Cisco Cisco Firepower Management Center 4000

Page of 1844
 
21-14
FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy 
  Filtering Rules in an Intrusion Policy
The Rules page updates to display rules according to current rule state.
To use the Recommendation filter:
Access: 
Admin/Intrusion Admin
Step 1
Under 
Rule Configuration
, click 
Recommendation
.
Step 2
Select the FireSIGHT rule state recommendation to filter by. 
The Rules page updates to display rules according to recommended rule state.
To use the Threshold filter:
Access: 
Admin/Intrusion Admin
Step 1
Under Rule Configuration, click 
Threshold
.
Step 2
Select the threshold setting to filter by: 
  •
To find rules with a threshold type of 
limit
, select 
Limit
, and click 
OK
  •
To find rules with a threshold type of 
threshold
, select 
Threshold
, and click 
OK
  •
To find rules with a threshold type of 
both
, select 
Both
, and click 
OK
  •
To find rules with thresholds tracked by 
source
, select 
Source
, and click 
OK
  •
To find rules with thresholds tracked by destination, select 
Destination
, and click 
OK
  •
To find any rule with a threshold set, select 
All
, and click 
OK
The Rules page updates to display rules where the type of threshold indicated in the filter has been 
applied to the rule.
To use the Suppression filter:
Access: 
Admin/Intrusion Admin
Step 1
Under 
Rule Configuration
, click 
Suppression
.
Step 2
Select the suppression setting to filter by: 
  •
To find rules where events are suppressed for packets inspected by that rule, select 
Rule
, and click 
OK
  •
To find rules where events are suppressed based on the source of the traffic, select 
Source
, and click 
OK
  •
To find rules where events are suppressed based on the destination of the traffic, select 
Destination
and click 
OK
  •
To find any rule with suppression set, select 
All
, and click 
OK
The Rules page updates to display rules where the type of suppression indicated in the filter has been 
applied to the rule.