Hi,
ThreatRadar is a very good tool to enrich the logs.
I know from my experience that blocking IP only from IP lists might generate a lot of false positives.
If you want to block traffic using IP from the TR, you can write your own security policies.
Example - When the IP is on the Spam IPs list and is trying to log in to the application with bad credentials, and does so more than 5 times in 10 seconds, then block it.
I think it is a good way to use the TR IP list to block traffic, as long as you use it together with additional criteria.
------------------------------
Karol Gruszczyński
IT Security Expert
Trafford IT
Warsaw
------------------------------
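The correlation rule described in the reply above (an IP from the Comment Spam feed, failed logins, more than 5 of them within 10 seconds), written out as an added Python example; this is not code from the thread or from the product, and the feed contents, event format and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed stand-in for the ThreatRadar "Comment Spam IPs" feed
# (documentation-range addresses, not real indicators).
SPAM_IPS = {"203.0.113.7", "198.51.100.42"}

WINDOW_SECONDS = 10   # "in 10 seconds"
MAX_FAILURES = 5      # "more than 5 times" -> the 6th failure triggers

def find_blockable_ips(events, spam_ips=SPAM_IPS,
                       window=WINDOW_SECONDS, threshold=MAX_FAILURES):
    """events: iterable of (timestamp_seconds, src_ip, login_succeeded).
    Returns {ip: timestamp} for IPs that met all three conditions, keyed
    by the moment the threshold was first exceeded."""
    failures = defaultdict(deque)  # per-IP failed-login timestamps in the window
    blocked = {}
    for ts, ip, ok in sorted(events):
        # Condition 1: feed hit. Condition 2: bad credentials. Skip already-blocked.
        if ip not in spam_ips or ok or ip in blocked:
            continue
        q = failures[ip]
        q.append(ts)
        # Slide the window: drop failures older than `window` seconds.
        while q and ts - q[0] > window:
            q.popleft()
        # Condition 3: rate. Only a burst of failures turns a feed hit into a block.
        if len(q) > threshold:
            blocked[ip] = ts
    return blocked

# Constructed sample login events: (seconds, source IP, success?)
EVENTS = (
    # feed-listed IP, 6 failures in 5 seconds -> block
    [(t, "203.0.113.7", False) for t in range(6)]
    # same IP, a later successful login is not counted as a failure
    + [(7, "203.0.113.7", True)]
    # feed-listed IP, 6 failures spread over 30 seconds -> no block
    + [(t, "198.51.100.42", False) for t in range(0, 36, 6)]
    # not on the feed, 10 failures in 10 seconds -> no block by this rule
    + [(t, "192.0.2.9", False) for t in range(10)]
)

if __name__ == "__main__":
    print(find_blockable_ips(EVENTS))  # {'203.0.113.7': 5}
```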
Original Message:
Sent: 07-27-2022 04:00
From: Ken Chau
Subject: ThreatRadar - Comment Spam IPs
Hi all,
While the default severity of the violation ThreatRadar - Comment Spam IPs is high, the default action is none instead of block. Is there any reason behind this?
Has anyone tried to change the default action to block? Do you experience quite a lot of false positive hits?
Thanks.
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Ken Chau
IT Manager
Central Hong Kong
------------------------------