AutoTrust settings for policies

AutoTrust settings for a policy define how applications and processes that are not part of policy rules must be treated. In Xprotect, AutoTrust is an added layer of security on the hosts.

AutoTrust and AutoTrust settings are helpful to build Xprotect policies by the MD5 hashes of the applications and processes. AutoTrust violations are listed as Trust alerts on the Alerts pages, and you can convert such alerts to Xprotect policy rules. This can help you build effective policies for the hosts managed from the Xprotect instance.  


AutoTrust values

AutoTrust values are risk-related labels that the Xprotect Threat Intelligence engine assigns to the applications and processes running on the hosts. AutoTrust values are set for the MD5 hash of an application or process.

The five AutoTrust values in Xprotect are:

  • Good - the Threat Intelligence engine found no risk associated with running the application or process.

  • Unknown - the Threat Intelligence engine has not yet analyzed the application or process for known risks.

  • Low Risk - the application or process has a low level of risk associated with it.

  • Medium Risk - a few reputed Threat Hunting sources found the application or process malicious or suspicious.

  • High Risk - a considerable number of reputed Threat Hunting sources found the application or process to be malicious or suspicious. 

AutoTrust values are available as scopes when you define the AutoTrust settings for a policy and as query operands to filter the Trust alerts on the Alerts pages.


AutoTrust tab

All AutoTrust settings for an Xprotect policy are listed in the AutoTrust tab for the policy. The settings are scoped at four levels - Low Risk, Medium Risk, High Risk, and Unknown Risk. AutoTrust settings apply only to Xprotect Host policies. All Host policies come with a set of default AutoTrust settings, and you can change them at any point in time.


Scope, controls, and alerts

The following sections describe the scope at which the AutoTrust settings can be defined, their controls, and the alert generated when violations occur.

Scope

Unlike Xprotect policy rules, whose scope is set at the level of a directory, path, file name, and command line, AutoTrust settings are scoped at the level of the risk associated with the applications and processes:

  • Low Risk Applications - the applications and processes classified as Low-risk by the Threat Intelligence engine.

  • Medium Risk Applications - the applications and processes classified as Medium-risk.

  • High Risk Applications - the applications and processes classified as High-risk.

  • Unknown Risk Applications - the applications and processes that are not yet analyzed by the Threat Intelligence engine.

By design, the AutoTrust settings are processed at all scopes on the hosts (Directory, Path, File Name, and Command lines) associated with the policy.

Controls

  • Status - make the setting Active or Pause the setting.

  • Behavior - set to Monitor violations or Block the processes that violate the settings.

    AutoTrust settings for a policy can also be set to Active or Paused in the Policy settings of the policy. This supersedes the AutoTrust settings in the AutoTrust tab.

Alert

  • Trust - generated when an application or process violates the AutoTrust settings.


Default AutoTrust settings

By default, a policy monitors Low Risk, Medium Risk, and Unknown Risk applications and processes, blocks High Risk applications and processes, and generates alerts for the violations.
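To make the evaluation order concrete (policy rules first, then the policy-level pause, then the per-scope Status and Behavior), here is a small model of the decision logic as described on this page. It is an added illustration, not Xprotect code; the MD5-keyed intel dictionary, the HostPolicy class and its rule_hashes field are hypothetical stand-ins for the Threat Intelligence engine and the policy rule set.

```python
import hashlib
from dataclasses import dataclass, field

# The five AutoTrust values named on this page.
GOOD, UNKNOWN, LOW, MEDIUM, HIGH = "Good", "Unknown", "Low Risk", "Medium Risk", "High Risk"

# Default AutoTrust settings per scope: (Status, Behavior).
DEFAULT_SETTINGS = {
    LOW: ("Active", "Monitor"),
    MEDIUM: ("Active", "Monitor"),
    UNKNOWN: ("Active", "Monitor"),
    HIGH: ("Active", "Block"),
}


def md5_of(data: bytes) -> str:
    """AutoTrust values are keyed by the MD5 hash of the binary."""
    return hashlib.md5(data).hexdigest()


def lookup_autotrust(md5: str, intel: dict) -> str:
    """Constructed stand-in for the Threat Intelligence engine (hypothetical)."""
    return intel.get(md5, UNKNOWN)  # anything not yet analyzed is Unknown


@dataclass
class HostPolicy:
    # Hypothetical: MD5 hashes already covered by explicit policy rules.
    rule_hashes: set = field(default_factory=set)
    autotrust: dict = field(default_factory=lambda: dict(DEFAULT_SETTINGS))
    autotrust_paused: bool = False  # policy-level Active/Paused, supersedes the tab


def evaluate(policy: HostPolicy, md5: str, value: str):
    """Return (action, alert): action is 'allow' or 'block'; alert is 'Trust' or None."""
    if md5 in policy.rule_hashes:       # AutoTrust covers only processes outside policy rules
        return "allow", None
    if value == GOOD:                   # engine found no risk: nothing to monitor or block
        return "allow", None
    if policy.autotrust_paused:         # policy-level pause wins over the AutoTrust tab
        return "allow", None
    status, behavior = policy.autotrust[value]
    if status == "Paused":
        return "allow", None
    if behavior == "Block":
        return "block", "Trust"
    return "allow", "Trust"             # Monitor: process runs, Trust alert is raised


if __name__ == "__main__":
    sample = b"constructed sample binary"  # constructed input, not a real file
    intel = {md5_of(sample): HIGH}
    print(evaluate(HostPolicy(), md5_of(sample), lookup_autotrust(md5_of(sample), intel)))
```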


Set AutoTrust settings for a policy

AutoTrust settings for a policy can be changed at any time during the lifecycle of the policy. Change the AutoTrust settings from the defaults to increase or decrease the number of Trust alerts reported for the instance.

The following steps assume that you are changing the AutoTrust settings of an existing policy. You can also set the preferred AutoTrust settings when you create a policy.

  1. Go to Policies.

  2. Click the 3-dot menu of a policy and click View and Edit Policy.

  3. Click AutoTrust.

  4. Set/change the AutoTrust settings for the relevant scopes and set the required controls.

    The changes are saved automatically and apply to the applications and processes that run on the hosts protected by the policy.


Override AutoTrust values

AutoTrust values set by the Threat Intelligence engine can be overridden if needed. Such overrides are instance level and are in effect on all the hosts managed from the instance.
