Tutorial: Create a Policy to Discard Events

Applies to Product: USM Appliance™, AlienVault OSSIM®

As part of your efforts to reduce the number of events triggered by non-problematic, non-threat occurrences, you might want to create a policy that keeps low-priority events from reaching correlation and triggering alarms. For example, instant messaging programs such as Google Talk and Skype can generate a large number of events simply through normal use. This creates a good deal of "noise" in the USM Appliance system. It is generally unnecessary for USM Appliance to process these sorts of events unless a known vulnerability is associated with them.

This process shows you how to discard any events of this type, using Google Talk as an example.

Create a DS Group to Specify Event Types

To filter Google Talk events by using a policy

  1. Choose Configuration > Threat Intelligence > Policy.

  2. On the Default Policy Group panel, click New.

  3. For the policy conditions Source, Destination, Source Ports, and Destination Ports, choose Any. The policy is then scoped by event type only, which you set in the next steps.

  4. In the Event Types tab, click Insert New DS Group to define the set of events related to Google Talk that the policy should match.

    New Policy window with example of creating data source group.

  5. Enter a DS Group Name, then click Add by Data Source to add event types to the DS group.

  6. Select the AlienVault NIDS data source from the list.

  7. Click the pencil icon to enable editing.

  8. Search for the ET Policy Gmail GTalk event and add it by clicking the plus (+) sign. Only the event types you add here are matched by the policy; if other signatures for the same application are generating noise, add them to the same DS group.

    Insert New DS Group section with ET Policy Gmail gtalk selected.

  9. Click Submit Selection, then click Update and close the Insert New DS Group window.

    The new DS group appears in the policy conditions.

  10. Deselect Any and select the newly created DS group.

Discard Events

Follow the instructions below to discard Google Talk-related events so that risk assessment, logical correlation, cross-correlation, and SQL storage are not performed for them.

Note: Only SIEM processing is skipped. If USM Appliance Logger is set to Yes in the Policy Consequences section, the raw events are still written to the Logger, so they remain available for forensic searches.

To discard Google Talk-related events

  1. In the Policy Consequences section, open the SIEM tab and set SIEM to No.

    Policy Consequences section with SIEM selected.

  2. Enter a name for the policy rule and click UPDATE POLICY.
  3. Click the Reload Policies button on the main policies page. The policy is saved on the previous step but does not take effect until policies are reloaded.
  4. Move the policy to the desired position in the list. Policies are evaluated in order, so the discard policy must sit above any broader policy that would otherwise match the same events. See Policy Order and Grouping for details.
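The following is an added example, not code from the USM Appliance product or its documentation. It models the policy behaviour this tutorial describes so you can reason about it before clicking through the UI: a DS group is a set of (data source, event type) pairs, a policy matches when all its conditions hold, and the SIEM and Logger consequences are decided separately. It assumes first-match, top-down evaluation (the reason step 4 tells you to position the policy), assumes plugin ID 1001 for the AlienVault NIDS data source, and uses constructed signature IDs and sample events rather than the real ET Policy Gmail GTalk rule.

```python
from dataclasses import dataclass
from typing import Optional, Union

ANY = "any"   # the "Any" choice in a policy condition panel

# ASSUMPTION: 1001 is the AlienVault NIDS plugin ID in stock OSSIM; verify
# against your own plugin list. The signature IDs below are CONSTRUCTED for
# this example and are not the real ET Policy Gmail GTalk rule SID.
NIDS_PLUGIN_ID = 1001
GTALK_SID_EXAMPLE = 2000001
SSH_SID_EXAMPLE = 2000002


@dataclass(frozen=True)
class Event:
    plugin_id: int      # data source the event came from
    plugin_sid: int     # event type (signature) within that data source
    src: str
    dst: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class DSGroup:
    """A DS group: the (data source, event type) pairs it contains."""
    name: str
    members: frozenset

    def matches(self, ev: Event) -> bool:
        return (ev.plugin_id, ev.plugin_sid) in self.members


def _cond(value, allowed) -> bool:
    """A condition set to Any matches everything; otherwise test membership."""
    return allowed == ANY or value in allowed


@dataclass(frozen=True)
class Policy:
    name: str
    ds_group: Optional[DSGroup] = None          # None == "Any" event type
    sources: Union[str, frozenset] = ANY
    destinations: Union[str, frozenset] = ANY
    src_ports: Union[str, frozenset] = ANY
    dst_ports: Union[str, frozenset] = ANY
    siem: bool = True       # Policy Consequences > SIEM
    logger: bool = True     # Policy Consequences > USM Appliance Logger

    def matches(self, ev: Event) -> bool:
        return (_cond(ev.src, self.sources)
                and _cond(ev.dst, self.destinations)
                and _cond(ev.src_port, self.src_ports)
                and _cond(ev.dst_port, self.dst_ports)
                and (self.ds_group is None or self.ds_group.matches(ev)))


def apply_policies(policies, ev: Event) -> dict:
    """Walk the policy list top-down; the first matching policy decides.

    ASSUMPTION: first-match semantics. siem=False means no risk assessment,
    correlation or SQL storage for the event; the logger decision is separate.
    """
    for p in policies:
        if p.matches(ev):
            return {"policy": p.name, "siem": p.siem, "logger": p.logger}
    return {"policy": None, "siem": True, "logger": True}   # no match: normal processing


# The tutorial's discard policy: GTalk events only, SIEM off, Logger on.
GTALK_GROUP = DSGroup("GTalk noise", frozenset({(NIDS_PLUGIN_ID, GTALK_SID_EXAMPLE)}))
DISCARD_GTALK = Policy("Discard GTalk", ds_group=GTALK_GROUP, siem=False, logger=True)

# A broader policy that forwards all NIDS event types in this example to SIEM.
NIDS_ALL = DSGroup("All NIDS", frozenset({(NIDS_PLUGIN_ID, GTALK_SID_EXAMPLE),
                                          (NIDS_PLUGIN_ID, SSH_SID_EXAMPLE)}))
FORWARD_NIDS = Policy("Forward NIDS", ds_group=NIDS_ALL, siem=True, logger=True)

# Constructed sample events (not captured traffic).
GTALK_EVENT = Event(NIDS_PLUGIN_ID, GTALK_SID_EXAMPLE, "10.0.0.5", "203.0.113.10", 51234, 5222)
SSH_EVENT = Event(NIDS_PLUGIN_ID, SSH_SID_EXAMPLE, "10.0.0.5", "10.0.0.9", 51235, 22)


def demo() -> dict:
    """The cases a practitioner should check after creating the policy."""
    return {
        # 1. Discard policy alone: GTalk skips SIEM but is still logged.
        "gtalk_discarded": apply_policies([DISCARD_GTALK], GTALK_EVENT),
        # 2. An unrelated event is not affected by the policy.
        "ssh_passes": apply_policies([DISCARD_GTALK], SSH_EVENT),
        # 3. Ordering: a broader policy above the discard rule shadows it...
        "shadowed": apply_policies([FORWARD_NIDS, DISCARD_GTALK], GTALK_EVENT),
        # ...so the discard policy has to sit above it.
        "ordered": apply_policies([DISCARD_GTALK, FORWARD_NIDS], GTALK_EVENT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {result}")
```

The third and fourth cases are the ones that usually go wrong in practice: the discard policy looks correct in isolation, but a broader "forward everything" policy placed above it silently wins, and the noise keeps arriving. Checking the position in the list after Reload Policies is as important as the SIEM=No setting itself.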
