7.1 Understanding Policies and Policy Sets

Policies allow you to identify the asset you are monitoring, and then add any combination of the following criteria:

  • Add filters to narrow the monitoring target and results

  • Define managed users for the activity

  • Assign event contexts to categorize policies

  • Specify a custom severity that matches the policy

Each Change Guardian application includes several policy types.

You must apply a policy to an agent that collects events from the asset. You can combine multiple policies that apply to one or more agents into a policy set to organize and manage the monitoring of those agents. You can include a policy in multiple policy sets.

7.1.1 Understanding Policy Attributes

Policy attributes provide granular details of a policy such as the purpose, severity, and authorized users.

Event Severity: When you create or edit a policy, you can specify a constant event severity or allow Change Guardian to calculate the severity automatically. If you set Severity to Automatic, Change Guardian calculates the severity based on whether the user is authorized and if the action is successful.

NOTE: Change Guardian automatically calculates Event Severity for Change Guardian Agent for UNIX events, including events generated by policies configured with a custom severity.

Examples of severity are as follows:

  • Sev 5: Unauthorized user, successful action

  • Sev 4: Unauthorized user, failed action

  • Sev 3: Authorized user, failed action

  • Sev 2: Authorized user, successful action

  • Sev 0 or 1: System events

Managed User: Change Guardian allows managed users to make specific changes to assets. When managed users make changes, the generated events appear as managed change events. When creating or editing a policy, use the Managed Events section to specify the managed users for the policy.

If you specified a user group as a managed user, and the group membership changes, Change Guardian synchronizes associated policies with the new group members.

Event Context: Use the Event Context section to categorize the policy and specify its purpose. Generated events include the event contexts. You can create new event contexts with user-defined values. You can select one or more of the following default event contexts:

  • Risk Domain

  • Risk

  • Sensitivity

  • Regulation/Policy

  • Control/Classification

  • Response Window

LDAP Settings: Change Guardian uses LDAP to process each user group in a policy as a list of the group members. For example, if a policy monitors Group A, LDAP allows Change Guardian to monitor the activity that each user in Group A performs. If the policy generates an event, the name of the user who performed the change is included in the event report.

Configure an LDAP server for every grouped resource. You can either add the Active Directory items manually or browse for them while creating a policy. A policy cannot monitor the group members correctly if you specify only the grouped resource in the policy and do not configure LDAP settings for that grouped resource.
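As an added illustration (not Change Guardian's own code or API), the following Python sketch models how the policy attributes described above combine: managed users resolved through a group lookup that stands in for LDAP, the automatic severity table, a custom severity, and event contexts attached to the generated event. The directory contents, the Policy fields and the function names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed directory data standing in for the LDAP group lookup that
# resolves "Group A" to its members (hypothetical, not Change Guardian's API).
DIRECTORY_GROUPS = {"Group A": {"alice", "bob"}}


@dataclass
class Policy:
    name: str
    managed_users: set                    # user names and/or group names
    severity: object = "Automatic"        # fixed integer or "Automatic"
    contexts: dict = field(default_factory=dict)  # e.g. {"Risk": "High"}


def expand_members(names, groups=DIRECTORY_GROUPS):
    """Resolve group names to their current members (unknown names are users).
    Re-reading the directory on each call is what keeps the policy in sync
    when group membership changes."""
    members = set()
    for name in names:
        members |= groups.get(name, {name})
    return members


def automatic_severity(authorized, success, system_event=False):
    """Severity table from the page: 5/4 unauthorized (success/fail),
    3/2 authorized (fail/success), 0 for system events."""
    if system_event:
        return 0
    if authorized:
        return 2 if success else 3
    return 5 if success else 4


def evaluate(policy, event):
    """Build the event record the policy would generate for a raw change."""
    authorized = event["user"] in expand_members(policy.managed_users)
    if policy.severity == "Automatic":
        sev = automatic_severity(authorized, event["success"], event.get("system", False))
    else:
        sev = policy.severity             # custom severity is applied unchanged
    return {"policy": policy.name, "user": event["user"], "managed_change": authorized,
            "severity": sev, "contexts": dict(policy.contexts)}


if __name__ == "__main__":
    p = Policy("Group A config changes", {"Group A"}, contexts={"Risk": "High"})
    print(evaluate(p, {"user": "alice", "success": True}))     # managed, Sev 2
    print(evaluate(p, {"user": "mallory", "success": True}))   # unmanaged, Sev 5
    DIRECTORY_GROUPS["Group A"].add("carol")                   # membership change
    print(evaluate(p, {"user": "carol", "success": False}))    # now managed, Sev 3
```

The last two lines of the main block show the synchronization point from the page: once the group gains a member, the same policy treats that user's next change as a managed change without being edited.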