Creating configurations

Overview

Configurations are groups of settings that control the behavior of Threat Response components. You can create different configurations for each Threat Response component to control how it performs on specific groups of endpoints.

For example, you might want to apply and scan for specific intel on one group of endpoints, but not other groups. Or, you might want to apply a subset of Threat Response capabilities to a group of endpoints. Use configurations to customize which intel to apply, how and when to evaluate intel, how to index file systems, and which events to record on all the endpoints in an enterprise.

You can orchestrate configurations for intel, the engine, the recorder, and index in a profile that is assigned to one or more computer groups. You can import and export configurations to make them easy to apply to target groups of computers.

Create intel configurations

Intel configurations are sets of intel that you group together so that you can deploy them to computer groups and apply them to endpoints efficiently. For example, you can create intel configurations that target computer groups that contain only Linux endpoints, or that contain only virtual assets.

  1. From the Threat Response menu, click Management > Configurations. Select Intel. Click Create.
  2. In the General Settings section, provide a name and description for the Intel configuration.
  3. In the Intel section, click Add Intel. Select the intel you want to add. Click Add.
  4. Select Intel that you have added to Threat Response. Click OK.
  5. Click Save.

After you have deployed intel configurations to endpoints, you can create engine configurations to generate alerts when the intel is matched on endpoints.

Create engine configurations

Engine configurations instruct the engine how to scan endpoints for intel matches. To avoid scanning important endpoints or to limit when the engine is active, you can include blackout periods to prevent scans during those times.

  1. From the Threat Response menu, click Management > Configurations. Select Engine. Click Create.
  2. In the General Settings section, provide a name and description for the engine configuration.
  3. In the Engine Options section, select the hours and days for the Scan Blackout period.
  4. Configure the Advanced Engine Settings.
  5. Click Save.

After you have deployed engine configurations to endpoints, you can view and manage alerts that result from intel matches. See Managing alerts.

Create recorder configurations

The recorder saves forensic evidence for each endpoint in a local database. With recorder configuration settings, you can restrict database volume by size and days of storage.

Adjust the settings for each endpoint database to suit a specific environment. Systems with different roles can generate a higher volume of certain types of events. For example, domain controllers typically generate more security events and network traffic than an average end-user workstation. You can build custom configurations that maximize event retention across an environment, while excluding unwanted activity.

  1. From the Threat Response menu, click Management > Configurations. Select Recorder. Click Create. Provide a name and description for the recorder configuration.
  2. In the Database Configuration section, configure settings for the recorder database.
  3. In the Recorded Events section, select the types of events to record for the current configuration.

    Registry

    [Windows only] Changes to the registry, such as the creation or alteration of registry keys and values. Includes the associated process and user context.

    Network

    Network connection events, such as an HTTP request to an internet location, including the associated process and user context. Events are recorded for all inbound and outbound TCP connections.

    File

    File system events, such as files written to directory locations on the endpoint. The associated process and user context are included. Examples: A malware file copied to a location that Windows Update uses, or content changes made to a file.

    Security

    Security events such as authentication, privilege escalation, and more. This event type includes logon events, even if operating system logs have rolled.

    DNS

    [Windows 8.1 or later] Request information, including the process path, user, query, response, and the type of operation.

  4. In the Process Filters section, click Add Process Filter to exclude events based on the process path, name, or (Mac and Linux only) command-line argument. Select the operating system for which the process filter applies, and provide a name. Provide a path to exclude all processes in that folder. You can use regular expressions to match more complex patterns and to further constrain the scope of the process filter. For example, C:\Program Files (x86)\Google\Chrome\Application\* filters all processes in the Application folder, and ^(if|ip)config(\.exe)?$ matches ifconfig, ipconfig, ifconfig.exe, and ipconfig.exe.
  5. In the Network Filters section, click Add Network Event to exclude network events that match the specified IP address, port, and operation values. Select the operating system for which the network filter applies, and provide a name. Provide an IP address, port, and operation. For example, Address: 127.0.0.1, Port: 80, Operation: Connection Accepted. Wildcards are not supported for network filters.

    Ports that you specify in Network Events match the destination port. The destination port is the port to which a connection is made on the targeted host.

  6. In the Registry Filters section, click Add Registry Event to exclude Windows registry events from recording when specific key-value pairs match. Select the operating system for which the registry filter applies, and provide a name. Provide a key and value that you want to exclude from recording. For example, Key: \HKEY_LOCAL_MACHINE\Software\ and Value: \StaleList\. Wildcards are not supported for registry filters.
  7. In the File Filters section, click Add File Filter to specify how you want to exclude files from recording. Provide a path from which you want file events excluded. For example, C:\Program Files\Tanium\Tanium Client\ or /proc. Wildcards are not supported for file filters.
  8. Click Save.
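As an added illustration that is not part of this page or the Threat Response product, the following Python models how the process filters from step 4 and the network filters from step 5 decide which events the recorder suppresses, and separates recorded from suppressed events so you can review exactly what an exclusion hides before deploying it. The filter representation, the treatment of a trailing * as a folder prefix, and the sample events are assumptions.

```python
import re

# Constructed filters in the shape of the recorder filters described above (assumed
# representation; this page does not show the product's own storage format).
PROCESS_FILTERS = [
    {"os": "Windows", "path": r"C:\Program Files (x86)\Google\Chrome\Application\*"},
    {"os": "Windows", "regex": r"^(if|ip)config(\.exe)?$"},
]
NETWORK_FILTERS = [  # exact match on address, destination port and operation; no wildcards
    {"os": "Windows", "address": "127.0.0.1", "port": 80, "operation": "Connection Accepted"},
]

def process_excluded(proc_path, os_name):
    """True if a process filter for this OS suppresses the event. A path ending in '*'
    is treated as a folder prefix (assumption); a regex is applied to the process name,
    so the ^ and $ anchors match ipconfig.exe but not ipconfigure.exe."""
    name = proc_path.replace("/", "\\").rsplit("\\", 1)[-1]
    for f in PROCESS_FILTERS:
        if f["os"] != os_name:
            continue
        if "path" in f and proc_path.lower().startswith(f["path"].rstrip("*").lower()):
            return True
        if "regex" in f and re.search(f["regex"], name, re.IGNORECASE):
            return True
    return False

def network_excluded(address, dst_port, operation, os_name):
    """True if a network filter matches exactly; the port compared is the destination port."""
    return any((f["os"], f["address"], f["port"], f["operation"])
               == (os_name, address, dst_port, operation) for f in NETWORK_FILTERS)

def apply_filters(events):
    """Split events into (recorded, suppressed) to review what a filter hides before deploying."""
    recorded, suppressed = [], []
    for ev in events:
        if ev[0] == "process":
            drop = process_excluded(ev[2], ev[1])
        else:
            drop = network_excluded(ev[2], ev[3], ev[4], ev[1])
        (suppressed if drop else recorded).append(ev)
    return recorded, suppressed

SAMPLE_EVENTS = [  # constructed: (type, os, path) or (type, os, address, dst_port, operation)
    ("process", "Windows", r"C:\Windows\System32\ipconfig.exe"),      # regex: suppressed
    ("process", "Windows", r"C:\Users\a\ipconfigure.exe"),            # anchors: recorded
    ("process", "Windows", r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"),
    ("process", "Linux", "/sbin/ifconfig"),                             # filter is Windows-only
    ("network", "Windows", "127.0.0.1", 80, "Connection Accepted"),   # suppressed
    ("network", "Windows", "127.0.0.1", 8080, "Connection Accepted"), # no wildcards: recorded
]
```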

After you have deployed recorder configurations, you can view events that occur on the endpoints where you have applied the configuration. See Connecting to live endpoints and exploring data.

Create index configurations

Use an index configuration to detect and report threat indicators for files at rest. Index creates an index of local file systems, computes file hashes, and gathers file attributes and magic numbers in an SQLite database on the endpoint.

Index configurations determine how file indexing and hashing occur on the local file systems of endpoints. Index is optimized to minimize endpoint resource use and work with journaled file systems, when available.

  1. From the Threat Response menu, click Management > Configurations. Select Index. Click Create. Provide a name and description for the index configuration.
  2. Configure the Index Settings.
  3. In the Exclude From Hashing section, click Add Hashing Exclusion to exclude specific files from hashing. For more information about hashing exclusions, see Indexing and hashing exclusions.
  4. In the Exclude From Indexing section, click Add Indexing Exclusion to exclude specific file paths by using regular expressions and names from indexing. For more information about indexing exclusions, see Indexing and hashing exclusions.
  5. Click Save.

After you have deployed index configurations to endpoints, you can use sensors to query indexed files. See Using sensors to query indexed files.

Create indexing and hashing exclusions

To improve performance and save system resources, create configurations to exclude files from being indexed or hashed. When hashing is enabled, every file that is indexed is hashed by default.

For example, consider creating an exclusion if you have an application that writes to a temp file. With an exclusion, the temp file is not indexed and hashed every time it changes.

Hashing

Create exclusions from hashing to exclude specific files and paths from having hash values calculated.

  1. From the Threat Response menu, click Management > Exclusions and select Hashing. Click Create. Select the operating system and provide a name for the exclusion.
  2. Provide a regular expression to match a path to exclude from hashing. Use regular expressions to match more complex patterns and to further constrain the scope of the exclusion. For example, ^(if|ip)config(\.exe)?$ matches ifconfig, ipconfig, ifconfig.exe, and ipconfig.exe.
  3. Click Create.

Indexing

Create exclusions to keep specific files and paths out of file system indexes.

  1. From the Threat Response menu, click Management > Exclusions and select Indexing. Click Create. Select the operating system and provide a name for the exclusion.
  2. Provide a regular expression to match a path to exclude from indexing. Use regular expressions to match more complex patterns and to further constrain the scope of the exclusion. For example, ^(if|ip)config(\.exe)?$ matches ifconfig, ipconfig, ifconfig.exe, and ipconfig.exe.
  3. Click Create.
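Added example, not from this page or the Threat Response product, covering both the hashing and the indexing exclusions above: a Python model of the difference between the two exclusion types, where an indexing exclusion drops a path from the index entirely and a hashing exclusion keeps the index entry (size, magic number) but skips the hash. The exclusion representation, case-insensitive matching of the regex against the full path, and the sample files are assumptions.

```python
import hashlib
import re

# Constructed exclusions in the shape described above (assumed representation; the
# regex is applied here to the full path, case-insensitively).
INDEXING_EXCLUSIONS = [  # matching paths never enter the index at all
    {"os": "Linux", "regex": r"^/proc/"},
    {"os": "Windows", "regex": r"\\AppData\\Local\\Temp\\[^\\]+\.tmp$"},
]
HASHING_EXCLUSIONS = [  # matching paths are indexed (size, magic) but never hashed
    {"os": "Windows", "regex": r"\.log$"},
]

def _matches(rules, path, os_name):
    return any(r["os"] == os_name and re.search(r["regex"], path, re.IGNORECASE)
               for r in rules)

def build_index(files, os_name):
    """Build a simplified index table from {path: bytes} held in memory (a constructed
    stand-in for a file system). Each entry keeps size and magic number; sha256 is
    None when a hashing exclusion applies."""
    index = {}
    for path, data in files.items():
        if _matches(INDEXING_EXCLUSIONS, path, os_name):
            continue  # excluded from indexing: no record at all
        entry = {"size": len(data), "magic": data[:4].hex(), "sha256": None}
        if not _matches(HASHING_EXCLUSIONS, path, os_name):
            entry["sha256"] = hashlib.sha256(data).hexdigest()
        index[path] = entry
    return index

WINDOWS_FILES = {  # constructed sample content, not real files
    r"C:\Users\a\AppData\Local\Temp\build.tmp": b"scratch data",   # not indexed
    r"C:\Program Files\App\app.log": b"2019-09-17 started",         # indexed, not hashed
    r"C:\Windows\System32\ipconfig.exe": b"MZ\x90\x00stub",         # indexed and hashed
}
```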

Import and export configurations and filters

Import and export configurations and filters to apply them in a different Threat Response environment. For example, you can export configurations or filters that you have tested from a lab environment and import them into a production environment. With the exception of index configurations, both configurations and filters are imported and exported exclusively as JSON files. You can import either config.ini files or JSON files for Index configurations.

Export configurations or filters

  1. From the Threat Response menu, click Management > Configurations for configurations or Management > Filters for filters.
  2. Click the tab for any type of configuration or filter. Click Import/Export. Select Export All.
  3. On the export page, provide a name and click Export. All of the configurations in the Threat Response environment are exported.

Import configurations or filters

  1. From the Threat Response menu, click Management > Configurations for configurations or Management > Filters for filters.
  2. Click the tab for any type of configuration or filter. Click Import/Export. Select Import JSON or Import INI and browse to a JSON file, or an INI file for index configurations.
  3. Click Import.

Last updated: 9/17/2019 1:47 PM