Documentation Center
AlienVault® USM Appliance™

Policy Consequences

Applies to Product: USM Appliance™ AlienVault OSSIM®

Policy consequences define how USM Appliance responds to events that match the conditions of a policy. You can use consequences to automate tasks such as evaluating the risk of matching events and responding accordingly.

Consequences section from Policy.

Actions

Actions are performed when the conditions of the designated policy are met. Click the Actions area (green) to display the corresponding section at the bottom of the page. You need to create the actions first before activating them for your policy. See Create an Action for further information.

SIEM

The SIEM column displays whether SIEM processing is active (Yes) or inactive (No). Click the SIEM area (green) to display the corresponding section at the bottom of the page.

When SIEM processing is set to Yes, you can also modify the individual options.

  • Set Event Priority — Changes the priority that USM Appliance assigns to events matching the policy conditions. Priority is scored from 0 to 5, with 0 meaning no priority and 5 the highest importance.

    Changing the event priority changes the calculated Risk, which can turn an event into an alarm, or stop an event that would otherwise have become an alarm from doing so.
  • Risk Assessment — Looks at asset value, event priority, and event reliability to evaluate the Risk value of the event.
  • Logical Correlation — Performs logical correlation as configured in correlation directives. See also: Correlation Directives.
  • Cross-correlation — Performs cross-correlation related to events. See also: Cross-Correlation.
  • SQL Storage — Stores events in the SIEM database.

When only SQL Storage is set to No, USM Appliance still performs risk assessment and correlation on the event but does not store it in the SIEM database. The benefit is that you will still see an alarm triggered by this event if its calculated risk reaches the alarm threshold (a risk of 1 or higher), but you will not find the event itself in the database, which saves storage space.

Alternatively, you can also turn off SIEM processing. See Tutorial: Configure a Policy to Discard Events for a concrete example.
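The following is an added example, not code from USM Appliance or its documentation: a small model of the SIEM consequence and its options as described above, used to show what happens to one event when Set Event Priority is raised and when SQL Storage is turned off. It assumes the risk formula that USM Appliance documents under Risk Assessment (risk = asset value × priority × reliability / 25, alarm when the risk is 1 or higher); that formula is not stated on this page. The event, its values, and the consequence combinations are constructed for the example.

```python
"""Added example (not USM Appliance code): model the SIEM consequence options.

Assumption: risk = asset_value * priority * reliability / 25, alarm at risk >= 1,
as documented for USM Appliance risk assessment (not stated on this page).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    name: str
    asset_value: int   # 0-5, from the asset inventory
    priority: int      # 0-5, as assigned by USM Appliance before any policy
    reliability: int   # 0-10, from the plugin SID


@dataclass(frozen=True)
class SiemConsequences:
    """The SIEM consequence and its individual options, as listed on the page."""
    siem: bool = True
    set_priority: Optional[int] = None   # None = keep the event's own priority
    risk_assessment: bool = True
    logical_correlation: bool = True
    cross_correlation: bool = True
    sql_storage: bool = True


@dataclass(frozen=True)
class Outcome:
    priority: int
    risk: Optional[float]   # None when risk assessment did not run
    alarm: bool             # would this event raise an alarm?
    stored: bool            # does it land in the SIEM database?
    correlated: bool        # did any correlation engine see it?


def risk_score(asset_value: int, priority: int, reliability: int) -> float:
    """Assumed USM risk formula; the product displays it as an integer 0-10."""
    return asset_value * priority * reliability / 25


def apply_siem(event: Event, c: SiemConsequences) -> Outcome:
    """Apply the SIEM consequence of a matching policy to one event."""
    if not c.siem:
        # SIEM processing off: no risk, no alarm, no correlation, no storage.
        return Outcome(event.priority, None, False, False, False)
    priority = c.set_priority if c.set_priority is not None else event.priority
    risk = None
    if c.risk_assessment:
        risk = risk_score(event.asset_value, priority, event.reliability)
    alarm = risk is not None and risk >= 1
    correlated = c.logical_correlation or c.cross_correlation
    # SQL Storage only decides whether the event is written to the database;
    # the alarm, if any, is still raised. That is the trade-off the page describes.
    return Outcome(priority, risk, alarm, c.sql_storage, correlated)


if __name__ == "__main__":
    # Constructed event: a low-priority failed login on a mid-value asset.
    ev = Event("ssh-failed-login", asset_value=2, priority=1, reliability=5)
    for label, cons in [
        ("default", SiemConsequences()),
        ("priority raised to 4", SiemConsequences(set_priority=4)),
        ("priority 4, SQL Storage off", SiemConsequences(set_priority=4, sql_storage=False)),
        ("SIEM off", SiemConsequences(siem=False)),
    ]:
        print(f"{label:28s} -> {apply_siem(ev, cons)}")
```

Running the script shows the same event staying below the alarm threshold at its default priority (risk 0.4), crossing it once the policy sets the priority to 4 (risk 1.6), still alarming with SQL Storage off but no longer being stored, and producing nothing at all once SIEM processing is turned off.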

Logger

The Logger consequence determines whether the event will be logged and digitally signed. In the policy settings, Logger always refers to the local logger, and not the remote logger.

  • Line — Digitally signs every log line as it is received. This gives immediate protection against log tampering, but is processing-intensive.
  • Block — Digitally signs a block of logs every hour, or whenever the log file grows beyond 100 MB. This is the most commonly used signing approach and meets most compliance requirements, but the lines in the current block can still be edited without detection until that block is signed.
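The following is an added example, not USM Appliance code: a toy model of the Line and Block signing options above, built to show the window in which a Block-signed log can be edited without detection. Signing is modelled with HMAC-SHA256 under a constructed key; USM Appliance uses its own signing mechanism and keys, which this page does not describe, and the hourly timer is modelled by calling `seal()` explicitly. The log lines are constructed.

```python
"""Added example (not USM Appliance code): Line vs Block log signing.

Assumptions: HMAC-SHA256 under a constructed key stands in for the logger's
real signing; the hourly timer is modelled by an explicit seal() call.
"""
import hashlib
import hmac
from typing import List, Tuple

KEY = b"constructed-example-key"   # assumption: stands in for the logger's real key


def sign(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


class LineSignedLog:
    """Line mode: every line is signed as soon as it is received."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, str]] = []   # (line, signature)

    def append(self, line: str) -> None:
        self.entries.append((line, sign(line.encode())))

    def tampered_lines(self) -> List[int]:
        """Indexes of lines whose content no longer matches their signature."""
        return [i for i, (line, sig) in enumerate(self.entries)
                if not hmac.compare_digest(sign(line.encode()), sig)]


class BlockSignedLog:
    """Block mode: lines accumulate unsigned until the block is sealed, which
    happens on a timer (hourly) or when the block reaches block_bytes."""

    def __init__(self, block_bytes: int = 100 * 1024 * 1024) -> None:
        self.block_bytes = block_bytes
        self.pending: List[str] = []                    # not yet signed: editable
        self.blocks: List[Tuple[List[str], str]] = []   # (lines, signature)

    def append(self, line: str) -> None:
        self.pending.append(line)
        if sum(len(l) + 1 for l in self.pending) >= self.block_bytes:
            self.seal()

    def seal(self) -> None:
        """Sign everything pending; called by the hourly timer or on size."""
        if self.pending:
            self.blocks.append((self.pending, sign("\n".join(self.pending).encode())))
            self.pending = []

    def tampered_blocks(self) -> List[int]:
        """Indexes of sealed blocks that fail verification. Pending lines have
        no signature yet, so an edit made to them cannot be detected."""
        return [i for i, (lines, sig) in enumerate(self.blocks)
                if not hmac.compare_digest(sign("\n".join(lines).encode()), sig)]


def edit_detected(mode: str, edit_before_seal: bool) -> bool:
    """Forge the second constructed log line and report whether it is noticed."""
    lines = ["sshd: Failed password for root from 203.0.113.7",
             "sshd: Accepted password for admin from 203.0.113.7",
             "sudo: admin : TTY=pts/0 ; COMMAND=/bin/bash"]
    forged = "sshd: Accepted password for admin from 198.51.100.1"
    if mode == "line":
        log = LineSignedLog()
        for l in lines:
            log.append(l)
        log.entries[1] = (forged, log.entries[1][1])   # new content, old signature
        return bool(log.tampered_lines())
    blog = BlockSignedLog()
    for l in lines:
        blog.append(l)
    if edit_before_seal:
        blog.pending[1] = forged    # edit inside the unsigned window
        blog.seal()                 # the forged content gets signed as genuine
    else:
        blog.seal()
        blog.blocks[0][0][1] = forged   # edit after signing: breaks the signature
    return bool(blog.tampered_blocks())


if __name__ == "__main__":
    for mode, before in [("line", True), ("block", True), ("block", False)]:
        when = "before seal" if before else "after seal"
        print(f"{mode:5s} mode, edit {when}: detected = {edit_detected(mode, before)}")
```

The block-mode case with the edit made before `seal()` is the one the page warns about: the forged line is signed along with the rest of the block, so later verification passes. Per-line signing closes that window at the cost of one signature per received line.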

Forwarding

Forwards events to other USM Appliance Servers.

All events are forwarded to one USM Appliance Server by default. You can use forwarding consequences to configure a subset of events to be forwarded from a remote server to an alternate server, such as a federated server.

Having Logger set to Yes and Forwarding set to No sends all matching events to the local logger. For every event that falls under the policy's conditions, this takes precedence over what is configured in the Servers tab (as set up in the Configure the USM Appliance Logger after Deployment chapter).

AlienVault OSSIM Limitations: USM Appliance includes more robust built-in policies, but in AlienVault OSSIM you can still customize and build your own rules based on your needs.