
Using Event Rules 77
Specifying the Time Filter
With certain types of event rule, you can specify the times at which rules apply. For example, you could choose to restrict unauthorized traffic at all times, or only during certain periods.
Specifying Sensitivity
For most event rule types, you can specify how sensitive you want the rule to be:
■ Security event rules — high sensitivity generally means that only a small amount of prohibited traffic is required for an event to be generated.
■ Traffic event rules — high sensitivity generally means that events are generated in response to small changes in the behavior of the device, connection or network being monitored.
When you create an event rule, you can set its sensitivity approximately using a simple slider. However, you might find it easier to create a rule and then adjust its sensitivity in response to the number of events that it generates. The Event List makes it easy for you to adjust the sensitivity of event rules in this way. See Chapter 10, “Viewing Events”, for further information.
To specify sensitivity with more precision, or to understand exactly what the sensitivity of a rule means, open the Thresholds tab in the Sensitivity dialog box in the Event Rule Creation Wizards.
Using Event Rules
Below are some suggestions about configuring event rules to give you more information about the behavior of your own particular network.
Some of these ideas may not be applicable to your network.
Monitoring Your Network as a Whole
Spotting General Long Term Trends
You can configure a Monitor Network Trends event rule to generate an event if the usage of your network fluctuates. An event rule of this type, Detect changes on local network, is preconfigured.
You could also use a Segment Activity report if you would rather view data on your network periodically. See “Segment Activity Report” on page 103 for more information.