IBM Support

QRadar EDR (formerly ReaQta): Policies and configuration

Question & Answer


Question

What do you need to know about QRadar EDR (formerly ReaQta) policies and configuration?

Answer

Agent Policy Information

The ReaQta-Hive solution supports 4 different types of policies, which are created by the Dashboard user and delivered to the Agent. Through the policies it is possible to configure some of the agent's behaviors, such as suppressing the generation of an alert, blocking or alerting when a process is executed, and automatically blocking a behavior. ReaQta supports the following policy types:

Allowlist: Through an allowlist, it is possible to suppress the generation of an alert in the presence of a false positive, or for a specific behavior for which the user is not interested in receiving an alert. The allowlist can override the protection policy. For example, if an application is generating an alert and the corresponding protection policy is ON, creating the corresponding allowlist stops that specific application from triggering a protection alert.

Blocklist: Through a blocklist, it is possible to automatically block (kill the process of) specific applications and receive an alert every time a block-listed process is executed. The blocklist also supports an "Alert Only" mode: if specified, the process is not killed but the user receives a "Policy Hit" alert. The blocklist has the highest priority and cannot be allowlisted.

Protection: Through protection policies, it is possible to switch the agent from EDR (Endpoint Detection and Response) mode to EPP (Endpoint Protection Platform) mode. By activating one or more protection policies, the Agent automatically blocks (kills) a specific trigger (Cross-Process Operation, ransomware behavior). The protection policy generates an alert when suspicious behavior is detected, regardless of the name, hash, or path of the executable application involved. A specific icon (Shield) indicates the presence of a protective action. Protection policies can be allowlisted.

DeStra: Stands for Detection Strategy and offers the capability to create custom detections based on the information gathered from the events collected by the agent.

Hive-Cloud (optional, if endpoints are internet connected): policies whose names begin with "Hive-Policy" are automatically generated by the external Hive-Cloud service. Hive-Cloud policies are blocklist policies in "Alert Only" mode. The policy is generated when an executable application observed for the first time in the infrastructure is identified as malicious by Hive-Cloud, which retrieves the information from a public Threat Intelligence source. The generated policy has a global scope and is applied to the entire infrastructure.

Important: The Hive-Cloud policy is created once for each detected malicious executable application per server. If a Hive-Cloud policy is deleted, the Hive-Brain does not re-create the policy if the same malicious executable application is seen again.
 

How to create an allowlist

  1. Log in to the ReaQta Hive dashboard.
  2. Go to the Policies page and click the "Create Policy" button. A drop-down box listing the supported policy types is displayed; select Allowlist.
  3. Complete the Create allowlist Policy fields:

    Policy Name: Name the policy to reflect the specific behavior you are looking for across all your endpoints.
    Description (optional): Brief description of what the policy is intended to do.
    Targets: Represents the scope of the policy, that is, where the policy is applied: Global or Group.
    Matcher: Describes the matching criteria for the policy to be triggered. Two types of matchers are available, Application and Behavior-based.
  • Application: As its name implies, it applies to the application itself, and the allow action can be configured in 2 ways:
    • App Directory: Allows the application based on the directory in which the application is located.
      Results: Applications running within the specified App Directory are added to the allowlist and are trusted by the organization.
    • Binary Hash: Allows the application based on the specific hash of the application.
      Results: It adds "application.exe" to the allowlist, granting it access without generating any alert as it is now trusted by the organization.
  • Behavior-based: Focuses on the application only when it exhibits a given behavior. As with the application matcher, it can be configured in 2 ways:
    • App Directory: Allows the application based on the directory in which the application is located, together with the trigger type that represents the intended application behavior.
      Results: Trusts file access from applications in 'Program Files'.
    • Binary Hash: Allows the application based on the specific hash of the application, together with the trigger type that represents the intended application behavior.
      Results: Applications matching the specified hash and trigger type (application behavior) are added to the allowlist and become trusted by the organization.

How to create a blocklist

  1. Log in to the ReaQta Hive dashboard.
  2. Go to the Policies page and click the "Create Policy" button. A drop-down box listing the supported policy types is displayed; select Blocklist.
  3. Complete the Create blocklist Policy fields:

Policy Name: Name the policy to reflect the specific behavior you are looking for across all of your endpoints.
Description (optional): Brief description of what the policy is intended to do.
Targets: Represents the scope of the policy, that is, where the policy is applied: Global or Group.
Matcher: Describes the matching criteria for the policy to be triggered. Two types of matchers are available, Application and Behavior-based.

  • Application: As its name implies, it applies to the application itself, and the block action can be configured in 2 ways:
    • App Directory: Blocks the application based on the directory in which the application is located.
      Results: Any application running within the specified directory and its subdirectories is blocked.
    • Binary Hash: Blocks the application based on the specific hash of the application.
      Results: Applications matching the specified hash are blocked.
  • Behavior-based: Focuses on the application only when it exhibits a given behavior. As with the application matcher, it can be configured in 2 ways:
    • App Directory: Blocks the application based on the directory in which the application is located, together with the trigger type that represents the intended application behavior.
      Results: Any application running within the specified directory and its subdirectories that exhibits ransomware behavior is blocked.
    • Binary Hash: Blocks the application based on the specific hash of the application, together with the trigger type that represents the intended application behavior.
      Results: Applications matching the specified hash and trigger type (application behavior) are blocked.
Note: Never create a blocklist with a single * as this can have a major performance impact to the environment.

How to create a Destra policy

To create a DeStra policy, log in to the Hive dashboard, select the DeStra page, and then click the "Create Detection" button. Once the Create DeStra pull-down is displayed, complete the following steps:
 
  1. Give it a name that reflects the specific behavior you are looking for across all your endpoints.
  2. Select one or more binding events against which the customized logic is evaluated.
  3. Select the operating system the policy applies to. If it applies to all operating systems, multiple selections are possible.
  4. Select the target, which represents the scope of the policy: Global or Group.
  5. Select the blank script environment to pre-fill the necessary logic to look for the specific events. To allowlist a behavior triggered by a DeStra policy, it is necessary to edit the policy script. The complete documentation can be found at the following address: ReaQta DeStra Docs

How to create an Antimalware Exception

This option is license-enabled, which means it is only available when the Hive Guard (Anti-Malware module) is set up at the backend level, on the Hive ReaQta server.
 
  1. From the dashboard, go to the Administration page and select Configure Anti-Malware.
  2. Click "Create Exception".
  3. Complete the fields of the Create Exception form and press the Create button to finish.
There are 2 types of exceptions:
 
  1. Directory based.
    Example: C:\Temp\*
  2. Specific process based. Add the following into the path for the exception: <process><PATH>\<processname>
    Example: <process>C:\ProgramFiles\Viruses\maliciousvirus.exe
Note: Currently, Anti-Malware is only available on 64-bit Windows operating system (OS) machines; 32-bit Windows operating systems are not supported.
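As an added example (not IBM's code and not from the page), the small parser below accepts the two exception forms shown above, a directory entry such as C:\Temp\* and a process entry written as <process><PATH>\<processname>, and checks file paths against them. It assumes that a directory exception covers the directory and its subdirectories, that matching is case-insensitive, and that a process exception needs a full executable path; the sample entries and paths are constructed.

```python
"""Parse Hive Guard (Anti-Malware) exception entries and test paths against them.

Added illustration, not IBM's code. Assumptions: a directory exception (C:\\Dir\\*)
covers the directory and its subdirectories, comparison is case-insensitive, and a
<process> exception must name a full executable path.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

PROCESS_TAG = "<process>"


@dataclass(frozen=True)
class AmException:
    kind: str      # "directory" or "process"
    target: str    # normalized directory prefix, or full executable path


def _norm(path: str) -> str:
    # Windows paths: unify separators, ignore case, drop a trailing separator.
    return path.replace("/", "\\").lower().rstrip("\\")


def parse_exception(entry: str) -> AmException:
    entry = entry.strip()
    if entry.lower().startswith(PROCESS_TAG):
        target = entry[len(PROCESS_TAG):].strip()
        if not target or target.endswith("*"):
            raise ValueError(f"process exception needs a full executable path: {entry!r}")
        return AmException("process", _norm(target))
    if entry.endswith("\\*") or entry.endswith("/*"):
        return AmException("directory", _norm(entry[:-2]))
    raise ValueError(f"unrecognized exception form: {entry!r}")


def is_excepted(path: str, exceptions: Iterable[AmException]) -> bool:
    p = _norm(path)
    for ex in exceptions:
        if ex.kind == "process" and p == ex.target:
            return True
        if ex.kind == "directory" and p.startswith(ex.target + "\\"):
            return True
    return False


# Constructed entries mirroring the two forms shown on the page.
SAMPLE_ENTRIES: List[str] = [r"C:\Temp\*", r"<process>C:\ProgramFiles\Viruses\maliciousvirus.exe"]


def classify(paths: Iterable[str], entries: Iterable[str] = SAMPLE_ENTRIES) -> Dict[str, bool]:
    """Map each path to True when some exception covers it, else False."""
    exceptions = [parse_exception(e) for e in entries]
    return {path: is_excepted(path, exceptions) for path in paths}


if __name__ == "__main__":
    for path, skipped in classify([r"C:\Temp\sub\a.exe", r"C:\Temporary\a.exe"]).items():
        print(f"{path:40} excepted={skipped}")
```

Note that C:\Temporary\a.exe is not covered by C:\Temp\*: the prefix check is done on whole path components, so a directory exception never spills over into a sibling directory that merely shares a name prefix.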
 

Policy Priority Matrix

How does it work?

It defines how the policies are applied, based on order and priority, during ReaQta execution.

What order does it use to process the different policies?
 
The schema is divided into 3 columns, ordered by priority from higher to lower: Scope, Type, Matcher. Within each category, entries are listed from higher to lower priority, top to bottom:
 
  • Scope: Subgroup > Group > Global.
  • Type: Blocklist > Allowlist > Protection.
  • Matcher: Trigger Hash (higher) to Process Directory (lower).
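To make the matrix concrete, the following added example (not IBM's code and not from the page) models the ordering as a sortable key of Scope, then Type, then Matcher, and applies two rules stated earlier on this page: a blocklist has the highest priority and cannot be allowlisted, and an allowlist can override a protection policy. Assumptions are labelled in the code: the page gives only the two ends of the matcher order (Trigger Hash highest, Process Directory lowest), so the position of the two middle matcher kinds is assumed; protection policies, which match on the trigger alone, are ranked below all path and hash matchers; directory matchers cover the directory and its subdirectories. The policies and events are constructed samples.

```python
"""Resolve which QRadar EDR (ReaQta) policy decides the outcome for an observed event.

Added illustration, not IBM's code: it orders matching policies by the Policy
Priority Matrix (Scope > Type > Matcher) and applies the page's rules that a
blocklist cannot be allowlisted and that an allowlist overrides protection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCOPE_RANK = {"subgroup": 0, "group": 1, "global": 2}
TYPE_RANK = {"blocklist": 0, "allowlist": 1, "protection": 2}
MATCHER_RANK = {
    "trigger_hash": 0,        # Behavior-based + Binary Hash: highest (from the page)
    "trigger_directory": 1,   # Behavior-based + App Directory (assumed position)
    "process_hash": 2,        # Application + Binary Hash (assumed position)
    "process_directory": 3,   # Application + App Directory: lowest (from the page)
}


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str                      # subgroup | group | global
    ptype: str                      # blocklist | allowlist | protection
    matcher: str                    # key of MATCHER_RANK, or "trigger_only" for protection
    value: str = ""                 # directory path or binary hash; unused for protection
    trigger: Optional[str] = None   # required for trigger_* matchers and for protection
    alert_only: bool = False        # blocklist "Alert Only" mode


@dataclass(frozen=True)
class Event:
    path: str                       # full path of the executable
    sha256: str
    trigger: Optional[str] = None   # detected behavior; None for a plain execution


def validate(policy: Policy) -> None:
    """Reject the configuration the page warns against: a blocklist on a bare '*'."""
    if policy.ptype == "blocklist" and policy.matcher.endswith("_directory") \
            and policy.value.strip() == "*":
        raise ValueError(f"{policy.name}: a blocklist with a single * is not allowed")


def _in_directory(path: str, directory: str) -> bool:
    # Case-insensitive, separator-agnostic match on the directory and its subdirectories (assumed).
    p = path.replace("\\", "/").lower().rstrip("/")
    d = directory.replace("\\", "/").lower().rstrip("/")
    return p.startswith(d + "/")


def matches(policy: Policy, event: Event) -> bool:
    if policy.ptype == "protection":
        # Protection fires on the trigger regardless of name, hash or path.
        return event.trigger is not None and event.trigger == policy.trigger
    if policy.matcher.startswith("trigger_") and event.trigger != policy.trigger:
        return False
    if policy.matcher.endswith("_hash"):
        return policy.value.lower() == event.sha256.lower()
    return _in_directory(event.path, policy.value)


def priority_key(policy: Policy) -> Tuple[int, int, int]:
    """Lower tuple sorts first: Scope, then Type, then Matcher, as in the matrix."""
    matcher_rank = MATCHER_RANK.get(policy.matcher, len(MATCHER_RANK))  # protection last (assumed)
    return (SCOPE_RANK[policy.scope], TYPE_RANK[policy.ptype], matcher_rank)


def resolve(policies: List[Policy], event: Event) -> Tuple[str, Optional[Policy]]:
    """Return (action, deciding policy): block, alert_only, suppress or no_policy."""
    hits = sorted((p for p in policies if matches(p, event)), key=priority_key)
    if not hits:
        return "no_policy", None
    blocks = [p for p in hits if p.ptype == "blocklist"]
    if blocks:  # a blocklist cannot be allowlisted, so it decides whatever else matched
        winner = blocks[0]
        return ("alert_only" if winner.alert_only else "block"), winner
    winner = hits[0]
    if winner.ptype == "allowlist":
        return "suppress", winner   # allowlist overrides the protection policy
    return "block", winner          # protection policy kills the trigger


# Constructed sample policies and events (not from the page).
POLICIES = [
    Policy("Ransomware protection", "global", "protection", "trigger_only",
           trigger="ransomware_behavior"),
    Policy("Trust backup tool", "global", "allowlist", "trigger_directory",
           r"C:\Program Files\Backup", trigger="ransomware_behavior"),
    Policy("Hive-Policy known bad hash", "global", "blocklist", "process_hash",
           "ab" * 32, alert_only=True),
    Policy("Finance subgroup trust by hash", "subgroup", "allowlist", "trigger_hash",
           "ab" * 32, trigger="ransomware_behavior"),
]
EVENTS = {
    "backup_encrypting": Event(r"C:\Program Files\Backup\backup.exe", "cd" * 32, "ransomware_behavior"),
    "known_bad_plain_run": Event(r"C:\Users\alice\evil.exe", "ab" * 32),
    "known_bad_with_subgroup_allow": Event(r"C:\Users\alice\evil.exe", "ab" * 32, "ransomware_behavior"),
    "unknown_encrypting": Event(r"C:\Temp\tool.exe", "ef" * 32, "ransomware_behavior"),
}


def demo() -> Dict[str, str]:
    for p in POLICIES:
        validate(p)
    return {name: resolve(POLICIES, ev)[0] for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:32} -> {action}")
```

The third sample event is the instructive one: a subgroup allowlist outranks everything in the matrix, yet the global blocklist still decides, because the page states that a blocklist cannot be allowlisted. The first event shows the opposite case, an allowlist silencing a matching protection policy.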
How to view the Policy Priority Matrix?

To view the priority of one or multiple policies, do as follows:
  1. From the Policies page, hover over the wanted policy. A check box is displayed on the left of the policy entry.
  2. Check the box next to the policy or policies. A blue bar is displayed at the bottom of the screen with the option to view priority.
  3. Click Show Priority to open the View Priority window.

Policy FAQ

What is Agent Isolation and how does it work?

Agent Isolation allows the analyst to isolate the endpoint by stopping all network connections on the endpoint except the connection to the ReaQta-Hive Brain. It uses the OS firewall to stop all traffic to and from the agent.

How to isolate an endpoint?

From the Hive dashboard, go to Endpoints, select the endpoint, and then select the 'ISOLATE' button.


Product Synonym

ReaQta

Document Information

Modified date:
17 May 2023

UID

ibm16564717