Customizing Classification Rules


Last updated 9 months ago


Classification rules are the core engine of the platform. Every collected piece of information is classified, tagged, and enriched by the classification rules. The platform provides built-in rules as a template. The rules can be customized by cloning them. The built-in rules are read-only.

Classification rules are accessed from Rules & Policies -> Artifact Classification -> Query Based Classification. The rules can be filtered through the selector on the top-middle section of the primary grid.

The “…” button to the right of the “+ Rule” button provides ease-of-use options for enabling/disabling rules, immediate execution, and import/export support.

A rule can be cloned by clicking the “…” button. Once cloned, the rule can be customized.

The main properties of a rule are as follows:

Rule Type: There are three kinds of classification rules:

1. Classification Rule: This is the default rule type.

2. Notify on Match: When this rule type is selected, notifications can be executed based on a match condition.

3. Notify on Non-Existence: Like Notify on Match, selecting this rule type makes notification actions available.

Priority: Higher values take precedence; the flags set by a higher-priority rule override those set by previously executed rules.

Origin: It can be global or user-defined.

Status: It can be enabled or disabled.

Once a rule is opened for editing, detailed options are provided for configuration:

Artifact Type: The type of artifact the rule executes on. The “All Artifacts” option is available for executing a rule on all artifacts.

Rule Type: Rule types are explained previously. When Notify on Match or Notify on Non-Existence rule type is selected, notification actions are available.

Rule Priority: Higher values take precedence. A priority number can be generated automatically by clicking the button to the right of the property.

Name: Name for the rule.

Description: Description of the rule.

Recommendations: Recommendation for the rule execution.

Stop Rule if Existing Risk Score is Higher: When enabled, the rule stops for any matched artifact whose existing risk score is already higher than the score the rule would set, so an earlier, higher rating is not lowered.

Status: Used for enabling or disabling a rule.

KPI: When enabled, the number of matches to the rule is recorded as a KPI value for historical analysis.

Only Process Records Updated: The rule can be limited to artifacts identified or updated within a specified time interval. For rules that execute notification actions, selecting an interval is recommended; a value of the last 12 hours is the recommended interval for notification actions.

Check per Group of: The field (computer name or device ID) by which the check is grouped.

Match Conditions: Any parameter of the artifact can be used to create match rules. When creating match rules, a filter is provided to display artifacts by risk level for easier management. Any unclassified artifact can be added to the configured rule's match conditions so that it becomes classified.

Aggregate Conditions: Options for aggregating notifications.

Notifications: Notifications can be created from these sections. When Notify on Match or Notify on Non-Existence rule type is selected, notification actions are available. Notifications can be configured based on match conditions by adding notification actions.

A classification rule consists of two main parts, one for selecting artifacts and one for updating artifact information:

Match Conditions: The rule is triggered based on the artifact properties matched. Any property of an artifact can be used for matching.

Set Property Values: Once a rule matches an artifact, the artifact properties are set through set property values. Risk Score, Investigation State, Category, and “Is Malicious” are some of the properties.

Artifact Format

Every piece of information collected by the platform is normalized and enriched. Common attributes are also added to enable better classification, as detailed below:

Risk Score: A value between 0-100 can be set. Higher values indicate a bigger risk. Values between 0-33 are classified as low risk, 34-66 are classified as medium risk, and values between 67-100 are classified as high risk.

Tags: Tags are used to create a standard definition for collected information. It is possible to add tags as needed.

Classification State: The classification state tracks if a collected artifact matches a classification rule. It can have the following values:

- Classified Manually

- Classified by Intelligence Database

- Matched a Rule

- New Entry

- No Matching Rule

Classification Category: This property can be used to categorize collected artifacts.

Investigation State: When set to “Investigation Request,” anonymized artifact information is shared with the threat intelligence system for investigation. It is recommended to set it to “Investigation Request” through the rules for unknown or high-risk artifacts.

Is Malicious: This flag is set to true for artifacts detected as malicious.
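The following is an added worked model of the rule mechanics described above (match conditions, set property values, priority, “Stop Rule if Existing Risk Score is Higher”) together with the Artifact Format fields (risk score bands, tags, classification state, investigation state, is malicious). It is illustration code written for this page, not CyberCyte platform code: the rule shape, the operator names, the evaluation order (ascending priority, so the highest priority writes last), and all rule and artifact values are assumptions constructed for the example.

```python
"""Toy model of query-based classification rules.

Added illustration, not CyberCyte platform code. The artifact fields
(risk_score, tags, classification_state, classification_category,
investigation_state, is_malicious) follow the page's Artifact Format;
the rule shape, the operators and the evaluation order are assumptions.
"""
from dataclasses import dataclass
import operator

# Operators a match condition may use (assumed set, not the platform's list).
OPERATORS = {
    "eq": operator.eq,
    "ne": operator.ne,
    "gt": operator.gt,
    "contains": lambda haystack, needle: needle in str(haystack),
}


def risk_level(score):
    """Map a 0-100 risk score to the bands the page defines."""
    if not 0 <= score <= 100:
        raise ValueError("risk score must be between 0 and 100")
    if score <= 33:
        return "low"
    if score <= 66:
        return "medium"
    return "high"


@dataclass
class Rule:
    name: str
    priority: int                 # higher value takes precedence
    artifact_type: str            # e.g. "process", "file", or "All Artifacts"
    match: list                   # [(field, operator_name, value), ...]
    set_values: dict              # properties written on a match
    stop_if_higher_risk: bool = False
    enabled: bool = True


def rule_matches(rule, artifact):
    """All match conditions must hold, and the artifact type must fit."""
    if rule.artifact_type != "All Artifacts" and artifact.get("type") != rule.artifact_type:
        return False
    for fld, op_name, expected in rule.match:
        if fld not in artifact or not OPERATORS[op_name](artifact[fld], expected):
            return False
    return True


def classify(artifact, rules):
    """Run enabled rules in ascending priority and return the enriched copy."""
    art = dict(artifact)
    art.setdefault("risk_score", 0)
    art["tags"] = list(art.get("tags", []))
    art["classification_state"] = "New Entry"
    matched = False
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.priority):
        if not rule_matches(rule, art):
            continue
        # "Stop Rule if Existing Risk Score is Higher": do not lower a score
        # that an earlier rule already set higher than this rule would.
        new_score = rule.set_values.get("risk_score", art["risk_score"])
        if rule.stop_if_higher_risk and art["risk_score"] > new_score:
            continue
        for key, value in rule.set_values.items():
            if key == "tags":
                art["tags"].extend(t for t in value if t not in art["tags"])
            else:
                art[key] = value
        art["classification_state"] = "Matched a Rule"
        matched = True
    if not matched:
        art["classification_state"] = "No Matching Rule"
    art["risk_level"] = risk_level(art["risk_score"])
    return art


# Constructed rules that mirror the page's hints (names and values are examples).
RULES = [
    Rule("Trusted vendor", 10, "process",
         [("signature", "eq", "valid"), ("company", "eq", "Example Vendor Ltd")],
         {"risk_score": 10, "tags": ["trusted-vendor"], "classification_category": "Permitted"}),
    Rule("Unknown by threat intelligence", 20, "All Artifacts",
         [("ti_verdict", "eq", "unknown")],
         {"risk_score": 70, "investigation_state": "Investigation Request"}),
    Rule("Known malicious", 30, "All Artifacts",
         [("ti_verdict", "eq", "malicious")],
         {"risk_score": 95, "is_malicious": True, "tags": ["malicious"]}),
    Rule("Standard process baseline", 40, "process", [],
         {"risk_score": 20}, stop_if_higher_risk=True),
]

# Constructed sample artifacts (not real telemetry).
SAMPLES = {
    "signed": {"type": "process", "name": "updater.exe", "signature": "valid",
               "company": "Example Vendor Ltd", "ti_verdict": "clean"},
    "unknown": {"type": "file", "name": "tool.dll", "signature": "none", "ti_verdict": "unknown"},
    "malicious": {"type": "process", "name": "svc.exe", "signature": "none", "ti_verdict": "malicious"},
    "unmatched": {"type": "registry", "name": "ExampleStartupKey", "ti_verdict": "clean"},
}


def classify_samples():
    """Classify every constructed sample with the constructed rule set."""
    return {key: classify(art, RULES) for key, art in SAMPLES.items()}


if __name__ == "__main__":
    for key, result in classify_samples().items():
        print(key, result["classification_state"], result["risk_score"],
              result["risk_level"], result["tags"])
```

Two behaviours are worth noting when running it: the signed process ends at risk 20 rather than 10 because the higher-priority baseline rule writes last, while the malicious process keeps its score of 95 because that baseline rule has “Stop Rule if Existing Risk Score is Higher” enabled and therefore skips it.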

Hints:

· Use the classification rules to select the artifacts permitted within the organization. Once the rules are configured, unknown artifacts will be highlighted. Built-in rules can be used to extend the trusted artifacts. Each rule type contains a rule for this purpose. The rule can be cloned and extended.

· The system performs analysis through threat intelligence platforms to identify unknown and malicious artifacts. Built-in rules are available for automated classification based on threat intelligence.

· Unknown files not matched by threat intelligence are assigned a risk score of 70 (high risk). It is recommended to review artifacts having a high risk score.

· For Windows Autoruns and processes, match conditions based on company and signature can be used to minimize unclassified artifacts.