Understanding built-in rule sets
Stormshield provides a series of rule sets that are contained in the built-in security policies. You can also reuse them in your own custom policies. For more information, refer to the section Creating a security policy.
To view the built-in SES Evolution rule sets, select the Policies menu and click on View shared rule sets. Built-in rule sets are those whose names carry the prefix "Stormshield - ".
Built-in rule sets are updated in each new SES Evolution version. The release notes for the rule sets are available in your Mystormshield personal area.
New rule sets are also regularly published in the Downloads menu in Mystormshield.
Built-in rule sets can neither be modified nor deleted.
The available protection rule sets are (rule set, then what it allows):
- Data leak prevention: protection of the pool from theft of sensitive data, by applying a defined list of applications.
- Backend protection: protection of the SES Evolution backend.
- Agent handler protection: protection of SES Evolution agent handlers.
- Administration console protection: protection of the SES Evolution administration console.
- Protection of the pool from any malicious activity (the name of this rule set is missing from the page).
- Advanced protections: detection and/or blocking of threats through a built-in heuristic analysis. Unlike protections that react to a single strong event, advanced protections react to a pattern of several weak events which, when combined, represent a threat.
- Secured Wi-Fi hotspots: restriction of workstation connections to secure hotspots only.
- Anti-ransomware protection: protection of the pool from ransomware attacks. The rule set includes:
  - rules that detect illegal encryption of files and block such attacks,
  - rules that protect volume shadow copies, so that files can be recovered if some of them were encrypted before the attack was blocked. For further information, refer to Managing a ransomware attack.
- Common applications hardening: prevents common applications from performing potentially dangerous operations such as keylogging, application hooking or process access.
- Common network hardening: blocking of applications that may generate unwanted network traffic, for example telemetry applications, or non-Windows applications generating the traffic used by zero-configuration networking.
The available audit rule sets are (rule set, then what it allows):
- Audits of attack contexts: monitoring of events that occur in a pool. If this rule set is placed before the protection rule sets, all events can be monitored. If it is placed after them, the events that the protection rules have not already identified can still be monitored. It is essential for analyzing the attack context of incidents.
- Windows Defender event forwarding: reporting in SES Evolution of the Windows events relating to the Virus and threat protection feature. The event log analyzed is Microsoft \ Windows \ Windows Defender \ Operational. SES Evolution assigns its own severity to these events, which differs from the Windows severity. Only the administrator can look up these events on the agent interface.
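To check what the Windows Defender event forwarding rule set actually has to work with on a given workstation, it helps to look at the source log directly on the agent. The PowerShell snippet below is an added example and is not part of the Stormshield documentation or of SES Evolution itself; it only reads the Windows log named above and assumes an elevated PowerShell 5.1 or later session on the agent (reading this log requires local administrator rights).

```powershell
# Added example (not Stormshield code): summarize the Windows Defender
# Operational log that the "Windows Defender event forwarding" rule set reads.
# Assumptions: PowerShell 5.1+, run elevated on the SES Evolution agent.
$logName = 'Microsoft-Windows-Windows Defender/Operational'

try {
    # Read the most recent 200 entries; adjust -MaxEvents for a wider window.
    $events = Get-WinEvent -LogName $logName -MaxEvents 200 -ErrorAction Stop
} catch {
    Write-Warning "Cannot read '$logName': $($_.Exception.Message)"
    return
}

# Group by event ID. The Level column is the Windows severity; SES Evolution
# assigns its own severity to forwarded events, so expect the console to show
# something different for the same entries.
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Id     = [int]$_.Name
            Count  = $_.Count
            Level  = $latest.LevelDisplayName
            Latest = $latest.TimeCreated
        }
    } | Format-Table -AutoSize

# Detection-related entries only: 1116 = malware detected, 1117 = action taken.
# These are standard Windows Defender event IDs, not SES Evolution identifiers.
$events |
    Where-Object { $_.Id -in 1116, 1117 } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If the first query returns nothing, the forwarding rule set has nothing to report for that workstation; check that Defender's Virus and threat protection is enabled there before suspecting the SES Evolution policy.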