A threat event report is a report of traffic that has been dropped, or that has generated an alert, after matching one of Cisco Talos' intrusion policies. In most cases, there's no need to tune IPS rules. If necessary, you have the option to override how an event is handled by changing the matching rule action in CDO.
Note the following behaviors of the Threats page:
- Threat events that are displayed are not live. Devices are polled hourly for additional Threat events.
- Threat events that are not included in the Live or Historical view are not part of Cisco Security Analytics and Logging.
- To see Threat events that you've hidden from view, click the filter icon and check the view hidden option.
- From the navigation pane, select Monitoring > Threats. You can filter what events are shown and search by source IP address.
- Click on a threat event to expand the details panel on the right.
- For more information on the rule, click the Rule Document URL in the Rule Details section.
- To hide this event, check the toggle switch for Hide Events. The event handling continues as is, but you won't see it here, unless you click View Hidden or un-hide this event.
- To edit rule overrides, click Tune Rule. When you change a rule action in CDO, the override applies to all the pre-defined policies. This is different than in the FDM where each rule can be different from policy to policy.
- In the Override All devices pull-down, select an action and click Save.
- Drop-This choice creates an event when this rule matches traffic and then drops the connection. Use this action to tighten security of certain rules. For example, specifying Drop would make security stricter when the Talos rule is matched even if the "Connectivity over Security” policy is specified for the access control rule.
- Alert-This choice creates an event when this rule matches traffic, but it does not drop the connection. A use case for “Alert” is when traffic is blocked, but the customer wants to allow, it and look at the alerts before disabling the rule.
- Disabled-This choice prevents traffic from being matched to the rule. No events are generated. The use case for “Disabled” is to stop false positives in reports, or remove rules that do not apply to your environment, like disabling Apache httpd rules if you don't use httpd.
- Default-This choice returns a rule to the default action it was assigned by Talos, for the intrusion policy it is listed in. For example, when you return an intrusion rule to "Default" that may mean its action returns to "Alert" in the "Connectivity over Security" policy and "Block" in the "Balanced Security and Connectivity" policy.
- To edit rule overrides by device, check the Advanced Options slider. This section shows you the configured rule action for each device, which you can change by checking the affected device, selecting an override action, and clicking Save.
- Affected Devices does not indicate the source devices. Instead, it shows the FTD devices reporting the event.
- Review and deploy now the changes you made, or wait and deploy multiple changes at once.