I noticed that some IP prototypes have a direction of inbound (spamhaus) while others are outbound (ransomwaretracker). What is the difference with respect to being able to use them in feeds for EDLs?
Solved! Go to Solution.
IP indicators, and only IP indicators, have an attribute called direction. This is used to specify if the IP is typically seen as a source of a session (direction = inbound) or as a destination ( ). This could be helpful when definining security policies to match IPs on sources or destination.
But if you prefer you can also ignore this attribute, as always with MineMeld it's up to you.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The Live Community thanks you for your participation!