# Policies

This page lists the existing scan policies, shows summary information about each of them, and lets you operate on them.

Scan policies hold the settings and customized specifications that match your needs, and they determine the scope of a scan.

The FSProtect scanning engine consists of submodules with different responsibilities, which lets users build a customizable scan procedure according to their needs.

By default, there is one pre-defined scan policy named **Default Policy**.

Scan policies allow users to:

* Enable or disable the scan modules.
* Define exclusions for scans.
* Define exclusions for vulnerabilities.
* Define thresholds for vulnerabilities.
* Enable or disable the checker engines for vulnerabilities.

<figure><img src="/files/SPhyPdDWES7weC31ZrlH" alt=""><figcaption><p>Scan Policies</p></figcaption></figure>

The toolbar at the top right of the table allows you to:

* **Search**: Search in the scan policies table according to their names.
* **Export**: Exports all scan policies and respective information that is listed in this table as a CSV file.

### New Policy (Active Directory / Azure)

Creates a new scan policy by cloning one of the existing scan policies. You can select the type of the policy after clicking new policy button.

<figure><img src="/files/Nlg2GwXhV4uIiDCsQpfn" alt=""><figcaption><p>New Policy Selection</p></figcaption></figure>

The checkboxes that can be found on the left side of the list can be used to perform bulk operations on the selected scan policies.

Allowed operations are:

* **Export:** Export the selected scan policies
* **Export All:** Export all scan policies from the table
* **Delete:** Delete the selected scan policies

![Creating new Policy](/files/AlGASb8BBIpQaSmGJWcf)

New Policy can be created from Base Policy that is a virtual policy with default settings, all modules enabled, no general exclusions, all vulnerabilities enabled and no vulnerability exclusions.

### Export/Import

The Export/Import functionality can be used to save scan policies to a JSON file and to import them back.

#### Exporting Policies

**Bulk Export**

* Navigate to the Policies section in the application.
* Select the policies you wish to export by checking the boxes next to them.
* Click on the Bulk Actions drop-down menu and select Export.
* Choose whether to export all policies or only the selected ones.
* The selected policies will be downloaded as a ZIP file containing individual JSON files.

<figure><img src="/files/6Jja9HQ0cIzq7hFLIPED" alt=""><figcaption><p>Bulk Export</p></figcaption></figure>

**Individual Policy Export**

* Locate the policy you want to export in the Policies list.
* Click on the three-dot menu (...) next to the policy.
* Select Export from the drop-down menu.
* The policy will be downloaded as a JSON file.

<figure><img src="/files/S9a3JOukFUiK4h4OYE3l" alt=""><figcaption><p>Individual Export</p></figcaption></figure>

#### **Importing Policies**

Access the Import Policy Interface:

* Navigate to the Policies section.
* Click on the Import Policy button located at the top-right corner of the screen (refer to Image 2).

Upload the Policy File:

<figure><img src="/files/yatpEcnHQdGHVFsp6P8u" alt=""><figcaption><p>Upload Policy</p></figcaption></figure>

In the Import Policy dialog box:

* Click on the Upload your policy file area to select the JSON or ZIP file containing the policy(ies).

After uploading the file:

<figure><img src="/files/SBc30mutzJHUTM0arTAn" alt=""><figcaption><p>Import Policy Next Step</p></figcaption></figure>

* The system will display the GUID and name of the imported policy; the name can be changed if needed.
* Enter a new name for the policy in the text field provided.
* Click Save to complete the import process.
* The new policy will be imported with a new random GUID.
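As an added example (not FSProtect code, and not the product's actual export format), the following Python script models the bulk export and import round trip described above: it packs one JSON file per policy into a ZIP, accepts either a single JSON file or a ZIP on import, lets the user rename each policy, and assigns every imported policy a fresh random GUID. The `guid`, `name`, `modules` and `exclusions` keys and all sample values are constructed assumptions for this model; the rejection of a duplicate policy name is a check this model adds, and the application's own behaviour on duplicate names is not documented on this page.

```python
import io
import json
import uuid
import zipfile

# Constructed sample policies. The key names are assumed for this model only;
# the real export schema is whatever the application writes.
SAMPLE_POLICIES = [
    {"guid": "11111111-1111-4111-8111-111111111111", "name": "Default Policy",
     "modules": ["ad"], "exclusions": []},
    {"guid": "22222222-2222-4222-8222-222222222222", "name": "Tier-0 Only",
     "modules": ["ad"], "exclusions": [{"type": "IP Range", "value": "10.0.0.0/8"}]},
]


def export_single(policy):
    """Model of the per-policy 'Export' action: one policy as JSON bytes."""
    return json.dumps(policy, indent=2).encode()


def bulk_export(policies):
    """Model of 'Bulk Export': a ZIP holding one JSON file per policy, returned as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for pol in policies:
            zf.writestr(f"{pol['name']}.json", export_single(pol).decode())
    return buf.getvalue()


def read_bundle(data):
    """Accept either a single JSON policy or a ZIP of JSON policies (the two upload forms)."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [json.loads(zf.read(n)) for n in zf.namelist() if n.endswith(".json")]
    return [json.loads(data)]


def import_policies(data, existing_names, rename=None):
    """Model of 'Import': each imported policy may be renamed and always gets a new random GUID.

    rename maps the GUID shown in the dialog to the new name the user typed.
    Names that collide with an existing policy are rejected (model assumption) so that
    nothing is silently overwritten.
    """
    rename = rename or {}
    taken = set(existing_names)
    imported = []
    for pol in read_bundle(data):
        new_name = rename.get(pol["guid"], pol["name"])
        if new_name in taken:
            raise ValueError(f"policy name already exists: {new_name!r}")
        copy = dict(pol)
        copy["name"] = new_name
        copy["guid"] = str(uuid.uuid4())  # never reuse the exported GUID
        taken.add(new_name)
        imported.append(copy)
    return imported


if __name__ == "__main__":
    bundle = bulk_export(SAMPLE_POLICIES)
    for pol in import_policies(bundle, ["Default Policy"],
                               rename={SAMPLE_POLICIES[0]["guid"]: "Default Policy (imported)"}):
        print(pol["guid"], pol["name"])
```

The ZIP branch of `read_bundle` only reads entries ending in `.json`, so stray files in a hand-built archive are ignored rather than failing the whole import.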

## General Information

**Name**: Name of the scan policy.

**Modules**: Names of the enabled modules that are defined in the scan policy.

## General Operation

<figure><img src="/files/rNdXBGfIGLUAsQzIJJMU" alt=""><figcaption></figcaption></figure>

The three-dot button on each row allows you to perform the following operations on a scan policy:

**Edit**: Redirects the user to the **Edit Scan Policy** page, which allows the user to change all the configurations and specifications belonging to the scan policy.

**Clone**: Creates a duplicate of the selected policy with the same configurations, allowing you to edit and save it as a new policy.

**Delete**: Deletes the selected scan policy.

### **General Exclusions**

Exclusions allow users to restrict the scanning of specific entities within the scan scope.

<figure><img src="/files/t4gRx2w4wvp5P3v37uj3" alt=""><figcaption><p>Defining Exclusions</p></figcaption></figure>

The following table describes the unique identifier for each Active Directory entity type (see the description of the Identifiers):

|        Entity Type        |                   Identifier                   |
| :-----------------------: | :--------------------------------------------: |
|         **Domain**        |                     FSName                     |
|        **Computer**       |                     FSName                     |
|          **User**         |                     FSName                     |
|         **Group**         |                     FSName                     |
|          **GPO**          |                     FSName                     |
|          **MSA**          |                     FSName                     |
|          **GMSA**         |                     FSName                     |
|       **LocalUser**       |                     FSName                     |
|       **LocalGroup**      |                     FSName                     |
|           **OU**          |                     FSName                     |
| **Certificate Authority** |                     FSName                     |
|  **Certificate Template** |                     FSName                     |
|        **Hostname**       |    DNS Hostname of the target client/server    |
|           **IP**          |     IP address of the target client/server     |
|        **IP Range**       | IP address range of the target clients/servers |

The following table describes the unique identifier for each Azure entity type (see the description of the Identifiers):

|       Entity Type       | Identifier |
| :---------------------: | :--------: |
|        **Tenant**       |   FSName   |
|         **User**        |   FSName   |
|        **Group**        |   FSName   |
|        **Device**       |   FSName   |
|     **Application**     |   FSName   |
|  **Service Principal**  |   FSName   |
|         **Role**        |   FSName   |
| **Administrative Unit** |   FSName   |

`Important Note:` If you do not have any existing scan, or the entity you want to exclude has not been identified before, you can simply enter the `FSName` of the entity and Save. (See FSName formats)
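As an added example (not FSProtect code), the following Python model shows how a scan target is checked against a general exclusion list shaped like the identifier tables above: FSName-typed entities match on entity type plus FSName, hostnames are compared case-insensitively, and an `IP Range` exclusion removes every address inside it. All FSName values are placeholders (the real FSName syntax is documented under FSName formats), the sample exclusions are constructed, and accepting both CIDR and dashed `start-end` notation for a range is an assumption of this model.

```python
import ipaddress

# Constructed exclusion list: (entity type, identifier) pairs in the shape of the
# identifier tables above. FSName values are placeholders, not real FSName syntax.
EXCLUSIONS = [
    ("User", "svc-backup-placeholder"),
    ("Hostname", "print01.corp.example"),
    ("IP", "10.1.2.3"),
    ("IP Range", "10.99.0.0/16"),
    ("IP Range", "192.168.5.10-192.168.5.20"),
]

# Entity types whose identifier is an FSName, per the Active Directory table.
FSNAME_TYPES = {
    "Domain", "Computer", "User", "Group", "GPO", "MSA", "GMSA",
    "LocalUser", "LocalGroup", "OU", "Certificate Authority", "Certificate Template",
}


def parse_ip_range(text):
    """Turn a range string into a list of networks. CIDR ('10.0.0.0/8') and dashed
    'start-end' forms are both accepted here; that is a model assumption."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(text.strip(), strict=False)]


def matches(entity_type, identifier, excl_type, excl_value):
    """Does one exclusion row cover the given target?"""
    if excl_type in FSNAME_TYPES:
        # FSName exclusions are type-specific: a User FSName never excludes a Computer.
        return entity_type == excl_type and identifier == excl_value
    if excl_type == "Hostname":
        norm = lambda h: h.lower().rstrip(".")  # DNS names are case-insensitive
        return entity_type == "Hostname" and norm(identifier) == norm(excl_value)
    if excl_type == "IP":
        return entity_type == "IP" and ipaddress.ip_address(identifier) == ipaddress.ip_address(excl_value)
    if excl_type == "IP Range":
        if entity_type != "IP":
            return False
        addr = ipaddress.ip_address(identifier)
        return any(addr in net for net in parse_ip_range(excl_value))
    raise ValueError(f"unknown exclusion type: {excl_type!r}")


def is_excluded(entity_type, identifier, exclusions=EXCLUSIONS):
    return any(matches(entity_type, identifier, t, v) for t, v in exclusions)


def filter_scope(targets, exclusions=EXCLUSIONS):
    """Return the (type, identifier) targets that remain in scope after exclusions."""
    return [t for t in targets if not is_excluded(t[0], t[1], exclusions)]


if __name__ == "__main__":
    for target in [("IP", "10.99.4.4"), ("IP", "10.98.4.4"), ("Hostname", "PRINT01.corp.example.")]:
        print(target, "excluded" if is_excluded(*target) else "in scope")
```

Because `ip_network(..., strict=False)` is used, a range typed with host bits set (such as `10.99.0.1/16`) is still accepted and normalized to its network, which matches how operators usually paste ranges.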

### **Vulnerability Policies**

Vulnerability-based scan policy configurations allow users to:

* Enable or disable the control mechanism of each vulnerability.
* Define threshold values for the supported vulnerabilities.
* Define vulnerability specific exclusions to ignore a vulnerability on a specific entity or relation.

<figure><img src="/files/TD9945Kv8i2U9IYglY3C" alt=""><figcaption><p>Vulnerability Policies</p></figcaption></figure>

The search box, Status radio buttons, and Exclusion radio buttons can be used to filter or search for a specific group of vulnerability policies.

The checkboxes that can be found on the left side of the list can be used to perform bulk operations on the selected vulnerability policies.

Allowed operations are:

* **Enable All**: Enables control mechanism of the selected vulnerability policies.
* **Disable All**: Disables control mechanism of the selected vulnerability policies.
* **Clear Exclusions**: Deletes all defined exclusions of the selected vulnerability policies.

<figure><img src="/files/mfQElA7epq4gH2Aqarvq" alt=""><figcaption><p>Vulnerability Policies</p></figcaption></figure>

### **Vulnerability Exclusions**

Vulnerability-based exclusions allow users to exclude or ignore the detected vulnerabilities on specific entities or relations.

Vulnerability-based exclusions vary according to the type of vulnerability.

Vulnerability-based exclusions are categorized as:

* Object Exclusions
* Object To Object Exclusions
* Object Relation Object Exclusions

#### **Object Exclusions**

Object-based exclusions are defined for the vulnerabilities that are caused by issues on a single entity.

`Inactive Users` vulnerability is an example of these types of vulnerabilities.

To specify the entity, the `FSName` of the relevant entity must be entered in the input field. If you do not have any existing scan, or the entity you want to exclude has not been identified before, you can simply enter the `FSName` of the entity and Save. In addition, submitting the input field as `Any` excludes all objects from this vulnerability.

The information tooltip shows detailed definitions of the fields.

The following figure shows how to define an exclusion for these types of vulnerabilities:

<figure><img src="/files/JKnWYOM6jQLigILj4IRz" alt=""><figcaption><p>Defining Exclusion on Object</p></figcaption></figure>

In addition, the following actions are available:

* Delete: Delete the selected exclusion item from the current vulnerability policy.
* Clone: Duplicate the selected exclusion item within the current vulnerability policy.
* Apply To Others: Apply (add/delete) the selected exclusion item to other vulnerability policies.

#### **Object To Object Exclusions**

Object-to-object based exclusions are defined for the vulnerabilities that are caused by the existence of a constant, specific relation between two objects.

`Admin Sessions on Non-Domain Controller Servers` vulnerability is an example of these types of vulnerabilities.

To specify the entities, the `FSName` of each relevant entity must be entered in the input fields. If you do not have any existing scan, or the entity you want to exclude has not been identified before, you can simply enter the `FSName` of the entity and Save. In addition, submitting an input field as `Any` excludes all objects on that side of the relation from this vulnerability.

The information tooltip shows detailed definitions of the fields, such as source and destination.

The following figure shows how to define an exclusion for these types of vulnerabilities:

<figure><img src="/files/y74XFzXsolyswrw5ZFGM" alt=""><figcaption><p>Defining an Exclusion on Object to Object Relation</p></figcaption></figure>

In addition, the following actions are available:

* Delete: Delete the selected exclusion item from the current vulnerability policy.
* Clone: Duplicate the selected exclusion item within the current vulnerability policy.
* Apply To Others: Apply (add/delete) the selected exclusion item to other vulnerability policies.

#### **Object-Relation-Object Exclusions**

Object-relation-object based exclusions are defined for the vulnerabilities that are caused by the existence of dynamic and varied relations between two objects. (See [Relations](broken://pages/jMscwqxlzJflL7TPk2Qv))

`Dangerous Access Control Entries on Users` vulnerability is an example of these types of vulnerabilities.

To specify the entities, the `FSName` of each relevant entity must be entered in the input fields.

To specify the relation, the `relation name` of the relevant relation between the entities must be entered in the input field.

If you do not have any existing scan, or the entity or relation you want to exclude has not been identified before, you can simply enter the `FSName` of the entity and Save. In addition, submitting an input field as `Any` excludes all objects (or all relations) for that field from this vulnerability.

The information tooltip shows detailed definitions of the fields, such as source, destination and relation.

The following figure shows how to define an exclusion for these types of vulnerabilities.

In addition, the following actions are available:

* Delete: Delete the selected exclusion item from the current vulnerability policy.
* Clone: Duplicate the selected exclusion item within the current vulnerability policy.
* Apply To Others: Apply (add/delete) the selected exclusion item to other vulnerability policies.

<figure><img src="/files/zQINp7BjRWJus9F5Fqyg" alt=""><figcaption><p>Defining an Exclusion as Object-Relation-Object</p></figcaption></figure>
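As an added example (not FSProtect code, and not the product's data model), the following Python model ties together the three exclusion categories above (Object, Object-to-Object and Object-Relation-Object), the `Any` wildcard, the per-vulnerability enable/disable switch from the Vulnerability Policies section, and the Apply To Others action (add or delete an item in every other policy of the same exclusion type). The vulnerability names are the ones quoted on this page; all FSName values and the relation names (`ResetPassword`, `GenericAll`) are constructed placeholders, and treating a field as matched only when it is `Any` or identical to the finding's value is an assumption of this model.

```python
import copy

ANY = "Any"  # the wildcard value a user can submit in an exclusion input field

# Constructed vulnerability policies keyed by vulnerability name. "kind" is the
# exclusion definition type; exclusion items are dicts of the fields the UI asks for.
POLICIES = {
    "Inactive Users": {
        "kind": "object", "enabled": True,
        "exclusions": [{"object": "svc-legacy-placeholder"}]},
    "Admin Sessions on Non-Domain Controller Servers": {
        "kind": "object_to_object", "enabled": True,
        "exclusions": [{"source": ANY, "destination": "jump01-placeholder"}]},
    "Dangerous Access Control Entries on Users": {
        "kind": "object_relation_object", "enabled": True,
        "exclusions": [{"source": "helpdesk-placeholder", "relation": "ResetPassword", "destination": ANY}]},
    "Dangerous Access Control Entries on Privileged/Admin Objects": {
        "kind": "object_relation_object", "enabled": True, "exclusions": []},
}

# Field order a finding's values are given in, per exclusion kind.
FIELDS = {
    "object": ("object",),
    "object_to_object": ("source", "destination"),
    "object_relation_object": ("source", "relation", "destination"),
}


def fresh_policies():
    """Deep copy so callers can mutate (Apply To Others) without touching the template."""
    return copy.deepcopy(POLICIES)


def field_matches(pattern, value):
    """A field is covered when the exclusion says Any or names exactly this FSName/relation."""
    return pattern == ANY or pattern == value


def finding_excluded(policy, values):
    """True if any exclusion item of the policy covers every field of the finding."""
    names = FIELDS[policy["kind"]]
    if len(values) != len(names):
        raise ValueError(f"expected fields {names}, got {values}")
    return any(all(field_matches(item[n], v) for n, v in zip(names, values))
               for item in policy["exclusions"])


def report(findings, policies):
    """Keep findings whose check is enabled and which no exclusion item covers."""
    kept = []
    for vuln, values in findings:
        pol = policies[vuln]
        if pol["enabled"] and not finding_excluded(pol, values):
            kept.append((vuln, values))
    return kept


def apply_to_others(item, source_vuln, policies, action):
    """Model of 'Apply To Others': add or delete the item in every other policy
    that has the same exclusion definition type. Returns the policies changed."""
    if action not in ("add", "delete"):
        raise ValueError(action)
    kind = policies[source_vuln]["kind"]
    changed = []
    for name, pol in policies.items():
        if name == source_vuln or pol["kind"] != kind:
            continue
        if action == "add" and item not in pol["exclusions"]:
            pol["exclusions"].append(dict(item))
            changed.append(name)
        elif action == "delete" and item in pol["exclusions"]:
            pol["exclusions"].remove(item)
            changed.append(name)
    return changed


# Constructed findings: (vulnerability name, field values in FIELDS order).
SAMPLE_FINDINGS = [
    ("Inactive Users", ("svc-legacy-placeholder",)),
    ("Inactive Users", ("bob-placeholder",)),
    ("Admin Sessions on Non-Domain Controller Servers", ("da-alice-placeholder", "jump01-placeholder")),
    ("Admin Sessions on Non-Domain Controller Servers", ("da-alice-placeholder", "ws07-placeholder")),
    ("Dangerous Access Control Entries on Users", ("helpdesk-placeholder", "ResetPassword", "ceo-placeholder")),
    ("Dangerous Access Control Entries on Users", ("helpdesk-placeholder", "GenericAll", "ceo-placeholder")),
    ("Dangerous Access Control Entries on Privileged/Admin Objects",
     ("helpdesk-placeholder", "ResetPassword", "da-alice-placeholder")),
]

if __name__ == "__main__":
    pols = fresh_policies()
    for vuln, values in report(SAMPLE_FINDINGS, pols):
        print(vuln, values)
```

Note that `apply_to_others` skips policies of a different exclusion kind rather than forcing the item onto them, mirroring the documented restriction that the action only targets policies with the same exclusion definition type.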

#### **Apply To Others**

The "Apply to Others" button allows you to add the selected exclusion item to, or delete it from, the other vulnerability policies that have the same exclusion definition type.

To be able to apply the selected exclusion item to the other vulnerability policies, the current vulnerability policy must not have unsaved changes.

As an example, the following figure shows how to add the selected exclusion item from the "Dangerous Access Control Entries on Users" vulnerability policy to the "Dangerous Access Control Entries on Privileged/Admin Objects" vulnerability policy:

<figure><img src="/files/FseuUoBHy4crvwKDWqEB" alt=""><figcaption><p>Apply to Others (Add) </p></figcaption></figure>

As another example, the following figure shows how to delete the selected exclusion item from the "Dangerous Access Control Entries on Privileged/Admin Objects" vulnerability policy:

<figure><img src="/files/lBfxv6Jij8RUmrYNeBmz" alt=""><figcaption><p>Apply to Others (Delete)</p></figcaption></figure>

### Vulnerability Policy Export/Import

The vulnerability export/import functionality can be used to export and import only the vulnerability settings, that is, the enabled/disabled state of each vulnerability and its exclusions.

<figure><img src="/files/v9iHtcYvo3VhKIomFxOX" alt=""><figcaption><p>Import / Export Vulnerability Policies</p></figcaption></figure>

**Exporting Vulnerability Policies**

* Navigate to the Vulnerability Policies section.
* Go to the Vulnerability tab within the policies section.
* Click on the Export Vulnerability Policies button located at the top-right corner of the screen.
* The system will prompt you to download the exported file, which will typically be in JSON format (e.g., Default Policy-vulnerability-policies.json).

**Importing the Vulnerability Policy File**

* Click on the Import Vulnerability Policies button located at the top-right corner of the screen.
* In the Import Policy dialog box, click on the "upload your policy file" area to select the JSON file containing the vulnerability policy.
* After uploading the file, click "Save" to complete the import process.
* Imported policies are fully populated with their defined settings.

<figure><img src="/files/0poMb6b9naiNN7uIfIcm" alt=""><figcaption><p>Policy Import Example</p></figcaption></figure>

{% content-ref url="/pages/UWcmL2EesJMMbPDA8gml" %}
[AD Policies](/fsprotect/scans/policies/policies.md)
{% endcontent-ref %}

{% content-ref url="/pages/8ZakcdQJ7I7Y87ncPqAb" %}
[Azure Policies](/fsprotect/scans/policies/azure-policies.md)
{% endcontent-ref %}

