The Source and Destination allows you to define which Assets, Asset Groups, Networks, or Network Groups will be monitored by the policy. This allows you to tailor policies to focus on events on specific assets or networks. You can add multiple sources or destinations to the condition or if you don't want to limit the number of sources or destinations, you can select ANY instead.

In Sheriff CSM versions 5.4 and later, you can select HOME_NET as a source. HOME_NET, as referred to by its policies usage, is defined by the settings in Environment > Assets & Groups > Networks, whereas HOME_NET are the assets not contained in the HOME_NET group. You can select HOME_NET to include all assets that you are monitoring, or you can use !!HOME_NET to exclude all of the assets you are monitoring.

For more detailed instructions, see Configure Source as a Condition or Add New Source or Destination.

Source Ports and Destination Ports define the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports that are monitored by the policy. This allows you to monitor packets sent to and from certain port groups in your network.

For more detailed instructions, see Configure Source or Destination Ports as Conditions.

Event Types allows you to have granular control on which specific kinds of events the policy will look for. Event types are categorized by two groups:

• DS (Data Source) Groups — Define the data sources for events.
• Taxonomy — Defines the types of events.

Event Types — DS Groups

A data source refers to any application or device that generates information which Sheriff CSM can collect and analyze. Sheriff CSM organizes data sources for policies affecting events into Data Source Groups. When assembled into a DS group, it makes it easier to incorporate multiple data sources into one policy.

For information about the use of data source plugins in Sheriff CSM, see Log Collection and Normalization in Sheriff CSM.

When you create policies with a data source in mind, you can limit the event types to best suit the policy. If you are creating a policy for a certain plugin, and are only interested in certain events (such as logins, configuration changes, VPN connections, dropped connections), you can select the event types that are most relevant to associate with the plugin. For more detailed instructions, see Insert a New DS Group Based on Data Sources.

Note: Policies belonging to the Policies for events generated in server policy group can only include DS Groups comprised of system events.

Event Types — Taxonomy

Taxonomy refers to the classification for security events, using a system based on main categories and subcategories. See Sheriff CSM Event Taxonomy for more information.

You can either select general categories, or more specific classifications by relying on the assigned event taxonomies in the database. You can use the Product Type, Category, and Subcategory taxonomy parameters to create a taxonomy condition. Category options change based on which product type is selected. Similarly, the subcategory options change based on which category is selected.

In the example below, only events matching all of the taxonomy parameters would meet the policy condition:

For more detailed instructions, see Configure Taxonomy as a Condition.

When you click Add More Conditions in the bottom-right half of the Policy Conditions page, an additional list of conditions appears.