Understanding built-in rule sets

Stormshield provides a series of rule sets built into the console. Some are already contained in the built-in security policies. You can also use them in your own custom policies. For more information, refer to the section Creating a security policy.

To view built-in SES Evolution rule sets, select the Policies menu and click on View shared rule sets. Built-in rule sets are those that have the prefix Stormshield - .

Other rule sets that Stormshield provides are not built into the console and can be downloaded from your MyStormshield personal area, or from the Stormshield download server.

Rule sets are regularly updated. You will find the Release notes regarding these rule sets on your Mystormshield personal area and from the panel in which updates can be downloaded.

In addition, new rule sets are regularly added on the Stormshield update server and also published on the MyStormshield download area.

The sequence of rule sets in a policy matters. For more information, refer to Organizing rules and rule sets in a policy.

Built-in rule sets can neither be modified nor deleted.

  • The available protection rule sets are:
    Rule setMakes it possible to...
    Data leak prevention

    Protect the pool from theft of sensitive data by applying a defined list of applications.

    Backend protectionProtect the SES Evolution backend.
    Agent handler protectionProtect SES Evolution agent handlers.
    Administration console protectionProtect the SES Evolution administration console.

    Protection baseline

    Protect the pool from any malicious activity.
    Advanced protectionsDetect and/or block threats through a built-in heuristic analysis. Unlike protections that react to a strong individual event, advanced protections react to a pattern of several weak events, which when combined, represent a threat.
    Secured Wi-Fi hotspotsRestrict workstation connections to secure hotspots only.
    Anti-ransomware protection

    Protect the pool from ransomware attacks. The rule set includes:

    • Rules that detect illegal encryption of files and block such attacks,
    • Rules that protect volume shadow copies in order to allow file recovery if some files have been encrypted before the attack was blocked. For further information, refer to Managing ransomware attacks.
    Common applications hardeningPrevent common applications from performing potentially dangerous operations such as keylogging, application hooking or process access.
    Common network hardeningBlock applications that may generate unwanted network traffic. This is the case of telemetry applications or non-Windows applications generating traffic used by zero-configuration networking for example.

    II901 (five sets)

    Protect sensitive information systems, in line with the French interministerial instruction no. 901 drafted by the ANSSI. These five rule sets are templates. To use them, adapt them to your environment by duplicating them in your security policies.

    Protection against malicious usage of LOLBIN (to be downloaded from Downloading Stormshield updates)Prevent hackers from maliciously using certain Microsoft LOLBIN binary files to download malicious payloads, run files or create permanent access for attackers.

    Block-list of known dangerous applications (to be downloaded from Downloading Stormshield updates)

    Block the execution of known harmful applications identified by hash or by certificate
  • The available audit rule sets are:
    Rule setMakes it possible to...
    Audits of attack contextsMonitor events that occur in a pool. If it is placed before the protection rule sets, all events can be monitored. If it is placed after them, events that are not identified by protection rules can also be monitored.
    It is essential in analyzing the attack context through incidents.
    Windows Defender event forwarding

    Report in SES Evolution Windows events relating to the Virus and threat protection feature. The event log analyzed is: Microsoft \ Windows \ Windows Defender \ Operational.

    SES Evolution assigns its own severity to these events, which is different from the Windows severity.
    Only the administrator can look up these events on the agent interface.

    Monitoring of known dangerous or vulnerable drivers (to be downloaded from Downloading Stormshield updates)Raise alerts when a known dangerous or vulnerable driver is loaded.