Policy Condition | Used for Directive Events? | Definition |
---|---|---|
Source | | Assets, asset groups, networks, or network groups that match the source IP address of the event. |
Destination | | Assets, asset groups, networks, or network groups that match the destination IP address of the event. |
Source Port | | TCP/UDP source port of an event. |
Destination Port | | TCP/UDP destination port of an event. |
Event types | ✓ | Defines the events to be processed by this policy. |
Sensors (Deputies) | | The Sheriff CSM Sensor that collected and normalized the event. |
Reputation | ✓ | IP reputation of the source or destination IP address of an event. |
Event priority | ✓ | Priority and reliability of an event. |
Time range | ✓ | A window of time for event matching. |
In the Default Policy Group section, click New.
Select one or more conditions that you want to configure for the policy to take effect by doing one of the following:
Click on Assets, Asset Groups, Networks, or Network Groups and add the desired sources.
You can choose Any as the source condition if you want the policy to apply to any source. You can also choose HOME_NET to include, or !HOME_NET to exclude, all assets that you are monitoring.
The selection then appears in the Source rectangle under Policy Conditions.
If the host, network, or network group you need is not listed, click Insert New Host?, Insert New Net?, or Insert New Net Group? to create it.
When finished, click Save.
Click the colored Src Ports rectangle in the Conditions section of the Policy Configuration page.
Under Policy Conditions at the bottom of the page, the Source Ports window appears.
Click a port group from the Port Groups tree, or click Any.
Your selection appears under Policy Conditions within the Source Ports window.
In the Conditions section of the Policy Configuration page, click Dest Ports.
The Destination Ports condition appears under Policy Conditions, at the page bottom.
Click a port from the Port Groups tree, or click Any if you don't need to restrict the event to a specific port.
Your selection appears in the Destination Ports window.
If you do not see the port group listed, click the Insert New Port Group link to create one.
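To make the Source, Destination, Source Ports and Destination Ports conditions concrete, here is a small model of how those four conditions can be evaluated against a normalized event. This is an added illustration, not Sheriff CSM code: the HOME_NET, !HOME_NET and Any semantics follow the text above, while the field names, the sample HOME_NET, the port-group representation and the sample events are constructed assumptions.

```python
# Added illustration (not Sheriff CSM code): evaluating the Source, Destination,
# Source Ports and Destination Ports policy conditions against one event.
from ipaddress import ip_address, ip_network

# Constructed sample HOME_NET: the networks this deployment monitors (assumption).
HOME_NET = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]


def in_home_net(addr):
    """True when addr falls inside any monitored network."""
    a = ip_address(addr)
    return any(a in net for net in HOME_NET)


def address_matches(selector, addr):
    """selector: 'Any', 'HOME_NET', '!HOME_NET', or a list of hosts/networks (CIDR strings)."""
    if selector == "Any":            # policy applies to every address
        return True
    if selector == "HOME_NET":       # include all monitored assets
        return in_home_net(addr)
    if selector == "!HOME_NET":      # exclude all monitored assets
        return not in_home_net(addr)
    a = ip_address(addr)             # explicit assets / networks chosen in the tree
    return any(a in ip_network(entry, strict=False) for entry in selector)


def port_matches(selector, port):
    """selector: 'Any' or a port group modelled as a list of ints and (low, high) ranges."""
    if selector == "Any":
        return True
    for entry in selector:
        low, high = entry if isinstance(entry, tuple) else (entry, entry)
        if low <= port <= high:
            return True
    return False


def policy_matches(policy, event):
    """All four conditions must hold for the policy to take effect on the event."""
    return (address_matches(policy["source"], event["src_ip"])
            and address_matches(policy["destination"], event["dst_ip"])
            and port_matches(policy["src_ports"], event["src_port"])
            and port_matches(policy["dst_ports"], event["dst_port"]))


# Constructed example policy: traffic from outside the monitored networks into
# them, on SSH or web destination ports, from any source port.
EXAMPLE_POLICY = {"source": "!HOME_NET", "destination": "HOME_NET",
                  "src_ports": "Any", "dst_ports": [22, (80, 80), 443]}

# Constructed sample events; field names are an assumption about the normalized form.
EXTERNAL_TO_WEB = {"src_ip": "203.0.113.7", "dst_ip": "10.1.2.3", "src_port": 51515, "dst_port": 443}
INTERNAL_TO_WEB = {"src_ip": "10.1.2.4", "dst_ip": "10.1.2.3", "src_port": 51516, "dst_port": 443}
```

Swapping `"!HOME_NET"` for `"HOME_NET"` in `EXAMPLE_POLICY["source"]` flips which of the two sample events matches, which is the include/exclude distinction the Source step describes.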
Select the desired data source groups from the DS Groups list by selecting the check box to the left of the group’s name. If the box can't be selected, make sure that you deselect Any.
In the Policy Configuration page, click Event Types.
Click View All DS Groups.
To see more information about a DS Group, click the name of the group to expand it and view a concise description. To edit DS Group information, click the pencil icon at the end of its row.
Under Policy Conditions in the DS groups view of Event Types, click Insert New DS Group.
In the Insert New DS Group dialog box, enter a name for the DS group and select Add by Data Source.
In the list that displays, click the data sources you want to add to your DS group.
The dialog box now displays the data sources you selected.
Alternatively, if you want to include particular event types, click the pencil icon at the right side of the data source, and complete the following:
Note: A maximum of 150 event types can be selected for each data source in any given DS group. Multiple DS groups can be created for policies requiring more than 150 event types.
Your selections move to the left-hand column of the dialog box.
Click Submit Selection.
Repeat the same steps for the other data sources in the group.
Add a description of the new DS Group in the Description field and click Update.
The dialog box now shows the entire list of DS groups and reveals details for the DS group you added, consisting of the following:
(Optional) To add another DS group, click Add New Group.
Close the dialog box, which returns you to the Event Types section of the policy. Your newly added DS group appears now as a selection among the DS groups.
Select the new DS group as a condition, along with any others appropriate.
To insert a new DS group based on event type
Under Policy Conditions in the DS groups view of Event Types, click Insert New DS Group.
In the Insert New DS Group dialog box, select Add by Event Type.
Left-click inside the Event Type field to expose the selections.
Select the event type and, to see all of the event types of this kind, click Search.
Select the events for the DS group:
Click Add Selected.
In the popup that appears, enter the name for the DS group in the Please enter a DS Group name field.
The new DS group appears at the bottom of the Insert New DS Group? dialog box.
In the Conditions section in the top-half of the Policy Configuration page, click Event Types.
In the Policy Conditions section in the bottom-half of the Policy Configuration page, select Taxonomy.
Select a product type from the Product Type list, or choose Any.
Select a Category from the Category list, or choose Any.
Select an appropriate Subcategory, or choose Any.
Click Add New.
Additional conditions that you can configure for external event policies consist of the following:
Select Sensors.
Click one of the sensors in the Sensor list, or click Any to apply the policy to any Deputy capturing the event.
Your selection appears in the white Sensors field in the center.
Select the desired Activity, Priority, Reliability, and Direction in the Reputation Parameters section.
Click Add New.
Click Event Priority.