Add or modify a rule
- Select Logs > Security Incidents > Rules
- Click Add or select an existing security rule and click Modify.
- Click in the Name field and enter a name for this security rule.
- Use the table below to enter the security rule information.
- Click OK to save your security rule.
Settings

| Field | Definition |
|---|---|
| Rule Enabled | Select this check box to activate the security rule. |
| Name | A unique name for this security rule. |
| Trigger | The trigger that will activate the rule. You can use the icons next to the Trigger field to add a new trigger or modify the trigger shown in the drop-down menu. When you modify this trigger, it is modified for all security rules that make use of the trigger. |
| User/Host Profile | Indicates whether the rule must match or not match the host profile selected from the drop-down menu. You can use the icons next to the Host Profile field to add a new host profile or modify the profile shown in the drop-down menu. A host profile is not applied to the trigger when None is selected. |
| Action | The action assigned to the security rule. You can select whether the action should be manual or automatic. You can use the icons next to the Action field to add a new action or modify the action shown in the drop-down menu. Note that by selecting None, an action is not assigned to the trigger. |
| Send Email when Rule is Matched | Select this check box to automatically send an email to the selected administrator group when the security rule creates an alarm. |
| Admin Group drop-down menu | Select the administrator group list that will receive the email when an alarm is created. |
| Send Email when Action is Taken | Select this check box to automatically send an email to the selected administrator group when the action associated with the security rule is taken. |
| Admin Group drop-down menu | Select the administrator group to be notified when the action associated with the security rule is taken. |
| Admin Group Email Content | When you select Send Email when Rule is Matched and/or Send Email when Action is Taken, the email message sent to the selected Admin group contains information such as the security rule that was matched, the date and time of the alarm, the host and MAC address information, severity, and location of the host. An example of the email content follows the table. |

The following is an example of the content included in the email:

    Security Rule Matched = PA_test
    Alarm Date/Time = 2015-09-28 17:04:36.0
    User ID = testuser No owner
    Host Name = testuser-PC
    Host OS = Windows 7 Professional 6.1 Service Pack 1
    Host Hardware =
    Host MAC addresses = 5C:26:0A:44:53:1D,00:24:D7:A2:24:5C,00:50:56:C0:00:01,00:50:56:C0:00:08
    Host IP addresses = 192.168.10.139,192.168.4.169,192.168.204.1,192.168.74.1
    Host Locations = Concord-3750 Fa3/0/6,Concord_Cisco_1131.example.com VLAN 4
    Date = 2015-09-28 17:04:35.0
    Alert Type = THREAT
    Severity = null
    ThreatID = null
    Description = HTTP OPTIONS Method(30520)
    Source IP = 192.168.10.139
    Source MAC = 5C:26:0A:44:53:1D
    Destination IP = 23.96.61.106
    Location = Concord-3750 Fa3/0/6
    Vendor = PaloAlto