Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Using the Packet View
Note
You cannot set shared object rules to generate events from the packet view, nor can you disable
rules in the default policies.
Set this rule to drop
If your managed device is deployed inline on your network, you can set the rule that triggered the
event to drop packets that trigger the rule in all policies that you can edit locally. Alternately, you
can set the rule only in the current policy (that is, the policy that generated the event) if you can edit
the current policy locally.
Note that the current policy option appears only when you can edit the current policy; for example,
you can edit a custom policy, but you cannot edit a default policy provided by Cisco. Note also that
this option appears only when Drop when Inline is enabled in the current policy. See
for more information.
Set Thresholding Options
You can use this option to create a threshold for the rule that triggered this event in all policies that
you can edit locally. Alternately, you can create a threshold only for the current policy (that is, the policy
that generated the event) if you can edit the current policy locally.
The thresholding options are described in
Note that the current policy option appears only when you can edit the current policy; for example,
you can edit a custom policy, but you cannot edit a default intrusion policy provided by Cisco.
Set Suppression Options
You can use this option to suppress the rule that triggered this event in all policies that you can edit
locally. Alternately, you can suppress the rule only in the current policy (that is, the policy that
generated the event) if you can edit the current policy locally.
The suppression options are described in
Note that the current policy option appears only when you can edit the current policy; for example,
you can edit a custom policy, but you cannot edit a default policy provided by Cisco.
Setting Threshold Options within the Packet View
License: Protection
You can control the number of events that are generated per rule over time by setting the threshold
options in the packet view of an intrusion event. You can set threshold options in all policies that you
can edit locally or, when it can be edited locally, only in the current policy (that is, the policy that
caused the event to be generated).
To set the threshold options within the packet view:
Access: Admin/Intrusion Admin
Step 1
Within the packet view of an intrusion event that was generated by an intrusion rule, expand Actions in
the Event Information section; expand Set Thresholding Options and select one of the two possible options:
• in the current policy
• in all locally created policies