
Configuration

Default rules

Default rules are created and maintained by Bitdefender. They cover the most common operating systems and applications, as well as services and user entities, to help ensure the integrity of the endpoint.

For more information about default OS rules and default application rules, refer to Integrity Monitoring default rules.

Note

Some rules require additional configuration before they can be applied to an endpoint. Deprecated rules must be deleted.


For more information about editing rules, refer to Edit rules and Delete rules.

Custom rules

Custom rules are created and managed by any user with the Partner, Company Administrator, or Network Administrator role.

Before creating a custom rule, make sure it is not already covered by a default rule. Running duplicate rules degrades the overall performance of the product.

Custom rules with Critical severity generate EDR alerts for registry keys, registry values, files, and directories. You can view these alerts in the Node details panel of an EDR incident.


Note

Registry keys and registry values are only available for Windows endpoints.

For more information related to limitations when generating EDR events, refer to the Integrity Monitoring limitations section in Integrity Monitoring.

Create rules

You can create custom rules by following these steps:

  1. Go to Policies > Integrity Monitoring Rules.

  2. Click the Actions drop-down.

  3. Select New rule.


The following fields are available when you create a custom rule:

  • Rule name: must be unique. You cannot have two rules with the same name.

  • Description: general description of the rule.

  • Severity: Low, Medium, High, or Critical.

  • Entity type: the following types are available:

    • File

    • Directory

    • Registry key

    • Registry value

Once an entity type is selected, the following fields are available:

  1. File

    For this entity type, you have the following options:

    • OS Applicability: Windows or Linux.

    • Keys: the file name prefix and/or file extension that identify the files to monitor.

    • Monitoring scope:

      • For Windows: you can monitor whether the file is created, modified, deleted, or renamed, and whether its hash, size, or attributes change.


        Note

        Unwanted created files can also be deleted or moved to quarantine. You also have the option to correct file attribute changes.

      • For Linux: you can monitor whether the file is created, modified, deleted, or renamed, and whether its hash, size, permissions, owner, or group change.


        Note

        Unwanted created files can also be deleted or moved to quarantine. You also have the option to correct permission, owner, and group changes.

  2. Directory

    For this entity type, you have the following options:

    • OS Applicability: Windows or Linux.

    • Directory path: path to the monitored directory. To include its subdirectories, select the checkbox under this field.

    • Monitoring scope:

      • For Windows: you can monitor whether the directory is created, deleted, or renamed, and whether its attributes change.


        Note

        You also have the option to correct directory attribute changes.

      • For Linux: you can monitor whether the directory is created, deleted, or renamed, and whether its permissions, owner, or group change.


        Note

        You also have the option to correct permission, owner, and group changes.

  3. Registry key

    For this entity type, you have the following options:

    • Registry key: the registry key you want to monitor.

    • Monitoring scope: you can monitor whether the registry key is created or deleted, and whether its subkeys or values change.

  4. Registry value

    For this entity type, you have the following options:

    • Registry value: the registry value you want to monitor.

    • Monitoring scope: you can monitor whether the registry value is created or deleted, whether its last-modified time changes, and whether its hash or size change.


      Note

      • When the registry value hash changes, you have the option to correct it. For a size change, you can choose to delete the value automatically.

      • When a registry value is corrected, it is restored to the value it had before the alert was generated. The rule processing mode can affect this correction.

Edit rules

You can edit rules by following these steps:

  1. Go to Policies > Integrity Monitoring Rules.

  2. Select the rule you want to modify.

  3. Under Configuration, modify the rule.

  4. Click Save.

Delete rules

You can delete custom rules by following these steps:

  1. Go to Policies > Integrity Monitoring Rules.

  2. Select the checkbox next to the rule you want to delete.

  3. Click the Actions drop-down.

  4. Select Delete.

  5. Confirm your selection by pressing the Delete button.

Restrictors

Integrity Monitoring implements restrictors: a protective layer whose sole purpose is to reduce alert fatigue by catching common configuration mistakes.

For example, you cannot monitor files with the .log extension. Such files are written to constantly and change frequently, so monitoring them would generate a large number of events that could flood the endpoint with notifications and events.
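The two checks this page asks of you before you create a custom rule, that it is not already covered by a default rule and that it is not blocked by a restrictor, can be run ahead of time over a rule list. The following is an added example, not Bitdefender code or any GravityZone API: the rule model, the `lint` function and the stand-in default rules are constructed for illustration (the real default rule set is in the Integrity Monitoring default rules reference), and the restrictor list contains only the `.log` extension the page names.

```python
"""Pre-flight lint for Integrity Monitoring custom rules (added example)."""
import posixpath
from dataclasses import dataclass

# Restrictor from the page; the product's full list is not documented here.
RESTRICTED_EXTENSIONS = {".log"}


@dataclass(frozen=True)
class Rule:
    name: str
    entity: str            # "File" | "Directory" | "Registry key" | "Registry value"
    os_name: str           # "Windows" | "Linux"
    path: str              # file/directory path, or registry path
    subdirs: bool = False  # Directory rules: "include subdirectories" checkbox
    default: bool = False


# Constructed stand-ins for default rules (hypothetical, not the real set).
DEFAULT_RULES = [
    Rule("Linux SSH config", "Directory", "Linux", "/etc/ssh", subdirs=True, default=True),
    Rule("Windows hosts file", "File", "Windows",
         r"C:\Windows\System32\drivers\etc\hosts", default=True),
]


def _norm(path, os_name):
    """Canonical form so that Windows paths compare case-insensitively."""
    if os_name == "Windows":
        return path.replace("\\", "/").lower().rstrip("/")
    return posixpath.normpath(path)


def covered_by(rule, other):
    """True if `other` already monitors what `rule` targets."""
    if rule.entity != other.entity or rule.os_name != other.os_name:
        return False
    r, o = _norm(rule.path, rule.os_name), _norm(other.path, other.os_name)
    if r == o:
        return True
    # A Directory rule that includes subdirectories also covers nested ones.
    return other.entity == "Directory" and other.subdirs and r.startswith(o + "/")


def lint(custom_rules, defaults=DEFAULT_RULES):
    """Return (rule name, problem) pairs for rules the console would reject
    or that would duplicate monitoring already done by a default rule."""
    findings, seen = [], set()
    for rule in custom_rules:
        if rule.name in seen:                       # rule names must be unique
            findings.append((rule.name, "duplicate rule name"))
        seen.add(rule.name)
        if rule.entity.startswith("Registry") and rule.os_name != "Windows":
            findings.append((rule.name, "registry entities are Windows-only"))
        if rule.entity == "File":
            ext = posixpath.splitext(rule.path.replace("\\", "/"))[1].lower()
            if ext in RESTRICTED_EXTENSIONS:
                findings.append((rule.name, f"blocked by restrictor: {ext} files cannot be monitored"))
        for d in defaults:
            if covered_by(rule, d):
                findings.append((rule.name, f"already covered by default rule '{d.name}'"))
    return findings


if __name__ == "__main__":
    proposed = [
        Rule("ssh keys dir", "Directory", "Linux", "/etc/ssh/keys"),
        Rule("app log", "File", "Linux", "/var/log/app.log"),
    ]
    for name, problem in lint(proposed):
        print(f"{name}: {problem}")
```

Run the linter over the rules you plan to enter; anything it reports would either be rejected by the console or, in the duplicate case, cost endpoint performance for no additional coverage.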


Rule sets

Rule sets are a collection of rules that you can assign to a GravityZone policy. Any rule that you want assigned to a policy must be part of a rule set.

Note

You must create a rule set, even if it only contains default rules, to enable Real-time monitoring in the policy settings.

Create rule sets

You can create a rule set by following these steps:

  1. Open the Integrity Monitoring Rules window.

  2. Select each rule you want added in your rule set by selecting the checkbox next to it.

  3. Click Actions and select New rule set from rules.

  4. In the new page, add the Rule set name and a Description (optional).

    Note

    These fields can only contain alphanumeric characters.

  5. Click Save.

Edit rule sets

You can edit a rule set by following these steps:

  1. Go to Policies > Integrity Monitoring Rules.

  2. Select the desired rule set.

  3. Click More.

  4. Select Edit.

  5. Edit the Rule set name and Description.

  6. Click Save.

Delete rule sets

You can delete rule sets by following these steps:

  1. Go to Policies > Integrity Monitoring Rules.

  2. Select the desired rule set.

  3. Click More.

  4. Select Delete.

  5. Confirm your selection by pressing the Delete button.

Assign or remove existing rules to rule sets

To assign existing rules to a rule set you must:

  1. Go to Policies > Integrity Monitoring Rules.

  2. Select the checkbox next to the rules you want assigned to the rule set.

  3. Click the Actions drop-down.

  4. Select Assign rules to rule sets.

  5. From the drop-down menu, select the rule set to which you want the rules assigned.

  6. Click Assign.

To remove rules from a rule set, you must:

  1. Go to Policies > Integrity Monitoring Rules.

  2. Select the checkbox next to the rules you want removed from the rule set.

  3. Click the Actions drop-down.

  4. Select Unassign rules.

Assign rule sets to a policy

To assign Integrity Monitoring rule sets to a policy, you must first enable Real-time monitoring in the policy settings and then assign the rule sets that you want applied:

  1. Go to the Policies page.

  2. Add a new policy or edit an existing one.

  3. In the policy settings, go to the Integrity Monitoring section.

  4. Select the Real-time monitoring checkbox and add an existing rule set from the drop-down list.

  5. Make other configurations in the policy as preferred.

  6. Save the policy and apply it to endpoints.


Once a policy is applied (or reapplied), the baseline attributes of every monitored entity are renewed from the entity's current state, and the next alert raised after the policy is applied is evaluated against this renewed baseline. The renewal takes place regardless of whether Integrity Monitoring is suspended. A change made to a monitored entity before the policy is reapplied therefore becomes part of the new baseline and does not trigger an alert.

In addition, once the policy is applied, the endpoints start sending events to GravityZone. You can view them on the Integrity Monitoring Events page.
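To make the baseline renewal concrete, here is an added example that is not Bitdefender code: a minimal file-integrity baseline over a temporary directory tree, tracking the Linux File attributes this page lists (hash, size, permission, owner, group). Function and attribute names are the example's own. The scenario changes a file, confirms the change is reported against the first baseline, then rebuilds the baseline as a policy reapplication would and shows the earlier change is no longer reported while a later change still is.

```python
"""Baseline snapshot and comparison for a directory tree (added example)."""
import hashlib
import stat
import tempfile
from pathlib import Path

# Attributes a Linux File rule can watch, per the page.
WATCHED = ("hash", "size", "permission", "owner", "group")


def snapshot(root: Path) -> dict:
    """Record the watched attributes of every regular file under root."""
    base = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.lstat()
        base[p.relative_to(root).as_posix()] = {
            "hash": hashlib.sha256(p.read_bytes()).hexdigest(),
            "size": st.st_size,
            "permission": stat.S_IMODE(st.st_mode),
            "owner": st.st_uid,
            "group": st.st_gid,
        }
    return base


def compare(baseline: dict, current: dict) -> list:
    """Events that a rule covering all watched attributes would raise."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append((path, "File was created"))
        elif path not in current:
            events.append((path, "File was deleted"))
        else:
            for attr in WATCHED:
                if baseline[path][attr] != current[path][attr]:
                    events.append((path, f"File {attr} was changed"))
    return events


def run_scenario() -> dict:
    """Constructed scenario: edit, then policy reapplication, then a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "etc" / "app.conf"
        cfg.parent.mkdir()
        cfg.write_text("mode=secure\n")
        cfg.chmod(0o640)

        baseline = snapshot(root)           # policy applied: baseline taken

        cfg.write_text("mode=insecure\n")   # content edited ...
        cfg.chmod(0o666)                    # ... and made world-writable
        before = compare(baseline, snapshot(root))

        baseline = snapshot(root)           # policy reapplied: baseline renewed
        after_reapply = compare(baseline, snapshot(root))

        (root / "etc" / "dropper.sh").write_text("#!/bin/sh\n")
        new_change = compare(baseline, snapshot(root))
    return {"before": before, "after_reapply": after_reapply, "new_change": new_change}


if __name__ == "__main__":
    for phase, events in run_scenario().items():
        print(phase, events)
```

The middle phase is the one to remember: reapplying a policy to an endpoint you suspect has been tampered with silently accepts the tampered state as the new baseline, so collect evidence before you push policy changes.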

Important

On-Access exclusions for files, folders, and processes, whether added through configuration profiles or in the policy, also apply to the Integrity Monitoring module. Integrity Monitoring is based on Extended Berkeley Packet Filter (eBPF) probes; the exclusions are propagated to these eBPF probes (kprobes) so that the events that would trigger Integrity Monitoring alerts are no longer generated. An excluded path is therefore invisible to Integrity Monitoring as well: review the On-Access exclusions before relying on an Integrity Monitoring rule for a path that may fall under one.

Rules processing mode

The rules processing mode determines the speed at which events are processed and displayed in the Integrity Monitoring Events page:

  • Fast - events are processed as close to real-time as possible.

  • Normal - buffers events for 3 seconds and then processes them. This is the default setting.

  • Slow - buffers events for 6 seconds and then processes them.

To keep the resource footprint low, all rule processing modes use event queues and compression.

For processed events, a set of deduplication actions are applied to provide the best information without succumbing to alert fatigue:

  • Events of the same type are compressed.

    For example, from multiple File hash was changed events for the same entity, Integrity Monitoring takes into consideration only the latest one.

  • Some events are discarded because the baseline has changed.

    For example, a quick succession of File hash was changed events immediately before a File was deleted or File was renamed event for the same entity is discarded. A new baseline for the file hash cannot be established because the object is no longer there.

The deduplication actions apply to File, Directory, Registry key, and Registry value events in all processing modes. The Fast mode processes events in real time, without delay; however, when all available resources are busy processing events, new events queue up. Queued events are processed as soon as resources are freed, and they are still subject to deduplication.
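The following is an added example, not Bitdefender code, that models the three processing modes and the two deduplication actions described above as a small batch pipeline: events are buffered for the mode's window (0, 3 or 6 seconds), same-type events per entity collapse to the latest, and a hash change is dropped when the same entity is deleted or renamed later in the batch. The event stream is constructed, and the exact batching of the real agent is an assumption; the example shows how the same burst yields a different number of Events-page entries per mode.

```python
"""Processing-mode buffering and deduplication model (added example)."""

# Buffer length per processing mode, in seconds (from the page).
BUFFER_SECONDS = {"fast": 0, "normal": 3, "slow": 6}

# After these, a pending hash change for the same entity is meaningless:
# the object no longer exists under that name, so no baseline can be taken.
TERMINAL = {"File was deleted", "File was renamed"}


def deduplicate(batch):
    """Apply the page's two reductions to one buffered batch of
    (timestamp, entity, event_type) tuples; returns the survivors in time order."""
    # 1. Same-type events for the same entity collapse to the latest one.
    latest = {}
    for ts, entity, etype in batch:
        latest[(entity, etype)] = max(ts, latest.get((entity, etype), ts))
    # 2. A hash change is discarded when the entity is deleted or renamed
    #    later in the same batch.
    kept = []
    for (entity, etype), ts in latest.items():
        if etype == "File hash was changed" and any(
            e == entity and k in TERMINAL and t > ts for (e, k), t in latest.items()
        ):
            continue
        kept.append((ts, entity, etype))
    return sorted(kept)


def process(events, mode="normal"):
    """Return the events that reach the Events page for the given mode."""
    window = BUFFER_SECONDS[mode]
    out, batch, start = [], [], None
    for ev in sorted(events):
        if start is None:
            start = ev[0]
        # A new buffer opens once the current one has run for `window` seconds.
        # With window 0 (Fast mode) only events that land at the same instant,
        # i.e. the page's queued events, share a batch.
        if ev[0] - start > window:
            out.extend(deduplicate(batch))
            batch, start = [], ev[0]
        batch.append(ev)
    out.extend(deduplicate(batch))
    return out


# Constructed burst: a config file edited several times, and a dropped
# payload whose hash changes and which is then deleted.
SAMPLE_EVENTS = [
    (0.0, "/etc/ssh/sshd_config", "File hash was changed"),
    (0.5, "/etc/ssh/sshd_config", "File hash was changed"),
    (1.2, "/etc/ssh/sshd_config", "File hash was changed"),
    (1.4, "/tmp/payload.bin", "File hash was changed"),
    (1.9, "/tmp/payload.bin", "File was deleted"),
    (2.5, "/etc/ssh/sshd_config", "File size was changed"),
    (4.0, "/etc/ssh/sshd_config", "File hash was changed"),
]


if __name__ == "__main__":
    for mode in BUFFER_SECONDS:
        print(mode, len(process(SAMPLE_EVENTS, mode)), "events")
```

The trade-off the page describes falls out of the model: a longer buffer means fewer, later entries, and a hash change that is quickly followed by a delete is only preserved in Fast mode, where it is not batched with the delete. When investigating a dropper that modifies and then removes itself, that is the mode in which the intermediate hash change is most likely to be visible.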