User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Configuring Settings for Event Actions

Enable Event Action Summarizer
(IPS appliances and service modules only.)

When selected, enables the Summarizer component. The Summarizer
groups events into a single alert, thus decreasing the number of alerts
the sensor sends out.

By default, the Summarizer is enabled. If you disable it, all signatures
are set to Fire All with no summarization. If you configure individual
signatures to summarize, this configuration is ignored when the
Summarizer is not enabled.

The Report Manager component of Cisco Security Manager reports
events individually. The Event Viewer component of Cisco Security
Manager displays alerts. As stated above, the Summarizer groups
events into a single alert, thus decreasing the number of alerts the
sensor sends out.

Tip: Cisco IPS Manager Express (IME) and Cisco Security Manager
do not summarize events in precisely the same way.

Enable Meta Event Generator
(IPS appliances and service modules only.)

When selected, enables the Meta Event Generator. The Meta Event
Generator processes the component events, which lets the sensor watch
for suspicious activity transpiring over a series of events.

By default, the Meta Event Generator is enabled. If you disable the
Meta Event Generator, all Meta engine signatures are disabled.

Enable Threat Rating Adjustment
(IPS appliances and service modules only.)

When selected, enables threat rating adjustment, which adjusts the risk
rating. If disabled, risk rating is equal to threat rating. Available in
sensors running IPS 6.0+ software only.

The Threat Rating feature provides a single view of the threat
environment of the network. Threat Rating minimizes alarms and
events through a customized view that shows only events with a high
Threat Rating value. The Threat Rating value is derived as follows:

- Dynamic adjustment of event Risk Rating based on success of
  response action
- If response action was applied, Risk Rating is deprecated (Threat
  Rating < Risk Rating)
- If response action was not applied, Risk Rating remains unchanged
  (Threat Rating = Risk Rating)

The result is a single value by which the threat risk is determined.

Deny Attacker Duration in seconds
(All device types.)

The number of seconds to deny the attacker inline.
The range is 0 to 518400. The default is 3600.

Block Attack Duration in minutes
(IPS appliances and service modules only.)

The number of minutes to block a host or connection.
The range is 0 to 10000000. The default is 30.

Table 39-8 Event Actions Settings Policy (Continued)
Element Description