Because Strict mode performs a stricter comparison between the established baseline and the currently running operational behaviors, it tolerates little deviation from the baseline and is therefore more appropriate for static environments that are intended to remain unchanged by users and administrators. An example is a shared deployment environment with permanent infrastructure, where all features and fixes are deployed once at the end of a planned release cycle.
Given the growing prevalence of script-based attacks such as fileless malware and PowerShell abuse, behavioral pattern identification combined with parameter recognition adds an extra layer of protection against unknown threats without affecting operational stability.
To illustrate: the global policy may restrict the use of PowerShell, but one device uses PowerShell for regular system updates by running a specific command to complete the process. The agent on that device can allow PowerShell for this specific process only. No individual policy override is needed, and any other use of PowerShell on the other devices is still blocked.
The recommended procedure is as follows:
- Organize the agents in the static environment as a group and set Operations Behavior Anomaly Detection to "Learn" mode in the group policy settings. Ensure that you toggle on Script Behaviors.
- Deploy all the required configuration, features, updates, and fixes, and run all the daily operation processes during the learning period.
Note: If Application Lockdown is enabled, ensure that you turn on maintenance mode before performing the deployments.
- For the specific agent device that uses PowerShell as its regular system update tool, check the page to make sure that the full operation process, including the identified parameters, has been included in the agent baseline.
- After all the operation processes have been executed and learned, switch to Detect mode and check whether the normal daily operations trigger any events. Run the PowerShell update command on the specific agent device and on the other agent devices in the same group: the specific device should treat it as normal behavior, while the other devices should treat it as an anomaly and trigger events.
Note: You can check the Agent event logs to see whether any anomalous operation or process was detected. See Agent Events for more details.
- Switch to Enforce mode and enable Strict mode to activate preventive actions. On the other devices, the use of PowerShell is blocked; on the specific device, only the exact PowerShell process that was learned and stored in the baseline is allowed.