User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Configuring Event Action Overrides
You can add an event action override to change the actions associated with an event based on the risk
rating of that event. Event action overrides are a way to add event actions globally without having to
configure each signature individually.
Each event action has an associated risk rating range. If a signature event occurs and the risk rating for
that event falls within the range for an event action, that action is added to the event. For example, if you
want any event with a risk rating of 85 or more to generate an SNMP trap, you can create an event action
override for Request SNMP Trap with the risk rating 85-100.
Tip If you want to prevent the use of action overrides, you can disable the entire event action override
component as described in Configuring Settings for Event Actions, page 39-21.
Related Topics
Understanding the IPS Event Action Process, page 39-1
Step 1 Do one of the following to open the Event Action Overrides policy:
• (Device view) Select IPS > Event Actions > Event Action Overrides from the Policy selector.
• (Policy view, IPS appliances and service modules) Select IPS > Event Actions > Event Action
  Overrides, then select an existing policy or create a new one.
• (Policy view, Cisco IOS IPS devices) Select IPS (Router) > Event Actions > Event Action
  Overrides, then select an existing policy or create a new one.
The table shows the existing overrides, including the action, the risk rating of the alerts the action will
be added to, and whether the rule is enabled. The order of the rules does not matter: all overrides that
apply to an alert add the associated actions.
The table can have at most a single entry for each possible action.
Step 2 Configure the desired overrides:
• To add a new override, click the Add Row (+) button beneath the table and fill in the Add Event
  Action Override dialog box. In the dialog box, select the action you want to add, enter the rating
  range of the alerts to which you are adding the action (for example, 90-100), and click OK. For more
  information, see Event Action Override Dialog Box, page 39-14.
  The risk rating range must be between 0 and 100. Separate the low and high of the range with a
  hyphen, for example, 80-90.
• To edit an override (to disable it or to change the risk rating), select the override and click the
  Edit Row (pencil) button. You cannot change the event action.
• To remove an override, select it and click the Delete Row button.
Note Policies for IPS appliances and service modules include a default override for Deny
Packet Inline, which you cannot delete. If you do not want to use that override, disable
it.
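
The override behavior described in this section, modeled as an added Python example. It is not Cisco code or a Security Manager API; the function names and the sample table are constructed for illustration, and the check that the low end does not exceed the high end is an assumption. It validates the range format, enforces one entry per action, and returns the actions that the overrides add to an event with a given risk rating.

```python
import re

def parse_range(text):
    """Parse 'low-high' (for example '85-100'); both ends must lie in 0..100."""
    m = re.fullmatch(r"(\d{1,3})-(\d{1,3})", text)
    if not m:
        raise ValueError(f"range must be written low-high, got {text!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if not (0 <= low <= high <= 100):  # low <= high is an assumption of this model
        raise ValueError(f"range must satisfy 0 <= low <= high <= 100: {text!r}")
    return low, high

def build_table(rows):
    """rows: (action, range_text, enabled). The table holds one entry per action."""
    table = {}
    for action, range_text, enabled in rows:
        if action in table:
            raise ValueError(f"duplicate override for action {action!r}")
        table[action] = (parse_range(range_text), enabled)
    return table

def actions_for(risk_rating, table, overrides_enabled=True):
    """Return the set of actions the overrides add to an event with this rating."""
    if not overrides_enabled:  # the entire override component is disabled
        return set()
    # Row order is irrelevant: every enabled override whose range matches applies.
    return {action for action, ((low, high), enabled) in table.items()
            if enabled and low <= risk_rating <= high}

# Constructed sample table (ranges are illustrative, not product defaults).
SAMPLE = build_table([
    ("Deny Packet Inline", "90-100", False),  # disabled rather than deleted
    ("Request SNMP Trap", "85-100", True),
    ("Produce Verbose Alert", "80-90", True),
])

if __name__ == "__main__":
    for rr in (84, 87, 95):
        print(rr, sorted(actions_for(rr, SAMPLE)))
```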