4. Enabling Classification Rules
Last updated
Query Based Classification rules and List Based Classification rules classify the collected forensic artifacts. Once the data has been collected, review the artifacts and whitelist the known-good ones to minimize false positives. Whitelisting can use any property of the collected information; file hash, domain, IP address, signer and file path are the most commonly used. A file path on its own is the weakest of these, since anything can be written into a trusted directory, so prefer a hash or a verified code-signing identity where one is available.

To enable the built-in Windows rules:

1. Go to "Rules & Policies" -> "Artifact Classification" -> "Query Based Classification".
2. Click the search bar and type "Windows".
3. Click the three dots on the upper left side of the grid and select "Enable All Rules Displayed".

Users can also clone, edit, or create new rules on this page. Searching for "Windows" and enabling all of the matching rules is the recommended starting point.
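The following is an added illustration of what list-based whitelisting by hash, signer, domain, IP address and file path looks like as logic; it is not the product's rule engine or its query syntax. The artifact fields, allowlist contents and placeholder hashes are constructed for the demo. It also shows the caveat above in practice: a path-only match is reported for review rather than whitelisted, and a signer only counts when the signature actually validated.

```python
"""List-based artifact classification (added example, not the product's code).
Artifact fields and allowlist contents below are constructed for the demo."""

import ipaddress
from pathlib import PureWindowsPath

# Constructed allowlists. In practice these come from a known-good baseline;
# the hash is a placeholder, not a real file hash.
ALLOWED_SHA256 = {"a" * 64}
ALLOWED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}
ALLOWED_PATH_PREFIXES = (PureWindowsPath(r"C:\Windows\System32"),)
ALLOWED_DOMAINS = {"update.microsoft.com", "windowsupdate.com"}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def _under_prefix(path, prefixes):
    # Component-wise prefix match; PureWindowsPath compares case-insensitively,
    # so C:\Windows\System32Evil\x.exe does not match C:\Windows\System32.
    p = PureWindowsPath(path)
    return any(prefix == p or prefix in p.parents for prefix in prefixes)


def _domain_allowed(domain, allowed):
    # Exact or subdomain match only; "evilwindowsupdate.com" must not match.
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in allowed)


def classify(artifact):
    """Return (verdict, reason). Strong properties (hash, validated signer)
    are checked first. A path match without a known hash or signer is only a
    review hint, because dropping a file into a trusted directory is trivial."""
    sha = artifact.get("sha256", "").lower()
    if sha in ALLOWED_SHA256:
        return ("whitelisted", "hash")
    # The signer string alone is not enough; the signature must have verified.
    if artifact.get("signer") in ALLOWED_SIGNERS and artifact.get("signature_valid"):
        return ("whitelisted", "signer")
    domain = artifact.get("domain")
    if domain and _domain_allowed(domain, ALLOWED_DOMAINS):
        return ("whitelisted", "domain")
    ip = artifact.get("ip")
    if ip and any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETWORKS):
        return ("whitelisted", "ip")
    path = artifact.get("path")
    if path and _under_prefix(path, ALLOWED_PATH_PREFIXES):
        return ("review", "path-only match: trusted path but unknown hash/signer")
    return ("review", "no allowlist match")


if __name__ == "__main__":
    # Constructed sample artifacts, as a collector might export them.
    samples = [
        {"path": r"C:\Windows\System32\svchost.exe", "sha256": "A" * 64},
        {"path": r"C:\Windows\System32\cmd.exe", "signer": "Microsoft Windows",
         "signature_valid": True},
        {"path": r"C:\Windows\System32\svch0st.exe", "signer": "Microsoft Windows",
         "signature_valid": False, "sha256": "b" * 64},
        {"domain": "download.windowsupdate.com"},
        {"domain": "evilwindowsupdate.com"},
        {"ip": "10.20.30.40"},
        {"path": r"C:\Users\Public\loader.exe"},
    ]
    for s in samples:
        print(classify(s), s)
```

Only the hash and validated-signer branches return a definitive whitelist verdict on a file; everything that matches solely on location lands in the review bucket, which is the behaviour you want when tuning rules against a fresh collection.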