This enhancement allows for assisted rule generation when a false positive alert has been identified.
Using this functionality, the user can quickly remedy unnecessary alerts by creating an Allow Rule. This functionality only works for the File Access, Network Access, and Program Access alert types, all of which fall under Lockdown Rules. Automatic Allow Rule generation is available only for Lockdown rules, not for the Ransomware, Cryptojacking, or Tampering rule types.
Create an Add Allow Rule Policy
For this article, a simple policy was created containing only two rules:
- The first rule prevents using commands like ‘nc’ and ‘ncat’.
- The second rule will prevent modifying files in directories that start with ‘/etc/cron’.
Following its creation, the policy was applied to a configuration profile and then assigned to an Endpoint. To learn how this was done, please see the following articles:
- Creating a New Policy
- Applying Policy to a Configuration Profile
- Applying a Configuration Profile to an Endpoint
Alert Generation
- Ncat alert generation:
  - On the ZeroLock® Management Console (ZMC) open a terminal window and ssh to the Endpoint you applied the Add Allow Rule policy to.
  - Once there, enter the command: sudo nc -l 8080
    Note: you may have to press Ctrl+C to return to an active prompt.
  - On the ALERTS homepage, you will see that an alert has been generated. Along the top of the screen, the yellow Open Alert square has a 1 representing an instance of a medium-level alert.
- Modify alert generation:
  - On the ZeroLock Management Console (ZMC) open a terminal window, and, using ssh, connect to the Endpoint you applied the Add Allow Rule policy to.
  - Once there, enter the command: sudo touch /etc/cron.d/test
  - On the Alerts homepage, you will see that another alert has been generated. Looking at the yellow Open Alert square, the 1 is now a 2, meaning there are 2 medium-level alerts.
On the ENDPOINTS homepage, both alerts have been registered.
Creating Allow Rule
- On the ALERTS homepage, select the alerts for which to create an Allow Rule.
- From the Actions drop-down select Add Allow Rules.
- Add Allow Rules brings up the first autogenerated Allow rule. The second rule can be viewed by clicking on its tab.
- Note the policies listed under Policies to Modify. The rule(s) created will modify any policy in that section. Remove any policy that you do NOT wish to modify.
- Clicking the Add Allow Rules button at the bottom of either screen will create a new Allow Rule for each alert and add them to the policies as displayed in the following screenshot.
- The new Policy Rule has been created.
Note that automatically generated rules show ‘AUTOGENERATED’ instead of a version number and are not editable by the user. However, they may be duplicated, after which the duplicate can be edited or deleted.
- Now, we will use the ‘mv’ command to trigger rule 103 of the Add Allow Rule policy we created. SSH back into the system and run the following command:
  sudo mv /bin/bash /etc/cron.d/test
- The ‘mv’ command was not in the previously autogenerated allow rule for ‘touch’. To add this new alert to that Allow Rule:
  - Select the alert generated by the ‘mv’ command.
  - From the Actions drop-down menu, select Add Allow Rule.
  - Selecting Add Allow Rules will update Policy Rule 163 to include the ‘mv’ command, as shown in the image below.
Note that the newly generated allow rule now contains both the ‘mv’ and ‘touch’ commands.
Because the auto-generation functionality is aware that Policy Rule 123 was autogenerated in response to Policy Rule 87 restrictions, it knows to only update Policy Rule 123 by adding the 'mv' command.
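As an added illustration (not ZeroLock's own code; the rule ids, field names and matching logic are constructed assumptions), the following Python sketch models the behaviour described above: an autogenerated allow rule is keyed to the lockdown rule whose alert produced it, so the later ‘mv’ alert extends the existing ‘touch’ allow rule instead of creating a second one.

```python
from collections import namedtuple

# Constructed data model for this example; not ZeroLock's own schema.
LockdownRule = namedtuple("LockdownRule", "rule_id programs path_prefixes",
                          defaults=[frozenset(), ()])
AllowRule = namedtuple("AllowRule", "rule_id parent_rule_id programs version")
Alert = namedtuple("Alert", "rule_id program path")


class Policy:
    def __init__(self, rules):
        self.lockdown = {r.rule_id: r for r in rules}
        self.allow = {}          # parent lockdown rule_id -> autogenerated AllowRule
        self.next_id = max(self.lockdown) + 1

    def evaluate(self, program, path=""):
        """Return an Alert when a lockdown rule fires and no allow rule covers the program."""
        for rule in self.lockdown.values():
            # Program Access rules list programs; File Access rules list path prefixes.
            if program not in rule.programs and not path.startswith(rule.path_prefixes):
                continue
            allow = self.allow.get(rule.rule_id)
            if allow and program in allow.programs:
                return None      # already remedied by the autogenerated allow rule
            return Alert(rule.rule_id, program, path)
        return None

    def add_allow_rule(self, alert):
        """'Add Allow Rules': extend the allow rule tied to the alert's lockdown rule,
        or create one.  Autogenerated rules carry 'AUTOGENERATED' instead of a version."""
        rule = self.allow.get(alert.rule_id)
        if rule is None:
            rule = AllowRule(self.next_id, alert.rule_id, set(), "AUTOGENERATED")
            self.next_id += 1
            self.allow[alert.rule_id] = rule
        rule.programs.add(alert.program)
        return rule


def tutorial_policy():
    """The article's two rules (ids constructed): block nc/ncat, block changes under /etc/cron."""
    return Policy([LockdownRule(101, programs=frozenset({"nc", "ncat"})),
                   LockdownRule(102, path_prefixes=("/etc/cron",))])


def walk_through():
    """Replay the article: touch alert -> new allow rule; mv alert -> same rule updated."""
    p = tutorial_policy()
    first = p.add_allow_rule(p.evaluate("touch", "/etc/cron.d/test"))
    second = p.add_allow_rule(p.evaluate("mv", "/etc/cron.d/test"))
    return first is second, sorted(second.programs), len(p.allow)
```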
This completes the tutorial on automatically generated allow rules.