
Sheriff CSM™

The Policy View

Sheriff CSM allows you to create and manage policy groups for both external and system events. Policy groups contain sets of certain types of policies grouped together to make them easier to manage. You can access the Policy View page by going to Configuration > Threat Intelligence > Policy.

The Policy view has three sections:
  • Default Policy Group — The Default Policy Group includes no predefined policies. This group is used to hold the policies you create to handle external events. External events are processed by Sheriff CSM Sensor (Deputies) from systems outside your own network.
  • AV Default Policies — The AV Default Policies section filters events from the AVAPI user, a service internal to Sheriff CSM that performs various system tasks. Because these logs only record system processes, their audience consists primarily of Sheriff Technical Support. You can filter such events by highlighting the policy and clicking Enable.

    Note: In Sheriff CSM version 5.3.2 and later, the AVAPI filter policy is enabled by default.

  • Policies for events generated in the server — This policy group includes no predefined policies. This group is used to hold the policies you create to handle system events. System events, also called directive events, include any events generated by Sheriff CSM Server.

The Sheriff CSM Policy view includes a set of management options that allow you to manage individual policies within any group.
  • New — Click this button to create a new policy.

  • Modify — Select an existing policy from the list and click this button to modify that policy.

  • Delete Selected — Select an existing policy from the list and click this button to delete it.

  • Duplicate Selected — Select an existing policy from the list and click this button to duplicate it. You can then rename and update the policy as desired and save it.

  • Reload Policies — Restarts the service used to manage the policies. After you modify or reorder policies for external events, you must reload them. Otherwise, the Sheriff CSM Server won't recognize the changes.

  • Enable/Disable Policy — Select a policy from the list and click this button to enable or disable it.

Sheriff Vigilante Limitations: Sheriff CSM includes more robust policies built into the environment; in Sheriff Vigilante, you can instead customize and build your own rules based on your needs.
Topic revision: r9 - 23 Sep 2021, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.