Found a post a couple of days ago in the Intelligence community describing how to create an alert based on a 'dynamic' Watchlist of botnet Command & Control IP addresses.
I created the watchlist and decided to run a report at first rather than create an alert to have a look at it.
It seems that only a portion of the Watchlist is evaluated, i.e. when adding a test IP at the top of the list, it seems to work fine but when shifting it to the bottom (line 3788), the report doesn't return any data.
Does anyone know if there are limitations using watchlists in a report? Size, length?
If so, has this been addressed in Version 4?
Any suggestions?