Configuring Suspicious Connections Threshold

Track connections with IP addresses identified in blacklist databases or tracked with the IP Reputation Library. See conversations occurring with known Tor client exit points and much more.

Configure a Network Traffic Analyzer Suspicious Connections threshold:

Note: Notification policies are optional for most thresholds. If you do not select a notification policy, no notifications are generated for the threshold, but a dashboard report listing the out-of-threshold items still appears on the Alert Center Home page. These events also remain available to review, analyze, and share from the Suspicious Connections Report.

Add Condition Rules:

The default threshold is configured to alert when more than one connection to a suspicious IP (such as an address in use by Tor—also referred to as the "Dark Web") has been made in the last 15 minutes.

Select Network Traffic Analyzer Sources (Traffic to Consider)

Tip: If you are leveraging a community-updated list (as configured in the IP Reputation Library), suspect IP lists (such as those of addresses in use by the Dark Web) are set to update weekly by default. For more information, see the IP Reputation Library topic.

Note: For thresholds relating to trends, such as percent utilization, configure the threshold check interval to be longer than the sampling interval. For a health-check threshold, configure the check interval to be the same as (or similar to) the sampling interval.

Tip: Avoid setting the threshold check interval to a very short time. Aggressive intervals can degrade system performance. In general, setting the threshold check interval to less than five minutes is not advised.
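The following is an added example, not code from the product or this documentation, showing the logic behind the default condition rule described above: every check interval, count connections to addresses on a reputation list inside the trailing 15-minute window and raise an alert when a suspicious address has received more than one. The reputation list, the flow records, and their (timestamp, source, destination) layout are all constructed for the example; the addresses come from RFC 5737 documentation ranges and are not real Tor exit points.

```python
"""Evaluate a Suspicious Connections style threshold over flow records.

Added example with an assumed data layout; not the Network Traffic Analyzer's own code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reputation list. Addresses are from RFC 5737 documentation ranges,
# standing in for entries an IP Reputation Library or blacklist feed would supply.
SUSPICIOUS_IPS = {"203.0.113.7", "198.51.100.42"}

# Constructed flow records: (timestamp, source address, destination address).
FLOWS = [
    ("2024-05-01T10:00:00", "10.0.0.5", "203.0.113.7"),
    ("2024-05-01T10:04:00", "10.0.0.5", "203.0.113.7"),
    ("2024-05-01T10:05:00", "10.0.0.9", "192.0.2.80"),      # benign destination
    ("2024-05-01T10:20:00", "10.0.0.7", "198.51.100.42"),
]


def evaluate_threshold(flows, suspicious, now, window=timedelta(minutes=15),
                       max_connections=1):
    """Return {suspicious_ip: [source addresses]} for every suspicious address that
    received more than max_connections connections in the window ending at `now`.
    Flows outside the window are ignored, so old activity ages out of the report."""
    cutoff = now - window
    seen = defaultdict(list)
    for ts, src, dst in flows:
        t = datetime.fromisoformat(ts)
        if not (cutoff <= t <= now):
            continue
        if dst in suspicious:
            seen[dst].append(src)
    return {ip: srcs for ip, srcs in seen.items() if len(srcs) > max_connections}


def run_checks(flows, suspicious, start, end, check_interval=timedelta(minutes=5),
               **threshold_args):
    """Evaluate the threshold once per check interval between start and end and
    return {check_time: alerts} for the checks that fired. The 5-minute default
    reflects the guidance above against shorter, more aggressive intervals."""
    results = {}
    t = start
    while t <= end:
        alerts = evaluate_threshold(flows, suspicious, t, **threshold_args)
        if alerts:
            results[t] = alerts
        t += check_interval
    return results


if __name__ == "__main__":
    checks = run_checks(FLOWS, SUSPICIOUS_IPS,
                        datetime(2024, 5, 1, 10, 0), datetime(2024, 5, 1, 10, 30))
    for when, alerts in checks.items():
        print(when.isoformat(), alerts)
```

Running the module shows the threshold firing at the 10:05, 10:10, and 10:15 checks, when both connections from 10.0.0.5 to 203.0.113.7 fall inside the window, and going quiet afterwards: the single later connection to 198.51.100.42 never exceeds the one-connection limit. Keying the result by suspicious address while recording the internal sources is what makes the alert actionable for triage.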

See Also

Suspicious Connections Threshold