ActOn Policies

  • Updated
In this article:

    Learn from the following video on how to create ActOn policy to convert multiple and similar situations into ActOns.

    Resolution Intelligence Cloud generates actionable insights you can act on, called ActOns. ActOns present highly curated, contextual data – like related alerts, asset, and user data. You can focus on what matters most because ActOns are prioritized based on a risk score aligned to your business, based on likelihood, impact, and confidence.

    ActOn Policy is a set of rules that consist of several conditional expressions which will help to transform the situations into an ActOn. ActOn Policies enable you to set numerous rules that are available in our Resolution Intelligence Cloud to customize and detect situations in order to respond or act quickly and efficiently.

    Scope and Precedence of ActOn Policy

    Tenant, Organization, and Domain level users can define ActOn policies with an established hierarchy.

    Precedence of ActOns is given at each individual scope (Tenant, Organization, and Domain). For example, if a situation is transformed to an ActOn for a Domain user, it will be an ActOn for that respective user only but it may or may not be an ActOn for Tenant or Organization level user.

    Order of Evaluation of Acton Policy

    • All rules are evaluated, and result is OR’ed at individual scopes and it is recorded in ActOn model at appropriate scope.
    • If the situation is an ActOn for a tenant user, it is automatically an ActOn for organization and domain users.
    • If the situation is an ActOn for an organization user, it is automatically an ActOn for domain users, but not for tenant users.
    • If the situation is an ActOn for a domain user, it is an ActOn for domain user only, but not for tenant or/and organization users.
    • Manual override: Any non-ActOn can be changed to an ActOn (at each individual scope)
    • ActOn cannot be changed back to non-ActOn (for any scope and at any time). To prevent such correlated signals to be converted to an ActOn in first place, you have to update the ActOn policy rules.

    Configuring a ActOn Policy

    User Permissions

    A Config manager, Owner, Global Admin, and users with Manager role can define the ActOn policy within our platform.

    To configure a policy, you need to follow the below steps.

    • From the Home screen, navigate to Configurations -->ActOns --> Policy.
    • In the ActOn Policy screen, click Create New Rule.
    • Enter a Rule Name and add Description(Optional).
    • Click +Add Condition or +Add Group to enable matching conditions.
      1. Select an Attribute, Operator, and Value from the respective dropdown menu.
      2. Clickmceclip0.png to remove the condition.
      3. Enable Negate next to the condition to isolate the condition.
      4. Check Box next to the Match All to select all conditions that you have added.
    • Under Define ActOn priority, select any of the following options
      • Set Priority: assigns importance to a situation. You can select the values from P0 to P3 from the dropdown.
      • Use System Defined Priority: System assigns the importance to a situation automatically. However, you can manually override the system defined priority using the following option.
        • Override priority if it is changed manually
          • Yes: overrides the previous priority
          • No: preserves the previous priority
    • Click Submit.

    Notifications & Escalations

    All signals will not be transformed to ActOns, unless you have setup an ActOn policy. When a policy is in force, our internal analytic engine matches the conditions and transforms the relevant signals into an ActOn. Whenever, an ActOn is generated, our platform notifies to the responders and allows the responder to take a necessary action to remediate the issue. Sometimes, when a responder is not available, our platform escalates the ActOn to the next level responders.

    Notifications and Escalations have scope limiting to the respective stakeholders. For example, if correlation rules are transformed into an ActOn for Domain user, only escalation policy for that Domain is executed. 

    If the ActOn generated for an Organization or Tenant users, their respective escalation policies are executed. Administrators can control the notification of signals and ActOns by enabling outbound integrations to the external environment. 

    If the outbound integration is setup at tenant level and an ActOn is generated at tenant premises, the ActOn will be sent to the tenant PSA only.

    Importing ActOn policies

    Resolution Intelligence Cloud enables you import external ActOn policies via interactive user interface in the JSON format.

    To import ActOn policies,

    1. From the ActOn Policy listing page, hover over mceclip0.png button and click From JSON 
      A dialog box appears 
    2. Select a JSON file from your local drive and click Open
      Your JSON file will be imported

    Exporting ActOn Policies

    You can export one or more ActOn policies that you defined in the Resolution Intelligence Cloud and share them with others in the same or different organization.

    To export ActOn policies,

    1. From the ActOn Policy listing page, hover over mceclip1.png button and click any of the following from the dropdown
      • All: exports all policies that are available in Resolution Intelligence Cloud
      • Selectively: enables you to select the policies that you wish to export
    2. ActOn policies will be downloaded in the JSON format and saved in your local drive

    Comparing New and Existing Rulesets

    You can preview and compare the existing and new situations from rulesets that are configured to generate ActOns. Resolution Intelligence Cloud facilitates this unique feature to reduce the manual efforts to copy the existing ruleset (that is configured previously) to a new one. 

    To preview and compare the situations for a new ruleset,

    • From the Home screen, navigate to Configurations --> ActOns --> Policy.
    • Click Open in Diff Mode at top right corner of your screen.
    • In the Diff Mode screen, select any or all existing rules and click Copy to New Ruleset to the right half of your screen.

    Note: You can create a new ruleset and combine it with the existing one. Also, you can always remove the Ruleset that is copied from the left half of your screen.

    • Click Preview Results to compare the situations from both current ruleset and new ruleset.
    • Click Save New Ruleset if you would like to save a new ruleset.
    • Click Exit Diff Mode to exit from Diff Mode screen.

     

     

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.