Policy Naming Structure


When naming your policies, we request that you adhere to the best-practice naming structure below.
Following this naming structure lets everyone identify at a glance which functions and features a policy currently has enabled.

The three primary functions a policy name should report are the File Actions state, the Memory Actions state, and (once a protected policy is applied) the Script Control state. Other functions and features should be listed if they are enabled.

The initial policy should be placed in a Monitoring only state to allow the Background Threat Detection scan to run. Background Threat Detection will perform a full disk scan to detect and analyze any dormant threats on the disk.

  • You should use this initial policy for a couple of days to allow applications and processes that are typically used on the system to run and be analyzed by Aurora CylancePROTECT.
  • Based on the results of the scan, a baseline is established on all machines before enabling any protected features.

It is recommended to implement policy features in a phased approach to ensure performance and operations are not impacted. As you understand how Aurora Cylance functions in your environment, you can create new policies with more features enabled. Please reference the Aurora CylancePROTECT setup guide for more detailed information.

Pre-staged Policy Examples:

1 - Monitor NoMem

  • Monitor
    • Abnormal and Unsafe files will only be alerted on
  • NoMem
    • Memory Protection is NOT yet enabled, so there is no conflict with an existing AV at this time.

2 - AQT MemA SCA BDEA PREVENT

  • AQT
    • Abnormal and Unsafe files will be Auto Quarantined
  • MemA
    • Memory Protection in an Alert response
    • Will also report on Macro scripts that run on the device
  • SCA
    • Script Control is enabled in an Alerting/logging mode only.
    • Aurora Cylance will record any Active, PowerShell, Python, and .NET DLR scripts that run on the device.
  • BDEA
    • Aurora Focus Behavioral Detection Engine feature enabled in Alert mode
  • PREVENT
    • Prevent Service Shutdown mode is enabled.

Additional Acronym Examples:

File Actions

  • Monitor
    • Abnormal and Unsafe files will only be alerted on
  • AQT
    • Abnormal and Unsafe files will be Auto Quarantined

Memory Actions

  • MemA
    • Memory Protection in an Alerting response only
    • The Agent will record the violation and report the incident to the Console as an Exploit Attempt
  • MemB
    • Memory Protection in Blocking mode
    • If an application attempts a memory violation, the Agent will block the violating process call.
    • The application that made the call is allowed to continue to run.
    • Not recommended for most scenarios
  • MemT
    • Memory Protection in Terminate mode.
    • If an application attempts a memory violation, the Agent will block the violating process call and will also terminate the application that made the call.

Focus/Optics

  • BDEA
    • Aurora Focus Behavioral Detection Engine feature enabled in Alert mode
  • BDEB
    • Aurora Focus Behavioral Detection Engine feature enabled in Block mode

Script Control

  • SCA
    • Script Control is enabled in an Alerting/logging mode only.
    • Aurora Cylance will record any Active, PowerShell, Python, and .NET DLR scripts that run on the device.
  • SCB
    • All Script Control options are set to Block (unless one of the following modifiers indicates differently)
    • Aurora Cylance will block any Active, PowerShell, Python, or .NET DLR script that runs on the machine and has not been whitelisted.
    • This includes blocking PowerShell console usage.
    • Modifiers to SCB
      • PSC or PSC-Allow
        • PowerShell Console usage is allowed.
          • The PowerShell Console option is configured as Disabled or Alert.
      • ASA
        • Active Script is set to Alert.
      • PSA
        • PowerShell is set to Alert.
      • PYA
        • Python is set to Alert.
      • .NA
        • .NET DLR is set to Alert.
      • MA
        • Macros are set to Alert.
        • The Macros setting under Script Control applies only to agent version 2.1.1578 and earlier. For newer agents, use the Dangerous VBA macro violation type on the Memory Protection tab. Any macro exclusions that you created previously for script control must be added to the memory protection exclusions for the Dangerous VBA macro violation type.

Device Control

  • DCA
    • Device Control in Alerting/Allow mode only.
    • All mass storage devices have full access and will be recorded when used.
  • DCB
    • Device Control in a Blocking mode
    • Mass storage devices that are not in the exclusion list will be blocked from transferring data.

Prevent Service shutdown from devices

  • PREVENT
    • This feature selection is located under the Agent Settings section of the policy.
    • When enabled, device users cannot stop the service for the Aurora Protect Desktop agent or for these versions of the Aurora Focus agent:
      • Aurora Focus agent for Windows 3.1 or later with Aurora Protect Desktop 3.0 or later
      • Aurora Focus agent for macOS 3.3 or later with Aurora Protect Desktop 3.1 or later
    • When enabled, a macOS user can stop the services only if the Self Protection Level in the device properties is set to Local Admin (Assets > Devices > click the device).
    • Windows users cannot stop the agent services as long as this setting is enabled.
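As an added example (not part of this article or of any vendor tooling), the following Python decodes a policy name written in the structure above into its feature states and flags names that break the convention. The token table mirrors the acronyms listed in this article; the validation rules are assumptions drawn from the article's wording: exactly one File Actions token and one Memory Actions token per name, a Script Control token required once the policy is protected (anything other than Monitor plus NoMem), and SCB modifiers only valid after SCB. It is useful for auditing a policy list exported from the console so that monitoring-only or malformed policy names stand out.

```python
"""Decode and validate Aurora CylancePROTECT policy names.

Added example: the acronym table mirrors this article; the structural rules
(one file token, one memory token, Script Control required for protected
policies, modifiers only after SCB) are assumptions, not a vendor checker.
"""
import re

# Acronym -> (category, meaning). Categories follow the article's sections.
TOKENS = {
    "Monitor": ("file", "Abnormal/Unsafe files alerted only"),
    "AQT": ("file", "Abnormal/Unsafe files auto-quarantined"),
    "NoMem": ("memory", "Memory Protection not enabled"),
    "MemA": ("memory", "Memory Protection: Alert"),
    "MemB": ("memory", "Memory Protection: Block"),
    "MemT": ("memory", "Memory Protection: Terminate"),
    "SCA": ("script", "Script Control: Alert/log only"),
    "SCB": ("script", "Script Control: Block"),
    "BDEA": ("focus", "Behavioral Detection Engine: Alert"),
    "BDEB": ("focus", "Behavioral Detection Engine: Block"),
    "DCA": ("device", "Device Control: Alert/Allow"),
    "DCB": ("device", "Device Control: Block"),
    "PREVENT": ("agent", "Prevent Service Shutdown enabled"),
}

# Modifiers that only make sense after an SCB token.
SCB_MODIFIERS = {
    "PSC": "PowerShell Console allowed",
    "PSC-Allow": "PowerShell Console allowed",
    "ASA": "Active Script: Alert",
    "PSA": "PowerShell: Alert",
    "PYA": "Python: Alert",
    ".NA": ".NET DLR: Alert",
    "MA": "Macros: Alert",
}

# "<number> - <space separated tokens>", as in the pre-staged examples.
NAME_RE = re.compile(r"^\s*(\d+)\s*-\s*(.+?)\s*$")


def decode_policy_name(name):
    """Return {'number', 'features', 'modifiers', 'errors'} for one policy name.

    features maps category -> (token, meaning); errors is empty for a name
    that follows the convention (as assumed here).
    """
    m = NAME_RE.match(name)
    if not m:
        return {"number": None, "features": {}, "modifiers": [],
                "errors": ["name is not '<n> - <tokens>'"]}
    number, body = int(m.group(1)), m.group(2)
    features, modifiers, errors = {}, [], []
    seen_scb = False
    for tok in body.split():
        if tok in TOKENS:
            cat, meaning = TOKENS[tok]
            if cat in features:
                errors.append(f"duplicate {cat} token {tok!r}")
            features[cat] = (tok, meaning)
            seen_scb = seen_scb or tok == "SCB"
        elif tok in SCB_MODIFIERS:
            if not seen_scb:
                errors.append(f"modifier {tok!r} without preceding SCB")
            modifiers.append((tok, SCB_MODIFIERS[tok]))
        else:
            errors.append(f"unknown token {tok!r}")
    # The two states every name must report.
    for cat in ("file", "memory"):
        if cat not in features:
            errors.append(f"missing {cat} action token")
    # Assumption: a policy is "protected" once it goes beyond Monitor + NoMem,
    # and the article asks for the Script Control state in that case.
    protected = (features.get("file", ("Monitor",))[0] != "Monitor"
                 or features.get("memory", ("NoMem",))[0] != "NoMem")
    if protected and "script" not in features:
        errors.append("missing script control token on protected policy")
    return {"number": number, "features": features,
            "modifiers": modifiers, "errors": errors}


def is_monitoring_only(name):
    """True when the name reports no enforcement at all (Monitor + NoMem)."""
    f = decode_policy_name(name)["features"]
    return (f.get("file", ("",))[0] == "Monitor"
            and f.get("memory", ("",))[0] == "NoMem")


def audit(names):
    """Return [(name, errors)] for every name that breaks the convention."""
    bad = []
    for n in names:
        errs = decode_policy_name(n)["errors"]
        if errs:
            bad.append((n, errs))
    return bad


if __name__ == "__main__":
    # Constructed sample: the article's two pre-staged names plus two malformed ones.
    sample = ["1 - Monitor NoMem", "2 - AQT MemA SCA BDEA PREVENT",
              "3 - AQT MemT SCB PSC-Allow MA DCB", "4 - AQT MemA PSA", "Prod policy"]
    for n in sample:
        d = decode_policy_name(n)
        print(n, "->", {k: v[0] for k, v in d["features"].items()}, d["errors"])
```

Run it against the policy names exported from the console to list every policy whose name does not decode cleanly; `is_monitoring_only` separates the initial Background Threat Detection policies from those that have protected features enabled.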
