This task adds a level 1 rule for the directive created in Task 1. In this rule, we try to match one Cisco ASA Access Permitted event on a particular server on port 139.
To add a level 1 rule

1. In Name for the Rule, type "Established connections", and then click Next.
2. In Rule name > Plugin, type "cisco-asa" in the search box, and then click Cisco-ASA.
3. In Rule name > Plugin > Event Type,
4. In Rule name > Plugin > Event Type > Network,
5. Select your server from the Assets list under Destination Host / Network.
   The server appears in Destination.
   Note: Leave Source Host / Network and Source Port(s) empty; an empty field matches any asset and any port.
6. In Destination Port(s), type "139".
7. (Optional) To specify IP reputation parameters, click the green triangle next to Reputation options, change No to Yes, and then select the Min Priority and Min Reliability values.
   Note: For details on IP reputation, see OTX IP Reputation.
8. In Rule name > Plugin > Event Type > Network > Reliability, click 1.
   Note: We choose a low reliability value because the level 1 rule typically only detects that a certain event occurs; on its own it does not need to generate an alarm.
9. Click Finish.
   The New Directive window closes.
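The following is an added example, not part of the original documentation: it expresses the level 1 rule configured above as a matcher over constructed, already-normalized events, and shows why reliability 1 does not produce an alarm on its own, using the OSSIM risk formula (asset value x priority x reliability, divided by 25; an alarm is raised when the result is 1 or more). The event field names, the server address 10.0.0.25, the directive priority and asset value in the checks are assumptions chosen for illustration.

```python
# Added example: the level 1 rule from the steps above as a matcher over
# constructed events, plus the OSSIM risk calculation behind the reliability note.

RULE_PLUGIN = "cisco-asa"              # step: Rule name > Plugin
RULE_EVENT_TYPE = "Access Permitted"   # the Cisco ASA event the rule looks for
RULE_DST_PORT = 139                    # step: Destination Port(s)
RULE_RELIABILITY = 1                   # step: Reliability, click 1
SERVER_ASSETS = {"10.0.0.25"}          # placeholder for "your server" from the Assets list


def matches_level1(event, dst_assets=SERVER_ASSETS):
    """True if a normalized event satisfies the level 1 rule.

    Source Host / Network and Source Port(s) were left empty in the wizard,
    so the source fields are deliberately not checked here (any source matches).
    """
    return (
        event.get("plugin") == RULE_PLUGIN
        and event.get("event_type") == RULE_EVENT_TYPE
        and event.get("dst_ip") in dst_assets
        and event.get("dst_port") == RULE_DST_PORT
    )


def ossim_risk(asset_value, priority, reliability):
    """OSSIM risk: (asset value 0-5 * directive priority 0-5 * reliability 0-10) / 25,
    truncated to an integer. The event becomes an alarm when the risk is >= 1."""
    return (asset_value * priority * reliability) // 25


def raises_alarm(asset_value, priority, reliability):
    """Whether a rule match with these values would be promoted to an alarm."""
    return ossim_risk(asset_value, priority, reliability) >= 1


# Constructed sample events (assumed field names; not real log data).
SAMPLE_EVENTS = [
    # Matches: permitted connection to the server on 139 from any source.
    {"plugin": "cisco-asa", "event_type": "Access Permitted",
     "src_ip": "192.168.1.10", "src_port": 51234, "dst_ip": "10.0.0.25", "dst_port": 139},
    # Wrong destination port.
    {"plugin": "cisco-asa", "event_type": "Access Permitted",
     "src_ip": "192.168.1.11", "src_port": 51235, "dst_ip": "10.0.0.25", "dst_port": 445},
    # Denied, not permitted.
    {"plugin": "cisco-asa", "event_type": "Access Denied",
     "src_ip": "192.168.1.12", "src_port": 51236, "dst_ip": "10.0.0.25", "dst_port": 139},
    # Right port, but a different destination host.
    {"plugin": "cisco-asa", "event_type": "Access Permitted",
     "src_ip": "192.168.1.13", "src_port": 51237, "dst_ip": "10.0.0.99", "dst_port": 139},
]


def matching_events(events=SAMPLE_EVENTS):
    """Return the subset of events the level 1 rule would match."""
    return [e for e in events if matches_level1(e)]


if __name__ == "__main__":
    for e in matching_events():
        print("level 1 match:", e["src_ip"], "->", e["dst_ip"], e["dst_port"])
    # Assumed asset value 2 and directive priority 3 for the illustration.
    print("risk at reliability 1:", ossim_risk(2, 3, RULE_RELIABILITY),
          "alarm:", raises_alarm(2, 3, RULE_RELIABILITY))
```

With an asset value of 2 and a directive priority of 3, reliability 1 gives a risk of 0, so the level 1 match is recorded as an event only; the higher reliability of later levels in the directive is what pushes the risk to 1 or more and produces the alarm.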