Add a Behavioral Allowlisting Rule - Tutorial
This tutorial contains step-by-step examples of how to create a behavioral allowlisting rule.
Example 1 - Allowlist browser injection into Flash
In this example, you create a rule that prevents the Cybereason platform from generating a MalOp when certain browsers inject code into Flash Player. Normally, this type of behavior generates a Malicious By Code Injection MalOp.
Tip: If you have behavioral allowlisting set for browser injections into Flash, the process will not generate a MalOp. However, you can still see that the behavior occurred by querying specific browser processes in the Investigation screen and looking at the Evidence and Suspicions section of the Element Details pane.
Step 1.1: Name and describe the rule
In the Behavioral Allowlisting screen, click Create rule.
In the rule creation screen, specify the following:
Rule Name: Browser injecting Flash
Root Cause Type: Malicious Code Injection
Description: Allow browser injection into flashPlayer
The Define rule properties field displays.
Step 1.2: Add the first expression
Click Select an element and select Process from the drop-down menu. The Process element will be the first Element you select for most behavioral allowlisting rules.
When you select Process, the screen displays:
A filter icon to the right of Process.
A plus (+) sign below Process.
Select the plus (+) sign to add another Element to the rule.
Select the Original injector process Element.
Select the filter icon for Original injector process, type p in the filter field, and select Process name from the list of filters.
Complete the filter using the default contains operator, and replace <any string> with a browser name such as Firefox or the process name such as firefox.exe.
Click the OR button that appears to add more browsers, such as Internet Explorer (iexplore.exe) or Chrome (chrome.exe). Do not use explorer.exe here: that is the Windows shell, not a browser, and listing it would allowlist a much broader set of injections.
Click outside the filters field and click Add to add the expression to the rule.
Now you are ready to add your second expression. The behavior must match every expression in the rule to be considered benign, so each expression you add narrows the rule.
Step 1.3: Add the second expression
To add a second expression to the rule, click Select an element and select Process from the drop-down menu.
Select the plus (+) sign and add the Host process Element.
Select the filter icon, type p in the filter field, and select Process name from the list of filters.
Complete the filter using the default contains operator, and replace <any string> with flashPlayer.
Press Enter until the Add button activates, and click Add to add the expression to the rule.
You now have a valid behavioral rule that prevents Cybereason from triggering a MalOp when one of the listed browsers injects code into Flash Player. You can also add further expressions to narrow the rule, as shown in the next step.
Step 1.4: Add the third expression
To add a third expression to the rule, click Select an element again and select Process.
Select the filter icon, type i in the filter field, and select Injection method from the list of filters.
Complete the filter using the is operator, and select Anonymous RWX from the value drop-down menu.
Click outside the filters field and click Add to add the expression to the rule. With this expression, the rule suppresses the MalOp only for injections that use the Anonymous RWX method; injections by the same browsers using any other method still generate a MalOp.
Click Save to save your completed rule.
Example 2 - Allowlist a connection to a malicious IP address
If your users have a legitimate reason to access an IP address that is on the blocklist, you might want to define this rule.
Step 2.1: Name and describe the rule
In the Behavioral Allowlisting screen, click Create rule.
In the rule creation screen, specify the following:
Rule name: Chrome to blocklisted IP
Root Cause Type: Connection to blocklisted IP address
Description: Allow Chrome connection to a blocklisted IP address
The Define rule properties field displays.
Step 2.2: Add the first expression
To start building the rule, click Select an element and select Process from the drop-down menu.
Select the filter icon, type p, and select Process name from the list of filters.
Complete the filter using the contains operator, and replace <any string> with Chrome or chrome.exe.
Press Enter until the Add button activates, and click Add to add the expression to the rule.
The Cybereason platform adds the expression to the rule.
Step 2.3: Add the second expression
To add a second expression to the rule, click Select an element again and select IP address.
Select the filter icon and complete the filter with the specific blocklisted IP address that your users need to reach.
Press Enter until the Add button activates, and click Add to add the expression to the rule.
Click Save to save your completed rule.
Example 3 - Allowlisting for connection to a malicious domain
If you want the Cybereason platform to classify the Symantec management agent as benign when the agent connects to a malicious domain, you can create an appropriate allowlisting rule.
Step 3.1: Name and describe the rule
In the Behavioral Allowlisting screen, click Create rule.
In the rule creation screen, specify the following:
Rule name: Connection to malicious domain - Symantec management agent
Root Cause Type: Connection to a malicious domain
Description: Allow Symantec management agent to connect to a malicious domain
Step 3.2: Add first expression
To start building the rule, click Select an element and select Process from the drop-down menu.
Select the filter icon, type p, and select Process name from the list of filters.
Complete the filter using the is operator, and replace <any string> with AeXNSAgent.exe.
Select the plus (+) sign and add the File Element to the rule.
Select the filter icon, type s, and select Signer from the list of filters.
Complete the filter using the contains operator, and replace <any string> with Symantec.
Press Enter until the Add button activates, and click Add to add the expression to the rule.
Step 3.3: Add second expression
To add the second expression, click Select an element and select Domain name.
Select the filter field, type n and select Name from the list of filters.
Complete the filter using the contains operator, and replace <any string> with Google.
Press Enter until the Add button activates, and click Add to add the expression to the rule.
Click Save to save your completed rule.
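The three examples above share one composition model: values added with the OR button are alternatives inside a single filter, the filters of one expression (such as the process name and signer in Step 3.2) must all hold, and every expression in the rule must match before the MalOp is suppressed. The following toy evaluator, written for this page and not Cybereason's own code or API, models the rules from Examples 1, 2 and 3 so you can see which observed behaviors each rule would and would not suppress. It assumes that the contains operator is a case-insensitive substring test and the is operator a case-insensitive exact match; the "Address" property name, the IP address, the domain, the Flash host process name and the "Thread hijacking" method label are constructed sample values.

```python
# Added example, not Cybereason code: a toy evaluator that models how the
# rules built in Examples 1-3 combine.  Values inside one filter are ORed,
# filters inside one expression are ANDed, and every expression in the rule
# must match before the MalOp is suppressed.  Assumptions: "contains" is a
# case-insensitive substring test, "is" a case-insensitive exact match, and
# element/property names are only used as dictionary keys.
from dataclasses import dataclass
from typing import Dict, Tuple

Event = Dict[Tuple[str, str], str]  # (element, property) -> observed value


@dataclass(frozen=True)
class Filter:
    element: str             # e.g. "Original injector process"
    prop: str                # e.g. "Process name"
    op: str                  # "contains" or "is"
    values: Tuple[str, ...]  # alternatives added with the OR button

    def matches(self, event: Event) -> bool:
        actual = event.get((self.element, self.prop))
        if actual is None:
            return False
        actual = actual.lower()
        if self.op == "is":
            return any(actual == v.lower() for v in self.values)
        if self.op == "contains":
            return any(v.lower() in actual for v in self.values)
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class Rule:
    name: str
    root_cause: str
    expressions: Tuple[Tuple[Filter, ...], ...]  # every expression must hold

    def suppresses(self, event: Event) -> bool:
        """True when the rule would keep this behaviour from raising a MalOp."""
        if event.get(("MalOp", "Root cause")) != self.root_cause:
            return False
        return all(all(f.matches(event) for f in expr) for expr in self.expressions)


# Example 1: the rule after step 1.3 (two expressions) and after step 1.4 (three).
BROWSERS = Filter("Original injector process", "Process name", "contains",
                  ("firefox.exe", "iexplore.exe", "chrome.exe"))
FLASH_HOST = Filter("Host process", "Process name", "contains", ("flashPlayer",))
RWX_METHOD = Filter("Process", "Injection method", "is", ("Anonymous RWX",))
FLASH_RULE_2 = Rule("Browser injecting Flash", "Malicious Code Injection",
                    ((BROWSERS,), (FLASH_HOST,)))
FLASH_RULE_3 = Rule("Browser injecting Flash", "Malicious Code Injection",
                    ((BROWSERS,), (FLASH_HOST,), (RWX_METHOD,)))

# Example 2: the "Address" property name and the IP are constructed here.
CHROME_IP_RULE = Rule(
    "Chrome to blocklisted IP", "Connection to blocklisted IP address",
    ((Filter("Process", "Process name", "contains", ("chrome.exe",)),),
     (Filter("IP address", "Address", "is", ("203.0.113.10",)),)))

# Example 3: exact process name AND signer in one expression, domain in another.
SYMANTEC_RULE = Rule(
    "Connection to malicious domain - Symantec management agent",
    "Connection to a malicious domain",
    ((Filter("Process", "Process name", "is", ("AeXNSAgent.exe",)),
      Filter("File", "Signer", "contains", ("Symantec",))),
     (Filter("Domain name", "Name", "contains", ("Google",)),)))


def injection_event(injector: str, host: str, method: str) -> Event:
    """Constructed sample of what the platform would observe for one injection."""
    return {("MalOp", "Root cause"): "Malicious Code Injection",
            ("Original injector process", "Process name"): injector,
            ("Host process", "Process name"): host,
            ("Process", "Injection method"): method}


FLASH = "FlashPlayerPlugin_32_0_0_465.exe"                                  # constructed
FIREFOX_RWX = injection_event("firefox.exe", FLASH, "Anonymous RWX")
FIREFOX_OTHER = injection_event("firefox.exe", FLASH, "Thread hijacking")   # constructed label
SHELL_RWX = injection_event("explorer.exe", FLASH, "Anonymous RWX")         # Windows shell, not a browser
LOOKALIKE_RWX = injection_event("evil_chrome.exe", FLASH, "Anonymous RWX")  # substring-match trap

SYMANTEC_EVENT: Event = {
    ("MalOp", "Root cause"): "Connection to a malicious domain",
    ("Process", "Process name"): "AeXNSAgent.exe",
    ("File", "Signer"): "Symantec Corporation",
    ("Domain name", "Name"): "updates.google.example",  # constructed
}
UNSIGNED_EVENT: Event = {**SYMANTEC_EVENT, ("File", "Signer"): "Unknown"}

if __name__ == "__main__":
    for rule, event, label in [
        (FLASH_RULE_2, FIREFOX_RWX, "firefox -> Flash, Anonymous RWX, two expressions"),
        (FLASH_RULE_2, FIREFOX_OTHER, "firefox -> Flash, other method, two expressions"),
        (FLASH_RULE_3, FIREFOX_OTHER, "firefox -> Flash, other method, three expressions"),
        (FLASH_RULE_3, SHELL_RWX, "explorer.exe -> Flash (not in the browser list)"),
        (FLASH_RULE_3, LOOKALIKE_RWX, "evil_chrome.exe -> Flash (contains matches it)"),
        (SYMANTEC_RULE, UNSIGNED_EVENT, "agent name right but signer wrong"),
    ]:
        print(f"{label}: suppressed={rule.suppresses(event)}")
```

Two of the constructed cases show why rule scope matters. The evil_chrome.exe case is suppressed by the Example 1 rule because contains "chrome.exe" is a substring match; the Example 3 rule avoids that by combining the is operator on the exact process name with a signer filter in the same expression, so a renamed binary with the wrong signer is not suppressed. The third-expression comparison shows the narrowing described in Step 1.4: the same Firefox injection with a different method is suppressed by the two-expression rule but not by the three-expression rule.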