Overview of the Alerts Homepage on the ZeroLock® Management Console
Overview
The Alerts homepage is the gateway to detailed information on alerts. In addition to providing information, this page enables management of all alerts, active or inactive.
An alert is generated when ZeroLock detects system behavior that meets criteria set forth by previously configured Control Policies and Rules.
There are two (2) types of alerts: Active and Inactive.
- Active – Active alerts have an ACTIONS drop-down menu offering Kill (without remediating) or Release.
- Inactive – An alert becomes inactive when action has already been taken, or when so much time has elapsed that the impacted files are no longer in the Cache. The action buttons remain visible until some action has been taken.
Alert Homepage - Alert List
The main portion of the Alerts homepage consists of nine (9) columns:
- Checkbox - Check this box to select all alerts, or check the box beside specific alerts to select only those.
- ID – This is the number of the alert. ID numbers increase sequentially from the 1st alert generated when the Endpoint is started.
- TIME - Time alert occurred. The timing of the alert could help to narrow down how or by whom the malware was introduced into your system. Formatting is dd-mm-yy hh:mm:ss:ms.
- SEVERITY – The Severity level is defined in the Configuration Profile for a particular endpoint. The levels are Low, Medium, and High. The default Endpoint profile settings are Low for SSH MFA connections; Medium severity for attempts at Tampering (Canary Files, File Access, Network Access, malware), Cryptojacking, and HASH rules; High severity alerts are generated by ransomware. Assigning alert severity levels is ultimately up to the user.
For more information on setting alert severity use this link: Applying Policy to A Configuration Profile.
- STATUS - Detected, Killed, Remediated, Success, Suspended.
  - Detected – ZeroLock has detected system behavior that meets criteria set forth by previously configured Control Policies and Rules.
  - Killed - All associated processes are stopped.
  - Remediated - The threat processes have been stopped, corruption removed, and all impacted files restored.
  - Success - Applies to SSH-MFA login attempts.
  - Suspended – The process that triggered the alert is stopped but no further action is taken. If so configured, the Administrator is also notified.
- TYPE – Refers to the type of detection that generated the alert.
  - Blocked – Ruleset to block actions that meet a specific criterion.
  - Cryptojacking - Ruleset defining the criteria for, and the actions taken when, cryptojacking is detected on the Endpoint system.
  - File Access – Ruleset covering processes that attempt to perform prohibited actions on system files.
  - Network Access – Ruleset on what processes can/cannot access the network.
  - Program Execution – Ruleset on what processes or commands can or cannot execute specific programs on an Endpoint.
  - Ransomware – Ruleset defining the criteria for, and the actions taken when, malware is detected on the Endpoint.
  - SSH MFA – Ruleset providing granular control of remote access.
  - Tampering – Ruleset defining the actions taken when processes are detected that meet the criterion of the rules.
- ENDPOINT – This is the identifier of the Endpoint where the threat was detected.
- INFO - For an SSH-MFA login attempt, it will be the User identification - User: testuser1 IP:10.0.0.1. For a cyberthreat, it is the number of files affected - E:1 – 45 files affected. For a lockdown rule, it’s the name of the rule violated - MITRE T1041 Block wget.
- ACTIONS – This refers to what actions may be taken regarding that alert. When the alert appears, depending on the Response Type settings, there will be either one or two (2) buttons visible in this column. If the Response Type setting is Do Nothing you will see a single Actions button. Otherwise, there will be two (2) buttons:
  - Kill and Remediate
  - Actions - a drop-down menu containing options to Kill (without remediating) and Release.
Both are covered in detail below.
Alert - Actions
From this screen, the user has two avenues to react to alerts. There is the primary ACTIONS drop-down menu over the list of alerts. The second is the ACTIONS drop-down which appears on the same row as the alert.
The primary ACTIONS drop-down menu consists of:
- Kill and Remediate Alert kills the processes involved in the malicious behavior, issues an alert, remediates by removing any files created by the malware, removes the malware file(s) themselves, restores any modified or deleted files, removes attempts at persistence (undoing changes to crontabs, removing dropped malware, etc.) and closes all network connections associated with the malicious processes (Default setting).
- Kill Alert will stop the processes involved in the malicious behavior and generate an alert. Remediation is NOT automatically done.
- Release Alert releases the process and allows the system to continue to run. The release function does no file restoration or deletion and should be used when the user believes the alert is a false positive.
- Archive Alert removes an alert from the list. This may be done if the list is getting too long or cluttered. For example, if you do not want to see SSH connection alerts, they can be turned off but the previous alerts must be archived to remove them from the list.
- Add Allow Rule* lets the user create a rule that allows the process to run and will no longer generate an alert. This is useful for known false positives.
*The Allow Rule creation ability is only for Lockdown rules and not for the Cryptojacking, Ransomware, or Tampering rule types.
Note: The available actions (those not greyed out) depend on the Response Type setting for the Endpoint. For more information: Response Type Settings and Alert Generation.
Again, depending on the Response Type setting, the buttons in the Actions column will be either Kill or Release. Selecting Kill changes the status from Detected to KILLED and a REMEDIATE tab will appear. Clicking that tab engages the remediation process.
Alert - Detail
Double-clicking an alert opens the Alert Details page. Studying the details allows for a review of the attack process tree and the files touched by the malware.
| Field | Description |
| --- | --- |
| Status | Displays the status of the attack: Detected, Killed, Remediated, Success, Suspended. |
| Host | System’s hostname. |
| Download Link | Allows for downloading the alert details in JSON format. |
| File Tab | Displays a list of files touched by the malware. Created, modified, or deleted files are listed on this tab. The Action column identifies the file interaction, and the Status column displays the file’s current status. |
| Processes Tab - Tree View | Graphical representation of the attack process tree. Red blocks indicate a high threat rating and are processes associated with the attack. Clicking a block shows details concerning the individual process. |
| Processes Tab - List View | List of processes in the attack thread. |
On the Alert Details page, there are three (3) buttons: Kill and Remediate, Kill Process, or Release Process which allow individual processes to be addressed.
Filter Alert via View
On the right upper corner of the screen is VIEW. The options in the VIEW drop-down list are All alerts or those of High Severity Only.
Export Alert Data
On the left of the screen, directly above the main Actions tab, is EXPORT DATA with a download symbol. Selecting either will, by default, download all the Endpoint’s alerts in CSV format. If you wish to export only selected files, hover the cursor to the left of the file number and select the box that appears. Repeat this process until you have selected the files you want, then use either download option.
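As an added example that is not part of the ZeroLock documentation, the script below triages a constructed CSV export using the alert columns and the three INFO formats described above (SSH MFA, cyberthreat file counts, lockdown rule names). The exact header row of a real export and the sample rows are assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of an alert export. The column set mirrors the data
# columns of the Alerts list (Checkbox and ACTIONS are UI-only); the exact
# header of a real ZeroLock CSV export is an assumption, adjust if it differs.
SAMPLE_CSV = """ID,TIME,SEVERITY,STATUS,TYPE,ENDPOINT,INFO
1,03-04-24 09:12:01:117,Low,Success,SSH MFA,web-01,User: testuser1 IP:10.0.0.1
2,03-04-24 09:15:43:802,High,Detected,Ransomware,web-01,E:1 - 45 files affected
3,03-04-24 09:16:10:004,Medium,Killed,Blocked,db-02,MITRE T1041 Block wget
4,03-04-24 09:20:55:330,High,Remediated,Ransomware,db-02,E:2 - 7 files affected
"""

SSH_RE = re.compile(r"User:\s*(?P<user>\S+)\s+IP:\s*(?P<ip>\S+)")
FILES_RE = re.compile(r"E:(?P<event>\d+)\s*[-\u2013]\s*(?P<files>\d+)\s+files affected")

def parse_info(alert_type, info):
    """Split the INFO column into fields according to the three formats the page shows."""
    if alert_type == "SSH MFA":
        m = SSH_RE.search(info)
        return {"user": m.group("user"), "ip": m.group("ip")} if m else {"raw": info}
    m = FILES_RE.search(info)
    if m:  # cyberthreat alerts report how many files were touched
        return {"event": int(m.group("event")), "files_affected": int(m.group("files"))}
    return {"rule": info.strip()}  # lockdown rules carry the violated rule's name

def load_alerts(csv_text):
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["ID"] = int(row["ID"])
        row["INFO_PARSED"] = parse_info(row["TYPE"], row["INFO"])
        rows.append(row)
    return rows

def pending(alerts):
    """IDs still waiting on an operator decision: Detected alerts have had no
    action taken, Killed alerts have stopped processes but are not remediated."""
    return [a["ID"] for a in alerts if a["STATUS"] in ("Detected", "Killed")]

def files_at_risk(alerts):
    """Total files touched by alerts that have not yet been remediated."""
    return sum(a["INFO_PARSED"].get("files_affected", 0)
               for a in alerts if a["STATUS"] != "Remediated")

def by_severity(alerts):
    return Counter(a["SEVERITY"] for a in alerts)

if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_CSV)
    print("pending:", pending(alerts), "files at risk:", files_at_risk(alerts))
    print(dict(by_severity(alerts)))
```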
File View
The details for an alert are provided for the files involved and for any associated processes. In the Files view, files impacted may be viewed in list format while the processes involved will be in both tree and list formats.
Process List View
The Process List view provides information for all the processes involved in the alert.
Process Tree View
In the Tree view, individual processes are represented by red and grey rectangles that, when opened, provide details of that process. Red indicates a high threat rating: those processes are deemed malicious. In the image below, selecting the red rectangle on the far left will bring up the Process Information screen providing details on that particular process.
Process Information View
The Process Information screen for a particular process includes everything in the list view, the Parent Process ID (PPID), port designations on which connections were received, the Group identifier, the User, and the Endpoint ID.
To the right of the HASH checksum are two (2) boxes, BLOCK and ALLOW, which create HASH rules that are applied to all Policies.
- BLOCK enables a user to prevent a process by that HASH from ever running in that configuration.
- ALLOW is normally used when a process ZeroLock has alerted to is deemed benign and considered a false positive. This process will always be allowed to run. Using ALLOW, the customer will override the ZeroLock detection and "allow" that process to run without generating alerts in the future.