Working with Managed Policies

Understand how managed policies are updated, and how to change subscription status and create modifiable copies.

Managed policies come in two types:

  • Tier 1 policies

    • Focus on information security-related events or changes

    • Are unsubscribed (disabled) by default for every instance of an application type

    • Provide administrator instructions on actions that should be taken

  • Tier 2 policies

    • Include information technology (IT)-related events, and information security events that may require context in order to be valuable. For example, a domain name that is unique to your organization may be needed.

      1. Click the Name of the policy

      2. Check the Description for instructions for what context needs to be added in order for the managed policy to generate alerts

      3. Then copy the managed policy to a custom policy where you can make the changes

    • Are subscribed (enabled) by default

    • Generally need to be customized to provide context before enabling

To view details, configure, and copy managed policies:

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click the Managed tab.
  3. To enable a managed policy:
    1. Ensure that the SUBSCRIBED column setting is ON.

      By default, tier 1 smart policies are ON, and tier 2 smart policies are OFF.

      Note:

      If you turn the SUBSCRIBED setting ON for a tier 2 smart policy, you may still have to supply some context information in order to generate alerts:

      1. Click the row for the policy.

      2. Check the text in the Description.

      3. If additional information is required in order for the policy to generate alerts, make a copy of the policy and modify the copy in the Custom tab. See the next step below, “To make a copy of a managed policy...”

  4. To make a copy of a managed policy that you can modify as a custom policy alert:
    1. Ensure that the SUBSCRIBED status for the managed policy you are copying is set to OFF.

      Caution:

      If the managed policy is left with SUBSCRIBED status ON, it continues to generate alerts. This is usually undesirable. Ensure that you really do want both versions of the policy to generate alerts if you leave managed policy SUBSCRIBED status ON.
    2. In the row for the managed policy that you want to copy, drop down the Action menu and select Copy to Custom.
    3. Click the Custom tab and locate the copied policy.

      The copied policy:

      • Has the same NAME as the managed policy, with a time stamp appended.

      • Is not enabled, even if the managed policy SUBSCRIBED setting is ON.

    4. In the row for the copied policy, drop down the Action menu and select Edit to make changes.
    5. In the New Policy wizard, navigate to the settings that you want to change for this version, and make the changes.
      • Click Next to work your way through the pages in sequence.

      • Click a page name, such as Condition or Action, in the column on the left, to go directly to that page.

      • Click Review and Submit when you have made all the changes you want, then click Submit on that page to save your changes.

      For information on the different global settings in the New Policy wizard, see Creating a Policy. For information on Resource and Action settings that are specific to an application type, see the Creating Policy Alerts for... topic for that application type, in the Creating Policies and Managing Policy Alerts chapter.