Sensor Policies

System and policy administrators can configure security settings for sensors in their organization by creating custom policies that can be applied to sensor groups or individual sensors. Each policy contains a customized set of security settings, allowing organizations to configure and manage sensor security at scale.

Policy Management

System and policy administrators can configure security settings for sensors in their organization in the following ways:

  • Create sensor security policies in the System > Policies management screen

  • Assign policies to sensor groups

  • Assign policies to individual sensors (sensors not in a sensor group)

  • Override specific policy settings on an individual sensor

  • Personalize the installer package prior to installation (Windows only). For more information on this option, contact Technical Support.

Using these methods, administrators can customize security settings for the following features:

The Cybereason platform normally applies policy changes to sensors within two minutes, but other factors may increase the sensor update time. In such cases, the update may take up to 12 hours.


The Default policy

When you first use your environment, the environment contains the Default policy. The Cybereason platform configures the initial Default policy with the default settings for each feature.

While you cannot set one of your created policies as the Default policy, you can edit the Default policy settings. If installation parameters specify security settings that conflict with Default policy settings, the sensor retains the installation settings, and is considered non-compliant with the Default policy. See Policy compliance for more information on non-compliance.

If an administrator does not assign a specific policy to the sensor, the sensor adopts the settings in the Default policy, denoted with a star icon in the Policies management screen. The Default policy is also automatically applied to all new sensors.

The Legacy Configuration policy

The Legacy Configuration policy, denoted by a clock icon, applies to sensors with a Cybereason version prior to 19.1, and contains settings previously defined on the Sensor policy screen. (Note that the Sensor policy screen is not available in versions 19.1 and later.) Sensors with individual settings retain their security settings.

For example, you might upgrade your Cybereason server to version 19.1 but not upgrade sensor A. When the Cybereason server upgrade is complete, the UI will show sensor A as having the Legacy Configuration policy.

Policy compliance

Policy compliance indicates whether or not any manual security settings that were applied to a specific sensor match the settings specified in the sensor’s assigned policy.

If you modify a specific security setting, such as the Anti-Malware mode, on an individual sensor, your setting overrides the setting in the sensor’s associated policy. Because of this, individual sensors may have security settings which differ from those in their assigned policy. These sensors are considered Non-compliant. Cybereason recommends that policy administrators configure individual sensors sparingly, as individual settings can be difficult to manage.

A sensor is considered compliant with its assigned policy if no sensor-specific configurations conflict with settings in the policy. For example, altering the Anti-Malware setting on a specific sensor will make that sensor non-compliant with its current policy.

Note

You can only set individual security settings for sensors that are either not in a sensor group, or whose sensor group does not have an assigned policy.

Note

Compliance does not apply to the Legacy Configuration policy.

View policy compliance

You can view and search for sensor compliance from the System > Sensors screen using the Policy compliance filter or column. Policy compliance values are as follows:

  • True: The sensor’s security settings match those of its assigned policy (i.e., the sensor does not contain additional overrides).

  • False: The sensor’s security settings are different from those specified in its assigned policy (for example, a sensor whose Anti-Malware setting was overridden using the System > Sensors screen).

In addition, the Policies management screen has a Non compliant sensor column that lists the number of sensors that are assigned to a particular policy but do not fully adhere to the policy.

Note

Policy compliance does not necessarily reflect the status of a given feature. For example, offline sensors can still be considered compliant with their assigned policy even though their features are not currently active.

As soon as you assign a policy to an individual sensor, the platform records the action with the “actionSuccess” label in the action log (which you can download from the Users screen), even if the sensor is offline. However, the Policy compliance column on the System > Sensors screen will not update until the sensor is back online. Therefore, a policy can be successfully assigned to an offline sensor while the Policy compliance column still reads “Non-compliant” until the sensor is back online.
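
The compliance rules above can be applied to exported sensor and action-log data to separate real override drift from stale readings on offline sensors. This is an added example, not Cybereason code; the CSV column names, the `assign_policy` action name, the policy names other than Default and Legacy Configuration, and all sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample data. Column names are hypothetical, not a Cybereason export format.
SENSORS_CSV = """sensor,policy,policy_compliance,status
host-a,Default,True,Online
host-b,Servers,False,Online
host-c,Servers,False,Offline
host-d,Legacy Configuration,,Online
host-e,Default,True,Offline
host-f,Workstations,False,Offline
"""

ACTION_LOG_CSV = """time,sensor,action,label
2024-01-10T09:00:00Z,host-c,assign_policy,actionSuccess
2024-01-10T09:05:00Z,host-b,assign_policy,actionSuccess
"""

def assigned_sensors(action_log_text):
    """Sensors with a policy assignment recorded as actionSuccess."""
    rows = csv.DictReader(io.StringIO(action_log_text))
    return {r["sensor"] for r in rows
            if r["action"] == "assign_policy" and r["label"] == "actionSuccess"}

def triage(sensors_text, action_log_text):
    """Map each sensor to a verdict based on the page's compliance rules."""
    assigned = assigned_sensors(action_log_text)
    result = {}
    for row in csv.DictReader(io.StringIO(sensors_text)):
        offline = row["status"] == "Offline"
        if row["policy"] == "Legacy Configuration":
            verdict = "not_applicable"          # compliance does not apply
        elif row["policy_compliance"] == "True":
            # Compliant does not mean the features are active on an offline sensor.
            verdict = "compliant_but_offline" if offline else "compliant"
        elif offline and row["sensor"] in assigned:
            verdict = "pending_checkin"         # column is stale until back online
        else:
            verdict = "override_review"         # likely a sensor-level override
        result[row["sensor"]] = verdict
    return result

if __name__ == "__main__":
    for sensor, verdict in triage(SENSORS_CSV, ACTION_LOG_CSV).items():
        print(f"{sensor:8} {verdict}")
```

Sensors reported as `override_review` are the ones whose individual settings should be compared against their assigned policy; `pending_checkin` sensors only need rechecking once they reconnect.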