Understanding the difference between protection, exception and audit rule sets

There are three types of rule sets: protection, exception, and audit.

The security rules in a rule set serve a different purpose depending on the type of rule set they belong to.

  • In a protection rule set, rules can be used to block attacks on workstations, detect privilege elevation, and manage access to applications, networks, peripherals, etc.

  • In an audit rule set, rules generate logs only; their sole purpose is to monitor the activity of your pool of workstations and, where needed, to reconstruct the context of an attack.

  • An exception rule set contains only exception rules. These are usually created from logs that you consider to be false positives. For further information, see Adding exceptions for logs.

The Threats tab of a rule set does not list exactly the same protections for a protection/exception set as for an audit set. For more information, see the section Managing vulnerability exploitation.

Similarly, management of temporary web access and control of Wi-Fi card activation are only possible in protection and exception rule sets, not in audit rule sets.