Rule Sets
This feature is available on request. Contact your Proofpoint representative.
Rule Sets provide more granular and advanced control over which rules apply to specific Realms.
To assign a rule to a source, such as Endpoint, you select the source in the Detection rule. (See Source Defaults for Detection Rules.)
When you assign a Rule Set to a Realm, any Source Default defined for that Realm no longer applies. You can define either a Source Default for a specific source or a Rule Set for specific Realms, not both for the same Realm.
A Rule Set contains one or more rules that are associated with specific Realm(s). With Rule Sets, alerts are fired only when the Agent detects a match to activity defined in one of the rules in the rule set in one of the specified Realms.
If you do not define a rule set, all rules configured for the Realm will trigger. However, once a Realm is configured to use Rule Sets, only the subset of rules configured to execute on the associated Realms will fire.
For example, your company has several Realms, with more than one Realm per location. You want to monitor the Boston offices more closely, so you set up a rule that detects file exfiltration activity for the Boston offices only. You create a Rule Set that contains all of the Boston office Realms and the rule that triggers an alert when it detects any file exfiltration. When this rule triggers an alert, it does so only for the Realms you specified.
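To make the scoping behaviour described above concrete, here is an added example (not Proofpoint code and not the product's own evaluation logic) that models the documented precedence with a small Python evaluator: a Realm with no Rule Set fires every rule configured for the event's source (the Source Default), while a Realm assigned to a Rule Set fires only rules contained in that set. The rule names, Realm names, the sample events, and the choice to treat a Rule Set whose status is off as if it were not assigned are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Rule:
    """A detection rule and the source it is assigned to (its Source Default)."""
    name: str
    source: str  # e.g. "Endpoint"


@dataclass(frozen=True)
class RuleSet:
    """One or more rules associated with specific Realm(s)."""
    name: str
    realms: FrozenSet[str]
    rules: FrozenSet[str]   # rule names contained in the set
    enabled: bool = True    # Status on/off; assumed here: off means "not assigned"


@dataclass(frozen=True)
class Event:
    """Activity seen by the Agent, with the rules whose pattern it matched."""
    realm: str
    source: str
    rule_matches: FrozenSet[str]


def rules_in_scope(realm: str, source: str,
                   rules: Iterable[Rule], rule_sets: Iterable[RuleSet]) -> set:
    """Rule names eligible to fire for activity in `realm` coming from `source`."""
    assigned = [rs for rs in rule_sets if rs.enabled and realm in rs.realms]
    if assigned:
        # Realm is configured to use Rule Sets: the Source Default no longer
        # applies, only the subset of rules in the assigned set(s) may fire.
        return set().union(*(rs.rules for rs in assigned))
    # No Rule Set for this Realm: every rule configured for the source applies.
    return {r.name for r in rules if r.source == source}


def evaluate(event: Event, rules: Iterable[Rule], rule_sets: Iterable[RuleSet]) -> List[str]:
    """Alerts fire only for rules that both matched the activity and are in scope."""
    return sorted(event.rule_matches & rules_in_scope(event.realm, event.source, rules, rule_sets))


# Constructed sample configuration (assumed names, not from the product).
RULES = (
    Rule("file-exfiltration", "Endpoint"),
    Rule("usb-copy", "Endpoint"),
    Rule("cloud-share", "SaaS"),
)
RULE_SETS = (
    RuleSet("Boston Offices",
            realms=frozenset({"boston-east", "boston-west"}),
            rules=frozenset({"file-exfiltration"})),
)

# Constructed sample activity: the same matches seen in a Boston Realm and elsewhere.
BOSTON_ENDPOINT = Event("boston-east", "Endpoint", frozenset({"file-exfiltration", "usb-copy"}))
CHICAGO_ENDPOINT = Event("chicago", "Endpoint", frozenset({"file-exfiltration", "usb-copy"}))
BOSTON_SAAS = Event("boston-west", "SaaS", frozenset({"cloud-share"}))


def demo() -> dict:
    """Which alerts fire for each sample event under the configuration above."""
    return {
        "boston-endpoint": evaluate(BOSTON_ENDPOINT, RULES, RULE_SETS),   # Rule Set restricts
        "chicago-endpoint": evaluate(CHICAGO_ENDPOINT, RULES, RULE_SETS), # Source Default applies
        "boston-saas": evaluate(BOSTON_SAAS, RULES, RULE_SETS),           # not in the Rule Set
    }


if __name__ == "__main__":
    for label, fired in demo().items():
        print(f"{label}: {fired}")
```

The third case is the one worth checking before enabling Rule Sets in production: once a Realm is assigned to a Rule Set, rules that used to reach it through a Source Default stop firing there unless they are added to the set, so review the set's contents against the rules you still expect to see in the Alerts view.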
To access Rule Sets, from the Proofpoint Information and Cloud Security Platform, select the Administration app. Select Policies > Rule Sets.
The list of Rule Sets displays.
The table below describes the parameters that display in the Rule Sets list.
Parameter | Description |
---|---|
Name | Name of the Rule Set. |
Realms | Realms assigned to the Rule Set. |
Rules | Number of Rules assigned to the Rule Set. |
Modified on | Date the Rule Set was last modified. |
Created on | Date the Rule Set was created. |
Status | Status of the Rule Set (on/off). |
Adding a Rule Set
1. From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select Policies > Rule Sets.
2. Click Add Rule Sets.
3. Provide the Name and Description for your Rule Set.
4. In the Realms area, click Add Realms and select the Realms you want from the list. Click Done.
5. In the Rules area, click Add Rules and select the Rules you want from the list. Click Done.
6. Click Save.
Validating Rule Sets
From the Alerts view, click the activity/alert you want to validate. From the details panel, select the Summary tab. Scroll down to see the Rules in the Indicator and Matches area.