Policy Condition	Used for Directive Events?	Definition
Source		Assets, asset groups, networks, or network groups as the source of an IP address for the event.
Destination		Assets, asset groups, networks, or network groups as the destination of an IP address for the event.
Source Port		TCP/UDP source port of an event.
Destination Port		TCP/UDP destination port of an event.
Event types	✓	Defines events to be processed by this policy. Data sources for events are defined by a data source group. Types of events are defined by taxonomy.
Sensors (Deputies)		The Sheriff CSM Sensor that collected and normalized the event.
Reputation	✓	IP Reputation of the source or destination IP address of an event.
Event priority	✓	Priority and reliability of an event.
Time range	✓	A window of time for event matching.

Create New Policy Conditions

To configure policy conditions for an external event

1. Go to Configuration > Threat Intelligence > Policy.

2. In the Default Policy Group section, click New.

3. Select one or more conditions that you want to configure for the policy to take effect by doing one of the following:

   • On the top half of the policy configuration interface, click on the colored areas under Source, Dest, SRC Ports, Dest Ports, or Event Types to open the configuration area for each condition.
   • On the bottom-half of the policy configuration interface, click one of the vertical labels for Source, Dest, SRC Ports, Dest Ports, or Event Types to open the configuration area for each condition.

Configure Source as a Condition

To add a source

1. Click on Assets, Asset Groups, Networks, or Network Groups and add the desired sources.

2. You can choose Any as the source condition if you want the policy to apply to any source. You can also choose HOME_NET to include, or !HOME_NET to exclude, all assets that you are monitoring.

   The selection then appears in the Source rectangle under Policy Conditions.

Add New Source or Destination

To configure Source or Destination Parameters quickly

1. Click Insert New Host?, Insert New Net?, or Insert New Net Group?

   

2. Fill in all the configuration information for the new asset.

3. When finished, click Save.

Configure Source or Destination Ports as Conditions

To configure one of more source ports as a condition

1. Click the colored Src Ports rectangle in the Conditions section of the Policy Configuration page.

   Under Policy Conditions at the bottom of the page, the Source Ports window appears.

2. Click an asset from the Ports Groups tree, or click Any.

   Your selection appears under Policy Conditions within the Source Ports window.

To establish a policy for events destined for certain TCP or UDP ports

1. In the Conditions section of the Policy Configuration page, click Dest Ports

   The Destination Ports condition appears under Policy Conditions, at the page bottom.

2. Click a port from the Port Groups tree, or click Any if you don't need to restrict the event to a specific port.

   Your selection appears in the Destination Ports window.

   

   If you do not see the port group listed, click the Insert New Port Group link to create one.

Configure an Event Type

This procedure configures a condition for both external and directive event policies.

Event Types define the types of events that will be processed by this policy. In Sheriff CSM, these consist of data source groups and taxonomy.

You configure an event type by adding either a data source (DS) group or a taxonomy category to it.

Add a DS Group to an Event Type

To add a data source group to an event type

• Select the desired data source groups from the DS Groups list by selecting the check box to the left of the group’s name. If the box can't be selected, make sure that you deselect Any.

Find Out About DS Groups

To find out the available data source groups

1. In the Policy Configuration page, click Event Types.

2. Click View All DS Groups.

   To see more information about a DS Group, click the name of the group to expand it and view a concise description. To edit DS Group information, click the pencil icon at the end of its row.

Insert a New DS Group Based on Data Sources

To insert a new DS group

1. Under Policy Conditions in the DS groups view of Event Types, click Insert New DS Group.

2. In the Insert New DS Group dialog box, enter a name for the DS group and select Add by Data Source.

3. In the list that displays, click the data sources you want to add to your DS group.

   The dialog box now displays the data sources you selected.

4. To include all the event types in the selected data sources (default), click Update.

5. Alternatively, if you want to include particular event types, click the pencil icon at the right side of the data source, and complete the following:

   • Click the + icon to select the event types you want to include.
   • You can also use the text box to filter the event types, and then click Add all.

     Note: A maximum of 150 event types can be selected for each data source in any given DS group. Multiple DS groups can be created for policies requiring more than 150 event types.

     

     Your selections move to the left-hand column of the dialog box.

6. Click Submit Selection.

7. Repeat the same steps for the other data sources in the group.

8. Add a description of the new DS Group in the Description field and click Update.

   The dialog box now shows the entire list of DS groups and reveals details for the DS group you added, consisting of the following:

   • Data Source ID
   • Data Source Name
   • Description
   • Event Types

9. (Optional) To add another DS group, click Add New Group.

10. Close the dialog box, which returns you to the Event Types section of the policy. Your newly added DS group appears now as a selection among the DS groups.

11. Select the new DS group as a condition, along with any others appropriate.

Insert a New DS Group Based on Event Types

To insert a New DS Group Based on Event Type

1. Under Policy Conditions in the DS groups view of Event Types, click Insert New DS Group.

2. In the Insert New DS Group dialog box, select Add by Event Type.

3. In the Event Type field, left-click inside of it to expose the selections.

4. Select the event type and, to see all of the event types of this kind, click Search.

5. Select the events for the DS group:

   • To select all events in the list, select Data Source.
   • To select particular event types individually, select the check box next to their IDs.

6. Click Add Selected.

7. Enter the name for the DS group In the Please enter a DS Group name field of the popup of the same name.

   The new DS group appears at the bottom of the Insert New DS Group? dialog box.

8. To complete this procedure, refer to steps 5 through 8 of Insert a New DS Group Based on Data Sources.

Configure Taxonomy as a Condition

To use taxonomy as a condition

1. In the Conditions section in the top-half of the Policy Configuration page, click Event Types.

2. In the Policy Conditions section in the bottom-half of the Policy Configuration page, select Taxonomy.

3. Select a product type from the Product Type list, or choose Any.

4. Select a Category from the Category list, or choose Any.

5. Select an appropriate Subcategory, or choose Any.

6. Click Add New.

Configure More Conditions

Additional conditions that you can configure for external event policies consist of the following:

• Sensors
• Reputation
• Event Priority
• Time Range

Note: Sensors are the only condition that you cannot use for a policy based on a directive event, since those come through the Sheriff CSM Server.

To access the additional conditions

• Click Add More Conditions.

Configure Sensors as Condition

To specify a particular Sheriff CSM Sensor or Any Sheriff CSM Sensor as a condition for an event

1. At the right-hand top of the Policy Conditions half of the Policy Configuration view, click Add More Conditions.

2. Select Sensors.

3. Click one of the Sensor within the Sensor list, or click Any to apply the policy to any Deputy capturing the event.

   Your selection appears within the white Sensors field at center.

Configure Reputation as a Condition

By using reputation as a policy condition, you can filter events coming from any of the items in the list with high priority and accuracy.

You can use greater than (>) or less than (<) when specifying Priority or Reliability values as reputation parameters. For example, if you choose Priority < 3 and Reliability > 8, Sheriff CSM adds all the combinations of qualified priority and reliability values as Reputation Conditions.

To add a reputation condition

1. Select the desired Activity, Priority, Reliability, and Direction in the Reputation Parameters section.

   • Activity is the type of malicious activity of an IP address that the policy should match.
   • Priority relates to the malicious activity on the part of the IP address. Priority is a number between 1 and 10, where 1 defines a low priority and 10, a high priority..
   • Reliability is a number between 1 and 10, where 1 defines a low reliability (False Positive) and 10, a high reliability (attack in progress), as calculated by OTX IP Reputation.
   • Direction indicates whether or not to match the reputation of the source or destination IP address.

2. Click Add New.

Configure Event Priority as a Condition

You can configure Event Priority as a condition for a policy for an external event. However, only Sheriff partners and who have a Sheriff CSM Federated environment with event forwarding enabled, can use this filter. For details, see the Getting Started Wizard.

To add Event Priority as a condition

1. Click Event Priority.

2. Using the guidelines provided in Policy Conditions, set the event priority and reliability as appropriate, using the list boxes.

Configure Time Range as a Condition

You can configure a time range as a condition for a policy for either an external or a directive event.

To add time range as a condition

1. Click Time Range.

2. Fill out the frequency, time zone, and start and end dates and times for the events.