A threat event report is a report of traffic that has been dropped, or that has generated an alert, after matching one of Cisco Talos' intrusion policies. In most cases, there's no need to tune IPS rules. If necessary, you have the option to override how an event is handled by changing the matching rule action in Security Cloud Control.
Note the following behaviors of the Threats page:
-
Threat events that are displayed are not live. Devices are polled hourly for additional Threat events.
-
Threat events that are not included in the Live or Historical view are not part of Cisco Security Analytics and Logging.
-
To see Threat events that you've hidden from view, click the filter icon and check the view hidden option.
-
If you are a subscriber to Cisco Security Analytics and Logging , the events you see in Threat Events table do not contain events sent to the Secure Event Connector.
Procedure
Step 1 | In the left pane, click . You can filter what events are shown and search by source IP address. |
Step 2 | Click on a threat event to expand the details panel on the right.
-
For more information on the rule, click the Rule Document URL in the Rule Details section.
-
To hide this event, check the toggle switch for Hide Events. The event handling continues as is, but you won't see it here, unless you click View Hidden or un-hide this event.
-
To edit rule overrides, click Tune Rule. When you change a rule action in Security Cloud Control, the override applies to all the pre-defined policies. This is different than in the FDM-managed device where each rule can be different from policy to policy.
Note |
Security Cloud Control provides the ability to tune rules on FDM-managed devices that run software versions 6.4.x.x through 6.6.0.x and 6.6.1.x. Security Cloud Control currently does not support rule tuning on FDM-managed Version 6.7.
|
-
To edit rule overrides by device, check the Advanced Options slider. This section shows you the configured rule action for each device, which you can change by checking the affected device, selecting an override action, and clicking Save.
-
Affected Devices does not indicate the source devices. Instead, it shows the FDM-managed devices reporting the event.
Note |
-
Click the refresh () button to refresh the table that shows threats based on the current search filters.
-
Click the export () button to download the current summary of the threats to a comma-separated value (.csv) file. You can open the .csv file in a spreadsheet application such as Microsoft Excel to sort and filter the items on your list. Security Cloud Control exports the basic threat details to the file except for additional information such as time, source, and device.
|
|
Step 3 | Review and deploy now the changes you made, or wait and deploy multiple changes at once. |