Home > User Interface > Configuration > Compliance > Security Events
|
Menu path: Configuration > Compliance Overview > Security Events.
The security events list ties security events, such as malware detection and unauthorized operating system with actions. Actions include quarantining endpoints, sending email alerts, and showing remediation instructions from a captive portal.
The format and usage of this page is discussed in General GUI Usage. An additional 
button will
display the message associated with the event.
Note
Security event ID 3000007 was added in release 3.3.0 to cover cases in which mobile devices are assigned random MAC addresses. If enabled, clients that trigger this event will be isolated with role isolation, and a message will be displayed that prompts the client to disable the random MAC address feature and then reconnect to the network.Select 
or 
to add a new
security event. The fields in the New Security Event dialog are:
| Field | Usage | Example |
|---|---|---|
| Enable Security Event | Indicates whether the security event detection is enabled. |
|
| Identifier | A unique number to use as the identifier of the event. Events should use numbers above 1500000 if they might be deleted later. The range from 1200000-120099 are reserved for administrative events. | 1500001 |
| Description | User friendly description of the security event. | Trap illegal operating systems |
| Priority | A number from 1 to 10, with 1 being the highest priority. When multiple events exist for a node, the lowest numbered priority is handled first. | 4 |
| Ignored Roles | The roles in this list will not be affected by this security event. | admin |
| Triggers | A set of conditions that trigger the security event. See the Triggers section for details. | |
| Event Actions | The actions to be taken when the event is triggered. See Event Actions for further details. | |
| Dynamic Window | This option is only applicable for accounting security events. If enabled, such events will last from the first overuse of resources until the end of the time period set for the event. |
|
| Grace | The amount of time before a security event can reoccur. This gives clients the time to fix their problem. | 2 minutes |
| Window | The amount of time before a security event will be closed automatically. | |
| Delay By | The amount of time that a security event will be delayed after triggered. | 30 seconds |
The first trigger is added by clicking 
.
Additional triggers can be added after a row by clicking the 
and a row can be
removed by clicking 
. Rows are executed in order; they can be arranged by selecting a
row and moving it to the desired position.
Each row contains for components, all of which must be true for the row to be triggered. If a row is not triggered, the next row is evaluated, and so on. The four components of a trigger are:
Client
The client component of a trigger consists of a set of endpoint attributes that must all be true. The first condition is added by clicking 
. Additional triggers can be added after a row by clicking the and a row can be removed by clicking .
Each client condition consists of an attribute and a value:
| Attribute | Value | Example |
|---|---|---|
| Role | Select from one of the existing Roles. | Role guest |
| MAC Address | The twelve digit MAC address. The MAC addresses can use regex expressions. The example text detects MAC addresses starting with 2, 6, a, or e in the second digit. | ^.[26ae].* |
| Device | The address or address range of one of the Network Devices. | 1912.168.1.0/24 |
| Device Group | Select from one of the existing device groups. See Network Devices. | Aerohive_AP |
Client Profiling
The client profiling component of a trigger consists of a set of Fingerbank attributes that must all be true. The first condition is added by clicking . Additional triggers can be added after a row by clicking the and a row can be removed by clicking .
Each client profiling condition consists of an attribute and a value:
| Attribute | Value | Example |
|---|---|---|
| Device | Select from one of the Fingerbank devices by typing some of the letters from the device name, then selecting from the offered list. | BrightSign XD1230 |
| DHCP Fingerprint | Select from one of the Fingerbank DHCP fingerprints by typing some of the numbers from the fingerprint, then selecting from the offered list. | 1.44.46 |
| DHCP Vendor | Select from one of the Fingerbank DHCP vendors by typing some of the letters from the vendor name, then selecting from the offered list. | android-dhcp-7.0 |
| DHCPv6 Fingerprint | Select from one of the Fingerbank DHCPv6 fingerprints by typing some of the numbers from the fingerprint, then selecting from the offered list. | 1,13,12,23,24,39,7 |
| MAC Vendor | Select from one of the Fingerbank MAC vendor IDs by typing some of the numbers from the ID, then selecting from the offered list. | 0000af |
Data Usage
This condition measures data usage over time. The fields in this form are:
| Field | Usage | Example |
|---|---|---|
| Direction | The direction of traffic to measure. One of Total, Inbound, or Outbound. | Total |
| Limit | The data usage limit, expresses as a numeric number of bytes (B), kilobytes (kB), megabytes (MB), or gigabytes (GB). | 10MB |
| Interval | The period over which to measure usage. One of day, week, month, or year. | month |
Event
The condition is used to test another trigger event. A single entry consisting of an event and value is used. The event choices and values are:
| Attribute | Value | Example |
|---|---|---|
| Detect | An event ID. | 150001 |
| Internal | An event number or one of :
|
hostname_change |
| Nessus | A Nessus event number. A Nessus scan engine must be defined for this trigger to be active. See Configuration > Compliance Overview > Scans. | 10861 |
| Nessus V6 | A Nessus V6 event number. A Nessus6 scan engine must be defined for this trigger to be active. See Configuration > Compliance Overview > Scans. | |
| Nexpose event contains ... | Text contained within a Nexpose event. | |
| Nexpose event starts with ... | Text at the beginning of a Nexpose event. | |
| OpenVAS | An OpenVAS event ID. An OpenVAS scan engine must be defined for this trigger to be active. See Configuration > Compliance Overview > Scans. | 1.3.6.1.4.1.25623.1.0.90023 |
| Provisioner | check = a provisioner check failure. | check |
| Suricata Event | Select from any of the Suricata events. | ET P2P |
| Suricata MD5 | Select from any of the Suricata events. |
One or more actions can be selected for a security event. The choices, each of which can be independently enabled are:
| Action | Sub-Field | Usage | Example |
|---|---|---|---|
| Unregister | Unregisters the node. | ||
| Register | Target Role | The role to be assigned to the node. | isolation |
| Access Duration | The access duration for the registration, chosen from the available list of durations. | 12 hours | |
| Isolate | Role While Isolated | The role to be assigned while the node is isolated. | isolate |
| Template to Use |
The template to use when displaying a message to the client. One of:
|
bandwidth_expiration.html | |
| Button Text | The text displayed to the user for the event. | Bandwidth limit exceeded | |
| Redirection URL | The destination URL where A3 will forward the device. If omitted, the redirection URL from the Connection Profiles configuration will be used. | ||
| Auto-Enable | If enabled, the client can self-remediate the security event. | ||
| Max Enables | The maximum number of times a client can try self-remediation before they are locked out. | ||
| Email Administrator | Send an email to the administrator. | ||
| Email Client Owner | Send an email to the owner of the node. | ||
| Execute Script | Execute a downloaded script. | ||
| Close Another Security Event | Security event to close |
Choose from any of the Descriptions on the Security Events listing. |
Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.