Cisco Firepower Management Center 4000

FireSIGHT System User Guide
Chapter 28: Detecting Specific Threats
Detecting Sensitive Data

Selecting Individual Data Type Options
License: Protection
Individual data types identify the sensitive data you can detect and generate events on in your specified destination network traffic. You can modify default settings for data type options that specify the following:
  • a threshold that must be met for a detected data type to generate a single per-session event
  • the destination ports to monitor for each data type
  • the application protocols to monitor for each data type
At a minimum, each data type must specify an event threshold and at least one port or application protocol to monitor.
Each predefined data type provided by Cisco uses an otherwise inaccessible sd_pattern keyword to define a built-in data pattern to detect in traffic. See the  table for a listing of predefined data types. You can also create custom data types for which you use simple regular expressions to specify your own data patterns. See  for more information.
Note that data type names and patterns are system-wide; all other data type options are policy-specific.
The following table describes the data type options you can configure.
Table 28-7 Global Sensitive Data Detection Options (continued)

Option: Networks
Description: Specifies the destination host or hosts to monitor for sensitive data. You can specify a single IP address, address block, or a comma-separated list of either or both. The system interprets a blank field as any, meaning any destination IP address. For information on using IPv4 and IPv6 address blocks in the FireSIGHT System, see .

Option: Global Threshold
Description: Specifies the total number of all occurrences of all data types during a single session that the preprocessor must detect in any combination before generating a global threshold event. You can specify 1 through 65535.
Cisco recommends that you set the value for this option higher than the highest threshold value for any individual data type that you enable in your policy. See  for more information.
Note the following points regarding global thresholds:
  • You must enable preprocessor rule 139:1 to detect and generate events on combined data type occurrences. See  for information on enabling rules in your intrusion policy.
  • The preprocessor generates up to one global threshold event per session.
  • Global threshold events are independent of individual data type events; that is, the preprocessor generates an event when the global threshold is reached, regardless of whether the event threshold for any individual data type has been reached, and vice versa.
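
The interaction between individual data type thresholds and the global threshold described above can be modelled as follows. This is an added example, not Cisco code or the preprocessor's implementation; the function names, data type names, thresholds and sample session are constructed for illustration, and every detection is assumed to count toward the global total.

```python
from collections import Counter

GLOBAL_RULE = "139:1"  # preprocessor rule the guide names for global threshold events


def check_policy(type_thresholds, global_threshold):
    """Return warnings for settings that conflict with the guidance in the guide."""
    warnings = []
    if not 1 <= global_threshold <= 65535:
        warnings.append("global threshold must be 1 through 65535")
    if type_thresholds and global_threshold <= max(type_thresholds.values()):
        warnings.append("global threshold is not higher than the highest data type threshold")
    return warnings


def session_events(detections, type_thresholds, global_threshold, rule_139_1_enabled=True):
    """Replay one session's detections; return the events in the order they fire."""
    per_type = Counter()
    fired = set()
    events = []
    for total, data_type in enumerate(detections, start=1):
        per_type[data_type] += 1
        threshold = type_thresholds.get(data_type)
        # Individual data type: a single event per session once its threshold is met.
        if threshold is not None and per_type[data_type] >= threshold and data_type not in fired:
            fired.add(data_type)
            events.append(data_type)
        # Global: counts every occurrence in any combination, at most one event per session.
        if rule_139_1_enabled and total >= global_threshold and GLOBAL_RULE not in fired:
            fired.add(GLOBAL_RULE)
            events.append(GLOBAL_RULE)
    return events


# Constructed sample: data type names, thresholds and detections are illustrative only.
THRESHOLDS = {"credit_card": 3, "email": 5}
MIXED = ["credit_card", "email", "email", "credit_card", "email", "email"]

if __name__ == "__main__":
    print(check_policy(THRESHOLDS, 4))                               # one warning
    print(session_events(MIXED, THRESHOLDS, 6))                      # global event only
    print(session_events(MIXED, THRESHOLDS, 6, rule_139_1_enabled=False))
    print(session_events(["credit_card"] * 4, THRESHOLDS, 6))        # individual event only
```

The mixed session never reaches either individual threshold yet still produces the global event, and it produces nothing at all when rule 139:1 is left disabled, which is the gap to look for when reviewing a policy.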