Question

help needed in verifying alerted IP NOT IN gcti

  • May 19, 2026
  • 0 replies
  • 4 views

NASEEF

Hello Team,

I am writing a rule to detect unknown IPs hitting our public-facing domains. In this rule, I only want to generate an alert when the source IP is not present in GCTI.

The reason is that we already have a separate rule that handles IPs found in GCTI, so I want to avoid duplicate detections.

Could someone please advise on the best way to implement a “NOT IN GCTI” condition within the rule?
Is the below approach the correct way to verify that the principal IP generating the alerts is not present in GCTI? Also, is using the join with entity.ip the correct method for this check?

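The post's own rule is not included on the page, so the following is an added illustration of the "alert only when the source IP is NOT in GCTI" pattern in YARA-L 2.0; it is not the author's rule and not an answer from the thread. It assumes the entity-graph join on `graph.entity.ip` that the post mentions, assumes GCTI entries are identified by `graph.metadata.vendor_name = "Google Cloud Threat Intelligence"`, and uses a hypothetical placeholder for the public-facing hostname in `target.hostname`; confirm the vendor/product field values against the GCTI entity records in your own tenant before relying on them.

```yaral
rule unknown_ip_not_in_gcti {
  meta:
    author = "added example, not from the original post"
    description = "Fire only when a source IP hitting a public-facing host has no matching GCTI entity"
    severity = "LOW"

  events:
    // Event side: traffic to a public-facing host.
    // "www.example-public.internal" is a constructed placeholder for your own domain list.
    $e.target.hostname = "www.example-public.internal"
    $e.principal.ip = $ip

    // Entity side: GCTI indicator whose entity.ip equals the same source IP.
    // Assumption: GCTI records carry this vendor_name in the entity graph.
    $gcti.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $gcti.graph.entity.ip = $ip

  match:
    // Both variables are joined on the match variable $ip, which the
    // non-existence check in the condition requires.
    $ip over 1h

  outcome:
    $event_count = count($e.metadata.id)

  condition:
    // "!$gcti" is the YARA-L 2.0 non-existence check: the rule fires only
    // when at least one event exists AND no GCTI entity matched that IP,
    // so IPs already covered by the GCTI rule do not produce duplicates.
    $e and !$gcti
}
```

The duplicate-detection split the post describes therefore becomes two complementary rules: the existing one with a plain `$e and $gcti` join (IP present in GCTI) and this one with `$e and !$gcti` (IP absent). When testing, run both over the same window and check that the union of their detections covers every source IP once and only once.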