You can manually edit behaviors. The system learns behaviors in Discovery Mode, so you can skip adding any allowed behaviors initially. Behaviors include process executions, command-line arguments, network connections, and more.

Prerequisites

You have a scope with the added service.

Procedure

  1. From the left navigation pane, filter and click the required scope.
  2. Click the Services tab.
  3. Search and click the required service.
    In the right panel, make sure that you are in the Behaviors tab.
  4. Filter behaviors based on the time frame. For example, you can filter behaviors seen in the last 24 hours and determine an application's most recent execution.
  5. Go to the behavior that you want to edit, and click the card.
    Note: On the behavior card, if you see a Last updated time stamp instead of Last seen, then either the behavior time stamp feature is not enabled or AppDefense is not upgraded to the supported version.
    You can view the behavior details.
  6. Select the required CLI from the list.
  7. Click Edit.
  8. Edit the required parameters.
    Path
      Edit the absolute full path.
    MD5
      Edit the MD5 hash.
    SHA256
      Edit the SHA256 thumbprint.
    CLI
      You can view details by expanding > next to the CLI.
      • To add a new CLI, click Add New CLI.
      • Enter the full path followed by any arguments that can run, for example: /path/to/file/executable.exe -Argument1 -Argument2.
    Outbound Connections
      The outbound connection listed is added to the allowed behavior list.
      • To add a new outbound connection, click + Add, and then select or enter Protocol, Remote Port, Remote Address, and Local Port.
      • To add more destinations, click +.
        Select the required destination type:
        • Service: If you select Service as the destination type, then service-to-service communication is allowed. You can select the required scope and service name from the list. Any communication between the service members on the provided port and protocol becomes an allowed behavior. You can select a service within the same scope or a service from a different scope. The system does not generate any alerts when the specified outbound connection occurs.
        • IP: Enter a valid IP address or *. When you wildcard the IP address (*), any IP address trying to make an outbound connection on the provided port and protocol is allowed.
        • FQDN: Enter a valid fully qualified domain name. You can wildcard (*) the FQDN as follows:
          • Preceding wildcard character. For example, *.xyz.com.
          • Trailing wildcard character. For example, www.xyz.*.
          • Preceding and trailing wildcard characters. For example, *.xyz.*.
          You cannot add * inside the domain name. For FQDNs, there is no automatic connection grouping or abstraction.
      • Based on the selected destination type, select or enter the valid values.
      • To delete a destination, click .
    Inbound Connections
      The inbound connection listed is added to the allowed behavior list.
      • To add more connections, click + Add, and then select or enter Protocol and Port details.
      • To delete a connection, click .
  9. To delete the added CLI, click the trash icon.
  10. Click Save.
    The behavior is changed. The system starts learning based on the updated behavior.
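The Remote Address forms the procedure accepts (a literal IP, *, and the three FQDN wildcard placements) as a matcher, added here as an example and not code from AppDefense. The function names, the (Protocol, Remote Port, Remote Address) tuple layout, and the rule that a wildcard label stands for one or more whole labels are assumptions; the page only says where * may appear.

```python
import re
from ipaddress import ip_address
# Constructed example, not AppDefense code. Models the Remote Address forms the
# procedure accepts: a literal IP, "*", or an FQDN whose first and/or last label
# is "*". That a wildcard label stands for one or more whole labels is assumed.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def validate_fqdn_pattern(pattern: str) -> bool:
    """Allow 'xyz.com', '*.xyz.com', 'www.xyz.*', '*.xyz.*'; reject '*' inside
    a label ('w*w.xyz.com') or as an inner label ('www.*.com')."""
    labels = pattern.lower().rstrip(".").split(".")
    if len(labels) < 2 or "" in labels:
        return False
    for i, lab in enumerate(labels):
        if lab == "*" and i in (0, len(labels) - 1):
            continue                           # whole-label wildcard at an end
        if "*" in lab or not LABEL.match(lab):
            return False
    return any(lab != "*" for lab in labels)   # keep at least one literal label

def fqdn_matches(pattern: str, host: str) -> bool:
    if not validate_fqdn_pattern(pattern):
        raise ValueError(f"invalid FQDN pattern: {pattern}")
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    lead, trail = p[0] == "*", p[-1] == "*"
    core = p[1 if lead else 0 : -1 if trail else None]
    if len(h) < len(core) + lead + trail:      # each wildcard needs >= 1 label
        return False
    if lead and trail:                         # core runs strictly inside host
        n = len(core)
        return any(h[i:i + n] == core for i in range(1, len(h) - n))
    if lead:
        return h[-len(core):] == core
    if trail:
        return h[:len(core)] == core
    return h == core

def destination_matches(rule: str, dest: str) -> bool:
    if rule == "*":                            # wildcard IP: any address
        return True
    try:
        return ip_address(rule) == ip_address(dest)
    except ValueError:                         # not both IPs: treat as FQDN rule
        return fqdn_matches(rule, dest)

def connection_allowed(rules, protocol: str, port: int, dest: str) -> bool:
    # rules: iterable of (Protocol, Remote Port, Remote Address) tuples (assumed)
    return any(pr.upper() == protocol.upper() and rp == port
               and destination_matches(ra, dest) for pr, rp, ra in rules)
```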