Protection Policies
The Protection Policies tab displays all the configured protection policies. On this tab, you can add, view, edit, duplicate, delete, and enable or disable policies.
Policy Table Fields and Values
The policies table displays the following fields:
| Field | Description | Severity Rating Values |
|---|---|---|
| Enabled | Use the toggle to enable or disable policies. When a policy is disabled, it will no longer be enforced on new events. Previously matched events will continue to be associated with this policy. You can sort and filter in this column. | N/A |
| Policy name | The policy name. You can sort and search in this column. | N/A |
| Response | The response defined in the policy (Monitor, Warn, or Block). You can sort, filter, and search in this column. | N/A |
| Secondary response | The secondary responses defined in the policy (Incident creation, Email notifications, Screenshot capture). You can filter in this column. | N/A |
| Last Modified | Date and time the policy was last modified. You can sort, filter, and search in this column. | N/A |
| Last modified by | The user who last modified the policy. You can sort, filter, and search in this column. | N/A |
| Created | Date and time the policy was created. You can sort, filter, and search in this column. | N/A |
| Severity | The policy severity defined in the policy. You can sort, filter, and search in this column. | Critical: 8, High: 4, Medium: 2, Low: 1, Informational: 0 |
| Datasets | The datasets added to the policy. When not all datasets fit in the column, hovering over the count displays the remaining ones. You can filter and search in this column. | N/A |
| Events | The number of events the policy matched. | N/A |
| Events trend | Shows the changes to the number of event matches over the past 7 days. | N/A |
| Actions | Actions available for the policy (details, duplicate, disable/enable, delete). | N/A |
Performance Panel Functionality
The Performance Panel shows you the performance metrics for a policy based on the events from the last 7 days.
When editing a policy, the panel dynamically updates to show how your changes would affect event matching. This is a preview only; whether changes are actually applied to historical events depends on the "Apply changes to past events" option in the Advanced settings.
The metrics include:
- Events: The number of events that match the policy. The Open Events link redirects you to the Events page of Risks Overview.
- Locations: The number of locations that match the policy. In Edit mode, the preview window displays "Added" or "Removed" tags to highlight any changes resulting from policy modifications.
- Users: The number of users that match the policy. In Edit mode, this window displays "Added" or "Removed" tags to highlight any changes.
- Datasets: The datasets associated with the policy that have matching events.
Understanding the Impact of Updating Past Events
When managing datasets and policies, you have the option to apply changes to past events using the Advanced settings.
| Setting | Effect on New Events | Effect on Historical Events |
|---|---|---|
| New Events | Updates are immediately applied to all new events occurring after the changes are saved. | N/A |
| Advanced settings (Apply changes to past events): Enabled | Immediately applied. | Historical events are reprocessed with the updated definition. This update is performed during off-peak hours. |
| Advanced settings (Apply changes to past events): Disabled | Immediately applied. | Historical events remain unchanged. |
Limitations and Dynamic Configuration
- Past incidents: Policy or dataset updates do not retroactively modify incidents that have already been generated.
- Lists or user risk groups: Changes are not applied to historical events for policies that use lists or user risk groups.
- Dynamic configuration update: This setting affects how soon you see the impact of changes in the Console UI.
  - Enabled: The Console reflects updated event counts immediately, even if the reprocessing of past events is still pending.
  - Disabled (default): The Console continues to show the old event counts until the past events have been reprocessed and rematched. If "Apply changes to past events" is disabled in the Advanced settings, the Dynamic configuration update setting has no effect.