Add a Detect-Only Policy Group to a New Device

Modified on Fri, 16 Feb at 3:13 PM

TABLE OF CONTENTS


Follow the directions below to create a policy group, create a device group, add overrides, and finally add the detect-only policy group to the new device.


Part 1: Create Policy Group

  1. Go to Protection > Policies. Select the green plus icon.
  2. Select Start a blank Policy Group.
  3. In the top field, rename the group to "DetectOnly" and add a description. Select Next.
  4. Set all values to Detect except AZT Self Protect. Select Apply.



Part 2: Create Device Group

  1. Go to Endpoints > Device Groups. Select the green plus icon.
  2. In the top field, rename the group to "Staging". 
  3. Select the DetectOnly Protection Policy created in Part 1. Select Create Group.
    Note: If you have a NetworkAgent License, select the Default Network Policy Group.
  4. Ensure the following global settings are set to Allowed:
    • Allow_TrustID_Create
    • FileMonitor_Create_TrustIDs
    • FileMonitor_Scan_OnBoot
    • Inherited Trust
    • Publisher Trust
  5. Select Apply Now.
  6. Skip adding devices for now. Select Finish.
  7. In the pop-up, select Yes.


Part 3: Install and Verify Operations of New Agent Endpoint

  1. Install any applications that you expect to use on the new device. 
  2. Install AZT Agent on the endpoint using the instructions provided in the AZT user guide.
  3. As soon as the endpoint is displayed in the Trust Center in the default device group, move the device to the Staging device group.

Note: Wait for device to show as online before proceeding to Part 4. This ensures that the initial file scan is complete and the endpoint's inventory has been uploaded to the Trust Center. Depending on the speed of the virtual machine (VM), this process could take from 20 minutes to several hours depending on the size and speed of your disk.



Part 4: Trust Publishers

  1. Go to Inventory > Publishers > Discovered.
  2. Mark any newly found Publishers as Trusted.
    Important: If you do not recognize any of the listed publishers, do not add them as trusted and investigate where they came from.


Part 5: Apply Countermeasure Overrides

  1. Go to Alerts & Logs > Security Alerts.
  2. Review the newly reported alerts. In particular, review any alerts that will likely be ongoing and should be added as countermeasure overrides. For example, these alerts could include:
    • Read Buffer

    • Write Buffer

    • Privilege Escalation

  3. Drill down on each alert you would like to add an override policy to. Click on the alert, then Alert Details, then Override Policies. On the Override Policies screen, toggle the countermeasure override to On. Select the Protection Mode you would like to use:
    • Select Ignore to prevent future alerts from being generated.
    • Select Detect to allow the application to run while continuing to receive alerts.



Part 6: Verify Operations

After you have initially trusted publishers and applied overrides, you should perform some functions on your devices to see what other alerts may be triggered under normal use. We recommend performing the following:

  • Start each primary application and use some of the features.
  • Ask any anti-virus application to perform a file scan.
  • If possible, reboot the device to check any initial start up behaviors.

As you perform these tests, check Publishers and Security Alerts for any new items to be addressed.

We suggest that the new endpoint remains in this group for several days before moving the device to a different device group.



Part 7: Move the Device to the New Device Group

Once you are satisfied with the operations on the device, you may move the device to a more restricted device group.

The target device group should have the following settings set to Allowed:

  • Inherited Trust
  • Publisher Trust

Follow the directions below to move the device.

  1. Go to Endpoints > Devices.
  2. Find the device you want to move.
  3. Under the Device Group column, move the selected device to the new device group.

After you apply the new device group, check that functionality is not impacted.







Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article