Posture Control (ZPC)

Managing Security Policies

ZPC offers actions such as enabling or disabling a policy, allowing or disallowing remediation on a policy, or setting policy severity for individual and bulk security policies. You can edit or delete a previously created policy if it's no longer relevant to your organization's security posture needs. If you delete the custom security policy, all alerts generated by the custom policy are closed.

Enabling or Disabling a Single Policy

To enable or disable a single policy, you can do the following:

  1. On the Policies page, click the Cloud Policies or IaC Policies tab.
  2. Do one of the following actions:
    • Select the checkbox for the policy you want to enable or disable.
    • Click the Column Menu icon for the security policy you want to enable or disable.
    • Click the Policy Name to view the policy drawer.
  3. Click Enable or Disable under the Actions column in one of the following locations:
    • On the Cloud Policies or IaC Policies tab.
    • In the security policy drawer for the security policy name you selected.
  4. In the Enable Policy or Disable Policy window, select the I understand the consequences and want to proceed checkbox.
  5. Click Enable or Disable.

Enabling or Disabling Bulk Policies

To enable or disable bulk security policies, you can do the following:

  1. On the Policies page, click the Cloud Policies or IaC Policies tab.
  2. Select the checkboxes for the security policies whose state you want to change.
  3. Click Enable or Disable under the Actions drop-down menu.
  4. In the Enable Policy or Disable Policy window, select the I understand the consequences and want to proceed checkbox.
  5. Click Enable or Disable.

Change Severity for a Single Policy

To change severity for a single security policy, you can do the following:

  1. On the Policies page, click the Cloud Policies or IaC Policies tab.
  2. Do one of the following actions:
    • Select the checkbox for the policy whose severity you want to change.
    • Click the Column Menu icon for the security policy whose severity you want to change.
    • Click the Policy Name to view the policy drawer.
  3. Click Change Severity under the Actions column in one of the following locations:
    • On the Cloud Policies or IaC Policies tab.
    • In the security policy drawer for the security policy name you selected.
  4. In the Change Policy Severity window, use the Policy Severity drop-down menu to change the policy severity.
  5. Select the I understand the consequences and want to proceed checkbox, then click Change.

Change Severity for Bulk Policies

To change the security policy severity for bulk security policies, you can do the following:

  1. On the Policies page, click the Cloud Policies or IaC Policies tab.
  2. Select the checkboxes for the security policies whose severity you want to change.
  3. Click Change Severity under the Actions drop-down menu.
  4. In the Change Policy Severity window, use the Policy Severity drop-down menu to change the policy severity.
  5. Select the I understand the consequences and want to proceed checkbox, then click Change.

Editing Custom Security Policies

Editing a custom security policy might affect the alerts ZPC generates. If you edit the custom policy information, such as the policy title or remediation procedure, the new information is reflected on the Alerts page and the Cloud Threats dashboard. If you edit the custom policy query logic, ZPC determines that the custom policy has changed and closes all existing alerts, then generates new alerts based on the new query logic. To edit a custom security policy:

  1. Go to Policies.
  2. Click the Actions icon for the custom policy you want to edit.
  3. Click Edit.
  4. On the Query Builder tab, edit the query. To learn how to use the query builder, see Creating Custom Security Policies.
  5. When you are done editing the query, click Test Run.
  6. Click Accept and Proceed.
  7. On the Remediation Procedure tab, click Add Remediation Procedure.
  8. Enter the remediation procedure in Markdown, then click Save.
  9. On the Recommendations tab, click Add Recommendations.
  10. Enter the recommendation in Markdown, then click Save.
  11. Click Next.
  12. Edit any of the following fields:
    • Policy Name: The name of the security policy.
    • Policy Description: The description of the policy.
    • Policy Severity: Static value signaling the severity of policy failure. The value can be Critical, High, Medium, or Low.
    • Alert Description: The description of the alert.
    • Threat Category: The threat category to which the policy belongs.
    • MITRE ATT&CK: The link to the technique on the MITRE ATT&CK website.
    • Compliance: The compliance benchmark associated with the policy.

    To enter compliance details, the query logic must be focused on assets and the asset type predicate has to be defined.

    • Domain: The compliance benchmark domain associated with the policy.
    • Control Section: The control section associated with the compliance benchmark domain of the policy.
  13. Click Save Changes.

Deleting Custom Security Policies

When you delete a custom policy, all alerts previously generated by the policy are closed. To delete a custom security policy:

  1. In the left-side navigation, select Policies.
  2. Click the Actions icon for the custom policy you want to delete.
  3. A confirmation message appears asking if you want to delete the policy. Click Delete.

Allowing or Disallowing Remediation on a Single Policy

You can allow remediation of alerts generated by a specific policy when Supports Remediation is enabled for the policy.

To allow or disallow remediation for a single policy:

  1. In the left-side navigation, select Policies.
  2. On the Policies page, click the Cloud Policies tab.
  3. Do one of the following actions:
    • Click the Column Menu icon for the policy and click Allow Remediation or Disallow Remediation.
    • Click the Policy Name to view the policy drawer, and click Allow Remediation or Disallow Remediation under the Actions column.
  4. In the Allow Remediation or Disallow Remediation window, select the I understand the consequences and want to proceed checkbox.
  5. Click Allow or Disallow.

    A message appears indicating that remediation is allowed or disallowed on the policy.

Allowing or Disallowing Remediation on Bulk Policies

To allow or disallow remediation on bulk security policies:

  1. In the left-side navigation, select Policies.
  2. On the Policies page, click the Cloud Policies tab.
  3. Select the checkboxes for the security policies for which you want to allow or disallow remediation and whose Supports Remediation column is set to Yes.
  4. Click Allow Remediation or Disallow Remediation under the Actions drop-down menu.
  5. In the Allow Remediation or Disallow Remediation window, select the I understand the consequences and want to proceed checkbox.
  6. Click Allow or Disallow.

    A message appears indicating that remediation is allowed or disallowed on the selected policies.
