|Applies to Product:||USM Appliance™||AlienVault OSSIM®|
This topic explains how to configure policy conditions for external event policies, using the Default Policy Group section on the Threat Intelligence page. The only difference between conditions for directive event policies versus external event policies is that directive event policies have fewer conditions available.
|Policy Condition||Used for Directive Events?||Definition|
|Source||✓||Assets, asset groups, networks, or network groups as the source of an IP address for the event.|
|Destination||✓||Assets, asset groups, networks, or network groups as the destination of an IP address for the event.|
|Source Port||✓||TCP/UDP source port of an event.|
|Destination Port||✓||TCP/UDP destination port of an event.|
|Event Types||✓||Defines events to be processed by this policy.|
|Sensors|| ||The USM Appliance Sensor that collected and normalized the event.|
|Reputation||✓||IP Reputation of the source or destination IP address of an event.|
|Event priority||✓||Priority and reliability of an event.|
|Time range||✓||A window of time for event matching.|
To configure policy conditions for an external event
- Navigate to Configuration > Threat Intelligence > Policy.
In the Default Policy Group section, click New.
Select one or more conditions that you want to configure for the policy to take effect by doing one of the following:
- On the top half of the policy configuration interface, click on the colored areas under Source, Dest, SRC Ports, Dest Ports, or Event Types to open the configuration area for each condition.
- On the bottom half of the policy configuration interface, click one of the vertical labels for Source, Dest, SRC Ports, Dest Ports, or Event Types to open the configuration area for each condition.
To add a source
Click on Assets, Asset Groups, Networks, or Network Groups and add the desired sources.
You can choose Any as the source condition if you want the policy to apply to any source. You can also choose HOME_NET to include, or !HOME_NET to exclude, all assets that you are monitoring.
The selection then appears in the Source rectangle under Policy Conditions.
To configure Source or Destination Parameters quickly
Click Insert New Host?, Insert New Net?, or Insert New Net Group?
- Fill in all the configuration information for the new asset.
When finished, click Save.
To configure one or more source ports as a condition
Click the colored Src Ports rectangle in the Conditions section of the Policy Configuration page.
Under Policy Conditions at the bottom of the page, the Source Ports window appears.
Click an asset from the Ports Groups tree, or click Any.
Your selection appears under Policy Conditions within the Source Ports window.
To establish a policy for events destined for certain TCP or UDP ports
In the Conditions section of the Policy Configuration page, click Dest Ports.
The Destination Ports condition appears under Policy Conditions, at the page bottom.
Click a port from the Port Groups tree, or click Any if you don't need to restrict the event to a specific port.
Your selection appears in the Destination Ports window.
If you do not see the port group listed, click the Insert New Port Group link to create one.
This procedure configures a condition for both external and directive event policies.
Event Types define the types of events that will be processed by this policy. In USM Appliance, these consist of data source groups and taxonomy.
You configure an event type by adding either a data source group or a taxonomy category to it.
Add a Data Source Group to an Event Type
To add a data source group to an event type
Select the desired data source groups from the DS Groups list by selecting the check box to the left of the group’s name. If the box can't be selected, make sure that you deselect Any.
Find Out About Data Source Groups
To find out the available data source groups
In the Policy Configuration page, click Event Types.
Click View All DS Groups.
To see more information about a DS Group, click the name of the group to expand it and view a concise description. To edit DS Group information, click the pencil icon at the end of its row.
To insert a new DS Group
- Under Policy Conditions in the DS Groups view of Event Types, click Insert New DS Group.
- In the Insert New DS Group dialog box, select Add by Data Source.
- In the list of data sources that displays, click the data source you want to add to the list.
Type a name for the DS Group in the Please enter a DS Group name popup and click OK.
The popup now displays the DS Group you selected, which has a default setting of Any that refers to all of the data sources in that group.
Select which data sources you want to be in the DS Group:
- If you want to accept any data source for the DS Group, click Update.
- If you want to include particular data sources, but not all of them, click the pencil icon at the right side of the Data Source Description.
If you elected to edit the DS Group, in the Insert New DS Group? dialog box, indicate which of the data sources you want to include by clicking the plus (+) next to that data source in the right-hand column.
You can also elect to include all on the list by clicking Add all.
Your selections move to the left-hand column of the dialog box.
- Click Submit Selection.
In the Insert New DS Group? dialog box, add a description of the new DS Group in the Description field and click Update.
The dialog box now shows the entire list of DS groups and reveals details for the DS Group you added, consisting of:
- Data Source ID
- Data Source Name
- Event Types, if any
(Optional) To add another DS Group, click Add New Group.
If you don't need to add another group, close out of the dialog box, which returns you to the Event Types view. Your newly added DS Group appears now as a selection among the DS Groups.
- Select the new DS Group as a condition, along with any others appropriate.
Insert a New DS Group Based on Event Type
To insert a New DS Group Based on Event Type
- Under Policy Conditions in the DS Groups view of Event Types, click Insert New DS Group.
- In the Insert New DS Group dialog box, select Add by Event Type.
Left-click inside the Event Type field to expose the selections.
- Select the event type and, to see all of the event types of this kind, click Search.
Select the events for the DS Group:
- To select all events in the list, select Data Source.
- To select particular event types individually, select the check box next to their IDs.
- Click Add Selected.
Type the name for the DS Group in the Please enter a DS Group name field of the popup of the same name.
The new DS Group appears at the bottom of the Insert New DS Group? dialog box.
- To complete this procedure, refer to steps 5 through 8 of Insert a New DS Group Based on Data Source.
To use taxonomy as a condition
- In the Conditions section in the top half of the Policy Configuration page, click Event Types.
- In the Policy Conditions section in the bottom half of the Policy Configuration page, select Taxonomy.
- Select a product type from the Product Type list, or choose Any.
Select a Category from the Category list, or choose Any.
- Select an appropriate Subcategory, or choose Any.
- Click Add New.
Configure More Conditions
Additional conditions that you can configure for external event policies consist of the following:
- Event Priority
- Time Range
Note: Sensors is the only condition that you cannot use for a policy based on a directive event, since those come through the USM Appliance Server.
To access the additional conditions
- Click Add More Conditions.
To specify a particular USM Appliance Sensor or Any USM Appliance Sensor as a condition for an event
- At the right-hand top of the Policy Conditions half of the Policy Configuration view, click Add More Conditions.
Click one of the sensors within the Sensor list, or click Any to apply the policy to any sensor capturing the event.
Your selection appears within the white Sensors field at center.
By using reputation as a policy condition, you can filter events coming from any of the items in the list with high priority and accuracy.
To add a reputation condition
Select the desired Activity, Priority, Reliability, and Direction in the Reputation Parameters section.
- Activity is the type of malicious activity of an IP address that the policy should match.
- Priority relates to the malicious activity on the part of the IP address. Priority is a number between 1 and 10, where 1 defines a low priority and 10, a high priority.
- Reliability is a number between 1 and 10, where 1 defines a low reliability (False Positive) and 10, a high reliability (attack in progress), as calculated by OTX IP Reputation.
- Direction indicates whether to match the reputation of the source or the destination IP address.
Click Add New.
You can use greater than (>) or less than (<) when specifying Priority or Reliability values as reputation parameters. For example, if you choose Priority < 3 and Reliability > 8, USM Appliance adds all the combinations of qualified priority and reliability values as Reputation Conditions.
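The expansion described above, worked through as an added example (illustrative Python, not AlienVault code). The function names, the event dictionary layout, the "=" operator for a single picked value, the exact-match comparison, and the sample activity name are assumptions made for illustration.

```python
from itertools import product

SCALE = range(1, 11)  # Priority and Reliability both run from 1 to 10

def expand(op, value):
    """Values on the 1-10 scale selected by '<', '>' or '=' (single pick)."""
    if op == "<":
        return [v for v in SCALE if v < value]
    if op == ">":
        return [v for v in SCALE if v > value]
    if op == "=":
        return [value] if value in SCALE else []
    raise ValueError(f"unsupported operator: {op!r}")

def reputation_conditions(activity, direction, priority, reliability):
    """Expand one Reputation Parameters choice into explicit conditions.

    priority and reliability are (operator, value) tuples, e.g. ("<", 3).
    """
    if direction not in ("source", "destination"):
        raise ValueError("direction must be 'source' or 'destination'")
    return [
        {"activity": activity, "direction": direction,
         "priority": p, "reliability": r}
        for p, r in product(expand(*priority), expand(*reliability))
    ]

def matches(event, conditions):
    """Assumed semantics: the reputation of the IP on the chosen side must
    equal one expanded condition exactly."""
    for c in conditions:
        rep = event.get(c["direction"] + "_reputation")
        if rep and all(rep.get(k) == c[k]
                       for k in ("activity", "priority", "reliability")):
            return True
    return False

# Constructed sample event; the activity name is a placeholder value.
SAMPLE_EVENT = {
    "source_reputation": {"activity": "Scanning Host",
                          "priority": 2, "reliability": 9},
    "destination_reputation": None,
}

if __name__ == "__main__":
    conds = reputation_conditions("Scanning Host", "source", ("<", 3), (">", 8))
    for c in conds:
        print(c)
    print("sample event matches:", matches(SAMPLE_EVENT, conds))
```

Priority < 3 with Reliability > 8 yields four conditions (priorities 1 and 2, reliabilities 9 and 10), while a broad choice such as Priority > 1 with Reliability > 1 yields 81, so narrow comparisons keep the Reputation Conditions list reviewable.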
Configure Event Priority as a Condition
You can configure Event Priority as a condition for a policy for an external event. However, only AlienVault partners who have a USM Appliance Federated environment with event forwarding enabled can use this filter. For details, see the Getting Started Wizard.
To add Event Priority as a condition
- Click Event Priority.
- Using the guidelines provided in Policy Conditions, set the event priority and reliability as appropriate, using the list boxes.
You can configure a time range as a condition for a policy for either an external or a directive event.
To add time range as a condition