Symantec 10521146 Administration Guide - Page 137
Setting severity levels, Search Events
UPC - 037648268134
View all Symantec 10521146 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 137 highlights
Responding 137 Setting response parameters SuperUsers and Administrators can apply the response rule to a specific type of event using Event Type. You can focus the display on a manageable subset of event types with specific characteristics. You can narrow or widen the view by searching for event types that match certain characteristics. To set the Event Type 1 In the Network Security console, click Configuration > Response Rules. 2 Click the Event Type cell of the response rule. 3 In Search Events, select the attack types to which the response rule applies by providing some or all of the following search criteria: ■ In Event Name, enter a name. ■ In Protocol, select a protocol from the pull-down list. ■ In Category, select a category from the pull-down list. ■ In Severity, set a severity level from the pull-down list. ■ In Confidence, set a confidence level from the pull-down list. ■ In Intent, select an intention from the pull-down list. 4 Click Search Events. Search Results displays the total number of items shown in the subset. 5 Click OK to save and exit. Setting severity levels The severity parameter describes the relationship between the action to take in response to an incident and the severity of that incident. Before the analysis process assigns a severity level to an incident, it analyzes the various events that make up the incident according to the following factors: ■ Intrinsic severity of the type of event: An event might consist of an FTP packet transmitted on port 80. Because port 80 is used for HTTP traffic, this event might represent an attack on a Web server. By itself, this example might represent a medium level of intrinsic severity. ■ Level of traffic, if it is a counter event: If Symantec Network Security determines that a series of packets make up a flood attack, the height of the severity level depends on the number and frequency of packets received. ■ Severity of other events in the same incident: Symantec Network Security correlates severity levels from all events in the same incident. By using these variables to perform statistical analysis, Symantec Network Security assigns different severity levels as they apply to an incident. As the