determine from sampled data whether traffic has failed.
Note: For thresholds relating to trends, such as percent utilization, configure the threshold check interval to be longer than the sampling interval. For a health-check threshold, configure the check interval to be the same as (or similar to) the sampling interval.
Tip: Avoid setting the threshold check interval to a very short time. Aggressive intervals can degrade system performance. In general, setting the threshold check interval to less than five minutes is not advised.
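The following is an added example, not Network Traffic Analyzer or Alert Center code, showing the logic the default Suspicious Connections rule implies: flow records are matched against a reputation list, a source is out of threshold when more than one connection to a listed IP falls within the 15-minute window, and the item is resolved automatically once the window no longer holds more than one such connection. The `evaluate()` method stands in for one run of the threshold check interval; the flow line format, the sample flows, and the reputation entries (RFC 5737 documentation addresses) are all constructed for this example.

```python
"""Windowed 'Suspicious Connections' threshold check over flow records.

Added example; not the product's code. Mirrors the default rule described in the
text: alert when MORE than max_connections connections to a reputation-listed IP
are seen within the look-back window, and auto-resolve when back within threshold.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed reputation list, standing in for IP Reputation Library entries.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SUSPICIOUS_IPS = {"203.0.113.7", "198.51.100.42"}

# Constructed flow records: '<ISO timestamp> <src> <dst> <dport>', in time order.
SAMPLE_FLOWS = [
    "2024-05-01T09:58:00 10.0.0.5 203.0.113.7 443",     # listed destination
    "2024-05-01T10:01:00 10.0.0.5 198.51.100.42 9001",  # listed destination
    "2024-05-01T10:02:00 10.0.0.9 203.0.113.7 443",     # listed, but only one
    "2024-05-01T10:03:00 10.0.0.9 192.0.2.10 80",       # not listed
]


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line into a Flow record."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


class SuspiciousConnectionsThreshold:
    def __init__(self, reputation, window=timedelta(minutes=15),
                 max_connections=1, auto_resolve=True):
        self.reputation = reputation
        self.window = window                  # look-back window of the rule
        self.max_connections = max_connections  # alert when count EXCEEDS this
        self.auto_resolve = auto_resolve      # "Automatically resolve items" option
        self._hits = defaultdict(deque)       # src -> timestamps of listed connections
        self._active = set()                  # sources currently out of threshold

    def observe(self, flow: Flow) -> None:
        """Record a connection if its destination is on the reputation list.
        Flows are assumed to arrive in timestamp order (true for SAMPLE_FLOWS)."""
        if flow.dst in self.reputation:
            self._hits[flow.src].append(flow.ts)

    def evaluate(self, now: datetime):
        """One run of the threshold check interval.
        Returns (new_alerts, resolved, still_active), each a sorted list of sources."""
        cutoff = now - self.window
        for q in self._hits.values():         # drop connections outside the window
            while q and q[0] < cutoff:
                q.popleft()
        out = {src for src, q in self._hits.items() if len(q) > self.max_connections}
        new_alerts = out - self._active
        resolved = (self._active - out) if self.auto_resolve else set()
        self._active = out if self.auto_resolve else (self._active | out)
        return sorted(new_alerts), sorted(resolved), sorted(self._active)


def run_demo(auto_resolve=True):
    """Feed the constructed flows, then run two check intervals (10:05 and 10:30)."""
    th = SuspiciousConnectionsThreshold(SUSPICIOUS_IPS, auto_resolve=auto_resolve)
    for line in SAMPLE_FLOWS:
        th.observe(parse_flow(line))
    first = th.evaluate(datetime(2024, 5, 1, 10, 5))    # 10.0.0.5 has 2 hits in window
    second = th.evaluate(datetime(2024, 5, 1, 10, 30))  # both hits now older than 15 min
    return first, second


if __name__ == "__main__":
    for label, result in zip(("10:05", "10:30"), run_demo()):
        print(label, "new:", result[0], "resolved:", result[1], "active:", result[2])
```

At the 10:05 check, 10.0.0.9 has only one listed connection and stays within threshold, while 10.0.0.5 raises an alert; at 10:30 the window has emptied and the item is resolved automatically. With `auto_resolve=False` the 10.0.0.5 item stays active until an operator clears it, which is the behaviour you get when the "Automatically resolve items" option is left unchecked.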