Configuring actions triggered by rules

When a protection rule blocks an operation performed on an SES Evolution agent, it will be logged, and you can determine the severity and destination of the log.

If you wish, the generation of this log can also trigger other actions on the agents in question. Several types of action are possible:

  • Show a notification on the agent. This notification will appear at the bottom right of the screen, indicating that a prohibited action was blocked by a protection rule.
  • Run custom scripts.
  • Run a Yara scan. For further information, refer to the section Running Yara scans on SES Evolution agents.
    This action is available only for rules in which processes or files have been logged. It does not apply, for example, to Wi-Fi and ARP Spoofing rules.

EXAMPLE
This feature can be used, for example, to trigger an antivirus analysis the moment the incident is logged, or to move a dangerous file to a specific folder. Launching a Yara scan makes it possible to identify malware.

  1. Select your security policy in the Policies tab, then select the set of rules. The main page of the rule set appears.
  2. Click on the tab of the rule that you want to modify.
  3. If you are in read-only mode, click on Edit in the upper banner.
  4. In the banner at the top of the rule, click on the Action when logs generated icon. The Action when logs generated window appears.
  5. If you wish, enable a notification on the agent every time this rule generates a log. This feature is available only for rules in Protection mode.
    Window Action when logs generated with notification enabled
  6. If you wish to run a script whenever this rule generates a log, click on Add an action.
    1. Enter a name for the action in the Run custom script window.
    2. To the right of the Script field, click on + to add the script to run.
    3. In the Arguments field, specify the arguments to add when the script is run.
    4. In the Run in list, choose Local service because this is an account with restricted privileges. Do not choose Interactive session or System accounts unless absolutely necessary.
       Do note that scripts cannot be run during interactive sessions on a server with several remotely connected users.
       All scripts that were declared in SES Evolution appear in the Script list. Select an existing script and click on the corresponding icon to view it or to import a new version of the script.
  7. If you wish to run a Yara scan whenever this rule generates a log, click on Add an analysis unit.
    1. Click on one or several analysis units to select them, then close this window.
    2. In the Action when logs generated window, click on Log settings to determine the severity and destination of the logs that the Yara rules generate.
    3. If necessary, select Shut down the processes detected to remove the dangerous processes identified during the Yara scan from the agent.
       If the rule is part of an audit rule set, or if the rule is in passive mode, the processes will not be shut down even when this setting is enabled.
  8. Click on OK.
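As an added example (not from the SES Evolution documentation), the following PowerShell script is the kind of custom action you could register under Add an action to move a blocked file into a quarantine folder, as the EXAMPLE above describes. It assumes that the Arguments field passes the blocked file's path as the -Path argument, that the Local service account has write access to the quarantine folder, and that C:\Quarantine is the folder you chose; all three are assumptions.

```powershell
# Added example quarantine script (not part of SES Evolution).
# Assumes -Path is supplied through the Arguments field and that the script
# runs as Local service, so $QuarantineDir must be writable by that account.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$QuarantineDir = 'C:\Quarantine'   # assumed folder, adjust to your site
)

$ErrorActionPreference = 'Stop'
$logFile = Join-Path $QuarantineDir 'quarantine.log'

# Create the folder first so that failures can still be logged.
if (-not (Test-Path -LiteralPath $QuarantineDir)) {
    New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
}

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-ddTHH:mm:ssK} {1}' -f (Get-Date), $Message
    Add-Content -LiteralPath $logFile -Value $line
}

try {
    # Refuse anything that is not a plain file (directories, missing paths).
    $item = Get-Item -LiteralPath $Path -Force
    if ($item.PSIsContainer) { throw "Refusing to quarantine a directory: $Path" }

    # Record the hash before moving, so the entry can be correlated with the SES log.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Timestamped destination name avoids collisions between repeated hits on the
    # same file name; the .quarantined suffix prevents accidental execution.
    $stamp = Get-Date -Format 'yyyyMMddHHmmssfff'
    $dest  = Join-Path $QuarantineDir ('{0}_{1}.quarantined' -f $stamp, $item.Name)

    Move-Item -LiteralPath $Path -Destination $dest -Force
    Write-Log "MOVED sha256=$hash from=$Path to=$dest"
    exit 0
}
catch {
    Write-Log "FAILED path=$Path error=$($_.Exception.Message)"
    exit 1
}
```

Because the script runs under Local service, the quarantine folder should grant that account write access and deny ordinary users read access, so that quarantined files cannot simply be copied back out.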