Tool Templates

Tool template in Application Metadata Intelligence predefines a list of applications and its attributes, which you can choose as per your requirements while configuring Application Metadata Intelligence solution.

A template once created can be used by multiple exporters to export the attributes in the specified format to the destination tools.

You can use the tool templates while creating an Application Metadata Intelligence session. By default, you can find the following tool templates:

■

BroMetadata Template

■

Netflow V5 Template

■

SplunkMetadata Template

■

InsightSensor

Starting from software version 6.2.00, the following tool templates are supported:

■

SecurityPosture

■

RogueActivity

■

SuspiciousActivities

■

AnomalousTraffic

■

Troubleshooting

■

M2131Logging

■

UnmanagedAssets

The following table provides the purpose of each of the tool templates when used in Application Metadata Intelligence :

Tool Template	Purpose
BroMetadata Template	For selecting applications and attributes that can be detected by Bro sensor
Netflow V5 Template	For emulating NetFlow V5 behavior
SplunkMetadata Template	For providing a quick insight into the network traffic generated by various applications and protocols
InsightSensor	For selecting applications and attributes detected by ThreatInsight Sensor (must be compatible with ThreatInsight Sensor meta data)
SecurityPosture	For detecting flaws in securing the applications in the network
RogueActivity	For detecting unsanctioned applications that can pose challenges to network security
SuspiciousActivities	For detecting issues related to unmanaged devices, suspicious connections, and traffic outside normal limits in the network
AnomalousTraffic	For detecting challenges with HTTP, HTTPS, and DNS traffic in the network
Troubleshooting	For detecting latency, connectivity, and protocol errors in the network
M2131Logging	For U.S. Office of Management and Budget M-21-31 logging requirements
UnmanagedAssets	For providing visibility into unmanaged hosts and devices in the network

Note: You cannot edit the above templates. Hover over the Description column to view the description of the default tool templates.

You can create new tool templates according to your requirements. You can also edit and clone the templates. Refer to Create Custom Tool Templates for more information.

Create Custom Tool Templates

To create a customized Tool Template, do the following:

On the left navigation pane, click

, and then select Resources > Tool Templates.

You can view two system defined templates by default.

Click Create. The New Tool Template page appears.

Enter the Template Name.
Select the GS Version*.
Enable the fastmode check box. When the fastmode option is enabled, only the fastmode supported attributes will be listed.
Enter the Description.

Click the App Editor button. The App Editor page appears.

Click the Application Family field and select an Application Family such as antivirus, webmail that needs to be filtered from the traffic. You can also select multiple application families.

If you choose to add or delete all the applications in a family, click Add All Application in Families or Delete All Application in Families.

Note: You can select the required applications without selecting the application family.

Click the Application field and select an application or multiple applications that needs to be exported from the traffic.

Click Add to add the Application details.

Select the format (CEF/NetFlow) in which the application details need to be exported to the tool.

Select the record or template type:

Segregated - The application-specific attributes and the generic attributes will be exported as individual records to the tool.

Cohesive- The application-specific attributes and the generic attributes will be combined as a single record and exported to the tool.

Enter the Active timeout and Inactive timeout in seconds.

Note: Select the Version and the Template Refresh Interval for the Netflow format.

In the AdvancedSettings > Collects section, you can view and configure the following collect types:

•

Counter - Select the Bytes and Packets.

•

IPv4 - Select and enter the required information in the fields such as Source Address, Destination Address, Fragmentation, and Header Size and Payload Size.

•

IPv6 - Select and enter the required information in the fields such as Source Address, Destination Address, Fragmentation, and Header Size and Payload Size.

•

Transport -Select and enter the required information in the fields such as Source Address, Destination Address, and Header Size and Payload Size.

By default, the above collect types are displayed. Click to add the following collect types:

•

Data Link - Select any one of the parameters such as Source Mac, Destination Mac and VLAN.

•

Timestamp - Select the required timestamp such as System Uptime First, Flow Start, System Uptime Last, and Flow End.

•

Flow - Select the parameter as End Reason if required.

•

Interface - Select any one of the parameter such as Input Physical, Output Physical and Input Name.

Click Save. The new tool template is added to the list view.

Select a tool template and click the ellipsis to perform the following:

•

View Details - To view the details in the template.

•

Edit - To edit the parameters and fields in the template.

•

Delete - To delete the template from the list.

•

Duplicate - To duplicate the template in the list.

•

Export - To export a tool template.

Note: You can edit an existing template and the attributes associated with it as required, and save the updates as a new template while creating an Application Metadata Intelligence session. Refer to Create Metadata Intelligence by Selecting Applications from Dashboard for details.