Use the active list to detect suspicious IP addresses in any event and change the criticality level to maximum

Hi

Help me implement the mechanics of detecting suspicious addresses in arbitrary events using an actin list.

Now I'm trying to describe a rule that will compare the Indicator Value list column and the Device Address field of the event and if there is a match, I want to make the criticality level of the event the maximum.

At the moment, here is my description of the rule:

event1 : (
Device Address Is NOT NULL
AND
InActiveList("AlienVault Feeds DB")
AND Not(
DeviceVendor = AlienVault
And
Device Product = OTX
And
Agent ID = /All Connectors/AlienVault_OTX/alienvault_feeds
) AND
Type In (Base, Aggregated)
)

Although I have not fully understood their writing, even I understand that this is not enough.

How can I specify in the inActiveList condition which column should be paid attention to? Perhaps a custom variable should be used, if so, how?

Can I get the desired result only with the help of a rule or do I need to describe additional filters or something else for correct operation? Or do you know other implementation options?

Thank you in advance

Bohdan