Restrictive Question Parameters for Actual Communication Tests

The actual communication tests for assets include restrictive questions and parameters that you can choose when you create a Policy Monitor test.

When you apply the exclude condition to a test, the exclude condition applies to the protocols parameter.

For example, if you configure the protocols test to exclude certain protocols, the test returns only assets that do not use those excluded protocols.

The following table lists and describes the restrictive question parameters for actual communication tests.

Table 1: Restrictive Question Parameters for Actual Communication Tests

| Test name | Description |
|---|---|
| include only the following protocols | Filters assets from the contributing test that include or exclude the specified protocols. This test is selectable only when a contributing asset test is added to this question. |
| include only the following inbound ports | Filters assets from the contributing test that include only or exclude the specified ports. This test is selectable only when a contributing asset test is added to this question. |
| include only the following inbound applications | Filters assets from the contributing test question that include only or exclude any inbound or outbound applications. This test applies only to connections that include flow data. |
| include only if the source inbound and destination outbound bytes have a percentage difference less than 10 | Filters assets from the contributing test question based on communications with a specific ratio of inbound to outbound (or outbound to inbound) bytes. This test is useful for detecting hosts that might be exhibiting proxy-type behavior (inbound equals outbound). |
| include only if the inbound and outbound flow count has a percentage difference less than 10 | Filters assets from the contributing test question based on communications with a specific ratio of inbound to outbound (or outbound to inbound) flows. This test applies only to connections that include flow data when flow count is selected. This restrictive test requires two contributing tests that specify a source and a destination. For example, the following set of tests determines which assets between two points have an inbound and outbound percentage difference greater than 40%: contributing test "have accepted communication to the Internet"; contributing test "and have accepted communication from the Internet"; restrictive test "and include only if the inbound and outbound flow count has a percentage difference greater than 40". |
| include only if the time is between start time and end time inclusive | Filters communications within your network that occurred within a specific time range. Run this test to detect out-of-policy communications. For example, if your corporate policy allows FTP communications between 1 and 3 AM, this test can detect any attempt to use FTP to communicate outside of that time range. |
| include only if the day of week is between start day and end day inclusive | Filters assets from the contributing test question based on network communications that occurred within a specific range of days of the week. Run this test to detect out-of-policy communications. |
| include only if susceptible to vulnerabilities that are exploitable | Filters assets from a contributing test question that searches for specific vulnerabilities, and restricts the results to exploitable assets. This restrictive test has no configurable parameters; it is used together with the contributing test "are susceptible to one of the following vulnerabilities". That contributing test, which contains a vulnerabilities parameter, is required. |
| include only the following networks | Filters assets from a contributing test question that include or exclude the configured networks. |
| include only the following asset building blocks | Filters assets from a contributing test question that are or are not associated with the configured asset building blocks. |
| include only the following asset saved searches | Filters assets from a contributing test question that are or are not associated with the configured asset saved search. |
| include only the following reference sets | Filters assets from a contributing test question that include or exclude the configured reference sets. |
| include only the following IP addresses | Filters assets that are or are not associated with the configured IP addresses. |
| include only if the Microsoft Windows service pack for operating systems is below 0 | Filters assets to determine whether the Microsoft Windows service pack level for an operating system is below the level that your company policy specifies. |
| include only if the Microsoft Windows security setting is less than 0 | Filters assets to determine whether a Microsoft Windows security setting is below the level that your company policy specifies. |
| include only if the Microsoft Windows service equals status | Filters assets to determine whether a Microsoft Windows service is unknown, boot, kernel, auto, demand, or disabled. |
| include only if the Microsoft Windows setting equals regular expressions | Filters assets to determine whether a Microsoft Windows setting matches the specified regular expression. |
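As an added illustration of the two percentage-difference tests in the table (this is not code from the QRadar product or its documentation), the following Python applies the "less than 10" (proxy-like) and "greater than 40" (lopsided) variants to constructed per-asset flow records. The percentage-difference formula, the FLOWS sample data and the function names are assumptions, since the page does not state how the product computes the difference.

```python
from collections import defaultdict

# Constructed sample flow records (not from the page): (asset, direction relative
# to the asset, bytes). "in" = the asset received the flow, "out" = it sent one.
FLOWS = [
    ("10.0.0.5", "in", 5000), ("10.0.0.5", "out", 4800),    # balanced: proxy-like
    ("10.0.0.5", "in", 1000), ("10.0.0.5", "out", 1100),
    ("10.0.0.9", "in", 90000), ("10.0.0.9", "out", 3000),   # lopsided: a downloader
    ("10.0.0.9", "in", 20000), ("10.0.0.9", "in", 15000), ("10.0.0.9", "out", 1000),
    ("10.0.0.12", "in", 0), ("10.0.0.12", "out", 0),        # flows seen, no payload bytes
]


def percent_difference(a, b):
    """Assumed formula: |a - b| as a percentage of the larger side.

    Returns None when both sides are zero, so an asset with no traffic in the
    chosen metric is never a candidate. The product's exact formula is not
    stated on the page; this is the assumption used here.
    """
    larger = max(a, b)
    if larger == 0:
        return None
    return abs(a - b) / larger * 100.0


def totals_per_asset(flows):
    """Sum inbound/outbound bytes and count inbound/outbound flows per asset."""
    totals = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0,
                                  "in_flows": 0, "out_flows": 0})
    for asset, direction, nbytes in flows:
        totals[asset][direction + "_bytes"] += nbytes
        totals[asset][direction + "_flows"] += 1
    return totals


def include_only_if_diff(flows, metric="bytes", comparison="less", threshold=10.0):
    """Restrictive test: keep assets whose inbound/outbound percentage difference
    for `metric` ("bytes" or "flows") is less/greater than `threshold`."""
    kept = []
    for asset, t in totals_per_asset(flows).items():
        diff = percent_difference(t["in_" + metric], t["out_" + metric])
        if diff is None:
            continue
        if (comparison == "less" and diff < threshold) or \
           (comparison == "greater" and diff > threshold):
            kept.append(asset)
    return sorted(kept)
```

With the sample data, only 10.0.0.5 passes the "bytes difference less than 10" test, while 10.0.0.9 is the only asset whose bytes difference exceeds 40.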
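An added example (not the product's own code) of the time-of-day and day-of-week restrictive tests, using the table's FTP policy of 1 to 3 AM combined with an assumed Monday-to-Friday day window. The CONNECTIONS sample, the function names and the inclusive window logic, including a time window that wraps past midnight, are assumptions made here.

```python
from datetime import datetime, time

# Constructed sample connections (not from the page):
# (source, destination, protocol, timestamp).
CONNECTIONS = [
    ("10.0.1.4", "10.0.2.20", "ftp", datetime(2024, 3, 4, 2, 15)),   # Mon 02:15: allowed
    ("10.0.1.4", "10.0.2.20", "ftp", datetime(2024, 3, 4, 14, 5)),   # Mon 14:05: outside hours
    ("10.0.1.7", "10.0.2.20", "ftp", datetime(2024, 3, 9, 1, 30)),   # Sat 01:30: outside days
    ("10.0.1.9", "10.0.2.21", "ssh", datetime(2024, 3, 4, 14, 5)),   # not FTP: not examined
]


def in_time_window(t, start, end):
    """Inclusive check on comparable time-of-day values (datetime.time works).
    A window whose end is earlier than its start (e.g. 22:00 to 02:00) is
    treated as wrapping past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def in_day_window(weekday, start_day, end_day):
    """Inclusive check on a weekday (Monday=0 .. Sunday=6); a window with
    start_day > end_day (e.g. Friday to Monday) wraps over the weekend."""
    if start_day <= end_day:
        return start_day <= weekday <= end_day
    return weekday >= start_day or weekday <= end_day


def out_of_policy(connections, protocol, start, end, start_day=0, end_day=6):
    """Return the connections of `protocol` that fall outside the allowed
    day-of-week range AND time-of-day range, i.e. the policy violations."""
    violations = []
    for src, dst, proto, when in connections:
        if proto != protocol:
            continue
        allowed = (in_day_window(when.weekday(), start_day, end_day)
                   and in_time_window(when.time(), start, end))
        if not allowed:
            violations.append((src, dst, proto, when))
    return violations


def ftp_violations(connections=CONNECTIONS):
    """The table's example: FTP allowed only from 01:00 to 03:00, here on the
    assumed Monday-to-Friday window."""
    return out_of_policy(connections, "ftp", time(1, 0), time(3, 0), 0, 4)
```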