You can use the monitored data, such as datasource names, user names, actions, and file
paths, in the Investigation Dashboard Results Table to create policy rules.
Procedure
- Choose File from the dropdown list in the product banner and click the
search icon to open the Investigation Dashboard for file data.
- Open the Results Table Entitlements tab. Click Details to see individual entries.
- Choose one or more entries in the results that you want
to use to populate a rule. You can use the Select all check
box to include all the entries that are currently displayed (not all
the entries in the database).
- Right-click and choose Add Policy Rule.
The Build Rule dialog opens with values from the entries that you
selected. If you selected multiple entries, a group is created that contains the values from those
entries. You can create a rule that is to be added to an existing policy, or create a new policy
that includes your new rule.
Note: An overly broad rule (a rule that monitors too many files) can overload the system and
increase processing and response time.
Note: A FAM rule can have more than one pattern in it. To protect both a directory and
its contents, define a rule with two patterns /FAMtest/* and /FAMtest.
Note: When using FAM policy, setting a group to define monitored file paths requires
consideration of case sensitivity. Otherwise the group cannot be created successfully. The
workaround is to create two different FAM policy rules.
Clarification: If the strings defined as members of the group are different when case is not
considered, the group can be created successfully. For example: 1. C:\ABC 2. C:\abcdef. If the
strings defined as members of the group are the same when case is not considered, the group can
NOT be created. For example: 1. C:\ABC 2. C:\abc. So it is not required to input members in all
uppercase or all lowercase characters. Group builder is not case sensitive. However, in UNIX,
which is case sensitive, the path /IBM/Guardium is different from the path /ibm/guardium. If the
user wants to monitor both of these paths, the current Group builder has a limitation and will
not see it as the same path.
- Choose datasources, actions, and criteria. Overwrite any
values that you want to change. Click Edit to
modify each field.
- To create a new policy and install it, click Create
and Install. To create the policy but not install it,
click OK.
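
The case-sensitivity note in the procedure above can be checked before members are typed into the Group builder. The following is an added example, not IBM Guardium code, and it calls no Guardium API; the function names `split_case_collisions` and `directory_patterns` and the sample list are assumptions made for illustration, and the pattern helper assumes UNIX-style paths.

```python
"""Pre-check file paths before entering them as members of a FAM group.

Added example; not IBM Guardium code and it calls no Guardium API.
"""


def split_case_collisions(paths):
    """Partition paths into member lists that a case-insensitive group
    builder can accept: no list holds two members equal when case is ignored.

    Each returned list is meant for its own group / FAM policy rule,
    following the workaround of creating separate rules.
    """
    groups = []   # member lists, in creation order
    folded = []   # folded[i] = case-folded members already in groups[i]
    seen = set()  # exact strings already placed (true duplicates are dropped)
    for path in paths:
        if path in seen:
            continue
        seen.add(path)
        key = path.casefold()
        for members, keys in zip(groups, folded):
            if key not in keys:
                members.append(path)
                keys.add(key)
                break
        else:
            # Collides with a member of every existing list: start a new rule.
            groups.append([path])
            folded.append({key})
    return groups


def directory_patterns(directory):
    """Return the two patterns the note gives for protecting a directory
    and its contents, e.g. /FAMtest and /FAMtest/* (UNIX-style paths)."""
    base = directory.rstrip("/") or "/"
    return [base, base.rstrip("/") + "/*"]


if __name__ == "__main__":
    # Constructed sample input using the paths from the notes above.
    candidates = ["/IBM/Guardium", "/ibm/guardium", "/FAMtest", "/IBM/Guardium"]
    for n, members in enumerate(split_case_collisions(candidates), start=1):
        print(f"rule {n}:")
        for member in members:
            print("   ", *directory_patterns(member))
```

Each list the script prints corresponds to one rule whose group members do not collide when case is ignored.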