Declarations of Policy Violation

See also

If you want to know more about the Declarations of Policy Violation™ concept, read this page.

Declarations of Policy Violation (DoPV) Overview and Key Features

Explore Page

The Explore page provides an overview of various categories of policy violations within the network, including Adware, Custom Policy Violations, and Potential Data Leakage. Each category displays key metrics such as:

  • New Victims: The number of new assets affected by the specific policy violation.

  • Covered Policies: The total number of policies associated with each violation type.

  • Detection Methods: The methods used to identify the violations, with counts indicating their usage.

Explore Page Overview

This page gives quick access to the current state of policy violations and helps you understand the scope and impact of each category within the network.

From the Explore page, you can easily navigate to each category of interest.

Policy Violation Families Pages

Each Policy Violation Family page provides insights into specific threat families related to policy violations within your network. This page is organized into three main tabs:

Assets Tab: Lists all assets affected by the selected threat family. It includes:
  • Asset Type: Displays the type of assets involved, such as IP addresses.

  • DoPV/DoC Threats: Shows associated threats linked to the threat family.

  • Seen Dates: Records the first and last seen dates of each asset concerning the threat.

  • Roles and Network Info: Provides additional context about the assets, including their roles within the network and related network information.

Metadata Tab: Provides detailed information about the specific IPs and hosts affected by the threat family. It includes:
  • IPs and Hosts: Lists the impacted IP addresses and hostnames.

  • Policy Violations: Identifies the specific policy violations associated with each IP or host.

  • First and Last Seen: Shows when these violations were first detected and when they were last observed.

  • Additional Details: Such as protocols and geographical locations, offering a broader context of the threat’s scope and impact.

Network Tree Tab: Offers a visual representation of the network infrastructure related to the threat family. It displays:
  • Hierarchical Relationships: Illustrates how different nodes are connected within the network, highlighting the flow and root of the policy violations.

  • Interactive Elements: Helps users pinpoint critical nodes and understand the spread of the threat within the network.

Each tab on the Threat Family page provides valuable data that aids in understanding, tracking, and managing the threat family across your organization’s network.

Additional Features:

  • Investigate Events Button:
    • Located at the top right corner, this button allows you to dive deeper into the threat data by automatically applying a threat family filter and redirecting you to the Dashboards page. Here, you can explore all relevant information related to this threat family.

    • From there you can navigate to specific pages such as Hosts, Events or Detection Methods for further investigation and targeted actions. The Events page also carries the evidence logs and data for an event: related flow records, anomalies, alerts, protocol transactions and file transaction logs, plus file extraction, packet capture (PCAP) and the detection logic of the specific event.

  • Threat Family Variants:
    • Below the main description, the page may display different variants of the threat family, such as specific types of unwanted programs or adware variants. Each variant is listed with associated metrics like the number of methods, last seen dates, and version information, allowing you to distinguish between various subcategories of the threat.

  • Filters and Sorting:
    • The filter input field allows you to refine the displayed data by applying filters based on asset type, threat, date ranges, and more. This helps in narrowing down the data to focus on specific aspects of the threat family that are most relevant to your investigation.

    • Data in the Assets table can be sorted by columns such as asset type, first seen date or last seen date, giving you flexibility in how you view and prioritize the information.

  • Export Options:
    • The Metadata tab provides an export function (CSV format) that lets you download the displayed data for offline analysis or reporting. This is particularly useful for documenting findings or sharing insights.


Each element of the Threat Family page is designed to provide detailed, actionable insights into the nature and impact of Policy Violations associated with specific threat families, enabling effective monitoring and response strategies.

See also

If you want to know more about enabling and disabling threat families and threats for Declarations of Policy Violations™, read this section.

Custom Declarations of Policy Violations

From the Hunting interface, it is possible to create custom Declarations of Policy Violation (DoPV) that will appear in the NDR app > Policy Violations > Explore page > in the Custom Policy Violations threat family.

Once you have created a filter that matches a specific violation in your environment, click the Policy Actions dropdown and select Create declaration events.

Then select the Policy Violation radio button. This option lets you create custom Declarations of Policy Violations (DoPVs) by specifying detection criteria based on various parameters.

If the filter detects an already existing threat, select that threat; otherwise create a new threat by clicking the + icon next to the Threat Name field.

Defining Custom Detection for Declarations of Policy Violations

  • Track Options: The only allowed tracking option is Track Victim, which focuses on the impacted asset.

  • Victim Key: Enter the field name that represents the impacted asset, such as src_ip or dest_ip.

  • Victim Type: Choose the type of the impacted asset. Options include IP, Username, or Mail.

  • Kill Chain: This is always set to Policy Violation and cannot be modified.

  • Offender Key: Specify the field name that identifies the offending system, such as src_ip or dest_ip.

  • Offender Type: The offender type is predefined as IP and cannot be changed.

  • Ruleset: Select one or more rulesets in which to deploy the changes. This determines where the custom detection rules will be applied.

Declaration of Policy Violation Modal

Then, you can decide to:

  • Generate DoPVs from historical data: You can generate DoPVs from historical data by checking the relevant option. This is useful for retroactive analysis of past data.

  • Generate webhooks events from historical data: When selected, this option will trigger webhook events based on historical data that matches the defined detection criteria. This enables integration with external systems by sending notifications.

Once all required fields are filled and options are configured, click Submit to save and activate the custom detection rule.

Depending on your environment, generating historical events may take some time. Progress can be followed under Status of tasks, in a task named Stamus Events Creation (Management app > Appliances > Tasks in the left panel).

Important

Once a new Declaration of Policy Violation has been created, update and push the ruleset; the detection is not active on the probes until you do.

Note

Once you have created the custom DoPV, you will be redirected to the Policies page, where a specific Policy action for that Declaration of Policy Violation will be created.

Important

Deleting the associated Policy action will automatically delete the associated custom threat.

DoPV Suppression

You may decide to suppress a Declaration of Policy Violation so that it no longer appears. There are two approaches to creating a suppression.

Suppress By Metadata Fields Combinations in Hunting

To suppress specific metadata fields combinations within the Stamus Central Server Platform, you can use the Hunting -> Dashboard interface. Follow the steps below to apply suppression policies based on your desired filters:

  1. Navigate to the Hunting -> Dashboard Interface

  2. Apply Filters of interest

    • Use the available filters in the Dashboard to select the metadata fields and values that you want to suppress. This can be any combination of fields relevant to your needs.

  3. Add a Suppress Action:

    • Once you have applied the desired filters, open the Policy Actions menu.

    • Select Add a suppress Action from the dropdown.

  4. Submit the Suppress Policy Action:

    • Review your suppression settings and click Submit.

    • Upon submission, you will be automatically redirected to the Policies page where your new suppression policy is listed.

Edit or delete custom DoPV

Important

Don’t forget to update and push the ruleset so that the suppression policy action is propagated throughout the system. Until the ruleset is pushed, the suppression is only stored on the Policies page and is not enforced during threat detection.

By following these steps, you can effectively suppress specific metadata fields combinations, improving the accuracy and relevance of your threat detection in the Stamus Security Platform.

Suppress By Method ID and IP address

With this approach, the suppression is expressed as a combination of a Method ID (signature ID) and an IP address or subnet of an Offender.

To do so:

  1. Go to Management app

  2. Go to the Rulesets page

  3. Click on Edit ruleset (ruleset where the DoPV is deployed)

  4. Under Expert mode, configure event suppression under Suppress events

  5. Update/push ruleset in order to apply the suppression

suppress gen_id 2, sig_id 1002025885, track by_src, ip 107.182.230.25/8

The tracking can be by_src, by_dst or by_either: by_src compares the address with the source IP of the alert, by_dst with the destination IP, and by_either with both. The ip value is a single address, a CIDR subnet or an address variable. Note that the mask applies to the network, not to the host written before it: 107.182.230.25/8 suppresses every offender in 107.0.0.0/8. Use a /32 when only a single host should be suppressed.

Note

gen_id corresponds to the gid of the signature, which is always 2 for Declarations of Policy Violations

Note

Variables can also be used for the ip value, provided the variable is defined in the probe settings, for example:

suppress gen_id 2, sig_id 1002025885, track by_either, ip $SCANNERS

Finding the sig_id

To find the sig_id required for the event suppression, go under Operational Center and:

  • Open the Asset Table

  • Unfold the desired asset such as 10.7.5.101

  • Under the Detection Methods tab, identify the sig_id of the appropriate signature as illustrated in the following screenshot

Finding the signature SID in assets table
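The following script is an added example for this page, not Stamus or Suricata code. It re-implements the matching semantics of a suppress entry (gen_id, sig_id, track by_src/by_dst/by_either, ip address, subnet or variable) so that a suppression can be dry-run against exported EVE alerts before the ruleset is pushed, and it reproduces the sig_id lookup described above by listing the gid 2 signature IDs seen on an asset. The EVE JSON lines, the asset 10.7.5.101, the offender addresses and the $SCANNERS variable definition are all constructed for illustration; on a real probe the variable comes from the probe settings.

```python
"""Dry-run Suricata-style suppress entries against EVE alert records.

Added example for the documentation page, not Stamus or Suricata code.
The EVE lines, addresses and the $SCANNERS definition are constructed.
"""
import ipaddress
import json
import re

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+)\s*$"
)

# Assumed address-variable definitions (on a real probe: the probe settings).
ADDRESS_VARS = {"$SCANNERS": ["10.7.5.200/32", "192.0.2.0/24"]}

# Constructed EVE records; gid 2 marks a Declaration of Policy Violation.
EVE_LINES = [
    '{"event_type":"alert","src_ip":"107.182.230.25","dest_ip":"10.7.5.101","alert":{"gid":2,"signature_id":1002025885,"signature":"DoPV example A"}}',
    '{"event_type":"alert","src_ip":"107.9.1.1","dest_ip":"10.7.5.101","alert":{"gid":2,"signature_id":1002025885,"signature":"DoPV example A"}}',
    '{"event_type":"alert","src_ip":"10.7.5.101","dest_ip":"107.182.230.25","alert":{"gid":2,"signature_id":1002025885,"signature":"DoPV example A"}}',
    '{"event_type":"alert","src_ip":"107.182.230.25","dest_ip":"10.7.5.101","alert":{"gid":2,"signature_id":1002025886,"signature":"DoPV example B"}}',
    '{"event_type":"alert","src_ip":"107.182.230.25","dest_ip":"10.7.5.101","alert":{"gid":1,"signature_id":1002025885,"signature":"plain IDS rule"}}',
    '{"event_type":"flow","src_ip":"10.7.5.101","dest_ip":"10.7.5.200"}',
]

TRACK_FIELDS = {
    "by_src": ("src_ip",),
    "by_dst": ("dest_ip",),
    "by_either": ("src_ip", "dest_ip"),
}


def parse_suppress(line, address_vars=ADDRESS_VARS):
    """Parse one suppress entry into gid, sid, track mode and target networks."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid suppress entry: {line!r}")
    gid, sid, track, target = m.groups()
    if target.startswith("$"):
        if target not in address_vars:
            raise KeyError(f"address variable {target} is not defined on the probe")
        specs = address_vars[target]
    else:
        specs = [target]
    # strict=False drops the host bits, as the probe does: 107.182.230.25/8
    # becomes 107.0.0.0/8, i.e. the whole /8 is suppressed, not one host.
    nets = [ipaddress.ip_network(s, strict=False) for s in specs]
    return {"gid": int(gid), "sid": int(sid), "track": track, "nets": nets}


def is_suppressed(rule, event):
    """True if gid, sid and the tracked address(es) of this alert match the rule."""
    if event.get("event_type") != "alert":
        return False
    alert = event["alert"]
    if alert["gid"] != rule["gid"] or alert["signature_id"] != rule["sid"]:
        return False
    for field in TRACK_FIELDS[rule["track"]]:
        addr = ipaddress.ip_address(event[field])
        if any(addr in net for net in rule["nets"]):
            return True
    return False


def dry_run(suppress_line, eve_lines=EVE_LINES):
    """Split the alert events into (suppressed, kept) for one suppress entry."""
    rule = parse_suppress(suppress_line)
    suppressed, kept = [], []
    for line in eve_lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        (suppressed if is_suppressed(rule, event) else kept).append(event)
    return suppressed, kept


def dopv_sids_for_asset(asset_ip, eve_lines=EVE_LINES):
    """Sorted gid 2 signature IDs seen on an asset, as source or destination."""
    sids = set()
    for line in eve_lines:
        event = json.loads(line)
        if event.get("event_type") != "alert" or event["alert"]["gid"] != 2:
            continue
        if asset_ip in (event["src_ip"], event["dest_ip"]):
            sids.add(event["alert"]["signature_id"])
    return sorted(sids)


if __name__ == "__main__":
    for entry in (
        "suppress gen_id 2, sig_id 1002025885, track by_src, ip 107.182.230.25/8",
        "suppress gen_id 2, sig_id 1002025885, track by_src, ip 107.182.230.25/32",
        "suppress gen_id 2, sig_id 1002025885, track by_either, ip 107.182.230.25/32",
        "suppress gen_id 2, sig_id 1002025885, track by_either, ip $SCANNERS",
    ):
        sup, kept = dry_run(entry)
        print(f"{entry}\n  suppressed={len(sup)} kept={len(kept)}")
    print("DoPV sig_ids on 10.7.5.101:", dopv_sids_for_asset("10.7.5.101"))
```

Running it shows the /8 entry hiding alerts from a second, unrelated 107.x offender while the /32 entry hides only the intended host, the by_either variant also hiding the alert in which the offender is the destination, and a lookup of 10.7.5.101 returning both DoPV signature IDs and ignoring the gid 1 alert. The parser refuses an undefined address variable and an entry written without the ip keyword, which are the two mistakes that otherwise surface only at ruleset push time.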

Find the Offender IP

To find the Offender IP required for the event suppression, go under Operational Center and:

  • Go to Threat Family page

  • Select a Threat

  • Go to the Assets tab

  • Select Offenders from the Ctrl menu to the right of each impacted asset

Finding the offender IP in the assets table