Understanding the difference between protection rule sets and audit rule sets
There are two types of rule sets: audit and protection.
They serve different purposes depending on the rule set to which the security rules belong. In a protection rule set, the rules let you block attacks on workstations, detect privilege escalation attempts, and control access to applications, networks, devices, etc. In an audit rule set, the rules only generate logs, so that you can monitor activity in your pool and, if necessary, reconstruct the context of an attack.
The Threats tab in rule sets does not always list the same protections, as this depends on whether you are looking at a protection rule set or audit rule set. For more information, see the section Managing vulnerability exploitation.
Likewise, temporary web access and Wi-Fi card activation can only be managed in a protection rule set.
In protection rule sets, the agent evaluates rules individually and in this order:
- If a rule prohibits the action for the resource, the agent generates a log, blocks the action and stops evaluating any other rules that apply to this resource.
- If a rule explicitly allows the action for the resource, the agent allows it and stops evaluating any other rules that apply to this resource.
- If a rule does not apply to the resource, the agent continues with the rules that follow.
Use this mode to protect your workstations from malicious activity, and restrict access to protect your device pool from dangerous user behavior.
In protection rule sets, all rules that control access to resources or devices have a Passive rule mode. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
Use this mode to test new restriction rules, find out their impact, and make the necessary adjustments before disabling Passive rule mode.
You can also test entire rule sets or entire policies before implementing them on your pool of machines. For more information, refer to the section Testing security policies.
In audit rule sets, if Audit is selected as the action in a rule, the agent sends logs to indicate the actions performed by applications. In all cases, the agent continues to evaluate all the rules that follow.
Use this mode to monitor access to certain resources and send relevant information to the administrator without blocking access, so that abnormal behavior can be detected.
Audit rules can also be configured to monitor users' activity: for example, the applications they use most often, or the versions of those applications.
To prevent too many logs from being generated, create precise rules that do not cover too wide a range of resources or applications.
Audit rules can be used transparently in SES Evolution if you choose not to show logs on the agent or console, or if you choose not to send them to a syslog server. However, during an attack, the logs generated and saved on the agent can help to reconstruct the context of the attack, which is illustrated in a chart. For further information, refer to the section Analyzing contexts to understand attacks.
In audit rules, each action can be set to Allow or Audit. Allow means that the rule does nothing for that action. This is useful when you want to configure a default action and one or several specific actions in a rule: you can select Audit for the specific actions and Allow for the default action. It is also useful when several actions are available for a resource and you want to monitor only one type of action.
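To make the evaluation order concrete, the following is an added example in Python; it is not code from the SES Evolution documentation or product. It models what the sections above describe: first-match evaluation in a protection rule set (block or explicit allow stops evaluation, a non-applicable rule is skipped), passive rules that only log what they would have blocked, and an audit rule set where every rule is consulted, Audit produces a log and Allow does nothing, with a per-rule default action plus specific actions as described for audit rules. The rule names, resource patterns, glob-style matching and log format are constructed assumptions, as is the reading that a passive rule ends evaluation exactly like its active counterpart ("behave like standard rules").

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

# Verdicts. Protection rule sets use BLOCK/ALLOW; audit rule sets use AUDIT/ALLOW.
BLOCK, ALLOW, AUDIT = "block", "allow", "audit"


@dataclass
class Rule:
    name: str                                   # constructed label for log lines
    resource: str                               # glob pattern for the resource covered
    actions: Dict[str, str] = field(default_factory=dict)  # specific action -> verdict
    default: Optional[str] = None               # verdict for unlisted actions; None = rule does not apply
    passive: bool = False                       # protection sets only: log instead of blocking

    def verdict_for(self, resource: str, action: str) -> Optional[str]:
        """Return the verdict for (resource, action), or None if this rule does not apply."""
        if not fnmatch(resource, self.resource):
            return None
        return self.actions.get(action, self.default)


def evaluate_protection(rules: List[Rule], resource: str, action: str) -> Tuple[bool, List[str]]:
    """First-match evaluation of a protection rule set. Returns (blocked, logs)."""
    logs: List[str] = []
    for rule in rules:
        verdict = rule.verdict_for(resource, action)
        if verdict is None:
            continue                            # rule does not apply: keep scanning
        if verdict == BLOCK:
            if rule.passive:
                # Assumption: a passive rule stops evaluation like a standard rule
                # but only reports what it would have blocked.
                logs.append(f"[{rule.name}] PASSIVE: would block {action} on {resource}")
                return False, logs
            logs.append(f"[{rule.name}] BLOCK {action} on {resource}")
            return True, logs
        return False, logs                      # explicit allow: no further rules consulted
    return False, logs                          # no rule applied


def evaluate_audit(rules: List[Rule], resource: str, action: str) -> List[str]:
    """Audit rule set: never blocks, and every rule that follows is still evaluated."""
    logs: List[str] = []
    for rule in rules:
        if rule.verdict_for(resource, action) == AUDIT:
            logs.append(f"[{rule.name}] AUDIT {action} on {resource}")
        # ALLOW or not applicable: nothing happens, move on to the next rule
    return logs


# Constructed sample rule sets; resource names and rule names are made up.
PROTECTION_RULES = [
    Rule("block-secrets-write", r"C:\Secrets\*", {"write": BLOCK, "delete": BLOCK}),
    Rule("allow-reports-write", r"C:\Reports\*", {"write": ALLOW}),
    Rule("passive-usb-write", "usb:*", {"write": BLOCK}, passive=True),   # being tested
    Rule("block-usb", "usb:*", {"write": BLOCK, "read": BLOCK}),
]

AUDIT_RULES = [
    # Audit only writes to the Secrets folder; every other action on it is Allow (does nothing).
    Rule("audit-secrets-write", r"C:\Secrets\*", {"write": AUDIT}, default=ALLOW),
    Rule("audit-word-launch", r"*\winword.exe", {"execute": AUDIT}),
]


if __name__ == "__main__":
    for res, act in [(r"C:\Secrets\key.txt", "write"), (r"usb:E:\doc", "write"),
                     (r"usb:E:\doc", "read"), (r"C:\Reports\q1.docx", "write")]:
        print("protection:", res, act, evaluate_protection(PROTECTION_RULES, res, act))
    for res, act in [(r"C:\Secrets\key.txt", "write"), (r"C:\Secrets\key.txt", "read")]:
        print("audit:", res, act, evaluate_audit(AUDIT_RULES, res, act))
```

Note how ordering matters in the protection set: a write to a USB resource is stopped by the passive rule (logged, not blocked), and the later active rule is never reached, whereas a read is not covered by the passive rule and falls through to the active one.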