You can streamline SOC processes by defining a subnet whitelist/blacklist for event handlers. These addresses can be linked to any event handler to enable or prevent it from triggering an event. Creating a subnet whitelist/blacklist for event handlers eliminates the need to specify common networks in every event handler.
To include or exclude subnets in an event handler:
- Go to Incidents & Events > Event Handler List.
- Select an event handler to edit from the list.
- In the Subnet category, select Specify.
- Choose which subnets to include or exclude by selecting them from the corresponding dropdown menu.
- Select OK.
If a conflict arises between the exclude and include lists, the exclude list will take priority.
Subnet filters match on either SRCIP or DSTIP: a log is in scope if either its source or its destination address falls inside a listed subnet, so source and destination addresses share the same subnet filters rather than having separate lists.
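The following is an added example, not FortiAnalyzer code, that models the two rules above (exclude beats include; a hit on either SRCIP or DSTIP counts) so an analyst can check how a handler would treat a given log before changing the lists. It assumes, for the demo only, that an empty include list means "no restriction"; the subnet values and sample logs are constructed.

```python
import ipaddress

# Added example (not FortiAnalyzer code). Models the documented semantics:
#   1. A log is in scope if either SRCIP or DSTIP falls inside a subnet.
#   2. When both an include and an exclude entry match, exclude wins.
#   3. An empty include list means "no restriction" (assumption for this demo).

def _parse(subnets):
    """Turn CIDR strings into network objects; strict=False tolerates host bits."""
    return [ipaddress.ip_network(s, strict=False) for s in subnets]

def _hits(ip, nets):
    """True if the address is inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def handler_should_trigger(srcip, dstip, include=(), exclude=()):
    """Return True if the event handler would still evaluate this log."""
    inc, exc = _parse(include), _parse(exclude)
    # Exclude list takes priority: a hit on either address suppresses the event,
    # even if the other address is inside an included subnet.
    if _hits(srcip, exc) or _hits(dstip, exc):
        return False
    if not inc:  # no include restriction configured (demo assumption)
        return True
    return _hits(srcip, inc) or _hits(dstip, inc)

# Constructed sample logs using RFC 1918 / RFC 5737 addresses, not real traffic.
SAMPLE_LOGS = [
    {"srcip": "10.0.5.7", "dstip": "203.0.113.9"},      # internal -> external
    {"srcip": "10.0.99.1", "dstip": "10.0.5.7"},        # scanner -> internal
    {"srcip": "198.51.100.4", "dstip": "203.0.113.9"},  # external only
]

def evaluate(logs, include, exclude):
    """Apply the filter to each log; returns one bool per log in order."""
    return [handler_should_trigger(l["srcip"], l["dstip"], include, exclude)
            for l in logs]

if __name__ == "__main__":
    include = ["10.0.0.0/16"]    # corporate range the handler should watch
    exclude = ["10.0.99.0/24"]   # authorised vulnerability scanner subnet
    for log, fire in zip(SAMPLE_LOGS, evaluate(SAMPLE_LOGS, include, exclude)):
        print(log, "->", "trigger" if fire else "suppressed")
```

The second sample log shows the priority rule: its DSTIP is inside the included range, but the SRCIP sits in the excluded scanner subnet, so the event is suppressed.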