Login

Cisco Secure Workload User Guide SaaS, Release 3.10

Get Started with Cisco Secure Workload
- Introduction to Security Cloud Control
- Manage Secure Workload in Security Cloud Control
- Supported Web Browsers
- Quick Start Wizard
- Get Started with Segmentation and Microsegmentation
  - General Process for Implementing Microsegmentation
  - Set Up Microsegmentation for Workloads Running on Bare Metal or Virtual Machines
  - Set Up Microsegmentation for Cloud-Based Workloads
  - Set Up Microsegmentation for Kubernetes-Based Workloads
Deploy Software Agents on Workloads
- Deploy Software Agents
  - Supported Platforms and Requirements
  - Install Linux Agents for Deep Visibility and Enforcement
    - Requirements and Prerequisites to Install Linux Agents
    - Supported Methods to Install Linux Agents
      - Install Linux Agent using the Agent Image Installer Method
      - Install Linux Agent Using the Agent Script Installer Method
      - Agent Support for NVIDIA Bluefield Networking Platform
    - Verify Linux Agent Installation
  - Install Windows Agents for Deep Visibility and Enforcement
    - Requirements and Prerequisites for Installing Windows Agent
    - Supported Methods to Install Windows Agents
      - Install Windows Agent using the Agent Script Installer Method
      - Install Windows Agent using the Agent Image Installer Method
    - Verify Windows Agent Installation
    - Verify Windows Agent in the Configured Service User Context
    - Modify Service Account
    - Deploying Agents on a VDI Instance or VM Template (Windows)
      - Install the agent on a golden image in a VDI environment or VM template
      - Create a new VDI instance VM
    - Windows Agent Installer and Npcap—For Windows 2008 R2
    - Windows Agent Flow Captures: For All Windows OS Excluding Windows Server 2008 R2
  - Install AIX Agents for Deep Visibility and Enforcement
    - Requirements and Prerequisites for Installing AIX Agents
    - Install AIX Agent using the Agent Script Installer Method
    - Verify AIX Agent Installation
  - Install Kubernetes or OpenShift Agents for Deep Visibility and Enforcement
    - Kubernetes or OpenShift Overview
    - Requirements and Prerequisites
    - Install Kubernetes or OpenShift Agent using the Agent Script Installer Method
    - Deep Visibility and Enforcement with Istio Service Mesh
  - Install Solaris Agents for Deep Visibility and Enforcement
    - Requirements and Prerequisites for Installing Solaris Agents
    - Install Solaris Agent using the Agent Script Installer Method
    - Verify Solaris Agent Installation
  - (Manual Installations Only) Update the User Configuration File
  - Other Agent-Like Tools
  - Connectivity Information
- Security Exclusions
- Service Management of Agents
  - Service Management for RHEL, CentOS, OracleLinux-6.x, and Ubuntu-14
  - Service Management for RHEL, CentOS, OracleLinux-7.x and Later
  - Service Management for Windows Server or Windows VDI
  - Service Management for AIX
  - Service Management for Kubernetes Agent Installations
  - Service Management for Solaris
- Enforce Policies with Agents
  - Agent Enforcement on the Linux Platform
    - Linux iptables or ip6tables
    - Caveats
  - Agent Enforcement on the Windows Platform in WAF mode
    - Windows Firewall with Advanced Security
    - Secure Workload Rules and the Windows Firewall
    - Security Profiles
    - Effective Setting and Mixed-List Policies
    - Stateful Enforcement
    - Caveats
  - Agent Enforcement on the Windows Platform in WFP Mode
    - Windows Filtering Platform
    - Advantages of WFP over WAF
    - Agent Support for WFP
    - Agent WFP support and Windows Firewall
    - Effective Setting and Mixed-List Policies
    - Stateful Enforcement
    - Visibility of Configured WFP Filters
    - Disable Stealth Mode Filters in WFP Mode
    - Delete Configured WFP Filters
    - Known Limitations in WFP Mode
  - Configure Policies for Windows Attributes
  - Recommended Windows OS-Based Policy Configuration
    - Known limitations
    - Caveats
    - Verify and Troubleshoot Policies with Windows OS-Based Filtering Attributes
      - Policies Based on Application Name
      - Policies Based on Service Name
      - Policies Based on User Group or User Name
  - Enforcement of Kubernetes Pods on Windows Nodes
  - Agent Enforcement on AIX Platform
    - IPFilter
    - Caveats
    - Known Limitations
  - Agent Enforcement on Solaris 11.4 Platform
  - Agent Enforcement on the Solaris 10 Platform
  - Check Agent Status and Statistics
  - View Agent Details
- Configure Software Agents
  - Requirements and Prerequisites for Configuring Software Agents
    - User Roles and Access to Agent Configuration
  - Configure Software Agents
    - Create an Agent Configuration Profile
    - Creating an Agent Config Intent
- View Detailed Agent Status in the Workload Profile
- Rehoming of Agents
  - Enable Rehoming
  - Select Agents to Rehome
  - Disable Rehoming
- Generate Agent Token
- Disable Enforcement on Workload
- Host IP Address Change When Enforcement is Enabled
- Upgrade Software Agents
  - Upgrade Agents from UI
  - Upgrade Behaviour of Kubernetes/Openshift Agent
- Remove Software Agents
  - Remove Deep Visibility or Enforcement Linux Agent
  - Remove a Deep Visibility or Enforcement Windows Agent
  - Remove a Deep Visibility or Enforcement AIX Agent
  - Remove Universal Linux Agent
  - Remove Universal Windows Agent
  - Remove an Enforcement Kubernetes or OpenShift Agent
  - Remove a Deep Visibility Solaris Agent
- Data collected and exported by workload agents
  - Registration
  - Agent upgrade
  - Config server
    - Network Flow Information
    - Machine information
    - Agent statistics
- Enforcement Alerts
  - Enforcement UI Alerts Details
  - Enforcement Alert Details
    - Example of alert_details for an enforcement alert
- Sensor Alerts
  - Sensor UI Alerts Details
  - Sensor Alert Details
    - Example of alert_details for a sensor alert
- Frequently Asked Questions
  - General
  - Agent deployment
    - Linux
    - Windows
    - Kubernetes
  - Anomaly Types
    - Agent Inactivity
    - Upgrade Failure
    - Convert Failed
    - Convert Capability
    - Policy Out of Sync
    - Flow Export: Pcap Open
    - Flow Export: HTTPS Connectivity
  - Certificate Issues
    - Windows
  - Certificate Issues for NPCAP installer
  - Windows Host Rename
  - Check If Platform Is Currently Supported
    - Windows
    - Linux
    - AIX
  - Windows Installer Issues
  - Required Windows Services
  - Npcap Issues
    - Npcap will not upgrade (manually or via agent)
    - Npcap will not install
    - Verify if Npcap is fully installed
    - Network Connectivity issues during NPCAP installation or upgrade
    - NIC teaming compatibility issues with NPCAP
    - VDI instance VM does not report network flows
    - Network Performance with NPCAP
    - OS Performance and/or stability Issues
  - GPO Configurations
  - Agent To Cluster Communications
    - Types of connections
    - Checking the connection state
  - SSL Troubleshooting
    - Agent Communications Overview
    - Configuring IP traffic for Agent Communications
    - Troubleshooting SSL/TLS Connections
  - Agent operations
  - Agent Troubleshooting Tool
External Orchestrators in Secure Workload
- Navigate to the External Orchestrators Page
- List of External Orchestrators
- Create External Orchestrator
- Edit External Orchestrator
- Delete External Orchestrator
- Orchestrator generated labels
- Amazon Web Services
  - Prerequisites
  - Configuration fields
  - Workflow
  - Orchestrator generated labels
  - Instance-specific labels
  - Troubleshooting
- Kubernetes/OpenShift
  - Requirements and Prerequisites
  - Configuration Fields
  - Orchestrator Golden Rules
  - Workflow
  - Kubernetes Role-Based Access Control (RBAC) Resource Considerations
  - Orchestrator-generated labels
  - Troubleshooting
- VMware vCenter
  - Prerequisites
  - Configuration fields
  - Workflow
  - Orchestrator generated labels
  - Instance-specific labels
  - Caveats
  - Troubleshooting
- DNS
  - Prerequisites
  - Configuration fields
  - Workflow
  - Generated labels
  - Caveats
  - Troubleshooting
  - Behavior of Full/Delta polling for DNS Orchestrators
  - Unsupported Features
- Infoblox
  - Prerequisites
  - Configuration fields
  - Workflow
  - Orchestrator generated labels
  - Generated labels
  - Caveats
  - Troubleshooting
- F5 BIG-IP
  - Prerequisites
  - Configuration fields
  - Workflow
  - Orchestrator generated labels
  - Generated labels
  - Policy enforcement for F5 BIG-IP
  - Policy Enforcement for F5 Ingress Controller
  - Caveats
  - Troubleshooting
- Citrix Netscaler
  - Prerequisites
  - Configuration fields
  - Workflow
  - Orchestrator generated labels
  - Generated labels
  - Policy enforcement for Citrix Netscaler
  - Caveats
  - Troubleshooting
- TAXII
  - Prerequisites
  - Configuration fields
  - Workflow
  - Generated labels
  - Caveats
  - Troubleshooting
  - Behavior of Full polling for TAXII Orchestrators
Configure and Manage Connectors for Secure Workload
- What are Connectors
  - Connectors for Flow Ingestion
    - NetFlow Connector
      - What is NetFlow
      - Flow Ingestion to Secure Workload
      - Rate Limiting
      - Supported Information Elements
      - How to configure NetFlow on the Switch
      - How to Configure the Connector
      - Limits
    - F5 Connector
      - What is F5 BIG-IP IPFIX
      - Flow Ingestion to Secure Workload
      - How to configure IPFIX on F5 BIG-IP
      - How to Configure the Connector
      - Limits
    - NetScaler Connector
      - What is Citrix NetScaler AppFlow
      - Flow Ingestion to Secure Workload
      - How to configure AppFlow on NetScaler
      - How to Configure the Connector
      - Limits
    - Cisco Secure Firewall Connector
      - Flow Ingestion to Secure Workload
      - Handling NSEL Events
      - How to Configure NSEL on Secure Firewall ASA
      - How to Configure the Connector
      - Limits
    - Meraki Connector
      - What is NetFlow
      - Flow Ingestion to Secure Workload
      - Handling NetFlow Records
      - How to configure NetFlow on Meraki Firewall
      - How to Configure the Connector
      - Limits
    - ERSPAN Connector
      - What is ERSPAN
      - What are the SPAN Agents
      - What is the Ingest Appliance for ERSPAN
      - How to configure the source ERSPAN session
      - Supported ERSPAN formats
      - Performance considerations when configuring ERSPAN source
      - Security considerations
      - Troubleshooting
      - Limits
  - Connectors for Endpoints
    - AnyConnect Connector
      - What is AnyConnect NVM
      - How to configure AnyConnect NVM
      - Processing NVM records
      - Duplicate UDIDs in Windows Endpoints
      - Periodic Tasks
      - How to Configure the Connector
      - Limits
    - ISE Connector
      - How to Configure the Connector
      - ISE Instance Configuration
      - Processing ISE records
      - Periodic Tasks
      - Limits
  - Connectors for Inventory Enrichment
    - ServiceNow Connector
    - How to Configure the ServiceNow Connector
    - ServiceNow Instance Configuration
    - Processing ServiceNow records
    - Sync Interval Configuration
    - Explore Command to Delete the Labels
    - Finding VRF ID for a Tenant
    - Getting to Explore Command UI
    - Running the Commands
    - Frequently Asked Questions
    - Limitations of ServiceNow Connectors
  - Connector Alerts
    - Alert Configuration
    - Alert Type
      - Appliance/Connector down
      - Appliance/Connector system usage
      - Connector Configuration Error
    - Connector UI Alert Details
    - Alert Details
    - Example of Alert Details
  - Virtual Appliances for Connectors
    - Types of Virtual Appliances
      - Secure Workload Ingest
      - Secure Workload Edge
    - Deploying a Virtual Appliance
    - Decommissioning a Virtual Appliance
    - Monitoring a Virtual Appliance
    - Security Considerations
  - Configuration Management on Connectors and Virtual Appliances
    - Test and Apply
      - NTP Configuration
      - Log Configuration
      - Endpoint Configuration
      - Slack Notifier Configuration
      - PagerDuty Notifier Configuration
      - Kinesis Notifier Configuration
      - Email Notifier Configuration
      - Syslog Notifier Configuration
      - Syslog Severity Mapping Configuration
      - ISE Instance Configuration
    - Discovery
      - LDAP Configuration
    - Remove
- Connectors for Alert Notifications
  - Syslog Connector
    - Syslog Severity Mapping
    - Limits
  - Email Connector
    - Limits
  - Slack Connector
    - Limits
  - PagerDuty Connector
    - Limits
  - Kinesis Connector
    - Limits
- Webex and Discord Alert Connectors
  - Webex Connector
  - Configure Webex Connector
  - Limitations of Webex Connector
  - Discord Connector
  - Configure Discord Connector
  - Limitations of Discord Connectors
- Cloud Connectors
  - AWS Connector
    - Requirements and Prerequisites for AWS
    - (Optional) Configure cross AWS account access in AWS
    - Authentication Using Roles
    - AWS Connector Configuration Overview
    - Create a New AWS Connector
    - Edit a New AWS Connector
    - Deleting Connectors and Data
    - Best Practices When Enforcing Segmentation Policy for AWS Inventory
    - View AWS Inventory Labels, Details, and Enforcement Status
    - Troubleshoot AWS Connector Issues
    - Managed Kubernetes Services Running on AWS (EKS)
      - Requirements and Prerequisites for EKS
      - EKS Roles and Access Privileges
      - EKS specific RBAC considerations
      - Configure EKS Settings in the AWS Connector Wizard
      - Support for EKS Load Balancer
  - Azure Connector
    - Requirements and Prerequisites for Azure
    - Azure Connector Configuration Overview
    - Create an Azure Connector
    - Create a New Azure Connector
    - Edit an Azure Connector
    - Deleting Connectors and Data
    - Best Practices When Enforcing Segmentation Policy for Azure Inventory
    - View Azure Inventory Labels, Details, and Enforcement Status
    - Troubleshoot Azure Connector Issues
    - Managed Kubernetes Services Running on Azure (AKS)
      - Requirements and Prerequisites for AKS
      - Support for AKS Load Balancer
  - GCP Connector
    - Requirements and Prerequisites for GCP Connector
    - Configure Multiple Projects Access in GCP
    - GCP Connector Configuration Overview
    - Create a New GCP Connector
    - Create a GCP Connector
    - Edit a GCP Connector
    - Deleting Connectors and Data GCP
    - Best Practices When Enforcing Segmentation Policy for GCP Inventory
    - GKE Inventory Labels, Details, and Enforcement Status
    - Troubleshoot GCP Connector Issues
    - Managed Kubernetes Services Running on GCP (GKE)
      - Requirements and Prerequisites
- Secure Connector
  - Technical Details
  - Requirements for Secure Connector Client
  - Secure Connector Client Deployment
    - Proxy Support
    - Deployment Overview
    - Deploy the Secure Connector Client
      - Download Latest Secure Connector Client RPM
      - Generate Registration Token
      - Copy the Token and Start the Client
    - [Optional] Deploy Specific Version of Secure Connector Client
  - Secure Connector Client Status
  - Verify Secure Connector Client State
  - Secure Connector Alerts
  - Upgrade Secure Connector Client
  - Uninstall Secure Connector Client
  - Secure Connector Client Maintenance
    - Distribution of Secure Connector client software
    - Installation and Upgrade of Secure Connector Client software
    - Release Schedule of Secure Connector client software
    - Network Attack Surface of Secure Connector Client daemons
    - High Availability Best Practices for Secure Connector client
- Identity Connectors
- OpenLDAP Connector
  - Configure Identity Connector with OpenLDAP
  - Inventory
  - Event Log
  - Advanced Settings
- Active Directory
  - Configure Active Directory with Identity Connector
  - Active Directory Inventory
  - Event Log
  - Advanced Settings
- Microsoft Entra ID Connector
  - Configure Microsoft Entra ID
  - Microsoft Entra ID Inventory
  - Microsoft Entra ID Event Log
  - Advanced Settings
- Life Cycle Management of Connectors
  - Enable a Connector
  - Viewing Connector-Related Information
  - Deleting a Connector
  - Monitoring a Connector
- Troubleshooting
  - Allowed set of commands
    - Show Logs
    - Show Service Logs
    - Show Running Configuration
    - Show Service Running Configuration
    - Show System Commands
    - Show Docker Commands
    - Show Docker Instance Commands
    - Show Supervisor Commands
    - Show Supervisor Service Commands
    - Network Connectivity Commands
    - List Files
    - List Service Files
    - Packet Capture
    - Update Listening Ports of Connectors
    - Update Alert Notifier Connector Log Configuration
    - Collect Snapshot From Appliance
    - Collect Snapshot From Connector
    - Collect Controller Profile
    - Collect Connector Profile
    - Override connector alert interval for Appliance
    - Override connector alert interval for Connector
  - Hawkeye Dashboards
    - Appliance Controller Dashboard
    - Service Dashboard
    - AnyConnect Service Dashboard
    - Appliance and Service DIO Dashboard
  - General Troubleshooting Guidelines
    - Log Files
      - Debug Mode
- Cisco Secure Firewall Management Center
Manage Inventory for Secure Workload
- Workload Labels
  - Importance of Labels
  - Subnet-based Label Inheritance
  - Label Prefixes
    - Labels Generated by Cloud Connectors
    - Labels Related to Kubernetes Clusters
  - Importing Custom Labels
    - Guidelines for Uploading Label Files
    - Label Key Schema
    - Upload Custom Labels
    - Search Labels
    - Manually Assign or Edit Custom Labels
    - Download Labels
    - Change Labels
  - Disable Labels
  - Review Label Change Impact
  - Delete Labels
  - Bulk Delete Labels
  - View Labels Usage
  - Create a Process for Maintaining Labels
- Scopes and Inventory
  - Scopes
    - Scope Filter
    - Full Scope Queries
    - Providing Access to Scopes
    - Viewing Scope
    - Searching for flows referencing a scope
    - Creating a New Scope
    - Scope Overlap
    - Editing Scopes
      - Editing a scope query
      - Editing the parent of a scope
    - Delete a Scope
    - Reset the Scope Tree
    - Commit Changes
    - Change Log
    - Creating a New Tenant
  - Inventory
    - Searching Inventory
    - Suggest Child Scopes
    - Steps to perform scope suggestion
- Filters
  - Create an Inventory Filter
  - Bulk Delete Inventory Filters
  - Review Filter Change Impact
  - Create a Domain Filter
  - Restrict to Ownership Scope
- Review Scope/Filter Change Impact
  - Scope Query Change Impact Modal
    - Membership Changes
    - Dependencies
  - Filter Query Change Impact Modal
    - Membership Changes
    - Dependencies
- Inventory Profile
- Workload Profile
  - Labels and Scopes Tab
  - Agent Health Tab
  - Process List Tab
  - Process Snapshot Tab
  - Interfaces Tab
  - Software Packages Tab
  - Vulnerabilities Tab
  - Agent Configuration Tab
  - Agent Statistics Tab
  - Concrete Policies Tab
  - Container Policies Tab
  - Network Anomalies Tab
  - File Hashes Tab
- Software Packages
  - Packages Tab
  - Common Vulnerabilities and Exposures
  - Windows Packages and CVEs
  - Inventory Filters
- Vulnerability Data Visibility
  - Workload Profile Page
    - Packages Tab
    - Process List Tab
    - Process Snapshot Tab
    - Vulnerabilities Tab
  - Inventory Filters
    - CVE ID Based Filter
    - Common Vulnerability Scoring System Impact Score Based Filter
    - CVSS V2 Attributes Based Filters
    - CVSS V3 Attributes Based Filters
    - Cisco Security Risk Score-Based Filter
    - Cisco Security Risk Score Attributes-Based Filters
    - Malicious Inventory-Based Filter
- Service Profile
- Pod Profile
- Container Vulnerability Scanning
Manage Policy Lifecycle in Secure Workload
- Segmentation Policy Basics
- Use Workspaces to Manage Policies
  - Working with Policies: Navigating to the Workspaces Page
  - Create a Workspace
  - Primary and Secondary Workspaces
  - Rename a Workspace
  - View Workloads in a Scope
  - Deleting Workspaces
- About Policies
  - Policy Attributes
  - Policy Rank: Absolute, Default, and Catch-All
  - Policy Inheritance and the Scope Tree
  - About Consumer and Provider in Policies
  - Policy Example
- Create and Discover Policies
  - Best Practices for Creating Policies
  - Manually Create Policies
    - If the Add Policy Button Is Not Available
  - Policies for Specific Purposes
    - Create InfoSec Policies to Block Traffic from Outside Your Network
    - Create Policies to Address Immediate Threats
    - Create a Policy to Quarantine Vulnerable Workloads
  - Policy Templates
    - System-Defined Policy Templates
    - Create Custom Policy Templates
      - JSON Schema for Policy Templates
      - Template Sample
      - Template Import
    - Applying a Template
  - Discover Policies Automatically
    - Policy Discovery Details
    - How to Automatically Discover Policies
    - Discover Policies for One Scope or for a Branch of the Scope Tree
      - Discovering Policies for a Branch of the Scope Tree: Additional Information
    - Verify the Workloads That Policy Discovery Will Apply To
    - Automatically Discover Policies
    - Stop Automatic Policy Discovery in Progress
    - Advanced Features of Automatic Policy Discovery
      - External Dependencies
        
        Tips for Exploring External Dependencies
        
        Fine-Tune External Dependencies for a Workspace
      - Policy Discovery Flow Filters
        
        Configure, Edit, or Delete Inclusion Flow Filters
        
        Enable or Disable Inclusion Flow Filters
        
        Configure, Edit, or Delete Exclusion Filters
        
        Enable or Disable Exclusion Filters
      - Advanced Configurations for Automatic Policy Discovery
        
        Include Data From Load Balancers and Routers When Discovering Policies
        
        Cluster Granularity
        
        Port Generalization
        
        Policy Compression
        
        Hierarchical policy compression
        
        Clustering Algorithm (Input to Clustering)
        
        Auto accept outgoing policy connectors
        
        Auto Approve Generated Policies
        
        Ignore Flows Matching Exclusion Filters
        
        Enable service discovery on agent
        
        Carry over Approved Policies
        
        Skip clustering and only generate policies
        
        Enable redundant policy removal
      - Default Policy Discovery Config
        
        Default Exclusion Filters
      - Retrieving LoadBalancer Configurations for Advanced Policy Discovery Configuration
        
        Citrix Netscaler
        
        F5 BIG-IP
        
        HAProxy
        
        Normalized JSON
    - Approve Policies
      - Approved Policies
      - Troubleshoot Approved Policies
    - Iteratively Revise Policies
      - Re-running Automatic Policy Discovery
      - Important: Before You Re-run Automatic Policy Discovery
    - View, Compare, and Manage Discovered Policy Versions
    - Policy Discovery Kubernetes Support
  - Import/Export
    - Export a Workspace
    - Import
  - Platform-Specific Policies
    - Windows
      - Recommended Windows OS-Based Policy Configuration
      - Configure Policies for Windows Attributes
        
        Known limitations
        
        Caveats
        
        Verify and Troubleshoot Policies with Windows OS-Based Filtering Attributes
        
        Policies Based on Application Name
        
        Policies Based on Service Name
        
        Policies Based on User Group or User Name
    - Kubernetes and OpenShift
      - (Optional) Additional Policies for Kubernetes Workloads
        
        Policies for Kubernetes Nginx Ingress Controller Running in Host-network Mode
        
        Policies for Kubernetes Nginx/Haproxy Ingress controller running as Deployment/Daemonset
- Grouping Workloads: Clusters and Inventory Filters
  - Clusters
    - Cluster Confidence
    - View Clusters
    - Making Changes to Clusters
    - Convert a Cluster to an Inventory Filter
    - Creating or Deleting Clusters
    - Comparing Versions of Generated Clusters: Diff Views
    - Preventing Cluster Modification During Automatic Policy Discovery Reruns
    - Approving Clusters
- Address Policy Complexities
  - Policy Priorities
    - Policy Global Ordering and Conflict Resolution
    - Validate the Order and Priority of Policies
    - (Advanced) Change Policy Priorities
  - When Consumer and Provider Are in Different Scopes: Policy Options
    - (Advanced) Create Cross-Scope Policies
      - Policy Requests
        
        Viewing, Accepting, and Rejecting Policy Requests
        
        Automate Handling of Cross-Scope Policy Requests
        
        Auto-pilot Rules
        
        Auto Accept Policy Connectors
        
        Resolved Policy Requests
      - Provided Services
    - Troubleshoot Cross-Scope Policies
  - Effective Consumer or Effective Provider
- About Deleting Policies
- Review and Analyze Policies
  - Review Automatically Discovered Policies
    - Address Low-Confidence Policies
    - Troubleshoot Automatic Policy Discovery Results
  - Policy Visual Representation
  - Quick Analysis
  - Live Policy Analysis
    - Start Live Policy Analysis
    - Stop Live Policy Analysis
    - Policy Analysis Results: Understand the Basics
    - Example: Impact of Policies Analyzed in Other Scopes
      - Analysis without Policies
    - Policy Analysis Details
    - Suggested Steps for Investigating Flows
    - Run Policy Experiments to Test Current Policies Against Past Traffic
    - After Changing Policies, Analyze Latest Policies
    - Policy Label Flags
    - View, Compare, and Manage Analyzed Policy Versions
    - Activity Logs of Policy Analysis
- Enforce Policies
  - Check Agent Health and Readiness to Enforce
  - Enable Policy Enforcement
  - Policy Enforcement Wizard
  - Enforcement on Containers
  - Verify Enforcement Works as Expected
    - View Enforced Policies for a Specific Workload (Concrete Policies)
    - Verify That Enforcement Is Enabled for Agents
    - Verify That Enforced Policies Are Being Pushed to Agents
    - If There Are Too Many Policies for the Agent
- Modify Enforced Policies
  - Enforce New and Revised Policies
  - View, Compare, and Manage Enforced Policy Versions
  - Revert Enforced Policies to an Earlier Version
  - Disable Policy Enforcement
  - Enforcement History
- About Policy Versions (v* and p*)
  - Comparison of Policy Versions: Policy Diff
  - Activity Logs and Version History
  - Automatic Deletion of Old Policy Versions
- Conversations
  - Conversations Table View
    - Choosing Consumer or Provider
    - Conversation Filters
  - Explore Observations
    - Conversation Observation Hovered
    - Filtering
  - Top Consumers/Providers of Conversations
- Automated Load Balancer Config for Automatic Policy Discovery (F5 Only)
  - Terminology
  - Deployment
  - Clusters
  - Policies
  - Caveats
- Policies Publisher
  - Prerequisites
  - Getting Kafka Client Certificates
  - Protobuf Definition File
  - Data Model of Secure Workload Network Policy
  - Reference Implementation of Secure Workload Network Policies Client
Configure and Monitor Forensic Events
- Compatibility
- Forensics Signals
  - Privilege Escalation
  - User Log on
  - User Log on Failed
  - Shellcode
  - File Access
  - User Account
  - Unseen Command
  - Unseen Library
  - Raw Socket Creation
  - Binary Changed
  - Library Changed
  - Side Channel
  - Follow User Logon
  - Follow Process
- Forensic Configuration
  - Forensic Rules
    - Adding a Forensic Rule
    - Basic Forensic Rule Composition
    - Default Secure Workload Rules
    - Default MITRE ATT&CK Rules
    - Bulk Delete Forensic Rules
  - Forensic profiles
    - Add a Profile
    - Edit a Profile
    - Clone a Profile
    - Default Profile - Secure Workload Profile
    - Default Profile - MITRE ATT&CK Profile
    - Bulk Delete Forensic Profiles
- Forensic visualization
  - Accessing Forensic Page
  - Browsing Forensic Events
  - Inspecting a Forensic Event
- Fields Displayed in Forensic Events
  - Common Fields
  - Process Info
  - Privilege Escalation
  - User Logon
  - User Logon Failed
  - Shellcode
  - File Access
  - User Account
  - Unseen Command
  - Unseen Library
  - Raw Socket Creation
  - Library Changed
  - Side Channel
  - Follow User Logon
  - Follow Process
  - Network Anomaly
- Forensic Analysis - Searchable Fields
  - Miscellaneous Fields
- Search Terms in Forensic Analysis
  - Common Fields
  - Binary Changed
  - File Access
  - Follow Process
  - Follow User Logon
  - Ldap
  - Library Changed
  - Privilege Escalation
  - Process Info
  - Raw Socket
  - Shellcode
  - Side Channel
  - Unseen Command
  - Unseen Library
  - User Account
  - User Logon
  - User Logon Failed
- Forensics alerts
  - Accessing Forensic Alerts
  - Checking Alert Details
  - External Integration
- Forensics Score
  - Where to See Forensic Score
  - How the Forensic Score is Calculated
  - How to Improve Forensic Score
  - Caveats
- PCR-Based Network Anomaly Detection
  - Forensic Rules for Network Anomaly Events
    - Rule Attributes
    - Rule Actions
  - Where to See Network Anomaly Events
  - Rule Severities and Network Anomaly Scores
  - PCR Data and Network Anomaly Events Retention
  - Network Anomaly Latency
  - Caveats
- Process Hash Anomaly Detection
  - How to Enable Process Hash Feature
  - Where to See Process Hash Score
  - How the Process Hash Score is Calculated
  - How to Improve Process Hash Score
  - Threat Info Details
  - Caveats
Network Flows-Traffic Visibility
- Network Traffic Flows
- Corpus Selector
- Columns and Filters
- Filtered Time series
- Top N Charts
- Observations List
  - Flow Details
- Explore Observations
- Client-Server Classification
  - Sensor Type Recommendation
  - Identifying Producers (aka Servers) and Consumers (aka Clients) for a flow
- Conversation Mode
- Visibility in Proxied Flows
- Visibility of Well-Known Malicious IPv4 Addresses
Configure Alerts
- Alert Types and Publishers
- Create Alerts
- Alert Configuration Modal
  - Summary Alerts
  - Snooze and Mute Alerts
  - Summarization Versus Snoozing
  - Secure Workload Alerts Notifier (TAN)
  - Configure Notifiers
  - Choose Alert Publishers
  - External Syslog Tunneling Moves to TAN
  - Connection Chart
  - View Alerts Trigger Rules
    - Alerts Trigger Rules Details
- Generate Test Alerts
- Current Alerts
- Alert Details
  - Common Alert Structure
  - General Alert Format by Notifier
    - Kafka (DataTaps)
    - Email
    - PagerDuty
    - Syslog
    - Slack
    - Kinesis
Monitor Configurations in Secure Workload
- Agent Monitoring
- Agent Monitoring Type
- Agent Status and Statistics
- Enforcement Status
- Enforcement Status for Cloud Connectors
- Pause Policy Updates
View Security Dashboard
- View the Security Dashboard
- Security Score
- Security Score Categories
- High-Level View
- Scope Level Score Details
  - Overall Score
  - Daily Time Series
  - Score Breakdown
- Score Details
  - Vulnerability Security Score
  - Process Hash Score
  - Attack Surface Score
  - Forensics Score
  - Network Anomaly Score
  - Segmentation Compliance Score
View Vulnerability Dashboard
- Vulnerability Dashboard
- CVEs Tab
- Packages Tab
- Workloads Tab
- Pods Tab
View Reporting Dashboard
- Reporting Dashboard
  - Schedule Email Reports
- Summary Reports
  - Summary Reports of Segmentation, Workload, Traffic Flow and Security
  - Operation Summary for Workload, Telemetry and Segmentation
  - Summary Reports for Security Compliance
Setup System Configurations in Secure Workload
- Create Users and Assign Roles
  - Add a User
  - Add a User when SMTP is Disabled
  - Edit User Details or Roles
  - Deactivating a User Account
  - Reactivating a User Account
  - Change Log – Users
- Roles
  - Abilities and Capabilities
  - Menu Access by Role
  - Create a Role
  - Edit a Role
- Change Log
- Collection Rules
  - Rules
  - Priority
- Session Configuration
- Idle Session
- Preferences
  - Change Your Landing Page Preference
  - Change a Password
  - Recover Password
- Scopes
Secure Workload OpenAPIs
- OpenAPI Authentication
  - Generate API Key and Secret
- Workspaces and Security Policies
  - Workspaces
    - Workspace Object
    - List Applications
    - Retrieve a Single Workspace
    - Create a Workspace
    - Import a New Version
    - Validate a Set of Policies
    - Delete a Workspace
    - Update a Workspace
    - Retrieve Workspace Details
    - List Workspace Versions
    - Delete Workspace Version
    - Compare Workspace versions
    - Analyze latest policies
    - Disable policy analysis on a single workspace
    - Enforce a single workspace
    - Disable enforcement for a single workspace
    - Initiate Automatic Policy Discovery
    - Get Status of a Policy Discovery Run
  - Policies
    - Policy object
    - Get Policies
    - Get Specific Policy
    - Search for a Specific Policy With Policy Identifier
    - Create a Policy
    - Update a Policy
    - Adding Service Ports to a Policy
    - Updating Service Ports of a Policy
    - Deleting Service Ports of a Policy
    - Deleting a Policy
    - Deleting a Policy with Identifier
    - Policy Quick Analysis
    - Policy Statistics
    - Unused Policies
  - Policy Templates
    - Get Policy Templates
    - Get Specific Policy Template
    - Create a Policy Template
    - Update a Policy Template
    - Deleting a Policy Template
    - Download a Policy Template
  - Clusters
    - Cluster object
    - Get Clusters
    - Get Specific Cluster
    - Create a Cluster
    - Update a Cluster
    - Deleting a Cluster
  - Conversations
    - Search Conversations in a Policy Discovery Run
    - Top N Conversations in a Policy Discovery Run
    - Supported Dimensions
    - Supported metrics
  - Exclusion Filters
    - Exclusion Filter object
    - Get Exclusion Filters
    - Get Specific Exclusion Filter
    - Create an Exclusion Filter
    - Update an Exclusion Filter
    - Deleting an Exclusion Filter
  - Default Exclusion Filters
    - Default Exclusion Filter object
    - Get Default Exclusion Filters
    - Get Specific Default Exclusion Filter
    - Create a Default Exclusion Filter
    - Update a Default Exclusion Filter
    - Deleting a Default Exclusion Filter
  - Live Analysis
    - Flow dimensions available in Live Analysis
    - Flow metrics available in Live Analysis
    - Download flows available through Live Analysis
- Scopes
  - Scope object
  - Get scopes
  - Create a scope
  - Get specific scope
  - Update a scope
  - Delete a specific scope
  - Get scopes in policy priority order
  - Update the policy order
  - Commit scope query changes
  - Submit a group suggestion request
  - Get group suggestion status
- Configure Alerts
  - Alert Object
  - Get Alerts
  - Create an Alert
  - Get Specific Alert
  - Update an Alert
  - Delete Specific Alert
- Roles
  - Role object
  - Get roles
  - Create a role
  - Get specific role
  - Update a role
  - Give a role access to scope
  - Delete specific role
- Users
  - User object
  - Get users
  - Create a new user account
  - Get specific user
  - Update a user
  - Enable/reactivate a deactivated user
  - Add role to the user account
  - Remove role from the user account
  - Delete specific user
- Inventory filters
  - Inventory Filter Object
  - Get inventory filters
  - Create an inventory filter
  - Validate an inventory filter query
  - Get specific inventory filter
  - Update specific inventory filter
  - Delete a specific inventory filter
- Flow Search
  - Query for Flow Dimensions
  - Query for Flow Metrics
  - Query for Flows
    - Filters
    - Primitive Filter Types
    - Logical Filter Types
  - TopN Query for Flows
  - Flow Count
- Inventory
  - Query for inventory dimensions
  - Inventory search
  - Inventory Statistics
  - Inventory count
  - Inventory vulnerability
  - Retrieve Malicious IP Addresses
- Workload
  - Workload details
  - Workload Statistics
  - Installed Software Packages
  - Workload Vulnerabilities
  - Aggregated Workload Vulnerability Summary
  - Workload Long Running Processes
  - Workload Process Snapshot Summary
  - Workload Process Snapshot
  - JSON Object Definitions
- Default Policy Generation Config
  - Policy Generation Config object
  - Get the Default Policy Generation Config
  - Set the Default Policy Generation Config
- Forensics Intent
  - Forensic intent object
  - Listing a forensic intents
  - Retrieving a Single Forensic Intent
  - Creating a Forensic Intent
  - Update a Forensic Intent
  - Delete a Forensic Intent
- Forensics Intent Orders
  - Forensic Intent Order Object
  - Retrieve the Current Forensic Intent Order
  - Creating a Forensic Intent Order
- Forensics Profiles
  - Forensic Profile Object
  - Listing Forensic Profiles
  - Retrieving a Single Forensic Profile
  - Creating a Forensic Profile
  - Update a Forensic Profile
  - Delete a Forensic Profile
- Forensics Rules
  - Forensic Rule Object
  - Listing a Forensic Rules
  - Retrieving a Single Forensic Rule
  - Creating a Forensic Rule
  - Update a Forensic Rule
  - Delete a Forensic Rule
- Enforcement
  - Agent Network Policy Config
  - Concrete Policy Statistics
  - JSON Object Definitions
- Client Server configuration
  - Host Config
  - Port Config
- Software Agents
  - Agent APIs
  - Software agent configuration using Intents
  - Interface Config Intents
  - VRF configuration for agents behind NAT
- Secure Workload software download
  - API to get supported platforms
  - API to get supported software version
  - API to create installer ID
  - API to download Secure Workload software
- Secure Workload Agents Upgrade
  - API to upgrade an agent to specific version
- User Uploaded Filehashes
  - User Filehash Upload
  - User Filehash Delete
  - User Filehash Download
- User-Defined Labels
  - Scope-Dependent APIs
  - Scope-Independent APIs
  - Scope-Independent Labels
- Virtual Routing and Forwarding
  - VRF Object
  - Get VRFs
  - Create a VRF
  - Get Specific VRF
  - Update a VRF
  - Delete Specific VRF
- Orchestrators
  - Orchestrator Object
  - Ingress Controller
  - Pod Selector
  - Controller Config
  - Infoblox Config
  - Get Orchestrators
  - Create Orchestrators
  - Get Specific Orchestrator
  - Update an Orchestrator
  - Delete Specific Orchestrator
- Orchestrator Golden Rules
  - Orchestrator Golden Rules Object
  - Get Orchestrator Golden Rules
  - Create or Update Golden Rules
- FMC Orchestrator Domains
  - Orchestrator FMC Domains Object
  - Get FMC Domains
  - Update FMC Domain Configuration for FMC External Orchestrator
- RBAC (Role-Based Access Control) Considerations
- High Availability and Failover Considerations
- Kubernetes RBAC Resource Considerations
- Service Health
  - Get Service Health
- Secure Connector
  - Get Status
  - Get Token
  - Rotate Certificates
- Kubernetes Vulnerability Scanning
  - Get Kubernetes Registries used for Pod Vulnerability Scanning
  - Add Credentials to Kubernetes Registry
  - Get Kubernetes Pod Scanners
  - Edit Scanner Filter Query and Action
- Policy Enforcement Status for External Orchestrators
  - Get Policy Enforcement Status for All External Orchestrators
  - Get Policy Enforcement Status for an External Orchestrator
- Download Certificates for Managed Data Taps and Datasinks
  - Get List of Managed Data Taps for a Given VRF ID.
  - Download Managed Data Tap Certificates for a Given MDT ID
  - Get List of DataSinks for a Given VRF ID
  - Download DataSink Certificates for a Given DataSink ID
- Change Logs
  - Change Log Object
  - Search
- Non-Routable Endpoints
  - Non-Routable Endpoint Object
  - GET Non-Routable Endpoints
  - Create a Non-Routable Endpoint
  - GET Specific Non-Routable Endpoints with Name
  - GET Specific Non-Routable Endpoints with ID
  - Update Specific Non-Routable Endpoint Name
  - Delete Specific Non-Routable Endpoint with Name
  - Delete Specific Non-Routable Endpoint with ID
- Config and Command Schemas for External Appliances and Connectors
  - Config Groups APIs
    - API to Get the Schema of Config
    - API to Get the Schema of Troubleshooting Commands
  - External Appliances
    - External Appliances APIs
      - API to Get List of Appliances
      - API to Create an Appliance
      - API to Delete an Appliance
      - API to Get an Appliance by ID
      - API to Rename an Appliance
      - API to Get the Configs on Config Type
      - API to Add a New Config to External Appliance
      - API to Delete a Config
      - API to Get the Config
      - API to Get Appliance Schema
      - API to List Troubleshooting Commands Available for an Appliance
      - API to List Troubleshooting Commands
      - API to Create a Troubleshooting Command
      - API to Delete a Troubleshooting Command
      - API to Return a Troubleshooting Command
      - API to Download the Output of the Appliance Command as a File
  - Connectors
    - Connectors APIs
      - API to Get All Types of Connectors
      - API to Delete a Connector
      - API to Get a Connector by ID
      - API to Rename a Connector
      - API to Get the Connector Info with Details
      - API to Get Connectors
      - API to Create a Connector
      - API to Get the Configs on Connector Config Type
      - API to Add a New Config to Connector
      - API to Delete a Config
      - API to Get the Config
      - API to List Troubleshooting Commands Available for Connector
      - API to List Troubleshooting Commands
      - API to Create a Troubleshooting Command
      - API to Delete a Troubleshooting Command
      - API to Return a Troubleshooting Command
      - API to Download the Output of the Connector Command as a File
Configuration Limits in Secure Workload
- Cloud Connectors
- Connectors
- Label Limits
- Limits Related to Policies
- Additional Features
- Data-In or Data-Out

Software Secure Workload

Activity Configure

Configure and Monitor Forensic Events Forensic Configuration Forensic Rules Adding a Forensic Rule

Last updated: Jun 09, 2025

Adding a Forensic Rule

This section explains how to add new forensic rules.

Before You Begin

You must login as Site Admin, Customer Support or Scope Owner in the system.

Procedure

1

In the navigation bar on the left, click Defend > Forensic Rules.

2

Click Create Rule.

3

Enter the appropriate values in the following fields.

Field	Description
Rule Name	Enter a name for the rule. Name cannot be empty.
Ownership scope	Enter an ownership scope for this rule.
Actions	Select actions when this rule is triggered. Record means matching security events persist for further analysis. Alert action means to publish matching security events to Secure Workload Alert system.
Severity	Select severity level of this rule: LOW, MEDIUM, HIGH, CRITICAL or REQUIRES IMMEDIATE ACTION
Clause	Enter a rule clause. A clause must contain security event signals from either a process forensic event or a workload event. A clause is invalid if it contains both process and workload signals.

Create rule — Figure 1: Create rule

4

Click Save.

Previous topic Forensic Rules Next topic Basic Forensic Rule Composition