This task adds a level 1 rule for the directive created in Task 1. In this rule, we try to match one Cisco ASA Access Permitted event on a particular server on port 139.
To add a level 1 rule
In Name for the Rule, type "Established connections", and then click Next.
In Rule name > Plugin, type "cisco-asa" in the search box, and then click Cisco-ASA.
In Rule name > Plugin > Event Type,
In Rule name > Plugin > Event Type > Network,
Select your server from the Assets list under Destination Host / Network.
The server appears in Destination.
Note: Leave Source Host / Network and Source Port(s) empty, which means any asset.
In Destination Port(s), type "139".
(Optional) To specify IP reputation parameters, click the green triangle next to Reputation options, change No to Yes, and then select the Min Priority and Min Reliability values.
Note: For details on IP reputation, see OTX IP Reputation.
In Rule name > Plugin > Event Type > Network > Reliability, click 1.
Note: We choose a low reliability value because a level 1 rule typically only detects that a certain event has occurred; it does not need to generate an alarm.
Click Finish.
The New Directive window closes.