Managing recommendations

You can find a list of all PHASR recommendations under the PHASR recommendations page.

  1. The View options menu. This section provides you with multiple functions for working with views:

    • Reset view - Revert the saved view to its original state.

    • Show or hide filters - Hide or display the filters menu.

    • Open settings - Display the Settings panel.

      You can use this panel to customize what columns are displayed in the view and enable or disable the Compact view.

  2. The Filters section. You can use these options to customize the recommendations that are displayed in the grid below.

    The following filters are currently available:

    • Company - Use the searchable drop-down menu to filter the list of recommendations based on the name of the company they belong to. Only recommendations belonging to the selected company are displayed. This filter is available only to Partner type companies.

    • Name - Use the searchable drop-down menu to filter the list of recommendations based on their name. Only selected recommendations are displayed.

    • Created on - Use the calendar to select two dates. Only recommendations created between the selected dates are displayed.

    • Behavioral profile identities - Use the searchable drop-down menu to filter the list of recommendations based on the name of the identity they were made for. Only recommendations made for the selected identities are displayed.

    • Behavioral profile resources - Use the searchable drop-down menu to filter the list of recommendations based on the name of the resource they were made for. Only recommendations made for the selected resources are displayed.

    • Targeted activity type - Use the drop-down menu to filter the recommendations based on the name of the targeted activity type. Only recommendations targeting the selected activity types are displayed.

    • Action taken - Use the drop-down menu to filter the recommendations based on the action they recommend to be taken. Only recommendations that suggest the selected actions be taken are displayed.

  3. The Recommendations grid. The grid displays all known PHASR recommendations, based on the PHASR learning phase.

    The information available for each recommendation is displayed under the following columns:

    • Name - The name of the recommendation.

    • Attack surface reduction - Indicates the impact applying the recommendation would have on the total attack surface.

    • Created on - The time and date when the recommendation was created.

    • Description - A description of the recommendation.

    • Target activity type - The type of activity targeted by the recommendation.

      Possible values:

      • Tampering tools

      • Living off the Land Binaries

      • CryptoMiners

      • Remote admin tools

      • Piracy tools

    • Monitored rule - Displays the rule name that was used to generate the recommendation. This column can be hidden.

    • Behavioral profiles - The total number of profiles affected by the vulnerability covered by the recommendation. The column displays a maximum of 9999 items, with the exact count displayed when hovering over the icon.

      Clicking the behavioral profiles icon in the grid opens the Behavioral profiles side panel, which lists the behavioral profiles for which this recommendation was generated.

    • Action taken - The action that was taken as a result of the recommendation.

      Possible values:

      • Action needed

      • Applied

      • Partially applied

    • Company - The company where the recommendation was made.

    Note

    More details regarding the information in each column are available in the Filters section.

  4. Actions menu - Clicking on the inline menu button displays a list of actions available for the recommendation:

    • Restrict access - This option will automatically apply the actions suggested by the recommendation and restrict access for the selected users to the recommended asset. The Action taken field associated with the recommendation will change to Applied or Partially applied.

    • Allow access - This option will automatically apply the actions suggested by the recommendation and allow access for the selected users to the recommended asset. The Action taken field associated with the recommendation will change to Applied or Partially applied.

Restricting access based on a received recommendation

When PHASR detects that user behavior has changed for a user who currently has access to certain assets, it will generate a Restrict access recommendation. Once this recommendation is generated, you can review the behavioral profiles for which it was generated and allow the recommendation to be applied.

You can restrict access based on a specific recommendation by using one of these methods:

  • Click the menu button on the right side of the Recommendations grid and select Restrict access.

  • Click the name of the recommendation under the Name column and select Restrict access from the displayed details side bar.

This will display the Restrict access window.

You can restrict access for an entire department, for specific users, or for specific users on specific devices using the checkboxes available in the Behavioral profiles section.

Select Apply to save your changes.

Allowing access based on a received recommendation

When PHASR detects that user behavior has changed for a user who previously had their access restricted, it may generate an Allow access recommendation. Once this recommendation is generated, you can review the behavioral profiles for which it was generated and allow the recommendation to be applied.

You can allow access based on a specific recommendation by using one of these methods:

  • Click the menu button on the right side of the Recommendations grid and select Allow access.

  • Click the name of the recommendation under the Name column and select Allow access from the displayed details side bar.

After selecting Allow access, the Allow access window is displayed.

You can allow access for an entire department, for specific users, or for specific users on specific devices using the checkboxes available in the Behavioral profiles section.

Select Apply to save your changes.

Viewing recommendation details

You can view additional information regarding a recommendation by opening the Recommendation details side panel. To open the side panel, click the name of the recommendation under the Name column:

  • General - This section contains the following information:

    • Target activity type - The type of activity targeted by the recommendation.

    • Attack surface reduction - Indicates the impact applying the recommendation would have on the total attack surface.

    • Created on - The time and date when the recommendation was created.

    • Monitored rule - Displays the rule name that was used to generate the recommendation.

    • Behavioral profiles - Displays the total number of profiles for the recommendation.

    • Action taken - The action that was taken as a result of the recommendation.

  • Details - This section provides a written description of the vulnerability and how it can be exploited.

  • Recommendation mitigation - The action suggested to fix the vulnerability.

  • The action button - Depending on the status of the recommendation this button will allow you to Restrict access.