Automatic Allow Rule Generation

This enhancement provides assisted rule generation once a false positive alert has been identified.

Using this functionality lets the user quickly remedy unnecessary alerts by creating an Allow Rule. It works only for the File Access, Network Access, and Program Access alert types, all of which are Lockdown Rules. Automatic Allow Rule generation is not available for the Ransomware, Cryptojacking, or Tampering rule types.


Create an Add Allow Rule Policy 

For the purposes of this article, a simple policy was created containing only two rules:

  1. The first rule prevents using commands like ‘nc’ and ‘ncat’.
  2. The second rule prevents modifying files in directories whose path starts with ‘/etc/cron’.

[Image: Add Allow Policy-2]

Following its creation, the policy was applied to a configuration profile, which was then assigned to an Endpoint. To learn how this was done, please see the following articles:


Alert Generation 

  1. Ncat alert generation:
    1. On the ZeroLock® Management Console (ZMC), open a terminal window and ssh to the Endpoint you applied the Add Allow Rule policy to.
    2. Once there, enter the command: sudo nc -l 8080
      Note: you may have to press Ctrl+C to get back to an active prompt.
    3. On the Alerts homepage you will see that an alert has been generated.
      [Image: ncat Alert Generated_2.0.3-1]
      Notice along the top of the screen that the yellow Open Alert square shows a 1, representing one instance of a medium-level alert.
  2. Modify alert generation:
    1. On the ZeroLock Management Console (ZMC), open a terminal window and, using ssh, connect to the Endpoint you applied the Add Allow Rule policy to.
    2. Once there, enter the command: sudo touch /etc/cron.d/test
    3. On the Alerts homepage you will see that another alert has been generated.
      [Image: Both Types Alerts 2.0.3-2]

Looking at the yellow Open Alert square, the 1 is now a 2, showing that there are now two medium-level alerts.

On the Endpoints homepage, both alerts have registered as well. 

[Image: Endpoint with Alerts 2.0.3-3]


Creating Allow Rule 

On the Alerts homepage, select the alerts that you want to create an Allow Rule for.

[Image: Select Alerts]

Note: Currently, this functionality only works for the File Access, Network Access, and Program Access alert types, which are all Lockdown Rule types.

From the Actions drop-down, selecting Add Allow Rules brings up the first autogenerated Allow Rule. The second rule can be viewed by clicking on its tab.

[Image: Allow Rule 1st Tab]

[Image: Allow Rule 2nd tab-1]

Clicking the Add Allow Rules button at the bottom of either screen will create a new Allow Rule for each of the selected alerts.

[Image: Allow Rule 2nd tab]

Select Add Allow Rules at the bottom of the screen to automatically create the rules and add them to the selected policies as displayed in the following image.

[Image: Policy 2]

The new Policy Rule 123* has been created.

*New policy rules are added to the bottom of the Policy Rule list, so the number of the policy rule you create may be different.

[Image: Policy Rule 123_b]

Note that automatically generated rules show ‘AUTOGENERATED’ in place of the rule version number and are not editable by the user. However, they may be duplicated, and the duplicate can then be edited or deleted.

Now, we will use the ‘mv’ command to trigger rule 87 of the Add Allow Rule policy we created. SSH back into the system and run the following command (note that this relocates the system's bash binary, so run it only on a disposable test Endpoint):

sudo mv /bin/bash /etc/cron.d/test

[Image: MV Alert Generated]

The ‘mv’ command was not covered by the previously autogenerated Allow Rule for ‘touch’. To add this new alert to that Allow Rule:

  1. Select the alert generated by the ‘mv’ command.
  2. Then, from the Actions drop-down menu, select Add Allow Rule.
  3. Selecting Add Allow Rule will update Policy Rule 123 to include the ‘mv’ command, as shown in the image below.

[Image: mv and touch rule]

Note that the newly generated Allow Rule now contains both the ‘mv’ and ‘touch’ commands.

Because the auto-generation functionality is aware that Policy Rule 123 was autogenerated in response to the restrictions in Policy Rule 87, it knows to update only Policy Rule 123, adding the ‘mv’ command to it rather than creating a second rule.

This completes the tutorial on automatically generated Allow Rules. They make dealing with false positives from File Access, Network Access, and Program Access rules much easier!