This is the final task in the process of creating a new policy.
You should have already completed Creating a New Policy, on page 132, and Creating Policy Conditions.
There must already be at least one action in the system before you can create a policy: unless you can link the policy to an action, you cannot complete its creation. See Creating an Action for an External Event.
External event consequences can consist of any of the following:
• Actions—Creating an Action as a Consequence to a Policy
• SIEM—Creating SIEM Consequences to a Policy Condition, on page 147
• Logger—Creating a Consequence to Log and Sign an Event, on page 148
• Forwarding—Creating a Consequence to Forward an Event
Note: For a directive event, the Logger cannot be configured as a consequence.
For explanations of each consequence, see the table Policy consequences, on page 123.
To open a dialog box for external event policy consequences
• Click within the colored panel that corresponds to the type of consequence you want to assign (right-hand section of the upper half of the Policy Configuration page).
or
• Click Policy Consequences (bottom left), then click any of the vertical Actions, SIEM, Logger, or Forwarding labels to open the configuration area for that consequence.
Creating an Action as a Consequence to a Policy
This task links an existing action to the policy as a consequence, which is the most commonly chosen option.
It assumes that you or someone else has already created an action that you can reference.
For instructions on how to create an action, see Creating an Action for an External Event.
To create an Action consequence
1. Go to Configuration > Threat Intelligence > Policy.
2. Under Actions (bottom of the page), select the action from the Available Actions, at right, and add it by clicking the plus (+) sign, or by dragging it to the Active Actions section.
Now the action you selected appears in the Actions area of Consequences at the top of the page.
Note: You may assign more than one consequence to an event policy. For details, see Creating SIEM Consequences to a Policy Condition, on page 147, and Creating a Consequence to Log and Sign an Event, on page 148.
3. Type a name in the Policy Rule Name field and click Update Policy.
4. Click Reload Policies (in red).
You have just completed creation of an external event policy.
Creating SIEM Consequences to a Policy Condition
SIEM is a very powerful consequence. For a discussion of its usefulness, see Policy consequences, on page 123.
To create a SIEM consequence to a policy condition
1. Go to Configuration > Threat Intelligence > Policy and, under Consequences, click on SIEM.
A SIEM window opens under Policy Consequences at the bottom of the page.
2. Fill out the form as appropriate.
a. SIEM—Select Yes for SIEM as a consequence. (Yes is the default.)
b. Event Priority—From the Event Priority list, select the priority you want USM to assign to events matched by this policy. Event priority ranges from 1 to 5, where 1 is minor and 5 is major, such as an attack in progress.
c. Risk Assessment—Indicate whether or not you want USM to perform risk assessment as a consequence of this policy by selecting Yes or No.
Risk assessment combines asset value, event priority, and event reliability: the risk assigned to an event is a function of the value of the affected asset and the priority and reliability of the event type.
d. Logical Correlation—Indicate whether or not you want to use logical correlation by selecting Yes or No.
Logical correlation creates new events from multiple events found by detectors and monitors.
These are configured using correlation directives (logical trees combining individual events).
Each new event is assigned the priority and reliability values defined by the directive that generated it.
e. Cross-Correlation—Indicate whether or not you want to enable cross-correlation by selecting Yes or No.
f. SQL Storage—Indicate whether or not you want to enable SQL storage by selecting Yes or No.
Events detected or generated by USM are stored in the SQL database by default. Enabling SQL storage here means that events matching this policy are also stored in the SQL database.
Note: It is neither required nor desirable for all events to be stored in the database.
Now the SIEM parameters you selected appear in the SIEM area of Consequences at the top of the page.
3. (Optional) If you plan to create an action as an additional consequence to your policy, follow the steps in Creating an Action as a Consequence to a Policy, on page 145.
Note: You may assign more than one consequence to an event policy.
4. Type a name in the Policy Rule Name field and click Update Policy.
5. Click Reload Policies.
You have just completed creation of an external event policy.
Creating a Consequence to Log and Sign an Event
Most users choose to log events processed by policies in the Logger for analysis, compliance, and archiving purposes.
To enable the USM Logger to log events processed by specific policies
1. Go to Configuration > Threat Intelligence > Policy and, under Consequences, click the colored Logger section.
A Logger window opens under Policy Consequences at the bottom of the page.
2. To enable the Logger to record events caught by your policy, select Yes.
Next to Sign, you can see that either Line or Block is selected. (For a detailed explanation of what these do, see Policy consequences, on page 123.)
If you want a particular log signing method as a consequence, you must have configured it first in the USM Server. The Logger setting on the Consequences page only reflects what has been configured there; you cannot change the signing method from this page.
For information, see Configuring the Way the Logger Digitally Signs Logs, on page 59.
3. (Optional) If you plan to create an action as an additional consequence to your policy, follow the steps in Creating an Action as a Consequence to a Policy, on page 145.
Note: You may assign more than one consequence to an event policy.
4. Type a name in the Policy Rule Name field and click Update Policy.
5. Click Reload Policies.
You have just completed creation of an external event policy.
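The Line and Block signing methods referred to in step 2 differ in what a verifier can later prove about a stored log. The following Python script is an added illustration of that difference, not code from the product; it uses HMAC-SHA256 as a stand-in for whatever signature scheme the USM Logger actually applies (this page does not describe it), and the key and event lines are constructed sample data.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed sample data for this illustration only. A real signing key
# lives on the Logger; HMAC-SHA256 is an assumption standing in for the
# product's actual signature scheme, which this page does not describe.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"

SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z sshd failed password for root from 10.0.0.5",
    "2024-01-01T10:00:01Z sshd failed password for root from 10.0.0.5",
    "2024-01-01T10:00:02Z sshd accepted publickey for admin from 10.0.0.7",
    "2024-01-01T10:00:03Z sudo admin COMMAND=/bin/bash",
]


def _mac(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


# ---- Line mode: one signature per event ----------------------------------

def sign_lines(events: List[str]) -> List[Tuple[int, str, str]]:
    """Sign each event on its own. The sequence number is folded into the
    signed data so that a removed or reordered line leaves a visible gap."""
    return [(seq, ev, _mac(f"{seq}\n{ev}".encode()))
            for seq, ev in enumerate(events)]


def verify_lines(signed: List[Tuple[int, str, str]]) -> List[int]:
    """Return the positions that fail: bad signature, or a sequence number
    that does not match the position (a deleted or reordered line)."""
    bad = []
    for pos, (seq, ev, sig) in enumerate(signed):
        expected = _mac(f"{seq}\n{ev}".encode())
        if seq != pos or not hmac.compare_digest(expected, sig):
            bad.append(pos)
    return bad


# ---- Block mode: one signature per batch of events -----------------------

def sign_block(events: List[str]) -> Tuple[List[str], str]:
    """Sign the whole batch at once. The line count is part of the signed
    data, so appending or removing lines invalidates the signature."""
    body = "\n".join(events).encode()
    return list(events), _mac(len(events).to_bytes(4, "big") + b"\n" + body)


def verify_block(block: Tuple[List[str], str]) -> bool:
    events, sig = block
    body = "\n".join(events).encode()
    expected = _mac(len(events).to_bytes(4, "big") + b"\n" + body)
    return hmac.compare_digest(expected, sig)


# ---- Demonstration: what each mode detects -------------------------------

def tamper_demo() -> dict:
    signed = sign_lines(SAMPLE_EVENTS)
    block = sign_block(SAMPLE_EVENTS)

    # 1. Rewrite the accepted-login line to hide the real source address.
    edited = list(SAMPLE_EVENTS)
    edited[2] = edited[2].replace("10.0.0.7", "10.0.0.9")
    edited_lines = [(s, edited[i], sig) for i, (s, _, sig) in enumerate(signed)]

    # 2. Remove the second failed-login line from the middle of the log.
    gapped_lines = signed[:1] + signed[2:]

    # 3. Truncate the log by dropping the trailing sudo line.
    truncated_lines = signed[:3]

    return {
        "line_mode_edit": verify_lines(edited_lines),          # [2]
        "line_mode_gap": verify_lines(gapped_lines),           # [1, 2]
        "line_mode_truncate": verify_lines(truncated_lines),   # [] (not seen)
        "block_mode_edit": verify_block((edited, block[1])),   # False
        "block_mode_truncate": verify_block((SAMPLE_EVENTS[:3], block[1])),  # False
        "block_mode_intact": verify_block(block),              # True
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

Line mode pinpoints exactly which event was altered, which is what an analyst wants when triaging, but on its own it cannot tell that the tail of a log was cut off, since every surviving line still verifies. Block mode detects any edit, insertion or truncation within the batch, but only tells you that the batch is bad, not which line. Whichever method the USM Server is configured to use, the verification side must check for both cases; this is why the choice is made once on the server rather than per policy.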
Creating a Consequence to Forward an Event
Normally, all events are sent to one USM Server. By enabling the Forwarding consequence, you instruct USM to forward only the subset of events matched by this policy, for example, from a remote USM Server to a headquarters USM Server.
To enable event forwarding
1. Go to Configuration > Threat Intelligence > Policy and, under Consequences, click the colored Forwarding section.
A Forwarding window opens under Policy Consequences at the bottom of the page.
2. Select Yes to enable forwarding or No to disable forwarding.
3. (Optional) If you plan to create an action as an additional consequence to your policy, follow the steps in Creating an Action as a Consequence to a Policy, on page 145.
Note: You may assign more than one consequence to an event policy.
4. Type a name in the Policy Rule Name field and click Update Policy.
5. Click Reload Policies.
You have just completed creation of an external event policy.