Wondering whether the prohibited_traffic.csv lookup used by SA-NetworkProtection in Enterprise Security could be extended with src_ip and dest_ip columns, so that I can define acceptable usage of a port that is currently deemed prohibited.
Let's say we have two systems on our internal network, 220.127.116.11 (desktop) and 18.104.22.168 (server). Bob, who uses the desktop 22.214.171.124, RDPs to 126.96.36.199 once a month to do a report. Under the current configuration, Bob's RDP access generates a notable event. We want to be able to record acceptable usage of a protocol in the lookup, so that notable events are not created for traffic that is acceptable usage. Also, would wildcards possibly work in the src_ip and dest_ip values (for example 188.8.131.52/24 or 172.1.1.*)?
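As an added illustration that is not part of the original post, the following transforms.conf stanza and sample CSV show how a Splunk CSV lookup can carry src_ip/dest_ip columns with CIDR matching. The stanza name, the local file path, the column layout and the IP ranges are assumptions, not the layout SA-NetworkProtection ships; the correlation search must also pass src_ip and dest_ip into the lookup for the new columns to have any effect.

```ini
# $SPLUNK_HOME/etc/apps/SA-NetworkProtection/local/transforms.conf
# (assumed path; put the override in a local/ directory so upgrades do not clobber it)
[prohibited_traffic_lookup]        ; assumed stanza name, reuse the one the app already defines
filename = prohibited_traffic.csv
# CIDR() lets the CSV hold ranges such as 10.1.0.0/24 or single hosts as /32.
# A field uses one match type, so either CIDR() or WILDCARD(); pick CIDR if
# you want "x.x.x.0/24" notation, WILDCARD if you want "172.1.1.*".
match_type = CIDR(src_ip), CIDR(dest_ip)
# Return only the first matching row, so order specific rows before catch-alls.
max_matches = 1
case_sensitive_match = false

# prohibited_traffic.csv (constructed example rows, addresses are placeholders)
# transport,dest_port,src_ip,dest_ip,is_prohibited,note
# tcp,3389,10.1.1.10/32,10.1.2.20/32,false,"Bob monthly report, approved"
# tcp,3389,0.0.0.0/0,0.0.0.0/0,true,"RDP prohibited by default"
#
# With max_matches = 1 the approved row is evaluated first, so Bob's flow gets
# is_prohibited=false and the catch-all 0.0.0.0/0 row applies to everyone else.
# The correlation search then needs to supply the extra fields, e.g.:
#   ... | lookup prohibited_traffic_lookup transport dest_port src_ip dest_ip
#         OUTPUT is_prohibited
#       | search is_prohibited=true
```

Review the allow rows periodically; each one is a standing exception that will no longer produce a notable event.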