Automatic Allow Rule Generation

This enhancement allows for assisted rule generation when a false positive alert has been identified. 

Using this functionality enables the user to quickly remedy unnecessary alerts by creating an Allow Rule. It works only for the File Access, Network Access, and Program Access alert types, all of which fall under Lockdown Rules. Automatic Allow Rule generation is available only for Lockdown rules, not for the Ransomware, Cryptojacking, or Tampering rule types.


Create an Add Allow Rule Policy 

For this article, a simple policy was created containing only two rules:    

  1. The first rule prevents using commands like ‘nc’ and ‘ncat’.
  2. The second rule will prevent modifying files in directories that start with ‘/etc/cron’. 

Following its creation, the policy was applied to a configuration profile and then assigned to an Endpoint. To learn how this was done, please see the following articles:


Alert Generation 

  1. Ncat alert generation:
    1. On the ZeroLock® Management Console (ZMC), open a terminal window and ssh to the Endpoint to which you applied the Add Allow Rule policy.
    2. Once there, enter the command: sudo nc -l 8080
      Note: you may have to press Ctrl+C to return to an active prompt.
    3. On the ALERTS homepage, you will see that an alert has been generated. Along the top of the screen, the yellow Open Alert square has a 1 representing an instance of a medium-level alert.

  2. Modify alert generation:
    1. On the ZeroLock Management Console (ZMC), open a terminal window and, using ssh, connect to the Endpoint to which you applied the Add Allow Rule policy.
    2. Once there, enter the command: sudo touch /etc/cron.d/test
    3. On the Alerts homepage, you will see that another alert has been generated. Looking at the yellow Open Alert square, the 1 is now a 2, meaning there are 2 medium-level alerts. 


On the ENDPOINTS homepage, both alerts have been registered.



Creating Allow Rule 

  1. On the ALERTS homepage, select the alerts for which to create an Allow Rule.
  2. From the Actions drop-down select Add Allow Rules.
  3. Add Allow Rules brings up the first autogenerated Allow rule. The second rule can be viewed by clicking on its tab.
  4. Note the policies listed under Policies to Modify. The rule(s) created will modify any policy in that section. Remove any policy that you do NOT wish to modify.

  5. Clicking the Add Allow Rules button at the bottom of either screen will create a new Allow Rule for each alert and add them to the policies as displayed in the following screenshot.
  6. The new Policy Rule has been created.

    Note that automatically generated rules have ‘AUTOGENERATED’ instead of the version number for the rule and are not editable by the user. However, they may be duplicated, after which editing and deleting are possible.

  7. Now, we will use the ‘mv’ command to trigger rule 103 of the Add Allow Rule policy we created. SSH back into the system and run the following command: 

    sudo mv /bin/bash /etc/cron.d/test

  8. The ‘mv’ command was not in the previously autogenerated allow rule for ‘touch’. To add this new alert to that Allow Rule:
    1. Select the alert generated by the ‘mv’ command.
    2. From the Actions drop-down menu, select Add Allow Rule.
    3. Selecting Add Allow Rules will update Policy Rule 163 to include the “mv” command, as shown in the image below.

Note that the newly generated allow rule now contains both the ‘mv’ and ‘touch’ commands.

Because the auto-generation functionality is aware that Policy Rule 123 was autogenerated in response to Policy Rule 87 restrictions, it knows to only update Policy Rule 123 by adding the ‘mv’ command.

This completes the tutorial on automatically generated allow rules.