Managing policies and rules
Create, apply, and view policy templates and rules.

Understanding the Policy Editor
The Policy Editor allows you to create policy templates and customize individual policies.

The Policy Tree
The Policy Tree lists the policies and devices on the system.

Manage policies on the Policy Tree
Manage the policies on the system by taking actions on the Policy Tree.

Set up rule and report for database audit trails
A Privileged User Audit Trails report allows you to view the audit trail for modifications made to the database, or to track access to a database or table that was associated with a specific database event.

Normalization
Rules are named and described by each vendor. As a result, the same type of rule often has different names, making it difficult to gather information for the types of events that are occurring.

Rule types and their properties
The Rule Types pane of the Policy Editor page allows you to access all rules by type.

Default Policy settings
You can set up the default policy to operate in alerts only mode or oversubscription mode. You can also view the status of the rule updates and initiate an update.

Rule operations
There are several operations you can perform on the rules to manage them and generate the information needed.

Assign tags to rules or assets
You can assign tags to rules, indicating their attributes, and then filter the rules by their tags. The ESM has a predefined set of tags but also provides you with the ability to add new tags and new tag categories.

Modify aggregation settings
Aggregated events are events that have fields that match.

Override action on downloaded rules
When rules are downloaded from the central server at McAfee, they have a default action assigned to them.

Severity weights
Event severity is calculated based on the severity weight given to assets, tags, rules, and vulnerabilities.

View policy change history
You can view or export a log of the changes that have been made to the policy. This log can hold a maximum of 1GB of data. When it reaches this limit, the oldest files are deleted as needed.

Apply policy changes
When you make changes to policies, you must roll out the changes to apply them. Changes made at the default policy level are applied to all policies when you roll out to all devices.

Enable Copy Packet
When Copy Packet is enabled for a rule, the packet data is copied to the ESM. If enabled, packet data is included within the source event data of an Internal Event Match or Field Match alarm.