Creating a Suspicious Activity Rule from Results

If you monitor traffic and see a suspicious result, you can create an SAM rule immediately from the results.

Note - You can only create a Suspicious Activity rule for Traffic views with data about the Source or Destination (Top Sources, Top P2P Users, and so on).

To create an SAM rule:

  1. In SmartView Monitor open a Traffic view.

    The Select Gateway / Interface window opens.

  2. Select an object and click OK.
  3. In the Results, right-click the bar in the chart (or the row in the report) that represents the source, destination, or other traffic property to block.
  4. Select Block Source.

    The Block Suspicious Activity window opens.

  5. Create the rule.
  6. Click Enforce.

For example:

Your corporate policy does not allow peer-to-peer file sharing, and you see this traffic in the Traffic > Top P2P Users results.

  1. Right-click the result bar and select Block Source.

    The SAM rule is set up automatically with the user IP address and the P2P_File_Sharing_Applications service.

  2. Click Enforce.
  3. For the next hour, while this traffic is dropped and logged, contact the user.