Classification Rules
Last updated
The Classification Engine is a core component of the platform. Any property of an artifact can be set through it. Classification rules and lists set the properties of artifacts, and any value of the artifact can be used as the match criterion when a property value is being set.
All artifacts have common properties. They are used to provide a common analysis and classification infrastructure.
Risk Score is a value between 0 and 100 indicating the risk level. For unknown artifacts that threat intelligence analysis cannot identify, the score is set to 70. Values greater than 90 are critical, values between 70 and 90 are high risk, and values between 33 and 70 are medium risk.
The "Is Malicious" property flags artifacts as malicious based on threat intelligence or artifact analysis results.
"Classification Rule Name" is used to identify which classification rule matched the artifact.
"Classification State" identifies if an artifact has been classified.
The "Is Acknowledged" flag enables the security teams to separate artifacts based on whether they have been investigated.
The platform provides default built-in classification rules and lists for all collected artifacts. Classification rules are accessed from the Rules & Policies -> Artifact Classification -> Query Based Classification menu. Classification rules can be filtered through the search box at the top right or the dropdown selector in the middle. Global rules are read-only; they can be cloned and modified using the "…" button. There are three types of classification rules:
Default is the classification rule which is used for setting the artifact properties.
The "Notify on Match" rule type is used to execute notifications. They are executed after classification and list rules.
The "Notify if no Match" rule type executes notifications when a specific artifact is not found. They are also executed after classification and list rules.
To flag an artifact as trusted or malicious by default, the recommended approach is to add one of its properties to a list. Each list sets the global artifact properties (Risk Score, Is Malicious, etc.). By default, Malware, Black, and White lists are available. List types can be accessed from List Management -> "…" -> List Types Management. To add a property to a list, right-click on any grid; from the list management actions, the property can be added to any list. Adding wildcards or the hash value is also supported.
Classification rules should be used when the classification needs to be performed on multiple properties. Classification rules can set artifact properties, send notifications, and execute response actions. The system provides default responses such as terminating a process or deleting a file; additional responses can be configured using PowerShell commands or scripts. To add a property to a classification rule, right-click on any grid. From "Rule Management," the property can be added to a new rule, or the values can be appended to an existing rule. Adding wildcards or the hash value is also supported. When creating a new rule, assign a name and set an execution priority. Rules with the highest priority value execute last, which gives them precedence over the rules that ran before them.
Classification rules consist of three major parts:
Match Conditions: Match conditions are used to match the artifact properties. Once the artifact property is chosen, different conditions can be used to match a property value. The "Is One of" condition provides a detailed filter in which multiple values can be added seamlessly.
Set Property Values: Any artifact property can be updated here. This section is typically used to assign a risk score, whitelist the artifact, or mark it as malicious.
Notifications: Notifications and response actions are added through this section.
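As an added illustration, not the platform's own code or engine, the following Python sketch models the evaluation order described above: list hits are applied first, Default rules run in ascending priority so the highest value executes last and wins, and the Notify rule types run afterwards against the updated properties. All artifacts, paths, hashes, list entries and rule names below are constructed. The "Listed" classification state for list hits, treating a score of exactly 70 as high, the "low" band below 33, and evaluating "Notify if no Match" per artifact are assumptions made for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Starting properties for an artifact nothing has identified yet.
# The score of 70 for unknown artifacts is from the documentation; the rest are assumptions.
DEFAULT_PROPERTIES = {
    "Risk Score": 70,
    "Is Malicious": False,
    "Classification Rule Name": None,
    "Classification State": "Unclassified",
    "Is Acknowledged": False,
}


def risk_level(score):
    """Risk bands as documented (>90 critical, 70-90 high, 33-70 medium).
    Exactly 70 counting as high and 'low' below 33 are assumptions."""
    if score > 90:
        return "critical"
    if score >= 70:
        return "high"
    if score >= 33:
        return "medium"
    return "low"


def condition_matches(value, condition, operand):
    """Match one artifact property value against a single rule condition."""
    if condition == "equals":
        return value == operand
    if condition == "is one of":      # the multi-value "Is One of" filter
        return value in operand
    if condition == "wildcard":       # glob-style wildcard, case-sensitive
        return value is not None and fnmatchcase(str(value), operand)
    raise ValueError(f"unknown condition {condition!r}")


@dataclass
class Rule:
    name: str
    rule_type: str        # "Default", "Notify on Match" or "Notify if no Match"
    priority: int         # a higher value executes later and therefore wins
    conditions: list      # [(property, condition, operand), ...]; all must hold
    set_properties: dict = field(default_factory=dict)
    notification: str = ""


def rule_matches(rule, props):
    return all(condition_matches(props.get(p), c, o) for p, c, o in rule.conditions)


def classify(artifact, lists, rules):
    """Lists, then Default rules by ascending priority, then Notify rules.
    Returns the updated properties and the notifications raised."""
    props = dict(DEFAULT_PROPERTIES)
    props.update(artifact)
    # 1. Lists: each entry is (property, pattern); a hit applies the list's property set.
    for spec in lists.values():
        for prop, pattern in spec["entries"]:
            if condition_matches(props.get(prop), "wildcard", pattern):
                props.update(spec["set"])
                props["Classification State"] = "Listed"   # assumption
    # 2. Default rules, sorted so the highest priority value executes last.
    for rule in sorted((r for r in rules if r.rule_type == "Default"), key=lambda r: r.priority):
        if rule_matches(rule, props):
            props.update(rule.set_properties)
            props["Classification Rule Name"] = rule.name
            props["Classification State"] = "Classified"
    # 3. Notify rules run after classification and list rules, seeing the final properties.
    notifications = []
    for rule in rules:
        matched = rule_matches(rule, props)
        if (rule.rule_type == "Notify on Match" and matched) or \
           (rule.rule_type == "Notify if no Match" and not matched):
            notifications.append(rule.notification)
    props["Risk Level"] = risk_level(props["Risk Score"])
    return props, notifications


# Constructed sample data: every path, hash and name here is hypothetical.
SAMPLE_LISTS = {
    "White": {"entries": [("Path", "C:\\Program Files\\ExampleVendor\\*")],
              "set": {"Risk Score": 10, "Is Malicious": False}},
    "Malware": {"entries": [("SHA256", "0000aaaa-placeholder-hash")],
                "set": {"Risk Score": 100, "Is Malicious": True}},
}

SAMPLE_RULES = [
    Rule("Temp dir executable", "Default", 10,
         [("Path", "wildcard", "C:\\Users\\*\\AppData\\Local\\Temp\\*.exe")],
         {"Risk Score": 80}),
    Rule("System binary name in user profile", "Default", 20,
         [("Name", "is one of", ["rundll32.exe", "regsvr32.exe"]),
          ("Path", "wildcard", "C:\\Users\\*")],
         {"Risk Score": 95, "Is Malicious": True}),
    Rule("Alert on malicious", "Notify on Match", 0,
         [("Is Malicious", "equals", True)], notification="email:soc"),
    Rule("Needs triage", "Notify if no Match", 0,
         [("Classification State", "is one of", ["Classified", "Listed"])],
         notification="ticket:triage"),
]

SAMPLE_ARTIFACTS = [
    {"Name": "updater.exe", "Path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "SHA256": "1111bbbb"},
    {"Name": "rundll32.exe", "Path": "C:\\Users\\alice\\AppData\\Local\\Temp\\rundll32.exe", "SHA256": "2222cccc"},
    {"Name": "vendor.exe", "Path": "C:\\Program Files\\ExampleVendor\\vendor.exe", "SHA256": "3333dddd"},
    {"Name": "unknown.exe", "Path": "C:\\Users\\bob\\Downloads\\unknown.exe", "SHA256": "4444eeee"},
]


def run_samples():
    """Classify every sample artifact; keyed by artifact name for inspection."""
    return {a["Name"]: classify(a, SAMPLE_LISTS, SAMPLE_RULES) for a in SAMPLE_ARTIFACTS}


if __name__ == "__main__":
    for name, (props, notes) in run_samples().items():
        print(name, props["Risk Score"], props["Risk Level"], props["Classification Rule Name"], notes)
```

The second sample artifact shows the priority semantics: both Default rules match it, the priority-10 rule sets the score to 80 first, and the priority-20 rule runs last and overrides it with 95 and the malicious flag, which is what the "Notify on Match" rule then picks up. The fourth artifact matches nothing, keeps the unknown score of 70, and is the only one that raises the "Notify if no Match" triage notification.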