Utilizing the Platform Effectively and Interpreting the Artifact Analysis Results
Last updated
Once the SIGMA and YARA results are available, it is recommended to use classification rules and lists to whitelist the artifacts. Classifying by hash value, signing company, image path, and parent image path is fast, and wildcards for certain paths further simplify the whitelisting process.
YARA results help identify risky files that are dormant on the system, but they can also produce false positives. Digital signature information is added for every file; using the signer information in the classification rules minimizes the number of false positives.
After whitelisting, it is recommended to create a notification template and enable the "Notify on Match" rules in Sysmon. A process that is unknown to threat intelligence and performs a risky behavior will then be identified.
A generic notification template can be used to send a notification whenever a malicious artifact is identified. The malicious activity rule is sufficient to assign the template to "All Artifact." Use artifact-specific classification rules to get a more detailed notification.
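The whitelisting and notification flow described in the two passages above, as an added example that is not the platform's own code. The rule fields (hash, signer, image, parent image), the shell-style wildcard matching, the record layout and all sample artifacts and hashes are constructed assumptions; the point it shows is that a signer-based rule only whitelists when the signature actually validates, which is what keeps YARA hits on dormant files from turning into false positives, and that everything not whitelisted becomes a generic notification.

```python
"""Added example: classify SIGMA/YARA artifact records against whitelist rules
and emit a generic notification for anything no rule covers.
Field names, rule syntax and sample data are assumptions, not the platform's."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Artifact:
    """One artifact record: hash, image path, parent image path and signer info."""
    sha256: str
    image: str
    parent_image: str
    signer: Optional[str]        # None means the file carries no signature
    signature_valid: bool        # False if the signature failed validation
    sources: list = field(default_factory=list)   # which engines flagged it


@dataclass
class Rule:
    """Whitelist rule: every set field must match (AND); unset fields are ignored.
    Path fields accept shell-style wildcards; matching is case-insensitive."""
    name: str
    sha256: Optional[str] = None
    signer: Optional[str] = None
    image: Optional[str] = None
    parent_image: Optional[str] = None

    def matches(self, a: Artifact) -> bool:
        if self.sha256 is not None and self.sha256.lower() != a.sha256.lower():
            return False
        if self.signer is not None:
            # A signer name only counts when the signature validates; otherwise a
            # file merely claiming a trusted signer would be whitelisted.
            if not a.signature_valid or a.signer != self.signer:
                return False
        if self.image is not None and not fnmatchcase(a.image.lower(), self.image.lower()):
            return False
        if self.parent_image is not None and not fnmatchcase(
                a.parent_image.lower(), self.parent_image.lower()):
            return False
        return True


def notification(a: Artifact) -> str:
    """Generic notification text for an artifact no rule whitelists (format assumed)."""
    signer = a.signer if (a.signer and a.signature_valid) else "unsigned/invalid"
    return (f"[{'+'.join(a.sources)}] {a.image} (parent {a.parent_image}, "
            f"signer {signer}, sha256 {a.sha256[:12]}...)")


def classify(artifacts, rules):
    """Return whitelisted (image, rule name) pairs and notifications for the rest."""
    whitelisted, notify = [], []
    for a in artifacts:
        hit = next((r.name for r in rules if r.matches(a)), None)
        if hit:
            whitelisted.append((a.image, hit))
        else:
            notify.append(notification(a))
    return {"whitelisted": whitelisted, "notify": notify}


# Constructed rules: signer + wildcard path, vendor path, and a hash-only entry.
RULES = [
    Rule("ms-system32", signer="Microsoft Windows",
         image=r"C:\Windows\System32\*", parent_image=r"C:\Windows\System32\*"),
    Rule("vendorx-agent", signer="VendorX Ltd", image=r"C:\Program Files\VendorX\*.exe"),
    Rule("legacy-tool-hash", sha256="33" * 32),
]

# Constructed artifact records (hashes are placeholders, not real file hashes).
ARTIFACTS = [
    Artifact("11" * 32, r"C:\Windows\System32\svchost.exe",
             r"C:\Windows\System32\services.exe", "Microsoft Windows", True, ["sigma"]),
    Artifact("22" * 32, r"C:\Program Files\VendorX\agent.exe",
             r"C:\Windows\System32\services.exe", "VendorX Ltd", True, ["yara"]),
    Artifact("33" * 32, r"D:\Tools\legacy.exe",
             r"C:\Windows\explorer.exe", None, False, ["yara"]),
    Artifact("44" * 32, r"C:\Users\alice\AppData\Local\Temp\update.exe",
             r"C:\Windows\explorer.exe", None, False, ["sigma", "yara"]),
    # Claims a Microsoft signer but the signature does not validate.
    Artifact("55" * 32, r"C:\Windows\System32\svchost.exe",
             r"C:\Users\alice\AppData\Local\Temp\loader.exe", "Microsoft Windows", False, ["sigma"]),
]

if __name__ == "__main__":
    result = classify(ARTIFACTS, RULES)
    for image, rule in result["whitelisted"]:
        print(f"whitelisted by {rule}: {image}")
    for line in result["notify"]:
        print("NOTIFY", line)
```

Note that `*` in these patterns also spans path separators, so `C:\Windows\System32\*` covers subdirectories as well; tighten the pattern if that is not intended for a given rule.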
Windows Security Controls are used to secure the Windows endpoints. It is recommended to create a classification rule to identify which security controls will be omitted. A template is provided; it can be cloned and the controls selected. Once the controls are identified, create a test group, apply the security controls to the test devices, and monitor them for a week. After the initial monitoring, apply the controls to the endpoints first and then to the servers.
The platform can deploy commonly used security software packages. An automated job can be created to install the security software on endpoints where it is not yet deployed.