Managing policies

You can create allowlist and blocklist policies in QRadar® EDR that are not linked with alerts. You can also activate preexisting protection policies on your endpoints through the QRadar EDR Agent, and create custom detection strategy policies.

About this task

QRadar EDR has four types of policies.

Allowlist
Use an allowlist policy to specify false positives and behavior for which you don't want to receive an alert. An allowlist policy can override a protection policy.
Blocklist
Use a blocklist policy to either automatically block processes or automatically create an alert for a process. Blocklist policies have the highest priority. Other policies cannot override a blocklist policy.
Blocklist policies that start with Hive-Cloud policy are added automatically by the Hive-Cloud service when an executable file that is observed for the first time in your infrastructure is identified as malicious. Hive-Cloud determines whether the executable file is malicious by comparing it with information that is retrieved from public threat intelligence sources. These policies are in alert-only mode and their scope is global.
Protection
When a protection policy is enabled, the QRadar EDR Agent switches from EDR mode to EPP mode and automatically blocks any process that triggers the policy. When the agent blocks a process, it creates an alert. An allowlist policy can override a protection policy.
DeStra
Detection strategy (DeStra) policies are custom policies that you create based on information that is gathered from events that the QRadar EDR Agent collects. DeStra policies use LUA scripts and run at the endpoint level. DeStra policies are supported on Linux®, macOS, and Windows.

QRadar EDR includes some allowlist, blocklist, and protection policies. You can create your own allowlist, blocklist, and detection strategy policies.

Viewing policy priority

The highest priority based first on the scope of a policy, then the type of the policy, and then the matchers of the policy.

About this task

The following table shows the policy priority matrix.

Table 1. Policy priority matrix
1. Scope 2. Type 3. Matchers
  1. Subgroup
  2. Group
  3. Global
  1. Blocklist
  2. Allowlist
  3. Protection
  1. Trigger Hash
  2. Trigger Filename+Cert
  3. Trigger Directory
  4. Process Hash
  5. Process Cert
  6. Process Directory

Procedure

  1. Hover over a policy name and select the checkbox that appears.
    Tip: You can select more than one policy at a time to see the priority of multiple policies in relation to each other.
  2. Click Show Priority.

Creating an allowlist policy

Procedure

  1. Click Policies.
  2. Click Create Policy.
  3. Click Whitelist.
  4. Enter a Policy Name and Description for your policy.
  5. If you're in an MSSP environment, select the target clients or groups for your policy.

    If you select a client, all groups within the client inherit the policy.

  6. Choose the Matcher for your policy.
    • Application
      1. Select App Directory or Binary Hash.
      2. If you chose App Directory, enter app directories in a comma-separated list.
      3. If you chose Binary Hash, enter one binary hash per line, or separated by spaces on one line.
    • Behaviour-based
      1. Select App Directory or Binary Hash.
      2. Choose a Trigger Type from the list.
      3. If you chose App Directory, enter app directories in a comma-separated list.
      4. If you chose Binary Hash, enter one binary hash per line, or separated by spaces on one line.
  7. Click Create.

Creating a blocklist policy

Procedure

  1. Click Policies.
  2. Click Create Policy.
  3. Click Blacklist.
  4. Enter a Policy Name and Description for your policy.
  5. If you're in an MSSP environment, select the target clients or groups for your policy.

    If you select a client, all groups within the client inherit the policy.

  6. Choose the Matcher for your policy.
    • Application
      1. Select App Directory or Binary Hash.
      2. If you chose App Directory, enter app directories in a comma-separated list.
      3. If you chose Binary Hash, enter one binary hash per line, or separated by spaces on one line.
    • Behaviour-based
      1. Select App Directory or Binary Hash.
      2. Choose a Trigger Type from the list.
      3. If you chose App Directory, enter app directories in a comma-separated list.
      4. If you chose Binary Hash, enter one binary hash per line, or separated by spaces on one line.
  7. If you want to receive an alert rather than block the process, select Alert only.
  8. Click Create.

Editing an allowlist or blocklist policy

About this task

Important: You can edit only the name, description, targets, directory, and hash of a policy. You cannot edit default policies, policies with a source alert, or the scope of a policy to change a global policy to a group policy or vice versa.

Procedure

  1. Click Policies.
  2. Click a policy in the policy list.
  3. Click Edit policy, and update the policy data that you want to change.
  4. Click Save.

Enabling or disabling a policy

Procedure

  1. Click Policies.
  2. Click a policy in the policy list.
  3. Set the policy status to Enabled or Disabled.
  4. Click Yes, Enable or Yes, Disable.

Deleting a policy

Procedure

  1. Click Policies.
  2. Click a policy in the policy list.
  3. Click Delete Policy.
  4. Click Delete.

Creating a DeStra policy

Before you begin

You need to write a LUA script to use with your DeStra policy. For more information about writing LUA scripts for your DeStra policies, including examples, see https://github.com/ReaQta/destra-docs.

If you need assistance with writing LUA scripts to use with your DeStra policies, contact Security Expert Labs (www.ibm.com/security/security-expert-labs) or sel@us.ibm.com.

About this task

Important: Test your DeStra policy in a test group before you apply it globally or to groups that contain sensitive endpoints.

Procedure

  1. Click Destra.
  2. Click Create Detection.
  3. Enter a Destra Name and a Description for your DeStra policy.
  4. Select one or more Binding Events from the list.
    The operating systems that are associated with the binding events are added to the Applied OS field.
  5. If you don't want your DeStra policy to apply to a specific operating system, remove it from the Applied OS field.
  6. If you're in an MSSP environment, select the target clients or groups for your DeStra policy.
  7. Add your LUA script to the Script field.
  8. Click Submit.

Enabling or disabling a DeStra policy

Procedure

  1. Click Destra.
  2. Click a detection strategy in the detection strategy list.
  3. Set the DeStra policy status to Enabled or Disabled.

Deleting a DeStra policy

Procedure

  1. Click Destra.
  2. Click a detection strategy in the detection strategy list.
  3. Click Delete Destra.
  4. Click Delete.