Version: 25.06

Datasets

The Object Management page provides a dedicated space for managing policies. It allows you to easily add, search, filter, enable, disable, and preview the impact of policies on events. In future releases, this page will also centrally manage other objects within the platform, such as datasets and lists.

While the Risks Overview page will also maintain the current functionality to create and manage policies, this page provides a streamlined approach that simplifies policy management and enhances your overall experience.

The table on the Policies tab displays the following fields.

Enabled: Use the toggle to enable or disable policies. When a policy is disabled, it will no longer be enforced on new events. Past events associated with a disabled policy will remain associated with it. You can sort, filter, and search in this column.

Name: The policy name. You can sort, filter, and search in this column.

Response Action: The response action defined in the policy (Monitor, Warn, or Block). You can sort, filter, and search in this column.

Last Modified: Date and time the policy was last modified. You can sort, filter, and search in this column.

Severity: The policy severity defined in the policy. You can sort, filter, and search in this column.

Severity Rating    Value
Critical           8
High               4
Medium             2
Low                1
Informational      0

Datasets: The datasets added to the policy. Hovering over a number in this column will display the remaining datasets. You can sort, filter, and search in this column.

Events: The number of events the policy matched.

Events trend: Shows the changes to the number of event matches over the past 7 days.

Actions: You can take the following actions on a policy.

View and edit: Opens the policy page to view the current policy configuration and the performance details, such as the number of event matches, locations, users, and datasets. See the Performance Panel section for more details.

Duplicate: Enter a name for the new policy in the dialog box and click on the Duplicate policy button to create a new policy using the settings of the selected policy.

Disable: Alternative way to disable a policy. For a disabled policy, you will see Enable instead of this option.

Delete: The policy is permanently deleted from this page and will no longer apply to past and future events. Past events are disassociated from the deleted policy.

Adding a New Policy

The process of adding a new policy is the same as it is on the Risks Overview page.

1. Click on Add new policy and select a predefined template or proceed without a template.

2. On the Create new policy page, enter a name and description for the new policy.

3. Select specific datasets or a data sensitivity level to which you want to apply the policy.

4. Select a response type for the policy. See Policy Settings for more information about the response actions.

5. Define the policy conditions and adjust them based on the metrics displayed in the Performance panel.

6. Click on Save changes to save the policy.

7. Use the sort option in the Last Modified column to quickly find the policy you recently created.

Editing a Policy

1. Click on the Actions menu of the policy and select View and edit. The current policy configuration is displayed on the policy page.

2. Click on Edit policy. The Performance panel dynamically displays the impact of your changes as you modify the policy. The comparative view allows you to immediately see how your changes will affect the performance of the policy.

NOTE

The metrics displayed in the comparative view depend on the Dynamic Configuration Updates setting in your Account Settings. When enabled, the number of event matches is precisely calculated based on the policy configuration changes. However, enabling this setting can degrade the performance of the console due to the increased real-time calculation. See Dynamic Configuration Updates for more details.

3. Click the links for individual metrics (Events, Locations, Users, and Datasets) to review the changes. The links for Locations, Users, and Datasets open a pop-up window with the details. “Added” or “Removed” tags are shown to indicate the changes.

4. After reviewing your edits, click on Save changes.

The changes made to a dataset will take effect immediately on new events, while historical events are updated in the background. Cyberhaven manages the updates to historical events and performs them during off-peak hours to minimize performance impact on your console.

Performance Panel

The Performance Panel shows you the performance metrics for a policy based on the events from the last 7 days. These metrics include:

Events: The number of events that match the policy. The Open Events link redirects you to the Events page of Risks Overview to display the list of events that match the policy.

Locations: The number of locations that match the policy. The Preview Locations link displays all the locations with the corresponding number of event matches in a pop-up window. In Edit mode, this window displays “Added” or “Removed” tags to highlight any changes resulting from policy modifications.

Users: The number of users that match the policy. The Preview Users link displays all the users with the corresponding number of event matches in a pop-up window. In Edit mode, this window displays “Added” or “Removed” tags to highlight any changes resulting from policy modifications.

Datasets: The number of datasets that match the policy. The Preview Datasets link displays all the users with the corresponding number of event matches in a pop-up window. In Edit mode, this window displays “Added” or “Removed” tags to highlight any changes resulting from policy modifications.