Applies to Product: USM Appliance™, AlienVault OSSIM®
Set policy conditions to determine which elements of an incoming event USM Appliance will process. You set these conditions when you create a new policy or modify an existing one. You can set a number of conditions for the default policy group, but events generated in the server only use Event Types.
The Source and Destination conditions let you define which Assets, Asset Groups, Networks, or Network Groups the policy monitors, so you can tailor a policy to focus on events involving specific assets or networks. You can add multiple sources or destinations to the condition, or select ANY if you do not want to limit the sources or destinations.
In USM Appliance versions 5.4 and later, you can select HOME_NET as a source. HOME_NET, as used in policies, is defined by the settings in Environment > Assets & Groups > Networks, and !HOME_NET matches the assets not contained in the HOME_NET group. Select HOME_NET to include all assets that you are monitoring, or !HOME_NET to exclude all of the assets you are monitoring.
Source Ports and Destination Ports define the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports that are monitored by the policy. This allows you to monitor packets sent to and from certain port groups in your network.
Event Types gives you granular control over which specific kinds of events the policy looks for. Event types are categorized in two groups:
- DS (Data Source) Groups — Define the data sources for events.
- Taxonomy — Defines the types of events.
Event Types — DS Groups
A data source refers to any application or device that generates information which USM Appliance can collect and analyze. USM Appliance organizes data sources for policies affecting events into Data Source Groups. Assembling data sources into a DS group makes it easier to incorporate multiple data sources into one policy.
For information about the use of data source plugins in USM Appliance,
When you create policies with a data source in mind, you can limit the event types to best suit the policy. If you are creating a policy for a certain plugin, and are only interested in certain events (such as logins, configuration changes, VPN connections, dropped connections), you can select the event types that are most relevant to associate with the plugin. For detailed instructions, see Create a DS Group to Specify Event Types.
Note: Policies belonging to the Policies for events generated in server policy group can only include DS Groups comprised of system events.
Event Types — Taxonomy
Taxonomy refers to the classification for security events, using a system based on main categories and subcategories. See USM Appliance Event Taxonomy for more information.
You can either select general categories, or more specific classifications by relying on the assigned event taxonomies in the database. You can use the Product Type, Category, and Subcategory taxonomy parameters to create a taxonomy condition. Category options change based on which product type is selected. Similarly, the subcategory options change based on which category is selected.
In the example below, only events matching all of the taxonomy parameters would meet the policy condition:
When you click Add More Conditions in the bottom-right half of the Policy Conditions page, an additional list of conditions appears.
The Sensors policy condition identifies the USM Appliance Sensor that is collecting and normalizing an event. This allows you to specify which sensor or sensors are the source for the events identified for processing by the policy. For example, in a distributed deployment, you might want to create a policy for events received only from the sensors that are installed at remote locations.
Using Open Threat Exchange Reputation data as a policy condition, you can filter events more accurately based on the reputation of either the source or destination IP address of an event. To learn more about IP Reputation in USM Appliance, see OTX IP Reputation Data Correlated with Events.
Reputation has four parameters that let you specify these event characteristics:
- Activity — Type of malicious activity of an IP address that the policy should match.
- Priority — Priority of malicious activity on the part of the IP address. Priority is a number between 1 and 10, where 1 defines a low priority and 10, a high priority.
- Reliability — Accuracy of an IP address reported as malicious. Reliability is a number between 1 and 10, where 1 defines a low reliability (false positive) and 10, a high reliability (attack likely in progress), as calculated by OTX IP Reputation.
- Direction — Matches the reputation of the source or destination IP address.
You can use greater than (>) or less than (<) when specifying Priority or Reliability values as reputation parameters. For example, if you choose Priority < 3 and Reliability > 8, and then click Add New, USM Appliance adds all the combinations of qualified priority and reliability values as Reputation Conditions.
Using Event Priority as a policy condition, you can filter events that are from a server according to how reliable the events are. Each event has an assigned priority value, which specifies the importance of the event and defines how urgently the event should be investigated. Priority is a numeric value between 1 and 5, where priority 1 has no importance and priority 5 is of critical importance.
You can use greater than (>), less than (<), or equals to (=) when specifying priority or reliability values for events to set thresholds for the parameter.
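The way these conditions combine can be made concrete with a small model. This is an added example, not USM Appliance code: the HOME_NET ranges, the policy and event dictionaries and their field names are constructed for illustration. It evaluates a policy's Source/Destination (including HOME_NET and !HOME_NET), Destination Port, OTX Reputation and Event Priority conditions against a normalized event, and shows how Priority < 3 and Reliability > 8 expand into every qualifying pair, as Add New does:

```python
import ipaddress
from itertools import product

# Constructed sample HOME_NET (the networks defined under Environment > Assets & Groups > Networks)
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
OPS = {"<": lambda x, v: x < v, ">": lambda x, v: x > v, "=": lambda x, v: x == v}

def matches_address(selector, ip):
    """Source/Destination selector: ANY, HOME_NET, !HOME_NET, or a literal CIDR."""
    addr = ipaddress.ip_address(ip)
    if selector == "ANY":
        return True
    if selector in ("HOME_NET", "!HOME_NET"):
        inside = any(addr in net for net in HOME_NET)
        return inside if selector == "HOME_NET" else not inside
    return addr in ipaddress.ip_network(selector)

def expand_reputation(pri_op, pri_val, rel_op, rel_val):
    """'Priority < 3 and Reliability > 8' expands to every qualifying (priority, reliability)
    pair on the 1..10 OTX scales, which is what Add New stores as Reputation Conditions."""
    pri = [p for p in range(1, 11) if OPS[pri_op](p, pri_val)]
    rel = [r for r in range(1, 11) if OPS[rel_op](r, rel_val)]
    return sorted(product(pri, rel))

def event_matches(policy, event):
    """Every configured condition must hold (AND); a missing condition is a wildcard."""
    if not matches_address(policy.get("source", "ANY"), event["src_ip"]):
        return False
    if not matches_address(policy.get("destination", "ANY"), event["dst_ip"]):
        return False
    ports = policy.get("dst_ports")
    if ports and event["dst_port"] not in ports:
        return False
    rep = policy.get("reputation")
    if rep:  # Direction chooses which IP's OTX (priority, reliability) is compared
        observed = event.get("reputation", {}).get(policy["reputation_direction"])
        if observed not in rep:
            return False
    prio = policy.get("event_priority")  # e.g. (">", 2) on the 1..5 event priority scale
    if prio and not OPS[prio[0]](event["priority"], prio[1]):
        return False
    return True

# Constructed policy: traffic from outside HOME_NET into HOME_NET on 22 or 3389, source IP
# flagged by OTX with Priority < 3 and Reliability > 8, and event priority above 2.
POLICY = {
    "source": "!HOME_NET", "destination": "HOME_NET", "dst_ports": {22, 3389},
    "reputation": set(expand_reputation("<", 3, ">", 8)), "reputation_direction": "source",
    "event_priority": (">", 2),
}
```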
Time Range sets a period of time in which to match events. When configured, only events that occur during the specified time range are processed by the policy. You can configure the time to a daily, weekly, monthly, or custom time range.
AlienVault OSSIM Limitations: USM Appliance includes more robust policies built into the environment, but you are allowed to customize and build your own rules based on your needs in AlienVault OSSIM.