Alerts Homepage on the ZeroLock® Management Console

Overview of the Alerts Homepage on the ZeroLock® Management Console

Overview

The Alerts homepage is the gateway to detailed information on alerts.  In addition to providing information, this page enables management of all alerts, active or inactive.  

Alerts main page with Suspend

An alert is generated when ZeroLock detects system behavior that meets criteria set forth by previously configured Control Policies and Rules.

There are two (2) types of alerts:  Active and Inactive

  • Active – An active alert has two (2) visible buttons to choose from in the Actions column on the far right: Kill & Remediate or Actions.  Under Actions the options are Kill (without remediating) or Release.
  • Inactive – An alert becomes inactive when action has already been taken, or when too much time has elapsed and the impacted files are no longer in the Cache.  The buttons remain visible until some action has been taken.

Alert Homepage - Alert List

Numbered Columns v2.0.3

The main portion of the Alerts homepage consists of nine (9) columns:

  1. Checkbox – Check this to select all alerts, or select the checkbox beside specific alerts.
  2. ID – The number of the alert. ID numbers increase sequentially from the first alert generated when the Endpoint is started.
  3. TIME – Time the alert occurred.  The timing of the alert can help narrow down how, or by whom, the malware was introduced into your system.  The format is dd-mm-yy hh:mm:ss:ms.
  4. SEVERITY – The Severity level is defined in the Configuration Profile for a particular endpoint.  The levels are Low, Medium, and High.  The default Endpoint profile settings are: Low for SSH MFA connections; Medium for attempts at Tampering (Canary Files, File Access, Network Access, malware), Cryptojacking, and HASH rules; High for alerts generated by ransomware.  Assigning alert severity levels is ultimately up to the user.  For more information on setting alert severity, use this link: Applying Policy to A Configuration Profile
  5. STATUS – Detected, Killed, Remediated, Success, Suspended.
    1. Detected – ZeroLock detects system behavior that meets criteria set forth by previously configured Control Policies and Rules.
    2. Killed -  all associated processes are stopped.
    3. Remediated - the threat processes have been stopped, any corruption removed, and all impacted files have been restored.
    4. Success – used for SSH-MFA login attempts.
    5. Suspended – the process that triggered the alert is stopped but no further action is taken.  If so configured, the Administrator is also notified. 
  6. TYPE – Refers to the type of detection that generated the alert.
    1. Blocked – Ruleset to block actions that meet a specific criterion. 
    2. Cryptojacking -  Ruleset for what criteria and actions are taken when cryptojacking is detected on the Endpoint system.
    3. File Access – Ruleset for processes attempting to perform prohibited actions on system files.
    4. Network Access – Ruleset on what processes can/cannot access the network.
    5. Ordered Ruleset – Rules are evaluated top-to-bottom, with rules on top resolving actions before proceeding to the next rule.
    6. Program Execution – Ruleset on what processes or commands can or cannot execute specific programs on an Endpoint.
    7. Ransomware – Ruleset for what criteria and actions are taken when malware is detected on the Endpoint.
    8. SSH MFA – Ruleset providing granular control of remote access.
    9. Tampering – Ruleset for what actions are taken when processes are detected that meet the criterion of the rules.
  7. ENDPOINT – This is the identifier of the Endpoint where the threat was detected.
  8. INFO - For an SSH-MFA login attempt, it will be the User identification - User: testuser1 IP:10.0.0.1.  For a cyberthreat, it is the number of files affected - E:1 – 45 files affected.  For a lockdown rule it’s the name of the rule violated - MITRE T1041 Block wget.
  9. ACTION – This refers to what actions may be taken regarding that alert. When the alert appears, depending on the Response Type settings there will either be one or two (2) buttons visible in this column. 
    If the Response Type setting is Do Nothing you will see a single Actions button.  Otherwise, there will be two (2) buttons: 
    1. Kill and Remediate 
    2. Actions - this is a drop-down menu containing options to Kill (without remediating) and  Release.

Both will be discussed in greater detail below.

Alert - Actions

Actions 1 and 2 dropdowns

From this screen, the user has two avenues with which to react to alerts.  There is the primary ACTIONS drop-down menu over the list of alerts.  The second is the ACTIONS drop-down which appears on the same row as the alert.

The primary ACTIONS drop-down menu consists of:

  1. Kill and Remediate Alert kills the processes involved in the malicious behavior, issues an alert, and then remediates by removing any files created by the malware, removes the malware file(s) themselves, restores any modified or deleted files, removes attempts at persistence (undoing changes to crontabs, removing dropped malware, etc.) and closes all network connections associated with the malicious processes (Default setting).
  2. Kill Alert will stop the processes involved in the malicious behavior and an alert is generated.  Remediation is NOT automatically done.
  3. Release Alert releases the process and allows the system to continue to run. The release function does no file restoration or deletion and should be used when the user believes the alert is a false positive.
  4. Archive Alert removes an alert from the list.  This may be done if the list is getting too long or cluttered.  For example, if you do not want to see SSH connection alerts, they can be turned off, but the previous alerts must be archived to remove them from the list.
  5. Add Allow Rule* lets the user create a rule that will allow the process to run and will no longer generate an alert.  This is useful for known false positives.

Note: The available actions, those not greyed out, depend on the Response Type setting for the Endpoint.  For more information on this please see Response Type Settings and Alert Generation.

*The Allow Rule creation ability is only for Lockdown rules, not for the Ransomware, Cryptojacking or Tampering rule types.

Action Options on Alert Row-1

Again, depending on the Response Type setting, the buttons in the Actions column will be either Kill & Remediate  with the Actions drop-down menu or just Actions.  Selecting Kill changes the status to KILLED and a REMEDIATE tab will appear.  Clicking that tab engages the remediation process.

Remediate

Alert  - Detail

Double-clicking an alert opens the details page for that alert.  Studying the details allows review of the attack process tree and the files touched by the malware.

Details Page

Status

Displays the status of the attack: Detected, Killed, Remediated, Success, Suspended.

Host

System’s host name.

Download Link 

Allows for downloading the alert details in JSON format.

File Tab

Displays a list of files touched by the malware. Created, modified, or deleted files are listed on this tab. 

The action column identifies the file interaction, and the Status column displays the file’s current status.

Processes Tab - Tree View

Graphical representation of the attack process tree. Red blocks indicate a high threat rating and are processes associated with the attack. Each block, if clicked on, shows details concerning the individual process.

Processes Tab - List View

List of the processes in the attack process tree.

On the Alert Details page there are three (3) buttons: Kill and Remediate, Kill Process, and Release Process, which allow individual processes to be addressed.
Filter Alert via View

In the upper right corner of the screen is VIEW.  The options in the VIEW drop-down list filter alerts by severity: All (show all alerts) or High Severity Only.
Export Alert Data

On the left of the screen, directly above the main Actions tab, is EXPORT DATA, next to a download symbol.  Selecting either will, by default, download all of the Endpoint’s alerts in CSV format. If you wish to export only selected files, hover the cursor to the left of the file number and select the box that appears.  Repeat this until you have selected the files you want, then use either download option.

Export

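The Alerts list columns described above (ID, TIME, SEVERITY, STATUS, TYPE, ENDPOINT, INFO) and the CSV export lend themselves to offline triage. The following is an added example, not ZeroLock's own code or an official export format: it assumes a CSV whose header names match those column names, parses TIME in the documented dd-mm-yy hh:mm:ss:ms layout, splits the INFO column into the three documented shapes (SSH-MFA user/IP, "E:n – N files affected", or a Lockdown rule name), lists the alerts that still need an operator decision, and applies the footnote that Add Allow Rule is unavailable for Ransomware, Cryptojacking and Tampering alerts. The sample rows are constructed.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample of an alerts export. The header follows the data-bearing
# columns of the Alerts list; the real export layout is an assumption.
SAMPLE_CSV = """\
ID,TIME,SEVERITY,STATUS,TYPE,ENDPOINT,INFO
1,03-04-24 09:15:02:117,Low,Success,SSH MFA,web-01,User: testuser1 IP:10.0.0.1
2,03-04-24 09:16:44:005,High,Detected,Ransomware,web-01,E:2 - 45 files affected
3,03-04-24 09:20:10:930,Medium,Suspended,Blocked,db-02,MITRE T1041 Block wget
4,03-04-24 09:21:03:001,Medium,Remediated,Cryptojacking,db-02,E:3 - 7 files affected
"""

# TIME is documented as dd-mm-yy hh:mm:ss:ms; %f accepts the 3-digit ms field.
TIME_FORMAT = "%d-%m-%y %H:%M:%S:%f"

# Statuses in which the alert still shows action buttons (Kill, Remediate, Release).
ACTIVE_STATUSES = {"Detected", "Suspended"}
# Rule types for which the console does not offer "Add Allow Rule".
NO_ALLOW_RULE_TYPES = {"Ransomware", "Cryptojacking", "Tampering"}
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

SSH_INFO = re.compile(r"User:\s*(?P<user>\S+)\s+IP:\s*(?P<ip>\S+)")
FILES_INFO = re.compile(r"E:(?P<event>\d+)\s*[-\u2013]\s*(?P<files>\d+)\s+files affected")


def parse_info(info: str) -> dict:
    """Split the INFO column into fields, following the three documented shapes."""
    m = SSH_INFO.search(info)
    if m:
        return {"user": m.group("user"), "ip": m.group("ip")}
    m = FILES_INFO.search(info)
    if m:
        return {"event": int(m.group("event")), "files_affected": int(m.group("files"))}
    # Lockdown rules: INFO is the name of the rule that was violated.
    return {"rule": info.strip()}


def load_alerts(csv_text: str) -> list:
    """Parse an export into dicts with typed ID, TIME and INFO values."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        alerts.append({
            "id": int(row["ID"]),
            "time": datetime.strptime(row["TIME"], TIME_FORMAT),
            "severity": row["SEVERITY"],
            "status": row["STATUS"],
            "type": row["TYPE"],
            "endpoint": row["ENDPOINT"],
            "info": parse_info(row["INFO"]),
        })
    return alerts


def active_alerts(alerts: list) -> list:
    """Alerts awaiting an operator decision, highest severity first, then oldest first."""
    pending = [a for a in alerts if a["status"] in ACTIVE_STATUSES]
    return sorted(pending, key=lambda a: (SEVERITY_RANK.get(a["severity"], 3), a["time"]))


def severity_counts(alerts: list) -> Counter:
    """Number of alerts at each severity level in the given list."""
    return Counter(a["severity"] for a in alerts)


def allow_rule_eligible(alert: dict) -> bool:
    """True when the console would offer Add Allow Rule for this alert, i.e. the
    alert came from a Lockdown rule rather than Ransomware, Cryptojacking or Tampering."""
    return alert["type"] not in NO_ALLOW_RULE_TYPES


if __name__ == "__main__":
    pending = active_alerts(load_alerts(SAMPLE_CSV))
    print("active alerts by severity:", dict(severity_counts(pending)))
    for a in pending:
        print(f"#{a['id']} {a['severity']:<6} {a['type']:<14} {a['endpoint']:<8} "
              f"{a['info']} allow-rule-eligible={allow_rule_eligible(a)}")
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; if the exported header names differ from the assumed ones, adjust the keys in load_alerts rather than the parsing helpers.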
File View

The details for an alert are provided both for the files involved and for any associated processes.  In the Files view, files impacted may be viewed in list format while the processes involved will be in both tree and list formats.  


Process List View

The Process List view provides information for all the processes involved in the alert. 

 


Process Tree View

In the Tree view, individual processes are represented by red and grey rectangles which, when opened, provide details of that process.   Red indicates a high threat rating: those processes are deemed malicious.  In the image below, selecting the red rectangle on the far left brings up the Process Information screen with details on that particular process.
Process Information View

The Process Information screen for a particular process includes everything in the list view plus the Parent Process ID (PPID), port designations on which connections were received, the Group identifier, the User, and the Endpoint ID. 

To the right of the HASH checksum are two (2) boxes, BLOCK and ALLOW, which create HASH rules that are applied to all Policies.

  • BLOCK enables a user to prevent a process by that HASH from ever running in that configuration.
  • ALLOW is normally used when a process ZeroLock has alerted on is determined to be benign and so is considered a false positive.  This process will always be allowed to run. Using ALLOW, the customer overrides the ZeroLock detection and "allows" that process to run without generating alerts in the future.