Threat Manager policies

Alert Logic allows you to create six types of policies in Threat Manager. These policies dictate how Threat Manager interacts with its environment.

To access the Policies page, click the Configuration tab, and then click the Network IDS subheading. Policies appears in the left navigation panel.

Protected host policies

Protected Host policies allow you to apply attributes to a host in a deployment.

Create a protected host policy

Threat Manager allows you to create protected host policies.

To create a protected host policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Protected Host.
  4. Click the Add icon.
  5. In the Host Name field, enter a name for the protected host policy.
  6. To enable encryption, click the Encrypt switch to the right.
  7. Click Save.

Update a protected host policy

Threat Manager allows you to update an existing protected host policy.

To update a protected host policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Protected Host.
  4. In the list of protected host policies, click the pencil icon for the protected host to edit.
  5. Make the necessary changes to one or both of the following:
    • To change the name of the protected host policy, type a new name in the Host Name field.
    • To change encryption options, toggle the Encrypt switch.
  6. Click Save.

If you update detection or policy configurations, you affect all interconnected configurations.

Delete a protected host policy

Threat Manager allows you to remove an existing protected host policy.

To delete a protected host policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Protected Host.
  4. Click the trash icon for the protected host policy to delete.
  5. Click Delete.

You cannot remove "Default TM Host Policy."

If you update detection or policy configurations, you affect all interconnected configurations.

Assignment policies

An assignment policy is a set of rules that indicates the traffic that appliances should either accept or ignore. An assignment policy directs protected hosts to encrypt traffic and send traffic to specific appliances. In a dynamic environment where IP addresses often change, an assignment policy ensures that hosts always correspond to their appliances.

Create an assignment policy

Threat Manager automatically creates a default assignment policy for each appliance. You can use the default assignment policy, or you can create a new assignment policy in Threat Manager.

To create an assignment policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Assignment.
  4. Click the Add icon.
  5. In the Appliance Assignment Policy Name field, enter a name.
  6. In the Appliances field, select one or more appliances.
  7. Click Save.

Update an assignment policy

Threat Manager allows you to edit and update the settings for existing assignment policies.

To update an assignment policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Assignment.
  4. In the list of assignments, click the pencil icon for the assignment to edit.
  5. Make the changes you want to make:
    • Enter a new name in the Appliance Assignment Policy Name field.
    • Select the assignment policy you want to use from the Appliances drop-down menu.
  6. Click Save.

Updating detection or policy configurations will affect all interconnected configurations.

Delete an assignment policy

Threat Manager allows you to delete assignment policies you no longer require.

To delete an assignment policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Assignment.
  4. Click the trash icon for the assignment to delete.
  5. Click Delete.

Deleting detection or policy configurations affects all interconnected configurations.

Whitelist policies

A whitelist policy allows you to define a list of IP addresses allowed to communicate with hosts in a Threat Manager protected network. Whitelists help ensure you do not exhaust resources monitoring permitted communication.

Whitelist policy agent requirements

Whitelist policies require the Alert Logic agent version 1.8 or higher. Before you assign a whitelist policy, determine the version of the agent on the host, and then upgrade the agent if necessary.

Determining the agent version (Linux)

If the agent is on a Linux host, use the following command to display the agent name and version number:

rpm -qa | grep al

In the following example, the agent version is 4.9.0:

al-agent-0.0.1+490.g35b92ae.dev.master.TEST-1.x86_64

Determining the agent version (Windows)

If the agent is on a Windows host, perform the following steps:

  1. Open a command prompt.
  2. Navigate to the Threat Manager directory.
  3. Type the following command to display the agent name and version number:

    al-agent.exe -v

Create a whitelist policy

Threat Manager allows you to create whitelist policies and assign them to an appliance.

To create a whitelist policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Whitelist.
  4. Click the Add icon.
  5. In the Host Name field, type a name for the whitelist policy.
  6. Select Enabled to enable the whitelist configuration upon saving.

You are not required to immediately enable the whitelist policy. You can create whitelist policies, and then enable them at a later time.

  7. Create one or more rules by entering information for the following fields:
    • Protocol
    • CIDR
    • Port
  8. Click Save.

To activate this policy, you must assign it to an appliance.
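Each whitelist rule is the triple the console asks for (Protocol, CIDR, Port), and a flow that matches any rule is treated as permitted traffic that the appliance does not spend analysis resources on. The following is an added example, not Alert Logic code, that shows how such a rule set is evaluated against sample flows and how to audit it for rules broad enough to hide traffic from inspection. It assumes a rule carries exactly those three fields; the `any` keyword for Port, the sample networks, and the prefix-length thresholds in `overly_broad` are conventions of this example only, not documented console values.

```python
"""Evaluate whitelist rules (Protocol, CIDR, Port) against sample flows.

Added example, not Alert Logic code. It assumes a rule carries exactly the
three fields the console asks for; the "any" port keyword and the prefix
thresholds are conventions of this example only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class WhitelistRule:
    protocol: str        # "tcp" or "udp", normalised to lower case
    cidr: Network        # peer network permitted to talk to protected hosts
    port: Optional[int]  # None means any destination port (example convention)


@dataclass(frozen=True)
class Flow:
    protocol: str
    peer_ip: str   # remote side of the conversation
    dst_port: int


def parse_rule(protocol: str, cidr: str, port: str) -> WhitelistRule:
    """Build one rule from the three console fields, rejecting malformed input.

    strict=False lets a host-style entry such as 10.1.2.3/24 mean 10.1.2.0/24.
    """
    proto = protocol.strip().lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {protocol!r}")
    network = ipaddress.ip_network(cidr.strip(), strict=False)
    if port.strip().lower() == "any":
        port_value: Optional[int] = None
    else:
        port_value = int(port)
        if not 0 < port_value <= 65535:
            raise ValueError(f"port out of range: {port!r}")
    return WhitelistRule(proto, network, port_value)


def is_whitelisted(flow: Flow, rules: List[WhitelistRule]) -> bool:
    """True when any rule matches: the flow is treated as permitted and not analyzed."""
    peer = ipaddress.ip_address(flow.peer_ip)
    for rule in rules:
        if rule.protocol != flow.protocol.lower():
            continue
        # An IPv4 peer never matches an IPv6 network and vice versa.
        if peer.version != rule.cidr.version or peer not in rule.cidr:
            continue
        if rule.port is not None and rule.port != flow.dst_port:
            continue
        return True
    return False


def overly_broad(rules: List[WhitelistRule],
                 min_prefix_v4: int = 16, min_prefix_v6: int = 48) -> List[WhitelistRule]:
    """Return rules whose CIDR is wider than the review threshold.

    Whitelisted traffic is not inspected, so 0.0.0.0/0 would blind the appliance
    to everything on that protocol and port. Thresholds are illustrative.
    """
    flagged = []
    for rule in rules:
        limit = min_prefix_v4 if rule.cidr.version == 4 else min_prefix_v6
        if rule.cidr.prefixlen < limit:
            flagged.append(rule)
    return flagged


# Constructed sample rules: a backup subnet over SSH, an SNMP poller, and one
# deliberately over-broad rule that the audit should flag.
SAMPLE_RULES = [
    parse_rule("TCP", "10.20.30.0/24", "22"),
    parse_rule("udp", "192.168.5.10/32", "161"),
    parse_rule("tcp", "0.0.0.0/0", "any"),
]

if __name__ == "__main__":
    for flow in (Flow("tcp", "10.20.30.77", 22), Flow("tcp", "10.20.30.77", 443)):
        print(flow, "whitelisted" if is_whitelisted(flow, SAMPLE_RULES[:2]) else "analyzed")
    for rule in overly_broad(SAMPLE_RULES):
        print("review:", rule.protocol, rule.cidr, rule.port)
```

Running the audit before a policy is enabled or assigned to an appliance is the cheap check: a rule that matches on protocol and port but covers a wide CIDR excludes far more than the one service it was written for.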

Edit a whitelist policy

Threat Manager allows you to edit existing whitelist policies.

To edit a whitelist policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Whitelist.
  4. In the list of whitelists, click the pencil icon for the whitelist to edit.
  5. Make the changes you want to one or more of the following:
    • Enter a new name in the Host Name field.
    • Toggle the Enabled switch to activate or deactivate the whitelist.
    • Create one or more rules by entering information for the following fields:
      • Protocol
      • CIDR
      • Port

A whitelist policy may contain more than one rule.

  6. Click Save.

Assign a whitelist policy

Threat Manager allows you to assign a saved whitelist policy to an appliance.

To assign a saved whitelist policy to an appliance:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Whitelist.
  4. In the list of whitelists, click the pencil icon for the appliance to which you want to assign a whitelist policy.
  5. Select a whitelist from the Select a whitelist drop-down list.
  6. Click Save.

You may also add one or more whitelist policies to Monitoring policies.

Delete a whitelist policy

Threat Manager allows you to delete whitelist policies.

To delete a whitelist policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Whitelist.
  4. Click the trash icon for the whitelist policy to delete.
  5. Click Delete.

Monitoring policies

Threat Manager monitoring policies define the networks you want an appliance to monitor. You can assign whitelist policies to a monitoring policy to filter traffic you want analyzed by the Threat Manager appliance.

Create a monitoring policy

Threat Manager allows you to create monitoring policies to define the networks you want an appliance to monitor.

To create a monitoring policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Monitoring.
  4. Click the Add icon.
  5. In the Monitoring Policy Name field, enter a name for the new monitoring policy.

If you want to use an existing network and create a new network, you must first add the new network, update the network, and then select Use an existing network.

  6. Select the appliances you want to apply to the monitoring policy.

If you want to create a new whitelist policy and use an existing whitelist policy, you must first create the new whitelist policy, update the policy, and then add the existing policy.

  7. Click Save.

Edit a monitoring policy

Threat Manager allows you to edit an existing monitoring policy.

To edit a monitoring policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Monitoring.
  4. In the list of monitoring policies, click the pencil icon for the monitoring policy you want to edit.
  5. In the Name box, enter a name for the monitoring policy.
  6. If you want to use existing networks, select Use existing Networks. If you want to create a new network:
    1. Select Create new Networks.
    2. Type a name for the new network.
    3. Type the network CIDR information.
    4. To assign tags, type one or more tag names in the Tags field.

If you want to use an existing network and create a new network, you must first add the new network, update the network, and then select Use an existing network.

  7. Select the appliances you want to apply to the monitoring policy.
  8. To use existing whitelist policies, select Use existing Whitelist Policies. If you want to create a new whitelist policy:
    1. Select Create new Whitelist Policy.
    2. Type a name for the new whitelist policy.
    3. Select Enabled to enable the whitelist policy.
    4. Create the rules for the new whitelist policy.

If you want to create a new whitelist policy and use an existing whitelist policy, you must first create the new whitelist policy, update the policy, and then add the existing policy.

  9. Click Save.

Delete a monitoring policy

Threat Manager allows you to delete an existing monitoring policy.

To delete a monitoring policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Monitoring.
  4. Click the trash icon for the monitoring policy to delete.
  5. Click Delete.

Updates

An updates policy schedules hosts to update with the latest version of the agent software at the specified check-in. By default, hosts are assigned the Default Update Policy which sends software updates as they become available. If your maintenance strategy requires a scheduled maintenance window, you can specify the time frame in Updates.

Create an updates policy

To create an updates policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Updates.
  4. Click the Add icon.
  5. In Updates Name, type a descriptive name.
  6. In Updates Frequency, select one of the following:
    • Automatic
    • Scheduled
    • Never
  7. Specify the options that appear (if any), and then click Save.

Modify an updates policy

To modify an updates policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Updates.
  4. In the table of updates, click the pencil icon next to the update you want to edit.
  5. In the Updates Name field, type a descriptive name.
  6. Under Updates Frequency, select one of the following:
    • Automatic
    • Scheduled
    • Never
  7. Specify the options that appear (if any), and then click Save.

Delete an updates policy

To delete an updates policy:

  1. In the Alert Logic console, click CONFIGURATIONS, and then click Network IDS.
  2. In the left navigation area, click Policies.
  3. Click Updates.
  4. Click the trash icon for the updates policy to delete.
  5. Click Save.