# Group Policy Management

Genian Insights E lets you configure event collection, detection, response and agent policy settings per group.
To add a policy, create a new policy group with the Add Policy button in **Policy > Group Policy Management**.

## Default

All Endpoints that connect to Genian Insights E servers are initially subject to **DefaultPolicy**.
A policy consists of Collection, Detection, Response, Agent Settings and Advanced Settings.
The policy group an agent applies can be changed through **Policy Settings** in **Management > Groups**.

## Collect

### Events to be collected

Item | Collected events
---|---
Basic | Collects important events such as process execution and the creation of executable, document and compressed files.
Designation | Collects the selected items among file, module, network and registry events.
All | Collects all collectable events.

### File collection list

Policy|Description
---|---
Collect the list of executables | Collects a list of executable files. The collected list can be checked in the FileList index.
Index specified file list | Information on files matching the 'designated extension' setting is indexed and stored on the PC.
File crawling | Collects file information while the PC is idle.<br><br> **Document/Compressed File:** Collects document and compressed-file information by checking the signature of every file.<br> **Specified file:** Collects information on files defined by 'specified extension'.<br> **Quick Collection:** Uses system resources aggressively to gather information quickly.<br> **Executable File:** Collects the list of executables by checking the signature of every file.<br> **Collect lock screen:** Crawls while the lock screen is active.<br> **Time to wait for action:** Starts crawling when there has been no user input for the set time.<br> **Crawling Run cycle:** Sets how often crawling is rerun after it completes.<br> **Exception Path Setting:** Sets paths excluded from file crawling.

### Collect Windows Events (ETW)

The Windows Event Log records various system events, such as shutdown events, that are important for security.
Insights E lets you register the Windows events you want, then collects them and makes them searchable.

Policy|Settings
---|---
Windows Event collection list | Collects event information recorded in Windows Event Viewer; also holds the XBA linkage settings
Collect description | Collects the event description in natural-language form
Collect eventdata | Collects the event data (EventData fields) in JSON format

Registered Windows events are saved in the winevt index and can be searched in **Integrated Search**.
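To make the two collection formats concrete, here is an added example (not code from the Genian Insights E product or its documentation) that takes one Windows event record in its XML form and renders it both as a natural-language description and as a JSON EventData document. The event record is constructed for the example; the `is_registered` filter stands in for the agent only shipping events the operator has registered, and the description rendering is a generic summary rather than the provider's real message template.

```python
import json
import xml.etree.ElementTree as ET

# Every element in a Windows event record lives in this XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample record (not a real capture): the XML shape that Event Viewer
# and Get-WinEvent's ToXml() produce for a Security-log process-creation event (4688).
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4688</EventID>
    <Channel>Security</Channel>
    <Computer>WKS-EXAMPLE.corp.local</Computer>
    <TimeCreated SystemTime="2024-01-15T09:12:44.123456Z" />
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="NewProcessId">0x1a2c</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Split one event record into its System header fields and its EventData pairs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "channel": system.find("e:Channel", NS).text,
        "computer": system.find("e:Computer", NS).text,
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        # Named <Data> children are what the 'Collect eventdata' option exports.
        "eventdata": {d.get("Name"): (d.text or "")
                      for d in root.findall("e:EventData/e:Data", NS)},
    }


def eventdata_json(xml_text):
    """'Collect eventdata' form: the named EventData fields as a JSON document."""
    return json.dumps(parse_event(xml_text)["eventdata"], indent=2)


def describe_event(xml_text):
    """'Collect description' form: one readable line built from the record.
    The real Event Viewer description is rendered from the provider's message
    template; this generic rendering stands in for it so the example is self-contained."""
    ev = parse_event(xml_text)
    fields = ", ".join(f"{k}={v}" for k, v in ev["eventdata"].items())
    return (f"[{ev['time']}] {ev['computer']} {ev['channel']} event {ev['event_id']} "
            f"from {ev['provider']}: {fields}")


def is_registered(xml_text, registered_ids):
    """Only events the operator registered are collected; mirror that filter here."""
    return parse_event(xml_text)["event_id"] in registered_ids


if __name__ == "__main__":
    if is_registered(SAMPLE_EVENT_XML, {4624, 4688}):
        print(describe_event(SAMPLE_EVENT_XML))
        print(eventdata_json(SAMPLE_EVENT_XML))
```

The JSON form keeps each EventData field addressable by name, which is what makes field-level searches in the winevt index possible; the description form is convenient for reading but has to be matched as free text.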

## Detect

### Detection engine

Engine|Description
---|---
Indicators of Compromise (IOC) | Detects known threats using IOC, YARA and similar indicators. A minimum confidence level (e.g. 10%) can be configured so that a match is reported only when its confidence is higher than the set level.
Machine Learning (ML) | Applies machine-learning detection to files sent by the agent; when a threat is detected, the detection information is shown in the Discovery and Endpoints detail menus.
Abnormal behavior (XBA) | Provides the **XBA Rule Sets** setting.

## Response

<div class="admonition warning"><p class="admonition-title">Warning</p>

If the agent is distributed as a single version, NAC linkage is not supported.
</div>

The response settings are as follows.

Policy|Settings
---|---
Response to known malware | Response when a dangerous process registered in the YARA or IOC DB is detected
NAC Interworking | Tag assigned to the node when the agent detects a threat
Response to unknown malware | Response when machine learning detects a threat
Malicious IP | Response when a connection to a malicious IP registered in the IOC DB is detected

For each of these policies you can configure the response, such as displaying an agent notification, forcibly terminating the process, or deleting the file.

## Agent

### Default Settings

Policy|Settings
---|---
Connection Server IP | In a multi-server configuration, enter the IP or domain of the server from which the agent connects and downloads its policy, for server load balancing.
User notification pop-up | Whether to display a notification pop-up on Endpoints when Management responds with **Force process termination** or **File deletion** after malware detection
Display tray icon | Shows the agent tray icon<br> (disabled when the NAC and agent icons are integrated)
Display Notification message | Text of the alarm message shown on Endpoints when network isolation is applied or released<br> Quarantine Message: Text of the pop-up shown on an Endpoint when a user runs the Network Quarantine command against it from the Web Console.<br> Release Message: Text of the pop-up shown on an Endpoint when a user runs the command to disable Network Quarantine on it from the Web Console.
Allowed IPs | IPs that remain reachable during network isolation<br> (the Genian NAC and Genian Insights E server IPs can communicate without a separate setting)

### Block network access

Policy|Description
---|---
Network Block IP and Port | Enter the **IP and Port** (TCP) to block regardless of the network isolation policy.<br> Servers required for Genian Insights E server operation are not blocked.

### Backup

Policy|Description
---|---
Windows VSS Backup | Backs up all hard-disk files using Windows VSS in preparation for a ransomware attack.<br> To prevent the snapshots from being deleted by ransomware when VSS is used, go to the **Policy > XBA Rule Management > XBA Rule Sets > Default** screen and set the 'Auto Response' option of the "Document Extension Rename Threshold Exceeded" and "delete ShadowCopy" rules.
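The "Document Extension Rename Threshold Exceeded" rule named above is a behavioural detection: a single process changing the extension of many document files in a short time is the file-system footprint of an encryption run, and responding to it automatically is what keeps the VSS snapshots worth having. The following is an added example (not the product's own rule logic, whose threshold and window are not stated on this page) that implements such a rule over constructed file-rename telemetry with an assumed threshold of 10 renames in a 60-second sliding window, alerting once per process and tagging the alert with the auto response it would trigger.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions treated as "document" files by this example rule (constructed list).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".hwp"}

RULE_NAME = "Document Extension Rename Threshold Exceeded"


class RenameThresholdRule:
    """Flags a process that changes the extension of `threshold` or more document
    files inside a sliding time `window`. Alerts once per process."""

    def __init__(self, threshold=10, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self._renames = defaultdict(deque)   # pid -> timestamps of qualifying renames
        self._alerted = set()                # pids already reported

    def observe(self, event):
        old_ext = os.path.splitext(event["old"])[1].lower()
        new_ext = os.path.splitext(event["new"])[1].lower()
        # Only document files whose extension actually changes count toward the threshold.
        if old_ext not in DOCUMENT_EXTENSIONS or new_ext == old_ext:
            return None
        recent = self._renames[event["pid"]]
        recent.append(event["time"])
        while recent and event["time"] - recent[0] > self.window:
            recent.popleft()                 # drop renames that fell out of the window
        if len(recent) >= self.threshold and event["pid"] not in self._alerted:
            self._alerted.add(event["pid"])
            return {
                "rule": RULE_NAME,
                "pid": event["pid"],
                "image": event["image"],
                "renames": len(recent),
                "auto_response": "terminate process",  # assumed response for the example
            }
        return None


def run_rule(events, threshold=10, window_seconds=60):
    """Replay file-rename events in time order and collect the alerts raised."""
    rule = RenameThresholdRule(threshold, timedelta(seconds=window_seconds))
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        alert = rule.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


def build_sample_events():
    """Constructed rename telemetry: an office-style save, a slow manual conversion,
    and a mass rename by an unknown binary."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    docs = r"C:\Users\jdoe\Documents"
    events = []
    # Word-style save: a temp file renamed into place; .tmp is not a document extension.
    events.append({"time": base, "pid": 1000, "image": r"C:\Program Files\Office\WINWORD.EXE",
                   "old": docs + r"\~WRD0001.tmp", "new": docs + r"\report.docx"})
    # A user converting notes one at a time, five minutes apart: never 10 inside 60 s.
    for i in range(12):
        events.append({"time": base + timedelta(minutes=5 * i), "pid": 777,
                       "image": r"C:\Windows\explorer.exe",
                       "old": docs + rf"\note{i}.txt", "new": docs + rf"\note{i}.md"})
    # An unknown binary rewriting 12 documents within 22 seconds.
    for i in range(12):
        events.append({"time": base + timedelta(seconds=2 * i), "pid": 4242,
                       "image": r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe",
                       "old": docs + rf"\report{i}.docx", "new": docs + rf"\report{i}.docx.locked"})
    return events


if __name__ == "__main__":
    for alert in run_rule(build_sample_events()):
        print(alert)
```

The sliding window is what separates the mass rename from the slow manual conversion: both processes rename twelve documents, but only one does it fast enough to cross the threshold. Lowering the threshold or widening the window trades earlier detection for more false positives from legitimate batch tools.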

### Etc

Policy|Description
---|---
Using API Hooking | Hooks APIs to monitor various events.<br> Conflicts with other software can occur, so apply it only after a stability test; the PC must be rebooted when the setting is switched `ON/OFF`.