
Task 3: Add a Level 2 Rule to Detect the Same Event with 100 Occurrences

In this task, we match the same events selected in Task 2, using the

  • same event types

  • same source and destination IP addresses

  • same destination port

But we want to detect 100 such events instead of 1. One established connection is normal traffic; 100 connections from the same source to the same destination IP and port within a short window is the pattern worth escalating, so the level 2 rule raises the reliability only once that count is reached.

To add a level 2 rule
  1. Click the green plus (+) sign at the right side of the first rule, under the Action heading.

    The New Rule window displays.

  2. In Name for the Rule, type "Established connections", and then click Next.
  3. In Rule name > Plugin, type "cisco-asa" in the search box, and then click Cisco-ASA.

  4. In Rule name > Plugin > Event Type, click Plugin SID from rule of Level 1.

    This selects the same event types as in the level 1 rule.

  5. In Rule name > Plugin > Event Type > Network,

    1. In Source Host / Network, under From a parent rule, select "Source IP from level 1".

      This selects the same source IP address as in the level 1 rule.

    2. Leave the Source Ports empty.

    3. In Destination Host / Network, under From a parent rule, select "Destination IP from level 1".

      This selects the same destination IP address as in the level 1 rule.

    4. In Destination Port(s), under From a parent rule, select "Destination Port from level 1".

      This selects the same destination port as in the level 1 rule.

  6. In Rule name > Plugin > Event Type > Network > Reliability, click +2.

    Note: In this step, you can either choose an absolute value (left column) or a relative value (right column). If you select a relative value, as we did, USM Appliance adds the value to the reliability set in the previous rule, so the reliability of the level 2 rule depends on whatever was chosen for the level 1 rule in Task 2.

  7. Click Finish. The New Directive window closes.

  8. In the Timeout column, click "None" in the second rule, type "30" (seconds), and then click OK.

    The timeout is counted from the moment the level 1 rule matches. If the level 2 rule has not collected its required occurrences before the 30 seconds expire, that directive instance is discarded and level 2 does not fire.

  9. In the Occurrence column, click "1" in the second rule, type "100", and then click OK.

    Figure: Timeout and Occurrence options in the Rules section of the Directives window.
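To make the timeout and occurrence semantics concrete, here is an added Python model of the two-level directive built in Tasks 2 and 3. It is example code written for this page, not the USM Appliance correlation engine or any of its files. It assumes a level 1 reliability of 3 (the page does not show the Task 2 value), uses the SIDs 302013 and 302015 and the addresses, ports and timestamps in the constructed events as placeholders, and assumes that an event which advances an open instance does not also open a second one. The second scenario shows the failure mode from step 8: the same 100 events spread across more than 30 seconds never reach level 2.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """One normalized event as the correlation engine sees it."""
    ts: float      # seconds
    plugin: str    # e.g. "cisco-asa"
    sid: int       # plugin SID (the event type within the plugin)
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port


@dataclass
class Instance:
    """A directive instance opened by a level 1 match; level 2 is pending."""
    first: Event      # the event that matched level 1
    deadline: float   # level 2 must reach `occurrence` events before this time
    count: int = 0    # level 2 events matched so far


class TwoLevelDirective:
    """Level 1: any event from `plugin` whose SID is in `sids` (Task 2).
    Level 2: `occurrence` more events with the same plugin, SIDs, source IP,
    destination IP and destination port within `time_out` seconds of the
    level 1 match (Task 3). Source port is left empty, so it is not compared."""

    def __init__(self, plugin: str, sids: frozenset, level1_reliability: int,
                 occurrence: int = 100, time_out: float = 30.0,
                 reliability_delta: int = 2):
        self.plugin, self.sids = plugin, sids
        self.level1_reliability = level1_reliability
        self.occurrence, self.time_out = occurrence, time_out
        self.reliability_delta = reliability_delta   # the relative "+2" of step 6
        self.instances: List[Instance] = []
        self.alarms: List[Dict] = []

    def _matches_level1(self, ev: Event) -> bool:
        return ev.plugin == self.plugin and ev.sid in self.sids

    def _matches_level2(self, inst: Instance, ev: Event) -> bool:
        f = inst.first   # the "... from level 1" selections in steps 4 and 5
        return (self._matches_level1(ev) and ev.src == f.src
                and ev.dst == f.dst and ev.dport == f.dport)

    def feed(self, ev: Event) -> Optional[Dict]:
        """Process one event; return the level 2 alarm if this event completes it."""
        # An instance whose window closed without `occurrence` matches is dropped
        # and never produces the level 2 alarm (this is what the 30 s timeout does).
        self.instances = [i for i in self.instances if ev.ts <= i.deadline]

        for inst in self.instances:
            if self._matches_level2(inst, ev):
                inst.count += 1
                if inst.count < self.occurrence:
                    # Assumption: an event that advances an open instance does
                    # not also open a second instance.
                    return None
                alarm = {
                    "name": "Established connections",
                    "src": inst.first.src, "dst": inst.first.dst,
                    "dport": inst.first.dport,
                    # relative reliability: level 1 value plus the "+2"
                    "reliability": self.level1_reliability + self.reliability_delta,
                    "events": inst.count + 1,          # level 1 event + level 2 events
                    "window": ev.ts - inst.first.ts,   # seconds since the level 1 match
                }
                self.alarms.append(alarm)
                self.instances.remove(inst)
                return alarm

        if self._matches_level1(ev):
            self.instances.append(Instance(ev, ev.ts + self.time_out))
        return None


def make_events(start: float, n: int, spacing: float, src="10.0.0.5",
                dst="192.0.2.10", dport=443, sid=302013) -> List[Event]:
    """Constructed sample events (not real ASA logs), `spacing` seconds apart."""
    return [Event(start + i * spacing, "cisco-asa", sid, src, dst, dport)
            for i in range(n)]


def run_burst() -> List[Dict]:
    """101 matching events in 10 s: level 1 opens, level 2 reaches 100 in time."""
    d = TwoLevelDirective("cisco-asa", frozenset({302013, 302015}), level1_reliability=3)
    events = make_events(0.0, 101, 0.1)
    # Decoys: same hosts but another destination port, and a SID outside the set.
    events += [Event(5.0, "cisco-asa", 302013, "10.0.0.5", "192.0.2.10", 80),
               Event(5.1, "cisco-asa", 106023, "10.0.0.5", "192.0.2.10", 443)]
    for ev in sorted(events, key=lambda e: e.ts):
        d.feed(ev)
    return d.alarms


def run_slow() -> List[Dict]:
    """51 events, a 35 s gap, then 50 more: the 30 s timeout expires at
    occurrence 50, the instance is discarded, and the new instance opened by the
    first event after the gap only reaches 49. No level 2 alarm fires."""
    d = TwoLevelDirective("cisco-asa", frozenset({302013, 302015}), level1_reliability=3)
    for ev in make_events(100.0, 51, 0.1) + make_events(140.0, 50, 0.1):
        d.feed(ev)
    return d.alarms


if __name__ == "__main__":
    print("burst:", run_burst())
    print("slow: ", run_slow())
```

The burst scenario yields one alarm with reliability 5 (3 from level 1 plus the relative +2) covering 101 events, while the slow scenario yields none even though the same 100 level 2 events eventually arrive. That is the trade-off to keep in mind when choosing the Timeout value: too short and a slow scan never escalates, too long and instances linger for hosts that only ever produced one connection.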

Topic revision: r7 - 29 May 2021, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.