Analyzing Violations

Declaration of Policy Violation®

Overview

Declarations of Policy Violations® (DoPV) are a high-precision event category within the Clear NDR® Central Server Platform, designed to identify and alert on unauthorized activities and policy violations in your network.

Similar to Declaration of Compromise® (DoC), DoPVs focus on specific policy breaches, such as the use of clear text passwords, outdated TLS versions, Exired TLS certificates, outdated and legacy protocols, insecure cipher suites, TOR browser usage and other.

Important

Any DoPV event, including custom defined ones, as well as any detection event is accompanied by its corresponding Evidence.

Key Features

  • High-Fidelity Alerts: DoPVs provide clear and actionable notifications for specific policy violations, helping security and IT teams to identify issues promptly.

  • Custom DoPVs: Users have the ability to create custom DoPVs to monitor policy violations that are unique to their organization’s requirements.

  • Proactive Security: By receiving precise alerts on policy breaches, teams can quickly address these issues to prevent them from escalating into security incidents or breaches.

DoPVs empower your security and IT teams with the visibility and control needed to enforce policy compliance across the organization, ensuring a stronger security posture and reducing the risk of breaches due to policy violations.

DoPVs Concept Example

Continuous Compliance and Security Audits

The power of the DoPV is that it gives security, governance, and risk personnel a continuous and real-time understanding of significant policy violations taking place in their organizations.

Unlike Declarations of Compromise (DoC) which alert organizations to high-priority threats, DoPVs focus on unauthorized activities or policy violations that may not necessarily be malicious but still pose a risk to the organization.

Examples may include insecure protocols, outdated TLS versions, expired TLS certificates, vulnerable systems, software, TOR browser usage, or unencrypted (clear text) passwords. These fall largely into two families of detections:

  • Adware – This detection family identifies unwanted software designed to display advertisements to users, most often within a web browser. These are dangerous because they can become weaponized

  • Potential Data Leakage – This detection family identifies security vulnerabilities and risky behaviors that could lead to unauthorized data exposure or exfiltration. The detections focus on conditions that create pathways for sensitive information to leave the organization through insecure channels or compromised systems.

You can see more detailed examples from the Potential Data Leakage family coverage here:

Declarations of Policy Violations

How to Identify DoPVs in Clear NDR® User Interface

You may start an investigation into a policy violation from the Operations Center. Click on Declaration of Policy Violations (Policy Violations)

Declarations of Policy Violations

Custom DoPVs

In addition to those built-in and included in the daily threat detection updates, users may create their own through a process known as escalation, whereby the results of an investigation or hunt can be turned into a DoPV rule. These custom DoPVs are built using the filters and may be used for real-time policy violation detection on future network traffic or applied retroactively to historic data. More information can be found here Custom Declarations of PoPV

Viewing the DoPVs in the Hunt and Investigation Console

To view all DoPVs from Clear NDR® Hunting dashboard, toggle the event type Detection and Sightings to the off position, add a filter to add the events in the policy violation phase of the kill chain. See instructions below.

Declarations of Policy Violations

How to Identify a DoPV Event Using a SIEM Query

Below is an example of how to query your SIEM for a DoPV.

Note

The query uses Event Type \= Stamus and the DoPV qualifier: Stamus events that are not associated with a kill chain phase. This query and results are valid for U42 and later releases.

Query:

"event_type":"stamus" + "kill_chain":"pre_condition" + unique  asset_info.incident_id

This will return the DoC JSON log entry that includes Stamus Event information. See example below.

"stamus": {
  "extra_info": null,
  "source": "212.193.30.21",
  "family_name": "Adware",
  "incidents_id": [118],
  "threat_id": 1058,
  "asset_net_info": "wifi-users-hq.organization-acme",
  "pk": 1218,
  "asset_info": {
    "last_seen": "2025-07-24T03:36:27.077767Z",
    "event_id": 183,
    "first_seen": "2025-07-24T03:36:27.077767Z",
    "incident_id": 118,
    "kill_chain": "pre_condition",
    "state": "new"
  },
  "method_id": 1002010595,
  "family_type": "family",
  "event_id": 183,
  "offender_type": "ip",
  "asset_type": "ip",
  "family_id": 23,
  "threat_name": "Potentially Unwanted Program",
  "asset": "192.168.100.238",
  "kill_chain": "pre_condition"
}

Note

This query returns only the first Stamus Event that triggered a DoPV.

Important

For detailed explanation of each field please refer to Stamus Events

DoPV Page

Explore Page

The Explore page provides an overview of various categories of policy violations within the network, including Adware, Custom Policy Violations, and Potential Data Leakage. Each category displays key metrics such as:

  • New Victims: The number of new assets affected by the specific policy violation.

  • Covered Policies: The total number of policies associated with each violation type.

  • Detection Methods: The methods used to identify the violations, with counts indicating their usage.

Explore Page Overview

This page facilitates quick assess to the current state of policy violations and understanding the scope and impact of each category within the network.

From the Explore page, you can easily navigate to each category of interest.

Policy Violation Families Pages

Each Policy Violation Family page provides insights into specific threat families related to policy violations within your network. This page is organized into three main tabs:

Assets Tab: Lists all assets affected by the selected threat family. It includes:

  • Asset Type: Displays the type of assets involved, such as IP addresses.

  • DoPV/DoC Threats: Shows associated threats linked to the threat family.

  • Seen Dates: Records the first and last seen dates of each asset concerning the threat.

  • Roles and Network Info: Provides additional context about the assets, including their roles within the network and related network information.

Metadata Tab: Provides detailed information about the specific IPs and hosts affected by the threat family. It includes:

  • IPs and Hosts: Lists the impacted IP addresses and hostnames.

  • Policy Violations: Identifies the specific policy violations associated with each IP or host.

  • First and Last Seen: Shows when these violations were first detected and when they were last observed.

  • Additional Details: Such as protocols and geographical locations, offering a broader context of the threat’s scope and impact.

Network Tree Tab: Offers a visual representation of the network infrastructure related to the threat family. It displays:

  • Hierarchical Relationships: Illustrates how different nodes are connected within the network, highlighting the flow and root of the policy violations.

  • Interactive Elements: Helps users pinpoint critical nodes and understand the spread of the threat within the network.

Each tab on the Threat Family page provides valuable data that aids in understanding, tracking, and managing the threat family across your organization’s network.

Additional Features:

  • Investigate Events Button:

    • Located at the top right corner, this button allows you to dive deeper into the threat data by automatically applying a threat family filter and redirecting you to the Dashboards page. Here, you can explore all relevant information related to this threat family.

    • You can navigate to specific pages like Hosts, Events or Detection Methods for further investigation and targeted actions. Also available in the Events page are the evidence logs and data that can include any related flow records, anomalies, alerts, protocol transactions, and file transaction logs, plus file extraction, packet capture (PCAP) and the detection logic of a specific event.

  • Threat Family Variants:

    • Below the main description, the page may display different variants of the threat family, such as specific types of unwanted programs or adware variants. Each variant is listed with associated metrics like the number of methods, last seen dates, and version information, allowing you to distinguish between various subcategories of the threat.

  • Filters and Sorting:

    • The filter input field allows you to refine the displayed data by applying filters based on asset type, threat, date ranges, and more. This helps in narrowing down the data to focus on specific aspects of the threat family that are most relevant to your investigation.

    • Data in the Assets table can be sorted by columns such as asset type, first seen date, last seen date, providing flexibility in how you view and prioritize the information.

  • Export Options:

    • The Metadata tab provides an export function (in csv format), allowing you to download the displayed data for offline analysis or reporting purposes. This can be particularly useful for documenting findings or sharing insights.

Explore Page Overview

Each element of the Threat Family page is designed to provide detailed, actionable insights into the nature and impact of Policy Violations associated with specific threat families, enabling effective monitoring and response strategies.

See also

If you want to know more about enabling/disabling threat families and threats with regards to Declarations of Policy Violations ™, read this section.