Creating a custom policy

Guardium® Insights allows you to create your own custom policies.

Before you begin

To open the Policies page, select Policies in the main menu at the upper left of the page (open this menu by clicking the main menu icon).

Procedure

  1. Click Create a policy.
  2. By default, the Create a custom policy tab is selected. In this tab, enter a unique Name for the policy and then click Create.
  3. You can add access rules, exception rules, and result-set (extrusion) rules. To add an access rule, click Add an access rule in the Access rules pane. To add an exception rule, click Add an exception rule in the Exception rules pane. To add a result-set rule, click Include result-set rules and then click Add a result-set rule.
    1. To create a custom rule:
      1. Enter a unique name for the rule in the Name field.
      2. Set the rule conditions and the actions that will be taken when the conditions are met. To add multiple conditions, click Add another condition - and to add multiple actions, click Add another action.
        Note:
        • Access rules: Specifying a rule condition is optional. If you do not specify a rule condition, the action that you choose will apply to all server requests observed by Guardium Insights.
        • Exception rules: You must set at least one Exception type rule condition - and, thereafter, adding additional rule conditions is optional.
        • Result-set rules: You must set at least one Redaction pattern rule condition and one Replacement character rule. Thereafter, adding additional rule conditions is optional.
        • For all rule types, if you specify an "is in group" or "not in group" condition, you can select an existing group (by default). Alternatively, you can click the Create a new group toggle to enter a new unique group name in the field.
      3. Access rules and Exception rules only: When you have multiple rules defined in one policy, the same event may meet the rule conditions in multiple rules in the same category. Guardium Insights processes rules in the order of rule sequence. After a rule is matched and its actions are executed, you can choose to continue to subsequent matched rules by selecting Continue evaluation - or you can choose to stop the evaluation process by selecting Stop evaluation. The default is to stop evaluation.
      4. Choose the Severity that violations of this rule should be assigned.
      5. Enter or choose one or more tags to assign to the rule. Tags are used when searching for rules.
      6. Click OK.
    2. To create a rule from a template:
      1. Select Use a template.
      2. Select a template and then complete or modify its settings in the same manner as is described for creating a custom rule.
  4. To modify any rules that you have added, click the Edit link next to it and then edit the rule as desired. To remove a rule, click the Delete link next to it.
  5. Click Save policy to create the policy.
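
The rule sequence behavior described in step 3 for access rules and exception rules (rules processed in order, Stop evaluation as the default, and an access rule without a condition matching every request) can hide later rules. The following is an added example, not Guardium Insights code: a simplified Python model in which the event fields, rule names, and action names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Simplified model of the evaluation order described in step 3.
# Not Guardium Insights code; event fields and action names are constructed.


@dataclass
class Rule:
    name: str
    actions: list
    condition: Optional[Callable[[dict], bool]] = None  # None: matches every request
    continue_evaluation: bool = False                   # default is Stop evaluation

    def matches(self, event: dict) -> bool:
        return self.condition is None or self.condition(event)


def evaluate(rules: list, event: dict) -> list:
    """Walk rules in sequence order; return the (rule name, action) pairs that fire."""
    fired = []
    for rule in rules:
        if not rule.matches(event):
            continue
        fired.extend((rule.name, action) for action in rule.actions)
        if not rule.continue_evaluation:
            break  # Stop evaluation: later matching rules are never reached
    return fired


def shadowed_rules(rules: list) -> list:
    """Names of rules that can never fire because an earlier rule has no
    condition and stops evaluation."""
    for i, rule in enumerate(rules):
        if rule.condition is None and not rule.continue_evaluation:
            return [r.name for r in rules[i + 1:]]
    return []


# Constructed policy: one catch-all rule and one specific rule.
catch_all = Rule("log-everything", ["log"])
admin_rule = Rule("admin-access", ["alert"],
                  condition=lambda e: e["db_user"] == "admin")
event = {"db_user": "admin", "verb": "SELECT"}  # constructed sample event

misordered = [catch_all, admin_rule]   # catch-all first: admin rule is shadowed
reordered = [admin_rule, catch_all]    # specific rule first
chained = [Rule("log-everything", ["log"], continue_evaluation=True), admin_rule]
```

Running `shadowed_rules` over a rule list before saving shows which rules need to move up in the sequence or need Continue evaluation set on the rule ahead of them.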

Results

When viewing the policy, you can expand individual rules to see their settings - or you can expand all rules by clicking Expand rules (to hide the details of each rule, click Collapse rules).

What to do next

After the policy has been created, you can perform these actions in the Policies page:
  • Each policy (except the default policy) has a menu next to it with these actions:
    • Activate/Deactivate: Select this to enable or disable the policy. When you activate a policy, the Activate policies dialog box opens. This dialog box allows you to drag and drop all policies into your desired order. When the policies are in the order that you want, click Activate.
    • Copy: Click this to clone the policy. This is the only action that is available for the default policy.
    • Delete: Click this to delete the policy.
  • If you select the checkbox next to one or more policies, a banner opens with the actions that are supported for all selected policies. Click Cancel to deselect policies and close the banner.
  • If you select a policy in the Policies page, it opens in the editor and you can edit its name and its rules. If the policy that you are editing is already active, you will have the option to save the policy and activate it again immediately (Save and activate) - or you can use the Save as option to save the policy as a new inactive policy.