Detecting and Responding to Network Activities Using the Network Activity Rules
By using Network Activity rules you can detect and respond to network activities using criteria such as the applications using the network, byte sent/received, remote host etc. The sample rule below shows how you can use a shared list to block blacklisted IPs and certain ports:
Create an Activity rule.
Select Network under the types of activities.
Select the users the rule will apply to.
Specify the detection conditions for the Remote Host. In this example, we used a Shared List called Blacklisted IPs as input for the condition. This list contains some network addresses (IPs) that we want to block.
Add another condition, Remote Port and assign it a port value. In this example, we used the port 50.
Select an action to take when the rule is violated. In this example, we selected a Block action.
Detecting Network Anomalies Using the Anomaly Rules (On-Premise)
You can use the Anomaly Rules to detect network anomalies like network connections going above certain threshold, network data out anomaly for certain user compared to their departmental baseline etc. The sample Anomaly Rule below will notify an admin if the threshold count for network connections (no-http) goes above certain level: