IP Shun Rule

Hello All,

I am trying to make an IP Shun Rule for SW SEM, but I need some advice/help. I am thinking the rule is true when: NetworkAttackAlerts occurred; Actions: Block IP Network Attack Alerts.Source Machine and send an email to our IT group about the incident. I just started learning SEM, so any help would be greatly appreciated.

  • This would work, in theory, but I'd caution you to create a filter first to see how often this is going to trigger and ensure that it's going to only trigger when you need it to. I'd hate for you to build in an action that would cripple your network by accident. I make it a rule, myself, to create a filter before ever executing on a rule.
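One way to do the "filter first" check the reply recommends is to dry-run the rule's logic over a sample of events and look at how often it fires and which addresses it would shun. The script below is an added example, not code from this thread and not SolarWinds SEM's own API (SEM rules are built in its console; field names such as `type` and `source` and the sample events are constructed here to model the "NetworkAttackAlerts" / "Source Machine" wording in the post). It also shows the two safeguards a practitioner usually adds before enabling an automatic block: a minimum hit count so a single alert does not trigger a block, and a never-block list so the rule cannot shun internal scanners, admin hosts or the SEM appliance itself.

```python
"""Dry-run of a 'block source IP on NetworkAttackAlerts' rule.

Added example, not code from this thread or from SolarWinds SEM. It models
the rule's condition/action logic over constructed events so the trigger
rate and the set of addresses the rule would block can be reviewed before
the block action is switched on.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events. Field names are hypothetical, modelled on the
# 'NetworkAttackAlerts' / 'Source Machine' wording in the post.
SAMPLE_EVENTS = [
    {"type": "NetworkAttackAlerts", "source": "203.0.113.5", "dest": "10.0.0.20"},
    {"type": "NetworkAttackAlerts", "source": "203.0.113.5", "dest": "10.0.0.21"},
    {"type": "NetworkAttackAlerts", "source": "203.0.113.5", "dest": "10.0.0.22"},
    {"type": "NetworkAttackAlerts", "source": "10.0.0.9", "dest": "10.0.0.20"},
    {"type": "UserLogon", "source": "10.0.0.9", "dest": "10.0.0.20"},
    {"type": "NetworkAttackAlerts", "source": "198.51.100.7", "dest": "10.0.0.20"},
]

# Networks the rule must never block: internal ranges holding the IDS/vuln
# scanner, admin workstations and the SEM appliance. Constructed value.
NEVER_BLOCK = [ip_network("10.0.0.0/8")]


def matches(event):
    """Rule condition: the event is a NetworkAttackAlerts event."""
    return event.get("type") == "NetworkAttackAlerts"


def evaluate_rule(events, min_hits=1, never_block=NEVER_BLOCK):
    """Dry-run the rule.

    Returns (would_block, skipped, hits_per_source):
      would_block      - source addresses the Block IP action would shun
      skipped          - sources that matched often enough but sit in a
                         never-block network (the rule would have blocked
                         an internal host)
      hits_per_source  - how many times the condition fired per source,
                         i.e. the trigger rate the reply asks you to check
    """
    hits = Counter(e["source"] for e in events if matches(e))
    would_block, skipped = [], []
    for src, n in hits.items():
        if n < min_hits:
            continue  # below threshold: no action, only counted
        if any(ip_address(src) in net for net in never_block):
            skipped.append(src)
        else:
            would_block.append(src)
    return sorted(would_block), sorted(skipped), dict(hits)


def summarize(events, min_hits=1):
    """Human-readable review line, the kind you would read before enabling
    the block action in the real rule."""
    would_block, skipped, hits = evaluate_rule(events, min_hits)
    return (f"condition fired {sum(hits.values())} times from "
            f"{len(hits)} sources; would block {would_block}; "
            f"protected hosts that would otherwise be blocked: {skipped}")


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))              # single alert triggers
    print(summarize(SAMPLE_EVENTS, min_hits=3))  # require repeated alerts
```

Running it against the constructed sample shows the point of the reply: with the rule exactly as described (one alert is enough), an internal host at 10.0.0.9 would have been shunned along with the two external sources, and only the threshold plus the never-block list keep the action to the repeated external offender. Once the real SEM filter shows a comparable picture over a few days of live events, the block action can be enabled with far less risk of the rule crippling the network.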