Use Case:
Customer would like to run a report on any rules with "Any Any Any" but exclude those with a rule name that includes 'UAC' or 'Auth'.
Referencing the current 'Any Any Any' AC-00007 Control:
Use filtering in Security Manager to determine the additional SIQL arguments required: one filter for "Rule name does not contain 'UAC'" and, in a separate query, "Rule name does not contain 'Auth'". The two are joined by removing the closing bracket of the first and combining them with 'and':
{ rulename !~ 'UAC' and rulename !~ 'Auth' }
We now join the exclusion arguments above with the SIQL we pulled from AC-00007:
rule{disabled=false and source.any = true and destination.any=true and (application.any=true or application.objectcount = 0 ) and service.any=true and action='ACCEPT' and rulename !~ 'UAC' and rulename !~ 'Auth' }
Test this in Security Manager to ensure the expected results are returned. Then create a custom control under Administration > Compliance > Controls > Create > Rule Search, and enter the Control Name and the query created above.
Go to System > Reports > Create > Control Report. Title the control report, select the custom control and the device group/devices (select 'Include devices from child device groups' if applicable), choose Control results (optional) and Failed rules (all unless stated otherwise), and schedule the report as desired with appropriate notification settings.
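To confirm what the combined query above will and will not flag before it is saved as a control, the following added example (not FireMon code, and not a SIQL evaluator) re-implements the same predicate in Python and runs it over constructed rule records. Field names mirror the SIQL attributes; whether SIQL's '!~' is case-sensitive is not stated on this page, so the example assumes a case-sensitive substring match.

```python
# Added example: the AC-00007 "Any Any Any" predicate with the UAC/Auth
# name exclusions, applied to constructed rule records.
from dataclasses import dataclass


@dataclass
class Rule:
    name: str                 # rulename
    disabled: bool            # disabled
    source_any: bool          # source.any
    destination_any: bool     # destination.any
    application_any: bool     # application.any
    application_objectcount: int  # application.objectcount
    service_any: bool         # service.any
    action: str               # action


# rulename !~ 'UAC' and rulename !~ 'Auth'
EXCLUDED_NAME_FRAGMENTS = ("UAC", "Auth")


def is_any_any_any(rule: Rule) -> bool:
    """AC-00007: enabled, any source/destination/service, ACCEPT, and either an
    'any' application or no application objects at all (objectcount = 0)."""
    return (
        not rule.disabled
        and rule.source_any
        and rule.destination_any
        and (rule.application_any or rule.application_objectcount == 0)
        and rule.service_any
        and rule.action == "ACCEPT"
    )


def is_excluded_by_name(rule: Rule) -> bool:
    # Assumption: case-sensitive substring match (SIQL semantics not given on the page).
    return any(frag in rule.name for frag in EXCLUDED_NAME_FRAGMENTS)


def failed_rules(rules):
    """Names of rules the custom control would report as failed."""
    return [r.name for r in rules if is_any_any_any(r) and not is_excluded_by_name(r)]


SAMPLE_RULES = [  # constructed sample data, not from a real device
    Rule("Allow-All-Legacy", False, True, True, True, 0, True, "ACCEPT"),  # reported
    Rule("UAC-Workstations", False, True, True, True, 0, True, "ACCEPT"),  # excluded by name
    Rule("Auth-Servers", False, True, True, False, 0, True, "ACCEPT"),     # excluded by name
    Rule("Temp-Open", True, True, True, True, 0, True, "ACCEPT"),          # disabled
    Rule("Web-Only", False, True, True, False, 2, True, "ACCEPT"),         # has app objects
    Rule("Drop-All", False, True, True, True, 0, True, "DROP"),            # not ACCEPT
]

if __name__ == "__main__":
    for name in failed_rules(SAMPLE_RULES):
        print("FAIL:", name)
```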