ActOn Policies

  • Updated
Table of Contents:

This article covers the steps required to setup ActOn policies and how to import, export and compare rulesets of an ActOn policy.

Resolution Intelligence Cloud generates actionable insights you can act on, called ActOns. ActOns present highly curated, contextual data – like related alerts, asset, and user data. You can focus on what matters most because ActOns are prioritized based on a risk score aligned to your business, based on likelihood, impact, and confidence.

ActOn Policy is a set of rules that consist of several conditional expressions which will help to transform the situations into an ActOn. ActOn Policies enable you to set numerous rules that are available in our Resolution Intelligence Cloud to customize and detect situations in order to respond or act quickly and efficiently.

Scope and Precedence of ActOn Policy

Tenant, Organization, and Domain level users can define ActOn policies with an established hierarchy.

Precedence of ActOns is given at each individual scope (Tenant, Organization, and Domain). For example, if a situation is transformed to an ActOn for a Domain user, it will be an ActOn for that respective user only but it may or may not be an ActOn for Tenant or Organization level user.

Order of Evaluation of Acton Policy

  • All rules are evaluated, and result is OR’ed at individual scopes and it is recorded in ActOn model at appropriate scope.
  • If the situation is an ActOn for a tenant user, it is automatically an ActOn for organization and domain users.
  • If the situation is an ActOn for an organization user, it is automatically an ActOn for domain users, but not for tenant users.
  • If the situation is an ActOn for a domain user, it is an ActOn for domain user only, but not for tenant or/and organization users.
  • Manual override: Any non-ActOn can be changed to an ActOn (at each individual scope)
  • ActOn cannot be changed back to non-ActOn (for any scope and at any time). To prevent such correlated signals to be converted to an ActOn in first place, you have to update the ActOn policy rules.

Configuring a ActOn Policy

User Permissions

A Config manager, Owner, Global Admin, and users with Manager role can define the ActOn policy within our platform.

To configure a policy, you need to follow the below steps.

  1. From the Home screen, navigate to Configurations -->ActOns --> Policy. The ActOn listing page appears. 
  2. Click Create New Rule. This opens the side panel. 
  3. Enter a Rule Name and add Description(Optional).

  4. Select a label or create a new label by adding the label name. You can link multiple labels to an ActOn Policy.

    Labels are the keywords that provide additional context and filter the ActOn policies in the listing page. 

  5. Click +Add Condition or +Add Group to enable matching conditions.
    1. Select an Attribute, Operator, and Value from the respective drop down menu.
    2. Clickmceclip0.png to remove the condition.
    3. Enable Negate next to the condition to isolate the condition.
    4. Check Box next to the Match All to select all conditions that you have added.
  6. Under Define ActOn priority, select any of the following options
    • Set Priority: assigns importance to a situation. You can select the values from P0 to P3 from the drop down.
    • Use System Defined Priority: System assigns the importance to a situation automatically. However, you can manually override the system defined priority using the following option.
      • Override priority if it is changed manually
        • Yes: overrides the previous priority
        • No: preserves the previous priority
  7. Click Submit.

Notifications & Escalations

All signals will not be transformed to ActOns, unless you have setup an ActOn policy. When a policy is in force, our internal analytic engine matches the conditions and transforms the relevant signals into an ActOn. Whenever, an ActOn is generated, our platform notifies to the responders and allows the responder to take a necessary action to remediate the issue. Sometimes, when a responder is not available, our platform escalates the ActOn to the next level responders.

Notifications and Escalations have scope limiting to the respective stakeholders. For example, if correlation rules are transformed into an ActOn for Domain user, only escalation policy for that Domain is executed. 

If the ActOn generated for Organization or Tenant users, their respective escalation policies are executed. Administrators can control the notification of signals and ActOns by enabling outbound integrations to the external environment. 

If the outbound integration is setup at tenant level and an ActOn is generated at tenant premises, the ActOn will be sent to the tenant PSA only.

Importing ActOn Policies

Resolution Intelligence Cloud enables you to import external ActOn policies via an interactive user interface in the following ways:

  1. From Account Hierarchy: The account hierarchy is defined as follows:
      • If you are in a tenant account, you can import ActOn policies from the organization, domain, or platform levels.
      • If you are in an organization account, you can import ActOn policies from domain or platform levels.
      • If you are in a domain account, you can import ActOn policies from platform levels.
  2. From JSON: import the ActOn policies in JSON format from your local drive.

To import ActOn policies,

  1. From the ActOn policies listing page, hover over the mceclip0.png button and click any one of the following from the drop-down:
    1. From Account Hierarchy:
      1. Select the policies that you would prefer to import.
      2. Click Next.
      3. Click Proceed to Summary once you have added your required policies.
      4. Select the following:
        • Append: adds the policies to the existing list without overriding.
        • Overwrite: replaces the existing policies.
      5. Click Submit.
    2. From JSON:
      1. Select your desired policy file in the dialog box.
      2. Click Open.

Exporting ActOn Policies

You can export one or more ActOn policies that you defined in the Resolution Intelligence Cloud and share them with others in the organization or tenants.

To export ActOn policies,

From the ActOn Policy listing page, hover over mceclip1.png button and click any of the following from the drop-down.

  • All: exports all policies that are available in Resolution Intelligence Cloud to a JSON file.
  • Selectively: enables you to select the policies that you wish to export to a JSON file. 

Comparing New and Existing Rulesets

You can preview and compare the existing and new situations from rulesets that are configured to generate ActOns. Resolution Intelligence Cloud facilitates this unique feature to reduce the manual efforts to copy the existing ruleset (that was configured previously) to a new one. 

To preview and compare the situations for a new ruleset,

  • From the Home screen, navigate to Configurations --> ActOns --> Policy.
  • Click Open in Diff Mode at the top right corner of your screen.
  • In the Diff Mode screen, select any or all existing rules and click Copy to New Ruleset on the right half of your screen.

Note: You can create a new ruleset and combine it with the existing one. Also, you can always remove the Ruleset that is copied from the left half of your screen.

  • Click Preview Results to compare the situations from both the current ruleset and the new ruleset.
  • Click Save New Ruleset if you would like to save a new ruleset.
  • Click Exit Diff Mode to exit from the Diff Mode screen.

Viewing the list of ActOn policies

Use this procedure to view the list of ActOn policies created and filter the policies based on the defined search criteria. If there are many policies, you can use the search option to search for the ActOn policy you want. 

To view ActOn policies:

  1. Navigate to Configurations --> ActOns.
  2. Click Policy.
    The ActOn listing page appears. 
  3. Click the Filter icon to view the following fields using which you can filter the ActOn policies:
      • Time Frame 
        • Always - Displays the policies that are always active. 
        • Once - Displays the policies that are active only for a certain period. 
        • Recurring - Displays the policies that are recurring.  
      • Labels - Can view the labels that are used in rule. Select the check box corresponding to the labels to filter by those. 
  4. Click Apply to apply the selected filters. 
  5. Review this ActOn policy information:
Field name Field description
Order Change the position of the policy in the list, using this button
Name The name of the ActOn policy.
Matching Conditions The conditions applied for the ActOn policy. 
Actions Performed The actions performed by this rule.
Applicable Time Frame The time during which the rule is applicable. 
Created Date The date on which the rule was created.
Created By The user who created this rule.
Updated Date The date on which the rule was updated.
Updated By The user who last updated the rule. 

You can perform the following actions on the listing page of ActOn policies, using the Settings icon corresponding to each policy:

  • Disable the policy if it not required, using the Disable option. You can later add the disabled policy to the list, using the enable option that you see in the disabled list of policies. 
  • Modify the ActOn policy details, using the Edit option.
  • Change the position of policies, using the Move option. You can drag and drop the ActOn policies to the position you want using the reordering option, but you can reorder the policies on the same page. 
  • View the details of an ActOn policy, using the View option. 
  • Delete the ActOn policy, using the Delete option. 

To import rules from the domain or organization, see Importing ActOn Policies.

To export selected or all rules to the JSON file, see Exporting ActOn Policies.

Related articles

Comments

0 comments

Please sign in to leave a comment.