Policy Monitor questions to assess and monitor risk
You can define questions in Policy Monitor to assess and monitor risk based on network activity, vulnerabilities, and firewall rules.
When you submit a question, the topology search is based on the data type that you selected:
- For questions based on assets, the search is based on the network assets that violated a defined policy or assets that introduced risk into the network.
- For questions based on devices or rules, the search identifies the rules in a device that either violated a defined policy or introduced risk into the network.
Important: If you configured IBM QRadar for multiple domains, asset questions monitor only assets in your default domain.
Devices or rules questions look for violations in rules and policy and do not have restrictive test components. You can also ask devices or rules questions for applications.
Asset tests are divided into the following categories:
- A contributing test uses the question parameters to examine the risk indicators that are specified in the question. Contributing tests return data for the detected assets that match the test question. The resulting risk data can then be filtered by using a restrictive test. Contributing tests are shown in the "Which tests do you want to include in your question" area.
- A restrictive test narrows the results that are returned by a contributing test. Restrictive tests are displayed in the "Which tests do you want to include in your question" area only after a contributing test is added, so you can add restrictive tests only after you include a contributing test in the question. If you remove or delete the contributing test, the restrictive test cannot be saved.
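The following is an added illustration of how contributing and restrictive asset tests compose, written as a small Python model for this page; it is not QRadar code. It assumes that contributing tests are combined with OR, restrictive tests with AND, that assets outside the default domain are skipped, and that a question with restrictive tests but no contributing test is rejected, mirroring the save rule described above. The asset inventory, test names and the `Question` class are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Asset = Dict[str, object]
AssetTest = Callable[[Asset], bool]

# Constructed sample asset inventory (not real data).
ASSETS: List[Asset] = [
    {"ip": "10.0.1.10", "domain": "Default", "critical_vulns": 2, "open_ports": [22, 443]},
    {"ip": "10.0.1.20", "domain": "Default", "critical_vulns": 0, "open_ports": [443]},
    {"ip": "10.0.1.30", "domain": "Tenant-B", "critical_vulns": 5, "open_ports": [22]},
    {"ip": "10.0.2.40", "domain": "Default", "critical_vulns": 1, "open_ports": [3389]},
]

# Hypothetical contributing tests: each flags a risk indicator on an asset.
def has_critical_vuln(asset: Asset) -> bool:
    return int(asset["critical_vulns"]) > 0

def exposes_remote_admin(asset: Asset) -> bool:
    return bool({22, 3389} & set(asset["open_ports"]))

# Hypothetical restrictive test factory: limit results to one subnet.
def in_subnet(cidr: str) -> AssetTest:
    net = ipaddress.ip_network(cidr)
    return lambda asset: ipaddress.ip_address(str(asset["ip"])) in net

@dataclass
class Question:
    contributing: List[AssetTest] = field(default_factory=list)
    restrictive: List[AssetTest] = field(default_factory=list)

    def validate(self) -> None:
        # A restrictive test cannot be saved without a contributing test.
        if self.restrictive and not self.contributing:
            raise ValueError("restrictive tests require a contributing test")

    def run(self, assets: List[Asset], default_domain: str = "Default") -> List[str]:
        self.validate()
        hits = []
        for asset in assets:
            if asset["domain"] != default_domain:   # multi-domain caveat
                continue
            if not any(t(asset) for t in self.contributing):  # generate risk data
                continue
            if all(t(asset) for t in self.restrictive):       # narrow the results
                hits.append(str(asset["ip"]))
        return hits

if __name__ == "__main__":
    q = Question([has_critical_vuln], [in_subnet("10.0.1.0/24")])
    print(q.run(ASSETS))
```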