Policies
The policy feature analyzes collected data to detect threats according to established policies. The policy functionalities described in this section include:
- Stream Rule: A feature that detects threats by correlating real-time collected data against patterns or specific conditions as the data arrives.
- Batch Rule: A feature that detects threats by correlating different events that occur over time.
- Playbook: A feature that automatically responds to detected threats based on real-time/batch rules.
The following features allow you to manage threat intelligence, related data, and asset information required for real-time and batch detection, as well as for security operations and playbook execution:
- ML Models: A feature that trains on collected data using Random Forest and Isolation Forest algorithms to make predictions and to identify and detect anomalous behavior.
- Threat Intelligence: Management functionality for threat intelligence provided through Logpresso CTI or applications.
- Behavior Profiles: A feature that periodically profiles past behaviors, enabling behavior-based detection.
- ML Datasets: Data management functionality for training machine learning models.
- Sites: Management functionality for sites subject to security monitoring.
- Assets: Management functionality for the IP addresses of assets that need protection from threats.
- Address Groups: Management functionality for IP address groups that can be utilized for blocking/allowing purposes.
- Subnet Groups: Management functionality for IP network groups that can be utilized for blocking/allowing purposes.
- Port Groups: Management functionality for TCP/UDP service port groups that can be utilized for blocking/allowing purposes.
- User-Defined Filters: Management functionality for filters that can be used in real-time/batch rules.
- Pattern Groups: Management functionality for defining pattern groups that specify what to search for in the data.
- Alarm Groups: Management functionality for accounts that will receive alerts upon threat detection through real-time/batch rules.
- Indicators: Management functionality for user-defined indicators of compromise.