Rules

Navigate to Policy > Rules to see an overview of all rules currently configured in the system. Rules are flow-specific, i.e. they are only applied to traffic flows matching the conditions specified in the rule.

The overview table displays the rules that are defined in the system and gives a summary of their configuration (for further information, see Rules Settings). The slider switch in the first column allows you to enable (on) or disable (off) the respective rule. The buttons in the last column allow you to edit, copy or delete the rule.

Tip

You can hover the mouse over the entries in the table to see a tooltip displaying the defined options, where applicable.

Global rules, which are applied to all traffic, are placed at the top of the table. Rules used in correlation scenarios are grouped by scenario (see Advanced Correlation).

Note

The rules are processed from top to bottom. It is therefore recommended to place more specific rules at the top of the table and rules that apply to a broader range of traffic at the bottom. To reorder global rules, click the ACTIVATE GLOBAL RULES REORDER button above the table. Move the rules to the desired positions using drag and drop. Correlation scenarios can be reordered under Policy > Advanced Correlation.

To add a new global rule to the system, click the Add Global Rule button above the overview table.

Note

Global rules cannot be added to advanced correlation scenarios. To create rules for Advanced Correlation scenarios, you need to create them directly in the respective scenario. Click the name of the scenario to access its settings screen (see Advanced Correlation Scenario Settings). In the Rules tab, click Add.

Rules Settings

When you add a new rule or edit an existing one, the settings screen is displayed.

The General section provides the following options:

Field

Description

on/off

The slider switch indicates whether the rule is enabled or disabled.

Name

Enter the name of the rule.

Note

Optional: Add a short description of the rule.

Statistics

This section displays the number of hits per second of this rule in a time chart. Hover the mouse over the chart to see the individual values in a tooltip.

In the Schedule section, you can specify a time frame during which the rule is active:

Field

Description

on/off Schedule

Click the slider switch to enable a time schedule for the rule.

Include

Click this button if you want the rule to be active during the selected period of time. Outside of this time period, the rule is inactive.

Exclude

Click this button if you want the rule to be inactive during the selected period of time. Outside of this time period, the rule is active.

Schedule

From the drop-down list, select the schedule you want to activate for the rule. You can only select one schedule at a time.

ADD SCHEDULE

Click this button to open the schedule settings screen and create a new time schedule (see Schedules).

The Source & Destination section provides the following options:

Field

Description

Source Networks

Specify the source networks of the traffic flows to which the rule is to be applied. The default setting is Any, i.e. the rule matches traffic from all source networks. You can select static network objects (preceded by S:) and dynamic network objects (preceded by D:) here. You can also type in the input field to narrow down the list to the sources whose names contain the characters you are typing. Click x next to an element to remove individual networks from the selection.

Destination Networks

Specify the destination networks of the traffic flows to which the rule is to be applied. The default setting is Any, i.e. the rule matches traffic directed to all destination networks. You can select static network objects (preceded by S:) and dynamic network objects (preceded by D:) here. You can also type in the input field to narrow down the list to the destinations whose names contain the characters you are typing. Click x next to an element to remove individual networks from the selection.

ADD DYNAMIC NETWORK OBJECT

Click this button to open the dynamic network objects settings screen and create a new dynamic network object (see Dynamic Network Objects). If you click this button in a global rule, you create a global dynamic network object. If the rule belongs to an advanced correlation scenario, the dynamic network object will be created inside the scenario.

ADD STATIC NETWORK OBJECT

Click this button to open the static network objects settings screen and create a new static network object (see Static Network Objects).

The Advanced Correlation Conditions section is only available for rules that are created in advanced correlation scenarios. It contains the following elements:

Field

Description

Event in Event Tracking Table

Enable this option to compare the traffic to the events in an event tracking table. From the drop-down list, select the Event Tracking Table you want to use for comparison. Click ADD EVENT TRACKING TABLE to open the event tracking tables settings screen and create a new table (see Event Tracking Tables). Select the elements you want to compare to the primary and secondary attributes of the events from the respective drop-down lists. The rule only matches the traffic if the comparison is successful.

Number of Similar Events in Event Tracking Table

Enable this option to count the number of events in an event tracking table. From the drop-down list, select the Event Tracking Table you want to count the events in. Click ADD EVENT TRACKING TABLE to open the event tracking tables settings screen and create a new table (see Event Tracking Tables). Under Count all Entries with Primary Attribute equal to, specify which entries you want to count. Under Minimum Number of Entries, specify the minimum number of entries that have to be counted for the rule to match.

In the Conditions section, click the slider switches to enable the conditions you want to activate for the rule.

Note

You can enable any number of rule conditions. Conditions are AND-connected. This means, if you activate multiple conditions in a rule, the rule only matches if the traffic fulfills all active conditions. If you select multiple elements within a condition, those elements are OR-connected.

When you enable a condition, dedicated input fields are displayed for this condition:

Field

Description

Assets

Enable this option to apply the rule to traffic generated by specific assets. Select the asset tags that you want to use as source and/or destination in the rule. You can create new tags by entering them in the fields. Click x next to an element to remove individual tags from the selection.

Users

Enable this option to apply the rule to traffic generated by specific users. Click into the field and select the respective users from the list. You can also type in the input field to narrow down the list to the users whose names contain the characters you are typing. Click x next to an element to remove individual elements from the selection.

GeoIP

Enable this option to check the traffic by Source Countries and/or Destination Countries. Click into the field and select the required countries from the list. You can also type in the input field to narrow down the list to the countries whose names contain the characters you are typing. Click x next to an element to remove individual countries from the selection. If you enable Include, the rule matches the selected countries. If you enable Exclude, the rule matches all but the selected countries.

Layer 4 Protocol

Enable this option to check the traffic by layer 4 protocols used. Click into the field and select the required protocols from the list. You can also type in the input field to narrow down the list to the protocols whose names contain the characters you are typing. Click x next to an element to remove individual elements from the selection.

Layer 4 Port

Enable this option to check the traffic by layer 4 ports used. Enter the Source Ports and/or Destination Ports into the fields. The port numbers have to be separated by commas.

Classification

Enable this option to explicitly include or exclude applications and protocols in/from the rule. Click into the respective field and select the applications (preceded by A:) and protocols (preceded by P:) from the list. You can also type in the input fields to narrow down the list to the applications and protocols whose names contain the characters you are typing. Click x next to an element to remove individual elements from the selection. Threat Defender also provides groups of applications and protocols (preceded by G:).

Threats Indicators

Enable this option to select threat intelligence indicators to include in the rule. Select the tags you want to include by clicking into the respective field and selecting the tags from the list. You can also type in the input fields to narrow down the list to the tags whose names contain the characters you are typing. Click x next to an element to remove individual elements from the selection.

Intrusion Prevention System

Enable this option to specify the IPS rules that the rule is to be applied to. Click into the field and select the IPS tags from the list. You can also type in the input field to narrow down the list to the tags whose names contain the characters you are typing. Click x next to an element to remove individual elements from the selection.

If the Respect/Ignore Suricata Alert Threshold slider switch is set to on, an IPS rule that carries a threshold keyword (type threshold, limit or both) only matches when its threshold condition is met. This reduces the number of alerts generated by frequently hit rules. Rules that do not contain a threshold match on every hit. Note that threshold counters are kept per source or destination host (track by_src or by_dst), not per flow, so hits from one host across many flows share a single counter.
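To make the threshold semantics concrete, the following Python simulation (an added example, not Threat Defender or Suricata code) parses the threshold keyword out of a Suricata rule and replays constructed hit events against it. The rule text, hosts and timestamps are made up for the example; the limit/threshold/both behaviour follows Suricata's documented semantics in simplified form, and the respect_threshold flag mirrors the slider switch.

```python
"""Simulation of the Suricata threshold keyword that the Respect/Ignore
Suricata Alert Threshold switch honours. Added example, not Threat Defender
or Suricata code; the semantics follow Suricata's documented rule threshold
types (limit, threshold, both) with track by_src / by_dst. Timestamps are
plain integers (seconds); the sample rule and events below are constructed."""
import re
from typing import Optional

THRESHOLD_RE = re.compile(
    r"threshold:\s*type\s+(limit|threshold|both)\s*,\s*track\s+(by_src|by_dst)\s*,"
    r"\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*;")


def parse_threshold(rule_text: str) -> Optional[dict]:
    """Return the threshold options of a Suricata rule, or None if it has none
    (a rule without a threshold matches on every hit)."""
    m = THRESHOLD_RE.search(rule_text)
    if m is None:
        return None
    kind, track, count, seconds = m.groups()
    return {"type": kind, "track": track, "count": int(count), "seconds": int(seconds)}


class Thresholder:
    """Per-rule hit counter keyed by source or destination host, not by flow."""

    def __init__(self, spec: Optional[dict]):
        self.spec = spec
        self.state = {}  # tracked host -> (window_start, hits_in_window)

    def alert(self, src: str, dst: str, now: int) -> bool:
        """Decide whether the rule hit at time `now` raises an alert."""
        if self.spec is None:
            return True                      # no threshold, or switch set to Ignore
        host = src if self.spec["track"] == "by_src" else dst
        start, hits = self.state.get(host, (now, 0))
        if now - start >= self.spec["seconds"]:
            start, hits = now, 0             # interval expired: start a new window
        hits += 1
        self.state[host] = (start, hits)
        kind, count = self.spec["type"], self.spec["count"]
        if kind == "limit":
            return hits <= count             # at most `count` alerts per interval
        if kind == "threshold":
            return hits % count == 0         # every `count`-th hit
        return hits == count                 # both: once per interval, on the count-th hit


def simulate(rule_text: str, events, respect_threshold: bool = True):
    """Feed (time, src, dst) events through one rule; return one bool per event."""
    spec = parse_threshold(rule_text) if respect_threshold else None
    th = Thresholder(spec)
    return [th.alert(src, dst, t) for t, src, dst in events]


# Constructed sample rule: SSH rule limited to 3 alerts per source per 60 s.
SSH_RULE = ('alert tcp any any -> any 22 (msg:"SSH connection"; flow:to_server; '
            'threshold: type limit, track by_src, count 3, seconds 60; sid:1000001; rev:1;)')

# Constructed events: four distinct flows from one source (different destinations)
# share one budget; a second source gets its own; the first source is eligible
# again once the 60 s interval has expired.
EVENTS = [(0, "10.0.0.1", "10.1.0.10"), (1, "10.0.0.1", "10.1.0.11"),
          (2, "10.0.0.1", "10.1.0.12"), (3, "10.0.0.1", "10.1.0.13"),
          (3, "10.0.0.2", "10.1.0.10"), (60, "10.0.0.1", "10.1.0.14")]

if __name__ == "__main__":
    print(simulate(SSH_RULE, EVENTS))          # [True, True, True, False, True, True]
    print(simulate(SSH_RULE, EVENTS, False))   # all True: threshold ignored
```

The fourth event from 10.0.0.1 is suppressed even though it is a different flow, which is the per-host (not per-flow) behaviour the note above describes; switching respect_threshold off reproduces the Ignore position, where every hit matches.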

In the Actions section, click the slider switches to activate the actions you want to apply to traffic matching the rule:

Field

Description

Log

Enable this option to log rule hits to syslog, IPFIX and reporting. Enable the Late Log option to log additional data when the flow has stopped. This way, the entire flow can be analyzed. Select the severity of the event in the logs by clicking the respective button. You can assign high, medium or low severity or log the event as notice.

Final Action

Enable this option to specify how traffic matching this rule is to be handled. You can select one of the following options:

- Allow Traffic and Skip to Next Scenario - Traffic matching this rule is permitted and processing continues with the next scenario.
- Drop Traffic and Stop Processing - Traffic matching this rule is silently dropped and rule processing for this traffic ceases.
- Reject Traffic and Stop Processing - Traffic matching this rule is actively rejected and rule processing for this traffic ceases.

Asset Tag

Enable this option to tag or untag assets that match the rule conditions:

- Select the Operation you want to perform, i.e. add or delete a tag.
- Select the Tag you want to assign or remove. You can also enter a new asset tag.
- Under Who, select which communication participant will be tagged or untagged.

Dynamic Network Object

Enable this option to specify an action to be carried out for dynamic network objects:

- Select the Operation you want to perform, i.e. add entries to or delete them from the Target Dynamic Network Object.
- Under Host Identifier, specify what information is to be handled by the dynamic network object (IP addresses, MAC addresses, assets or all).
- From the drop-down list, select Who the action is to be performed on.
- Specify the Target Dynamic Network Object that is the target of the operation. Click ADD DYNAMIC NETWORK OBJECT to create a new dynamic network object.

For further information, see Dynamic Network Objects.

Shape Traffic

Enable this option to activate traffic shaping. Select the desired Scope from the drop-down list:

- Select Global to shape all traffic matching the rule.
- Select Host Inbound/Outbound to individually shape the inbound and outbound host traffic.
- Select Host Aggregated to shape all host traffic.

Enter the desired Bandwidth. Note that inbound and outbound bandwidth is seen from the perspective of Threat Defender.

Add to Event Tracking Table

Only available for rules in advanced correlation scenarios: Enable this option to add entries to an event tracking table. From the drop-down list, select the Event Tracking Table you want to add entries to. Specify what elements you want to add to the primary and secondary attributes of the new event in the respective drop-down lists.

The buttons at the bottom of the screen allow you to store your changes (SAVE) or to discard them (CANCEL).
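The processing order described on this page (rules evaluated top to bottom, AND across conditions, OR within a condition, Allow skipping to the next scenario, Drop/Reject stopping processing, and correlation rules writing to and counting an event tracking table) can be modelled in a few dozen lines. The following Python is an added example, not Threat Defender code; it assumes that a flow is a dict of attributes, that the global rules run as the first scenario, and that a flow no rule drops or rejects is allowed. The policy, table and flows are constructed for illustration.

```python
"""Model of the rule-processing order described on this page. Added example,
not Threat Defender code. Assumptions (not stated on the page): a flow is a
dict of attributes, the global rules run as the first scenario, and a flow
that no rule drops or rejects is allowed. Sample policy and flows are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional, Tuple


class EventTrackingTable:
    """Entries keyed by primary attribute; each holds the distinct secondaries seen."""

    def __init__(self):
        self.entries = defaultdict(set)

    def add(self, primary, secondary):
        self.entries[primary].add(secondary)

    def count(self, primary) -> int:
        return len(self.entries[primary])


@dataclass
class Rule:
    name: str
    conditions: dict = field(default_factory=dict)        # attribute -> set of accepted values
    final_action: Optional[str] = None                    # "allow" | "drop" | "reject" | None
    add_to_table: Optional[Tuple[str, str, str]] = None   # (table, primary attr, secondary attr)
    min_similar: Optional[Tuple[str, str, int]] = None    # (table, primary attr, minimum count)
    enabled: bool = True

    def matches(self, flow: dict, tables: dict) -> bool:
        # AND across conditions; OR across the values listed in one condition.
        for attr, accepted in self.conditions.items():
            if flow.get(attr) not in accepted:
                return False
        if self.min_similar:                 # Number of Similar Events condition
            table, attr, minimum = self.min_similar
            if tables[table].count(flow[attr]) < minimum:
                return False
        return True


def process(flow: dict, scenarios: list, tables: dict):
    """Run one flow through the ordered scenarios; return (verdict, names of rules hit)."""
    hits = []
    for rules in scenarios:
        for rule in rules:
            if not rule.enabled or not rule.matches(flow, tables):
                continue
            hits.append(rule.name)
            if rule.add_to_table:            # Add to Event Tracking Table action
                table, p, s = rule.add_to_table
                tables[table].add(flow[p], flow[s])
            if rule.final_action in ("drop", "reject"):
                return rule.final_action, hits      # stop processing
            if rule.final_action == "allow":
                break                               # skip to next scenario
    return "allow", hits                            # assumed default verdict


def build_policy(global_rules_reordered: bool = False):
    """Global rules first, then one correlation scenario that detects a port sweep."""
    global_rules = [
        Rule("allow-dns", {"proto": {"udp"}, "dst_port": {53}}, final_action="allow"),
        Rule("drop-blocked-countries", {"src_country": {"AA", "BB"}}, final_action="drop"),
    ]
    if global_rules_reordered:               # broad rule on top: DNS from AA never reaches allow-dns
        global_rules.reverse()
    sweep = [
        Rule("record-tcp-target", {"proto": {"tcp"}}, add_to_table=("sweep", "src", "dst_port")),
        Rule("drop-port-sweep", {"proto": {"tcp"}}, min_similar=("sweep", "src", 3), final_action="drop"),
    ]
    return [global_rules, sweep], {"sweep": EventTrackingTable()}


def run(flows, reordered: bool = False):
    """Verdict per flow, with table state carried from one flow to the next."""
    scenarios, tables = build_policy(reordered)
    return [process(f, scenarios, tables)[0] for f in flows]


# Constructed flows: one DNS query from a blocked country, then a TCP sweep of three ports.
FLOWS = [
    {"proto": "udp", "src": "203.0.113.5", "src_country": "AA", "dst_port": 53},
    {"proto": "tcp", "src": "198.51.100.7", "src_country": "CC", "dst_port": 22},
    {"proto": "tcp", "src": "198.51.100.7", "src_country": "CC", "dst_port": 80},
    {"proto": "tcp", "src": "198.51.100.7", "src_country": "CC", "dst_port": 443},
]

if __name__ == "__main__":
    print(run(FLOWS))         # ['allow', 'allow', 'allow', 'drop']
    print(run(FLOWS, True))   # ['drop', 'allow', 'allow', 'drop']
```

The third TCP flow is dropped because the record rule, placed above the count rule in the scenario, has filled the table to three distinct destination ports for that source before the count rule is evaluated. Reversing the two global rules (run(FLOWS, True)) shows why order matters: with the broad country rule on top, the DNS query from a blocked country is dropped before the specific allow rule is ever reached.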