Understanding built-in rule sets

Stormshield provides a series of rule sets contained in built-in security policies. You can also use them in your own custom policies. For more information, refer to the section Creating a security policy.

To view built-in SES Evolution rule sets, select the Policies menu and click on View shared rule sets. Built-in rule sets are those whose names start with the prefix "Stormshield - ".

Built-in rule sets are updated in each new SES Evolution version. The release notes for the rule sets are available in your MyStormshield personal area.

New rule sets are also published regularly in the Downloads menu of MyStormshield.

Built-in rule sets can neither be modified nor deleted.

  • The available protection rule sets are (each rule set is followed by what it allows):
    • Data leak prevention: Protection of the pool from theft of sensitive data by applying a defined list of applications.
    • Backend protection: Protection of the SES Evolution backend.
    • Agent handler protection: Protection of SES Evolution agent handlers.
    • Administration console protection: Protection of the SES Evolution administration console.
    • Protection baseline: Protection of the pool from any malicious activity.
    • Advanced protections: Detection and/or blocking of threats through a built-in heuristic analysis. Unlike protections that react to a single strong event, advanced protections react to a pattern of several weak events which, when combined, represent a threat.
    • Secured Wi-Fi hotspots: Restriction of workstation connections to secure hotspots only.
    • Anti-ransomware protection: Protection of the pool from ransomware attacks. The rule set includes:
      • Rules that detect illegal encryption of files and block such attacks,
      • Rules that protect volume shadow copies so that files can be recovered if some of them were encrypted before the attack was blocked. For further information, refer to Managing a ransomware attack.
    • Common applications hardening: Prevention of common applications from performing potentially dangerous operations such as keylogging, application hooking or process access.
    • Common network hardening: Blocking of applications that may generate unwanted network traffic, for example telemetry applications or non-Windows applications that generate zero-configuration networking traffic.
  • The available audit rule sets are (each rule set is followed by what it allows):
    • Audits of attack contexts: Monitoring of events that occur in a pool. If this rule set is placed before the protection rule sets, all events can be monitored. If it is placed after them, it monitors the events that the protection rules have not identified. It is essential for analyzing the attack context through incidents.
    • Windows Defender event forwarding: Reporting in SES Evolution of Windows events relating to the Virus and threat protection feature. The event log analyzed is: Microsoft \ Windows \ Windows Defender \ Operational. SES Evolution assigns its own severity to these events, which differs from the Windows severity. Only the administrator can look up these events in the agent interface.