View Policies

The Policies screen lists all policies configured in your system, both pre-configured policies and user-defined policies. The policies are grouped by Policy Category, with a separate tab for each category. Each row shows a toggle indicating the current status of the policy, together with several parameters that describe the policy configuration.

You can show/hide columns, sort and filter the policy lists, and search for keywords. For information about customizing the list, see Management Console User Interface Elements.

The following table describes the policy parameters:

Parameter Description
Status Shows whether the policy is turned on or off. If the system automatically disabled the policy because it generated too many events, a warning icon appears next to the toggle. Toggle the status switch to turn the policy ON/OFF.
Policy ID A unique identifier for the policy in the system. Policy IDs are grouped by category, with a different prefix for each category. For example, P1 for Controller Activities, P2 for Network Events, and so on.
Name The name of the policy.
Severity The degree of severity of the event. Possible values are: None, Low, Medium, or High. See section Severity Levels for a description of the severity levels.
Event Type The specific type of event that triggers this Event Policy.
Category The general category of the event type that triggers this Event Policy. Possible values are: Configuration, SCADA, Network Threats, or Network Event. For more information about the various categories, see Policy Categories and Sub-Categories.
Source A policy condition. The source Asset Group/Network Segment (that is, the asset that initiated the Activity) to which the policy applies.
Destination/Affected Asset A policy condition. The destination Asset Group/Network Segment (that is, the asset that receives the Activity) to which the policy applies. For policies that involve a single asset (no source and destination), this parameter shows the asset affected by the event.
Schedule A policy condition. The time range for which the policy applies.
Syslog The Syslog server (SIEM) that logs the events for this policy.
Email The Email Group that sends the event notifications for this policy.
Sub Category The sub-category classification of the event. For example, the Configuration Events category comprises the sub-categories Controller Activities and Controller Validation. For information about the different sub-categories, see Policy Categories and Sub-Categories.
Number of Events per Policy The number of events that the policy has generated. Click the column header to sort the list by this value so that you can focus on the policies with the most violations/events.
Exclusions The number of exclusions added to the policy. For more information, see Events and the Exclusions tab described below under View Policy Details.

View Policy Details

The Policy Details page for a policy shows additional details about the policy. This page lists all policy conditions, the configured policy actions, and the events that the policy has triggered.

To open the Policy Details screen for a particular policy:

  1. On the Policies page, select the desired policy.

  2. From the Actions drop-down box, select View.

    The Policy Details screen appears for the selected policy.

    Note: Alternatively, you can access the Actions menu by right-clicking on the relevant Policy.

    The Policy Details page contains the following elements:

    • Header bar — Shows the Name, Type, and Category of the policy. The header includes a toggle switch to enable or disable the policy and a drop-down list of available Actions (Edit, Duplicate, and Delete).

    • Details tab — Shows details about the policy configuration in these sections:

      • Policy Definition — Shows all policy conditions. This includes all relevant fields according to the policy type.

      • Policy Actions — Shows the severity level as well as the destinations (Syslog, Email) of Event notifications. Also shows whether the Take Snapshot after policy hit feature is activated.

      • General — Shows the category and status of the policy.

    • Triggered Events tab — Shows a list of events triggered by this policy, including details about the assets involved in each event and the nature of the event. The information on this tab is identical to the information on the Events page except that this tab shows only events for the selected policy. For an explanation of the event information, see Viewing Events.

    • Exclusions tab — If a policy generates events for specific conditions that do not pose a security threat, you can exclude those conditions from the policy (that is, stop generating events for those particular conditions). You add exclusions on the Events page; see Events. The Exclusions tab shows all exclusions applied to this policy and, for each exclusion, the specific excluded conditions. From this tab, you can also delete an exclusion, which causes the system to resume generating events for the previously excluded conditions.