Best way to edit default rule in CSA

NAVIN PARWAL
Level 2

Folks,

Could someone please guide me on the best way to edit the default rules on CSA MC? I would like to tune some of the rules and I am not sure how to change the default rules; maybe copy them, change them, and raise the priority?

Thanks

1 Accepted Solution


Use the wizard to create the exception. The default is it will create an exception to the policy by creating a new rule module and assigning it to the policy. Then you can see how the exception works and you can change the exception rather than the rule. This keeps the original rules unchanged but allows you to make any changes necessary to get your apps to work.

Tom S


5 Replies

tsteger1
Level 8

Make exceptions to the rule rather than change the rule at first. You can change it later if you want.

Tom S

Tom,

Thanks for the response. I will surely rate all posts.

How do I create an exception to the rule, and what would be the best way to change it? Change the original rule, or clone it, edit it, and then raise the priority?

Any help would be highly appreciated.

Use the wizard to create the exception. The default is it will create an exception to the policy by creating a new rule module and assigning it to the policy. Then you can see how the exception works and you can change the exception rather than the rule. This keeps the original rules unchanged but allows you to make any changes necessary to get your apps to work.

Tom S

Tom, you are awesome! Please, I would appreciate it if you could assist a little more:

1) At the present time I am in a tuning process. I have 2 applications shouting all the time, svchost and Internet Explorer, trying to make changes to the registry. How do I tackle such problems?

If an application complains and I know that it is a valid application, how do I create an exception for it?

What about CSA complaining about IE trying to make changes to the registry? What should I do about it?

The trick is to figure out what protection you want, put machines in the necessary groups, then start looking at events. You can pretty much guess what normal behavior is, so you can tune those out first using the wizard to either allow the action, or deny and stop logging it (unless you want to see it). I would start out with very little protection at first and in test mode, then work your way up from there.