Home > Articles > Cisco Network Technology > General Networking > Creating Custom Policies for the Cisco Security Agent

Creating Custom Policies for the Cisco Security Agent

Chapter Description

Creating your own policies is a major part of operating a successful CSA deployment. To accomplish this, you must thoroughly understand the components available to you and the methods of research available. Understanding the rule types and the events caused by those rules helps you move forward in your deployment and perform day-to-day support. A solid grasp of the fundamentals and advanced components not only makes you an effective administrator but also an efficient one. This chapter will help you get started with this.


You can use the CSA and various rules and features of the product to report behavior you want to monitor on certain systems. The two methods used are: Monitor Rules and Application Behavior Investigation. The remaining portion of the chapter discusses these two methods.

Monitor Rules

You can create rules that do not enforce any security Allow or Deny actions but rather log an event only when the matching rule is triggered. These rules use an action of Monitor. You can create any type of rule with this type of action. The following are examples of rules that might be useful:

  • Monitor execution of a specific application, such as a known P2P, Instant Messenger, or other unapproved application.
  • Monitor FTP, TFTP, IRC, and other connections that should not leave your corporate network.
  • Monitor file access of certain directories and file types.

You can use these rules when needed or create a Rule Module that includes several different types of rules with the Monitor action, each tied to a specific empty application class. Using this approach, you can add an executable to this application class when you locate a process you want to monitor, and you instantly begin to receive forensic data about the process after the next rule generation. This can provide you a Honey-Pot approach to monitoring that is available to you anywhere in the deployment at any time.

Application Behavior Investigation

The CSA product also provides a mechanism for monitoring a process natively named Application Behavior Investigation. This is configured by selecting Analysis>Application Behavior Investigation>Windows Behavior Analyses. Select New to create an investigation. You define the matching application class and the host the investigation should target. After completion and after a specified period or number of executions, you receive a report that displays all the network interaction, file interaction, COM object interaction, and registry interaction of that process. This can be a useful way to collect data about what a process does as part of research and also prior to creating and application control policy for this software.