AlienVault® USM Appliance™

Policy Consequences

Applies to Product: USM Appliance™ AlienVault OSSIM®

You can configure different consequences when creating or modifying a policy. Policy consequences define the ways in which USM Appliance responds to events that trigger the specified policy conditions. You can use consequences to assist you in automatically evaluating elements such as the risk of events, and responding accordingly.

Important: When configuring policy consequences, If you change any of the settings in SIEM, Logger, or Forwarding, they will override the default configurations under Configuration > Deployment > Components > Servers. The new consequence configuration will apply to all events that match the policy's conditions.

Consequences section from Policy.

Actions

Actions are performed when the conditions of the designated policy are met. The default is No Actions.

Click the Actions area (green) to display the corresponding section at the bottom of the page. You need to create the actions first before activating them for your policy. See Create an Action for further information.

SIEM

The SIEM column displays whether or not SIEM processing is active (Yes), or inactive (No). The default is Yes.

Click the SIEM area (green) to display the corresponding section at the bottom of the page. When SIEM processing is set to Yes, you can also modify the individual options.

  • Set Event Priority — Changes the priority assigned by USM Appliance to events matching the policy conditions, scored from 0-5, with 0 being a non-priority and 5 being the highest importance. The default is Do not change.

    Changing the event priority would alter the calculated Risk, therefore turning an event into an alarm, or an alarm into an event.
  • Risk Assessment — Looks at asset value, event priority, and event reliability to evaluate the Risk value of the event. The default is Yes.
  • Logical Correlation — Performs logical correlation as configured in correlation directives. The default is Yes. See also: Correlation Directives.
  • Cross-correlation — Performs cross-correlation related to events. The default is Yes. See also: Cross-Correlation.
  • SQL Storage — Stores events in the SIEM database. The default is Yes.

When only SQL Storage is set to No, it instructs USM Appliance to perform risk assessment and correlation on the event but do to store it in the SIEM database. The benefit is that you will see an alarm triggered by this event if the calculated risk is above 1, but you will not find this event in the database, saving the storage space.

For more detailed instructions, see Adjust SIEM Consequences to Process Events.

Logger

The Logger consequence determines whether the event will be logged and digitally signed. The default is Yes.

In the policy settings, Logger refers to the local logger, which is included in a USM Appliance All-in-One. When Logger is set to Yes in a policy, USM Appliance will store events locally.

  • Line — Digitally signs every log received. This ensures immediate protection from log tampering, but is processing-intensive.
  • Block — Digitally signs a block of logs every hour, or whenever the log file is larger than 100 MB. This is the most commonly used signing approach and meets most compliance requirements, but the unsigned block of logs is not secure from being edited until it is signed.

For more detailed instructions, see Create a Consequence to Log and Sign Events.

Warning: When Logger is set to Yes in a policy consequence, USM Appliance will send all events that match the policy's conditions to the local logger. This takes precedence over what is configured under Configuration > Deployment > Components > Servers (as documented in Configure the USM Appliance Logger after Deployment), but only applies to the events that match the policy's conditions.

Forwarding

The Forwarding consequence determines whether to forward events to another USM Appliance Server or Logger. The default is No.

By changing the Forwarding consequence to Yes, you can configure all or a subset of events to be forwarded to an alternate server, such as a federated server.

For more detailed instructions, see Create a Consequence to Forward Events.

Warning: When Forwarding is set to No in a policy consequence, USM Appliance will NOT forward the events that match the policy's conditions. This takes precedence over what is configured under Configuration > Deployment > Components > Servers (as documented in Configure the USM Appliance Logger after Deployment), but only applies to the events that match the policy's conditions.

AlienVault OSSIM Limitations: USM Appliance includes more robust policies built into the environment, but you are allowed to customize and build your own rules based on your needs in AlienVault OSSIM.