Documentation Center
AlienVault® USM Appliance™

Create Policy Consequences

Applies to Product: USM Appliance™ AlienVault OSSIM®

Policy Consequences are the final component to creating a policy, after Create a New Policy and Create Policy Conditions. Policy Consequences are assigned at the bottom of the policy page.

External event consequences can consist of any of the following:

For explanations of each consequence, see Policy Consequences.

Note: For a directive event, the Logger cannot be configured as a consequence.

Create an Action as a Consequence to a Policy

This task assumes that you or someone else has already created an action that you can reference. For instructions on how to create an action, see Create an Action.

To create an Action consequence

  1. Go to Configuration > Threat Intelligence > Policy.
  2. Under Actions, select the action from the Available Actions, at right, and add it by clicking the plus (+) sign, or by dragging it to the Active Actions section.

    Figure: Policy Consequences section with send_email highlighted for Actions.

    Now the action you selected appears in the Actions area of Consequences at the top of the page.

    Note: You may assign more than one consequence to a policy. For details, see Create SIEM Consequences to a Policy Condition and Create a Consequence to Log and Sign an Event.

  3. Type a name in the Policy Rule Name field and click Update Policy.
  4. Click Reload Policies.

Figure: Policy page with Reload Policies highlighted.

Create SIEM Consequences to a Policy Condition

You can choose to make a SIEM consequence for a deeper control over risk assessment, event priority, and correlations. For more details on SIEM as a policy consequence, see SIEM in Policy Consequences.

To create a SIEM consequence to a policy condition

  1. Go to Configuration > Threat Intelligence > Policy and, under Consequences, click on SIEM.

    A SIEM window opens under Policy Consequences at the bottom of the page.

  2. Fill out the form as appropriate.

    1. SIEM — Select Yes for SIEM as a consequence.
    2. Event Priority — From the Event Priority list, select the priority you want USM Appliance to assign to such events. Event priority is from 1 to 5, with 1 being minor and 5 being major, or an attack in progress.
    3. Risk Assessment — Indicate whether or not you want USM Appliance to perform risk assessment as a consequence of this policy by selecting Yes or No.

      Risk assessment looks at asset value, event priority, and event reliability. It then assigns a risk based on the value of the asset and type of event.

    4. Logical Correlation — Indicate whether or not you want to use logical correlation by selecting Yes or No.

      You use this to create new events from multiple events found by detectors and monitors. These are configured using correlation directives (logical trees combining individual events). Each new event has assigned priority and reliability values defined by one directive.

    5. Cross-Correlation — Indicate whether or not you want to enable cross-correlation by selecting Yes or No.

    6. SQL Storage — Indicate whether or not you want to enable SQL storage by selecting Yes or No.

      Events detected or generated by USM Appliance are stored in the SQL database by default. Enabling SQL storage means that events matching a policy setting should be stored in the SQL database as well.

      Note: It is not required nor desirable for all events to be stored in the database.

    Now the SIEM parameters you selected appear in the SIEM area of Consequences at the top of the page.

  3. (Optional) If you plan to create an action as an additional consequence to your policy, follow the steps in Create an Action as a Consequence to a Policy.

    Note: You may assign more than one consequence to a policy.

  4. Type a name in the Policy Rule Name field and click Update Policy.
  5. Click Reload Policies.
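The following is an added illustration, not code from USM Appliance: a small model of how the SIEM consequence fields above (SIEM Yes/No, Event Priority, Risk Assessment, SQL Storage) change a matching event. The risk formula (asset value × priority × reliability / 25, on a 0 to 10 scale) comes from AlienVault's risk-assessment documentation rather than this page; rounding down to an integer and the sample event are this example's own assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple, Dict

@dataclass(frozen=True)
class SiemConsequence:
    # Mirrors the form fields in the SIEM consequence window (constructed model).
    enabled: bool = True                   # SIEM: Yes / No
    event_priority: Optional[int] = None   # 1 (minor) .. 5 (major); None keeps the event's own
    risk_assessment: bool = True           # Risk Assessment: Yes / No
    sql_storage: bool = True               # SQL Storage: Yes / No

@dataclass(frozen=True)
class Event:
    name: str
    priority: int        # 1..5, as the page describes
    reliability: int     # 0..10, confidence the detector assigns to the signature
    asset_value: int     # 0..5, value of the asset involved
    risk: Optional[int] = None

def compute_risk(asset_value: int, priority: int, reliability: int) -> int:
    # Assumed formula (AlienVault risk assessment): asset * priority * reliability / 25,
    # clamped to 0..10. Integer rounding down is this example's choice.
    risk = (asset_value * priority * reliability) // 25
    return max(0, min(10, risk))

def apply_siem_consequence(event: Event, cons: SiemConsequence) -> Tuple[Optional[Event], Dict[str, bool]]:
    """Return the event as the SIEM would carry it on, plus the storage decision."""
    if not cons.enabled:
        # SIEM: No means the event is dropped from SIEM processing entirely,
        # so neither priority override, risk nor SQL storage apply.
        return None, {"siem": False, "sql_storage": False}
    priority = cons.event_priority if cons.event_priority is not None else event.priority
    if not 1 <= priority <= 5:
        raise ValueError("event priority must be between 1 and 5")
    risk = compute_risk(event.asset_value, priority, event.reliability) if cons.risk_assessment else None
    return replace(event, priority=priority, risk=risk), {"siem": True, "sql_storage": cons.sql_storage}

if __name__ == "__main__":
    # Constructed sample: a low-priority event from a reliable signature on a valuable asset.
    sample = Event("constructed: repeated failed logins", priority=2, reliability=8, asset_value=4)
    print(apply_siem_consequence(sample, SiemConsequence(event_priority=5)))
```

Raising Event Priority from 2 to 5 on this sample lifts the computed risk from 2 to 6, which is the lever the page describes for deeper control over risk assessment.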

Create a Consequence to Log and Sign an Event

By adding a log consequence to your policy, events processed by policies will be sent to the Logger for analysis, compliance, and archiving purposes.

To enable the USM Appliance Logger to log events processed by specific policies

  1. Go to Configuration > Threat Intelligence > Policy and, under Consequences, click the colored Logger section.

    A Logger window opens under Policy Consequences at the bottom of the page.

  2. To enable the Logger to record events caught by your policy, select Yes.

    Next to Sign, you can see that either Line or Block is selected. (For a detailed explanation of what these do, see Logger in Policy Consequences.)

    If you want a particular log signing method as a consequence, you must have configured this first in the USM Appliance Server. The Logger setting on the Consequences page can only reflect what has been configured there.

  3. (Optional) If you plan to create an action as an additional consequence to your policy, follow the steps in Create an Action as a Consequence to a Policy.

    Note: You may assign more than one consequence to a policy.

  4. Type a name in the Policy Rule Name field and click Update Policy.
  5. Click Reload Policies.

Create a Consequence to Forward an Event

Normally, all events are forwarded to one USM Appliance Server. By enabling the Forwarding consequence, you instruct USM Appliance to forward a subset of events, for example, from a remote USM Appliance Server, to a headquarters USM Appliance Server.

To enable event forwarding

  1. Go to Configuration > Threat Intelligence > Policy and, under Consequences, click the colored Forwarding section.

    A Forwarding window opens under Policy Consequences at the bottom of the page.

  2. Select Yes to enable forwarding or No to disable forwarding.

    If you select Yes, then select the server you want to forward to.

  3. If you plan to create an action as an additional consequence to your policy, follow the steps in Create an Action as a Consequence to a Policy.

    Note: You may assign more than one consequence to a policy.

  4. Type a name in the Policy Rule Name field and click Update Policy.
  5. Click Reload Policies.