Create custom Situation elements

You can create custom Situation elements in addition to using the predefined ones.

Before you begin

Creating new Situation elements requires detailed knowledge of the protocols that you want to inspect and the traffic patterns related to their use.

You can create a Situation element to detect individual events or a Correlation Situation element to detect a group of related events.

A Situation element collects together the related elements and settings and sets the severity value for the Situation. The severity value can be set between Info (the least severe) to Critical (the most severe). You can use the severity value to restrict which Situations added to the Situations cell are considered in Inspection Exceptions and Alert Policies. For example, if a rule matches a large range of Situations you can create separate rules for less severe and more severe Situations.

Note: Avoid defining the same pattern in different Situation elements. Duplicate situations in the policy can create unintended results and makes the policies difficult to manage.

The predefined Situation elements are updated through dynamic update packages. You can also create new Situation elements to fine-tune the patterns that the engines look for in the traffic.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to Other Elements > Situations.
  3. Right-click Situations, then select New > Situation or New > Correlation Situation.
  4. In the Name field, enter a unique name.
  5. (Optional) Click Select and select the Situation Type with which to associate this Situation.
    You can only select one Situation Type for each Situation. The Situation Type specifies the branch of the Rules tree under which the Situation is included.
  6. In the Description field, enter a description of the traffic pattern that the Situation represents.
    This description is shown in log entries and other places where statistics related to the Situation appear.
  7. In the Severity drop-down list, select the severity value for the Situation.
    The Severity is shown in the logs and can be used in Alert Policies as a criterion for alert escalation.
  8. (Optional) In the Attacker and Target drop-down lists, select how the attacker and target are determined when the Situation matches.
    This information is used for block listing and in log entries.

Situation Properties dialog box

Use this dialog box to configure a Situation element.

Note: We recommend that you use only the predefined Situation elements included in dynamic update packages. The use of custom Situations is an advanced feature that requires technical expertise.
Option Definition
General tab
Name Specifies a unique name for the Situation.
Comment An optional comment for your own reference.
Vulnerability Lists the known vulnerabilities associated with the Situation, if available.
Situation Type Shows the Situation Type with which to associate this Situation.
Select Opens the Select Element dialog box.

You can only select one Situation Type for each Situation. The Situation Type specifies the branch of the Rules tree under which the Situation is included.

Description Use the Description field to describe the traffic pattern that the Situation represents. This description is shown, for example, in log entries.
Severity Select a Severity for the Situation. The Severity is shown in the logs and can be used in Alert Policies as a criterion for alert escalation.
Attacker Select how the Attacker is determined when the Situation matches. This information is used for block listing and in log entries.
  • None — Does not define the Attacker and Target information, so block listing entries cannot be created using the Attacker and Target options.
  • IP Source or IP Destination— The IP addresses of the (last) packet that triggers the Situation. Because the packet can be a request or a reply, make sure to select the option correctly based on the pattern that the situation detects to avoid reversed labeling.
  • Connection Source or Connection Destination — IP addresses depend on which host opened the connection and provide a constant point of reference to the client and server in the communications.
Target Select how the Target is determined when the Situation matches. This information is used for block listing and in log entries.
  • None — Does not define the Attacker and Target information, so block listing entries cannot be created using the Attacker and Target options.
  • IP Source or IP Destination— The IP addresses of the (last) packet that triggers the Situation. Because the packet can be a request or a reply, make sure to select the option correctly based on the pattern that the situation detects to avoid reversed labeling.
  • Connection Source or Connection Destination — IP addresses depend on which host opened the connection and provide a constant point of reference to the client and server in the communications.
Last Update in Shows the dynamic update package number that the Situation was included in or changed in.
Supported Engine Versions Specifies the supported engine versions for the Situation.
Category Includes the Situation in predefined categories.
Select Opens the Category Selection dialog box.
Option Definition
Context tab
Context Shows the selected Context for this Situation.
Select Opens the Select Context dialog box.
Note: These contexts are updated dynamically and can change.
Option Definition
Tags tab
Name Shows the name of the tag.
Comment Shows the comment associated with the tag.
Type Shows the type of tag.
Add Tags Opens the dialog box to add a tag. Select from the available options:
  • Hardware
  • Operating System
  • Situation Tag
  • Software

Correlation Situation Properties dialog box

Use this dialog box to configure a Correlation Situation.

Note: We recommend that you use only the predefined Correlation Situation elements included in dynamic update packages. The use of custom Correlation Situations is an advanced feature that requires technical expertise.
Option Definition
General tab
Name Specifies a unique name for the Situation.
Comment An optional comment for your own reference.
Vulnerability Lists the known vulnerabilities associated with the Situation, if available.
Situation Type Shows the Situation Type with which to associate this Situation.
Select Opens the Select Element dialog box.

You can only select one Situation Type for each Situation. The Situation Type specifies the branch of the Rules tree under which the Situation is included.

Description Use the Description field to describe the traffic pattern that the Situation represents. This description is shown, for example, in log entries.
Severity Select a Severity for the Situation. The Severity is shown in the logs and can be used in Alert Policies as a criterion for alert escalation.
Attacker Select how the Attacker is determined when the Situation matches. This information is used for block listing and in log entries.
  • None — Does not define the Attacker and Target information, so block listing entries cannot be created using the Attacker and Target options.
  • IP Source or IP Destination— The IP addresses of the (last) packet that triggers the Situation. Because the packet can be a request or a reply, make sure to select the option correctly based on the pattern that the Situation detects to avoid reversed labeling.
  • Connection Source or Connection Destination — IP addresses depend on which host opened the connection and provide a constant point of reference to the client and server in the communications.
Target Select how the Target is determined when the Situation matches. This information is used for block listing and in log entries.
  • None — Does not define the Attacker and Target information, so block listing entries cannot be created using the Attacker and Target options.
  • IP Source or IP Destination— The IP addresses of the (last) packet that triggers the Situation. Because the packet can be a request or a reply, make sure to select the option correctly based on the pattern that the Situation detects to avoid reversed labeling.
  • Connection Source or Connection Destination — IP addresses depend on which host opened the connection and provide a constant point of reference to the client and server in the communications.
Last Update in Shows the dynamic update package number that the Situation was included in or changed in.
Supported Engine Versions Specifies the supported engine versions for the Situation.
Category Includes the Situation in predefined categories.
Select Opens the Category Selection dialog box.
Option Definition
Context tab
Context Select the Context that you want to associate with this Correlation Situation:
  • Compress — Combines repeated similar events into the same log entry, reducing the amount of data that is sent to the Log Server.
  • Count — Finds recurring patterns in traffic by counting the times certain Situations occur within a defined time period. The Situation matches if the threshold values you set are exceeded.
  • Group — Finds patterns in traffic by following if all events in the defined set of Situations match at least once in any order within the defined time period.
  • Match — Allows filtering event data using filters.
  • Sequence — Finds patterns in traffic by following if all events in the defined set of Situations match in a specific order within a defined time period.
Note: These contexts are updated dynamically and can change.

Click Select to select an element.

Parameters section

(When Context is Group or Sequence)

Correlated Situations Shows the situations that are correlated in this Correlation Situation.
Keep and forward events When Yes is selected, log entries are created about events related to the correlated situations.
Time window size The time period in which events must occur to be correlated.
Continuous responses

(When Context is Group)

When Yes is selected, the Secure SD-WAN Engine responds continuously to events.

Usage context

Specifies whether correlation is done only on the Secure SD-WAN Engine, only on the Log Server, or on both the Secure SD-WAN Engine and the Log Server.

By default, correlation is done on both the Secure SD-WAN Engine and the Log Server for custom Correlation Situations.

Option Definition
Tags tab
Name Shows the name of the tag.
Comment Shows the comment associated with the tag.
Type Shows the type of tag.
Add Tags Opens the dialog box to add a tag. Select from the available options:
  • Hardware
  • Operating System
  • Situation Tag
  • Software

Event Binding Properties dialog box

Use this dialog box to view the properties of Event Binding elements.

CAUTION:
Do not create Event Binding elements. Use the predefined Event Binding elements instead. The main options are explained here.
Option Definition
Name Specifies a unique name for the event binding.
Comment An optional comment for your own reference.
Resources Shows a list of log fields.
Search Opens a search field for the selected element list.
Up (Backspace) Returns to the previous folder.
Tools
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Refresh View — Refreshes the list of elements.
Bindings table
First binding The first set of logs to use in Correlation Situations to bind together different types of events in traffic.
Second binding The second set of logs to use in a sequence when using Correlation Situations to bind together different types of events in traffic.