So I am trying to refine my Threat Activity Detected Search to only show "Allowed" connections rather than any blocked messages. Has anyone tried this before because in the Threat Intelligence Framework its not showing anything regarding action.
Hi, Im heading down the same path, maybe trying to reduce the number of notables by not raising one for anything under X number of bytes.
Did you get anywhere with your method? I'd be very interested.
Thanks
