CHAPTER 9: USING EVENT RULES
Implementing Business Policies

Some organizations and network administrators have specific policies about how the network can be used, in general or at different times of day. Detect Network Misuse and Detect Unauthorized Machine Access event rules are powerful tools for detecting behavior that does not conform to such policies.
You might require that most of your network bandwidth be available for backups at night. You could configure a Detect Network Misuse event rule to spot significant traffic during the night that is not backup traffic.
You might also require that bandwidth be available on certain links for certain activities at certain times of day. For example, you could use a Detect Network Misuse event rule to spot Web traffic on a WAN link during working hours.
You can create Detect Unauthorized Machine Access event rules to check that only authorized devices access important machines at critical times, for example, during backup.
As all rules have a time filter, you can configure event rules that only apply at certain times of day. For example, you could configure a Monitor Critical Devices event rule to generate an event if the behavior of your backup server changes significantly during the night.
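As an added illustration, not the product's own rule syntax or code, the following Python sketch evaluates the three time-filtered policy checks described above over constructed flow records. The night and working-hours windows, the backup server address and port, the authorized-client list, the link labels and the byte threshold are all assumed placeholder values.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Flow:
    ts: datetime      # time the flow was observed
    src: str          # source address
    dst: str          # destination address
    dport: int        # destination port
    link: str         # "lan" or "wan" (hypothetical link label)
    nbytes: int       # bytes transferred

# Hypothetical site policy (placeholder values, not from the manual)
BACKUP_SERVER = "10.0.0.5"
BACKUP_PORT = 10000                     # port the backup software uses
AUTHORIZED_CLIENTS = {"10.0.1.10", "10.0.1.11"}
NIGHT, WORKDAY = (22, 6), (9, 17)       # hour ranges; NIGHT wraps past midnight
NIGHT_NON_BACKUP_LIMIT = 50_000_000     # bytes of non-backup traffic tolerated at night

def in_window(hour, start, end):
    """Time filter: is hour inside [start, end)? Handles windows that wrap midnight."""
    return start <= hour < end if start < end else (hour >= start or hour < end)

def night_misuse(flows):
    """Detect Network Misuse: significant traffic at night that is not backup traffic."""
    total = sum(f.nbytes for f in flows
                if in_window(f.ts.hour, *NIGHT) and f.dport != BACKUP_PORT)
    return total > NIGHT_NON_BACKUP_LIMIT

def wan_web_in_hours(flows):
    """Detect Network Misuse: Web traffic on the WAN link during working hours."""
    return [f for f in flows
            if f.link == "wan" and f.dport in (80, 443) and in_window(f.ts.hour, *WORKDAY)]

def unauthorized_backup_access(flows):
    """Detect Unauthorized Machine Access: only authorized hosts may reach the backup server at night."""
    return [f for f in flows
            if f.dst == BACKUP_SERVER and in_window(f.ts.hour, *NIGHT)
            and f.src not in AUTHORIZED_CLIENTS]

# Constructed sample flows for one day, not real captured data
SAMPLE_FLOWS = [
    Flow(datetime(2024, 1, 1, 2, 0), "10.0.1.10", BACKUP_SERVER, BACKUP_PORT, "lan", 80_000_000),  # backup
    Flow(datetime(2024, 1, 1, 3, 15), "10.0.2.40", "203.0.113.9", 443, "wan", 60_000_000),       # night download
    Flow(datetime(2024, 1, 1, 11, 0), "10.0.2.41", "198.51.100.7", 80, "wan", 1_000_000),        # web in hours
    Flow(datetime(2024, 1, 1, 23, 30), "10.0.2.42", BACKUP_SERVER, 22, "lan", 5_000),            # unauthorized
]
print(night_misuse(SAMPLE_FLOWS), wan_web_in_hours(SAMPLE_FLOWS), unauthorized_backup_access(SAMPLE_FLOWS))
```

Each rule function returns the events it raises for the sample day: the night download trips the misuse threshold, the daytime Web flow on the WAN link is flagged, and the unlisted host reaching the backup server at night is reported.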