Security Analytics Engine Overview
Plugins
Conditions
Introduction
Conditions page
Condition categories
Shared Policies
Application
Behavior
Adding and managing conditions
Abnormal Authentication
Abnormal Time
Associated w/ Application Category
Associated w/ Application Threat Level
Associated w/ Blacklist
Associated w/ Country
Associated w/ Malware
Authentication List
Location
Network
User
Introduction
Shared risk policies
Shared Policies page
Adding and managing shared risk policies
Shared Policy wizard
Applications
Introduction
Risk policies
Applications page
Adding and managing applications
Adding and managing risk policies
Application wizard
Auditing
Introduction
Auditing page
Filtering the audit events
Configuring the retention settings
Displaying details for an individual audit event
Downloading audit events information
Adding and managing overrides on the Auditing page
Issued Alerts
Policy Overrides
Fallback Password
Security Settings
Glossary
SonicWALLPlugin
|
• |
Maximum Retention Days - This is the number of days to retain malware records starting with the date detected by the SonicWALL firewall. By default, this is 30 days. The maximum number of days tracking data can be retained is 365 days. |
|
• |
Maximum Audit Records - This is the maximum number of malware records to list in the details of an audit record. By default, this is 10 records. The maximum number of records that can be returned is 20. |
|
• |
Ignore Malware Signatures - (Optional) This field is for listing any malware signature IDs to ignore and is used for instances where certain signatures have also been disabled in the SonicWALL firewall configuration by a firewall administrator, when specific signatures are considered false positives, or when any signatures should be ignored for any other reason. The signature ID values need to be separated by a comma and fall between 0-4294967295. By default, signature IDs for ICMP Destination Unreachable (Port Unreachable) (310) and ICMP Echo Reply (316) are configured to be ignored. |
|
• |
Ignore Application Signatures - (Optional) This field is for listing any application signature IDs to ignore and is used for instances where certain signatures have also been disabled in the SonicWALL firewall configuration by a firewall administrator, when specific signatures are considered false positives, or when any signatures should be ignored for any other reason. The signature ID values need to be separated by a comma and fall between 0-4294967295. By default, signature IDs for Microsoft® App Store (10313, 10314,10366), Akamai (6570, 6572, 6573, and 6574), cURL (1618), BITS (6583), and WGET (1613) are configured to be ignored. |
Click Add to display the following fields:
|
• |
IP Address - This is for configuring an IPv4 or IPv6 address. |
|
• |
IP Subnet Mask - This is for configuring the optional IPv4 or IPv6 subnet mask. |
|
• |
Enable - Select this check box to enable the dynamic network. |
|
• |
Delete - Click this button to remove the dynamic network. |
After making changes to the plugin, click the Validate button in the lower right corner to check that the configuration is valid.
Editing plugins
button to open the Edit Plugin page.|
3 |
After editing the plugin settings (see Plugins for information on the specific settings available for each plugin), click Validate to test the configuration. |
|
4 |
Click Save to save the changes. |
Conditions
Introduction
When working with conditions, keep in mind that within a risk policy all conditions can be used to modify other conditions, in which case it becomes a modifier. However, all modifiers cannot be used as conditions. Conditions with a risk type value of Can increase risk, Can both increase or decrease risk, and those without a risk type value are able to be used as both conditions and modifiers since they have the ability to increase a risk score. Conditions assigned the risk type value of Can decrease risk are only usable as modifiers since they are designed to decrease condition scores not decrease an entire risk score. All conditions and modifiers, regardless of risk type value, are managed using the Conditions page.
From the Home page of the Security Analytics Engine Administration web site, click on the Conditions link to create and manage condition parameters for the plugins.