Monitoring Communication Between New Assets and the Internet
Configure the policy monitor question to generate an offense when an asset from the asset saved search communicates with the Internet.
- Click the Risks tab.
- On the navigation menu, click Policy Monitor.
- Select the question that you want to monitor.
- Click Monitor.
- Select an interval from the Policy evalutation interval.
- Enter a name in the Event Name field.
If you select Ensure the dispatched event is part of an offense, the Event Name appears in the Description field for an offense when you select All Offenses on the Offenses tab.
The name of the rule that is generated from an offense is Risk Question Monitor: <Event Name>. This format for the offense name appears on the Offenses tab when an offense is generated.
- Enter an event name description.
- In the Event Details section, select Ensure the dispatched event is part of an offense check box, and (Correlate By: Asset) from the menu.
- In the Additional Actions section:
This option is helpful when you want to get a notification for the first event that is dispatched as an offense. You can edit the rule that is generated from that offense to trigger a scan. If you don't want to be notified about every event, after you configure the rule that is generated by the offense, you can turn off this notification.
Send to SysLog
If you want the event to be logged, select this option.
If you want the event to appear in the System Notifications alert on the dashboard, select this option.
- Select Enable the monitor results function for this question/simulation.
- Click Save Monitor.
- Click Submit Question.