
Create a Policy

This guide walks you through creating a new policy in AttackLens. Policies define the security requirements your assets must satisfy and organize rulesets into logical sections.

INFO

Requires Admin role or the Create Policy permission.

Before You Begin

Before creating a policy, ensure that:

  • You have at least one ruleset created or available from the built-in feed
  • You understand which assets or asset groups this policy should target
  • You know which compliance framework or security objective this policy serves

Step 1: Navigate to the Policy Form

  1. Go to Policies in the left navigation menu
  2. Click the Add Policy button in the top-right corner

Step 2: Set Policy Status

At the top of the form, you will see an Active toggle switch. This controls whether the policy is included in posture evaluations.

  • Active (default): The policy will be evaluated against assets immediately after creation
  • Inactive: The policy is saved but will not generate findings until activated

TIP

If you are still building out the policy's sections and rulesets, set it to Inactive first. Activate it once you are satisfied with the configuration.

Step 3: Enter Basic Information

Fill in the following fields:

Field | Required | Description
Name | Yes | A descriptive name for the policy (e.g., "ISO 27001 - Access Control")
Description | No | An explanation of the policy's purpose, scope, and applicable framework

Step 4: Define Prerequisites (Optional)

Prerequisites are conditions checked against inventory data before the policy runs on an asset. If prerequisites are not met, the policy is skipped for that asset.

To add a prerequisite:

  1. Click Add Prerequisite
  2. Configure the check:
    • Title: A description of what this prerequisite verifies
    • Dataset Type or Resource Type: The inventory data source to check
    • Property Path: The specific property to evaluate
    • Operator: The comparison operator (equals, contains, greater than, etc.)
    • Expected Value: The value the property must match

To create compound conditions (e.g., "Linux AND has OpenSSH installed"):

  1. Click Add Condition (AND/OR)
  2. Choose the logical operator (AND or OR)
  3. Add child checks within the condition node

INFO

If no prerequisites are defined, the policy will be evaluated on all assets that match the scope. Prerequisites are optional but recommended for framework-specific policies.
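
The sketch below shows how a Step 4 prerequisite tree decides which assets a policy runs on. It is an added example, not AttackLens code. The dictionary layout, the operator and dataset names, and the choice to treat missing inventory data as "not met" are assumptions made for illustration.

```python
# Hypothetical model of a prerequisite tree; field names, operator names and
# the inventory layout are assumptions, not AttackLens's own schema.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "greater_than": lambda actual, expected: actual > expected,
}
_MISSING = object()

def resolve(record, path):
    """Walk a dotted property path; return _MISSING if any segment is absent."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def prerequisite_met(node, inventory):
    """Evaluate one check, or an AND/OR condition node, against one asset."""
    if "logic" in node:  # condition node holding child checks
        combine = {"AND": all, "OR": any}[node["logic"]]  # KeyError on a bad operator
        return combine(prerequisite_met(c, inventory) for c in node["children"])
    actual = resolve(inventory.get(node["dataset"], {}), node["path"])
    if actual is _MISSING:
        return False  # assumption: no inventory data counts as "not met"
    try:
        return bool(OPERATORS[node["operator"]](actual, node["expected"]))
    except TypeError:
        return False  # property type does not fit the operator or expected value

# Constructed prerequisite: "Linux AND has OpenSSH installed"
LINUX_WITH_OPENSSH = {
    "logic": "AND",
    "children": [
        {"dataset": "os", "path": "family", "operator": "equals", "expected": "linux"},
        {"dataset": "software", "path": "packages", "operator": "contains",
         "expected": "openssh-server"},
    ],
}
ASSETS = {  # constructed inventory records
    "web-01": {"os": {"family": "linux"}, "software": {"packages": ["nginx", "openssh-server"]}},
    "win-07": {"os": {"family": "windows"}, "software": {"packages": ["openssh-server"]}},
    "iot-03": {"os": {"family": "linux"}},  # software dataset never collected
}

def assets_in_scope(prereq, assets):
    """With no prerequisites (None), every asset in the policy's scope is evaluated."""
    return sorted(n for n, inv in assets.items() if prereq is None or prerequisite_met(prereq, inv))
```

In this model `iot-03` is skipped because its software inventory was never collected, which is worth checking for when a policy reports fewer assets than expected.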

Step 5: Create Sections

Sections organize your policy into logical groupings. Each section can contain rulesets and child sections.

To add a section:

  1. Click Add Section
  2. Fill in the section details:
    • Title: The section heading (e.g., "A.9 Access Control")
    • Description: Optional explanation of the section's scope
    • Key: Auto-generated from the title; used internally as an identifier
  3. Assign rulesets to the section by selecting from the available ruleset list
  4. Optionally, add child sections for deeper organizational nesting

Organizing Sections

For compliance frameworks, a common pattern is:

Policy: ISO 27001
  Section: A.5 Information Security Policies
    Ruleset: Information security policy document
    Ruleset: Review of information security policies
  Section: A.9 Access Control
    Child Section: A.9.1 Business Requirements
      Ruleset: Access control policy
    Child Section: A.9.2 User Access Management
      Ruleset: User registration and de-registration
      Ruleset: Privilege management

Step 6: Save the Policy

  1. Review your configuration
  2. Click Create to save the new policy

After creation, you will be redirected to the policy detail page where you can review the policy structure and navigate to the status tab to see evaluation results.

WARNING

If the policy is set to Active, evaluation will begin on the next inventory cycle. Make sure your rulesets and sections are properly configured before activating.

What Happens After Creation

Once an active policy is created:

  1. AttackLens identifies all assets in scope (based on prerequisites)
  2. Each ruleset in the policy's sections is evaluated against the matching assets
  3. Findings are generated for each asset-ruleset combination
  4. A posture score is calculated showing the compliance percentage
