About Recommended Rules
You can use intrusion rule recommendations to associate the operating systems, servers, and client application protocols detected on your network with rules specifically written to protect those assets. This allows you to tailor your intrusion policy to the specific needs of your monitored network.
The system makes an individual set of recommendations for each intrusion policy. It typically recommends rule state changes for standard text rules and shared object rules. However, it can also recommend changes for preprocessor and decoder rules.
When you generate rule state recommendations, you can use the default settings or configure advanced settings. Advanced settings allow you to:
-
Redefine which hosts on your network the system monitors for vulnerabilities
-
Influence which rules the system recommends based on rule overhead
-
Specify whether to generate recommendations to disable rules
You can also choose either to use the recommendations immediately or to review the recommendations (and affected rules) before accepting them.
Choosing to use recommended rule states adds a read-only Recommendations layer to your intrusion policy, and subsequently choosing not to use recommended rule states removes the layer.
You can schedule a task to generate recommendations automatically based on the most recently saved configuration settings in your intrusion policy.
The system does not change rule states that you set manually:
-
Manually setting the states of specified rules before you generate recommendations prevents the system from modifying the states of those rules in the future.
-
Manually setting the states of specified rules after you generate recommendations overrides the recommended states of those rules.
Tip
The intrusion policy report can include a list of rules with rule states that differ from the recommended state.
While displaying the recommendation-filtered Rules page, or after accessing the Rules page directly from the navigation panel or the Policy Information page, you can manually set rule states, sort rules, and take any of the other actions available on the Rules page, such as suppressing rules, setting rule thresholds, and so on.
Note |
The Talos Intelligence Group determines the appropriate state of each rule in the system-provided policies. If you use a system-provided policy as your base policy, and you allow the system to set your rules to the recommended rule state, the rules in your intrusion policy match the settings recommended by Cisco for your network assets. |
Recommended Rules and Multitenancy
The system builds a separate network map for each leaf domain. In a multidomain deployment, if you enable this feature in an intrusion policy in an ancestor domain, the system generates recommendations using data from all descendant leaf domains. This can enable intrusion rules tailored to assets that may not exist in all leaf domains, which can affect performance.