Policy Naming Structure

Description


When naming your policies, we request that you adhere to the best-practice naming structure below.
Following this structure lets everyone identify at a glance which functions and features a policy currently has enabled.


The three primary functions to report in the name are the File Actions state, the Memory Actions state, and the Script Control state (once a protected policy is applied). Any other function or feature that is enabled should be listed as well.

The initial policy should be placed in a monitor-only state so that the Background Threat Detection scan can run. Background Threat Detection performs a full disk scan to detect and analyze any dormant threats on the disk.

  • Leave this initial policy in place for a couple of days so that the applications and processes typically used on the system run and are analyzed by CylancePROTECT.
  • Based on the results of the scan, a baseline is established on all machines before any protective features are enabled.

It is recommended to implement policy features in a phased approach so that performance and operations are not impacted. As you learn how Cylance behaves in your environment, create new policies with more features enabled. Please refer to the CylancePROTECT administrator's guide for more detailed information.

Pre-staged Policy Examples:

1 - Monitor NoMem

  • Monitor
    • Abnormal and Unsafe files will only be alerted on
  • NoMem
    • Memory Protection is NOT yet enabled, so there is no conflict with an existing AV product at this stage.

2 - AQT MemA SCA BDEA PREVENT

  • AQT
    • Abnormal and Unsafe files will be Auto Quarantined
  • MemA
    • Memory Protection in an Alert response
  • SCA
    • Script Control is enabled in an Alerting/logging mode only.
    • Cylance will record any Active, PowerShell or Macro scripts that run on the device.
  • BDEA
    • Aurora Focus Behavioral Detection Engine feature enabled in Alert mode
  • PREVENT
    • Prevent Service Shutdown mode is enabled.

Additional Acronym Examples:

File Actions

  • Monitor
    • Abnormal and Unsafe files will only be alerted on
  • AQT
    • Abnormal and Unsafe files will be Auto Quarantined

Memory Actions

  • MemA
    • Memory Protection in Alert mode only
    • The Agent will record the violation and report the incident to the Console as an Exploit Attempt
  • MemB
    • Memory Protection in Block mode
    • If an application attempts a memory violation, the Agent will block the violating process call.
    • The application that made the call is allowed to continue running.
    • Not recommended for most scenarios
  • MemT
    • Memory Protection in Terminate mode.
    • If an application attempts a memory violation, the Agent will block the violating process call and will also terminate the application that made the call.

Focus/Optics

  • BDEA
    • Aurora Focus Behavioral Detection Engine feature enabled in Alert mode
  • BDEB
    • Aurora Focus Behavioral Detection Engine feature enabled in Block mode

Script Control

  • SCA
    • Script Control is enabled in an Alerting/logging mode only.
    • Cylance will record any Active, PowerShell or Macro scripts that run on the device.
  • SCB
    • All Script Control options are set to Block (unless one of the modifiers below indicates otherwise)
    • Cylance will block any Active Script, PowerShell script or Macro that runs on the machine and has not been whitelisted.
    • This includes blocking PowerShell console usage.
    • Modifiers to SCB
      • PSC or PSC-Allow
        • PowerShell Console usage is allowed.
          • The corresponding check box is unchecked.
      • ASA
        • Active Script is set to Alert.
      • PSA
        • PowerShell is set to Alert.
      • MA
        • Macros are set to Alert.

Device Control

  • DCA
    • Device Control in Alert/Allow mode only.
    • All mass storage devices have full access, and their use is recorded.
  • DCB
    • Device Control in Block mode
    • Mass storage devices that are not on the exclusion list are blocked from transferring data.

Prevent Service shutdown from devices

  • PREVENT
    • The Cylance service is protected from being shut down, either manually or by another process, on Windows devices.
    • This check box option is located under the Protection Settings section of the policy.
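The acronym list above is a small, mechanical encoding, which makes it easy to automate: a script can build a policy name from the settings an administrator intends to apply, and can check that an existing name follows the convention before it is used. The Python below is an added example (not Cylance's own tooling or API); it encodes both pre-staged policy examples from this page as well as the full acronym list. The token order it emits (File Action, Memory Action, Script Control plus modifiers, Focus/Optics, Device Control, PREVENT), the field names of PolicySettings, and the rule that every name must carry exactly one File Action and one Memory Action token are this example's own assumptions, not stated on the page.

```python
"""Encode and decode CylancePROTECT policy names that follow the naming
structure on this page. Added example; assumptions not on the page: the
token order, the PolicySettings field names, and the requirement that a
name always carries one File Action and one Memory Action token."""
from dataclasses import dataclass
from typing import Optional

# Token tables: acronym -> meaning. The acronyms are the page's own.
FILE_ACTIONS = {"Monitor": "monitor", "AQT": "auto_quarantine"}
MEMORY_ACTIONS = {"NoMem": "off", "MemA": "alert", "MemB": "block", "MemT": "terminate"}
SCRIPT_CONTROL = {"SCA": "alert", "SCB": "block"}
BDE = {"BDEA": "alert", "BDEB": "block"}
DEVICE_CONTROL = {"DCA": "alert", "DCB": "block"}
# SCB modifiers: each relaxes one Script Control option away from Block.
SCB_MODIFIERS = {
    "PSC": "powershell_console_allowed",
    "PSC-Allow": "powershell_console_allowed",
    "ASA": "active_script_alert",
    "PSA": "powershell_alert",
    "MA": "macro_alert",
}


@dataclass
class PolicySettings:
    file_action: str = "monitor"                 # "monitor" | "auto_quarantine"
    memory_action: str = "off"                   # "off" | "alert" | "block" | "terminate"
    script_control: Optional[str] = None         # None | "alert" | "block"
    powershell_console_allowed: bool = False     # SCB modifier PSC / PSC-Allow
    active_script_alert: bool = False            # SCB modifier ASA
    powershell_alert: bool = False               # SCB modifier PSA
    macro_alert: bool = False                    # SCB modifier MA
    bde: Optional[str] = None                    # None | "alert" | "block"
    device_control: Optional[str] = None         # None | "alert" | "block"
    prevent_service_shutdown: bool = False       # PREVENT


def _token(table: dict, value: str) -> str:
    """Reverse lookup: the acronym whose meaning is `value`."""
    for tok, meaning in table.items():
        if meaning == value:
            return tok
    raise ValueError(f"no token for {value!r} among {list(table)}")


def policy_name(s: PolicySettings) -> str:
    """Build the canonical name, e.g. 'AQT MemA SCA BDEA PREVENT'."""
    parts = [_token(FILE_ACTIONS, s.file_action), _token(MEMORY_ACTIONS, s.memory_action)]
    if s.script_control:
        parts.append(_token(SCRIPT_CONTROL, s.script_control))
    if s.script_control == "block":
        # Modifiers are only meaningful when the base Script Control state is Block.
        for flag, tok in (("powershell_console_allowed", "PSC"), ("active_script_alert", "ASA"),
                          ("powershell_alert", "PSA"), ("macro_alert", "MA")):
            if getattr(s, flag):
                parts.append(tok)
    if s.bde:
        parts.append(_token(BDE, s.bde))
    if s.device_control:
        parts.append(_token(DEVICE_CONTROL, s.device_control))
    if s.prevent_service_shutdown:
        parts.append("PREVENT")
    return " ".join(parts)


def parse_policy_name(name: str) -> PolicySettings:
    """Decode a name into settings; raise ValueError if it breaks the convention."""
    s = PolicySettings()
    seen = set()
    for tok in name.split():
        if tok in FILE_ACTIONS:
            field, val = "file_action", FILE_ACTIONS[tok]
        elif tok in MEMORY_ACTIONS:
            field, val = "memory_action", MEMORY_ACTIONS[tok]
        elif tok in SCRIPT_CONTROL:
            field, val = "script_control", SCRIPT_CONTROL[tok]
        elif tok in SCB_MODIFIERS:
            if s.script_control != "block":   # modifier without a preceding SCB
                raise ValueError(f"{tok} is an SCB modifier but SCB does not precede it in {name!r}")
            field, val = SCB_MODIFIERS[tok], True
        elif tok in BDE:
            field, val = "bde", BDE[tok]
        elif tok in DEVICE_CONTROL:
            field, val = "device_control", DEVICE_CONTROL[tok]
        elif tok == "PREVENT":
            field, val = "prevent_service_shutdown", True
        else:
            raise ValueError(f"unknown token {tok!r} in policy name {name!r}")
        if field in seen:
            raise ValueError(f"{field} is set twice in {name!r}")
        seen.add(field)
        setattr(s, field, val)
    if "file_action" not in seen or "memory_action" not in seen:
        raise ValueError(f"{name!r} must name both a File Action and a Memory Action")
    return s


def is_valid_name(name: str) -> bool:
    """True if `name` follows the convention (usable as a pre-commit check)."""
    try:
        parse_policy_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for n in ("Monitor NoMem", "AQT MemA SCA BDEA PREVENT", "AQT MemA PSC"):
        print(n, "->", parse_policy_name(n) if is_valid_name(n) else "INVALID")
```

Because the parser rejects a modifier that is not preceded by SCB, a name such as "AQT MemA PSC" fails validation, which is the kind of drift the convention exists to prevent: the token would otherwise claim PowerShell console usage is allowed on a policy where Script Control is not blocking anything.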

Related Articles

  • SOC EPP Alert Processing Summary
  • Cylance - Recommended Agent Versions
  • Cylance Protect - Script Control