The Manage Alert sidebar allows you to create a rule that is matched against all subsequent events detected by NSX Network Detection and Response. When an event matches a rule, the rule action is applied.
Accessing the sidebar
- From any tab on the Host profile page, click the Host actions button, then select Manage alert from the pull-down menu. The sidebar panel is then prepopulated with the relevant filters, which you can edit.
- Click the Threats tab on the Host profile page. On a threat card, click Next steps and select Manage alert from the pull-down menu.
- From the Incident details view, select a specific incident and click Manage Alert.
- From the Alert Management page, click in the Custom Rules widget.
The Manage alert sidebar consists of three separate panels: FILTERS, ACTIONS, and REVIEW RULE. Which panel is displayed depends on the step of the Create Rule or Edit Rule procedure you are currently in.
You can close the Manage alert sidebar by clicking X in the upper-right corner. If you made changes, you must confirm the closing of the sidebar.
To create or edit a rule, you must perform three steps in the Manage Alert sidebar.
Step 1: Create or Edit Filters
- To toggle the Create/Edit mode to Advanced mode, click the Advanced tab at the top of the sidebar.
- To toggle back to the Basic mode, click the Basic tab (but see the Important note).
- Click Add a new filter+.
- Select a filter from the filter entries drop-down menu.
The filters are grouped into four categories: Source, URL, Detection, and File. See the Attributes entries section in Alert Rule Syntax for more details about these categories.
- Depending on the rule type selected, set its value. This may involve clicking a toggle, entering a value, selecting an item from a pull-down menu, or using another control.
To edit the filters, scroll through the list, select a filter, and modify the appropriate values. Delete an unwanted filter by clicking. You can also select more filters.
In Advanced mode, you enter the matching expression directly using the alert rule syntax (see Alert Rule Syntax). For example:
(network_event.relevant_host_ip: 10.154.115.91 OR network_event.relevant_host_ip: 10.1.1.1-10.255.255.255) AND NOT (network_event.server_port: 53 OR network_event.server_port: 65535) OR (network_event.other_host_hostname: block.lastline.com) AND (network_event.threat: Lastline blocking test)
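To show how an Advanced-mode expression such as the one above is evaluated against an event, here is an added Python model of the matching logic. It is not NSX code: the operator precedence (NOT over AND over OR), the handling of single addresses, CIDR blocks and a-b ranges for *_ip fields, and case-insensitive comparison of other fields are all assumptions, since this page does not specify them.

```python
import ipaddress
import re

KEYWORDS = ("(", ")", "AND", "OR", "NOT")

def tokenize(expr):
    """Split into keyword tokens and (field, value) terms; values may contain spaces."""
    parts = [p for p in re.split(r"\s*(\(|\)|\bAND\b|\bOR\b|\bNOT\b)\s*", expr) if p]
    # a term looks like "network_event.threat: Torn RAT"; the value keeps its spaces
    return [p if p in KEYWORDS else tuple(s.strip() for s in p.split(":", 1)) for p in parts]

def term_matches(event, field, value):
    """*_ip fields accept an address, a CIDR or an a-b range (assumed); others match case-insensitively."""
    actual = event.get(field)
    if actual is None:
        return False
    if field.endswith("_ip"):
        ip = ipaddress.ip_address(actual)
        if "-" in value:
            lo, hi = (ipaddress.ip_address(v.strip()) for v in value.split("-", 1))
            return lo <= ip <= hi
        return ip in ipaddress.ip_network(value, strict=False)
    return str(actual).lower() == value.lower()

def rule_matches(expr, event):
    toks = tokenize(expr) + [None]  # None terminates the token stream
    def parse_or():  # OR has the lowest precedence (assumed, as in most query languages)
        result = parse_and()
        while toks[0] == "OR":
            toks.pop(0)
            result = parse_and() or result  # evaluate first so its tokens are consumed
        return result
    def parse_and():  # AND binds tighter than OR
        result = parse_not()
        while toks[0] == "AND":
            toks.pop(0)
            result = parse_not() and result
        return result
    def parse_not():  # NOT binds tightest; parentheses override everything
        if toks[0] == "NOT":
            toks.pop(0)
            return not parse_not()
        tok = toks.pop(0)
        if tok != "(":
            return term_matches(event, *tok)
        result = parse_or()
        assert toks.pop(0) == ")", "unbalanced parentheses"
        return result
    return parse_or()
```

Because the example expression mixes AND and OR without outer parentheses, an event on port 53 still matches whenever the block.lastline.com/Lastline blocking test pair holds; if that is not intended, wrap the two halves in parentheses explicitly.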
Step 2: Define the action
After you define or edit a filter, to define the rule actions, click Define Actions in the bottom-right corner. The Actions panel has two edit modes: Basic actions (the default) and Advanced actions:
- Click the Advanced actions tab at the top of the sidebar to toggle the create/edit mode to Advanced mode.
- Click the Basic actions link to toggle back to the Basic mode.
There are two toggles on the Actions panel in Basic actions mode: Manage alert and Custom impact (1-100).
- Suppress action
  - Click the Manage alert toggle.
  - Select Demote to INFO event (the default) or Delete from the drop-down menu.
  The Demote action converts subsequent network events that match the rule into INFO events. Note that you must select INFO with the Event outcome filter. The Delete action deletes the matching events from the User Portal.
  Warning: Any event that is deleted can no longer be accessed.
- Custom impact
  - Click the Custom impact (1-100) toggle.
  - Click the radio buttons to select Defined range or Single value. If you selected Defined range, enter the minimum and maximum values in the respective text boxes. If you selected Single value, enter the value in the text box.
To define the action in Advanced actions mode instead:
- Click the Advanced actions tab.
- In the text box, add or edit an action using the alert rule syntax. For example:
demote:outcome=TEST
or
impact:min_impact=12,impact:max_impact=22
After you have selected the action, click Review Rule to go to the next step.
To correct the selected filters, click Filters to go back to the previous Filters panel.
Step 3: Review Rule
- In the Rule name text box, enter a name.
If you are editing an existing rule, you cannot change the name.
- (Optional) Use the drop-down menu to select a license.
This drop-down menu is disabled if you launched the Manage Alert sidebar from the Alert Management page or if you are editing an existing rule.
- In the Rule summary section, verify the selected filters that are listed.
If the Filters tab was left in Basic mode, the summary consists of a list of the selected filters. Each filter is displayed with its name and values. For example:
Rule summary
SERVER IP: 12.6.6.6/32
RELEVANT HOST SILENCED: 1
THREAT(S): Torn rat
THREAT CLASS: Malicious file execution
If the Filters tab was left in Advanced mode, the summary displays the matching expression. For example:
Rule summary
(network_event.server_ip: 12.6.6.6/32) AND (network_event.relevant_host_whitelisted: 1) AND (network_event.threat: Torn RAT) AND (network_event.threat_class: Malicious File Execution)
If the Actions tab was left in Basic actions mode, the summary displays the action. For example:
SUPPRESSION ALERT: Demote to INFO event
If the Actions tab was left in Advanced actions mode, the summary displays the action. For example:
ACTION: impact:min_impact=12,impact:max_impact=22
- (Optional) To correct the selected rule types, click Edit rule to go back to the previous page.
- When you are done, click Create Rule to complete the rule or click Update Rule if you are editing an existing rule.