Policies are used for automated response actions on alerts. A policy defines either generic actions based on alert criticality, or specific actions on alerts that are triggered by specific rules.
If a remediation action policy is defined for an alert, every endpoint on which that alert is seen is remediated immediately.
On deployment, a large set of generic and rule-specific policies is automatically activated by the product, based on well-known attacks and exploits. The analyst can add new policies or modify existing policies as suitable for a specific environment.
Generic Policies
Generic Policies apply across alerts and define the generic actions that will be taken in the environment. If no rule-specific policy is defined for a particular rule, then the applicable generic policy, if one is defined, is invoked. A generic policy is matched against an alert on Alert Severity, endpoint scope, endpoint reputation, or a combination of these.
Defining a Generic policy
An analyst can define a generic policy by selecting the following:
The Alert Severity, Scope, Reputation and Whitelisted processes, if any.
Actions to be taken on Policy match include: Kill process, Add to BlockList, Quarantine Process, Isolate Endpoint, Set the Endpoint Reputation, Restore the Endpoint, Delete process, Notify user.
Rule Specific Policies
A Rule Specific policy must have a Rule selected; the policy action is executed when that rule triggers.
Defining a Rule Specific Policy
An analyst can define a rule specific policy by selecting the following:
The Rule Name, Scope, Reputation and Whitelisted processes, if any.
Actions to be taken on Policy match include: Kill process, Add to BlockList, Quarantine Process, Isolate Endpoint, Set the Endpoint Reputation, Restore the Endpoint, Delete process, Notify user.
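The matching and precedence described above (rule-specific policy first, generic policy as the fallback, whitelisted processes exempt, and every endpoint on which the alert was seen evaluated on its own scope and reputation) can be modelled as follows. This is an added illustration, not the product's own code; the policy set, rule name, and the scope and reputation labels are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence

# The response actions named on the page; a policy built with any other action is rejected.
ACTIONS = {"Kill process", "Add to BlockList", "Quarantine Process", "Isolate Endpoint",
           "Set the Endpoint Reputation", "Restore the Endpoint", "Delete process", "Notify user"}

# An alert carries the rule that fired, its severity, the offending process and every
# endpoint on which it was seen (each endpoint with its own scope and reputation).
Endpoint = namedtuple("Endpoint", "name scope reputation")
Alert = namedtuple("Alert", "rule severity process endpoints")

@dataclass(frozen=True)
class Policy:
    actions: Sequence[str]
    rule: Optional[str] = None        # set -> rule-specific policy; None -> generic policy
    severity: Optional[str] = None    # generic policies only; None matches any severity
    scope: Optional[str] = None       # None matches any endpoint scope
    reputation: Optional[str] = None  # None matches any endpoint reputation
    whitelist: FrozenSet[str] = frozenset()   # process names exempt from the actions

    def __post_init__(self):
        if set(self.actions) - ACTIONS:
            raise ValueError(f"unknown actions: {sorted(set(self.actions) - ACTIONS)}")

    def matches(self, alert, ep) -> bool:
        # rule-specific: the named rule must have fired; generic: severity is the criterion
        key_ok = self.rule == alert.rule if self.rule is not None else self.severity in (None, alert.severity)
        return key_ok and self.scope in (None, ep.scope) and self.reputation in (None, ep.reputation)

def endpoint_actions(policies: Sequence[Policy], alert, ep) -> List[str]:
    """Rule-specific policies take precedence; a matching generic policy is the fallback."""
    ranked = sorted(policies, key=lambda p: p.rule is None)   # False (rule-specific) sorts first
    chosen = next((p for p in ranked if p.matches(alert, ep)), None)
    return [] if chosen is None or alert.process in chosen.whitelist else list(chosen.actions)

def response_plan(policies: Sequence[Policy], alert) -> Dict[str, List[str]]:
    """Actions for every endpoint on which the alert was seen ([] = nothing applies)."""
    return {ep.name: endpoint_actions(policies, alert, ep) for ep in alert.endpoints}

# Constructed sample policy set; the rule name, scope and reputation labels are illustrative only.
SAMPLE_POLICIES = [
    Policy(["Isolate Endpoint", "Notify user"], severity="Critical"),
    Policy(["Kill process", "Notify user"], severity="High", scope="Servers"),
    Policy(["Kill process", "Add to BlockList", "Notify user"],
           rule="Encoded PowerShell (constructed rule)", whitelist=frozenset({"backup_agent.exe"})),
]
```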