Policy Configuration

Overview

Polices are modular groupings of correlation rules, actions, and response procedures that define how to respond to certain situations that happen on the monitored systems. Policies are usually system and manufacturer specific but can contain custom scripts for actions and response procedures. Each policy will also contain several correlation rules that are designed to create alerts based on the best practices of that particular system manufacturer. These alerts can apply to:

• Business processes

• Infrastructure

• Security

• Applications

• Unified communications

• Network behavior

• Metrics and threshold violations

Correlation Rules

A correlation rule extracts data from the various sources and then defines the parameters for creating an alert within a policy. It may contain one or more correlation definitions along with specific actions and response procedures. Each correlation rule consists of the following parameters:

Parameter	Description
Name	Descriptive name for the correlation rule, which will be displayed within an alert and viewed in Alert Analyzer.
Description	A complete description of the problem that created the alert along with any specific remediation steps that should be taken to resolve the problem.
Type	Simple: Select if the rule is to analyze a single log and as a result of the rule, you want to execute an action. Compound: Select if the rule is to correlate more than one log, the results of another correlated event or multi-tiered rules. A compound rule can be one or more simple rules that feed into one primary rule, or it can come directly from the source. Unique: Same as Simple but as a definition will be the only one.
Threshold	Defines how many times this rule is to match before an action occurs.
Window	The time window for the rule to match before an action occurs.

Parameter	Description
Severity	Indicates what is to appear in the Status field on the Alert Viewer monitor. Select the severity for this rule: Informational Minor Major Critical
Action	Choose the action that is to occur for this rule, based on the selection in the Severity field Respond - If the condition is met, set a marker and send an alert. Track - If the condition is met, track the event, but do not post it to the Alert Analyzer. Track/Respond - If the condition is met, send an alert and continue to monitor. Respond on Expire – If the condition is met, wait to send an alert until the window time has expired. If you want the policy/rule to only alert after an application does not respond, based on the setting (for example, to ping 9 times in 10 minutes), choose Track and Respond. For the example in this case, the alert triggers as soon as it sees 9 ping failures. This setting (Respond on Expire) does not track. Submit - Submit the results of a correlation event back into the Correlation Engine so that the behavior can be analyzed and re- correlated. Submit/Respond - Submit this alert back into the Correlation Engine so that the event can be analyzed and re-correlated. Then set a marker and send an alert.
Response Procedure	For any rule that is satisfied, an incident response procedure occurs and an event is posted to the Alert Analyzer. Select the response procedure from the drop-down to execute when conditions have been met.
Definition Output	Selects a single correlation definition’s extracted value to be displayed with the alert.
Enabled	Toggle to enable/disable the rule
Inherit Output	Toggle to enable/disable whether the rule will include the results of the filter attached to the policy module.
Halt Processing	Toggle to halt processing of logs to any other rules within the policy if the rule matches. This will highlight the Policy in Green to indicate that this function is in use.
Correlation Definitions	Click the wrench icon where you can define one or more definitions match and or extract the required data from a log or event. See Correlation Definitions.
Output Order	Sets the preferred order to output the extracted data from the Correlation Definitions.
Done	Click the Done box when the rule is complete
Save	Be sure to click the Save button so your rule (or changes) are saved and committed.

Correlation filters provide a simple way of ensuring that all of the correlation rules within the policy are firing on the correct set of data. The engine first looks at the filter criteria, then it selects only the data that matches the criteria, and then it applies the correlation rule. You can add as many of these as required.

Each filter has the following options:

Filter Option	Description
Name	Provide a name as close as possible to the data elements you wish to filter. This allows the output to match the name once viewed in the alert text.
Pattern	The extraction method used to pull a particular data point out. Click the Wrench icon adjacent to the box to launch the Regex Wizard, which helps you to find and extract the data. The Regex Wizard has two sections: Select a Log: In the top section you can search and select the log or data set you will be utilizing. That will then show up in the bottom portion under the phrase “Select log from the list above or paste log here:”. You can copy and paste a log into this section as well. Create Regex: Once you have your log then go to this section. Here you can use the wizard to create the Regular Expression required. Close the wizard and copy this pattern the Regex into the box under Pattern.
Source Field	From the drop-down, choose the source from which data is extracted.
Pattern Type	From the drop-down, choose the type of expression you want to use: String Match Regular Expression Match Regular Expression Match/Extract (Most Often Used) Regular Expression Multi-Valued Extract
Function	If the extracted data is integer-based, you can apply the following functions for comparing data: None Greater Than Less Than Same
Value	This field is available only if the data extracted is an integer.

Example - Policies and Alerts

Let’s say you have a Ping policy that you’ve set to alert after 10 failures in 20 minutes.

Depending on how you’ve set up your rules, the following may occur:

• The policy may run against all your assets and trigger an alarm if the cumulative Ping failure (across all assets) hits 10

• The policy may trigger an alarm for each asset that fails a ping 10 times in 20 minutes

Thus if it sees 10 failures (across all assets) in 20 minutes, an alert is triggered. However, if you want 10 failures per asset, you need a definition for the IP address, and set the filter function to Same, which defines that when you see 10 failures for the same IP address, trigger an alert.

You can configure this definition in two ways:

• As a filter on the policy

• As a specific rule definition.

Correlation Definitions

A Correlation Definition defines what criteria to match within the data. Each definition will consist of the following parameters:

Parameter	Description
Name	Name this as close as possible to the data elements being extracted. That way the output matches the name once viewed in the alert text. It is also utilized in the key value pair within the alert text. This is the extraction methodology utilized to pull the particular data point(s) out. Simply find the log containing the data by utilizing the search bar above. Within that log you can highlight the text you want to extract. Once highlighted a box will pop up allowing you to name the field and extract it. This will automatically create the Regex to extract the data. The highlight method is about 95% accurate. If you have trouble with this method due to special characters in the data set, then you can utilize the “wrench” icon beside the Pattern box and it will bring up the “Regex Wizard” to assist in finding and extracting the data.
Pattern	Within the Regex Wizard there are 2 sections: Select a Log: In the top section you can search and select the log or data set you will be utilizing. That will then show up in the bottom portion under the phrase “Select log from the list above or paste log here:”. As the phrase indicates you can copy and paste a log into this section as well. Create Regex: Once you have your log then go to this section. Here you can utilize the wizard to create the Regular Expression required. Close the wizard and copy this pattern the Regex into the box under Pattern.

Parameter	Description
Source Field	In the drop-down box select the source from which the data is being extracted.
Pattern Type	Select from the drop-down box the type of expression you want to utilize: String Match Regular Expression Match Regular Expression Match/Extract (Most Often Used) Regular Expression Multi-Valued Extract Note The “Extract” pattern types above will cause the correlation engine to include the definition name and the matched value in the Alert Message.
Function	The functions below may be used to change what the correlation engine counts as a “match” in the log. Alerts are only triggered if the specific number of matches are found. None - Default. Only use Pattern type matching to trigger a match. Greater Than - Should only be applied to integer values. If the extracted value is greater than the configured value, then a “match” is made. Less Than - should on be applied to integer values. If the extracted value is less than the configured value, then a “match” is made. Same - Can be applied to both Text or Integer. If the extracted value is the same as previous occurrences, a match triggered. For example, if multiple devices are sending an error message, only the first error will trigger an alert. If the desired goal is to trigger an alert for unique IP address, then the IP address definition should have the Same function applied.
Value	This field will only be available if the function selected is either “Greater Than” or “Less Than”.

Add a Policy

To add a policy:

1. Click the Policy View from the Configuration Menu Bar at the top of the page.

2. Click the Plus Icon at the bottom left of the Policies panel

3. Fill in the Policy name and press enter.

Add a Correlation Rule

To add a new correlation rule:

1. Click the Policy to which you wish to add the rule.

2. Click the Plus icon at the bottom of the Rules panel.

3. Fill in the rule name and the parameters.

Add a Definition

To add a new definition:

1. Click the wrench icon within any rule to bring up the search engine.

2. Enter a search term that is relevant or is in the log that you would like to match and press Enter. This will return the last 10 logs with this term in them.

3. Utilize the highlight and extract procedure or the Regex Wizard as described in the in “Correlation Definitions” section above.

4. Once finished click Update in the top right of the screen and be sure to save your Definition on the next page.

Delete a Correlation Rule

To delete a correlation rule:

1. Click the policy name on the left side of the screen.

2. Click the check box on the Correlation rule you wish to delete.

3. Click the minus icon at the bottom of the correlation panel.

4. Click the Save icon in the upper right to save your change.

Delete a Policy

To delete a policy:

1. Click the check box next to the name of the Policy you wish to delete.

2. Click the minus icon in the bottom left of the policy panel.

3. Click the Save icon in the upper right to save your change.

Disable or Enable a Policy

To Disable and Enable a Policy:

1. Select the Policy by clicking the check box next to the name of the policy.

2. Click the Green Check Box at the bottom of the Policies listing column.

3. The Name of the Policy will become italicized indicating that the Policy is Disabled

4. To Enable the Policy: Click the Green Check Box again. The name will turn back to a normal font indicating it is enabled.

Clone a Policy

Cloning a policy allows the quick replication of all of the Correlation Policy rules and definitions. The user then can simply change only the required elements for the new policy.

To clone a policy:

1. Select the Policy by clicking the check box next to the name of the policy.

2. Click the Blue “C” Box at the bottom of the Policies listing column.

3. Rename the Policy and make your modifications.

4. Be sure to click Save to save the new policy.

Export or Import a Policy

The Arbitrator platform allows for full export / import of all of its configuration. Within the Policy Configuration section, you can export and import the policy that you exported from another system.

A new system log table insights_system_log has also been added to log user actions and a user can create a dashboard to view these actions.

See the:

Log Search Section

Export a Policy

1. Select the check boxes of the policies to export, or select the Name check box at the top of he Policies list to select all policies.

2. Click the green Down arrow button at the bottom of the POLICY CONFIGURATION panel.

3. The Export CSV dialog opens. Enter a CSV file name (You do not have to add the .csv file extension) and click Export.

4. The Export finished dialog shows when the export file has been created. Click Download to save the CSV file to your selected download location.

Import a Policy

1. Click the green Up arrow button at the bottom of the POLICY CONFIGURATION panel.

2. A pop-up box will appear asking you choose your file.

3. Click the Choose file button and select the exported CSV file that you have saved to your computer.

4. Click the Import button.

Policy CSV Format

The following columns are in an exported CSV file:

"row action","policy group name",name,description,type,action,severity,
"respond procedure","SubCategory (definition: regular expression match)",
"Message (definition: regular expression match/extract)"

Note

• The "row action" column is used when importing and if it contains “delete”, then the row will be deleted upon import.

• The "respond procedure" column can be used when importing and should then contain the Response Procedure name exactly as it exists on the system. If a procedure is found, then it will be assigned to the associated rule. If a new value is entered, a new Response Procedure is created. The default Response Procedure is used if no value is entered.

• The combination: “policy group name”, “name”, “respond procedure” should be unique in CSV row. If a policy found, its data will be updated. If not found, new policy will be inserted. The “name” has to be unique. If a rule is found, its data will be updated. If not found, new rule will be inserted to the policy indicated in “policy group name”.

  See: Response Procedure Configuration.