FireSIGHT System User Guide

Chapter 28      Detecting Specific Threats
  Detecting Sensitive Data

Using Predefined Data Types

License: Protection
Each intrusion policy includes predefined data types for detecting commonly used data patterns such as credit card numbers, email addresses, U.S. phone numbers, and U.S. Social Security numbers with and without dashes. Each predefined data type is associated with a single sensitive data preprocessor rule that has a generator ID (GID) of 138. You must enable the associated sensitive data rule to enable detection, and event generation, for each data type you want to use in your policy. See [cross-reference omitted] for information on enabling rules in an intrusion policy.

To help you enable sensitive data rules, a link on the configuration page takes you to a filtered view of the Rules page that displays all predefined and custom sensitive data rules. You can also display only predefined sensitive data rules by selecting the sensitive-data rule filtering category on the Rules page. See [cross-reference omitted] for more information. Predefined sensitive data rules are also listed on the Rule Editor page (Policies > Intrusion > Rule Editor), where you can view but not
Table 28-8      Individual Data Type Options

Data Type
    Displays the unique name for the data type.

Threshold
    Specifies the number of occurrences of the data type when the system generates an event. You receive an error message when you save the policy if you do not set a threshold for an enabled data type. You can specify 1 through 255.
    Note that the preprocessor generates one event for a detected data type per session. Note also that global threshold events are independent of individual data type events; that is, the preprocessor generates an event when the data type event threshold is reached, regardless of whether the global event threshold has been reached, and vice versa.

Destination Ports
    Specifies destination ports to monitor for the data type. You can specify a single port, a comma-separated list of ports, or any, meaning any destination port. You receive an error message when you save the policy if you enable the rule for a data type without setting at least one port or application protocol for the data type.

Application Protocols
(Note that this feature requires Protection and Control licenses.)
    Specifies up to eight application protocols to monitor for the data type. You receive an error message when you save the policy if you enable the rule for a data type without setting at least one port or application protocol for the data type.
    At least one detector must be enabled (see [cross-reference omitted]) for each application protocol you select. By default, all Cisco-provided detectors are activated. If no detector is enabled for an application protocol, the system automatically enables all Cisco-provided detectors for the application; if none exist, the system enables the most recently modified user-defined detector for the application.
    See [cross-reference omitted] for detailed instructions for selecting application protocols for data types.

Pattern
    For a custom data type, the specified pattern to detect (data patterns for data types provided by Cisco are predefined). See [cross-reference omitted] for more information. The web interface does not display built-in patterns for predefined data types.
    Note that custom and predefined data patterns are system-wide.
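The following Python model, added here as an illustrative example and not Cisco's own code, shows the option semantics from Table 28-8 in a runnable form: the policy-save validation (threshold 1 through 255 on an enabled data type, at least one port or application protocol, at most eight application protocols) and the per-session counting in which each data type raises one event when its own threshold is reached, independently of the global threshold. The regular expressions, the packet contents and the rule that a data type applies when either a listed port or a listed application protocol matches are constructed assumptions; the web interface does not expose Cisco's built-in patterns, and the global threshold is modelled here as the total number of occurrences across all data types in the session.

```python
"""Illustrative model of sensitive data preprocessor option handling.

Constructed example based on the Table 28-8 descriptions; it is not the
FireSIGHT implementation. Patterns and sample traffic are made up.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Union

Port = Union[int, str]  # an integer destination port or the literal "any"


@dataclass
class DataType:
    name: str
    pattern: str                  # constructed regex, not a Cisco built-in pattern
    threshold: int                # occurrences per session before an event (1..255)
    destination_ports: Set[Port] = field(default_factory=set)
    application_protocols: List[str] = field(default_factory=list)
    enabled: bool = True


def validate_data_type(dt: DataType) -> List[str]:
    """Return the error messages a policy save would report for this data type."""
    errors = []
    if dt.enabled:
        if not 1 <= dt.threshold <= 255:
            errors.append(f"{dt.name}: threshold must be set to 1 through 255")
        if not dt.destination_ports and not dt.application_protocols:
            errors.append(f"{dt.name}: set at least one port or application protocol")
    if len(dt.application_protocols) > 8:
        errors.append(f"{dt.name}: at most eight application protocols are allowed")
    return errors


def _applies(dt: DataType, dst_port: int, app_protocol: Optional[str]) -> bool:
    # Assumption: a data type is inspected when a listed port OR a listed
    # application protocol matches the packet.
    port_ok = "any" in dt.destination_ports or dst_port in dt.destination_ports
    app_ok = app_protocol is not None and app_protocol in dt.application_protocols
    return port_ok or app_ok


class SessionMonitor:
    """Counts data type occurrences for one session and records events."""

    def __init__(self, data_types: List[DataType], global_threshold: int):
        self.data_types = [dt for dt in data_types if dt.enabled]
        self.global_threshold = global_threshold
        self.counts = {dt.name: 0 for dt in self.data_types}
        self.fired = set()          # data types that already produced their one event
        self.total = 0              # occurrences across all data types (global threshold)
        self.global_fired = False
        self.events = []

    def inspect(self, dst_port: int, app_protocol: Optional[str], payload: str):
        for dt in self.data_types:
            if not _applies(dt, dst_port, app_protocol):
                continue
            hits = len(re.findall(dt.pattern, payload))
            if hits == 0:
                continue
            self.counts[dt.name] += hits
            self.total += hits
            # One event per data type per session, independent of the global threshold.
            if dt.name not in self.fired and self.counts[dt.name] >= dt.threshold:
                self.fired.add(dt.name)
                self.events.append(("data_type", dt.name, self.counts[dt.name]))
            # The global event is likewise independent of individual data type events.
            if not self.global_fired and self.total >= self.global_threshold:
                self.global_fired = True
                self.events.append(("global", None, self.total))
        return self.events


# Constructed data types (thresholds, ports and patterns are illustrative).
SSN_DASHES = DataType("ssn_dashes", r"\b\d{3}-\d{2}-\d{4}\b", threshold=2,
                      destination_ports={"any"})
EMAIL = DataType("email", r"[\w.+-]+@[\w-]+\.[\w.]+", threshold=3,
                 destination_ports={25, 80}, application_protocols=["SMTP", "HTTP"])

# Constructed session: (destination port, application protocol, payload).
SAMPLE_SESSION = [
    (80, "HTTP", "id 123-45-6789"),
    (80, "HTTP", "contact a@b.com about 987-65-4321"),
    (443, "HTTPS", "x@y.com"),                 # email not monitored on 443/HTTPS
    (25, "SMTP", "c@d.com, 111-22-3333"),
]


def run_example(global_threshold: int = 4):
    """Replay the constructed session; returns (events, per-data-type counts)."""
    monitor = SessionMonitor([SSN_DASHES, EMAIL], global_threshold)
    for port, app, payload in SAMPLE_SESSION:
        monitor.inspect(port, app, payload)
    return monitor.events, dict(monitor.counts)


if __name__ == "__main__":
    for dt in (SSN_DASHES, EMAIL):
        print(dt.name, "validation errors:", validate_data_type(dt))
    events, counts = run_example()
    print("events:", events)
    print("counts:", counts)
```

In the replayed session the SSN data type reaches its threshold of 2 on the second packet and fires once; its third occurrence on the last packet raises no further event but does push the session total to 4, which fires the global event even though the email data type never reaches its own threshold of 3.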