Configuring general settings for security events

Use the general settings area of the Security Events page to enable security events, assign them to protection domains, and set how event information is displayed and logged.

About this task

Navigating in IPS Local Management Interface: Secure Protection Settings > Advanced IPS > Security Events

Navigating in SiteProtector™ Management: select the Security Events policy

Procedure
  1. Click the Add icon.
  2. Complete the following settings:
    Option Description
    Enabled
    Enables the event as part of your security policy. A disabled event does not detect, log, or block anything.
    Protection Domain
    Assigns the event to a protection domain.
    Notes:
    • An event can be assigned to only one protection domain at a time.
    • If you have not configured (or are not using) protection domains, the protection domain appears as "Global" in the list.
    Tips:
    • To configure this event for another domain, copy and rename the event, and then assign the copy to the other domain.
    • If the protection domain you want does not appear in the list, you can configure protection domains in Secure Protection Settings > Advanced IPS > Protection Domains.
    Attack/Audit
    Specifies whether the event is an attack or an audit.
    • Audit: Events that match network traffic seeking information about your network (reconnaissance).
    • Attack: Events that match network traffic seeking to harm your network.
    Note: This area is unavailable when you are creating a custom event.
    Event Name
    Specifies a truncated name for the event. You can click the ellipsis button to choose from a list of names.
    Note: If you are editing an existing event, the event name appears. Click Signature Information to view a brief description of the event.
    Note: In some policies, you can apply the policy to events detected by X-Force. In the Event Name list, filter the events by Issue Name, X-Force Assigned Risk, or IssueID number. Click the IssueID for details. When these events are triggered on the appliance, you can view them in Monitor Health and Statistics > Security and in Review Analysis and Diagnostics > Logs > Security Alerts.
    Severity
    Specifies a severity level for the event: low, medium, or high.
    Protocol
    Specifies a protocol for the event.
    Note: For existing events, this field displays the protocol type, which is not editable.
    Ignore Events
    Instructs the appliance to ignore traffic that matches the criteria set for the event. Because an ignored event is not reported, review ignored entries regularly so that a tuning suppression does not become a permanent blind spot.
    Display
    Specifies how you want to display the event in the management console.
    • No Display: Does not display the detected event.
    • Without Raw: Logs a summary of the event.
    • With Raw: Logs a summary of the event and the associated packet capture.
    Block
    Instructs the appliance to block the attack by dropping the offending packets and sending TCP resets to the connection.
    Log Evidence
    Determines the type of packets to capture when suspicious traffic triggers the event. The appliance writes the capture files to the /var/iss/ directory.
    • None: The appliance captures no traffic.
    • Offending Packet: When the event occurs, the appliance captures the suspicious traffic.
    • Connection: When the event occurs, the appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
    • Interface: When the event occurs, the appliance captures all traffic that passes through the specified interfaces.
    • All Interfaces: When the event occurs, the appliance captures all traffic that passes through all interfaces.
    Note: Interface and All Interfaces capture every packet on the interfaces, not only the matching traffic. The capture files can grow quickly and are likely to contain sensitive payload data, so use these settings for short investigations and restrict access to /var/iss/.
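
The options above interact: an enabled event with Ignore Events set produces nothing, Block combined with No Display drops traffic without a visible trace, and Interface or All Interfaces capture is expensive. The following script, added here as an example and not IBM's code, audits a policy for those combinations. It assumes the policy has been exported or transcribed to CSV with one row per event and the column names shown; the page describes no export format, so that layout and the sample rows are constructed.

```python
"""Audit a Security Events policy for risky option combinations.

Added example (not IBM code). Assumes the policy has been exported or
transcribed to CSV, one row per event, with the column names used below;
the page does not describe an export format, so that layout is assumed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample policy. Columns mirror the options on the page.
SAMPLE_POLICY = """\
event_name,protection_domain,attack_audit,severity,enabled,ignore_events,display,block,log_evidence
SQL_Injection,Global,Attack,high,true,false,With Raw,true,Offending Packet
HTTP_Get_Suspicious,Global,Audit,low,true,false,Without Raw,false,None
SMB_Overflow,DMZ,Attack,high,true,false,No Display,true,None
Legacy_Probe,Global,Audit,medium,true,true,No Display,false,None
DNS_Tunneling,Global,Attack,high,true,false,With Raw,false,All Interfaces
Old_Exploit,Global,Attack,high,false,false,No Display,false,All Interfaces
"""

TRUE_VALUES = {"true", "yes", "1", "on", "enabled"}
BROAD_CAPTURE = {"Interface", "All Interfaces"}


def to_bool(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


@dataclass
class Finding:
    event: str
    domain: str
    rule: str
    message: str


def audit_event(row: dict) -> list:
    """Return the findings for one policy row (empty if the row is clean)."""
    name = row["event_name"].strip()
    domain = row["protection_domain"].strip()
    findings = []

    def flag(rule, message):
        findings.append(Finding(name, domain, rule, message))

    if not to_bool(row["enabled"]):
        return findings  # a disabled event takes no part in the policy

    ignore = to_bool(row["ignore_events"])
    block = to_bool(row["block"])
    display = row["display"].strip()
    evidence = row["log_evidence"].strip()
    high_attack = (row["attack_audit"].strip().lower() == "attack"
                   and row["severity"].strip().lower() == "high")

    if ignore:
        flag("ignored-event",
             "Ignore Events is set; matching traffic is not reported, so "
             "confirm this suppression is still intended")
    if block and display == "No Display":
        flag("silent-block",
             "Block with No Display drops traffic without showing the event "
             "in the console, which hides the cause of connection failures")
    if high_attack and not block and not ignore:
        flag("high-severity-unblocked",
             "High-severity attack event only alerts; consider enabling Block")
    if evidence in BROAD_CAPTURE:
        flag("broad-capture",
             f"Log Evidence={evidence} captures all traffic on the "
             "interface(s) into /var/iss/ when the event fires; expect heavy "
             "disk use and sensitive payload data in the captures")
    return findings


def audit_policy(csv_text: str) -> list:
    """Audit every row of a CSV policy export and return all findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.extend(audit_event(row))
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"[{f.rule}] {f.domain}/{f.event}: {f.message}")
```

Run against the sample, the audit reports the silently blocking SMB_Overflow event in the DMZ domain, the ignored Legacy_Probe, and two findings for DNS_Tunneling (high severity without Block, plus All Interfaces capture); the disabled Old_Exploit row is skipped. Adjust the rules to local policy, for example by treating Connection capture as broad on busy segments.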

What to do next

On the Add Security Events window, you can also configure responses and other settings, such as the applicable XPU, event throttling, and default protection.