Creating HX Policy And Host Set then Binding Them To Each Other

In one of our previous articles, we explained how to install HX. Now let’s talk about how to group our endpoints into host sets, how to create policies, and how to bind the policy/host-set pairs we created to each other.

To create Host Sets:

1- Go to Admin > Host Sets.

2- Click the relevant button to create a new host set.

3- At this point, we can create two types of Host Sets. One of them is the “Static Host Set” and the other is the “Dynamic Host Set”.

A- Static Host Set: A static host set contains only the endpoints that we add to it ourselves.

B- Dynamic Host Set (Set Builder): A dynamic host set is built from criteria that we define. Whenever an endpoint that meets these criteria appears in our environment, it is added to the matching host set automatically, without any action on our part.

As you can see in the screenshot, two criteria have been defined for this host set:

1- Agent version is 34.28.6.
2- The hostname contains the word “WIN”.

As the intersection symbol in the middle indicates, both conditions must hold: the host set contains the endpoints that have version 34.28.6 and “WIN” in their hostname.
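To see which endpoints such a Set Builder rule would pull in before a policy is bound to it, here is a small evaluator that mirrors the two criteria above. This is an added example and not FireEye’s own code or API; the endpoint records, the field names (`hostname`, `agent_version`), the operator names and the case-insensitive hostname match are all assumptions, and the example also shows the “any of” variant of the rule, which the article itself does not use.

```python
"""Evaluate Set Builder style dynamic host-set criteria against an endpoint inventory."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    agent_version: str  # assumed field name for the HX agent version


# A criterion is (field, operator, value); the two operators cover the article's rule.
# Assumption: the hostname "contains" match is case-insensitive.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted.lower() in actual.lower(),
}

Criterion = Tuple[str, str, str]


def matches(endpoint: Endpoint, criteria: List[Criterion], match_all: bool = True) -> bool:
    """match_all=True is the intersection shown in the article; False is the union."""
    results = [OPERATORS[op](getattr(endpoint, field), value) for field, op, value in criteria]
    return all(results) if match_all else any(results)


def build_host_set(inventory: Iterable[Endpoint], criteria: List[Criterion],
                   match_all: bool = True) -> List[str]:
    """Return the sorted hostnames that would land in the dynamic host set."""
    return sorted(ep.hostname for ep in inventory if matches(ep, criteria, match_all))


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    Endpoint("WIN-DC01", "34.28.6"),
    Endpoint("win-ws07", "34.28.6"),
    Endpoint("WIN-OLD03", "33.50.2"),   # right name, old agent
    Endpoint("LNX-APP01", "34.28.6"),   # right agent, not a WIN host
]

# The article's two criteria, combined with the intersection (AND).
ARTICLE_CRITERIA: List[Criterion] = [
    ("agent_version", "equals", "34.28.6"),
    ("hostname", "contains", "WIN"),
]

if __name__ == "__main__":
    print("AND:", build_host_set(SAMPLE_INVENTORY, ARTICLE_CRITERIA))
    print("OR: ", build_host_set(SAMPLE_INVENTORY, ARTICLE_CRITERIA, match_all=False))
```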

4- Now that we have created our Host Set, we can create our Policy.
Let’s go to the Admin > Policy tab.

5- We can add the relevant features to our policy by ticking them, as seen on the right. The important part here is knowing what each feature does.

To summarize some of them briefly:

  • Process Tracker: A module that tracks processes encountered for the first time.
  • UAC Protect: A module that provides protection against UAC bypass attacks.
  • Host Remediation: A module that allows us to open a shell on the relevant host with SYSTEM rights.
  • Host Management: A module that provides tabular information about hosts and shows which hosts are “online” and “offline”.
  • Deny List: A module that allows us to block or quarantine files by hash (MD5, SHA256) or file path.
  • Device Guard: A module used to block or allow devices used as storage or MTA, by criteria such as vendor and serial number.
  • Event Streamer: A module that sends Windows event logs to Helix or a Syslog server.
  • Logon Tracker: The HX module designed to investigate lateral movement in Windows, Linux and macOS environments. Which endpoints have connected to which other endpoints, together with details such as protocol, port and user, can be seen in its visual interface.
  • Malware Protection: An antivirus module that combines traditional methods with machine learning models.
  • Exploit Guard: A module that blocks exploits targeting vulnerabilities in well-known applications (Adobe, MS Office, Google Chrome…).
  • Real Time Indicator: A module that detects suspicious activity using IOCs provided by FireEye’s cloud (DTI, Dynamic Threat Intelligence).
  • Server Health: A module that allows FireEye Endpoint administrators to monitor critical service errors and identify potential problems in the product.
  • Notification Center: The module that informs us about the changes users have made on the HX Server.
  • AMSI: The module that enables HX to detect attacks delivered through shell scripts, thanks to the AMSI interface developed by Microsoft.
  • Process Guard: A module that detects possibly suspicious access to LSASS.exe.
  • API Documentation: A module for obtaining detailed data about agents, policies, host sets and so on through specific API queries.
  • Enricher: Queries the status of files and processes via DTI (cloud) and returns the verdicts on them. With AX or VX integration, it also adds a sandboxing feature to HX.

6- We have to adjust the settings for every feature we add. For example, if we want Exploit Guard to terminate the offending process, we must tick the relevant box, and to use the feature on servers, we must tick that box as well.

7- Then, enable the policy.

8- On the Host Set page, let’s click the “Assign Policies To Host Sets” button and assign our policy to the Host Set.

9- We can click on our host set in the host sets section on the left and match it with a policy in the policies section on the right. Note: by default, all host sets are assigned the Default Policy.

After about 5 minutes on average, the endpoints in our Host Set will receive the policy. We can verify this from the Host Management module interface.

Stay Tuned for my other articles.
