Adjusting the behavior of the Internal Audit Sink Policy based on an audit detail code

Article ID: 42503


Products

CA API Gateway

Issue/Introduction

The Internal Audit Sink Policy is responsible for transmitting audit records to external endpoints based on executed policy logic. It behaves like a published service policy or a global policy fragment: assertions can be used to further influence the behavior of the policy. For example, the Internal Audit Sink Policy can be configured to send audit records for requests that originate from one network to one endpoint, while audit records for requests from another network are sent to a separate endpoint. Another common example is to generate alerts or alarms for particular audit detail codes.

An administrator may wish to be notified if a particular endpoint is unavailable or if a certain assertion is falsified (fails). In the primary example used in this article, an administrator wishes to be notified via email if one or more Threat Protection assertions are violated in policy.

Environment

All supported versions of the API Gateway

Resolution

The source policy is attached to this article.

This policy iterates through all of the audit detail messages in an audit record and examines the code of each individual audit detail message. A series of conditions is defined within the At least one assertion folder; each individual condition is defined within its own All assertion folder. Each All folder allows an administrator to specify a conditional code via the Compare Expression assertion, together with an action to execute when that code is encountered. The attached example does one of the following when a particular audit code is encountered:

  1. Send an email for code 7153
  2. Trigger an SNMP trap for code 9409
  3. Log a message via a preconfigured Log Sink for code 7238
  4. Transmit an HTTP GET against a published service for code 7204

These codes and the assertions that are executed can be changed. This sample serves as a baseline example of how to perform policy logic in the audit sink policy.
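The evaluation order described above (an outer At least one folder whose children are All folders, each pairing a Compare Expression on the detail code with an action) is easy to get wrong when branches are added or reordered, so the following is an added Python model of that dispatch logic. It is not the Gateway's policy XML and not the attached policy; the AuditRecord and AuditDetail structures, the action function names and the sample record are assumptions made for this example. The four codes and their actions are the ones listed in the article.

```python
"""Python model of the audit sink dispatch structure described in the article.

Added illustration only: this is not CA API Gateway policy XML and not the
attached auditPolicyByDetailCode.xml. The record/detail layout and the action
names are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class AuditDetail:
    code: int            # audit detail message code, e.g. 7153
    message: str = ""    # detail text (constructed in the sample below)


@dataclass
class AuditRecord:
    request_id: str
    details: List[AuditDetail] = field(default_factory=list)


# One "All" folder: the Compare Expression (predicate) followed by the action
# that runs only when the predicate holds. Actions return a description string
# so the outcome can be inspected and tested.
Branch = Tuple[Callable[[AuditDetail], bool], Callable[[AuditDetail], str]]


def code_is(expected: int) -> Callable[[AuditDetail], bool]:
    """Compare Expression: the detail code equals the configured value."""
    return lambda detail: detail.code == expected


# Stand-ins (assumed names) for the four actions named in the article.
def send_email(detail: AuditDetail) -> str:
    return f"email: detail {detail.code} - {detail.message}"


def snmp_trap(detail: AuditDetail) -> str:
    return f"snmp-trap: detail {detail.code}"


def log_sink(detail: AuditDetail) -> str:
    return f"log-sink: detail {detail.code} - {detail.message}"


def http_get(detail: AuditDetail) -> str:
    return f"http-get: /notify?code={detail.code}"


# The At least one folder's children, in evaluation order.
DEFAULT_BRANCHES: List[Branch] = [
    (code_is(7153), send_email),
    (code_is(9409), snmp_trap),
    (code_is(7238), log_sink),
    (code_is(7204), http_get),
]


def at_least_one(detail: AuditDetail, branches: List[Branch]) -> Tuple[bool, Optional[str]]:
    """Evaluate the At least one folder for a single audit detail.

    Each child All folder succeeds only if its Compare Expression is true,
    in which case its action runs. The first succeeding child satisfies the
    At least one folder and later children are not evaluated. If every child
    fails, the folder fails and no action runs for this detail.
    """
    for predicate, action in branches:
        if predicate(detail):
            return True, action(detail)
    return False, None


def run_audit_sink(record: AuditRecord, branches: List[Branch] = DEFAULT_BRANCHES) -> List[str]:
    """Iterate every audit detail in the record and collect the actions taken."""
    actions: List[str] = []
    for detail in record.details:
        matched, result = at_least_one(detail, branches)
        if matched and result is not None:
            actions.append(result)
    return actions


if __name__ == "__main__":
    # Constructed sample record: one detail that matches the email branch, one
    # constructed code that matches no branch (and so produces no action), and
    # one that matches the SNMP trap branch.
    sample = AuditRecord("req-0001", [
        AuditDetail(7153, "constructed threat protection detail"),
        AuditDetail(1001, "constructed code with no matching branch"),
        AuditDetail(9409, "constructed detail"),
    ])
    for line in run_audit_sink(sample):
        print(line)
```

Because At least one stops at the first successful child, a detail with a code that two branches would both match only triggers the earlier branch; put the more specific comparison first if that is the intended behavior.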

Attachments:

  • auditPolicyByDetailCode.xml
  • 1558722752726000042503_sktwi1f5rjvs16wlg.jpeg
  • 1558534491332TEC0000001461.zip