Configuring an Offense Rule to Trigger a Scan
To trigger a scan of any assets that are communicating with the Internet, configure the rule that is generated by the offense.
An offense must be generated. You can generate the offense manually or wait for an asset to communicate with the Internet. To generate the offense, you can do any of the following steps:
- Generate an offense manually by temporarily connecting any new asset from the asset saved search to the Internet.
- After an offense is generated, search for the rule in the rules list on the Offenses tab.
- Enable email notification for the dispatched event that creates an offense. You can edit the rule when you get this notification.

- Click the Offenses tab.
- On the navigation menu, click Rules.
- Use the search box on the toolbar to search for the rule.
  The name of the rule is Risk Question Monitor : <Event Name>.
  You can search by the Event Name, which is from the Monitor Question Results window.
  The Event Name for an offense appears in the Description field when you select All Offenses.
- Double-click the rule name to open the Rule Wizard.
- Click Next.
- Configure the following settings:
  - Select the Ensure the detected event is part of an offense check box.
  - Select Destination IP from the Index offense based on menu.
  - Select the Send to Local SysLog check box.
  - Select the Trigger Scan check box.
  - Select the scan profile that you want to use from the Scan Profile to be used as a template menu.
    You must select the On Demand Scanning option in the scan profile that you want to use with this rule.
  - Click the Destination radio button for the Local IPs to Scan field.
  - Enter values for the Response Limiter setting.
    Configure appropriate intervals to avoid a potential overload on your system.
- If you don't want to activate this rule right away, clear the Enable Rule option and then click Finish.