NTA is one way to do it. For this kind of activity though, I would recommend SolarWinds LEM (Log and Event Manager). If you turn on traffic logging on your firewall, LEM will generate TCPTrafficAudit events with event fields such as source IP, destination IP, etc. So, you can easily search based on the external IPs. You can also create a LEM User Defined Group with these 7 IPs to filter the results or create correlation rules to alert you in real-time.
↧