How to set the anomaly detection policy
All endpoints use the Default ruleset registered under XBA Rule Sets. If a separate anomaly rule must be applied to specific endpoints, add a ruleset and assign the separately created ruleset to the group policy to which those endpoints belong.
Abnormal behavior detection Settings
Default
| Item | Description |
|---|---|
| Category | Insights E Rule and MITRE ATT&CK Rule are supported. |
| Name | Predefined diagnostic name. |
| OS | The OS on which abnormal behavior can be diagnosed; currently only Windows is supported. |
| Enable | Whether the anomaly diagnosis rule is used. (Default: on) |
| Event Type | The diagnosis policy differs depending on the event type (file, module, network, process, registry). |
| Reliability | Internally defined reliability. |
| Threats Type | Threat types are divided into 8 categories: Anomaly, Autorun, Exploit, Fake, LateralMovement, Ransomware, Rootkit, UacBypass. |
| MITRE ATT&CK Technique | MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that provides a framework for tactics, techniques, and procedures from an attacker's perspective. If MITRE ATT&CK Technique information is present, click it to go to the relevant information site. |
| Auto Response Rules | Sets the method (notification, forced process termination, no response) used to respond automatically when the abnormal behavior rule detects abnormal behavior. |
| Exception Rules | An abnormal behavior rule diagnoses by default, but you can set an exception rule so that the rule is not used. In Policy > XBA Rule Management > Exception Rules, create an exception rule and select the rule to which the exception applies, or set the exception rule directly on the Abnormal Behavior Rule System Details screen. |
| Description | User memo for the anomaly rule. |
Add ruleset
If certain rules must be applied or excluded only for specific endpoints, rather than using Default, you can add a ruleset in which those exceptions are applied.
- Click the Add button, select the ruleset to copy, and click the Create button.
- After modifying the rules to be applied differently, click Save, then click the ‘Apply Policy Immediately’ button at the top.
- On the details screen of the policy in the Policy > Group Policy Management > Group Policies menu, select the XBA Rule Sets created in step 1, then save and apply the policy immediately.
Response when abnormal behavior is detected
Detection by the anomaly policy may produce false positives and frequent alarms, so the default response is for a detection to be seen only by users in the Web Console. When a notification is required on the terminal (PC), or the process exhibiting the abnormal behavior must be terminated, you can respond to the threat through the automatic response settings.
- Click the name of the abnormal behavior rule whose response you want to set, and select 'automatic response' in the detailed settings.
- After selecting automatic response, click the Save button in the upper left for the change to be reflected; once saving is complete, click the ‘Apply Policy Immediately’ button in the upper right to deliver the policy to the agent.
- If abnormal behavior covered by the automatic response settings is detected, you can check the automatic response policy item in the summary information of the corresponding threat in the Analysis > Management menu.
Abnormal behavior detection exception Settings
The anomaly engine detects using the anomaly rules predefined in the Web Console.
To reduce false positives, you can set an exception policy before detection, or handle exceptions through Management after a false positive occurs.
Exception Rules before detection
Create Exception Rules
- Go to Policy > XBA Rule Management > Exception Rules menu and click the ‘Add’ button at the top.
- After setting the rule name, operation mode and exception rule, click the ‘Save’ button.
| Item | Option | Description |
|---|---|---|
| Exception application Type | All | Apply the diagnostic exception policy to all Endpoints. |
| Exception application Type | Setting The Target Not applied | Set the targets to which exception handling is not applied. |
| Exception application Type | Setting The Target applied | Set the targets to which exception handling is applied. |

The target of policy application can be set by entering IP or department information. After setting the policy exception target, enter the remaining details and click the Save button.
- You can check the exception settings registered by the user in the list; click the ‘Apply Policy Immediately’ button next to the top right menu.
- The policy application pop-up window is displayed; click the ‘OK’ button to apply the policy to Endpoints immediately.
Modify Exception Rules
- Go to Policy > XBA Rule Management > Abnormal Behavior Rule System > Exception Rules menu and click the name of the rule to be modified.
- After modifying the rules, click the Save button.
- Click the Apply Now button next to the top right menu.
- The policy application pop-up window will be displayed; click the ‘OK’ button to apply the changes to Endpoints immediately.
Delete Exception Rules
- Go to Policy > XBA Rule Management > Abnormal Behavior Rule System > Exception Rules menu and select the checkbox of the list item to be deleted, then click the ‘Delete’ button when it becomes active.
Exception Rules Excel Export
- Go to Policy > XBA Rule Management > Abnormal Behavior Rule System > Diagnostic Exception Settings, click the Save button in the upper left corner, and click the Export menu.
- If no item is selected in step 1, the entire currently registered list is exported; if items are selected, only the selected items are exported.
Exception Rules Import Excel
- Go to Policy > XBA Rule Management > Abnormal Behavior Rule System > Diagnosis Exception Settings menu, click the ‘Save’ button in the upper left corner, and click the Import menu.
- The Excel list can either overwrite the list registered on the Users page, or the registered list can be deleted so that only the entries in the Excel file are registered.
- Retain Existing Data: when entry A exists on the server and the same entry A also exists in the Excel file, selecting Keep Existing Data and uploading the file keeps the existing entry, and the number of retained existing entries is displayed.
Exception Rules after detection
Anomalies diagnosed as false positives can be handled by users directly in the Web Console.
- Go to the Analysis > Threats > Management menu.
- In the detected threats list, click the Details button on the right side of the anomaly detection entry to be treated as an exception.
- The detailed information screen for the detected threat is displayed. Click the Management(new) button in the upper right corner.
- The Management Details screen is displayed. Click the Assign to me button.
- If you select the Safe radio button under Threats verdict, the blue Setting Detection Exception - Add to Exception button is activated. Click the Add to Exception button.
- A pop-up window for adding a diagnostic exception rule appears, with the process name, file path, or suspicious file path of the false positive filled in automatically. Enter a rule name of your choice and click the Save button.
- Click the Save button below the Add Diagnostic Exception Rule button to complete the exception settings.
- The Apply Now button blinks in the upper right corner; click it to apply the exception policy to the agent immediately.
- The next time the same behavior as in the exception settings occurs, it is treated as an exception and is not diagnosed as abnormal behavior.
- Details of exception handling performed on the Management screen can be checked in the list under Policy > XBA Rule Management > Exception Rules.