Software Policies

What are Software Policies?

Software Policies allow you to define security rules for software, processes, and network connections across your organization. These policies determine what software is permitted, prohibited, or requires monitoring.

Why Use Software Policies?

Enforce Security Standards: Block known malware and unauthorized software
Compliance Requirements: Document approved software for audits
Risk Reduction: Identify high-risk applications before incidents occur
Automated Response: Configure actions from alerting to quarantine

Accessing Software Policies

Navigate to Security in the main menu
Select Software Policies
View the policy list with filters and search

Understanding the Policy List

The policy list displays all configured security policies:

Column	Description
Name	Product or malware name
Type	Blacklist or Whitelist
Severity	Critical, High, Medium, or Low
Action	What happens when detected
Status	Active or Inactive
Source	Manual or Threat Intelligence feed

Creating a New Policy

From Software Catalog

Click Add Policy
Select From Catalog option
Search for the software
Configure policy settings:
- Severity: How critical is this threat?
- Action: Alert, Block, Quarantine, or Monitor
- Reason: Why is this policy needed?
Click Create

Manual Entry

For malware or threats not in the catalog:

Click Add Policy
Select Manual Entry option
Enter:
- Product Name: Name of the software/malware
- Vendor: (Optional) Software vendor
- Description: Why this is being blacklisted
Configure severity and action
Click Create

Policy Settings

Severity Levels

Level	Description	Response Time
Critical	Active malware, ransomware, APT tools	Immediate
High	Known threats, C2 frameworks	Within 1 hour
Medium	Potentially unwanted programs	Within 24 hours
Low	Policy violations, unauthorized software	Scheduled review

Actions

Action	Behavior
Alert	Create event, send notification
Monitor	Log detection without alerting
Block Install	Prevent new installations
Quarantine	Isolate affected systems
Uninstall	Flag for removal

Reasons

Malware: Known malicious software
Security Risk: Vulnerability or exposure risk
Compliance: Regulatory requirement violation
Unauthorized: Not on approved software list
End of Life: Unsupported software version
License Violation: Licensing compliance issue

Policy Details

Click on any policy to view detailed information:

Basic Information

Product name and vendor
Policy type and severity
Configured action
Active/Inactive status

Detection Patterns

How the system identifies this software:

Name Patterns: Regex patterns for software names
Process Names: Known process executables
File Paths: Installation locations

Threat Intelligence

For threat-sourced policies:

Threat Type: Ransomware, Trojan, Botnet, etc.
Aliases: Alternative names for the malware
MITRE ATT&CK: Associated techniques
References: External documentation links

Network IOCs

For malware with known infrastructure:

Malicious IPs: Known command & control servers
Ports: Common communication ports
Domains: Malicious domain names

Exclusions

Prevent false positives:

Excluded Vendors: Trusted software vendors
Excluded Names: Specific software to ignore
Legitimate Paths: Known-good installation paths

Viewing Violations

When a policy is triggered:

Open the policy details
Click View Violations
See all detection events:
- Affected host
- Detection time
- Process/software details
- Current status

Managing Policies

Edit Policy

Click the policy row
Modify settings as needed
Click Save Changes

Disable Policy

Open policy details
Toggle Active to off
Policy will stop triggering detections

Delete Policy

Open policy details
Click Delete
Confirm deletion

Note: System default policies from threat intelligence cannot be deleted, only disabled.

Best Practices

Policy Organization

Use clear, descriptive names
Set appropriate severity levels
Document the reason for each policy
Review policies quarterly

False Positive Management

Add exclusions for known-good software
Review Medium/Low severity detections regularly
Document false positive patterns

Integration Tips

Connect alerting to your notification channels
Link policies to compliance frameworks
Export policy list for documentation

Common Use Cases

Block Known Malware

Create a critical blacklist policy for known ransomware:

Severity: Critical
Action: Quarantine
Reason: Malware

Monitor Shadow IT

Track unauthorized software installations:

Severity: Low
Action: Monitor
Reason: Unauthorized

Compliance Enforcement

Ensure only approved software is installed:

Create whitelist of approved software
Alert on anything not in the whitelist
Generate compliance reports

Threat Intelligence - Understanding threat data
Network IOC Scanning - Network monitoring
Security Events - Responding to detections

What are Software Policies?​

Why Use Software Policies?​

Accessing Software Policies​

Understanding the Policy List​

Creating a New Policy​

From Software Catalog​

Manual Entry​

Policy Settings​

Severity Levels​

Actions​

Reasons​

Policy Details​

Basic Information​

Detection Patterns​

Threat Intelligence​

Network IOCs​

Exclusions​

Viewing Violations​

Managing Policies​

Edit Policy​

Disable Policy​

Delete Policy​

Best Practices​

Policy Organization​

False Positive Management​

Integration Tips​

Common Use Cases​

Block Known Malware​

Monitor Shadow IT​

Compliance Enforcement​

Related Topics​