Use Case | Trend Micro Service Central

Views:

The Operations Behavior Anomaly Detection embodies the CPSDR concept and has a deep understanding of what the expected behaviors for each device are from learning the behaviors of each agent-device first. Every agent continuously analyzes its host device to establish and maintain a unique baseline fingerprint. Then in real-time, unexpected behaviors and deviations from this fingerprint can be detected at the individual agent level and then secondarily at the centralized control level to inform wider instability issues and prompt preventative actions.

See the following procedures as the recommended practice when you start using the Operations Behavior Anomaly Detection:

Toggle on the Learn mode of the Operations Behavior Anomaly Detection on the Policy page. Ensure that you toggle on the Script Behaviors, User Login, and Application Behavior as well.
Deploy all the required configuration, features, updates, or fixes, and run all the daily operation processes during the Learn mode.
Note:
If the Application Lockdown is enabled, ensure you turn on the maintennace mode when performing these deployments.
1. Toggle on the User Login:
  1. Use the required user accounts to log into the agent-device.
  2. Ensure you also log in from different IP addresses or domains if it is required during your daily operation processes.
  Note:
  You can also manually add approved user accounts and relevant details used in the operations and processes into the Policy-based Approved Login Accounts.
2. Toggle on the Application Behaviors:
  - Run the applications required for daily operation processes.
  - Download required applications or execute updates or fixes required for existing applications on the agent-device.
  Note:
  You can also manually add approved applications used in the operations and processes into the Policy-based Approved Applications.
3. Toggle on the Script Behavior:
  - Run the scripts required for your daily operation processes.
  - Run the scripts accompanied with parameters.
  Note:
  By default, StellarProtect monitors the commonly-abused script running applications such as Powershell.exe, wscript.exe, cscript.exe, mshta.exe, and psexec.exe. Ensure you manually add other commonly-abused applications used in your daily operation processes to the Policy-based Watchlist for strengthening security monitoring.
After all the operation processes have been executed and learned, switch to the Detect mode and check if any events will be triggered by the normal daily operations.
Note:
- You can check the Agent event logs to see if there's any anomalous operation or process detected. See Agent Events for more details.
- See Strict Mode and Strict Mode - Use Case for more details on using the Strict mode.
Switch to the Enforce mode for activating preventative actions (Script Behaviors only). If any unexpected script execution occurs, it should be blocked.
Note: If you also enable the Strict mode, only the exact script running processes (with exact parameters) that have been learned and stored in the baseline will be allowed. You can check the Situational Awareness > Script Behaviors page to make sure the specific full operation processes (parameters included) have been added in the agent baseline.