# Group Policy Management
Genian Insights E provides group-specific event collection, detection, response and agent policy settings.
To add a new policy, you can create a new policy group through the Add Policy button in **Policy > Group Policy Management**.
## Default
All Endpoints connecting to Genian Insights E servers are initially subject to **DefaultPolicy**.
A policy consists of Collection, Detection, Response, Agent Settings, and Advanced Settings policies.
The policy group applied by the agent can be changed through **Policy Settings** in **Management, Groups**.
## Collect
### Events to be collected
Item | Collected events
---|---
Basic| Collect important events such as process execution, execution/document/compressed file creation, etc.
Designation| Collection of selected items among file, module, network, and registry events
All| Collect all collectable events
### File collection list
Policy|Description
---|---
Collect the list of executables | Collect a list of executable files. The list of collected files can be checked in the FileList index.
Index specified file list | The file information defined in the 'designated extension' is indexed and stored on the PC.
File crawling | Collect file information when the PC is idle
**Document/Compressed File:** Collects document/compressed file information by checking the signature of all files.
**Specified file:** Collects file information defined in 'specified extension'.
**Quick Collection:** Uses system resources aggressively to gather information quickly.
**Executable File:** Collects the list of executables by checking the signatures of all files.
**Collect lock screen:** Crawl while on lock screen.
**Time to wait for action:** Starts crawling if there is no user input for the configured time.
**Crawling Run cycle:** Sets the cycle to rerun after crawling is completed.
**Exception Path Setting:** Sets the file crawl exception path.
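
The crawl options above identify files by signature rather than by name and skip configured exception paths. The sketch below is an added example, not Genian's implementation: it assumes "signature" means a file's leading magic bytes, and the function names, signature table and sample files are constructed for illustration.

```python
import os
import tempfile

# Well-known magic numbers; the mapping to the page's categories is assumed.
SIGNATURES = [
    (b"MZ", "executable"),                              # Windows PE/DOS header
    (b"%PDF-", "document"),                             # PDF
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "document"),  # OLE2 (legacy Office)
    (b"PK\x03\x04", "compressed"),                      # ZIP (OOXML also starts so)
]

def classify(path, specified_exts=()):
    """Classify by content first; use the extension only as a fallback."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, category in SIGNATURES:
        if head.startswith(magic):
            return category
    if os.path.splitext(path)[1].lower() in specified_exts:
        return "specified"

def crawl(root, exception_paths=(), specified_exts=()):
    """Walk root, skip exception paths, return {relative_path: category}."""
    skip = [os.path.normcase(os.path.abspath(p)) for p in exception_paths]
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        here = os.path.normcase(os.path.abspath(dirpath))
        if any(here == s or here.startswith(s + os.sep) for s in skip):
            dirnames[:] = []  # do not descend into an excluded tree
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                category = classify(full, specified_exts)
            except OSError:
                continue  # locked or unreadable file: skip, keep crawling
            if category:
                found[os.path.relpath(full, root)] = category
    return found

def demo():  # crawls a constructed sample tree; all file contents are made up
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cache"))
        samples = {"invoice.txt": b"MZ\x90\x00constructed", "report.pdf": b"%PDF-1.7",
                   "backup.dat": b"PK\x03\x04constructed", "notes.cfg": b"plain text",
                   "cache/tool.exe": b"MZconstructed"}
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return crawl(root, [os.path.join(root, "cache")], (".cfg",))
```

In the sample tree, `invoice.txt` is reported as an executable because of its header, while `cache/tool.exe` is never inspected: anything placed under an exception path is outside collection, so exception paths are worth keeping narrow and reviewing.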
### Collect Windows Events (ETW)
Windows Event provides various shutdown events that are important for security.
Insights E provides a function that lets users collect and search Windows events once they register the desired Windows event.
Policy|Settings
---|---
windowsEvent Collection List | Collection of event information recorded in Windows Event Viewer, XBA linkage Settings
Collect description| Collect event data in natural language form
Collect eventdata | Collect event data in json format
The configured Windows events are saved in the winevt index and can be searched in **integrated search**.
## Detect
### Detection engine
Engine|Description
---|---
Indicators of Compromise (IOC)| Detects known threats using IOC, YARA, etc. A setting is provided to detect only when the confidence level is higher than the set confidence level (minimum confidence level of 10%).
Machine Learning (ML)| It applies machine learning detection to files sent by the agent and provides detection information in the Discovery and Endpoints detailed menus when detecting threats.
Abnormal behavior (XBA)| Provides the **XBA Rule Sets** setting.
## Response
**Warning:** If the agent distribution method is single version, NAC linkage is not supported.