Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Detecting Sensitive Data
To configure sensitive data detection:

Access: Admin/Intrusion Admin

Step 1 Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.

Step 2 Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.

Step 3 Click Advanced Settings in the navigation panel on the left.

Table 28-10 Sensitive Data Configuration Actions (continued)

To...
add or remove application protocols to monitor for a data type
Note that this feature requires Protection and Control licenses.

You can...
click inside the Application Protocols field, or click Edit next to the field. The Application Protocols pop-up window appears:
• To add up to eight application protocols to monitor, select one or more application protocols from the Available list on the left, then click the right arrow (>) button.
• To remove an application protocol, select it from the Enabled list on the right, then click the left arrow (<) button.
Use Ctrl or Shift while clicking to select multiple application protocols. You can also click and drag to select multiple adjacent application protocols.
At least one detector must be enabled (see ) for each application protocol you select. By default, all Cisco-provided detectors are activated. If no detector is enabled for an application protocol, the system automatically enables all Cisco-provided detectors for the application; if none exist, the system enables the most recently modified user-defined detector for the application.
Note: To detect sensitive data in FTP traffic, you must add the Ftp data application protocol and enable the FTP/Telnet preprocessor. See for more information.

To...
create a custom data type

You can...
click the + sign next to Data Types on the left side of the page. The Add Data Type pop-up window appears.
Specify a unique data type name and the pattern you want to detect with this data type and click OK, or click Cancel to abandon your edits. See for more information.

To...
display sensitive data preprocessor rules

You can...
click the Configure Rules for Sensitive Data Detection link above the Global Settings page area. A listing of all sensitive data preprocessor rules appears in a filtered display of the Rules page.
Optionally, you can enable or disable any of the listed rules. Note that you must enable the sensitive data preprocessor rule for each data type that you want to use in your intrusion policy. See for more information.
You can also configure sensitive data rules for any of the other actions available on the Rules page, such as rule suppression, rate-based attack prevention, and so on; see for more information.
Click Back to return to the Sensitive Data Detection page.
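
The constraints stated in the table above (the eight-protocol limit, the detector fallback order, the FTP requirement, and the per-data-type preprocessor rule) can be checked before a policy is applied. The following is an added example, not code from the guide or from Cisco: the dictionary fields, detector names, and the "Badge ID" data type are constructed for illustration and do not correspond to a FireSIGHT API.

```python
# Added example: models the rules stated on this page. Field names and
# sample values are constructed; this is not a FireSIGHT API.
MAX_PROTOCOLS = 8  # "add up to eight application protocols to monitor"

def effective_detectors(detectors):
    """Return detector names the system would use for one application protocol."""
    enabled = [d for d in detectors if d["enabled"]]
    if enabled:
        return sorted(d["name"] for d in enabled)
    cisco = [d for d in detectors if d["cisco"]]
    if cisco:  # none enabled: all Cisco-provided detectors are enabled automatically
        return sorted(d["name"] for d in cisco)
    if detectors:  # no Cisco-provided ones: most recently modified user-defined detector
        return [max(detectors, key=lambda d: d["modified"])["name"]]
    return []

def check_data_type(data_type, detectors_by_protocol, ftp_telnet_enabled, enabled_rules):
    """Return findings for one data type; an empty list means no issue found."""
    findings = []
    protocols = data_type["protocols"]
    if len(protocols) > MAX_PROTOCOLS:
        findings.append(f"{len(protocols)} protocols selected, limit is {MAX_PROTOCOLS}")
    for proto in protocols:
        if not effective_detectors(detectors_by_protocol.get(proto, [])):
            findings.append(f"{proto}: no detector exists, so none can be enabled")
    if "Ftp data" in protocols and not ftp_telnet_enabled:
        findings.append("Ftp data selected but FTP/Telnet preprocessor is disabled")
    if data_type["name"] not in enabled_rules:
        findings.append("sensitive data preprocessor rule is not enabled")
    return findings

# Constructed sample inventory (ISO dates sort correctly as strings).
DETECTORS = {
    "HTTP": [{"name": "cisco-http", "cisco": True, "enabled": False, "modified": "2014-01-10"}],
    "Ftp data": [
        {"name": "custom-ftp-a", "cisco": False, "enabled": False, "modified": "2014-02-01"},
        {"name": "custom-ftp-b", "cisco": False, "enabled": False, "modified": "2014-03-15"},
    ],
}
BADGE_ID = {"name": "Badge ID", "protocols": ["HTTP", "Ftp data", "SMTP"]}

if __name__ == "__main__":
    for proto, dets in DETECTORS.items():
        print(proto, "->", effective_detectors(dets))
    for finding in check_data_type(BADGE_ID, DETECTORS, False, {"Other Type"}):
        print("finding:", finding)
```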