You can use the CSA and various rules and features of the product to report behavior you want to monitor on certain systems. The two methods used are: Monitor Rules and Application Behavior Investigation. The remaining portion of the chapter discusses these two methods.
You can create rules that do not enforce any security Allow or Deny actions but rather log an event only when the matching rule is triggered. These rules use an action of Monitor. You can create any type of rule with this type of action. The following are examples of rules that might be useful:
- Monitor execution of a specific application, such as a known P2P, Instant Messenger, or other unapproved application.
- Monitor FTP, TFTP, IRC, and other connections that should not leave your corporate network.
- Monitor file access of certain directories and file types.
You can use these rules when needed or create a Rule Module that includes several different types of rules with the Monitor action, each tied to a specific empty application class. Using this approach, you can add an executable to this application class when you locate a process you want to monitor, and you instantly begin to receive forensic data about the process after the next rule generation. This can provide you a Honey-Pot approach to monitoring that is available to you anywhere in the deployment at any time.
Application Behavior Investigation
The CSA product also provides a mechanism for monitoring a process natively named Application Behavior Investigation. This is configured by selecting Analysis>Application Behavior Investigation>Windows Behavior Analyses. Select New to create an investigation. You define the matching application class and the host the investigation should target. After completion and after a specified period or number of executions, you receive a report that displays all the network interaction, file interaction, COM object interaction, and registry interaction of that process. This can be a useful way to collect data about what a process does as part of research and also prior to creating and application control policy for this software.