Organizing rules and rule sets in a policy
The agent evaluates protection and audit rules in the order in which the rule sets appear in the policy and, within each set, in the order of the rules. If several rule sets apply to the same resources, check that the sets are in the right order: once a protection rule applies, the agent stops evaluating the rules that follow it. The rule placed highest in the policy is therefore the one that is applied.
All rules in a policy, regardless of whether they belong to private or shared rule sets, are aggregated as if they were created in the same policy. If a policy contains two rule sets, all the rules from the first set will be read before the rules in the second set.
In general, if you use both protection and audit rule sets in the same policy, we recommend that you put audit rules before protection rules. This guarantees that logs will be generated for the actions that you want to monitor. If you put protection rule sets before audit rule sets, and both sets apply to the same resources, audit rules will not be read once a protection rule applies, and no audit logs will be generated.
Conversely, when an audit rule applies, the agent keeps reading the rules that follow it, so the protection rules placed after an audit rule are still evaluated.
If you create a policy that combines the audit and protection rule sets provided by Stormshield as shared rule sets with custom rule sets tailored to your environment, follow the order of rule sets recommended in the Recommendations section of the Release notes SES Evolution.
For more information on rule sets provided by Stormshield, refer to the section Understanding built-in rule sets.
To change the order, hover your mouse over a rule set: the drag-and-drop icon appears on the left of the set.
The order of rules within a protection rule set also matters, since rules follow the same evaluation logic as rule sets: they are evaluated in order, and evaluation stops as soon as a rule applies. Rules that target specific resources must therefore be placed before more general rules, otherwise the general rule shadows the specific one. The same goes for specific behaviors inside a rule. Refer to the next section for more information on specific behaviors.
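The following is an added example, not code from Stormshield or from SES Evolution: a small Python model of the evaluation order described above (rule sets in policy order, rules in set order, audit rules log and continue, the first applicable protection rule stops evaluation). The rule-set names, glob patterns, paths and the "block"/"allow" actions are constructed for the illustration, and the default "allow" when no protection rule matches is an assumption of the model. It shows the three cases the text warns about: a protection set placed before an audit set produces no audit log, the reverse order logs and then blocks, and a general allow rule placed above a specific block rule shadows it.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Rule:
    name: str
    pattern: str   # glob matched against the resource path, e.g. "C:/Temp/*.exe" (constructed)
    action: str    # protection rules: "block" or "allow"; audit rules: "log" (assumed vocabulary)


@dataclass
class RuleSet:
    name: str
    kind: str      # "audit" or "protection"
    rules: list = field(default_factory=list)


def evaluate(policy, resource):
    """Walk the rule sets in policy order and the rules in set order.

    A matching audit rule records a log entry and evaluation continues.
    A matching protection rule is applied and evaluation stops there.
    Returns (action, audit_logs, applied_rule). The "allow" default when no
    protection rule matches is an assumption of this model, not documented behaviour.
    """
    audit_logs = []
    for rule_set in policy:
        for rule in rule_set.rules:
            if not fnmatchcase(resource, rule.pattern):
                continue
            ref = f"{rule_set.name}/{rule.name}"
            if rule_set.kind == "audit":
                audit_logs.append(ref)
                continue                          # audit rules do not stop evaluation
            return rule.action, audit_logs, ref   # first applicable protection rule wins
    return "allow", audit_logs, None


# Constructed sample rule sets (not Stormshield's built-in rule sets).
AUDIT_TEMP = RuleSet("Audit-Temp", "audit", [
    Rule("log-temp", "C:/Temp/*", "log"),
])
PROTECT_TEMP = RuleSet("Protect-Temp", "protection", [
    Rule("block-temp-exe", "C:/Temp/*.exe", "block"),  # specific rule first
    Rule("allow-temp", "C:/Temp/*", "allow"),          # general rule last
])
# Same two rules, but the general rule now shadows the specific one.
PROTECT_TEMP_SHADOWED = RuleSet("Protect-Temp-Shadowed", "protection", [
    Rule("allow-temp", "C:/Temp/*", "allow"),
    Rule("block-temp-exe", "C:/Temp/*.exe", "block"),
])


def protection_first(resource="C:/Temp/dropper.exe"):
    """Protection set placed before the audit set: blocked, but no audit log is generated."""
    return evaluate([PROTECT_TEMP, AUDIT_TEMP], resource)


def audit_first(resource="C:/Temp/dropper.exe"):
    """Audit set placed before the protection set: logged, then blocked."""
    return evaluate([AUDIT_TEMP, PROTECT_TEMP], resource)


def shadowed_rule(resource="C:/Temp/dropper.exe"):
    """General allow rule above the specific block rule: the executable is allowed."""
    return evaluate([AUDIT_TEMP, PROTECT_TEMP_SHADOWED], resource)


if __name__ == "__main__":
    for label, fn in (("protection first", protection_first),
                      ("audit first", audit_first),
                      ("shadowed rule", shadowed_rule)):
        action, logs, ref = fn()
        print(f"{label:17} -> {action} by {ref}, audit logs: {logs}")
```

Run it as a script to print the three outcomes side by side; the only difference between the first two policies is the position of the audit set, and the only difference between the two protection sets is the order of their two rules.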