All,
I need to create a rule to monitor for and alert on traffic from a specific IP address to our firewalls. I have a filter in the Monitor section of LEM, but I can't create email alerts on filters. Basically, we're in the midst of a PCI recertification audit, and as part of that the audit company does an external penetration scan on all of our public IP addresses. They have provided us with the source addresses of all their tests. I want to be alerted when these scans are happening so I can correlate any network issues that might be caused by the scans. Sometimes these auditors get a little overly aggressive with their scans and forget that there's a production network behind the public addresses they are scanning.