Hello,
What would be the best way to go about switching off communication with a malicious/compromised/blocked IP that is fed from a Threat Intelligence Feed or manually inserted into a UDG from the Emerging Threats rulesets at Index of /blockrules?
I tried to correlate the WebTrafficAudit event (OR) Network Audit event group with the ProcessStart event; however, the Disable Networking action does not work.
In addition to that, there's no way to connect the Source account that is required into the Kill Process action tool.
From the correlation below I get the message popup to work as a test, but the networking is not stopped.
In the Kill Process action, if I enter e.g. chrome.exe and my account, then it kicks in, as Chrome is closed; however, I cannot find a way to correlate further and automate it.
I am still finding my way through Advanced LEM rule filters, but is there a more efficient way to achieve a goal like this?
Thanks.
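The correlation the post describes (a network/web-traffic event whose destination is on a block list, joined to the ProcessStart event for the same host and PID so that the process image and the account needed for a kill action are known) can be sketched outside the tool. The following is an added example written for this page; it is not code from the original post and it does not use SolarWinds LEM's rule format or APIs. The block-list excerpt and the event records are constructed samples, and the event field names (`host`, `pid`, `dest_ip`, `image`, `account`) are assumptions, not LEM's schema.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in the style of an Emerging Threats block list:
# one IP or CIDR per line, '#' starts a comment. Not a real feed excerpt.
SAMPLE_BLOCKLIST = """\
# block list (constructed sample)
198.51.100.0/24
203.0.113.7
"""


def load_blocklist(text):
    """Parse IPs/CIDRs into ip_network objects, skipping comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in a CIDR such as 10.0.0.1/24
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_blocked(ip, nets):
    """True if ip falls inside any listed network (a bare IP is a /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


# Constructed events; field names are assumptions, not a LEM schema.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"type": "ProcessStart", "time": T0, "host": "ws01", "pid": 4120,
     "image": "chrome.exe", "account": "CORP\\alice"},
    {"type": "NetworkAudit", "time": T0 + timedelta(seconds=5), "host": "ws01",
     "pid": 4120, "dest_ip": "198.51.100.23"},          # inside 198.51.100.0/24
    {"type": "NetworkAudit", "time": T0 + timedelta(seconds=6), "host": "ws01",
     "pid": 4120, "dest_ip": "93.184.216.34"},          # not listed
    {"type": "WebTrafficAudit", "time": T0 + timedelta(seconds=7), "host": "ws01",
     "pid": 4120, "dest_ip": "203.0.113.7"},            # same process, listed again
    {"type": "ProcessStart", "time": T0, "host": "ws02", "pid": 880,
     "image": "svchost.exe", "account": "NT AUTHORITY\\SYSTEM"},
    {"type": "NetworkAudit", "time": T0 + timedelta(seconds=10), "host": "ws02",
     "pid": 880, "dest_ip": "203.0.113.8"},             # neighbour of a /32, not listed
    {"type": "NetworkAudit", "time": T0 + timedelta(seconds=20), "host": "ws03",
     "pid": 77, "dest_ip": "203.0.113.7"},              # listed, but no ProcessStart seen
]


def correlate(events, nets, window=timedelta(minutes=10)):
    """Return one kill-action record per (host, pid) that contacted a listed IP.

    ProcessStart events are remembered per (host, pid). A network event to a
    listed destination is joined to the most recent start for that key, but
    only if the start is inside `window`: PIDs are reused, so an old start
    may describe a different process. When no usable start exists the action
    is still emitted, with image/account set to None, so the gap is visible
    rather than silently dropped.
    """
    starts = {}
    seen = set()
    actions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "ProcessStart":
            starts[key] = ev
            continue
        if ev["type"] not in ("NetworkAudit", "WebTrafficAudit"):
            continue
        if not is_blocked(ev["dest_ip"], nets) or key in seen:
            continue
        seen.add(key)
        start = starts.get(key)
        if start is not None and ev["time"] - start["time"] > window:
            start = None
        actions.append({
            "host": ev["host"],
            "pid": ev["pid"],
            "image": start["image"] if start else None,
            "account": start["account"] if start else None,
            "dest_ip": ev["dest_ip"],
        })
    return actions


if __name__ == "__main__":
    for action in correlate(SAMPLE_EVENTS, load_blocklist(SAMPLE_BLOCKLIST)):
        print(action)
```

The second action in the sample output has no image or account because no ProcessStart was observed for that host and PID; that is the same shortfall the post runs into when the Kill Process action needs a source account the network event alone does not carry, so a rule built this way needs the ProcessStart side of the join to be reliably collected.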
