The Policy View

Applies to Product: USM Appliance™ LevelBlue OSSIM®

USM Appliance allows you to create and manage policy groups for both external and system events. Policy groups contain sets of certain types of policies grouped together to make them easier to manage. You can access the Policy View page by going to Configuration > Threat Intelligence > Policy.

The Policy view has three sections:

  • Default Policy Group — The Default Policy Group includes no predefined policies. This group is used to hold the policies you create to handle external events. External events are processed by USM Appliance Sensors from systems outside your own network.

  • AV Default Policies — The AV Default Policies section filters events from the AVAPI user, a service internal to USM Appliance that performs various system tasks. Because these logs only record system processes, their audience consists primarily of LevelBlue Technical Support. You can filter such events by highlighting the policy and clicking Enable.

    Note: In USM Appliance version 5.3.2 and later, the AVAPI filter policy is enabled by default.

  • Policies for events generated in the server — This policy group includes no predefined policies. This group is used to hold the policies you create to handle system events. System events, also called directive events, include any events generated by USM Appliance Server.

The USM Appliance Policy view includes a set of management options that allow you to manage individual policies within any group.

  • New — Click this button to create a new policy.

  • Modify — Select an existing policy from the list and click this button to modify that policy.

  • Delete Selected — Select an existing policy from the list and click this button to delete it.

  • Duplicate Selected — Select an existing policy from the list and click this button to duplicate it. You can then rename and update the policy as desired and save it.

  • Reload Policies — Restarts the service used to manage the policies. After you modify or reorder policies for external events, you must reload them. Otherwise, the USM Appliance Server won't recognize the changes.

  • Enable/Disable Policy — Select a policy from the list and click this button to enable or disable it.

AlienVault OSSIM Limitations: USM Appliance includes more robust policies built into the environment, but you are allowed to customize and build your own rules based on your needs in LevelBlue OSSIM.