How would you accomplish this?

You have selected the event Port Scan from Internal Network in SmartEvent, to detect an event
when 30 port scans have occurred within 60 seconds. You also want to detect two port scans from
a host within 10 seconds of each other. How would you accomplish this?

A.
Define the two port-scan detections as an exception.

B.
You cannot set SmartEvent to detect two port scans from a host within 10 seconds of each
other.

C.
Select the two port-scan detections as a sub-event.

D.
Select the two port-scan detections as a new event.

Show Hint

← Previous question

Next question →

Leave a Reply 4

palantir

answer is A.

Exceptions allow an event to be independently configured for the sources or destinations that appear here. For example, if the event Port Scan from Internal Network is set to detect an event when 30 port scans have occurred within 60 seconds, you can also define that two port scans detected from host A within 10 seconds of each other is also an event.

To manually add an exception, under the heading Apply the following exceptions, click Add and select either the Source and/or Destination of the object to which you want to apply different criteria for this event.

ileht

1. “You ALSO want to detect,” you don’t want an exception.
2. Exceptions refine src/dst, not counts and time periods.

You can create new “User Defined” event based on the existing one, and modify its parameters.
D

Viper

The answer is “A”
Exceptions allow an event to be independently configured for the sources or destinations that appear here. For example, if the event Port Scan from Internal Network is set to detect an event when 30 port scans have occurred within 60 seconds, you can also define that two port scans detected from host A within 10 seconds of each other is also an event.

Esteban

A. Define the two port-scan detections as an exception.

Eexceptions work to separate events independently so if the event in the example occurs, with the exception is show as 2 and not as 1 event.