Excluding an alarm between two host groups

stipend
Level 1

We have an "Exfiltration" alarm that triggers between several source hosts and a single target host. For example, I've created a host group A for the source hosts and host group B for the target host.

How can I stop the "Exfiltration" alarm from triggering between the two host groups?  I tried relationship, role, and single host policy but all of them only allow me to specify the action to take for a single host group.

[screenshot attached: stipend_0-1680545999096.png]

Is there any way to specify that when host group A is the source and host group B is the target, the alarm should be ignored?

6 Replies

jamegill
Cisco Employee

Hi @stipend - Are both of the host groups in this example under Inside Hosts?

Before we get too much further, let's skip the Exfiltration Alarm because it is a Category Alarm. Instead, let's talk about the Suspect Data Loss Security Event that is responsible for it.  (For a discussion on the difference between Category Alarms and Security Events see this thread)

In the 7.4.2 documentation for Alarms & Events covering the Suspect Data Loss event, the Suspect Data Loss event is explicitly looking for traffic between inside and outside host groups.

--jg

Sorry, not sure why I put Exfiltration. The alarm is actually for Slow Connection Flood.

Yes, both of these host groups are in Inside Hosts. They are both inside host groups that communicate with each other and have legitimate traffic. I would like to exclude the Slow Connection Flood between these two groups.

Ok, you have a couple of options. As discussed here the configuration option for When host is [target | source] can be set to just "on" instead of "on + alarm" so the individual event does not create an alarm for each event, but rather only for the Category Alarm.

The next option would be to create a Relationship Alarm for these two hosts. I will come back with a longer post later on how to do that (fact: Relationship Alarms are my favorite feature of SNA that nobody really knows about).

Quick start, though -

  1. create a new Network Diagram (look under the Dashboards menu), add just the host groups in question
  2. create an edge (line) between the groups.  tweak the diagram to suit your liking (or don't, you can edit it later)
  3. save the diagram
  4. right-click on the line between the groups, select Policy Management
  5. You're now editing the policy that only applies to the traffic between the two groups
  6. click on Select Events and choose the individual policies for behaviors you want to monitor for here.
    (yes, the policy types are more general than with the Core Policies, but you can get pretty close)

--jg

I tried the Relationship Alarm but I found that to be too generic, as you said. I instead created a role policy which says to Ignore alarm when A is source and "On+Alarm" when A is target. It's too bad, though, that there is no definitive way to make a policy to ignore an alarm between Source A and Target B.

Hi @stipend ... good work, you're on the right track.  Here are a couple of suggestions ...

For Slow Connection Flood consider turning the "when host is source" to "on" for the Inside Hosts default policy. Because you shouldn't see this very much between inside hosts (as discussed in more detail in the documentation for this alarm), you probably don't need an alarm for each instance of this event. By setting it to "on" you are still monitoring for this behavior but it will contribute to the Category Alarms for Concern Index, DDoS Source, DDoS Target.

The Role Policy approach here is a good approach if you are only seeing the alarm on a subset of your hosts. By applying that policy to the affected subset of hosts (Host Groups) you can again decide to set the event to "on" or "on+alarm", and you can also adjust the thresholds in the event configuration for that Role Policy to override the setting of the Inside Hosts Default policy.

The concept of building policies with specific application to (or exemption for) specific source/destination host groups is a concept which has come up before, so I have added this thread to the internal discussion around that topic. Thank you for enhancing that conversation.

--jg

We do see this a lot internally. One instance has been the case of just how two groups of servers communicate with each other. The other instance has been employees accessing an internal application through port 443, which triggers the alarm. So far it's been false positives but, yeah, we see this frequently. Thanks for your help anyway. I hope an "exemption" feature gets added in the future!