
Task 2: Add a Level 1 Rule to Detect the Event

This task adds a level 1 rule for the directive created in Task 1. In this rule, we try to match one Cisco ASA Access Permitted event on a particular server on port 139.

To add a level 1 rule
  1. In Name for the Rule, type "Established connections", and then click Next.

  2. In Rule name > Plugin, type "cisco-asa" in the search box, and then click Cisco-ASA.

  3. In Rule name > Plugin > Event Type,

    1. Type "permitted" in the search box.

      A list of ASA event types with the word "permitted" in their description displays in the right column.

    2. To select the event types identified, click the plus (+) sign to the right of each event type or click Add all.

    3. Click Next.

  4. In Rule name > Plugin > Event Type > Network,

    1. Select your server from the Assets list under Destination Host / Network.

      The server appears in Destination.

      Note: Leave Source Host / Network and Source Port(s) empty, which means any asset.

    2. In Destination Port(s), type "139".

    3. (Optional) To specify IP reputation parameters, click the green triangle next to Reputation options, change No to Yes, and then select the Min Priority and Min Reliability values.

      Note: For details on IP reputation, see OTX IP Reputation.

    4. Click Next.

  5. In Rule name > Plugin > Event Type > Network > Reliability, click 1.

    Note: We choose a low reliability value because a level 1 rule typically only detects that a certain event has occurred; by itself it does not need to generate an alarm.

  6. Click Finish.

    The New Directive window closes.
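To make the matching semantics of this rule concrete, here is an added Python model (not part of the original page or the product's own code): it encodes the criteria chosen above, runs constructed sample events through them, and computes the OSSIM risk value to show why a reliability of 1 rarely raises an alarm on its own. The field names, event-type labels, server address, and the asset value and directive priority used are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Level1Rule:
    """Criteria the wizard collects: plugin, event types, network, reliability."""
    plugin: str
    event_types: set            # the "permitted" ASA event types picked in step 3
    dst_hosts: set              # the server selected under Destination Host / Network
    dst_ports: set              # Destination Port(s), here {139}
    src_hosts: set = field(default_factory=set)  # empty means any asset (step 4 note)
    src_ports: set = field(default_factory=set)  # empty means any port
    reliability: int = 1        # step 5

def matches(rule, event):
    """True when a normalized event satisfies every criterion of the rule;
    an empty source set matches anything, as the wizard note states."""
    return (event["plugin"] == rule.plugin
            and event["event_type"] in rule.event_types
            and event["dst_ip"] in rule.dst_hosts
            and event["dst_port"] in rule.dst_ports
            and (not rule.src_hosts or event["src_ip"] in rule.src_hosts)
            and (not rule.src_ports or event["src_port"] in rule.src_ports))

def risk(asset_value, priority, reliability):
    """OSSIM risk = (asset * priority * reliability) // 25; an alarm needs >= 1.
    Asset value and directive priority are assumed inputs here."""
    return (asset_value * priority * reliability) // 25

# The rule as configured above; event-type labels and server IP are constructed.
RULE = Level1Rule(plugin="cisco-asa",
                  event_types={"Access permitted", "TCP connection permitted"},
                  dst_hosts={"10.0.0.5"}, dst_ports={139})

def _ev(event_type, src_port, dst_ip, dst_port, plugin="cisco-asa"):
    return {"plugin": plugin, "event_type": event_type, "src_ip": "192.168.1.20",
            "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}

# Constructed sample events, normalized the way a collector would present them.
EVENTS = [
    _ev("Access permitted", 50123, "10.0.0.5", 139),   # matches
    _ev("Access permitted", 50124, "10.0.0.5", 445),   # wrong destination port
    _ev("Access denied",    50125, "10.0.0.5", 139),   # not a "permitted" type
    _ev("Access permitted", 50126, "10.0.0.9", 139),   # different destination host
]

def matching_events(rule=RULE, events=EVENTS):
    """Return the events the level 1 rule would match."""
    return [e for e in events if matches(rule, e)]
```

With reliability 1, only an asset valued 5 under a priority 5 directive reaches risk 1; for ordinary values the matched event is recorded without an alarm, which is the behaviour the note above describes.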

Topic revision: r6 - 29 May 2021, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.