Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy
  Filtering Intrusion Event Notification Per Policy
  • Construct a filter by clicking on keywords or arguments in the filter panel on the left. For more information, see the following topics:
The page refreshes to display all matching rules.
Step 5
Select the rule or rules where you want to set a threshold. You have the following options:
  • To select a specific rule, select the check box next to the rule.
  • To select all the rules in the current list, select the check box at the top of the column.
Step 6
Select Event Filtering > Threshold.
The thresholding pop-up window appears.
Step 7
Select the type of threshold you want to set:
  • Select Limit to limit notification to the specified number of event instances per time period.
  • Select Threshold to provide notification for each specified number of event instances per time period.
  • Select Both to provide notification once per time period after a specified number of event instances.
Step 8
Select the appropriate option for Track By to indicate whether you want the event instances tracked by source or destination IP address.
Step 9
In the Count field, specify the number of event instances you want to use as your threshold.
Step 10
In the Seconds field, specify the number of seconds that make up the time period for which event instances are tracked.
Step 11
Click OK.
The system adds your threshold and displays an event filter icon next to the rule in the Event Filtering column. If you add multiple event filters to a rule, a number over the icon indicates the number of event filters.
Step 12
Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the table for more information.
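
The following added example (not part of the Cisco guide and not Cisco's implementation) models how the three threshold types from Step 7 combine with the Track By, Count and Seconds settings from Steps 8 to 10, using constructed events. The function names and the rule for when a time period starts are assumptions.

```python
# Added illustration; not Cisco code. All names here are hypothetical.
KINDS = ("limit", "threshold", "both")

# Constructed sample events: (timestamp in seconds, source IP, destination IP).
EVENTS = (
    [(t, "10.0.0.5", "192.0.2.10") for t in (0, 5, 10, 15, 20, 25, 30, 70, 75)]
    + [(t, "10.0.0.9", "192.0.2.10") for t in (12, 40)]
)
EVENTS.sort()

def apply_threshold(events, kind, track_by, count, seconds):
    """Return the events that would produce a notification.

    Assumption: a time period starts with the first event seen for a tracked
    address, and the first event after it expires starts a new period.
    """
    if kind not in KINDS or track_by not in ("source", "destination"):
        raise ValueError("unknown threshold type or Track By value")
    if count < 1 or seconds < 1:
        raise ValueError("Count and Seconds must be positive")
    periods = {}   # tracked IP -> [period start, instances seen in period]
    notified = []
    for ts, src, dst in events:
        key = src if track_by == "source" else dst
        period = periods.get(key)
        if period is None or ts - period[0] >= seconds:
            period = periods[key] = [ts, 0]   # start a new time period
        period[1] += 1
        seen = period[1]
        if kind == "limit":          # first Count instances per period
            notify = seen <= count
        elif kind == "threshold":    # every Count-th instance in the period
            notify = seen % count == 0
        else:                        # "both": once, on the Count-th instance
            notify = seen == count
        if notify:
            notified.append((ts, src, dst))
    return notified

def notification_times(kind, track_by, count=3, seconds=60):
    """Timestamps of the sample events that would be notified."""
    return [e[0] for e in apply_threshold(EVENTS, kind, track_by, count, seconds)]

if __name__ == "__main__":
    for track_by in ("source", "destination"):
        for kind in KINDS:
            print(f"{track_by:12} {kind:10} {notification_times(kind, track_by)}")
```

With these sample events, tracking by destination merges both sources into one counter, so the Threshold type notifies three times instead of twice, while the second source never reaches the count on its own when tracked by source.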
Viewing and Deleting Intrusion Event Thresholds
License: Protection
You may want to view or delete an existing threshold setting. You can use the Rules Details view to display the configured settings for a threshold to see if they are appropriate for your system. If they are not, you can add a new threshold to overwrite the existing values.
Note that you can also modify the global threshold that applies by default to all rules and preprocessor-generated events. See for more information.
To view or delete a threshold:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.