Track connections with IP addresses identified in blacklist databases or tracked with the IP Reputation Library. See conversations occurring with known Tor client exit points and much more.

Configure a Network Traffic Analysis Suspicious Connections threshold:

• Name. Used in the Threshold library and the title on the Alert Center Dashboard.
• Notification Policy. (Optional) Select the notification policy to apply to this threshold. The policy initiates notifications when an item is outside the configured threshold limits.
• Threshold Check Interval. Enter a time interval for Alert Center to check the Network Performance Monitor database for items that are out of the threshold limits.

  Automatically resolve items no longer out of threshold. Select this option if you want Alert Center to automatically resolve items when they return to the value within the threshold limit.

Note: Notification policies are optional for most thresholds. If you do not select a notification policy, no notifications are generated for the threshold, but a dashboard report listing the out of threshold items still appears on the Alert Center Home page. —These events will also still be available to review, analyze, and share from the Suspicious Connections Report.

Add Condition Rules:

The default threshold is configured to alert when more than one connection to a suspicious IP (such as an address in use by Tor—also referred to as the "Dark Web") has been made in the last 15 minutes.

• More than... Maximum number of connections to suspicious IP addresses.
• in the past... Select a period for the measurement.

Select Network Traffic Analysis Sources (Traffic to Consider)

Tip: If you are leveraging a community updated list (as configured in the IP Reputation Library), suspect IP lists (such as those in use by Dark Web) are set to update weekly by default. For more information, see the IP Reputation Library topic.

• Traffic to monitor. By default, the threshold is set to monitor traffic from all Network Traffic Analysis sources. Select the Network Traffic Analysis source or interface from which to monitor traffic. When you select a source, traffic for all interfaces on the source is monitored. When you select an interface, only traffic for the selected interface is monitored.

  Note: Sources sending sampled data are not displayed as a selection option in the traffic to monitor list because Network Traffic Analysis cannot determine that traffic has failed on sampled data.

• Hosts to monitor. Click Select to choose the hosts to which the threshold applies.
  • By default, the threshold monitors all applicable hosts
  • Click Apply this Threshold to Specific Hosts to choose the hosts to which the threshold applies.
• Click Exclude Hosts to build an exclusion list.

Note: Configure the threshold check interval for a longer time than the sampling interval for thresholds relating to trends, such as percent utilization. Configure it for a time the same as (or similar to) the sampling interval when configuring a threshold for a health check.

Tip: Avoid setting the threshold check interval to a very short time. Aggressive intervals can degrade system performance. In general, setting the threshold check interval to less than five minutes is not advised.

Track connections with IP addresses identified in blacklist databases or tracked with the IP Reputation Library. See conversations occurring with known Tor client exit points and much more.

Configure a Network Traffic Analysis Suspicious Connections threshold:

• Name. Used in the Threshold library and the title on the Alert Center Dashboard.
• Notification Policy. (Optional) Select the notification policy to apply to this threshold. The policy initiates notifications when an item is outside the configured threshold limits.
• Threshold Check Interval. Enter a time interval for Alert Center to check the Network Performance Monitor database for items that are out of the threshold limits.

  Automatically resolve items no longer out of threshold. Select this option if you want Alert Center to automatically resolve items when they return to the value within the threshold limit.

Note: Notification policies are optional for most thresholds. If you do not select a notification policy, no notifications are generated for the threshold, but a dashboard report listing the out of threshold items still appears on the Alert Center Home page. —These events will also still be available to review, analyze, and share from the Suspicious Connections Report.

Add Condition Rules:

The default threshold is configured to alert when more than one connection to a suspicious IP (such as an address in use by Tor—also referred to as the "Dark Web") has been made in the last 15 minutes.

• More than... Maximum number of connections to suspicious IP addresses.
• in the past... Select a period for the measurement.

Select Network Traffic Analysis Sources (Traffic to Consider)

Tip: If you are leveraging a community updated list (as configured in the IP Reputation Library), suspect IP lists (such as those in use by Dark Web) are set to update weekly by default. For more information, see the IP Reputation Library topic.

• Traffic to monitor. By default, the threshold is set to monitor traffic from all Network Traffic Analysis sources. Select the Network Traffic Analysis source or interface from which to monitor traffic. When you select a source, traffic for all interfaces on the source is monitored. When you select an interface, only traffic for the selected interface is monitored.

  Note: Sources sending sampled data are not displayed as a selection option in the traffic to monitor list because Network Traffic Analysis cannot determine that traffic has failed on sampled data.

• Hosts to monitor. Click Select to choose the hosts to which the threshold applies.
  • By default, the threshold monitors all applicable hosts
  • Click Apply this Threshold to Specific Hosts to choose the hosts to which the threshold applies.
• Click Exclude Hosts to build an exclusion list.

Note: Configure the threshold check interval for a longer time than the sampling interval for thresholds relating to trends, such as percent utilization. Configure it for a time the same as (or similar to) the sampling interval when configuring a threshold for a health check.

Tip: Avoid setting the threshold check interval to a very short time. Aggressive intervals can degrade system performance. In general, setting the threshold check interval to less than five minutes is not advised.

Clone a threshold based on a custom or built-in configuration:

1. Click on a threshold on the Thresholds Library panel you want to copy.
2. Click the Copy button, and click OK to create a new Suspicious Connections Threshold.

   The Edit Suspicious Connections Threshold dialog displays.

3. Save or customize your new threshold, either:
   • Type in a new value for Name field (or keep the default) and click OK to save to the Thresholds Library.
   • Follow the Edit Suspicious Connections Threshold instructions.

Delete an existing Suspicious Connections Threshold:

1. Select Suspicious Connections Threshold you want to delete from the Suspicious Connections Threshold panel.
2. Click the Delete button, and then click Yes to confirm the deletion.

   The Suspicious Connections Threshold configuration is deleted.