Group Policy Management
Genian Insights E provides event collection, detection, response and agent policy settings per group. To add a new policy, create a new policy group with the Add Policy button in Policy > Group Policy Management.
Default
All Endpoints that connect to a Genian Insights E server are initially assigned the DefaultPolicy. A policy consists of Collection, Detection, Response, Agent Settings and Advanced Settings. The policy group applied to an agent can be changed under Management > Groups > Policy Settings.
Collect
Events to be collected
Item | Events collected |
---|---|
Basic | Collects key events such as process execution and the creation of executable, document and compressed files. |
Designation | Collects only the selected categories among file, module, network and registry events. |
All | Collects every event the agent can collect. |
File collection list
Policy | Description |
---|---|
Collect the list of executables | Collects a list of executable files. The collected list can be viewed in the FileList index. |
Index specified file list | Indexes file information for the extensions defined in 'Specified extension' and stores the index on the PC. |
File crawling | Collects file information while the PC is idle. Document/Compressed File: collects document and compressed-file information by checking the signature of every file. Specified File: collects information on files whose extension is defined in 'Specified extension'. Executable File: collects the list of executables by checking the signature of every file. Quick Collection: uses system resources aggressively to finish the crawl quickly. Collect on lock screen: also crawls while the lock screen is shown. Time to wait for action: crawling starts once there has been no user input for the configured time. Crawling run cycle: the interval at which crawling is re-run after a crawl completes. Exception Path Setting: paths excluded from file crawling. |
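The Document/Compressed File and Executable File options above classify files by their content signature, which is what makes the crawl useful against files whose extension has been changed to hide them. The following is an added illustration of that approach, not Genian Insights E's crawler code: the signature table, the stand-in 'Specified extension' list, the exception-path handling and the sample directory are all constructed here.

```python
"""Classify files by content signature, the way the crawler's Document/Compressed
File and Executable File options work, rather than trusting the extension.

Added illustration, not Genian Insights E code. The signature table, the
'Specified extension' list and the sample directory are constructed here.
"""
import os
import tempfile
import zipfile
from pathlib import Path

# Leading bytes that identify a format whatever the file is called.
# (Illustrative subset; a real crawler carries a much longer table.)
SIGNATURES = {
    b"MZ": "executable",                                  # PE: EXE/DLL/SYS
    b"\x7fELF": "executable",                             # ELF
    b"%PDF-": "document",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "document",      # legacy Office (OLE2)
    b"Rar!\x1a\x07": "compressed",
    b"\x1f\x8b": "compressed",                            # gzip
    b"7z\xbc\xaf\x27\x1c": "compressed",
}
# ZIP containers are shared by OOXML documents and plain archives, so they are
# told apart by the entry names inside the container.
ZIP_MAGIC = b"PK\x03\x04"
# Stand-in for the 'Specified extension' setting (hypothetical values).
SPECIFIED_EXTENSIONS = {".log", ".conf"}


def classify(path: Path) -> str:
    """Return 'executable', 'document', 'compressed', 'specified' or 'other'."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    if head.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
        return "document" if "[Content_Types].xml" in names else "compressed"
    # The extension is consulted only for the operator-specified list.
    if path.suffix.lower() in SPECIFIED_EXTENSIONS:
        return "specified"
    return "other"


def crawl(root, exception_paths=()):
    """Walk root, pruning the exception paths, and map relative path -> class."""
    root = Path(root)
    excluded = {Path(p).resolve() for p in exception_paths}
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if (Path(dirpath) / d).resolve() not in excluded]
        for name in filenames:
            full = Path(dirpath) / name
            found[full.relative_to(root).as_posix()] = classify(full)
    return found


def build_sample_tree() -> Path:
    """Create a constructed sample directory (not data from a real endpoint)."""
    root = Path(tempfile.mkdtemp(prefix="crawl_demo_"))
    # An executable renamed to look like text: the extension lies, the header does not.
    (root / "notes.txt").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "report.pdf").write_bytes(b"%PDF-1.7\n%sample\n")
    with zipfile.ZipFile(root / "archive.zip", "w") as zf:
        zf.writestr("a.txt", "hello")
    with zipfile.ZipFile(root / "doc.docx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    (root / "app.log").write_text("service started\n")
    (root / "readme.md").write_text("# readme\n")
    (root / "excluded").mkdir()
    (root / "excluded" / "hidden.exe").write_bytes(b"MZ" + b"\x00" * 62)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, kind in sorted(crawl(sample, [sample / "excluded"]).items()):
        print(f"{kind:11} {rel}")
```

Running it shows `notes.txt` reported as an executable despite its name, `doc.docx` and `archive.zip` separated although both are ZIP containers, and nothing reported from the excluded path.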
Collect Windows Events (ETW)
Windows Event Log records a wide range of events that are important for security. Insights E lets you register the Windows events you want to collect, then collects them from endpoints and makes them searchable.
Policy | Settings |
---|---|
Windows Event collection list | Which events recorded in the Windows Event Viewer to collect, and the XBA linkage settings for them |
Collect description | Collects the rendered description text of the event (natural-language form) |
Collect eventdata | Collects the event's EventData fields in JSON format |
Registered Windows events are stored in the winevt index and can be searched in Integrated Search.
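To make the difference between the two collection forms concrete, here is an added example, not Genian Insights E's collector: it models a collection list of (channel, event ID) pairs and the 'Collect description' / 'Collect eventdata' switches over Windows event XML records. The records, the message templates and the hostname are constructed for the example; on a real endpoint the description text is rendered from the event provider's message resources, not from a template like this one.

```python
"""Select the registered Windows events and emit them in the two collectable forms.

Added example, not Genian Insights E's collector: it models a collection list of
(channel, event ID) pairs and the 'Collect description' / 'Collect eventdata'
switches. The XML records, the message templates and the field names for the
description are constructed here; a real description is rendered by the event
provider's message resources.
"""
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Simplified message templates keyed by (channel, event ID) -- an assumption.
TEMPLATES = {
    ("Security", 4688): ("A new process has been created. Account: {SubjectUserName}, "
                         "New Process Name: {NewProcessName}, Command Line: {CommandLine}"),
    ("System", 7045): ("A service was installed in the system. Service Name: {ServiceName}, "
                       "Service File Name: {ImagePath}"),
}


class _Missing(dict):
    """format_map helper: render '-' for fields the record does not carry."""
    def __missing__(self, key):
        return "-"


def parse_event(xml_text: str) -> dict:
    """Flatten one event XML record into its System fields plus EventData."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "channel": system.findtext("e:Channel", namespaces=NS),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "event_data": {d.get("Name"): (d.text or "")
                       for d in root.findall("e:EventData/e:Data", NS)},
    }


def collect(xml_records, collection_list, collect_description=True, collect_eventdata=True):
    """Keep only registered events and shape them like winevt index documents."""
    docs = []
    for xml_text in xml_records:
        ev = parse_event(xml_text)
        key = (ev["channel"], ev["event_id"])
        if key not in collection_list:          # not registered: dropped at the agent
            continue
        doc = {k: ev[k] for k in ("channel", "event_id", "computer", "time")}
        if collect_description:                 # free text, easy to read
            template = TEMPLATES.get(key, "Event " + str(ev["event_id"]))
            doc["description"] = template.format_map(_Missing(ev["event_data"]))
        if collect_eventdata:                   # structured, searchable by field
            doc["eventdata"] = json.dumps(ev["event_data"])
        docs.append(doc)
    return docs


def _record(channel, event_id, provider, data):
    """Build a constructed event XML record in the Windows event schema."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Channel>{channel}</Channel>'
            f'<Computer>WS01</Computer>'
            f'<TimeCreated SystemTime="2024-01-01T09:00:00.000Z"/></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample records; the 4624 logon is not on the collection list.
SAMPLE_RECORDS = [
    _record("Security", 4688, "Microsoft-Windows-Security-Auditing",
            {"SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\cmd.exe",
             "CommandLine": "cmd.exe /c whoami"}),
    _record("Security", 4624, "Microsoft-Windows-Security-Auditing",
            {"TargetUserName": "alice", "LogonType": "2"}),
    _record("System", 7045, "Service Control Manager",
            {"ServiceName": "UpdaterSvc", "ImagePath": r"C:\ProgramData\upd\svc.exe"}),
]
COLLECTION_LIST = {("Security", 4688), ("System", 7045)}

if __name__ == "__main__":
    for doc in collect(SAMPLE_RECORDS, COLLECTION_LIST):
        print(json.dumps(doc, indent=2))
```

The description form is what an analyst reads; the EventData form is what field-level searches (for example on CommandLine or ImagePath) run against, which is why collecting both is usually worth the extra storage.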
Detect
Detection engine
Engine | Description |
---|---|
Indicators of Compromise (IOC) | Detects known threats using the IOC and YARA databases. A minimum confidence level (for example 10%) can be set so that a match is reported only when its confidence is higher than the configured value. |
Machine Learning (ML) | Applies machine-learning detection to files sent by the agent; when a threat is detected, the details are shown in the Discovery and Endpoints detail menus. |
Abnormal behavior (XBA) | Selects which XBA Rule Sets are applied. |
Response
Warning
If the agent is distributed as the single version, NAC interworking is not supported.
The response settings are as follows.
Policy | Settings |
---|---|
Response to known malware | Response when a dangerous process registered in the YARA or IOC DB is detected |
NAC Interworking | Tag assigned to the node in Genian NAC when the agent detects a threat |
Response to unknown malware | Response when a threat is detected by machine learning |
Malicious IP | Response when a connection to a malicious IP registered in the IOC DB is detected |
For each of these you can choose the response actions: display an agent notification, forcibly terminate the process, and/or delete the file.
Agent
Default Settings
Policy | Settings |
---|---|
Connection Server IP | In a multi-server configuration, the server IP or domain the agent connects to in order to download its policy (used for server load balancing) |
User notification pop-up | Whether a notification pop-up is shown on the endpoint when Force process termination or File deletion is carried out after malware detection |
Display tray icon | Whether the agent tray icon is shown (disabled when the NAC and agent icons are integrated) |
Display Notification message | Text of the alert shown on the endpoint when network isolation is applied or released. Quarantine Message: the pop-up text shown on the endpoint when an administrator runs the Network Quarantine command on it from the Web Console. Release Message: the pop-up text shown on the endpoint when an administrator releases Network Quarantine from the Web Console. |
Allowed IPs | IP addresses the endpoint may still reach while network-isolated (the Genian NAC and Genian Insights E server IPs can communicate without any extra settings) |
Block network access
Policy | Description |
---|---|
Network Block IP and Port | IP addresses and TCP ports that are blocked regardless of the network isolation policy. Servers required for Genian Insights E server operation are not blocked. |
Backup
Policy | Description |
---|---|
Windows VSS Backup | Backs up all files on the hard disk with Windows VSS (Volume Shadow Copy Service) as a safeguard against ransomware. Ransomware commonly deletes VSS snapshots before encrypting, so to keep them from being removed also go to Policy > XBA Rule Management > XBA Rule Sets > Default and set the 'Auto Response' of the "Document Extension Rename Threshold Exceeded" and "delete ShadowCopy" rules. |
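The two XBA rules the VSS setting depends on both describe behaviour that can be recognised from process and file telemetry. The block below is an added illustration of that logic run over constructed sample events; it is not Genian's XBA engine or its actual rule definitions, and the command-line patterns, document extension list, rename threshold, time window and the "terminate process" auto-response are assumptions made for the example.

```python
"""Illustrative logic for the two XBA rules named above, run over sample telemetry.

Added example; it is not Genian's XBA engine or its actual rule definitions.
The command-line patterns, document extension list, threshold, time window and
sample events are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Command lines that remove Volume Shadow Copies. Ransomware usually does this
# before encrypting so the VSS backup cannot be restored; merely listing shadows
# is deliberately not matched.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\b(Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".hwp"}
RENAME_THRESHOLD = 5                    # more than this many renames ...
RENAME_WINDOW = timedelta(seconds=60)   # ... by one process within this window

RULE_SHADOW = "delete ShadowCopy"
RULE_RENAME = "Document Extension Rename Threshold Exceeded"


def is_shadow_copy_delete(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def is_doc_extension_change(old: str, new: str) -> bool:
    """True when a document loses its document extension, e.g. .docx -> .docx.locked."""
    old_ext = PureWindowsPath(old).suffix.lower()
    new_ext = PureWindowsPath(new).suffix.lower()
    return old_ext in DOC_EXTENSIONS and new_ext not in DOC_EXTENSIONS


def detect(events, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW):
    """Run both rules over time-ordered events; return one alert per (rule, pid)."""
    alerts, alerted = [], set()
    rename_times = defaultdict(list)    # pid -> timestamps of recent qualifying renames

    def raise_alert(rule, ev):
        if (rule, ev["pid"]) not in alerted:
            alerted.add((rule, ev["pid"]))
            alerts.append({"rule": rule, "pid": ev["pid"], "image": ev["image"],
                           "time": ev["time"].isoformat(),
                           "auto_response": "terminate process"})   # assumed action

    for ev in events:
        if ev["type"] == "process" and is_shadow_copy_delete(ev["cmdline"]):
            raise_alert(RULE_SHADOW, ev)
        elif ev["type"] == "rename" and is_doc_extension_change(ev["old"], ev["new"]):
            recent = rename_times[ev["pid"]]
            recent.append(ev["time"])
            recent[:] = [t for t in recent if ev["time"] - t <= window]
            if len(recent) > threshold:
                raise_alert(RULE_RENAME, ev)
    return alerts


def sample_events():
    """Constructed sample telemetry (not real agent output)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [
        {"time": t0, "type": "process", "pid": 2002, "image": "vssadmin.exe",
         "cmdline": "vssadmin list shadows"},                       # benign: listing only
        {"time": t0 + timedelta(seconds=1), "type": "rename", "pid": 1001,
         "image": "explorer.exe", "old": r"C:\Users\a\Desktop\draft.txt",
         "new": r"C:\Users\a\Desktop\final.txt"},                  # benign: still a document
        {"time": t0 + timedelta(seconds=2), "type": "process", "pid": 4243,
         "image": "vssadmin.exe",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},     # shadow copy wipe
    ]
    for i in range(6):                                              # 6 renames in 6 s
        events.append({"time": t0 + timedelta(seconds=3 + i), "type": "rename",
                       "pid": 4242, "image": "evil.exe",
                       "old": rf"C:\Users\a\Documents\file{i}.docx",
                       "new": rf"C:\Users\a\Documents\file{i}.docx.locked"})
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The shadow-copy rule fires on the first matching command line, so an auto-response that terminates the process can stop the snapshot wipe before the VSS backup is lost; the rename rule needs the threshold to be crossed, which is why it is the second line of defence rather than the first.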
Etc
Policy | Description |
---|---|
Using API Hooking | Hooks APIs to monitor additional events. This can conflict with other software, so enable it only after a stability test; switching the setting ON or OFF requires a PC reboot. |