Policy Order and Grouping

Applies to Product: USM Appliance™ LevelBlue OSSIM®

Policy Order Importance

Policies consist of numbered rules that USM Appliance applies in descending order whenever it processes an event. Similar to the way USM Appliance handles plugin rules, when an event matches a rule, USM Appliance stops looking for other matches, even if they may exist. For this reason, the most specific and restrictive rules should be ordered at the top of the rules list, and generic rules should be ordered at the bottom of the rules list.

In the following example, the second rule is very general, while the third rule is much more specific. Because the general rule matches first, the third rule may never be evaluated. For this reason, you would order the INTERNAL_NMAP rule before the FIREWALL_EVENTS rule.

Default Policy Group illustrating order of rules.
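The following is an added illustration, not USM Appliance code, of the first-match evaluation described above. It models a policy as an ordered list of rules with two hypothetical conditions (source network and plugin), evaluates a constructed internal nmap event against the page's example in both orders, and adds two checks a practitioner would want: rules that can never fire because a more general rule precedes them, and duplicated order IDs. Rule names, conditions and the event are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    order: int                      # position in the policy list; lowest is evaluated first
    name: str
    src_net: Optional[str] = None   # hypothetical condition, e.g. "10.0.0.0/8"; None = any source
    plugin: Optional[str] = None    # hypothetical condition, e.g. "nmap"; None = any plugin

    def matches(self, event: dict) -> bool:
        if self.src_net and ipaddress.ip_address(event["src"]) not in ipaddress.ip_network(self.src_net):
            return False
        return self.plugin is None or event["plugin"] == self.plugin

def first_match(rules, event):
    """Evaluate like USM Appliance: walk rules in order and stop at the first match."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.matches(event):
            return rule.name
    return None

def duplicate_order_ids(rules):
    """Order IDs used by more than one rule (the drag-and-drop problem the page describes)."""
    seen, dups = set(), set()
    for r in rules:
        (dups if r.order in seen else seen).add(r.order)
    return sorted(dups)

def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule matches a superset of their events."""
    ordered = sorted(rules, key=lambda r: r.order)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            net_ok = earlier.src_net is None or (later.src_net is not None and
                ipaddress.ip_network(later.src_net).subnet_of(ipaddress.ip_network(earlier.src_net)))
            if net_ok and earlier.plugin in (None, later.plugin):
                shadowed.append(later.name)
                break
    return shadowed

# Constructed sample policy modelled on the page's example (not a real configuration).
BAD_ORDER = [Rule(1, "AV_DEFAULT", plugin="avapi"),
             Rule(2, "FIREWALL_EVENTS"),                                   # generic: any source, any plugin
             Rule(3, "INTERNAL_NMAP", src_net="10.0.0.0/8", plugin="nmap")]
GOOD_ORDER = [Rule(1, "AV_DEFAULT", plugin="avapi"),
              Rule(2, "INTERNAL_NMAP", src_net="10.0.0.0/8", plugin="nmap"),
              Rule(3, "FIREWALL_EVENTS")]
NMAP_EVENT = {"src": "10.1.2.3", "plugin": "nmap"}   # constructed event from an internal host
```

With BAD_ORDER the nmap event is consumed by FIREWALL_EVENTS and INTERNAL_NMAP is reported as shadowed; with GOOD_ORDER the specific rule fires and the generic rule still catches everything else.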

Reorder Existing Policies

This procedure illustrates how to reorder the sequence in which rules are processed.

To re-order existing policies

  1. Go to Configuration > Threat Intelligence > Policy to view any policies that are configured on your USM Appliance Server.

  2. Move the Default Policy Group scroll bar to the right to see additional settings of the configured policies.

    Policy Group additional settings.

  3. When you drag and drop policies a few times to reorder them, you may accidentally end up with duplicated order IDs.

  4. To correct this, click Reorder Policies.

    Displays location of Policy Reorder link

    An information popup prompts you to confirm your selection:

    Policies are going to be reordered. This action cannot be undone. Are you sure you want to continue?

  5. Click OK.

  6. Click and drag the policy to move it.

Group Policies to Assign a Correlation Context

Policy groups allow you to group policies for administrative purposes, or to assign policies to a correlation context. Correlation context defines the USM Appliance Sensors and the number of other assets on which to perform correlation.

After initial installation, USM Appliance has one pre-configured policy group, AV Default Policies, which filters events from the LevelBlue avapi user. However, you will want to create your own policy groups for different situations.

To create your own policy groups

  1. Go to Configuration > Threat Intelligence > Policy.

  2. Click Edit Policy Groups.
  3. In the Edit Policy Groups popup, click New.

  4. Choose a name for the policy group and assign it to either an entity or a context.

    Note: You can manage entities and contexts under Configuration > Administration > Users > Structure.

AlienVault OSSIM Limitations: USM Appliance includes more robust policies built into the environment, but in LevelBlue OSSIM you can still customize and build your own rules based on your needs.