cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who rated this post

Cyber Elite
Cyber Elite

@Jim.Couch,

Build the application rule above the rule that you currently have utilizing services. Once you verify that the application rule has been tuned to match traffic properly (without decryption you'll need to make adjustments for WinRM over HTTPS as an example) the service rule should stop getting hit.

 

When it comes to cleaning up the service rules that all depends on your environment and appetite of risk. I've had some people just delete the service rule when the application rule is matching traffic, I'll have some people setup alerting whenever the service rule is hit but leave it there for a month just as backup, I'll have have some people set the service rule to deny the traffic with the rule set to alert on any traffic and leave it around for a month; it all depends on your environment and what you decide to do.

View solution in original post

Who rated this post