Cisco Cisco FirePOWER Appliance 8390
21-24
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Intrusion Event Notification Per Policy
Note that you can use intrusion event thresholding alone or in any combination with rate-based attack
prevention, the
prevention, the
detection_filter
keyword, and intrusion event suppression. See
, and
for more information.
See the following sections for more information:
•
•
•
Tip
You can also add thresholds from within the packet view of an intrusion event. See
for more information.
Adding and Modifying Intrusion Event Thresholds
License:
Protection
You can set a threshold for one or more specific rules. You can also separately or simultaneously modify
existing threshold settings. You can set a a single threshold for each. Adding a threshold overwrites any
existing threshold for the rule.
existing threshold settings. You can set a a single threshold for each. Adding a threshold overwrites any
existing threshold for the rule.
For more information on viewing and deleting threshold configurations, see
You can also modify the global threshold that applies by default to all rules and preprocessor-generated
events. For more information, see
events. For more information, see
.
Note that a revert icon (
) appears in a field when you type an invalid value; click it to revert to the
last valid value for that field or to clear the field if there was no previous value.
Tip
A global or individual threshold on a managed device with multiple CPUs may result in a higher number
of events than expected.
of events than expected.
To add or modify event thresholds:
Access:
Admin/Intrusion Admin
Step 1
Select
Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon (
) next to the policy you want to edit.
If you have unsaved changes in another policy, click
OK
to discard those changes and continue. See
for information on saving unsaved changes in another
policy.
The Policy Information page appears.
Step 3
Click
Manage Rules
.
The Rules page appears. By default, the page lists the rules alphabetically by message.
Step 4
Locate the rule or rules where you want to set a threshold. You have the following options:
•
To sort the current display, click on a column heading or icon. To reverse the sort, click again.