Declarations of Policy Violation®

See also

If you want to know more about Declarations of Policy Violation® concept, read this page.

Custom Declarations of PoPV

From the Hunting interface, it is possible to create custom Declarations of Policy Violation (DoPV) that will appear in the NDR app > Policy Violations > Explore page > in the Custom Policy Violations threat family.

Once you have created a filter that matches a specific violation in your environment, click the Policy Actions dropdown and select Create declaration events.

Then, you need to select the Policy Violation radio button. This option would allow you to create custom Declarations of Policy Violations (DoPVs) by specifying detection criteria based on various parameters.

If the filter allows detecting an already existing threat, select that threat otherwise create a new threat by clicking on the + icon next to the Threat Name section.

Defining Custom Detection for DoPV

  • Track Options: The only allowed tracking option is Track Victim, which focuses on the impacted asset.

  • Victim Key: Enter the field name that represents the impacted asset, such as src_ip or dest_ip.

  • Victim Type: Choose the type of the impacted asset. Options include IP, Username, or Mail.

  • Kill Chain: This is always set to Policy Violation and cannot be modified.

  • Offender Key: Specify the field name that identifies the offending system, such as src_ip or dest_ip.

  • Offender Type: The offender type is predefined as IP and cannot be changed.

  • Ruleset: Select one or more rulesets in which to deploy the changes. This determines where the custom detection rules will be applied.

Declaration of Policy Violation Modal

Then, you can decide to:

  • Generate DoPVs from historical data: You can generate DoPVs from historical data by checking the relevant option. This is useful for retroactive analysis of past data.

  • Generate workflows events from historical data: When selected, this option will trigger webhook events based on historical data that matches the defined detection criteria. This enables integration with external systems by sending notifications.

Once all required fields are filled and options are configured, click Submit to save and activate the custom detection rule.

Depending on your environment, the generation of historical events may take some time. The progression can be observed under Status of tasks with a task named Stamus Events Creation (Management app > Appliances > Left Panel (Tasks) )

Important

Once a new Declaration of Policy Violation has been created, please update/push ruleset.

Note

Once you have created the custom DoPV, you will be redirected to the Policies page, where a specific Policy action for that Declaration of Policy Violation will be created.

Important

Deleting the associated Policy action will automatically delete the associated custom threat.

DoPV Suppression

You may decide to suppress a Declaration of Policy Violation from appearing. There are two approaches to creating a suppression.

Suppress By Metadata Fields Combinations in Hunting

To suppress specific metadata fields combinations within the Clear NDR® Central Server Platform, you can use the Hunting -> Dashboard interface. Follow the steps below to apply suppression policies based on your desired filters:

  1. Navigate to the Hunting -> Dashboard Interface

  2. Apply Filters of interest

    • Use the available filters in the Dashboard to select the metadata fields and values that you want to suppress. This can be any combination of fields relevant to your needs.

  3. Add a Suppress Action:

    • Once you have applied the desired filters, open the Policy Actions menu.

    • Select Add a suppress Action from the dropdown.

  4. Submit the Suppress Policy Action:

    • Review your suppression settings and click Submit.

    • Upon submission, you will be automatically redirected to the Policies page where your new suppression policy is listed.

Edit or delete custom DoPV

Important

Don’t forget to update/push the ruleset to ensure that the suppression policy action is propagated throughout the system. This step is essential for your changes to take effect and be enforced during threat detection and response.

By following these steps, you can effectively suppress specific metadata fields combinations, improving the accuracy and relevance of your threat detection in Clear NDR®.

Suppress By Method ID and IP address

With this approach, the suppression will be performed by combining a Method ID and an IP address, or subnet, of an Offender.

To do so:

  1. Go to Management app

  2. Go to the Rulesets page

  3. Click on Edit ruleset (ruleset where the DoPV is deployed)

  4. Under Expert mode, configure event suppression under Suppress events

  5. Update/push ruleset in order to apply the suppression

suppress gen_id 2, sig_id 1002025885, track by_src, ip 107.182.230.25/8

The tracking can be either by_src, by_dst or by_either.

Note

gen_id corresponds to the gid of the signature, which is always 2 for Declarations of Policy Violations

Note

Variables can be used for the ip as well but make sure that this variable is defined on the probe settings

suppress gen_id 2, sig_id 1002025885, track by_either, ip $SCANNERS

Finding the sig_id

To find the sig_id required for the event suppression, go under Operational Center and:

  • Open the Asset Table

  • Unfold the desired asset such as 10.7.5.101

  • Under the Detection Methods tab, identify the sig_id of the appropriate signature as illustrated in the following screenshot

Finding the signature SID in assets table

Find the Offender IP

To find the Offender IP required for the event suppression, go under Operational Center and:

  • Go to Threat Family page

  • Select a Threat

  • Go to the Assets tab

  • Select Offenders from the Ctrl menu on the right of each impacted assets

Finding the offender IP in the assets table