Enabling In-Depth Analysis

The CyberCyte portal provides built-in policy rules, but some policies need to be specified manually for accurate analysis. For that, users need to configure object and honeypot access policy, threat monitoring policy and file activity tracking policy.

This section is dedicated to creating a new policy for "In-Depth Analysis", in the default groups all the necessary policies are active and selected.

Enabling Policies

Configuration of Windows Object and Honeypot Access Policy: This policy is designed for specific object access, CyberCyte uses honeypot for detection and these accesses can be managed by Windows object and honeypot access rules. The users can trust the processes with their signature or path. To edit Windows Object and Honeypot Access Rules, please go to Rules & Policies -> Artifact Collection Parameters -> Windows Object and Honeypot MonitorRules. That page allows users to edit/create/clone/enable/disable rules. Users can specify the rules that fit their requirements. With these rules, artifacts are specially analyzed for specific actions.

Configuration of Windows Threat Monitoring Policy: This policy is designed for threat monitoring with customization options. The users can specify which rules are going to be used for this policy. Users can trust the processes with their signatures or paths. The portal provides live-action responses that can terminate processes, which can be enabled in this policy. For editing "Windows Threat Monitoring Rules", please go to "Rules & Policies" -> "Artifact Collection Parameters" -> "Windows Threat Monitoring Rules". That page allows users to edit/create/clone/enable/disable rules. Users can specify the rules that fit their requirements. With these rules, artifacts are specially analyzed for specific actions.

Configuration of Windows File Activity Tracking Policy: This policy is designed for threat monitoring with customization options. The users can trust the processes with their signature or paths, this is needed for optimizing and enrichment of the data. Also, users can monitor all executable artifact activities, whitelisted artifact activities and terminate or delete unknown/risky/malicious files or processes.

Assigning Policies To The Group

Please go to Rules & Policies -> Policy Management -> Group Management. Click three dots on the right side of the group entry and select the "Edit" option. Select the policies to assign and click the "Save" button under the page.

Enabling Classification Rules for In-Depth Analysis

Please go to "Rules & Policies" -> "Artifact Classifications" -> "Query-Based Classification". Search "Windows Object and Honeypot Access", "Threat Monitor" and "File Activity". Enable all the rules displayed on the grid. After enabling classification rules, the portal will analyze the data sets, and users can see the results under "Threat Hunting" -> "Analysis & Investigation".

PreviousEnabling Windows Security Benchmark Analysis NextWindows Hardening

Last updated 9 months ago

Was this helpful?

Enabling Policies

Configuration of Windows Object and Honeypot Access Policy: This policy is designed for specific object access, CyberCyte uses honeypot for detection and these accesses can be managed by Windows object and honeypot access rules. The users can trust the processes with their signature or path. To edit Windows Object and Honeypot Access Rules, please go to Rules & Policies -> Artifact Collection Parameters -> Windows Object and Honeypot MonitorRules. That page allows users to edit/create/clone/enable/disable rules. Users can specify the rules that fit their requirements. With these rules, artifacts are specially analyzed for specific actions.

Configuration of Windows Threat Monitoring Policy: This policy is designed for threat monitoring with customization options. The users can specify which rules are going to be used for this policy. Users can trust the processes with their signatures or paths. The portal provides live-action responses that can terminate processes, which can be enabled in this policy. For editing "Windows Threat Monitoring Rules", please go to "Rules & Policies" -> "Artifact Collection Parameters" -> "Windows Threat Monitoring Rules". That page allows users to edit/create/clone/enable/disable rules. Users can specify the rules that fit their requirements. With these rules, artifacts are specially analyzed for specific actions.

Configuration of Windows File Activity Tracking Policy: This policy is designed for threat monitoring with customization options. The users can trust the processes with their signature or paths, this is needed for optimizing and enrichment of the data. Also, users can monitor all executable artifact activities, whitelisted artifact activities and terminate or delete unknown/risky/malicious files or processes.

Enabling Classification Rules for In-Depth Analysis

Please go to "Rules & Policies" -> "Artifact Classifications" -> "Query-Based Classification". Search "Windows Object and Honeypot Access", "Threat Monitor" and "File Activity". Enable all the rules displayed on the grid. After enabling classification rules, the portal will analyze the data sets, and users can see the results under "Threat Hunting" -> "Analysis & Investigation".