Policy Conditions

Applies to Product: USM Appliance™ LevelBlue OSSIM®

Set policy conditions to determine which elements of an incoming event USM Appliance will process. You set these conditions when you create a new policy or modify an existing one. You can set a number of conditions for the default policy group, but events generated in the server only use Event Types.

Policy Conditions with Source selected.

The Source and Destination allows you to define which Assets, Asset Groups, Networks, or Network Groups will be monitored by the policy. This allows you to tailor policies to focus on events on specific assets or networks. You can add multiple sources or destinations to the condition or if you don't want to limit the number of sources or destinations, you can select ANY instead.

In USM Appliance versions 5.4 and later, you can select HOME_NET as a source. HOME_NET, as referred to by its policies usage, is defined by the settings in Environment > Assets & Groups > Networks, whereas !HOME_NET are the assets not contained in the HOME_NET group. You can select HOME_NET to include all assets that you are monitoring, or you can use !HOME_NET to exclude all of the assets you are monitoring.

Image of Policy Conditions Sources

For more detailed instructions, see Configure Source as a Condition or Add New Source or Destination .

Source Ports and Destination Ports define the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports that are monitored by the policy. This allows you to monitor packets sent to and from certain port groups in your network.

For more detailed instructions, see Configure Source or Destination Ports as Conditions.

Event Types allows you to have granular control on which specific kinds of events the policy will look for. Event types are categorized by two groups:

  • DS (Data Source) Groups — Define the data sources for events.
  • Taxonomy — Defines the types of events.

Image of Policy Conditions Events

Event Types — DS Groups

A data source refers to any application or device that generates information which USM Appliance can collect and analyze. USM Appliance organizes data sources for policies affecting events into Data Source Groups. When assembled into a DS group, it makes it easier to incorporate multiple data sources into one policy.

For information about the use of data source plugins in USM Appliance, see Log Collection and Normalization in USM Appliance.

When you create policies with a data source in mind, you can limit the event types to best suit the policy. If you are creating a policy for a certain plugin, and are only interested in certain events (such as logins, configuration changes, VPN connections, dropped connections), you can select the event types that are most relevant to associate with the plugin. For more detailed instructions, see Insert a New DS Group Based on Data Sources.

Note: Policies belonging to the Policies for events generated in server policy group can only include DS Groups comprised of system events.

Event Types — Taxonomy

Taxonomy refers to the classification for security events, using a system based on main categories and subcategories. See USM Appliance Event Taxonomy for more information.

You can either select general categories, or more specific classifications by relying on the assigned event taxonomies in the database. You can use the Product Type, Category, and Subcategory taxonomy parameters to create a taxonomy condition. Category options change based on which product type is selected. Similarly, the subcategory options change based on which category is selected.

In the example below, only events matching all of the taxonomy parameters would meet the policy condition:

Policy Conditions section with Taxonomy selected for Event Type.

For more detailed instructions, see Configure Taxonomy as a Condition.

When you click Add More Conditions in the bottom-right half of the Policy Conditions page, an additional list of conditions appears.

The Sensors policy condition identifies the USM Appliance Sensor that is collecting and normalizing an event. This allows youto specify which sensor or sensors are the source for the events identified for processing by the policy. For example, in distributed deployment, you might want to create a policy for events received from only the sensors that are installed at remote locations.

For more detailed instructions, see Configure Sensors as a Condition.

Using Open Threat Exchange Reputation data as a policy condition, you can filter events from either the source or destination IP address of an event with more accuracy. To learn more about IP Reputation in USM Appliance, see OTX IP Reputation Data Correlated with Events.

For more detailed instructions, see Configure Reputation as a Condition.

Using Event Priority as a policy condition, you can filter events that are from a server according to how reliable the events are. Each event has an assigned priority value. This specifies the importance of the event and defines how urgently the event should be investigated. Priority is a numeric value between 1 and 5, where priority event 1 has no importance, and priority event 5 is of critical importance.

You can use greater than (>), less than (<), or equals to (=) when specifying priority or reliability values for events to set thresholds for the parameter.

Time Range sets a period of time in which to match events. When configured, only events that occur during the specified time range are processed by the policy. You can configure the time to a daily, weekly, monthly, or custom time range.

For more detailed instructions, see Configure Time Range as a Condition.

AlienVault OSSIM Limitations: USM Appliance includes more robust policies built into the environment, but you are allowed to customize and build your own rules based on your needs in LevelBlue OSSIM.