
Administrator Guide

Version 3.1

Classification: Restricted
JULY 2021
DI-AG-CA-3.1-A01
 

Legal Notice

Copyright © 2021 Deep Instinct (USA) Inc. All rights reserved.

Deep Instinct and the Deep Instinct Logo are trademarks or registered trademarks of Deep
Instinct (USA) Inc. or its affiliates in other countries. Other names may be trademarks of their
respective owners.

The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Deep Instinct (USA)
Inc. and its licensors, if any.

This document contains proprietary information and as such is protected by Deep Instinct’s Non-
Disclosure Agreement (NDA), with all that is included in this agreement.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. DEEP INSTINCT (USA) INC. AND ITS AFFILIATES SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR
USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS
SUBJECT TO CHANGE WITHOUT NOTICE.

Administrator Guide  Copyright © 2021 Deep Instinct. All rights reserved. Page 1 of 303
Contents
Introduction ............................................................................................................................................................. 5
About this Guide ............................................................................................................................................... 5
Getting Started........................................................................................................................................................ 6
Understanding Deep Instinct™ Software.................................................................................................... 6
Deep Instinct™ Management Console ........................................................................................................ 7
Management Console Requirements....................................................................................................... 7
Open the Management Console Without MSP Support...................................................................... 8
Open the Management Consoles with MSP Support........................................................................ 14
Dashboard, Monitoring and Reports.............................................................................................................. 27
Dashboard....................................................................................................................................................... 27
Monitor Screens............................................................................................................................................. 33
Event Lists..................................................................................................................................................... 36
File List Screen............................................................................................................................................. 43
Event Details Screen ..................................................................................................................................... 45
Suspicious Event Details Screen ................................................................................................................ 53
File Details Screen ......................................................................................................................................... 58
Monitor Screen Filters .................................................................................................................................. 62
Date Picker.................................................................................................................................................... 64
Event Remediation and Management...................................................................................................... 66
Delete Malicious Files Remotely.............................................................................................................. 67
Terminate Process ...................................................................................................................................... 69
Device Isolation ........................................................................................................................................... 71
Upload Files to the D-Appliance.............................................................................................................. 73
Download Files ............................................................................................................................................ 74
File Analysis .................................................................................................................................................. 76
Close Events ................................................................................................................................................. 80
Notifications .................................................................................................................................................... 84
Device List Screen.......................................................................................................................................... 85
Device List Table.......................................................................................................................................... 88
Device Details Screen ................................................................................................................................... 91
Executive Summary Report......................................................................................................................... 95
Create an On-Demand Report .............................................................................................................. 100
Create a New Scheduled Report........................................................................................................... 101
Policy Configuration .......................................................................................................................................... 104
Policy Screens ............................................................................................................................................... 104
Policy List Screen ...................................................................................................................................... 105
Windows Policy............................................................................................................................................. 108
Deep Static Analysis Configuration....................................................................................................... 109
Behavioral Analysis Configuration ........................................................................................................ 111
Suspicious Activity Monitoring Configuration .................................................................................... 114
Script Control Configuration .................................................................................................................. 115
D-Client Control......................................................................................................................................... 117
Scheduled Scan Configuration .............................................................................................................. 121
macOS Policy ................................................................................................................................................ 121
Deep Static Analysis Configuration....................................................................................................... 122

D-Client Control......................................................................................................................... 125
Scheduled Scan Configuration .............................................................................................................. 126
Linux Policy.................................................................................................................................................... 127
Deep Static Analysis Configuration....................................................................................................... 127
D-Client Control......................................................................................................................................... 129
Android Policy............................................................................................................................................... 130
Deep Static Analysis Configuration....................................................................................................... 130
Behavioral Analysis Configuration ........................................................................................................ 131
Compliance Monitoring........................................................................................................................... 132
Administrator Contact Details Configuration..................................................................................... 134
Chrome OS Policy ........................................................................................................................................ 134
Deep Static Analysis Configuration....................................................................................................... 135
Behavioral Analysis Configuration ........................................................................................................ 136
Compliance Monitoring........................................................................................................................... 137
Administrator Contact Details Configuration..................................................................................... 138
iOS Policy ....................................................................................................................................................... 139
Behavioral Analysis Configuration ........................................................................................................ 139
Compliance Monitoring........................................................................................................................... 140
Administrator Contact Details Configuration..................................................................................... 141
Network Agentless Policy........................................................................................................................... 141
Deep Static Analysis Configuration....................................................................................................... 142
Allow List ........................................................................................................................................................ 144
File Hash Allow List ................................................................................................................................... 148
Script Allow List.......................................................................................................................................... 160
File Certificate Allow List.......................................................................................................................... 167
File Path Allow List .................................................................................................................................... 176
Behavioral Analysis Allow List ................................................................................................................ 182
File Hash Deny List ...................................................................................................................................... 190
Adding File Hashes to the Deny List..................................................................................................... 191
Exclusion Lists............................................................................................................................................... 201
Process Exclusion List.............................................................................................................................. 201
Folder Exclusion List................................................................................................................................. 203
Editing an Allow List/Deny List/Exclusion Entry.................................................................................... 210
Removing Allow List/Deny List/Exclusion Entries................................................................................. 211
Managing Devices.............................................................................................................................................. 214
Custom Policy ............................................................................................................................................... 214
Creating a New Policy .............................................................................................................................. 214
Removing a Custom Policy ..................................................................................................................... 216
Device Group List......................................................................................................................................... 216
Create Group and Edit Group Screens ............................................................................................... 220
Group Priority ............................................................................................................................................ 227
Creating a New Device Group................................................................................................................ 228
Edit a Device Group.................................................................................................................................. 230
Removing a Device Group ...................................................................................................................... 233
Troubleshooting Tools ................................................................................................................................ 233
Debug Log Collection............................................................................................................................... 234
Disable/Enable D-Client........................................................................................................................... 236

Create a Memory Dump File .................................................................................................................. 239
Change the D-Appliance Address......................................................................................................... 239
D-Appliance Management............................................................................................................................... 240
Signing In........................................................................................................................................................ 240
Signing out..................................................................................................................................................... 247
Settings........................................................................................................................................................... 248
General Settings........................................................................................................................................ 248
Integration and Notification ................................................................................................................... 253
Managing Administrator Accounts ....................................................................................................... 272
Release Notes Screen................................................................................................................................. 285
My Profile ....................................................................................................................................................... 287
Audit Log ........................................................................................................................................................ 288
D-Appliance Support................................................................................................................................... 289
MSP and Tenant Management....................................................................................................................... 290
MSP List Screen............................................................................................................................................ 290
Creating a New MSP Account ................................................................................................................ 294
Removing an MSP Account..................................................................................................................... 295
Tenant List Screen ....................................................................................................................................... 296
Creating a New Tenant Account ............................................................................................................ 299
Removing a Tenant Account................................................................................................................... 300
Glossary ............................................................................................................................................................... 302


1. Introduction
1.1. About this Guide
This guide has been written for the security administrator in your organization. It will assist the
administrator in configuring, implementing and integrating Deep Instinct™ into your organization.
This guide includes the configuration and monitoring for all your endpoint devices with Deep
Instinct.

Chapter 1: Introduction. Provides a general introduction to the guide.

Chapter 2: Getting Started. Provides a brief understanding of how Deep Instinct™ works and how
to start using Deep Instinct.

Chapter 3: Dashboard, Monitoring and Reports. Provides a detailed description of the Dashboard,
the monitoring abilities of the system and reports. It includes detailed information on the
screens and functions of the monitoring screens. This chapter also contains information on
the Detail screens (Event, Suspicious Event, Device, File) and tasks related to handling events.

Chapter 4: Policy Configuration. Provides information on the methods and options to configure
the system. It includes information and procedures on how to configure the policies (Windows
Policy, macOS Policy, Linux Policy, Android Policy, Chrome OS Policy, iOS Policy and Network
Agentless Policy). This chapter also contains detailed information on the usage and procedures
related to the allow list, deny list and exclusion list in the system.

Chapter 5: Managing Devices. Provides information and procedures to manage the devices in
your organization. It includes detailed information on creating custom groups and policies for
managing selected devices.

Chapter 6: D-Appliance Management. Provides information on the procedures and features related
to managing the access and use of the Management Console. It includes detailed information on
signing in and out of the Management Console, general settings, integration and notification,
managing administrators, D-Client versions, My Profile and Audit logs.

Chapter 7: MSP and Tenant Management. Provides information and procedures to manage MSP and
Tenant accounts.

Chapter 8: Glossary. Provides a list of acronyms and terms that appear in or are related to
this guide.


2. Getting Started
This chapter gives a brief understanding on how Deep Instinct™ works and how to start using
Deep Instinct in your organization. 

2.1. Understanding Deep Instinct™ Software


Deep Instinct™ provides real-time detection and prevention of zero-day threats and advanced
persistent threat (APT) attacks for mobile devices and endpoints. The proactive protection
provides unprecedented accuracy in detection and real-time prevention, protecting the
organization’s entire assets from any threat (known and unknown).

Deep Instinct™ utilizes the following key components to implement its security solution:

▪ Deep Instinct™ Neural Network: The deep learning neural networks are located at the Deep
Instinct™ labs. They are the core component of the deep learning cyber defense solution
developed by Deep Instinct™. They continuously learn, reflecting the ever-evolving cyber threat
arena. The output of this continuous deep learning process is a lightweight prediction model
(D-Brain). The D-Brain is then distributed to all managed D-Clients.

▪ D-Brain (Prediction Model): D-Brain is a lightweight prediction model, the output of the
training phase, that detects cyber threats. It is installed as part of the client software
(D-Client). Once installed on the devices, the prediction model is used to autonomously detect
and prevent cyber threats on the devices, enabling on-device zero-day and APT protection.

▪ Deep Instinct™ Servers: The liaison component between Deep Instinct™ Neural Network
and all the management servers. It sends the latest prediction model (D-Brain) to the
management server, which updates the D-Clients.

▪ D-Cloud: The D-Cloud Intel is the database composed of billions of files, collected from
various data sources and labelled into different verdicts and classes. It serves as the
dataset for training and testing the D-Brain.
The D-Cloud Live provides a second layer of protection. Using the D-Cloud services, files can
be re-classified against the D-Cloud database of intelligence on known files, and the correct
verdict is applied in real time.

▪ D-Appliance (Management Console): Management and monitoring server, hosted in the
cloud. It provides the security administrator with an effective visualization of security events
for easy monitoring, including management tools for configuring the organization's security
policy.

▪ D-Client: A lightweight client software installed on the device according to its platform
(Windows, macOS, Linux, Android, Chrome OS, iOS and iPadOS). It encompasses the
essence of the Deep Instinct™ prediction model (D-Brain) enabling on-device Deep Static
Analysis, Deep Behavioral Analysis and other key protection engines in a lightweight,
autonomous and real-time way. It communicates with the management server for receiving
policy and software updates, and for sending events.

Figure: Deep Instinct Architecture

2.2. Deep Instinct™ Management Console


2.2.1 Management Console Requirements
Deep Instinct Management Console supports most of the popular web browsers available. The
following table lists all supported web browsers and display resolutions.

Supported Browsers:

Google Chrome: Latest version
Microsoft Edge: Latest version
Firefox: Latest version

Display:

Supported Resolutions: 1366 x 768, 1920 x 1080


2.2.2 Open the Management Console Without MSP Support


This section describes the procedure for opening the Management Console for the first time and
running the Startup Wizard. If your system includes MSP support, see Open the Management
Consoles with MSP Support.

To open Deep Instinct™ Management Console:


1. To open Deep Instinct, enter the FQDN of the D-Appliance in the Address bar of the browser
(for example, https://customer.deepinstinctweb.com).

The following Sign In dialog box appears in the left pane:

2. Enter your username and password and click Sign In. To view and verify the password, click
the eye icon.

Note: After the initial installation, the default user is predefined with the username
admin and password admin.

3. The Startup Wizard starts.


4. Click Next. The Enter Your Email Address dialog box appears.


5. Enter the email address for the admin user and click Next. The Change Default Password
dialog box appears.

6. Type the new password. The password must meet the following requirements:

▪ Password length must be between 8 and 35 characters

▪ Password must include both upper-case and lower-case letters

▪ Password must include one or more numerical digits

▪ Password must include one or more special characters

7. As you comply with each requirement, the requirement changes to green. To view and verify
the new password, click the eye icon.

8. Click Next and the End User License Agreement appears.


9. Read the EULA and click I Accept. The Set Disable Password dialog box appears.


10. The disable password is used to locally disable Deep Instinct on Windows, macOS and
Linux devices. Type the disable password. The password must meet the following
requirements:

▪ Password length must be between 8 and 35 characters

▪ Password must include both upper-case and lower-case letters

▪ Password must include one or more numerical digits

▪ Password must include one or more special characters

11. As you comply with each requirement, the requirement changes to green. To view and verify
the disable password, click the eye icon.

12. Once the disable password has been defined, the disable password may be changed from
the device policies. For more information, see D-Client Control in Windows Policy, D-Client
Control in macOS Policy and D-Client Control in Linux Policy.

13. Click Next and the Set Uninstall Password dialog box appears.

14. The uninstall password is used to locally uninstall D-Client from Windows, macOS and Linux
devices. Type the uninstall password. The password must meet the following requirements:

▪ Password length must be between 8 and 35 characters

▪ Password must include both upper-case and lower-case letters

▪ Password must include one or more numerical digits


▪ Password must include one or more special characters

15. As you comply with each requirement, the requirement changes to green. To view and verify
the uninstall password, click the eye icon.

16. Once the uninstall password has been defined, it may be changed separately from the
device policies. For more information, see D-Client Control in Windows Policy, D-Client
Control in macOS Policy and D-Client Control in Linux Policy.

17. Click Next and the SMTP Settings dialog box appears. As an option, you may define the
SMTP Server parameters. To skip this option, click Skip. These parameters may also be
defined from the SMTP Server screen. To continue with defining the SMTP Server
parameters, perform the following:

a. The SMTP Server configuration defines the parameters for communicating with the SMTP
server. The SMTP server is required to send emails for deployment of mobile devices and
email notifications.

b. If secure SMTP is used, verify that Secure SMTP is enabled.


c. Enter the IP address or host name for the SMTP server.

d. Enter the port number for the SMTP server.

e. Enter the username and password for the SMTP server. 

f. Enter the email address to be displayed in the From box of the deployment emails.

g. To perform a test of the SMTP Server configuration, an email needs to be sent. Enter the
email address of the test email recipient in the Email to box and click Test.

18. A message appears to confirm that the Startup Wizard completed successfully.

19. Now you can continue to further define your system. By clicking one of the options, you can
perform any of the following tasks:

▪ Create administrator accounts

▪ Define policies

▪ Define system settings

▪ Define device groups
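The admin, disable and uninstall passwords set in steps 6, 10 and 14 above (and the admin password in the Hub Console wizard in the next section) all share the same four requirements. The following Python checker is an added example, not code from Deep Instinct, that reports which of the four rules a candidate password fails; it assumes the 8 to 35 length range is inclusive and that any ASCII punctuation character counts as a special character, neither of which the guide states.

```python
import string
from typing import Dict, List

# Requirements as listed by the Startup Wizard for the admin, disable and
# uninstall passwords. Assumptions (not stated in the guide): the 8..35
# length range is inclusive, and "special character" means any ASCII
# punctuation character.
MIN_LEN, MAX_LEN = 8, 35
SPECIAL_CHARS = set(string.punctuation)

REQUIREMENTS = (
    # (text shown by the wizard, predicate that must hold for it to turn green)
    ("Password length must be between 8 and 35 characters",
     lambda pw: MIN_LEN <= len(pw) <= MAX_LEN),
    ("Password must include both upper-case and lower-case letters",
     lambda pw: any(c in string.ascii_uppercase for c in pw)
     and any(c in string.ascii_lowercase for c in pw)),
    ("Password must include one or more numerical digits",
     lambda pw: any(c in string.digits for c in pw)),
    ("Password must include one or more special characters",
     lambda pw: any(c in SPECIAL_CHARS for c in pw)),
)


def unmet_requirements(password: str) -> List[str]:
    """Return the wizard requirements that `password` fails, in the order
    the wizard shows them. An empty list means all four would turn green."""
    return [text for text, ok in REQUIREMENTS if not ok(password)]


def meets_policy(password: str) -> bool:
    return not unmet_requirements(password)


def check_wizard_passwords(admin: str, disable: str, uninstall: str) -> Dict[str, List[str]]:
    """Check the three passwords the wizard asks for (steps 6, 10 and 14)
    in one pass. The disable and uninstall passwords unlock local control
    of the D-Client, so they deserve the same scrutiny as the admin one."""
    return {
        "admin": unmet_requirements(admin),
        "disable": unmet_requirements(disable),
        "uninstall": unmet_requirements(uninstall),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide. The factory
    # default "admin" fails every requirement, which is why the wizard
    # makes you change it before the console can be used.
    results = check_wizard_passwords("admin", "Disable-Local#2021", "Uninstall!2021")
    for name, failures in results.items():
        print(f"{name}: {'OK' if not failures else '; '.join(failures)}")
```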

2.2.3 Open the Management Consoles with MSP Support


A Deep Instinct™ system with MSP support uses two Management Consoles:

▪ Hub Console


▪ MSP Management Console

The Hub Console is used by integrators to monitor and define MSP accounts. For each MSP, there
is an MSP Management Console that allows each MSP to monitor and define their system. This
section describes the procedure for opening each of these consoles for the first time and running
the associated Startup Wizard.

To open Deep Instinct™ Hub Console:


1. To open Deep Instinct, enter the FQDN of the D-Appliance in the Address bar of the browser
(for example, https://customer.deepinstinctweb.com).

The following Sign In dialog box appears in the left pane:

2. Enter your username and password and click Sign In. To view and verify the password, click
the eye icon.

Note: After the initial installation, the default user is predefined with the username
admin and password admin.

3. The Startup Wizard starts.


4. Click Next. The Enter Your Email Address dialog box appears.


5. Enter the email address for the admin user and click Next. The Change Default Password
dialog box appears.

6. Type the new password. The password must meet the following requirements:

▪ Password length must be between 8 and 35 characters

▪ Password must include both upper-case and lower-case letters

▪ Password must include one or more numerical digits

▪ Password must include one or more special characters

7. As you comply with each requirement, the requirement changes to green. To view and verify
the new password, click the eye icon .

8. Click Next and the End User License Agreement appears.


9. Read the EULA and click I Accept. The SMTP Settings dialog box appears.

10. As an option, you may define the SMTP Server parameters. To skip this option, click Skip.
These parameters may also be defined from the SMTP Server screen. To continue with
defining the SMTP Server parameters, perform the following:


a. The SMTP Server configuration defines the parameters for communicating with the SMTP
server. The SMTP server is required to send emails for deployment of mobile devices and
email notifications.

b. If the SMTP server requires an encrypted connection, verify that Secure SMTP is enabled.
Without it, the SMTP username and password entered in step e are sent in cleartext.

c. Enter the IP address or host name for the SMTP server.

d. Enter the port number for the SMTP server.

e. Enter the username and password for the SMTP server.

f. Enter the email address to be displayed in the From box of the deployment emails.

g. To test the SMTP Server configuration, enter the email address of a test recipient in the
Email to box and click Test. A test email is sent to that address; confirm that it arrives
before relying on these settings for deployment emails and notifications.

11. A message appears to confirm that the Startup Wizard completed successfully.


12. Click Start. The MSP List appears.

To open Deep Instinct™ MSP Management Console:


1. Enter the FQDN of the D-Appliance in the Address bar of the browser (for example,
https://customer.deepinstinctweb.com).

The Sign In dialog box appears in the left pane.


2. Enter your username and password and click Sign In. To view and verify the password, click
the eye icon.

Note: This username and password are defined for you by the hub administrator.
Once the Startup Wizard is completed, the password may be changed. For more
information, see My Profile.

3. The Startup Wizard starts.


4. Click Next and the End User License Agreement appears.

5. Read the EULA and click I Accept. The Set Disable Password dialog box appears.


6. The disable password is used to locally disable the D-Client on Windows, macOS and
Linux devices. Anyone who knows it can switch off protection on an endpoint, so treat it as
a secret and share it only with staff who are authorized to disable the D-Client. Type the
disable password. The password must meet the following requirements:

▪ Password length must be between 8 and 35 characters

▪ Password must include both upper-case and lower-case letters

▪ Password must include one or more numerical digits

▪ Password must include one or more special characters

7. As you comply with each requirement, the requirement changes to green. To view and verify
the disable password, click the eye icon .

8. Once the disable password has been defined, the disable password may be changed from
the device policies. For more information, see D-Client Control in Windows Policy, D-Client
Control in macOS Policy and D-Client Control in Linux Policy.

9. Click Next and the Set Uninstall Password dialog box appears.


10. The uninstall password is used to locally uninstall the D-Client from Windows, macOS and
Linux devices. Handle it with the same care as the disable password. Type the uninstall
password. The password must meet the following requirements:

▪ Password length must be between 8 and 35 characters

▪ Password must include both upper-case and lower-case letters

▪ Password must include one or more numerical digits

▪ Password must include one or more special characters

11. As you comply with each requirement, the requirement changes to green. To view and verify
the uninstall password, click the eye icon .

12. Once the uninstall password has been defined, it may be changed separately for each
platform from the device policies. For more information, see D-Client Control in Windows
Policy, D-Client Control in macOS Policy and D-Client Control in Linux Policy.

13. Click Next and the SMTP Settings dialog box appears. As an option, you may define the
SMTP Server parameters. To skip this option, click Skip. These parameters may also be
defined from the SMTP Server screen. To continue with defining the SMTP Server
parameters, perform the following:


a. The SMTP Server configuration defines the parameters for communicating with the SMTP
server. The SMTP server is required to send emails for deployment of mobile devices and
email notifications.

b. If the SMTP server requires an encrypted connection, verify that Secure SMTP is enabled.
Without it, the SMTP username and password entered in step e are sent in cleartext.

c. Enter the IP address or host name for the SMTP server.

d. Enter the port number for the SMTP server.

e. Enter the username and password for the SMTP server.

f. Enter the email address to be displayed in the From box of the deployment emails.

g. To test the SMTP Server configuration, enter the email address of a test recipient in the
Email to box and click Test. A test email is sent to that address; confirm that it arrives
before relying on these settings for deployment emails and notifications.


14. A message appears to confirm that the Startup Wizard completed successfully.

15. Now you can continue to further define your system. By clicking one of the options you can
perform any of the following tasks:

▪ Create administrator accounts

▪ Define policies

▪ Define system settings

▪ Define tenants
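The password requirements and the SMTP settings entered in the Startup Wizard can be checked
before you start. The following Python helper is an added example for this guide, not Deep
Instinct code. It evaluates a candidate password against the four wizard requirements (the
wizard does not define "special character", so ASCII punctuation is assumed), generates a
random password that meets them, reviews an SMTP configuration for the common mistake of
supplying credentials without Secure SMTP, and sends a test message the way the wizard's
Test button does. The port conventions it checks (465 implicit TLS, 587 submission with
STARTTLS, 25 relay) are SMTP conventions, not rules enforced by the wizard, and the host
names and addresses in it are placeholders.

```python
"""Startup Wizard preparation helper: password requirements and SMTP settings.

Added example for this guide, not Deep Instinct code. The password rules are the four
listed by the wizard; the meaning of "special character" is not defined there, so ASCII
punctuation (string.punctuation) is assumed. The port conventions in
review_smtp_settings are SMTP conventions, not something the wizard enforces.
"""
import re
import secrets
import smtplib
import ssl
import string
from email.message import EmailMessage

# One predicate per requirement shown by the wizard; the UI turns each green when met.
PASSWORD_REQUIREMENTS = {
    "length between 8 and 35": lambda p: 8 <= len(p) <= 35,
    "upper-case and lower-case letters": lambda p: any(c.isupper() for c in p)
    and any(c.islower() for c in p),
    "one or more digits": lambda p: any(c.isdigit() for c in p),
    "one or more special characters": lambda p: any(c in string.punctuation for c in p),
}


def check_password(password: str) -> dict:
    """Return {requirement: met?} for each wizard rule."""
    return {name: bool(rule(password)) for name, rule in PASSWORD_REQUIREMENTS.items()}


def password_is_valid(password: str) -> bool:
    return all(check_password(password).values())


def generate_password(length: int = 24) -> str:
    """Generate a random password that meets every wizard rule.

    One character from each required class is drawn first so the rules always hold, the
    remainder comes from the full alphabet, and the CSPRNG shuffles the result so the
    class positions are not predictable. Suitable for the admin, disable and uninstall
    passwords, which should not be guessable from the organisation or product name.
    """
    if not 8 <= length <= 35:
        raise ValueError("length must be between 8 and 35")
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


_MAILBOX = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def review_smtp_settings(host: str, port: int, secure: bool, username: str, sender: str) -> list:
    """Return warnings about an SMTP configuration before you click Test (empty = fine)."""
    warnings = []
    if not host:
        warnings.append("no SMTP host configured")
    if port not in (25, 465, 587):
        warnings.append(f"unusual SMTP port {port}")
    if username and not secure:
        warnings.append("SMTP credentials would be sent over an unencrypted session; enable Secure SMTP")
    if port == 465 and not secure:
        warnings.append("port 465 normally expects implicit TLS but Secure SMTP is disabled")
    if not _MAILBOX.fullmatch(sender or ""):
        warnings.append(f"From address {sender!r} is not a valid mailbox")
    return warnings


def send_test_email(host, port, secure, username, password, sender, recipient, timeout=10):
    """Send a test message the way the wizard's Test button does; returns True on success.

    Implicit TLS on port 465, STARTTLS on any other port when secure is set; the server
    certificate is validated against the system trust store. Requires network access.
    """
    msg = EmailMessage()
    msg["Subject"] = "Deep Instinct SMTP configuration test"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("Test message sent to verify the SMTP Server settings.")
    context = ssl.create_default_context()
    if secure and port == 465:
        client = smtplib.SMTP_SSL(host, port, timeout=timeout, context=context)
    else:
        client = smtplib.SMTP(host, port, timeout=timeout)
    with client:
        if secure and port != 465:
            client.starttls(context=context)
        if username:
            client.login(username, password)
        client.send_message(msg)
    return True


if __name__ == "__main__":
    print("generated password:", generate_password())
    # Placeholder settings (assumption): a relay on port 25 with credentials but no TLS.
    print(review_smtp_settings("mail.example.com", 25, False, "relay-user", "deep-instinct@example.com"))
```

Run review_smtp_settings on the values you intend to type into the wizard; an empty list means no
obvious problem, and send_test_email reproduces the Test button against a real server so that
a failure can be debugged outside the console.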


3. Dashboard, Monitoring and Reports


3.1. Dashboard
The Dashboard is the main page in the Management Console. It provides a single page overview
of the organization status that summarizes all indicators in the system. From this screen, all other
operational screens can be accessed.

Dashboard Screen with Callouts

Dashboard Drop-Down

Dashboard Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 Tenant Selection Only available on Dashboards with MSP support, where the Dashboard
displays information for a specific MSP. Use this drop-down box to display
information for a specific tenant or for all tenants in the MSP.

3 Open Detection Event Counters Displays the number of events, files and devices identified
from open detection events, listed in the Event List (Suspicious Events are not
included). Use the drop-down box to select the time period included
in the displayed counters.
For the selected time period, the following counters are displayed:
▪ Detection Events – Displays the number of currently open events,
where Deep Instinct detected a threat without preventing its
operation. Click this counter to open the Event List and display
more information on these events.
▪ Detection Events by File – Displays the number of unique files (with
unique hash values) identified from open detection events. Click
this counter to open the File List and display more information on
these files.
▪ Detection Events by Device – Displays the number of devices from
open detection events.
▪ To display counters per platform, hover over a counter to display
the Information icon, then click it. Click a platform counter to open
the appropriate Monitor screen and display additional relevant
information.


4 Open Prevention Event Counters Displays the number of events, files and devices identified
from open prevention events, listed in the Event List (Suspicious Events are not
included). Use the drop-down box to select the time period included
in the displayed counters.
For the selected time period, the following counters are displayed:
▪ Prevention Events – Displays the number of currently open events,
where Deep Instinct prevented a threat from activation. Click this
counter to open the Event List and display more information on
these events.
▪ Prevention Events by File – Displays the number of unique files
(with unique hash values) identified from open prevention events.
Click this counter to open the File List and display more
information on these files.
▪ Prevention Events by Device – Displays the number of devices from
open prevention events.
▪ To display counters per platform, hover over a counter to display
the Information icon, then click it. Click a platform counter to open
the appropriate Monitor screen and display additional relevant
information.

5 Drop-down Arrow Click this drop-down arrow to display additional counters.

6 Registered Devices Displays the current number of registered devices in the
organization. Click this counter to open the Device List and display
more information on these devices.

7 Disconnected Devices Displays the number of registered devices that have stopped
communicating with the D-Appliance.
Click this counter to open the Device List and display more
information on these devices.
Hover over this counter to display the Information icon, then click
it to display counters per platform. Click a platform counter to
open the Device List and display more information on the
disconnected devices for the selected platform.


8 Non-Compliant Devices Displays the number of devices with open non-compliance events,
where Deep Instinct detected non-compliance issues. Use the drop-
down box to select the time period for the displayed counter.
Hover over this counter to display the Information icon, then click
it to display counters per platform. Click a platform counter to
open the Device List and display more information on open non-
compliant devices for the selected platform.

9 Scanned Files Displays the total number of files that were scanned. After a relevant
update occurs, existing files may be scanned again and the counter
indicates the number of scans.
Hover over this counter to display the Information icon, then click
it to display counters per platform.
For Dashboards with MSP support, the information displayed is for
the selected MSP.

10 High Risk Devices Displays the list of devices that have the highest risk based on the
number of open events.
Use the drop-down box to define the time period of the events for
the list. Events from the last day to 1 year can be selected to create
the list of high risk devices.
Click the device name to display more details for this device. The
Device List opens displaying more information about this device.
Click X to close this widget.

11 High Risk Users Displays the list of users that have the highest risk based on the
number of open events.
Use the drop-down box to define the time period of the events for
the list. Events from the last day to 1 year can be selected to create
the list of high risk users.
Click the username to display more details for this user. The Event
List opens displaying more information about this user.
Click X to close this widget.


12 Top Deep Classification Displays the list of threat classifications that have the highest
occurrences. To the right of the list, a pie chart illustrates the
information in the list.
Use the drop-down box to define the time period of the events for
the list. Events from the last day to 1 year can be selected to create
the list of the top classifications.
Click the classification to open the Event List and display all events
related to the selected classification.
Click X to close this widget.

13 Top Malicious File Types Displays the list of file types that have the highest occurrences of
malicious files. To the right of the list, a pie chart illustrates the
information in the list.
Use the drop-down box to define the time period of the events for
the list. Events from the last day to 1 year can be selected to create
the list of the top malicious file types.
Click the file type to open the Event List and display all events related
to the selected file type.
Click X to close this widget.

14 Deployment Status Displays information on the deployment status and device status. It
indicates the progress of the deployment, as well as the status of the
devices in your organization. To the right of the list, a pie chart
illustrates the information in the list.
The information displayed is per platform. Use the drop-down box to
select the platform.
Click the status in the list to open the Device List and display all
devices related to the selected status.
Click X to close this widget.

15 D-Client Version Displays the list of D-Client versions installed on the devices in your
organization.
The information displayed is per platform. Use the drop-down box to
select the platform.
Click the version number to open the Device List and display all
devices with the selected version.
Click X to close this widget.
By default, this is not displayed. To display this widget, use the drop-
down box on the bottom of the screen to select this widget and click
Add Widget.


16 Top Non-Compliant Types Displays the list of compliance issues that have the highest
occurrences for generating non-compliance events. To the right of
the list, a pie chart illustrates the information in the list.
Use the drop-down box to define the time period of the events for
the list. Events from the last day to 1 year can be selected to create
the list of the top non-compliant types.
Click the non-compliant type to open the Event List and display all
events related to the selected non-compliant type.
Click X to close this widget.

17 D-Brain Package Displays the list of D-Brain packages installed on the devices in your
organization.
The information displayed is per platform. Use the drop-down box to
select the platform.
Click the package number to open the Device List and display all
devices with the selected packages.
Click X to close this widget.
By default, this is not displayed. To display this widget, use the drop-
down box on the bottom of the screen to select this widget and click
Add Widget.

18 Reset Dashboard Click to reset all the widgets in the Dashboard to their default
settings.

19 Customize Dashboard Customizes the Dashboard by adding widgets to the Dashboard. To
add a widget, use the drop-down box on the bottom of the screen to
select the widget and click Add Widget.
The Dashboard may contain several instances of the same widget.
This allows the same widget to be displayed for different time
periods.
Widgets can be moved using a drag-and-drop operation.
Widgets can be deleted by clicking X in the widget.

20 Help Icon Click the Help icon and a list of help options is displayed, as
follows:
▪ About Deep Instinct – Opens the About screen. It displays the
current version of the Management Console and allows you to
download the user manuals.
▪ Release Notes – Opens the Release Notes screen. From this screen
you can display all the D-Client versions available for use. It
includes detailed information for each version and permits you to
download the installation package for each D-Client version.
▪ Deep Instinct Portal – Opens the Deep Instinct portal to give
access to training, support tickets and other useful information.

21 Notification Icon In the top Navigation bar for all Deep Instinct screens, the
Notification icon is displayed to notify you about system alerts and
file analysis notifications.

22 Administration Icon Click the Administration icon and a list of options is displayed to
permit the administrator to access miscellaneous administrative
tasks and information, as follows:
▪ My Profile – Opens the My Profile screen and displays the account
details for the administrator that is currently signed in. It also
allows the administrator to change their password.
▪ Audit Log – Opens the Audit Log screen, which displays a log of all
administrative activities.
▪ Sign Out – Click to sign out from Deep Instinct.

3.2. Monitor Screens


Deep Instinct™ has several screens to display information for easy monitoring. These screens are
available from the Management Console and Hub Console. Deep Instinct contains the following
monitor screens:

▪ Event List

▪ Suspicious Event List

▪ Device List

▪ File List

The following figure illustrates a typical monitoring screen with numbered callouts. The callouts
are described in the table below.


Event List Screen with Callouts

Monitor Screens Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator, some
options may not be displayed.

2 Clear Filter Click to clear all column filters.

3 View Configuration Click to select an option to define preset and current views of the
table. These views are defined separately for each administrator. The
options are as follows:
▪ Views – Select the preset view to define the current view and how
the table is displayed. The current view defines the column
location, width, sort, filters, and which column is displayed.
▪ Reset – Resets the table view to the default settings of the current
preset view. 
▪ Update to match current view – Saves the current view as the
default of the current preset view.


▪ Rename – Opens a dialog box to change the name of the current
preset view.
▪ Remove – Removes the current preset view from the list and
changes the current preset view to Default View. Default View
cannot be removed.
▪ Create new – Opens a dialog box to create a new preset view based
on the current table settings. Once created, this view becomes the
current preset view.

4 Column Selector Defines which columns are displayed in the table. Select or clear a
column's checkbox to show or hide that column.

5 Export Click to select an option to export the data from the table. The
options are as follows:
▪ Export all columns – Creates an Excel file that contains all entries
displayed in the table, with data from all columns available.
▪ Export visible columns – Creates an Excel file that contains all
entries displayed in the table, with data from all columns displayed.
To define what is displayed in the table, use Filters to define which
entries are displayed and Column Selector to define which columns
are displayed.

6 Entry Selection Selecting an entry in this table provides you with several features, as
follows:
▪ Details screen – Click an entry to open the associated Details
screen for the selected entry. To view the Details screen in a
separate tab, right-click the entry and select Open in a new tab. For
more information, see Event Details, Suspicious Event
Details, Device Details and File Details screens.
▪ Action Options – Right-click an entry to open the available options
that can be performed with the selected entry.

7 Selection Checkbox Checkboxes are available to allow entries to be selected. This allows
the administrator to select multiple entries, to implement a single
action, on multiple events, devices or files. Select an action using the
Action Options, item 10.

8 Select All / Clear All Select this checkbox to select all entries or clear all selected entries.
Select an action for all selected items using the Action Options, item
10.


9 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.

10 Action Options Once entries have been selected, this feature appears. Click this
drop-down menu to open the available options that can be
performed to the selected entries.

11 Items per Page Sets the number of entries per page. From the footer of the page you
may select whether 25, 50, 100 or 150 entries are included per page.

12 Page View Sets the page currently viewed. From the footer of the page you can
select the page to be displayed.

3.2.4 Event Lists


Deep Instinct™ includes two lists that are used to monitor all events. The following lists are
available from the Management Console and Hub Console: 

▪ Event List

▪ Suspicious Event List

3.2.4.1 Event List Screen


The Event List screen displays a table that contains detailed information for most events. All other
events (those triggered by suspicious activity) are displayed in the Suspicious Event List. To open
the Event List screen, select Monitor > Events from the left pane. The table of events includes the
following information:

▪ Start Date – Date and time that the event started, based on the D-Appliance clock. When the
D-Client and the D-Appliance clocks differ, the value shown is the D-Appliance date and
time at which the event occurred on the D-Client, not the D-Client's own clock.

▪ End Date – Date and time that the event was closed based on the D-Appliance clock. If the
event is not closed, no value is displayed. By default, this information is not displayed. To
display this information, change the settings in the Column Selector.

▪ Last Reoccurrence – Date and time of last occurrence for duplicate events (same event on
the same device). When an event has no reoccurrence, there is no value displayed. By
default, this information is not displayed. To display this information, change the settings in
the Column Selector.

▪ Reoccurrences – For duplicated events, displays the number of reoccurrences, that is, the
total number of occurrences minus one. By default, this information is not displayed. To
display this information, change the settings in the Column Selector.


▪ ID – A unique identification number assigned to the event by Deep Instinct™.

▪ Status – Displays the current status of the event. It indicates whether the event is open or
closed.

▪ Action – It identifies whether the action of the event was detected, prevented or the event
was non-compliant.

▪ Type – This identifies the type of event that occurred. By default, this information is not
displayed. To display this information, change the settings in the Column Selector.

▪ Deep Classification – Displays the primary classification for the file identified in the event.
After a PE (Portable Executable) file is identified as a threat, the file is analyzed using deep
learning to determine its classifications.

▪ Threat Severity – Displays the threat severity level for the file identified in the event. By
default, this information is not displayed. To display this information, change the settings in
the Column Selector.

▪ Details – Detail information about the event. This identifies the filename, type of attack or
type of non-compliant issue.

▪ Event Trigger – Displays the reason that the event was triggered. By default, this information
is not displayed. To display this information, change the settings in the Column Selector.

▪ File Hash – Hash value (SHA-256) of the file identified. By default, this information is not
displayed. To display this information, change the settings in the Column Selector.

▪ File Type – Type of the file identified.

▪ File Size – Size of the file identified. By default, this information is not displayed. To display
this information, change the settings in the Column Selector.

▪ Signed – Specifies whether the file identified is signed by a certificate. By default, this
information is not displayed. To display this information, change the settings in the Column
Selector.

▪ Certificate Thumbprint – Displays the thumbprint of the certificate for signed files
associated with the event. By default, this information is not displayed. To display this
information, change the settings in the Column Selector.

▪ Certificate Owner – Displays the Subject (owner) of the certificate for signed files associated
with the event. By default, this information is not displayed. To display this information,
change the settings in the Column Selector.

▪ Last Action – Displays the last action performed related to the event and whether the action
was successful (for example: File quarantined successfully, File restored successfully).

▪ Device Name – Assigned name for the device.

▪ Logged in Users – For Windows, macOS and Linux devices, displays all the users that were
logged on to the device at the time of the event. By default, this information is not
displayed. To display this information, change the settings in the Column Selector.


▪ IP Address – IP address of the device. By default, this information is not displayed. To display
this information, change the settings in the Column Selector.

▪ MAC Address – MAC address of the device. By default, this information is not displayed. To
display this information, change the settings in the Column Selector.

▪ Device ID – A unique identification number assigned to the device by Deep Instinct. By
default, this information is not displayed. To display this information, change the settings in
the Column Selector.

▪ Platform – Type of platform (OS) on the device.

▪ Policy – Name of the policy associated with the device at the time the event occurred. By
default, this information is not displayed. To display this information, change the settings in
the Column Selector.

▪ Device Group – Name of the Device Group associated with the device at the time the event
occurred. By default, this information is not displayed. To display this information, change
the settings in the Column Selector.

▪ MSP – Name of the MSP associated with the device that triggered the event. By default, this
information is not displayed. To display this information, change the settings in the Column
Selector. This column is only available from the Hub Console.

▪ Tenant – Name of the tenant that owns the device that triggered the event. By default, this
information is not displayed. To display this information, change the settings in the Column
Selector. This column is only available on systems with MSP support.

▪ Tag – Displays the Device Tag of the device that triggered the event. By default, this
information is not displayed. To display this information, change the settings in the Column
Selector.

▪ D-Client Version – Version number of the D-Client installed on the device at the time the
event occurred. By default, this information is not displayed. To display this information,
change the settings in the Column Selector.

▪ D-Brain Package – Package number of the D-Brain installed on the device at the time the
event occurred. By default, this information is not displayed. To display this information,
change the settings in the Column Selector.

▪ Active User – Displays the name of the user that initiated the event. By default, this
information is not displayed. To display this information, change the settings in the Column
Selector.

▪ File Status – Displays whether the file associated with the event was uploaded to the D-
Appliance. The file must first be uploaded to the D-Appliance to perform a threat analysis
on the file or to download the file. By default, this information is not displayed. To display
this information, change the settings in the Column Selector.

▪ Report Status – The status of the file threat analysis report. If the status is set to Cannot be
generated, a report cannot be generated for the file or the file has not been uploaded from
the device. By default, this information is not displayed. To display this information, change
the settings in the Column Selector.

▪ Comment – Displays comments for the event entered by the security administrator.

▪ Closed by D-Cloud – Indicates whether the event was closed based on information
received from the D-Cloud.

By default, events closed by D-Cloud are not displayed and this column is not available. To
display these events, set Show events that were closed by D-Cloud to Show in General
Settings. The column then becomes available but remains hidden; select it in the Column
Selector to display it.
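The Dashboard counters described in section 3.1 (open Detection and Prevention Events, their
"by File" and "by Device" variants, and the High Risk Devices widget) are derived from the same
open events listed in this table. The following Python script is an added example, not part of
this guide or of the product: it recomputes those counters from an Event List export, assuming
the exported Excel file was saved as CSV with the column names above, that Status is Open or
Closed, that Action is Detected, Prevented or Non-compliant, and that Start Date uses the format
YYYY-MM-DD HH:MM:SS on the D-Appliance clock. The rows it contains are constructed sample data.
Suspicious Events are kept in their own list and never enter this export, which matches their
exclusion from the counters.

```python
"""Recompute the Dashboard's open-event counters from an Event List export.

Added example, not Deep Instinct code. Assumptions: the export from Monitor > Events was
saved as CSV with the Event List column names; Status is "Open" or "Closed"; Action is
"Detected", "Prevented" or "Non-compliant"; Start Date is "YYYY-MM-DD HH:MM:SS". The
sample rows below are constructed, not real events.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"
_H = {k: k * 64 for k in "abcd"}  # placeholder SHA-256 values (one hex letter repeated)

SAMPLE_EXPORT = "ID,Start Date,Status,Action,File Hash,Device Name,Platform\n" + "\n".join([
    f"1001,2021-07-01 09:12:00,Open,Prevented,{_H['a']},WS-001,Windows",
    f"1002,2021-07-01 10:00:00,Open,Prevented,{_H['a']},WS-002,Windows",  # same file, 2nd device
    f"1003,2021-06-30 15:30:00,Closed,Prevented,{_H['b']},WS-003,macOS",  # closed: not counted
    f"1004,2021-07-02 08:00:00,Open,Detected,{_H['c']},WS-001,Windows",
    f"1005,2021-07-02 08:05:00,Open,Detected,{_H['c']},WS-001,Windows",   # same file again
    f"1006,2021-05-01 12:00:00,Open,Detected,{_H['d']},WS-004,Linux",     # older than 7 days
    "1007,2021-07-02 11:00:00,Open,Non-compliant,,WS-005,Windows",        # no file involved
])
SAMPLE_NOW = datetime(2021, 7, 3)  # fixed reference time for the sample; a real run uses now()


def load_events(csv_text: str) -> list:
    """Parse the CSV export into a list of {column: value} rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def open_events(events, now, days, action=None):
    """Open events whose Start Date falls within the last `days` days (any action if None)."""
    cutoff = now - timedelta(days=days)
    return [
        e for e in events
        if e["Status"] == "Open"
        and (action is None or e["Action"] == action)
        and datetime.strptime(e["Start Date"], DATE_FMT) >= cutoff
    ]


def event_counters(events, now, days, action):
    """The three Dashboard counters for one action: events, unique files, unique devices."""
    evs = open_events(events, now, days, action)
    return {
        "events": len(evs),
        "files": len({e["File Hash"] for e in evs if e["File Hash"]}),  # unique SHA-256 values
        "devices": len({e["Device Name"] for e in evs}),
    }


def high_risk_devices(events, now, days, top=5):
    """Devices ranked by number of open events in the window (the High Risk Devices widget)."""
    return Counter(e["Device Name"] for e in open_events(events, now, days)).most_common(top)


def dashboard_summary(csv_text, now=None, days=7):
    """Detection and prevention counters plus the high-risk device ranking for one window."""
    now = now or datetime.now()
    events = load_events(csv_text)
    return {
        "detection": event_counters(events, now, days, "Detected"),
        "prevention": event_counters(events, now, days, "Prevented"),
        "high_risk_devices": high_risk_devices(events, now, days),
    }


if __name__ == "__main__":
    print(dashboard_summary(SAMPLE_EXPORT, SAMPLE_NOW))
```

Point dashboard_summary at a real export to cross-check the figures shown on the Dashboard, or to
compute them for a time window the drop-down does not offer. Non-compliance events carry no file
hash, which is why the "files" counter skips empty hash values.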

Event List

From this screen, you can do the following:

▪ Filter the information to display only the relevant entries.

▪ Sort the information by clicking on column headings. The information in the table is sorted
based on the selected column.

▪ Define which columns are displayed.

▪ Define the location for each column.

▪ Create, view, update and remove custom preset views of the table.

▪ Clear all filters in the table.

▪ Export the data from the table to an Excel file.

▪ Access the Event Details screen for a selected event.

▪ Add or edit comments for events.

▪ Add files, scripts, paths, certificates or processes identified in the events to the allow list.

▪ Add files identified in the events to the deny list.

▪ Add folders identified in the events to the exclusion list.

▪ Upload files identified in the events to the D-Appliance.

▪ Perform file analyses for identified files and display the reports.

▪ Delete malicious files identified in the events.

▪ Terminate the processes associated to the files identified in the events.

▪ Download files identified in the events.

▪ Close open events.

3.2.4.2 Suspicious Event List Screen


The Suspicious Event List screen displays a table that contains detailed information for events that
were triggered by suspicious activities. All other events are displayed in the Event List. To open the
Event List screen, select Monitor > Events from the left pane. The table of suspicious events includes
the following information:

▪ ID – A unique identification number assigned to the event by Deep Instinct.

▪ Start Date – Date and time that the event started based on the D-Appliance clock. When the
D-Client and the D-Appliance clocks are different, the date and time displayed is the date
and time on the D-Appliance when event occurred on the D-Client.

▪ MITRE ATT&CK ID – Displays the identification number of the MITRE ATT&CK Tactic and
Technique for the suspicious activity associated with the event.

▪ MITRE Tactic Name – Displays the name of the MITRE ATT&CK Tactic for the suspicious
activity associated with the event.

▪ MITRE Technique Name – Displays the name of the MITRE ATT&CK Technique for the
suspicious activity associated with the event.

▪ MITRE Sub-Technique Name – Displays the MITRE ATT&CK Sub-Technique for the suspicious
activity associated with the event.

▪ Threat Severity – Displays the threat severity level for the suspicious activity associated with
the event.

▪ Details – Detail information about the event.

▪ Event Status – Displays the current status of the event. It indicates whether the event is
open or closed.

▪ Rule Trigger – Displays the category of the rule that triggered the event.

▪ Remediation – Displays the remediation action that was performed on the threat.

▪ Event Action – It identifies whether the action of the event was detected, prevented or
remediated.

▪ Event Type – This identifies the type of event that occurred.

▪ Event Trigger – Displays the reason that the event was triggered. By default, this information
is not displayed. To display this information, change the settings in the Column Selector.

▪ File Hash – Hash value (SHA-256) of the file identified. By default, this information is not
displayed. To display this information, change the settings in the Column Selector.

▪ File Type – Type of the file identified.

▪ Last Action – Displays the last action performed related to the event and whether the action
was successful (for example: File quarantined successfully, File restored successfully).

▪ Device Name – Assigned name for the device.

▪ Logged in Users – For Windows, macOS and Linux devices, displays all the users that were
logged on to the device at the time of the event. By default, this information is not
displayed. To display this information, change the settings in the Column Selector.

▪ IP Address – IP address of the device. By default, this information is not displayed. To display
this information, change the settings in the Column Selector.

▪ MAC Address – MAC address of the device. By default, this information is not displayed. To
display this information, change the settings in the Column Selector.

▪ Device ID – A unique identification number assigned to the device by Deep Instinct. By
default, this information is not displayed. To display this information, change the settings in
the Column Selector.

▪ Platform – Type of platform (OS) on the device.

▪ Policy – Name of the policy associated with the device at the time the event occurred. By
default, this information is not displayed. To display this information, change the settings in
the Column Selector.

▪ Device Group – Name of the Device Group associated with the device at the time the event
occurred. By default, this information is not displayed. To display this information, change
the settings in the Column Selector.

▪ MSP – Name of the MSP associated with the device that triggered the event. By default, this
information is not displayed. To display this information, change the settings in the Column
Selector. This column is only available from the Hub Console.

▪ Tenant – Name of the tenant that owns the device that triggered the event. By default, this
information is not displayed. To display this information, change the settings in the Column
Selector. This column is only available on systems with MSP support.

▪ Tag – Displays the Device Tag of the device that triggered the event. By default, this
information is not displayed. To display this information, change the settings in the Column
Selector.

▪ D-Client Version – Version number of the D-Client installed on the device at the time the
event occurred. By default, this information is not displayed. To display this information,
change the settings in the Column Selector.

▪ D-Brain Package – Package number of the D-Brain installed on the device at the time the
event occurred. By default, this information is not displayed. To display this information,
change the settings in the Column Selector.   

▪ Active User – Displays the name of the user that initiated the event. By default, this
information is not displayed. To display this information, change the settings in the Column
Selector.

▪ File Status – Displays whether the file associated with the event was uploaded to the D-
Appliance. The file must first be uploaded to the D-Appliance to perform a threat analysis
on the file or to download the file. By default, this information is not displayed. To display
this information, change the settings in the Column Selector.

▪ Comment – Displays comments for the event entered by the security administrator.

Figure: Suspicious Event List

From this screen, you can do the following:

▪ Filter the information to only display the relevant information.

▪ Sort the information by clicking on column headings. The information in the table is sorted
based on the selected column.

▪ Define which columns are displayed.

▪ Define the location for each column.

▪ Create, view, update and remove custom preset views of the table.

▪ Clear all filters in the table.

▪ Export the data from the table to an Excel file.

▪ Access the Suspicious Event Details screen for a selected event.

▪ Add or edit comments for events.

▪ Add scripts or processes identified in the events to the allow list.

▪ Delete malicious files identified in the events.

▪ Terminate the processes associated to the files identified in the events.

▪ Close open events.

3.2.5 File List Screen


The File List screen displays a table that contains detailed information for all malicious files identified
from the events. The table contains one entry per hash value. To open the File List screen,
select Monitor > Files from the left pane. The table of files includes the following information:

▪ File Hash – File hash value (SHA-256) for the file identified from the events.

▪ File Names – Displays the names of all the files with the hash value specified.

▪ File Type – Determined file type for the hash value specified.

▪ Deep Classification – Displays the primary classification of the file with the hash value
specified. After a PE file is identified as a threat, the file is analyzed using deep learning to
determine its classifications.

▪ Signed – Specifies whether the file in the entry contains a signed certificate.

▪ Certificate Thumbprint – When the file in the entry is signed, the thumbprint of the
certificate is displayed. By default, this information is not displayed. To display this
information, change the settings in the Column Selector.

▪ Certificate Owner – When the file in the entry is signed, the Subject (owner) of the certificate
is displayed. By default, this information is not displayed. To display this information, change
the settings in the Column Selector.

▪ Platform – Displays the platforms (OS) for all the devices that generated file events per hash
value.

▪ Event Actions – Displays the categories for all file events per hash value. It identifies whether
the actions of the events detected threats and/or prevented threats.

▪ Event Statuses – Displays the current statuses for the events where the file was identified. It
indicates whether the events are open, closed, or the device has open and closed events.
By default, this information is not displayed. To display this information, change the settings
in the Column Selector.

▪ MSPs – Displays the MSPs for all the devices that generated file events per hash value. By
default, this information is not displayed. To display this information, change the settings in
the Column Selector. This column is only available from the Hub Console.

▪ Tenants – Displays the tenants for all the devices that generated file events per hash value.
This column is only available on systems with MSP support.

▪ Devices – Names of the devices from where the file was identified.

▪ Events – Number of events where the file was identified.

▪ First Seen – Displays the date and time of the first event that identified the file per hash
value. The date and time are based on the D-Appliance clock.

▪ Last Seen – Displays the date and time of the last event that identified the file per hash
value. The date and time are based on the D-Appliance clock. By default, this information is
not displayed. To display this information, change the settings in the Column Selector.

▪ File Status – Displays whether a file with the specified hash value was uploaded to the D-
Appliance. By default, this information is not displayed. To display this information, change
the settings in the Column Selector.

▪ Comment – Displays comments for the file hash, entered by the security administrator.

Figure: File List

From this screen, you can do the following:

▪ Filter the information to only display the relevant information.

▪ Sort the information by clicking on column headings. The information in the table is sorted
based on the selected column.

▪ Define which columns are displayed.

▪ Define the location for each column.

▪ Create, view, update and remove custom preset views of the table.

▪ Clear all filters in the table.

▪ Export the data from the table to an Excel file.

▪ Access the File Details screen for a selected file.

▪ Add or edit comments for files.

▪ Add file hashes or certificates to the allow list.

▪ Add file hashes to the deny list.

▪ Download files.

▪ Close open events.

3.3. Event Details Screen


The Event Details screen provides a detailed and deep view of an event incident, allowing the
administrator to better understand the impact of the threat. Detailed information is available for all
events. The information displayed is based on the event type and its remediation. To display the
Event Details screen for a specific event, open the Event List and click the event entry.

The following figures illustrate a typical Event Details screen and previews with numbered callouts.
The callouts are described in the table below.

Figure: Event Details Screen with Callouts

Figure: Events by This Hash Preview with Callouts

Figure: Events by This Device Preview with Callouts

Event Details Screen Components

Item Term Description

1  Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 Event Details Tabs These tabs switch the information displayed for the selected event.
The tabs are as follows:
▪ Information – Displays detail information about the event and the
device that triggered the event.
▪ Static Analysis – Displays the results from the static threat analysis
of the file that triggered the event.
▪ Sandbox Analysis – Displays the results from the dynamic threat
analysis of the file that triggered the event.

3 Export Click to create a HTML file that contains the data available from all
the tabs in this screen.

4 Options Icon Click this icon to open the available options that can be performed in
association with the displayed event. The options available vary
based on the type of event. From this icon, you may perform the
following tasks:
▪ Add or edit comments for the event.
▪ Add file, script, path, certificate or process identified in the event to
the allow list.
▪ Add the file identified in the event to the deny list.
▪ Add the folder identified in the event to the exclusion list.
▪ Upload the file identified in the event to the D-Appliance.
▪ Download the file identified in the event.
▪ Close the event.
▪ Terminate the process associated with the event.
▪ Delete the file from the device.

5 Deep Classification Displays the classification of PE (Portable Executable) files. After a PE
file is identified as a threat, the file is analyzed using the Deep
Classification’s prediction model to determine its classification.
When multiple classifications are displayed, the percentages indicate
the probability for each threat type. For example, if the percentages
are close, the percentages indicate that the threat has several
characteristics.
The available classifications are as follows:
▪ Ransomware – A type of threat that encrypts, publishes, wipes
or blocks the victim’s data, unless a ransom is paid.
▪ Backdoor – A type of threat that bypasses authentication,
privileges or encryption to access data, computer or network.
▪ Dropper – A type of threat (malware component) that installs
malware to a target system.
▪ Potentially Unwanted Application (PUA) – A threat that may
compromise privacy, weaken the machine or network security,
download/install additional content or present ads.
▪ Spyware – A type of threat that gathers information about a
machine, person or organization without their knowledge.
▪ Virus – A type of threat that, when executed, replicates itself by
modifying other computer programs and inserting its own code.
▪ Worm – A type of threat that is a standalone program that
replicates itself in order to spread to other computers.

6 General Event Information This section displays general information about the event. It includes
the following information:
▪ Event ID – A unique identification number for the event, assigned
to the event by Deep Instinct™.

▪ Event Status – Specifies the current status of the event. It indicates
whether the event is open or closed.
▪ Event Action – Displays the category of the event that occurred. It
identifies whether the action of the event was detected, prevented
or the event was non-compliant.
▪ Event Type – Displays the type of event that occurred.
▪ Threat Severity – Displays the threat severity level for the file
identified in the event.
▪ Reoccurrences – For duplicated events (same event on the same
device), displays the number of reoccurrences, which is one less
than the number of event occurrences. This information is only
displayed for events that have reoccurrences. Move the mouse
pointer over the information icon to display more information
about the reoccurrences.
▪ Details – Displays more information about the event. This identifies
the filename, type of attack or type of non-compliant issue.
▪ File Type – Type of the file identified.
▪ File Size – Size of the file identified.
▪ File Hash – Hash value (SHA-256) of the file identified. Using this
hash value, the following actions may be performed:
▪ Google – Click to search this hash value using Google Search.
▪ VT – Click to open VirusTotal and display information about the
file identified in the event.
▪ AlienVault – Click to open AlienVault and display information
about the file identified in the event.
▪ Certificate – Displays the Subject (owner) and thumbprint of the
certificate for signed files associated with the event.
▪ Comment – Displays comments for the event entered by the
security administrator.

7 MITRE Mapping Displays the MITRE ATT&CK mapping for the event. This section
includes the following information:
▪ Tactic – Displays the MITRE ATT&CK Tactic names and identification
numbers mapped for the suspicious activity associated with the
event.
Click the tactic information to open the MITRE ATT&CK website
and display more information about the tactic.

▪ Technique – Displays the MITRE ATT&CK Technique names and
identification numbers mapped for the suspicious activity
associated with the event.
Click the technique information to open the MITRE ATT&CK
website and display more information about the technique.
▪ Sub-Technique – Displays the MITRE ATT&CK Sub-Technique
names and identification numbers mapped for the suspicious
activity associated with the event.
Click the sub-technique information to open the MITRE ATT&CK
website and display more information about the sub-technique.

8 Events by This Hash Displays additional information related to the file identified in this
event. Based on the hash value of the file, this section includes the
following information:
▪ Events by This Hash – Displays the number of events triggered by
files with the same hash value.

– The red number indicates the number of triggered detection
events. Click this number to open the Event List and display more
information on these detection events.
– The blue number indicates the number of triggered
prevention events. Click the number to open the Event List and
display more information on these prevention events.
▪ Devices – Displays the number of devices that triggered events by
a file with the same hash value. Click the white number to open the
Device List and display more information on these devices.
▪ Click Preview to display a preview of the last five events
triggered.

9 Events by This Hash Preview Based on the hash value of the file in this event, this displays a
preview of the last five events triggered by a file with the same hash
value. The preview includes the following information:
▪ Start Date – Date and time that the event started based on the D-
Appliance clock.
▪ Device Name – The assigned name for the device that triggered
the event.
▪ Details – Displays more information about the event. This identifies
the filename and location of the associated file.
▪ Last Action – Displays the last action performed related to the
event and whether the action was successful.

▪ View in Device List – Click to open the Device List and display all
devices that triggered events by a file with the same hash value.
▪ View in Event List – Click to open the Event List and display all
events triggered by files with the same hash value.

10 Process Chain Displays the sequence of processes that initiated and triggered the
event. The information displayed includes the process name and
process ID (PID).
The last process is the process that gets terminated when the
Terminate Process action is performed.

11 Life Cycle Displays the sequence of actions for the event, in chronological
order. The information displayed includes the following:
▪ Start and end actions for the event.
▪ Intermediate actions related to the event, including file deleted,
restored and quarantined.
▪ Date and time of each action.

12 Device Information This section displays general information about the device that
triggered the event. The information displayed is at the time of the
event. It includes the following:
▪ Device Name – Assigned name for the device that triggered the
event.
▪ Device ID – Unique identification number for the device that
triggered the event.
▪ Platform – Type of platform (OS) on the device that triggered the
event.
▪ OS Version – Version number of the operating system. By default,
this information is not displayed.
▪ IP Address – IP address of the device that triggered the event.
▪ MAC Address – MAC address of the device that triggered the event.
▪ D-Client Version – Version number of the D-Client installed on the
device that triggered the event.
▪ D-Brain Package – Package number of the D-Brain installed on the
device that triggered the event.
▪ Policy – Name of the policy associated with the device that
triggered the event.
▪ Device Group – Name of the Device Group associated with the
device that triggered the event.

▪ MSP Name – Name of the MSP associated with the device. This
information is only displayed on the Hub Console.
▪ Tenant – Name of the tenant that owns the device that triggered
the event. This information is only displayed on systems with MSP
support.
▪ Tag – Device Tag of the device that triggered the event.
▪ Active User – For Windows and macOS devices, displays the name
of the active user at the time of the event.
▪ Logged in Users – For Windows, macOS and Linux devices, displays
all the users that were logged on to the device at the time of the
event.

13 Events by This Device Displays additional information related to all the events that were
triggered by the device described in this screen. It includes the
following information:
– The red number indicates the number of detection events
triggered by this device. Click the number to open the Event List to
view all detection events triggered by this device.
– The blue number indicates the number of prevention events
triggered by this device. Click the number to open the Event List to
view all prevention events triggered by this device.
– The orange number indicates the number of non-compliance
events triggered by this device. Click the number to open the Event
List to view all non-compliance events triggered by this device.
– The white number indicates the number of suspicious activity
events triggered by this device. Click the number to open the
Suspicious Event List to view all suspicious events triggered by this
device.
– Click Preview to display a preview of the last five events
triggered by this device.

14 Events by This Device Preview Based on the device that triggered this event, this displays a preview
of the last five events triggered by this device and the last five
suspicious events triggered by this device. The preview includes the
following information:
▪ Start Date – Date and time that the event started based on the D-
Appliance clock.
▪ Event Type – Displays the type of event that occurred.

▪ Details – Displays more information about the event. This identifies
the filename and location.
▪ Last Action – Displays the last action performed related to the
event and whether the action was successful.
▪ View in Event List – Click to open the Event List and display all
events in this list that were triggered by this device.
▪ View in Suspicious Event List – Click to open the Suspicious Event List
and display all suspicious events triggered by this device.
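
As an added example (not Deep Instinct code, and not a documented export format), the following Python rebuilds the File List aggregation described in section 3.2.5 (one entry per SHA-256 hash with its file names, devices, event count, first and last seen, and event statuses) and the Event Details counters described in this section (Events by This Hash, Events by This Device, Reoccurrences, and the last-five preview) from Event List rows. The Event field names, the "same event" rule used for reoccurrences, and the SAMPLE_EVENTS rows are assumptions constructed for illustration.

```python
# Added example: File List aggregation and Event Details counters from Event List rows.
# Not Deep Instinct code. Field names and the sample rows below are constructed to
# mirror the columns described in this guide; the console's real export may differ.
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    """One Event List / Suspicious Event List row (assumed field names)."""
    event_id: int
    start: datetime            # Start Date, based on the D-Appliance clock
    device: str                # Device Name
    file_hash: Optional[str]   # File Hash (SHA-256); None when the event has no file
    file_name: Optional[str]   # filename from the Details column
    action: str                # Event Action: detected | prevented | non-compliant | suspicious
    status: str                # Event Status: open | closed
    details: str               # Details column


@dataclass
class FileListEntry:
    """One File List row: the table contains one entry per hash value."""
    file_hash: str
    file_names: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    events: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    statuses: Set[str] = field(default_factory=set)

    @property
    def event_statuses(self) -> str:
        """Event Statuses column: Open, Closed, or both open and closed events."""
        if self.statuses == {"open", "closed"}:
            return "Open and Closed"
        return next(iter(self.statuses)).capitalize()


def build_file_list(events: List[Event]) -> Dict[str, FileListEntry]:
    """Fold every file event into the File List entry for its SHA-256."""
    entries: Dict[str, FileListEntry] = {}
    for ev in events:
        if ev.file_hash is None:   # non-compliance and suspicious rows carry no file hash
            continue
        entry = entries.setdefault(ev.file_hash, FileListEntry(ev.file_hash))
        if ev.file_name:
            entry.file_names.add(ev.file_name)
        entry.devices.add(ev.device)
        entry.events += 1
        entry.statuses.add(ev.status)
        if entry.first_seen is None or ev.start < entry.first_seen:
            entry.first_seen = ev.start
        if entry.last_seen is None or ev.start > entry.last_seen:
            entry.last_seen = ev.start
    return entries


def events_by_hash(events: List[Event], file_hash: str) -> Dict[str, int]:
    """Events by This Hash: red = detection events, blue = prevention events, white = devices."""
    hits = [ev for ev in events if ev.file_hash == file_hash]
    return {
        "detected": sum(ev.action == "detected" for ev in hits),
        "prevented": sum(ev.action == "prevented" for ev in hits),
        "devices": len({ev.device for ev in hits}),
    }


def events_by_device(events: List[Event], device: str) -> Dict[str, int]:
    """Events by This Device: red, blue, orange and white counters for one device."""
    counts = Counter(ev.action for ev in events if ev.device == device)
    return {a: counts[a] for a in ("detected", "prevented", "non-compliant", "suspicious")}


def reoccurrences(events: List[Event], event: Event) -> int:
    """Reoccurrences: one less than the occurrences of the same event on the same device.
    "Same event" is assumed here to mean same device, file hash and Details text."""
    key = (event.device, event.file_hash, event.details)
    occurrences = sum((ev.device, ev.file_hash, ev.details) == key for ev in events)
    return occurrences - 1


def last_five(events: List[Event], match: Callable[[Event], bool]) -> List[Event]:
    """Preview: the last five matching events, newest first by D-Appliance start time."""
    return sorted((ev for ev in events if match(ev)), key=lambda ev: ev.start, reverse=True)[:5]


# Constructed sample rows; H1 and H2 are placeholder hashes, not real file hashes.
H1, H2 = "11" * 32, "22" * 32
SAMPLE_EVENTS = [
    Event(101, datetime(2021, 7, 1, 9, 0), "WS-01", H1, "invoice.exe", "prevented", "closed", "invoice.exe Ransomware"),
    Event(102, datetime(2021, 7, 1, 9, 5), "WS-02", H1, "invoice.exe", "detected", "open", "invoice.exe Ransomware"),
    Event(103, datetime(2021, 7, 2, 11, 0), "WS-01", H1, "inv0ice.exe", "prevented", "open", "inv0ice.exe Ransomware"),
    Event(104, datetime(2021, 7, 2, 12, 0), "WS-01", H1, "invoice.exe", "prevented", "closed", "invoice.exe Ransomware"),
    Event(105, datetime(2021, 7, 3, 8, 0), "WS-03", H2, "tool.dll", "detected", "open", "tool.dll Dropper"),
    Event(106, datetime(2021, 7, 3, 8, 30), "WS-01", None, None, "non-compliant", "open", "D-Brain package outdated"),
    Event(107, datetime(2021, 7, 3, 9, 0), "WS-01", None, None, "suspicious", "open", "PowerShell suspicious activity"),
]

if __name__ == "__main__":
    for entry in build_file_list(SAMPLE_EVENTS).values():
        print(entry.file_hash[:12], sorted(entry.file_names), entry.events, entry.event_statuses)
    print("by hash:", events_by_hash(SAMPLE_EVENTS, H1), "by device:", events_by_device(SAMPLE_EVENTS, "WS-01"))
    print("reoccurrences of 101:", reoccurrences(SAMPLE_EVENTS, SAMPLE_EVENTS[0]))
```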

3.4. Suspicious Event Details Screen


The Suspicious Event Details screen provides a detailed and deep view of a suspicious event
incident, allowing the administrator to better understand the possible threat. Detailed information is
available for all suspicious events. The information displayed is based on the event type and its
remediation. To display the Suspicious Event Details screen for a specific event, open the
Suspicious Event List and click the event entry.

The following figures illustrate a typical Suspicious Event Details screen and preview with
numbered callouts. The callouts are described in the table below.

Figure: Suspicious Event Details Screen with Callouts

Figure: Suspicious Events by This Device Preview with Callouts

Suspicious Event Details Screen Components

Item Term Description

1  Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 General Event Information This section displays general information about the event. It includes
the following information:
▪ Event ID – A unique identification number for the event, assigned
to the event by Deep Instinct™.
▪ Event Status – Specifies the current status of the event. It indicates
whether the event is open or closed.
▪ Event Action – Displays the category of the event that occurred. It
identifies whether the action of the event was detected, prevented
or the event was non-compliant.
▪ Event Type – Displays the type of event that occurred.
▪ Threat Severity – Displays the threat severity level for the file
identified in the event.
▪ Details – Displays more information about the event. This identifies
the filename, type of attack or type of non-compliant issue.
▪ File Type – Type of the file identified.
▪ Path – Displays the path associated with the event.
▪ Rule Trigger – Displays the category of the rule that triggered the
event.
▪ Remediation – Displays the remediation action that was performed
on the threat.
▪ Source – Displays the source of the suspicious activity associated
with the event.
▪ Comment – Displays comments for the event entered by the
security administrator.

3 MITRE Mapping Displays the MITRE ATT&CK mapping for the event. This section
includes the following information:

▪ Tactic – Displays the MITRE ATT&CK Tactic names and identification
numbers mapped for the suspicious activity associated with the
event.
Click the tactic information to open the MITRE ATT&CK website
and display more information about the tactic.
▪ Technique – Displays the MITRE ATT&CK Technique names and
identification numbers mapped for the suspicious activity
associated with the event.
Click the technique information to open the MITRE ATT&CK
website and display more information about the technique.
▪ Sub-Technique – Displays the MITRE ATT&CK Sub-Technique
names and identification numbers mapped for the suspicious
activity associated with the event.
Click the sub-technique information to open the MITRE ATT&CK
website and display more information about the sub-technique.

4 Life Cycle Displays the sequence of actions for the event, in chronological
order. The information displayed includes the following:
▪ Start and end actions for the event.
▪ Intermediate actions related to the event, including file deleted,
restored and quarantined.
▪ Date and time of each action.

5 Device Information This section displays general information about the device that
triggered the event. The information displayed is at the time of the
event. It includes the following:
▪ Device Name – Assigned name for the device that triggered the
event.
▪ Device ID – Unique identification number for the device that
triggered the event.
▪ Platform – Type of platform (OS) on the device that triggered the
event.
▪ OS Version – Version number of the operating system. By default,
this information is not displayed.
▪ IP Address – IP address of the device that triggered the event.
▪ MAC Address – MAC address of the device that triggered the event.
▪ D-Client Version – Version number of the D-Client installed on the
device that triggered the event.

▪ D-Brain Package – Package number of the D-Brain installed on the
device that triggered the event.
▪ Policy – Name of the policy associated with the device that
triggered the event.
▪ Device Group – Name of the Device Group associated with the
device that triggered the event.
▪ MSP Name – Name of the MSP associated with the device. This
information is only displayed on the Hub Console.
▪ Tenant – Name of the tenant that owns the device that triggered
the event. This information is only displayed on systems with MSP
support.
▪ Tag – Device Tag of the device that triggered the event.
▪ Active User – For Windows and macOS devices, displays the name
of the active user at the time of the event.
▪ Logged in Users – For Windows, macOS and Linux devices, displays
all the users that were logged on to the device at the time of the
event.

6 Events by This Device Displays additional information related to all the events that were
triggered by the device described in this screen. It includes the
following information:
– The red number indicates the number of detection events
triggered by this device. Click the number to open the Event List to
view all detection events triggered by this device.
– The blue number indicates the number of prevention events
triggered by this device. Click the number to open the Event List to
view all prevention events triggered by this device.
– The orange number indicates the number of non-compliance
events triggered by this device. Click the number to open the Event
List to view all non-compliance events triggered by this device.
– The white number indicates the number of suspicious activity
events triggered by this device. Click the number to open the
Suspicious Event List to view all suspicious events triggered by this
device.
– Click Preview to display a preview of the last five events
triggered by this device.

Administrator Guide  Copyright © 2021 Deep Instinct. All rights reserved. Page 57 of 303
                      Dashboard,
                      Monitoring and Reports

7 Events by This Based on the device that triggered this event, this displays a preview
Device Preview of the last five events triggered by this device and the last five
suspicious events triggered by this device. The preview includes the
following information:
▪ Start Date – Date and time that the event started based on the D-
Appliance clock.
▪ Event Type – Displays the type of event that occurred.
▪ Details – Displays more information about the event. This identifies
the filename and location.
▪ Last Action – Displays the last action performed related to the
event and whether the action was successful.
▪ View in Event List – Click to open the Event List and display all
events in this list that were triggered by this device.
▪ View in Suspicious Event List – Click to open the Event List and
display all suspicious events triggered by this device.

8 Options Icon Click this icon to open the available options that can be performed in
association with the displayed event. The options available vary
based on the type of event. From this icon, you may perform the
following tasks:
▪ Add or edit comments for the event.
▪ Add script or process identified in the event to the allow list.
▪ Close the event.
▪ Terminate the process associated with the event.
▪ Delete the file from the device.

3.5. File Details Screen


The File Details screen provides detailed information about a single entry from the File List. Each
entry is a collection of information which focuses on a single file hash value. The File Details
screen allows the administrator to better understand the impact of a threat caused by files with
the same hash value. Detailed information is available for all files that have triggered an event. The
type of information displayed is based on the file type and whether an advanced file analysis was
performed on the file. To display the File Details screen for a specific hash value, open the File
List and click the file entry.

The following figures illustrate a typical File Details screen and previews with numbered callouts.
The callouts are described in the table below.


File Details Screen with Callouts

Hash Related Events Preview for the file with Callouts


File Details Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 File Details Tabs These tabs switch the information displayed for the files detailed in
this screen. The tabs are as follows:
▪ Information – Displays detailed information about the files and the
events that were triggered by these files.
▪ Static Analysis – Displays the results from the ATA static analysis of
the files.
▪ Sandbox Analysis – Displays the results from the ATA dynamic
analysis of the files.


3 Options Icon Click this icon to open the available options that can be performed in
association with the displayed file. The options available vary based
on the file details. From this icon, you may perform the following
tasks:
▪ Add or edit comments for the file.
▪ Add file hashes or certificate to the allow list.
▪ Add the file hashes to the deny list.
▪ Download the file.
▪ Close the event.

4 Deep Classification Displays the classification of PE (Portable Executable) files. After a PE
file is identified as a threat, the file is analyzed using the Deep
Classification’s prediction model to determine its classification.
When multiple classifications are displayed, the percentages indicate
the probability for each threat type. For example, if the percentages
are close, the threat shares characteristics of several threat types.
The available classifications are as follows:
▪ Ransomware – A type of threat that encrypts, publishes, wipes or
blocks the victim’s data, unless a ransom is paid.
▪ Backdoor – A type of threat that bypasses authentication,
privileges or encryption to access data, a computer or a network.
▪ Dropper – A type of threat (malware component) that installs
malware on a target system.
▪ Potentially Unwanted Application (PUA) – A threat that may
compromise privacy, weaken the machine or network security,
download/install additional content or present ads.
▪ Spyware – A type of threat that gathers information about a
machine, person or organization without their knowledge.
▪ Virus – A type of threat that, when executed, replicates itself by
modifying other computer programs and inserting its own code.
▪ Worm – A type of threat that is a standalone program that
replicates itself in order to spread to other computers.


5 File Hash This section displays general information about files with the same
Information hash value. It includes the following:
▪ File Names – Names of all the files identified in your system with
the hash value displayed.
▪ File Type – File type for the files detailed in this screen.
▪ File Size – Displays the size of the files detailed in this screen.
▪ File Hash – The file hash value (SHA-256) for the files detailed in
this screen.
▪ Certificate – When the files related to this screen are signed, the
Subject (owner) and thumbprint of the certificate are displayed.
▪ Comment – Displays comments for the file hash, entered by the
security administrator.

6 History Displays additional information about files with the same hash value.
It includes the following information:
▪ First Seen – Date and time when the first event was triggered by a file
with the same hash value.
▪ Last Seen – Date and time when the last event was triggered by a file
with the same hash value.

7 Device This section displays general information about the devices on which
Information files with the same hash value were identified. It includes the following
information:
▪ MSPs – Displays the MSPs for all the devices that generated file
events per hash value. This information is only displayed on the
Hub Console.
▪ Tenants – Displays the tenants for all the devices that generated
file events per hash value. This information is only displayed on
systems with MSP support.
▪ Platforms – Displays the platforms (OS) for all the devices that
generated file events per hash value.
▪ OS Versions – Displays the OS versions for all the devices that
generated file events per hash value.


8 Events by This Displays information related to the events triggered by files with the
Hash hash value specified and the devices that triggered the events. It
includes the following information:
▪ Events by This Hash – Displays the number of events triggered by
files with the hash value specified.
– The red number indicates the number of triggered detection
events. Click this number to open the Event List and display more
information on these detection events.
– The blue number indicates the number of triggered
prevention events. Click the number to open the Event List and
display more information on these prevention events.
▪ Devices – Displays the number of devices that triggered events by
a file with the same hash value. Click the number to open the
Device List and display more information on these devices.
▪ Click Preview to display a preview of the last five events
triggered.

9 Events by This Based on the files with the hash value specified, this displays a
Hash Preview preview of the last five events triggered. The preview includes the
following information:
▪ Start Date – Date and time that the event started based on the D-
Appliance clock.
▪ Device Name – The assigned name for the device that triggered
the event.
▪ Details – Displays more information about the event. This identifies
the filename and location.
▪ Last Action – Displays the last action performed related to the
event and whether the action was successful.
▪ View in Device List – Click to open the Device List and display all
devices that triggered events by a file with the same hash value.
▪ View in Event List – Click to open the Event List and display all
events triggered by files with the same hash value.

3.6. Monitor Screen Filters


All monitoring screens include a filter feature to filter the information displayed in the table. Each
column includes a filter box below the table header. Multiple filter boxes may be used to filter
from multiple columns. Only entries with data that comply with the information in the filter boxes
are displayed.

The information specified in the filter boxes is defined by the filter parameters, which
contain two components:

▪ Parameter Control

▪ Parameter Value(s)

The Parameter Control is defined by the icons inside the filter boxes. Click the icon to see which
controls are available and select the control you want. The available icons are as follows:

▪ Equals – Only entries with data that match the entered values are displayed.

▪ Contains – Only entries with data that contain the typed values are displayed.

▪ Starts with – Only entries with data that starts with the typed values are displayed.

▪ Greater than or equal to – Only entries with dates equal to or later than the entered
date are displayed.

▪ Less than or equal to – Only entries with dates equal to or earlier than the entered date
are displayed.

▪ Between – Only entries with dates within the specified range of dates are displayed.

▪ Reset – Click to clear the parameter value from the filter box.

The methods to enter the parameter values into the filter box can vary based on the column and
the type of data. The options are as follows:

▪ Type the value directly in the filter box. This is typically used on columns with a large
variation of data.

▪ Select values from a selection list and then click OK. Click the relevant filter box and the
appropriate selection list opens. This is typically used on columns with specific values.
Multiple values can be selected from this list.

▪ Select a date or range of dates from the Date Picker dialog box. Click the relevant filter
box and the Date Picker dialog box opens. This is used on columns containing dates.

In addition to the filter options above, you can also perform the following:

▪ Sort the information by clicking on column headings or right-click the heading and select
the sort order. The information in the table is sorted based on the selected column.

▪ The columns displayed can be controlled from the Column Selector icon above the
table. Click this icon and select the appropriate checkboxes to define which columns are
displayed.

▪ The columns and filters in the table can be reset to their default settings. Click the Reset
icon above the table and select whether you want to reset the columns, filters or both.


Once you have defined what is displayed, this table can then be exported to an Excel file. To
export the data, click the Export icon above the table and select one of the following options:
▪ Export all columns – Creates an Excel file that contains all entries displayed in the table, with
data from all columns available.

▪ Export visible columns – Creates an Excel file that contains all entries displayed in the table,
with data from all columns displayed.

3.6.6 Date Picker


To select a date or range of dates to filter information in a table, the Date Picker dialog box is
used. First select the Parameter Control, as described in Monitor Screen Filters. Then open the
Date Picker dialog box by clicking the filter text box of the date column again. Based on the
selected Parameter Control, a different Date Picker dialog box opens.

The following figures illustrate the Date Picker dialog boxes with numbered callouts. The callouts
are described in the table below.

Date Picker with callouts for a single date

Calendar with callouts for a range of dates

Date Picker Components

Item Term Description

1 Date Defines the dates used in the filters.
To enter a single date, type the date or click the date in the
calendar.
For a range of dates, the upper date defines the From Date, where
all entries prior to this date are filtered out. The lower date is the To
Date, where all entries after this date are filtered out.
To enter a range of dates, select the Custom preset and type the
dates. To use the calendar to enter a range, click the date for the
From Date and then click a later date for the To Date.
The format for the date is MM/DD/YYYY, where:
▪ MM – Month, using two-digit format
▪ DD – Day of the month, using two-digit format
▪ YYYY – Year, using four-digit format

2 Time Defines the time of day used in the filters. The format for the time is
hh:mm, where:
▪ hh – Hour, using two-digit 24-hour format
▪ mm – Minutes, using two-digit format

3 Presets When selecting a range of dates, you can select one of the following
preset options:
▪ Today – Displays only the entries that were added today.
▪ Last 3 days – Displays the entries added today, and the previous 2
days.
▪ Last 7 days – Displays the entries added today, and the previous 6
days.
▪ Last 30 days – Displays the entries added today, and the previous
29 days.
▪ Custom – Enables you to enter a range of dates and times as
described above.

4 Calendar Date The Calendar defines and displays the dates used in the filters.
Picker To select a single date, click on the date and the selected date is
displayed in the Date box.
To select a range of dates, select the Custom preset and click the
date for the From Date; then click a later date for the To Date. The
range of dates is then displayed in the Date boxes.
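The filter semantics of Monitor Screen Filters (Parameter Controls, multi-value selection lists) and the Date Picker (MM/DD/YYYY hh:mm format, Today/Last N days presets) expressed as an added Python example; this is not Deep Instinct code, and the Event List column names and sample rows are constructed for illustration.

```python
from datetime import datetime, timedelta

# Formats stated in the Date Picker description: MM/DD/YYYY and hh:mm (24-hour).
DATE_FMT = "%m/%d/%Y"
DATETIME_FMT = "%m/%d/%Y %H:%M"


def parse_datetime(text: str) -> datetime:
    """Parse 'MM/DD/YYYY hh:mm' or a bare 'MM/DD/YYYY' (time defaults to 00:00)."""
    for fmt in (DATETIME_FMT, DATE_FMT):
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"expected MM/DD/YYYY[ hh:mm], got {text!r}")


def preset_range(preset: str, now: datetime) -> tuple:
    """Map a Date Picker preset to (From Date, To Date).
    'Last N days' means today plus the previous N-1 days, as the guide defines it."""
    days = {"Today": 1, "Last 3 days": 3, "Last 7 days": 7, "Last 30 days": 30}
    if preset not in days:
        raise ValueError(f"unknown preset {preset!r}; use Custom with explicit dates")
    start_of_today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return start_of_today - timedelta(days=days[preset] - 1), now


def matches(value, control: str, *params) -> bool:
    """Apply one Parameter Control to one cell value."""
    if control == "Reset":                      # cleared filter box: no constraint
        return True
    if control == "Equals":
        # Selection-list columns allow several chosen values: match any of them.
        if isinstance(params[0], (set, frozenset, list, tuple)):
            return value in params[0]
        return value == params[0]
    if control == "Contains":
        return params[0] in value
    if control == "Starts with":
        return value.startswith(params[0])
    if control == "Greater than or equal to":   # entered date or later
        return value >= params[0]
    if control == "Less than or equal to":      # entered date or earlier
        return value <= params[0]
    if control == "Between":                    # inclusive From Date .. To Date
        from_date, to_date = params
        return from_date <= value <= to_date
    raise ValueError(f"unknown Parameter Control {control!r}")


def apply_filters(rows: list, filters: dict) -> list:
    """Keep only rows satisfying every filter box.
    filters = {column: (control, *params)}; boxes on several columns combine with AND."""
    return [row for row in rows
            if all(matches(row[column], spec[0], *spec[1:])
                   for column, spec in filters.items())]


# Constructed sample rows (not real events), shaped like Event List columns.
SAMPLE_EVENTS = [
    {"Start Date": parse_datetime("07/15/2021 09:30"), "Event Type": "Prevention",
     "Device Name": "FIN-LAPTOP-01", "Platform": "Windows"},
    {"Start Date": parse_datetime("07/13/2021 18:05"), "Event Type": "Detection",
     "Device Name": "FIN-SERVER-02", "Platform": "Linux"},
    {"Start Date": parse_datetime("07/01/2021 08:00"), "Event Type": "Suspicious Activity",
     "Device Name": "HR-MAC-07", "Platform": "macOS"},
]


def filter_last_3_days(rows: list, now: datetime) -> list:
    """Equivalent of choosing Between + the 'Last 3 days' preset on the Start Date column."""
    from_date, to_date = preset_range("Last 3 days", now)
    return apply_filters(rows, {"Start Date": ("Between", from_date, to_date)})


if __name__ == "__main__":
    now = parse_datetime("07/15/2021 12:00")
    for row in filter_last_3_days(SAMPLE_EVENTS, now):
        print(row["Device Name"], row["Start Date"].strftime(DATETIME_FMT))
```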

3.7. Event Remediation and Management


Typically, when an event occurs, the administrator views and investigates each event. Once the
problem has been identified, the administrator works to resolve and close the event. The system
includes features to assist the administrator in resolving and closing open events. The system
includes the following solutions:

▪ Automatically quarantines malicious files – When the Deep Static Analysis identifies a
malicious file and triggers a prevention event, the system typically quarantines the file at the
pre-execution level. When the file is successfully quarantined, it is indicated in the event.

▪ Automatically terminates malicious processes – When the Behavioral Analysis identifies a
malicious process and triggers a prevention event, the system automatically terminates the
process. When the process is successfully terminated, it is indicated in the event.

▪ Automatically remediates suspicious activities – When a suspicious activity occurs,
a suspicious event is triggered. If the device policy is set to remediate suspicious activities,
the system automatically remediates the threat based on the activity. Remediations
include:

▪ Registry key reverted

▪ Registry key cleaned

▪ Registry key deleted

▪ Process terminated

▪ File deleted


▪ Delete malicious files remotely – When an event is triggered, the associated file can be
deleted remotely by the administrator from Windows, macOS and Linux devices.

▪ Terminate processes – When a detection event is triggered, the process related to the
associated threat can be remotely terminated by the administrator.

▪ Isolate and release devices – Isolate infected devices from the network and release them from
isolation once the device is determined to be clean.

▪ Allow List – When an event occurs, the object (file, script, process) that triggered the event
can be added to the allow list. In addition, associated objects, such as paths and file
certificates, can also be added to the allow list. When a file is added to the allow list, it is
restored to its original location.

▪ File Hash Deny List – When a file is on the deny list, the system typically prevents and
quarantines the file.

▪ Upload files – When a file is identified in an event, the file can be uploaded to the D-
Appliance by the administrator to perform a file threat analysis or to be downloaded for
further analysis.

▪ Download identified files for further analysis.

▪ Perform a threat analysis on malicious files to further analyze the files.

▪ Add comments to the events to further describe the events. This information can then be
used as a reminder or to inform other administrators.

▪ Close open events.

3.7.1 Delete Malicious Files Remotely


Once a threat has been identified on a Windows, macOS or Linux device, the associated file can
be deleted remotely by the administrator. Deep Instinct™ has several methods to delete malicious
files remotely:

▪ Delete a malicious file using a single event from the Event Lists

▪ Delete one or more malicious files using multiple events

▪ Delete a malicious file from the Event Details or Suspicious Event Details screen

To delete a malicious file, using a single event:


1. Select Monitor > Events or Monitor > Suspicious Events from the left pane to open the
Event List or Suspicious Event List.


2. Right-click the event where the malicious file was identified and then select Delete file
remotely. A dialog box opens to confirm your request.

3. Click Delete to delete the file. A message appears to confirm that the request to delete the
file was sent. The file is deleted during the next connection of the device to the D-Appliance.

To delete one or more malicious files, using multiple events:


1. Select Monitor > Events or Monitor > Suspicious Events from the left pane to open the
Event List or Suspicious Event List.


2. Select the files to be deleted by selecting the checkboxes of the events where the files have
been identified. The Actions Icon appears in the header of the table.

3. Click and select Delete files remotely to delete the files from the devices. A dialog
box opens to confirm your request.

4. Click Delete to delete the files. A message appears to confirm that requests to delete the
files were sent. Each file is deleted during the next connection of the relevant device to the
D-Appliance.

3.7.2 Terminate Process


Once a detection event has been triggered by a Windows or macOS device, the process related to
the associated threat can be remotely terminated by the administrator. Deep Instinct™ has
several methods to terminate processes remotely:

▪ Terminate a process using a single event from the Event Lists

▪ Terminate one or more processes using multiple events


▪ Terminate a process using a single event from the Event Details or Suspicious Event Details
screen

To terminate a process, using a single event:


1. Select Monitor > Events or Monitor > Suspicious Events from the left pane to open the
Event List or Suspicious Event List.

2. Right-click the event where the malicious file was identified and then select Terminate
process. A dialog box opens to confirm your request.

3. Click Terminate to terminate the process. A message appears to confirm that the request to
terminate the process was sent. The process is terminated during the next connection of
the device to the D-Appliance.

To terminate one or more processes, using multiple events:


1. Select Monitor > Events or Monitor > Suspicious Events from the left pane to open the
Event List or Suspicious Event List.


2. Select the events where the threats were detected by selecting the checkboxes of the events.
The Actions Icon appears in the header of the table.

3. Click and select Terminate processes to terminate the processes associated with
the events. A dialog box opens to confirm your request.

4. Click Terminate to terminate the processes. A message appears to confirm that the requests
to terminate the processes were sent. Each process is terminated during the next connection
of the relevant device to the D-Appliance.

3.7.3 Device Isolation


Deep Instinct has implemented an Isolation feature for Windows or macOS platforms to isolate an
infected device from the network. This feature allows the administrator to easily isolate a device of
concern and then release it from isolation once the device is determined to be clean.

By default, communication with an isolated device is only available with the D-Appliance.
However, additional connections can be created from the policy to communicate with isolated
devices. For more information, see D-Client Control in Windows Policy and D-Client Control in
macOS Policy.


Deep Instinct™ has several methods to isolate devices from the network and release them from
isolation:

▪ Enable/disable device isolation by selecting a device from the Device List

▪ Enable/disable device isolation by selecting multiple devices

▪ Enable/disable device isolation from the Event Details or Device Details screen

To remotely isolate one device from the network or release one device from isolation:
1. Select Devices > Device List from the left pane to open the Device List.

2. Right-click the device for which you want to enable/disable device isolation and then
select Isolate device or Release from isolation. A dialog box opens to confirm your request.

3. Click Isolate/Release to enable/disable device isolation for the device.

4. A message appears on the device to inform the user of the device’s isolation status.

To remotely isolate multiple devices from the network or release multiple devices from
isolation:
1. Select Devices > Device List from the left pane to open the Device List.

2. Select the devices for which you want to enable/disable device isolation by selecting the
checkboxes of the entries for the devices. The Actions Icon appears in the header
of the table.

3. Click and select Isolate device or Release from isolation. A dialog box opens to
confirm your request.


4. Click Isolate/Release to enable/disable device isolation for the devices.

5. A message appears on each device to inform the user of the device’s isolation status.

3.7.4 Upload Files to the D-Appliance


Once a file has been identified in an event, the file can be uploaded to the D-Appliance by the
administrator to be used for further analysis. Once the file has been uploaded from the D-Client,
the file can then be downloaded by the administrator or a file threat analysis can be performed.
Deep Instinct™ has several methods to upload a file to the D-Appliance:

▪ Upload a file from the Event List

▪ Upload a file from the Event Details screen

To upload a file to the D-Appliance from the Event List:


1. Select Monitor > Events from the left pane to open the Event List.

2. Right-click the event where the file you want uploaded was identified and then select
Upload file to D-Appliance. A dialog box opens to confirm your request.


3. Click Upload. After the file has been uploaded to the D-Appliance successfully, a notification
is sent and the File Status changes to Uploaded. The File Status changes for all events
associated with the uploaded file.

To upload a file to the D-Appliance from the Event Details screen:


1. Open the Event Details screen.

2. Click and then click Upload file to D-Appliance to upload the file. A dialog box opens to
confirm your request.

3. Click Upload. After the file has been uploaded to the D-Appliance successfully, a notification
is sent and the File Status changes to Uploaded. The File Status changes for all events
associated with the uploaded file.

3.7.5 Download Files


Files identified in an event can be downloaded for further analysis once they have been uploaded
to the D-Appliance. The downloaded file is delivered in a password-protected archive. The
password is DIPasswordInfected.


Warning: Downloaded malicious files may harm your computer. Use extra precautions in
handling these files. All downloaded files are archived requiring a password for
extra protection.

To download a file:
1. Select Monitor > Events from the left pane to open the Event List or select Monitor > Files to
open the File List.

2. Display the entry with the file to be downloaded and verify that the File Status is Uploaded.
By default, the File Status column is not displayed. Change the settings in the Column
Selector to display this column. If the status is Not Uploaded, the file is not uploaded to the
D-Appliance. For more information, see Upload Files to the D-Appliance.

3. Right-click the event where the file was identified and then select Download file. A dialog box
opens to confirm your request.

4. Click Download to download the file.


3.7.6 File Analysis


The File Analysis performs additional threat analysis for any malicious PE files identified. It
produces a report that displays a wide range of information to assist you in further analyzing
threats. The analysis is performed on demand, on an isolated virtual machine.
The information in the report includes:

▪ Static Analysis – Results from the static analysis of the threat. The information from the
results may include file metadata, sections, resources, permissions, imports, exports and
strings.

▪ General Information – General information about the threat, including file size, type and
hash values.

▪ Sandbox Analysis – Results from the dynamic analysis of the threat. The information from
the results may include related processes and the dropped files’ metadata, sections, resources,
import table and strings.

▪ Screenshots – Displays the screenshots while running the threat during the Sandbox
Analysis.

▪ Signatures – Uses the results of the Static and Sandbox Analyses to help determine the
functions and features of the threat.

▪ Search Feature – The report also includes a search feature that allows you to search key
words throughout the complete report, including all segments of the report.

File Analysis Report


3.7.6.3 File Analysis Workflow


1. Once a malicious PE file has been identified, an event occurs and the file can be uploaded
to the D-Appliance from the Event List or Event Details screen. Before the file is uploaded,
the File Status is Not Uploaded and the Report Status is Cannot be generated.

2. After the file has been uploaded successfully, the File Status changes to Uploaded and the
Report Status changes to Ready to generate.

3. From the Event List or Event Details screen, the file analysis is initiated by selecting the event
with the threat to be analyzed.

4. The Report Status changes to In Progress and a notification is sent to inform administrators
that a file analysis is in progress for the selected file.

5. Once the file analysis is completed, the Report Status changes to Report Completed and a
notification is sent to inform the administrators.

6. From the Event List, open the Event Details screen. The report of the file analysis can be
viewed from the Static Analysis and Sandbox Analysis tabs.

3.7.6.4 Performing a File Analysis


Once a file has been uploaded successfully, the Report Status changes to Ready to generate and
the file can be analyzed. Deep Instinct™ has several methods to perform an analysis on files:

▪ Perform an analysis on a file using a single event from the Event List

▪ Perform an analysis on files using multiple events from the Event List

▪ Perform an analysis on a file from the Event Details screen

To perform an analysis on a single file from the Event List:


1. Select Monitor > Events from the left pane to open the Event List.

2. Open the Event List to display the event with the PE file to be analyzed.


3. Display the event with the PE file to be analyzed and verify that the Report Status is Ready to
generate. By default, the Report Status column is not displayed. Change the settings in the
Column Selector to display this column. If the status is Cannot be generated, the PE file is
not uploaded to the D-Appliance. For more information, see Upload Files to the D-
Appliance.

4. Right-click the entry with the file to be analyzed and then select Generate file analysis to
initiate the analysis. A message appears to inform you that the analysis is in progress and
the Report Status changes to In Progress. You may need to refresh the screen to display the
change.

5. Close the message box. When the analysis has been completed, a new notification is sent
and the Report Status changes to Report completed.

To perform an analysis on multiple files:


1. Select Monitor > Events from the left pane to open the Event List.


2. Display the entries with the PE files to be analyzed and verify that the Report Status is Ready
to generate. By default, the Report Status column is not displayed; use the Column Selector to
display this column. If the status is Cannot be generated, the file has not been uploaded to
the D-Appliance. For more information, see Upload Files to the D-Appliance.

3. Select the files to be analyzed, by selecting the checkboxes of the entries for the files. The
Actions Icon appears in the header of the table.

4. Click the Actions Icon and select Generate file analyses to analyze the files. A message
appears to inform you that the analyses are in progress and the Report Status changes to In
Progress. You may need to refresh the screen to display the change.

5. Close the message box. When each file analysis is completed, a new notification is sent and
the Report Status changes to Report Completed.

To view a file analysis report:


1. Select Monitor > Events from the left pane to open the Event List.


2. Display the event with the analyzed file and verify that the Report Status is Report
Completed. If the status is In Progress, the file analysis has not been completed.

3. Right-click the event with the analyzed file and then select View file analysis. The Event
Details screen opens, and the report of the file analysis can be viewed from the Static
Analysis and Sandbox Analysis tabs.

3.7.7 Close Events


Once an event is resolved by the administrator, the event can be closed. For example, when an
administrator resolves a detected or non-compliance event, the event may need to be closed
separately. Once the event is closed, an end date is added to the event and the event is no longer
included in the Dashboard’s Event counters. Deep Instinct™ has several methods to close events:

▪ Close a single event from the Event List or Event Details.

▪ Close multiple events from the Event List.

▪ Close one or more events associated with one or more files from the File List.

The following procedure demonstrates the method to close a single event from the Event List.

To close a single event:


1. Select Monitor > Events from the left pane to open the Event List.

2. Right-click the open event you want to close and then select Close event. A dialog box opens
to confirm your request.

3. Click Close Event to close the selected event. A message appears to confirm that the event
was closed successfully. The date and time that the event was closed is now displayed in the
End Date column. The Event counters in the Dashboard are then updated to reflect the
closed event.


The following procedure demonstrates the method to close multiple events from the Event List.

To close multiple events from the Event List:


1. Select Monitor > Events from the left pane to open the Event List.

2. Select the checkboxes of the open events you want to close. The Actions Icon
appears in the header of the table.

3. Click the Actions Icon and select Close events to close all the selected events. A dialog box
opens to confirm your request.

4. Click Close Events to close the selected events. A message appears to confirm that the
events were closed successfully. The date and time that the events were closed are now
displayed in the End Date column. The Event counters in the Dashboard are then updated
to reflect the closed events.

The following procedure demonstrates the method to close all events associated with a single
hash value from the File List.


To close all events associated with a single file:


1. Select Monitor > Files from the left pane to open the File List.

2. Right-click the file whose associated events you want to close and then select Close
events. A dialog box opens to confirm your request.

3. Click Close Events to close all events associated with the selected file. A message
appears to confirm that the events were closed successfully. The date and time that the
events were closed are now displayed in the End Date column in the Event List. The Event
counters in the Dashboard are then updated to reflect the closed events.

The following procedure demonstrates the method to close all events associated with multiple
hash values from the File List.

To close all events associated with multiple files:


1. Select Monitor > Files from the left pane to open the File List.


2. Select the checkboxes of the files whose associated events you want to close. The Actions
Icon appears in the header of the table.

3. Click the Actions Icon and select Close events to close all the associated events. A dialog box
opens to confirm your request.

4. Click Close Events to close all events associated with the selected files. A message
appears to confirm that the events were closed successfully. The date and time that the
events were closed are now displayed in the End Date column in the Event List. The Event
counters in the Dashboard are then updated to reflect the closed events.

3.8. Notifications
The Notifications feature notifies the security administrator when a system alert or a file
analysis notification occurs. In the top Navigation bar of all Deep Instinct™ screens, there is a
Notifications icon with a counter that indicates the number of open notifications. Click the icon
or its counter to open the Notifications list.


Notifications List

These notifications include the following:

▪ Description – Describes the system alert or file analysis notification. For system alerts, click
on the description to open a message box with details about the selected alert.

▪ Date – Indicates the date and time that the notification occurred based on the D-Appliance
clock.

▪ Eye Icon – Click this icon to close the notification. The notification is then removed from
the list and is not included in the counter. To remove all notifications from the list, click this
icon in the heading.

▪ Notification Selection – In the header, use the drop-down box to define which notifications
are displayed, as follows:

▪ All – Displays system alerts and file analysis notifications

▪ File Analysis – Displays only file analysis notifications

▪ System Alerts – Displays only system alerts

3.9. Device List Screen


The Device List screen displays a table that contains detailed information for all devices, including
information that can be used to monitor the deployment and installation progress in your
organization. To open the Device List screen, select Devices > Device List from the left pane.

The following figure illustrates a typical Device List screen with numbered callouts. The callouts are
described in the table below.


Device List Screen with Callouts

Device List Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 Device List Table A table that displays information about your organization’s devices
and their deployment.

3 Clear Filter Click to clear all column filters.

4 View Configuration Click to select an option to define preset and current views of the
table. These views are defined separately for each administrator. The
options are as follows:
▪ Views – Select the preset view to define the current view and how
the table is displayed. The current view defines the column
location, width, sort, filters, and which column is displayed.
▪ Reset – Resets the table view to the default settings of the current
preset view.
▪ Update to match current view – Saves the current view as the
default of the current preset view.
▪ Rename – Opens a dialog box to change the name of the current
preset view.
▪ Remove – Removes the current preset view from the list and
changes the current preset view to Default View. Default View
cannot be removed.
▪ Create new – Opens a dialog box to create a new preset view
based on the current table settings. Once created, this view
becomes the current preset view.

5 Column Selector Defines which columns are displayed in the table. Clear or select the
checkbox to define which columns are displayed.

6 Export Click to select an option to export the data from the table. The
options are as follows:
▪ Export all columns – Creates an Excel file that contains all entries
displayed in the table, with data from all columns available.
▪ Export visible columns – Creates an Excel file that contains all
entries displayed in the table, with data from all columns displayed.
To define what is displayed in the table, use Filters to define which
entries are displayed and Table Settings to define which columns are
displayed.

7 Entry Selection Selecting an entry in this table provides you with several features, as
follows:
▪ Details screen – Click an entry to open the associated Device
Details screen for the selected entry. To view the Details screen in a
separate tab, right-click the entry and select Open in a new tab.
▪ Action Options – Right-click an entry to open the available options
that can be performed with the selected entry.

8 Selection Checkbox For entries in the table, there are checkboxes that allow table entries
to be selected. This allows the administrator to select multiple
entries, to implement a single action on multiple devices.

9 Select All / Clear All Select this checkbox to select all entries or click again after all entries
have been selected to clear all selected entries.


10 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.

11 Action Options Once entries have been selected, this feature appears. Click this
drop-down menu to open the available options that can be
performed to the selected entries.

12 License Usage Click to open the License Usage screen. It includes the following
information:
▪ Licenses Used – Number of Deep Instinct licenses currently in use.
▪ Available Licenses – Number of Deep Instinct licenses available for
deployment.

13 Items per Page Sets the number of entries per page. From the footer of the page
you may select whether 25, 50, 100 or 150 entries are included per
page.

14 Page View Sets the page currently viewed. From the footer of the page you can
select the page to be displayed.

3.9.8 Device List Table


The Device List table displays information about your organization’s devices and their
deployment. The table includes the following information:

▪ Device Name – Assigned name for the client.

▪ Device ID – A unique identification number assigned to the device by Deep Instinct. By
default, this information is not displayed. To display this information, change the
configuration in the Table Settings.

▪ Email – Email address of the user associated with the mobile device.

▪ Deployment Status – Displays the status of deployment for the device. After deployment, it
displays the current status of the device.

▪ Connectivity Status – Specifies the connectivity status of the device.

▪ License Status – Specifies the current status of the D-Client license on the device.

▪ Last Deployment Status Update – Date and time that the Deployment Status was last
changed.


▪ Up to Date – Displays whether the client software is up to date on the device, including the
latest D-Brain, policy, allow list and deny list. By default, this information is not displayed. To
display this information, change the configuration in the Table Settings.

▪ Platform – Type of platform (OS) on the device.

▪ OS Version – Version number of the operating system. By default, this information is not
displayed. To display this information, change the configuration in the Table Settings.

▪ D-Client Version – Version number of the D-Client installed on the device.

▪ IP Address – IP address of the device.

▪ MAC Address – MAC address of the device. By default, this information is not displayed. To
display this information, change the configuration in the Table Settings.

▪ D-Brain Package – Package number of the D-Brain installed on the device. By default, this
information is not displayed. To display this information, change the configuration in the
Table Settings.

▪ Policy – Current name of the policy associated with the device. By default, this information is
not displayed. To display this information, change the configuration in the Table Settings.

▪ Device Group – Current name of the Device Group associated with the device.

▪ Domain Name – When the device is associated with a domain, it displays the name of the
domain. By default, this information is not displayed. To display this information, change the
configuration in the Table Settings.

▪ OU – When the device is associated with an OU (Organization Unit), it displays the name of
the OU. By default, this information is not displayed. To display this information, change the
configuration in the Table Settings.

▪ MSP – Name of the MSP associated with the device. By default, this information is not
displayed. To display this information, change the configuration in the Table Settings. This
column is only available from the Hub Console.

▪ Tenant – Name of the tenant that owns the device. This column is only available on systems
with MSP support.

▪ Tag – Displays the Device Tag of the device. By default, this information is not displayed. To
display this information, change the configuration in the Table Settings.

▪ Logged in Users – For Windows, macOS and Linux devices, displays all the users that are
logged on to each device.

▪ Source – Specifies the method of deployment. By default, this information is not displayed.
To display this information, change the configuration in the Table Settings.

▪ Deployment Update – Date and time that the Deployment Status was last changed.

▪ Last Contact – Date and time the D-Appliance last communicated with the device.

▪ Log Status – Status for debug log collection.


▪ Comment – Displays additional information.

Device List

From this table, you can do the following:

▪ Filter the information to display only the relevant entries.

▪ Sort the information by clicking on column headings. The information in the table is sorted
based on the selected column.

▪ Define which columns are displayed.

▪ Define the location for each column.

▪ Create, view, update and remove custom preset views of the table.

▪ Clear all filters in the table.

▪ Export the data from the table to an Excel file.

▪ Access the Device Details screen for a selected device.

▪ Add or edit comments to the device entry.

▪ Collect and download Debug Logs.

▪ Uninstall D-Client from devices.

▪ Disable and enable D-Client from Windows, macOS and Linux devices.

▪ Deactivate D-Client from mobile and Chrome OS devices.

▪ Isolate devices from the network.

▪ Release devices from isolation.
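The exported table is the quickest way to check deployment hygiene across the whole fleet instead of opening each Device Details screen. The script below is an added example, not code from this guide or from Deep Instinct; it parses a constructed CSV whose column names follow the Device List table above (the product exports an Excel file, and the status values, version numbers and date format used here are placeholders, not the product's actual export format) and flags devices that are out of date, offline, running a D-Client version that differs from the most widely deployed one, or have not contacted the D-Appliance within a chosen number of days.

```python
"""Triage an exported Device List to find devices that need attention.

Added example (not Deep Instinct's code). The sample below is constructed:
its column names follow the Device List table, but its status values,
version numbers and date format are placeholders, not the real export.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export. The product exports an Excel file, so convert it
# to CSV (or read it with a library such as openpyxl) before reusing this logic.
SAMPLE_EXPORT = """\
Device Name,Deployment Status,Connectivity Status,Up to Date,Last Contact,D-Client Version,Policy,Device Group
ws-001,Registered,Online,Yes,2021-07-20 09:15,3.1.0.1,Default Windows Policy,Default
ws-002,Registered,Offline,No,2021-06-01 18:40,3.0.2.5,Default Windows Policy,Finance
srv-db1,Registered,Online,No,2021-07-19 22:05,3.1.0.1,Servers,Servers
mac-013,Pending,Offline,Yes,2021-07-21 07:00,3.1.0.1,Default macOS Policy,Design
"""

# Placeholder timestamp format used by the constructed sample.
DATE_FORMAT = "%Y-%m-%d %H:%M"


def parse_export(csv_text):
    """Return the export rows as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage_devices(csv_text, now=None, stale_days=7):
    """Classify devices that an administrator would want to look at.

    `now` may be a datetime, a string in DATE_FORMAT, or None (use the clock).
    Returns a dict of sorted device-name lists:
      out_of_date - Up to Date is No (missing latest D-Brain, policy or lists)
      offline     - Connectivity Status is Offline
      stale       - Last Contact is older than stale_days
      old_client  - D-Client Version differs from the most common version
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.strptime(now, DATE_FORMAT)
    cutoff = now - timedelta(days=stale_days)

    rows = parse_export(csv_text)
    result = {"out_of_date": [], "offline": [], "stale": [], "old_client": []}
    for row in rows:
        name = row["Device Name"]
        if row["Up to Date"].strip().lower() == "no":
            result["out_of_date"].append(name)
        if row["Connectivity Status"].strip().lower() == "offline":
            result["offline"].append(name)
        if datetime.strptime(row["Last Contact"], DATE_FORMAT) < cutoff:
            result["stale"].append(name)

    # Treat the most widely deployed D-Client version as the expected one;
    # anything else is a candidate for an upgrade or a closer look.
    versions = Counter(row["D-Client Version"] for row in rows)
    expected = versions.most_common(1)[0][0] if versions else None
    for row in rows:
        if row["D-Client Version"] != expected:
            result["old_client"].append(row["Device Name"])

    return {key: sorted(names) for key, names in result.items()}


if __name__ == "__main__":
    report = triage_devices(SAMPLE_EXPORT, now="2021-07-21 12:00")
    for category, names in report.items():
        print(f"{category:12s} {', '.join(names) or '-'}")
```

A device that appears in several lists at once (offline, stale and out of date, like ws-002 in the sample) is the kind of entry worth checking first, since a client that has stopped reporting is also the one whose D-Brain and policy can no longer be refreshed by the D-Appliance.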


3.10. Device Details Screen


The Device Details screen provides a detailed view of a device and its deployment. It
allows the administrator to better understand the status of a specific device. Detailed information is
available for all devices. To display the Device Details screen for a specific device, open the Device
List and click the device.

The following figures illustrate a typical Device Details screen and preview with numbered callouts.
The callouts are described in the table below.

Device Details Screen with Callouts

Events Preview for the Device with Callouts

Activity Log Preview for the Device with Callouts

Device Details Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 Options Icon Click this icon to open the available options that can be performed in
association with the displayed device. The options available vary
based on the status of the device. From this icon, you may perform
the following tasks:
▪ Add or edit comments to the device entry.
▪ Collect and download Debug Logs from the device.
▪ Isolate the device from the network.
▪ Release the device from isolation.
▪ Disable and enable D-Client.
▪ Uninstall D-Client from the device.
▪ Deactivate D-Client from the device.


3 Device and Deployment Information This section displays the current information about the device and its
deployment. It includes the following information:
▪ Device Name – Assigned name for the client.
▪ Device ID – Unique identification number assigned to the device by
Deep Instinct.
▪ MSP – Name of the MSP associated with the device. This
information is only displayed on the Hub Console.
▪ Tenant – Name of the tenant that owns the device. This
information is only displayed on systems with MSP support.
▪ Tag – Device Tag of the device.
▪ Status – Current status of the device.
▪ Connectivity Status – Specifies the connectivity status of the device.
▪ License Status – Specifies the current status of the D-Client license
on the device.
▪ Last Deployment Status Update – Date and time that the
Deployment Status was last changed.
▪ Up to Date – Displays whether the client software is up to date on
the device, including the latest D-Brain, policy, allow list and deny
list.
▪ Scanned Files – Total number of files scanned by the device.
▪ Source – Specifies the method of deployment.
▪ Log Status – Status for the debug log collection.
▪ Email – Email address of the user associated with the device.
▪ Comment – Displays additional information.

4 Device Properties and Network Information This section displays the general information about the device,
including device properties and network information. It includes the
following information:
▪ Platform – Type of platform (OS) on the device.
▪ OS Version – Version number of the operating system.
▪ IP Address – IP address of the device.
▪ MAC Address – MAC address of the device.
▪ Domain Name – When the device is associated with a domain, it
displays the name of the domain.
▪ OU – When the device is associated with an OU (Organization
Unit), it displays the name of the OU.


5 D-Client Information Displays information related to the D-Client. It includes the following
information:
▪ D-Client Version – Version number of the D-Client installed on the
device.
▪ D-Brain Package – Package number of the D-Brain installed on the
device.
▪ Policy – Current name of the policy associated with the device.
▪ Device Group – Current name of the Device Group associated with
the device.

6 User Information Displays information related to the users of the device. It includes the
following information:
▪ Logged in Users – For Windows, macOS and Linux devices, displays
all the users that are logged on to each device.

9 History Displays additional information on the activities of the device. It
includes the following information:
▪ Last Event – Date and time when the last event was triggered by the
device, based on the D-Appliance clock.
▪ Last Contact – Date and time the D-Appliance last communicated
with the device.

8 Events by This Device Displays information related to all the events that were triggered by
the device. It includes the following information:
– The red number indicates the number of detection events
triggered by this device. Click the number to open the Event List
displaying all detection events triggered by this device.
– The blue number indicates the number of prevention events
triggered by this device. Click the number to open the Event List
displaying all prevention events triggered by this device.
– The orange number indicates the number of non-compliance
events triggered by this device. Click the number to open the
Events screen displaying all non-compliance events triggered by
this device.
– The white number indicates the number of suspicious activity
events triggered by this device. Click the number to open the
Suspicious Event List to view all suspicious events triggered by this
device.
– Click Preview to display a preview of the last five events
triggered by this device.

9 Event Preview Displays a preview of the last five events triggered by this device. The
preview includes the following information:
▪ Start Date – Date and time that the event started based on the D-
Appliance clock.
▪ Event Type – Displays the type of event that occurred.
▪ Details – Displays more information about the event. This identifies
the filename and location.
▪ Last Action – Displays the last action performed related to the
event and whether the action was successful.
▪ View in Event List – Click to open the Event List and display all
events triggered by this device.
▪ View in Suspicious Event List – Click to open the Event List and
display all suspicious events triggered by this device.

10 Activity Log Displays the number of entries in the D-Client Activity Log for the
device. This log includes activity information about the D-Client and
the device, as it relates to Deep Instinct.
To display a preview of the log entries, click Preview.

11 Activity Log Preview Displays a preview of log entries about the D-Client and the device, as
it relates to Deep Instinct. The preview includes the following
information:
▪ Date – Date and time the activity was logged based on the D-
Appliance clock.
▪ Username – Username of the administrator that initiated the
activity. When the activity was not initiated by the administrator,
SYSTEM is displayed.
▪ Description – Description of the activity.

3.11. Executive Summary Report


The Executive Summary report gives an overview of the organization’s status by summarizing the
indicators in the system for a specified period of time. It allows your organization to understand
its threat landscape and see changes that may indicate the need for further analysis. On
systems with MSP support, the reports can be generated for specific MSPs or tenants.


Executive Summary reports can be generated on-demand or automatically generated at
scheduled intervals. To generate on-demand or scheduled reports, click Reports from the left
pane.

The following figures illustrate the Report screens with numbered callouts. The callouts are
described in the table below.

On-Demand Reports Screen with Callouts

Scheduled Reports Screen with Callouts


Reports Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 Report Tabs These tabs switch between the available Report screens. The tabs
are as follows:
▪ On-Demand – Defines and immediately generates an Executive
Summary report for a specified period of time.
▪ Scheduled – Displays all defined report schedules that
automatically generate Executive Summary reports at specified
intervals.

3 MSP/Tenant Selection The MSP Selection and Tenant Selection are only available on
systems with MSP support. They define which MSPs or tenants the
report includes, as follows:
▪ Use the MSPs drop-down box from the Hub Console to create an
Executive Summary report about specific MSPs.
▪ Use the Tenants drop-down box from the Management Console
for a specific MSP to create an Executive Summary report about
the MSP’s tenants.

4 Report Period Defines the time period included in the report. The report
summarizes the information collected by the management server
from the specified time period to now.

5 Recipient Defines the email address to which the On-Demand report is sent.
This parameter is optional. For all On-Demand reports, a notification
is also sent to the Notifications list when the report is completed. On-
Demand reports can also be downloaded from this notification.
When generating an On-Demand report from the Hub Console, the
On-Demand report is only sent to the recipient’s email address.
Therefore, this parameter is required from the Hub Console.

6 Create Click to generate a new On-Demand report.


7 Scheduled Report Table Table that displays all defined schedules to generate Executive
Summary reports. The table includes the following information:
▪ Report Name – Name of the Scheduled Report.
▪ Creation Date – Date the schedule for generating reports was
created.
▪ Report Period – Time period of the summarized information
included in the report.
▪ Report Frequency – Specifies how frequently the Executive
Summary report is generated.
▪ Last Sent – Date the last report was generated.
▪ Created By – Name of the administrator that created the
Scheduled Report.
▪ Last Edited By – Name of the administrator that last edited the
Scheduled Report.
▪ Recipient – Email address of the recipient for the Executive
Summary reports.
▪ MSPs – Displays all the MSPs included in the report. This column is
only available on the Hub Console.
▪ Tenants – Displays all the tenants included in the report. This
column is only available on the MSP Management Console.
 
From this table, you can do the following:
▪ Filter the information to only display the relevant information.
▪ Sort the information by clicking on column headings. The
information in the table is sorted based on the selected column.
▪ Define which columns are displayed.
▪ Reset columns and filters to their default settings.
▪ Export the data from the table to an Excel file.

8 Scheduled Reports Click to create Scheduled Reports, which is a schedule for
automatically generating Executive Summary reports at specified
intervals.

9 Clear Filter Click to clear all column filters.

10 View Configuration Click to select an option to define preset and current views of the
table. These views are defined separately for each administrator. The
options are as follows:
▪ Views – Select the preset view to define the current view and how
the table is displayed. The current view defines the column
location, width, sort, filters, and which column is displayed.
▪ Reset – Resets the table view to the default settings of the current
preset view.
▪ Update to match current view – Saves the current view as the
default of the current preset view.
▪ Rename – Opens a dialog box to change the name of the current
preset view.
▪ Remove – Removes the current preset view from the list and
changes the current preset view to Default View. Default View
cannot be removed.
▪ Create new – Opens a dialog box to create a new preset view
based on the current table settings. Once created, this view
becomes the current preset view.

11 Column Selector Defines which columns are displayed in the table. Clear or select the
checkbox to define which columns are displayed.

12 Export Click to select an option to export the data from the table. The
options are as follows:
▪ Export all columns – Creates an Excel file that contains all entries
displayed in the table, with data from all columns available.
▪ Export visible columns – Creates an Excel file that contains all
entries displayed in the table, with data from all columns displayed.
To define what is displayed in the table, use Filters to define which
entries are displayed and Column Selector to define which columns
are displayed.

13 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.

14 Entry Selection Selecting an entry in this table provides you with several features, as
follows:
▪ Edit – Click an entry to edit the Scheduled Report. The Edit screen
opens for the selected Scheduled Report.


▪ Action Options – Right-click an entry to open the available options
that can be performed on the selected Scheduled Report. From an
entry, you may perform the following tasks:
▪ Open in a new tab – Opens the Scheduled Report in a new tab
to view or edit.
▪ Remove – Remove the Scheduled Report.

15 Selection Checkbox Checkboxes are available to allow entries to be selected. This allows
the administrator to select multiple entries, to implement a single
action, on multiple events, devices or files. Select an action using the
Action Options, item 17.

16 Select All / Clear All Select this checkbox to select all entries or clear all selected entries.
Select an action for all selected items using the Action Options, item
17.

17 Action Options Once entries have been selected, this feature appears. Click this
drop-down menu to open the available options that can be
performed on the selected entries.

From the Report screens, you can do the following:

▪ Generate an Executive Summary report for a specified period of time.

▪ Create a new Scheduled Report.

▪ Edit a Scheduled Report.

▪ Display all report schedules that automatically generate Executive Summary reports.

▪ Delete Scheduled Reports.

3.11.1 Create an On-Demand Report


To create an on-demand Executive Summary report:
1. Click Reports from the left pane to open the On-Demand Report screen.


2. When creating an Executive Summary report from the Hub Console, click the MSPs
dropdown box and select the MSPs for the report. The report will be generated for the
selected MSPs.

3. When creating an Executive Summary report from the Management Console for a specific
MSP, click the Tenants dropdown box and select the tenants for the report. The report will
be generated for the selected MSP’s tenants.

4. Select the Report Period of the Executive Summary reports. This defines the time period of
the information used to generate the report.

5. In the Recipient box, type the email address to which you want the Executive Summary
reports to be sent.

This parameter is optional, except when generating a report from the Hub Console. From all
other consoles, a notification is sent to the Notifications list when the report is completed.
On-Demand reports can also be downloaded from this notification.

6. Click Create. A message appears that the report is in process. Once completed, the
Executive Summary report is sent to the recipient’s email address and can be downloaded
from the notification. However, when generating a report from the Hub Console, the report
is only sent to the recipient’s email address.

3.11.2 Create a New Scheduled Report


To create a new Scheduled Report:
1. Click Reports from the left pane and then click the Scheduled tab to open the Scheduled
Reports screen.


2. Click Scheduled Reports from the table header. The Create Schedule Reports screen opens.

3. In the Report Name box, type the name of the new report schedule. The length must be
between 3 and 200 characters.

4. When creating Scheduled Reports from the Hub Console, click the MSPs dropdown box and
select the MSPs for the report. When the reports are generated, they will be generated for
the selected MSPs.

5. When creating Scheduled Reports from the Management Console for a specific MSP, click
the Tenants dropdown box and select the tenants for the report. When the reports are
generated, they will be generated for the selected MSP’s tenants.


6. Using the Report Period drop-down box, select the period of the Executive Summary
reports. The selected period defines the time period of the information used to generate
the report.

7. Using the Frequency drop-down box, select the frequency that Executive Summary reports
are generated. Select one of the following:

▪ Monthly – An Executive Summary report is generated every month. The day of the month
and time the report is generated is based on the Day and Time parameters.

▪ Weekly – An Executive Summary report is generated every week. The day of the week and
time the report is generated is based on the Day and Time parameters.

▪ Daily – An Executive Summary report is generated every day. The time of day the report is
generated is based on the Day parameter.

8. Using the Day drop-down box, select the day that Executive Summary reports are
generated. For monthly reports, select the day of the month. For weekly reports, select the
day of the week.

9. Using the Time drop-down box, select the time of day that Executive Summary reports are
generated.

10. In the Recipient box, type the email address to which you want the Executive Summary
reports to be sent.

11. Click Create and the new schedule is added to the Scheduled Report table.


4. Policy Configuration
Deep Instinct™ allows the security administrator to define the following policy related
configurations:

▪ Windows Policy

▪ macOS Policy

▪ Linux Policy

▪ Android Policy

▪ Chrome OS Policy

▪ iOS Policy

▪ Network Agentless Policy

▪ Allow List

▪ Deny List

▪ Exclusion List

4.1. Policy Screens


The Policy screens are used to define and deploy the policy parameters for all devices. Deep
Instinct contains the following Policy screens:

▪ Policy List Screen

▪ Windows Policy Screens

▪ macOS Policy Screens

▪ Linux Policy Screens

▪ Android Policy Screens

▪ Chrome OS Policy Screens

▪ iOS Policy Screens

▪ Network Agentless Screens

▪ Allow List Screen

▪ Deny List Screen

▪ Exclusion List Screen


4.1.1 Policy List Screen


The Policy List screen displays information about the default and custom policies in your
organization. From this screen, you can access all the policy configuration screens to view, change
or create policies. To open the Policy List screen, select Policy > Device Policies from the left pane.

The following figure illustrates a typical Policy List screen with numbered callouts. The callouts are
described in the table below.

Policy List Screen with Callouts

Policy List Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator, some
options may not be displayed.

2 Create Policy Click to open the dialog box to create a new custom policy.

3 Policies Table Displays a table of the policies. The table includes the following
information:

▪ Name – Name of the policy.


▪ Platform – Type of platform (OS) on the device. Each policy is
defined based on the selected platform.
▪ Groups – Number of Device Groups associated with the policy.
▪ Devices – Number of devices associated with the policy.
▪ Automatic Upgrades – Displays whether the devices associated
with the policy receive automatic upgrades of the D-Client.
▪ Created By – Name of the administrator that created the policy.
▪ Date Created – Date the policy was created.
▪ Last Updated – Date the policy was last modified.
▪ Updated By – Name of the administrator that last modified the
policy.
▪ Comment – Displays comments for the policy.

From this table, you can do the following:

▪ Filter the information to only display the relevant entries.
▪ Sort the information by clicking on column headings. The
information in the table is sorted based on the selected column.
▪ Define which columns are displayed.
▪ Define the location of each column.
▪ Create, view, update and remove custom preset views of the table.
▪ Clear all filters in the table.
▪ Export the data from the table to an Excel file.

4 Entry Selection Selecting an entry in this table provides you with several features, as
follows:
▪ Edit policy – Click an entry to edit the policy. The Policy screen
opens for the selected policy. For more information, see Windows
Policy, macOS Policy, Linux Policy, Android Policy, Chrome OS
Policy, iOS Policy and Network Agentless Policy.
▪ Action Options – Right-click an entry to open the available options
that can be performed on the selected policy. The options available
vary based on whether the policy is a default policy or custom
policy. From an entry, you may perform the following tasks:
▪ Open in a new tab – Opens the selected policy details in a new
tab to view or edit the policy.
▪ Edit comment – Add or edit comments for the policy.


▪ Edit name – Edit the policy name of a custom policy.
▪ Remove policy – Remove a custom policy.

5 Edit Comment Add or edit comments for the policy. Hover over a comment to
display the Edit icon, then click the icon to open the Edit
Comment dialog box.

6 Clear Filter Click to clear all column filters.

7 View Configuration Click to select an option to define preset and current views of the
table. These views are defined separately for each administrator. The
options are as follows:
▪ Views – Select the preset view to define the current view and how
the table is displayed. The current view defines the column
location, width, sort, filters, and which column is displayed.
▪ Reset – Resets the table view to the default settings of the current
preset view. 
▪ Update to match current view – Saves the current view as the
default of the current preset view.
▪ Rename – Opens a dialog box to change the name of the current
preset view.
▪ Remove – Removes the current preset view from the list and
changes the current preset view to Default View. Default View
cannot be removed.
▪ Create new – Opens a dialog box to create a new preset view based
on the current table settings. Once created, this view becomes the
current preset view.

8 Column Selector Defines which columns are displayed in the table. Clear or select the
checkbox to define which columns are displayed.

9 Export Click to select an option to export the data from the table. The
options are as follows:
▪ Export all columns – Creates an Excel file that contains all entries
displayed in the table, with data from all columns available.
▪ Export visible columns – Creates an Excel file that contains all
entries displayed in the table, with data from all columns displayed.
To define what is displayed in the table, use Filters to define which
entries are displayed and Column Selector to define which columns
are displayed.


10 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.

11 Items per Page Sets the number of entries per page. From the footer of the page you
may select whether 25, 50, 100 or 150 entries are included per page.

12 Page View Sets the page currently viewed. From the footer of the page you can
select the page to be displayed.

4.2. Windows Policy


The Windows Policy screens define the policy parameters for Windows clients. To open a Windows
Policy screen, open the Policy List and click the Windows policy you want to open.

The following figure illustrates a Windows Policy Configuration screen.

Windows Policy Configuration Screen


 

From the Windows Policy screen, the following parameters can be defined:

▪ Deep Static Analysis

▪ Behavioral Analysis

▪ Suspicious Activity Monitoring

▪ Script Control


▪ D-Client Control

▪ Scheduled Scan

4.2.1 Deep Static Analysis Configuration


Deep Static Analysis uses deep learning, which provides far greater accuracy than signature,
heuristic and classical machine learning solutions. The Deep Static Analysis configuration defines
the parameters at which the system identifies a file as malicious during static analysis, and the
action that is performed on the file. Deep Static Analysis for Windows platforms supports the
following file types:

▪ Windows Portable Executables: PE (such as .exe, .dll, .sys, .scr, .ocx)

▪ Object Linking and Embedding: OLE (such as .doc, .xls, .ppt, .jdt, .hwp)

▪ Windows Shell Link Binary File Format (shortcut) files: .lnk

▪ Office Open XML: OOXML (such as .docx, .docm, .xlsx, .xlsm, .pptx, .pptm)

▪ Embedded Macros (in OLE and OOXML files)

▪ PDF (Portable Document Format) files: .pdf

▪ RTF (Rich Text Format) files: .rtf

▪ Adobe Flash files: .swf

▪ JAR (Java ARchive) files: .jar

▪ Image files: .tiff

▪ Font files: .ttf, .otf

▪ Archive files: .zip, .rar

The Threat protection settings parameter is based on threat severity levels. When a file is analyzed,
the threat severity is determined using the D-Brain, the Allow List and the Deny List (for example, a
file in the Deny List has the highest threat severity).

When the threat severity for a file is at the level defined or higher, the file is defined as malicious
and the appropriate action is performed. There are two types of actions that can be performed on
these files, as follows:

▪ Detection – Threat is reported to your organization’s D-Appliance and can be monitored in
the Event List.

▪ Prevention – The system prevents any operations related to the malicious file (such as
running, copying or deleting it). The file is then deleted, quarantined, and reported, which
can be monitored in the Event List.


Deep Static Analysis Configuration

Parameter Definition

Threat protection settings Defines the threat severity levels and actions that are performed on
malicious files identified during Deep Static Analysis. There are two
types of actions that are defined in this parameter:
▪ Detection – Defines the minimum detection severity level for PE files.
Move the slider to change the severity level. Click Reset to default to
reset the detection severity level to its default setting. The default
setting is Moderate.
▪ Prevention – Defines whether the Prevention action is enabled for all
files and the minimum prevention severity level for PE files.
▪ Click the toggle to enable or disable Prevention. By default,
Prevention is enabled.
▪ Move the slider to change the prevention severity level. Click Reset
to default to reset the prevention severity level to its default
setting. The default setting is High.
When Prevention is enabled, Deep Static Analysis uses two threat
severity levels and applies Detection and Prevention actions, based on
the threat level of the file.
Any file in the File Hash Allow List or placed in a path directory in the
File Path Allow List is allowed to run.

Enable D-Cloud services Defines whether the use of file-based reputation D-Cloud services is
enabled. D-Cloud includes a database of malicious and benign files. It
provides a fast and scalable infrastructure in the cloud that adds a
second layer of protection.
▪ Click the toggle to enable or disable D-Cloud services. By default, D-
Cloud services are enabled.

Known PUA Defines the action that is performed on a known potentially unwanted
application (PUA) identified by the D-Cloud. Parameter D-Cloud
services must be enabled to display and define this parameter. Select
one of the following options:
▪ Prevent – Any PUA identified by the D-Cloud is deleted, quarantined,
and reported, which can be monitored in the Event List.
▪ Detect – Any PUA identified by the D-Cloud is reported to the D-
Appliance, without preventing it from running.
▪ Allow – All PUAs are allowed to run and are not reported to the D-
Appliance.


Any PUA in the File Hash Allow List or placed in a path directory in the
File Path Allow List is allowed to run.
Prevent is the default value.

Scan files accessed from network folders Defines whether files accessed from network folders are scanned.
When enabled, the actions performed are as defined in the parameter
Threat protection settings, except that the files are not deleted or
quarantined from the network folders.
▪ Click the toggle to enable or disable scanning of files accessed from
network folders. When enabled, PE files from the network folder are
scanned when executed and all other files are scanned when the
folder is opened. By default, this feature is disabled.
All files copied to the local drive are scanned regardless of this setting.

Embedded DDE object in Microsoft Office document Defines the action that is performed on Microsoft Office files with
embedded DDE objects. Select one of the following options:
▪ Deep Static Analysis protection – The action that is performed on
Microsoft Office files with embedded DDE objects is based on the
settings for the parameter Threat protection settings (Detection/
Prevention).
If Prevention is enabled, Microsoft Office files are prevented from
opening and then reported to the D-Appliance; otherwise they are only
reported.
▪ Allow – Microsoft Office files with embedded DDE objects are
allowed to open and are not reported to the D-Appliance.
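The decision the Deep Static Analysis table above describes, worked through as an added Python example that is not Deep Instinct code: it models the two severity thresholds, the Prevention toggle, the Deny List as the highest severity, the File Hash and File Path Allow Lists, and the network-folder exception where a prevented file is not deleted or quarantined. The four-level severity scale, the rule that the Allow Lists are checked before the Deny List, and the sample hashes and paths are assumptions; the defaults (Detection at Moderate, Prevention enabled at High, network-folder scanning off) follow the page.

```python
"""Decision model for the Windows Deep Static Analysis policy described above.

Added example, not Deep Instinct code. The severity scale and the allow-list-first
precedence are assumptions; defaults follow the page.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from pathlib import PureWindowsPath
from typing import Optional, Set, Tuple


class Severity(IntEnum):
    """Constructed ordinal scale; the page names only Moderate and High."""
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4  # assumed top of the scale, used for Deny List hits


@dataclass
class StaticPolicy:
    detection_level: Severity = Severity.MODERATE   # page default
    prevention_enabled: bool = True                 # page default
    prevention_level: Severity = Severity.HIGH      # page default
    scan_network_folders: bool = False              # page default
    hash_allow_list: Set[str] = field(default_factory=set)  # File Hash Allow List
    path_allow_list: Set[str] = field(default_factory=set)  # File Path Allow List (directories)
    deny_list: Set[str] = field(default_factory=set)        # Deny List (hashes)


@dataclass
class FileSample:
    sha256: str
    path: str
    brain_severity: Optional[Severity]  # D-Brain verdict; None if the file was not scored
    from_network_folder: bool = False


def _under_allowed_dir(path: str, allowed_dirs: Set[str]) -> bool:
    """True if path sits inside one of the allow-listed directories (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in allowed_dirs)


def evaluate(policy: StaticPolicy, sample: FileSample) -> Tuple[str, str]:
    """Return (action, remediation); action is 'allow', 'detect' or 'prevent'."""
    digest = sample.sha256.lower()
    # Allow Lists win outright (assumption: checked before the Deny List).
    if digest in {h.lower() for h in policy.hash_allow_list} or _under_allowed_dir(
        sample.path, policy.path_allow_list
    ):
        return ("allow", "allow-listed")
    # Files opened from a network folder are only scanned when that toggle is on.
    if sample.from_network_folder and not policy.scan_network_folders:
        return ("allow", "not scanned")
    # Deny-listed files carry the highest severity; otherwise use the D-Brain verdict.
    if digest in {h.lower() for h in policy.deny_list}:
        severity = Severity.VERY_HIGH
    elif sample.brain_severity is None:
        return ("allow", "no verdict")
    else:
        severity = sample.brain_severity
    # Two thresholds: at or above the prevention level the file is blocked,
    # otherwise at or above the detection level it is only reported.
    if policy.prevention_enabled and severity >= policy.prevention_level:
        # Network-folder files are blocked but never deleted or quarantined.
        remediation = "blocked" if sample.from_network_folder else "blocked, deleted and quarantined"
        return ("prevent", remediation)
    if severity >= policy.detection_level:
        return ("detect", "reported")
    return ("allow", "below detection level")


if __name__ == "__main__":
    # Constructed sample policy and files.
    pol = StaticPolicy(path_allow_list={r"C:\Tools"})
    for s in (
        FileSample("aa" * 32, r"C:\Users\u\Downloads\x.exe", Severity.HIGH),
        FileSample("bb" * 32, r"C:\Tools\bin\y.exe", Severity.HIGH),
        FileSample("cc" * 32, r"\\srv\share\z.exe", Severity.HIGH, from_network_folder=True),
    ):
        print(s.path, evaluate(pol, s))
```

The ordering of the checks is the point: an allow-listed path short-circuits everything, a Deny List hit forces a prevention regardless of the D-Brain score, and a file scored between the two thresholds generates a detection event only.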

4.2.2 Behavioral Analysis Configuration


The Behavioral Analysis configuration defines the parameters for the behavioral analysis
performed on Windows devices and the actions implemented. The Behavioral Analysis feature
provides an additional layer of protection by monitoring and preventing on-execution malicious
activities. To configure the Behavioral Analysis features, define the following parameters:

Behavioral Analysis Configuration

Parameter Definition

Ransomware Behavior Defines the action that is performed on a process when a ransomware
behavior occurs. Select one of the following options:
▪ Prevent – Any process that tries to run a malicious file encryption
(ransomware) is terminated and reported to the D-Appliance.


▪ Detect – Any process that runs a malicious file encryption
(ransomware) is reported to the D-Appliance, without preventing it
from running.
▪ Allow – Processes that run malicious file encryption are not
prevented from running and are not reported to the D-Appliance.

In-Memory Protection Defines whether processes are monitored in-memory to detect
malicious behavior. Once enabled, the actions performed are based on
the settings of the parameters Arbitrary Shellcode, Remote Code Injection,
Credential Dumping and Known Payload Execution.
▪ Click the toggle to enable or disable In-Memory Protection. By
default, this feature is disabled.

Arbitrary Shellcode Defines the action that is performed on a process that executes
arbitrary shellcode. Parameter In-Memory Protection must be enabled
to display and define this parameter. This feature is only available for
32-bit processes. Select one of the following options:
▪ Prevent – Any 32-bit process that tries to execute arbitrary
shellcode is terminated and reported to the D-Appliance.
▪ Detect – Any 32-bit process that tries to execute arbitrary
shellcode is reported to the D-Appliance, without preventing it from
running.
▪ Allow – Processes that execute arbitrary shellcode are not
prevented from running and are not reported to the D-Appliance.

Remote Code Injection Defines the action that is performed on a process that injects malicious
code into a remote process. Parameter In-Memory Protection must be
enabled to display and define this parameter. Select one of the
following options:
▪ Prevent – Any process that tries to inject malicious code into a
remote process is terminated and reported to the D-Appliance.
▪ Detect – Any process that injects malicious code into a remote
process is reported to the D-Appliance, without preventing it from
running.
▪ Allow – Processes that inject malicious code into a remote process
are not prevented from running and are not reported to the D-Appliance.


.Net Reflection Defines the action that is performed on a process that attempts to use
a reflection mechanism on a .NET file. Parameter In-Memory Protection
must be enabled to display and define this parameter. Select one of
the following options:
▪ Prevent – Any process that tries to use a reflection mechanism on
a .NET file is terminated and reported to the D-Appliance.
▪ Detect – Any process that uses a reflection mechanism on a .NET
file is reported to the D-Appliance, without preventing it from
running.
▪ Allow – Processes that use a reflection mechanism on a .NET file
are not prevented from running and are not reported to the D-
Appliance.

AMSI Bypass Defines the action that is performed on a process that attempts to
bypass the Windows Antimalware Scan Interface (AMSI). Parameter In-
Memory Protection must be enabled to display and define this
parameter. Select one of the following options:
▪ Prevent – Any process that tries to bypass AMSI is terminated and
reported to the D-Appliance.
▪ Detect – Any process that bypasses AMSI is reported to the D-
Appliance, without preventing it from running.
▪ Allow – Processes that bypass AMSI are not prevented from running
and are not reported to the D-Appliance.

Credential Dumping Defines the action that is performed on a process that extracts
authentication credentials. Parameter In-Memory Protection must be
enabled to display and define this parameter. Select one of the
following options:
▪ Prevent – Any process that tries to extract authentication credentials
is terminated and reported to the D-Appliance.
▪ Detect – Any process that extracts authentication credentials is
reported to the D-Appliance, without preventing it from running.
▪ Allow – Processes that extract authentication credentials are not
prevented from running and are not reported to the D-Appliance.

Known Payload Execution Defines the action that is performed on a process that executes a
known malicious payload. Parameter In-Memory Protection must be
enabled to display and define this parameter. Select one of the
following options:


▪ Prevent – Any process that tries to execute a known malicious
payload is terminated and reported to the D-Appliance.
▪ Allow – Processes that execute a known malicious payload are not
prevented from running and are not reported to the D-Appliance.

Suspicious Script Execution Defines the action that is performed on scripts with suspicious
behavior. Select one of the following options:
▪ Prevent – Suspicious scripts are prevented from running and
reported to the D-Appliance.
▪ Detect – Suspicious scripts are reported to the D-Appliance, without
preventing them from running.
▪ Allow – Suspicious scripts are allowed to run and are not reported to
the D-Appliance.
All scripts placed in a path directory in the Script Allow List are allowed
to run.

Malicious PowerShell Command Execution Defines the action that is performed on PowerShell commands with
malicious content. This feature is only available on devices with
Windows 10 and above. Select one of the following options:
▪ Prevent – Malicious PowerShell commands are prevented from
running and reported to the D-Appliance.
▪ Detect – Malicious PowerShell commands are reported to the D-
Appliance, without preventing them from running.
▪ Allow – Malicious PowerShell commands are allowed to run and are
not reported to the D-Appliance.
All PowerShell commands listed in the Script Allow List are allowed to
run.

4.2.3 Suspicious Activity Monitoring Configuration


The Suspicious Activity Monitoring configuration defines the parameters for monitoring
suspicious activities on Windows devices and the actions implemented. The Suspicious Activity
Monitoring feature provides an additional layer of protection by monitoring, detecting, remediating
and preventing suspicious activities based on this configuration. To configure the Suspicious
Activity Monitoring features, define the following parameters:


Suspicious Activity Monitoring Configuration

Parameter Definition

Suspicious Activity Detection Defines whether the Suspicious Activity Detection feature is enabled. When
enabled, suspicious activities are monitored using preset rules and the
actions performed are based on the settings of the parameter Suspicious
Activity.
▪ Click the toggle to enable or disable Suspicious Activity Detection. By
default, this feature is disabled.

Suspicious Activity Defines the action that Deep Instinct performs on suspicious activities.
Parameter Suspicious Activity Detection must be enabled to define this
parameter. Select one of the following options:
▪ Detect – Suspicious activities detected based on predefined rules
are reported to the D-Appliance, without any remediation.
▪ Remediate – Suspicious activities detected are remediated based on
predefined rules and responses.

Suspicious PowerShell Command Execution Defines the action that is performed on PowerShell commands with
suspicious content. This feature is only available on devices with
Windows 10 and above. Select one of the following options:
▪ Prevent – Suspicious PowerShell commands are prevented from
running and reported to the D-Appliance.
▪ Detect – Suspicious PowerShell commands are reported to the D-
Appliance, without preventing them from running.
▪ Allow – Suspicious PowerShell commands are allowed to run and are
not reported to the D-Appliance.
All PowerShell commands listed in the Script Allow List are allowed to
run.
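The three tables above (Deep Static Analysis, Behavioral Analysis and Suspicious Activity Monitoring) each contain parameters that only take effect when a parent toggle is enabled: Known PUA behind Enable D-Cloud services, the in-memory parameters behind In-Memory Protection, and Suspicious Activity behind Suspicious Activity Detection. The following added Python example, which is not Deep Instinct code, audits a policy transcribed from those screens for settings that are silently inactive because their gate is off, for options left at Allow, and for Prevention being disabled. The flat key names and the sample policy are constructed; the page has no export format or API for policies, and only the defaults the page states are filled in.

```python
"""Audit a Windows policy for gated parameters that have no effect and for Allow settings.

Added example, not Deep Instinct code. Key names are constructed transcriptions of the
parameter names on the policy screens; the page defines no export format or API.
"""
from typing import Dict, List, Tuple, Union

Policy = Dict[str, Union[bool, str]]

# Parent toggle -> parameters the page says are only displayed and defined when it is enabled.
GATES: Dict[str, Tuple[str, ...]] = {
    "enable_d_cloud_services": ("known_pua",),
    "in_memory_protection": (
        "arbitrary_shellcode", "remote_code_injection", "dotnet_reflection",
        "amsi_bypass", "credential_dumping", "known_payload_execution",
    ),
    "suspicious_activity_detection": ("suspicious_activity",),
}

# Defaults the page states; any other key is treated as unset when absent.
PAGE_DEFAULTS: Policy = {
    "prevention_enabled": True,
    "enable_d_cloud_services": True,
    "known_pua": "prevent",
    "scan_files_accessed_from_network_folders": False,
    "in_memory_protection": False,
    "suspicious_activity_detection": False,
}

# Constructed sample: a policy where someone configured in-memory options
# without turning the parent toggle on, and left two options at Allow.
SAMPLE_POLICY: Policy = {
    "in_memory_protection": False,
    "credential_dumping": "prevent",
    "amsi_bypass": "allow",
    "suspicious_activity_detection": True,
    "suspicious_activity": "detect",
    "ransomware_behavior": "allow",
}


def audit(policy: Policy) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    effective: Policy = {**PAGE_DEFAULTS, **policy}
    findings: List[str] = []

    # 1. Dependent parameters configured while their gate is off do nothing.
    for gate, dependents in GATES.items():
        if effective.get(gate):
            continue
        configured = [d for d in dependents if d in policy]
        detail = f"; configured but inactive: {', '.join(configured)}" if configured else ""
        findings.append(f"{gate} is disabled{detail}")

    # 2. Allow means neither prevented nor reported, so the activity is invisible.
    for key, value in effective.items():
        if value == "allow":
            findings.append(f"{key} is set to Allow: neither prevented nor reported")

    # 3. With Prevention off, Deep Static Analysis only reports malicious files.
    if not effective["prevention_enabled"]:
        findings.append("prevention_enabled is off: Deep Static Analysis only reports, never blocks")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY):
        print(line)
```

Because the console hides a dependent parameter when its gate is off, a value set before the gate was disabled is easy to overlook; an audit like this, run over an exported or transcribed policy, surfaces it.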

4.2.4 Script Control Configuration


The Script Control configuration defines the parameters for handling scripts. It defines the
handling of Macro, PowerShell, HTA files, JavaScript execution via rundll32 and ActiveScript
(JavaScript and VBScript).

All scripts (except for embedded macro scripts) placed in a path directory in the Script Allow List
are allowed to run, even when the parameter is set to Prevent. However, when ActiveScript
usage is prevented from running by the operating system (ActiveScript infrastructure set to Disable),
all scripts using ActiveScript are prevented from running, including files placed in a script path
directory in the Script Allow List.


To configure the handling of these scripts, define the following parameters:

Script Control Configuration

Parameter Definition

Macro execution Defines the action that is performed on files with embedded
macro scripts. Select one of the following options:
▪ Prevent All by Windows – All files with macro scripts are blocked
by the operating system. No event is generated by Deep Instinct.
▪ Deep Static Analysis protection – The action that is performed
on files with macro scripts is based on the D-Brain and the
settings in the Deep Static Analysis (Detection/Prevention).
▪ Allow all macros – All macro scripts are allowed to run and are
not reported to the D-Appliance.

PowerShell execution Defines the action that is performed on PowerShell scripts. Select
one of the following options:
▪ Prevent – All PowerShell scripts are prevented from running and
reported to the D-Appliance.
▪ Detect – All PowerShell scripts are reported to the D-Appliance,
without preventing them from running.
▪ Allow – All PowerShell scripts are allowed to run and are not
reported to the D-Appliance.
All PowerShell scripts placed in a path directory in the Script Allow
List are allowed to run.

HTML Applications (HTA files) and JavaScript via rundll32 executions Defines the action that is performed on HTML Applications (HTA)
and JavaScript execution using rundll32. Select one of the following
options:
▪ Prevent – All HTML Applications and JavaScript via rundll32 are
prevented from running and reported to the D-Appliance.
▪ Detect – All HTML Applications and JavaScript via rundll32 are
reported to the D-Appliance, without preventing them from running.
▪ Allow – All HTML Applications and JavaScript via rundll32 are
allowed to run and are not reported to the D-Appliance.
All HTA files placed in a path directory in the Script Allow List are
allowed to run.


ActiveScript infrastructure Defines the action that is performed on ActiveScript usage. Click
the toggle to enable or disable the ActiveScript infrastructure.
▪ When disabled, all ActiveScript usage is prevented from running
by the operating system. No event is generated by Deep Instinct.
▪ When enabled, the operating system's ActiveScript setting is left
at its default. To set an action for JavaScript and VBScript usage,
the following parameter, ActiveScript execution, must be defined.

ActiveScript execution (JavaScript & VBScript) Defines the action that Deep Instinct performs on JavaScript and
VBScript usage. Parameter ActiveScript infrastructure must be
enabled to define this parameter. Select one of the following
options:
▪ Prevent – All JavaScript and VBScript are prevented from running
and prevention events are reported to the D-Appliance.
▪ Detect – All JavaScript and VBScript are reported to the D-
Appliance, without preventing them from running.
▪ Allow – Deep Instinct does not prevent JavaScript and VBScript
from running and they are not reported to the D-Appliance.
All JavaScript and VBScript files placed in a path directory in the Script
Allow List are allowed to run.
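The Script Allow List and the ActiveScript infrastructure toggle interact in a way that is easy to get wrong, so here is the Script Control section worked through as an added Python example (not Deep Instinct code): an OS-level ActiveScript disable wins over the Script Allow List and raises no Deep Instinct event, embedded macros are never covered by the Script Allow List, and every other script kind is allowed when it sits under an allow-listed directory. The setting value strings, the directory form of the allow list and the sample paths are constructed; the page states no defaults for these parameters, so the policy requires explicit values and rejects unknown ones.

```python
"""Decision model for the Windows Script Control parameters described above.

Added example, not Deep Instinct code. Setting values, the directory form of the
Script Allow List and the sample paths are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from pathlib import PureWindowsPath
from typing import Optional, Tuple

ACTIONS = ("prevent", "detect", "allow")
MACRO_MODES = ("prevent_all_by_windows", "deep_static_analysis", "allow_all_macros")


class ScriptKind(Enum):
    MACRO = "embedded macro"
    POWERSHELL = "PowerShell script"
    HTA = "HTML Application"
    JS_RUNDLL32 = "JavaScript via rundll32"
    ACTIVESCRIPT = "JavaScript/VBScript via ActiveScript"


@dataclass(frozen=True)
class ScriptControlPolicy:
    macro_execution: str                      # one of MACRO_MODES
    powershell_execution: str                 # one of ACTIONS
    hta_and_js_rundll32_execution: str        # one of ACTIONS
    activescript_infrastructure_enabled: bool
    activescript_execution: str               # one of ACTIONS
    script_allow_list_dirs: Tuple[str, ...] = ()  # Script Allow List as directories

    def __post_init__(self) -> None:
        if self.macro_execution not in MACRO_MODES:
            raise ValueError(f"bad macro mode: {self.macro_execution}")
        for value in (self.powershell_execution, self.hta_and_js_rundll32_execution,
                      self.activescript_execution):
            if value not in ACTIONS:
                raise ValueError(f"bad action: {value}")


def _in_allowed_dir(path: str, dirs: Tuple[str, ...]) -> bool:
    """True if path sits under one of the allow-listed directories (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in dirs)


def decide(policy: ScriptControlPolicy, kind: ScriptKind, path: Optional[str] = None,
           static_verdict: Optional[str] = None) -> Tuple[str, bool]:
    """Return (outcome, reported): outcome is 'prevent', 'detect' or 'allow';
    reported says whether Deep Instinct raises an event. static_verdict is the
    Deep Static Analysis outcome for a macro-bearing file (one of ACTIONS)."""
    # An OS-level ActiveScript disable blocks every JavaScript/VBScript, even one
    # under an allow-listed directory, and Deep Instinct generates no event.
    if kind is ScriptKind.ACTIVESCRIPT and not policy.activescript_infrastructure_enabled:
        return ("prevent", False)
    # Embedded macros are the one kind the Script Allow List does not cover.
    if kind is ScriptKind.MACRO:
        if policy.macro_execution == "prevent_all_by_windows":
            return ("prevent", False)          # blocked by Windows, no event
        if policy.macro_execution == "allow_all_macros":
            return ("allow", False)
        verdict = static_verdict or "allow"    # Deep Static Analysis decides
        return (verdict, verdict != "allow")
    # Every other script kind is allowed when it sits under an allow-listed directory.
    if path is not None and _in_allowed_dir(path, policy.script_allow_list_dirs):
        return ("allow", False)
    setting = {
        ScriptKind.POWERSHELL: policy.powershell_execution,
        ScriptKind.HTA: policy.hta_and_js_rundll32_execution,
        ScriptKind.JS_RUNDLL32: policy.hta_and_js_rundll32_execution,
        ScriptKind.ACTIVESCRIPT: policy.activescript_execution,
    }[kind]
    return (setting, setting != "allow")


if __name__ == "__main__":
    # Constructed policy: ActiveScript disabled at the OS level, allow list on C:\Scripts.
    pol = ScriptControlPolicy("deep_static_analysis", "prevent", "detect", False, "prevent",
                              (r"C:\Scripts",))
    print(decide(pol, ScriptKind.ACTIVESCRIPT, r"C:\Scripts\logon.vbs"))   # blocked by the OS
    print(decide(pol, ScriptKind.POWERSHELL, r"C:\Scripts\deploy.ps1"))    # allow-listed
```

Note the two outcomes that produce no event: a Windows-level block and an allow-listed script both run silently past Deep Instinct's reporting, so the Script Allow List directories deserve the same change control as the policy itself.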

4.2.5 D-Client Control


The D-Client Control configuration defines the parameters to configure basic and advanced
features in the Windows clients.

D-Client Control Configuration

Parameter Definition

Upgrade D-Client automatically Using Windows policies, the administrator can implement upgrades in
multiple stages to ramp up the upgrade process. During the upgrade,
all data is saved and a full scan is not required.
This parameter defines whether the D-Client on Windows devices is
automatically upgraded.
▪ Click the toggle to enable or disable automatic upgrades. By default,
this feature is disabled.
It is recommended that you enable this feature to take advantage of
future enhancements, as they become available.


Disable password
Defines the password required to locally disable the D-Client on Windows devices.

Uninstall password
Defines the password required to locally uninstall the D-Client on Windows devices.

Integrate D-Client with Windows Security Center
Defines whether the D-Client on Windows devices is integrated with Windows Security Center (WSC). The integration monitors the state of the D-Client and reports its status through Windows Security.
▪ Click the toggle to enable or disable the integration with WSC. By default, this feature is disabled.
If Windows Defender is active and the D-Client integration is enabled, Windows Defender is disabled.

Display D-Client user interface (device restart required)
Defines whether the D-Client user interface is displayed or hidden on Windows devices. When enabled, the D-Client user interface is visible on Windows devices. When the user interface is hidden, the D-Client icon and notifications are also not displayed.
▪ Click the toggle to display or hide the user interface. By default, the user interface is displayed.
Changes on Windows devices are only implemented after a reboot of the device.

Permitted connections for network isolated devices
By default, an isolated device can only communicate with the D-Appliance. This parameter allows you to add additional connections that isolated devices are permitted to use.

4.2.5.1 Disable and Uninstall Password Configuration


The disable and uninstall passwords were initially defined in the Startup wizard. It is
recommended that two different passwords be used. Once the passwords have been changed in
the policy, each device is only updated with the new passwords during its next connection to the
D-Appliance.

To change the disable or uninstall password:


1. From a Windows, macOS or Linux policy, go to parameter Disable password or Uninstall
password and click Change Password. The Password box replaces the button.

2. In the Password box, enter the new password. The new password must meet the following
requirements:

▪ Password length must be between 8 and 35 characters.


▪ Password must include both upper-case and lower-case letters.

▪ Password must include one or more numerical digits.

▪ Password must include one or more special characters.

▪ New password must be different from the current password.

3. As you comply with each requirement, the requirement changes to green.

4. To view and verify the new password that you entered, click the eye icon.

5. Click Save & Apply to implement the change. A message appears to confirm that the
changes were saved successfully.

6. Each device is then updated with the new password during its next connection to the D-
Appliance.
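The requirements in step 2 are easy to check locally before a password is pasted into the policy, and the recommendation to use two different passwords is easy to overlook when passwords come from a vault or a generator. The following Python is an added example and is not Deep Instinct code: it validates a candidate against the rules listed above and generates compliant random passwords with the standard library. The guide does not define "special character"; treating ASCII punctuation as the special-character class is an assumption of this example.

```python
"""Validate and generate D-Client disable/uninstall passwords.

Added example (not Deep Instinct code). It encodes the five requirements
listed in the procedure above; the special-character class is an assumption.
"""
import secrets
import string
from typing import List, Optional

MIN_LEN, MAX_LEN = 8, 35
# Assumption: the guide does not define "special character"; ASCII
# punctuation is used as the special-character class in this example.
SPECIAL = set(string.punctuation)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password(candidate: str, current: Optional[str] = None) -> List[str]:
    """Return the requirements the candidate fails (empty list = acceptable).

    `current` is the password currently set in the policy, if known, so the
    "must be different from the current password" rule can be applied.
    """
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length must be between 8 and 35 characters")
    if not any(c.isupper() for c in candidate):
        problems.append("must include an upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("must include a lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("must include a numerical digit")
    if not any(c in SPECIAL for c in candidate):
        problems.append("must include a special character")
    if current is not None and candidate == current:
        problems.append("must be different from the current password")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password that satisfies check_password().

    Characters are drawn with the `secrets` module (CSPRNG); a draw that
    happens to miss a character class is discarded and redrawn.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between %d and %d" % (MIN_LEN, MAX_LEN))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


def generate_password_pair() -> dict:
    """Generate distinct disable and uninstall passwords, as the guide recommends."""
    disable_pw = generate_password()
    uninstall_pw = generate_password()
    while uninstall_pw == disable_pw:  # practically impossible, but cheap to guard
        uninstall_pw = generate_password()
    return {"disable": disable_pw, "uninstall": uninstall_pw}


if __name__ == "__main__":
    for pw in ("Sh0rt!", "correcthorsebatterystaple", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw) or "OK")
    print(generate_password_pair())
```

Store the generated pair in your password manager before clicking Save & Apply; once the policy is saved, the old passwords stop working on each device at its next connection to the D-Appliance.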

4.2.5.2 Adding Connections to Isolated Devices


By default, an isolated device can only communicate with the D-Appliance. Additional connections can be added from the policy so that isolated devices can communicate with other endpoints.

To add a connection to isolated devices:


1. From a Windows or macOS policy, go to parameter Permitted connections for network isolated
devices and click Add Connections. The Permitted Connections dialog box opens.


2. In the Port box, type the port number for the connection, or leave it empty to allow all ports.

3. In the IP Address box, type the IP address for the connection, or leave it empty to allow all IP addresses. At least one of IP address and port number must be entered to create a connection.

4. In the Connection Type list, select whether the connection is incoming or outgoing.

5. Click Add and the connection is added to the Connections table.

6. Click OK to close the Permitted Connections dialog box.

7. Click Save & Apply to implement the change. A message appears to confirm that the
changes were saved successfully.
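Because an empty Port or IP Address field is a wildcard, it is worth checking what a permitted-connection list actually opens before applying it. The following Python is an added example, not Deep Instinct code: it models the entries of the Permitted Connections dialog (port, IP address, connection type, with the always-reachable D-Appliance) and answers whether a given connection from or to an isolated device would be allowed. The sample addresses are constructed, and how the product matches ports for incoming versus outgoing traffic is an assumption; use the model to reason about how wide a rule is, not as a statement of the agent's internals.

```python
"""Model of 'Permitted connections for network isolated devices'.

Added example (not Deep Instinct code). An empty Port or IP Address field is
a wildcard, at least one of them must be set, and the D-Appliance is always
reachable. Port-matching semantics per direction are an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class PermittedConnection:
    direction: str                 # "incoming" or "outgoing" (Connection Type)
    port: Optional[int] = None     # None = all ports (Port field left empty)
    ip: Optional[str] = None       # None = all IP addresses (IP Address field left empty)

    def __post_init__(self) -> None:
        if self.direction not in ("incoming", "outgoing"):
            raise ValueError("connection type must be incoming or outgoing")
        if self.port is None and self.ip is None:
            raise ValueError("an IP address or port number must be entered")
        if self.port is not None and not 1 <= self.port <= 65535:
            raise ValueError("port out of range")
        if self.ip is not None:
            ip_address(self.ip)  # raises ValueError on a malformed address

    def matches(self, direction: str, peer_ip: str, port: int) -> bool:
        """True if this entry permits the connection; None fields match anything."""
        return (
            self.direction == direction
            and (self.port is None or self.port == port)
            and (self.ip is None or ip_address(self.ip) == ip_address(peer_ip))
        )

    def is_wide(self) -> bool:
        """An entry with an empty IP (or empty port) admits far more than one peer."""
        return self.ip is None or self.port is None


def entry_is_valid(direction: str, port: Optional[int] = None, ip: Optional[str] = None) -> bool:
    """True if the dialog would accept this combination when Add is clicked."""
    try:
        PermittedConnection(direction, port, ip)
    except ValueError:
        return False
    return True


class IsolationPolicy:
    """The permitted-connection list of one policy plus the always-on D-Appliance."""

    def __init__(self, appliance_ip: str, rules: List[PermittedConnection]):
        self.appliance_ip = ip_address(appliance_ip)
        self.rules = list(rules)

    def is_permitted(self, direction: str, peer_ip: str, port: int) -> bool:
        # The D-Appliance stays reachable so the device can be managed and released.
        if ip_address(peer_ip) == self.appliance_ip:
            return True
        return any(r.matches(direction, peer_ip, port) for r in self.rules)

    def wide_rules(self) -> List[PermittedConnection]:
        """Entries worth a second look before Save & Apply."""
        return [r for r in self.rules if r.is_wide()]


# Constructed sample policy (addresses are placeholders, not from the guide):
# the appliance, an outgoing HTTPS hole to a forensic collector, and an
# incoming SSH hole that was created with the IP Address field left empty.
DEMO = IsolationPolicy(
    appliance_ip="10.0.0.5",
    rules=[
        PermittedConnection("outgoing", port=443, ip="10.0.1.20"),
        PermittedConnection("incoming", port=22),  # any source may connect on 22
    ],
)

if __name__ == "__main__":
    for conn in (("outgoing", "10.0.0.5", 8443), ("outgoing", "10.0.1.20", 443),
                 ("outgoing", "10.0.1.20", 80), ("incoming", "203.0.113.9", 22)):
        print(conn, "->", "permitted" if DEMO.is_permitted(*conn) else "blocked")
    print("wide rules:", DEMO.wide_rules())
```

The second sample rule shows the caveat: leaving the IP Address box empty to "allow all IP addresses" means an isolated, possibly compromised host accepts SSH from anywhere it can be reached. For a forensic or remediation connection, fill in both the port and the address of the specific jump host.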


4.2.6 Scheduled Scan Configuration


The Scheduled Scan configuration defines whether a periodic full scan is performed and the
period for the scans.

Scheduled Scan Configuration

Perform scheduled full scan
Defines whether a periodic full scan is performed on Windows devices. When enabled, full scans are performed periodically as defined in the following parameters.
▪ Click the toggle to enable or disable scheduled full scans. By default, this feature is disabled.

Period
Defines the frequency at which a full scan is performed on Windows devices. Parameter Perform scheduled full scan must be enabled to display and define this parameter. Select one of the following options:
▪ Monthly – Full scans are performed every month, during the first week of the month. The day and time are defined in the following parameters.
▪ Weekly – Full scans are performed every week, on the day and at the time defined in the following parameters.
▪ Daily – Full scans are performed every day, at the time defined in the Time parameter.

Day
Defines the day on which full scans are performed for Monthly or Weekly scans, as defined in parameter Period. To select the day, use the drop-down box.

Time
Defines the time at which full scans are performed. To select the time, use the drop-down box.

4.3. macOS Policy


The macOS Policy screens define the policy parameters for macOS clients. To open a macOS
Policy screen, open the Policy List and click the macOS policy you want to open.

The following figure illustrates a macOS Policy Configuration screen.


macOS Policy Configuration Screen (figure not reproduced in this text)

From the macOS Policy screen, the following parameters can be defined:

▪ Deep Static Analysis

▪ D-Client Control

▪ Scheduled Scan

4.3.1 Deep Static Analysis Configuration


Deep Static Analysis uses deep learning, which provides far greater accuracy than signature,
heuristic and classical machine learning solutions. The Deep Static Analysis configuration defines
the parameters at which the system identifies a file as malicious during static analysis, and the
action that is performed on the file. Deep Static Analysis for macOS platforms supports the
following file types:

▪ macOS Executable file: Mach-O

▪ Object Linking and Embedding: OLE (such as .doc, .xls, .ppt, .jdt, .hwp)

▪ Office Open XML: OOXML (such as .docx, .docm, .xlsx, .xlsm, .pptx, .pptm)

▪ Embedded Macros (in OLE and OOXML files)

▪ PDF (Portable Document Format) files: .pdf

▪ RTF (Rich Text Format) files: .rtf

▪ Adobe Flash files: .swf

▪ JAR (Java ARchive) files: .jar


▪ Image files: .tiff

▪ Font files: .ttf, .otf

▪ Disk Image file: .dmg

▪ Archive files: .zip, .xar, .7z, .tar, .tar.z, .tar.gz, .tar.bz2

The Threat protection settings parameter is based on threat severity levels. When a file is analyzed, its threat severity is determined using the D-Brain, the allow list and the deny list (for example, a file in the deny list has the highest threat severity).

When the threat severity of a file is at the defined level or higher, the file is classified as malicious and the appropriate action is performed. Two types of action can be performed on these files:

▪ Detection – The threat is reported to your organization's D-Appliance and can be monitored in the Event List.

▪ Prevention – The system prevents any operation related to the malicious file (such as running, copying or deleting it). The file is then deleted, quarantined and reported, and the event can be monitored in the Event List.

Deep Static Analysis Configuration

Threat protection settings
Defines the threat severity levels and actions that are performed on malicious files identified during Deep Static Analysis. Two types of action are defined in this parameter:
▪ Detection – Defines the minimum detection severity level for Mach-O files. Move the slider to change the severity level. Click Reset to default to reset the detection severity level to its default setting. The default setting is Moderate.
▪ Prevention – Defines whether the Prevention action is enabled for all files, and the minimum prevention severity level for Mach-O files.
  ▪ Click the toggle to enable or disable Prevention. By default, Prevention is enabled.
  ▪ Move the slider to change the prevention severity level. Click Reset to default to reset the prevention severity level to its default setting. The default setting is High.
When Prevention is enabled, Deep Static Analysis uses two threat severity levels and applies the Detection and Prevention actions based on the threat level of the file.


Any file in the File Hash Allow List or placed in a path directory in
the File Path Allow List is allowed to run.

Enable D-Cloud services
Defines whether file-based reputation D-Cloud services are used. D-Cloud includes a database of malicious and benign files. It provides a fast and scalable infrastructure in the cloud that adds a second layer of protection.
▪ Click the toggle to enable or disable D-Cloud services. By default, D-Cloud services are enabled.

Known PUA
Defines the action that is performed on a known potentially unwanted application (PUA) identified by the D-Cloud. Parameter Enable D-Cloud services must be enabled to display and define this parameter. Select one of the following options:
▪ Prevent – Any PUA identified by the D-Cloud is deleted, quarantined and reported, and the event can be monitored in the Event List.
▪ Detect – Any PUA identified by the D-Cloud is reported to the D-Appliance, without preventing it from running.
▪ Allow – All PUAs are allowed to run and are not reported to the D-Appliance.
Any PUA in the File Hash Allow List or placed in a path directory in the File Path Allow List is allowed to run.
Prevent is the default value.

Scan files accessed from network folders
Defines whether files accessed from network folders are scanned. When enabled, the actions performed are as defined in parameter Threat protection settings, except that the files are not deleted from or quarantined in the network folders.
▪ Click the toggle to enable or disable scanning of files accessed from network folders. When enabled, Mach-O files from the network folder are scanned when executed, and all other files are scanned when the folder is opened. By default, this feature is disabled.
All files copied to the local drive are scanned regardless of this setting.

Embedded DDE object in Microsoft Office document
Defines the action that is performed on Microsoft Office files with embedded DDE objects. Select one of the following options:
▪ Deep Static Analysis protection – The action performed on Microsoft Office files with embedded DDE objects is based on the settings of parameter Threat protection settings (Detection/Prevention). If Prevention is enabled, the Microsoft Office file is prevented from opening and reported to the D-Appliance; otherwise it is only reported.
▪ Allow – Microsoft Office files with embedded DDE objects are allowed to open and are not reported to the D-Appliance.

4.3.2 D-Client Control


The D-Client Control configuration defines the parameters to configure basic and advanced
features in the macOS clients.

D-Client Control Configuration

Upgrade D-Client automatically
Using macOS policies, the administrator can implement upgrades in multiple stages to ramp up the upgrade process. During the upgrade, all data is saved and a full scan is not required.
This parameter defines whether the D-Client on macOS devices is automatically upgraded.
▪ Click the toggle to enable or disable automatic upgrades. By default, this feature is disabled.
It is recommended that you enable this feature to take advantage of future enhancements as they become available.

Disable password
Defines the password required to locally disable the D-Client on macOS devices.

Uninstall password
Defines the password required to locally uninstall the D-Client on macOS devices.

Display D-Client user interface
Defines whether the D-Client user interface is displayed or hidden on macOS devices. When enabled, the D-Client user interface is visible on macOS devices. When the user interface is hidden, the D-Client icon and notifications are also not displayed.
▪ Click the toggle to display or hide the user interface. By default, the user interface is displayed.

Permitted connections for network isolated devices
By default, an isolated device can only communicate with the D-Appliance. This parameter allows you to add additional connections that isolated devices are permitted to use.

4.3.3 Scheduled Scan Configuration


The Scheduled Scan configuration defines whether a periodic full scan is performed and the
period for the scans.

Scheduled Scan Configuration

Perform scheduled full scan
Defines whether a periodic full scan is performed on macOS devices. When enabled, full scans are performed periodically as defined in the following parameters.
▪ Click the toggle to enable or disable scheduled full scans. By default, this feature is disabled.

Period
Defines the frequency at which a full scan is performed on macOS devices. Parameter Perform scheduled full scan must be enabled to display and define this parameter. Select one of the following options:
▪ Monthly – Full scans are performed every month, during the first week of the month. The day and time are defined in the following parameters.
▪ Weekly – Full scans are performed every week, on the day and at the time defined in the following parameters.
▪ Daily – Full scans are performed every day, at the time defined in the Time parameter.

Day
Defines the day on which full scans are performed for Monthly or Weekly scans, as defined in parameter Period. To select the day, use the drop-down box.

Time
Defines the time at which full scans are performed. To select the time, use the drop-down box.
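Period, Day and Time together determine when the next full scan actually starts, and the Monthly option ("during the first week of the month", on the selected day) does not mean every 30 days: the interval between two monthly scans varies between four and five weeks. The following Python, an added example that is not Deep Instinct code, computes the next scan start for the Scheduled Scan settings described for Windows (4.2.6) and macOS (4.3.3). It assumes that the Day drop-down lists weekday names, that "first week" means calendar days 1 to 7, and that times are local naive datetimes; all three are assumptions, not statements from the guide.

```python
"""Compute the next scheduled full scan from Period, Day and Time.

Added example (not Deep Instinct code). Assumptions: Day is a weekday name,
"first week of the month" means calendar days 1-7, and times are local,
naive datetimes.
"""
import calendar
from datetime import date, datetime, time, timedelta
from typing import List, Optional

WEEKDAYS = list(calendar.day_name)  # "Monday" .. "Sunday" (assumed drop-down values)


def _first_weekday_on_or_after(start: date, weekday: int) -> date:
    """First date >= start that falls on `weekday` (0 = Monday)."""
    return start + timedelta(days=(weekday - start.weekday()) % 7)


def next_scan(now: datetime, period: str, day: Optional[str], at: time) -> datetime:
    """Return the first scan start strictly after `now` for the given settings."""
    period = period.lower()
    if period not in ("daily", "weekly", "monthly"):
        raise ValueError("Period must be Monthly, Weekly or Daily")

    if period == "daily":
        candidate = datetime.combine(now.date(), at)
        return candidate if candidate > now else candidate + timedelta(days=1)

    if day not in WEEKDAYS:
        raise ValueError("Day must be a weekday name for Weekly or Monthly scans")
    weekday = WEEKDAYS.index(day)

    if period == "weekly":
        candidate = datetime.combine(_first_weekday_on_or_after(now.date(), weekday), at)
        return candidate if candidate > now else candidate + timedelta(days=7)

    # Monthly: the chosen weekday's first occurrence in the month (days 1-7).
    year, month = now.year, now.month
    while True:
        first_of_month = date(year, month, 1)
        candidate = datetime.combine(_first_weekday_on_or_after(first_of_month, weekday), at)
        if candidate > now:
            return candidate
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def next_scan_iso(now_iso: str, period: str, day: Optional[str], at_hhmm: str) -> str:
    """String wrapper: next_scan_iso("2021-07-15 10:00", "Weekly", "Sunday", "03:00")."""
    result = next_scan(datetime.fromisoformat(now_iso), period, day, time.fromisoformat(at_hhmm))
    return result.isoformat(sep=" ", timespec="minutes")


def monthly_intervals(year: int, day: str, at_hhmm: str) -> List[int]:
    """Days between consecutive Monthly scans through one calendar year (28 or 35)."""
    at = time.fromisoformat(at_hhmm)
    cursor = datetime(year, 1, 1) - timedelta(seconds=1)
    starts = []
    for _ in range(13):
        cursor = next_scan(cursor, "monthly", day, at)
        starts.append(cursor)
    return [(later - earlier).days for earlier, later in zip(starts, starts[1:])]


if __name__ == "__main__":
    now = "2021-07-15 10:00"  # a Thursday; constructed reference point
    for settings in (("Daily", None, "02:00"), ("Weekly", "Sunday", "03:00"),
                     ("Monthly", "Sunday", "03:00")):
        print(settings, "->", next_scan_iso(now, *settings))
    print("2021 monthly gaps:", monthly_intervals(2021, "Sunday", "03:00"))
```

Use monthly_intervals() when deciding between Monthly and Weekly: a Monthly schedule leaves up to 35 days in which a file that arrived before a model update is only re-examined if it is executed or otherwise accessed.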


4.4. Linux Policy


The Linux Policy screens define the policy parameters for Linux clients. To open a Linux Policy
screen, open the Policy List and click the Linux policy you want to open.

The following figure illustrates a Linux Policy Configuration screen.

Linux Policy Configuration Screen (figure not reproduced in this text)

From the Linux Policy screen, the following parameters can be defined:

▪ Deep Static Analysis

▪ D-Client Control

4.4.1 Deep Static Analysis Configuration


Deep Static Analysis uses deep learning, which provides far greater accuracy than signature,
heuristic and classical machine learning solutions. The Deep Static Analysis configuration defines
the parameters at which the system identifies a file as malicious during static analysis, and the
action that is performed on the file. Deep Static Analysis for Linux platforms supports the
following file type:

▪ ELF (Executable and Linkable Format) files: .elf

The Threat protection settings parameter is based on threat severity levels. When a file is analyzed,
the threat severity is determined using the D-Brain, allow list and deny list (for example, a file in
the deny list has the highest threat severity).


When the threat severity of a file is at the defined level or higher, the file is classified as malicious and the appropriate action is performed. Two types of action can be performed on these files:

▪ Detection – The threat is reported to your organization's D-Appliance and can be monitored in the Event List.

▪ Prevention – The system prevents any operation related to the malicious file (such as running, copying or deleting it). The file is then deleted, quarantined and reported, and the event can be monitored in the Event List.

Deep Static Analysis Configuration

Threat protection settings
Defines the threat severity levels and actions that are performed on malicious files identified during Deep Static Analysis. Two types of action are defined in this parameter:
▪ Detection – Defines the minimum detection severity level for ELF files. Move the slider to change the severity level. Click Reset to default to reset the detection severity level to its default setting. The default setting is Moderate.
▪ Prevention – Defines whether the Prevention action is enabled for all files, and the minimum prevention severity level for ELF files.
  ▪ Click the toggle to enable or disable Prevention. By default, Prevention is enabled.
  ▪ Move the slider to change the prevention severity level. Click Reset to default to reset the prevention severity level to its default setting. The default setting is High.
When Prevention is enabled, Deep Static Analysis uses two threat severity levels and applies the Detection and Prevention actions based on the threat level of the file.
Any file in the File Hash Allow List or placed in a path directory in the File Path Allow List is allowed to run.

Enable D-Cloud services
Defines whether file-based reputation D-Cloud services are used. D-Cloud includes a database of malicious and benign files. It provides a fast and scalable infrastructure in the cloud that adds a second layer of protection.
▪ Click the toggle to enable or disable D-Cloud services. By default, D-Cloud services are enabled.


Known PUA
Defines the action that is performed on a known potentially unwanted application (PUA) identified by the D-Cloud. Parameter Enable D-Cloud services must be enabled to display and define this parameter. Select one of the following options:
▪ Prevent – Any PUA identified by the D-Cloud is deleted, quarantined and reported, and the event can be monitored in the Event List.
▪ Detect – Any PUA identified by the D-Cloud is reported to the D-Appliance, without preventing it from running.
▪ Allow – All PUAs are allowed to run and are not reported to the D-Appliance.
Any PUA in the File Hash Allow List or placed in a path directory in the File Path Allow List is allowed to run.
Prevent is the default value.

4.4.2 D-Client Control


The D-Client Control configuration defines the parameters to configure basic and advanced
features in the Linux clients.

D-Client Control Configuration

Upgrade D-Client automatically
Using Linux policies, the administrator can implement upgrades in multiple stages to ramp up the upgrade process. During the upgrade, all data is saved and a full scan is not required.
This parameter defines whether the D-Client on Linux devices is automatically upgraded.
▪ Click the toggle to enable or disable automatic upgrades. By default, this feature is disabled.
It is recommended that you enable this feature to take advantage of future enhancements as they become available.

Disable password
Defines the password required to locally disable the D-Client on Linux devices.

Uninstall password
Defines the password required to locally uninstall the D-Client on Linux devices.


4.5. Android Policy


The Android Policy screens define the policy parameters for Android clients. To open an Android
Policy screen, open the Policy List and click the Android policy you want to open.

The following figure illustrates an Android Policy Configuration screen.

Android Policy Configuration Screen with Callouts (figure not reproduced in this text)

From the Android Policy screen, the following parameters can be defined:

▪ Deep Static Analysis

▪ Behavioral Analysis

▪ Compliance Monitoring

▪ Administrator Contact Details

4.5.1 Deep Static Analysis Configuration


The Deep Static Analysis configuration defines the parameters at which the system identifies an
app as malicious during static analysis, and the action that is performed on the app.

The Threat protection settings parameter is based on threat severity levels. When an app is analyzed, its threat severity is determined using the allow list and the D-Brain.

When the threat severity of an app is at the defined level or higher, the app is classified as malicious and the appropriate action is performed. Two types of action can be performed on these apps:

▪ Detection – The threat is reported to your organization's D-Appliance and can be monitored in the Event List.

▪ Prevention – The system prevents the malicious app from running, and the app is reported so that the event can be monitored in the Event List.

Deep Static Analysis Configuration

Threat protection settings
Defines the threat severity levels and actions that are performed on malicious apps identified during Deep Static Analysis. Two types of action are defined in this parameter:
▪ Detection – Defines the minimum detection severity level. Move the slider to change the severity level. Click Reset to default to reset the detection severity level to its default setting. The default setting is Moderate.
▪ Prevention – Defines whether the Prevention action is enabled, and the minimum prevention severity level.
  ▪ Click the toggle to enable or disable Prevention. By default, Prevention is enabled.
  ▪ Move the slider to change the prevention severity level. Click Reset to default to reset the prevention severity level to its default setting. The default setting is High.
When Prevention is enabled, Deep Static Analysis uses two threat severity levels and applies the Detection and Prevention actions based on the threat level of the app.
Any app in the File Hash Allow List is permitted to run.

Enable D-Cloud services
Defines whether file-based reputation D-Cloud services are used. D-Cloud includes a database of malicious and benign apps. It provides a fast and scalable infrastructure in the cloud that adds a second layer of protection.
▪ Click the toggle to enable or disable D-Cloud services. By default, D-Cloud services are enabled.

4.5.2 Behavioral Analysis Configuration


The Behavioral Analysis configuration defines the parameters for the behavioral analysis
performed on Android devices and the actions implemented. The Behavioral Analysis feature
provides an additional layer of protection by monitoring and preventing on-execution malicious
activities. To configure the Behavioral Analysis features, define the following parameters:


Behavioral Analysis Configuration

MitM using ARP Poisoning
Defines whether an Android device that encounters a Man-in-the-Middle (MitM) attack using ARP Poisoning reports the event to the D-Appliance. Select one of the following options:
▪ Detect – Monitors for MitM attacks using ARP Poisoning and sends information when attacks occur.
▪ Allow – MitM attacks using ARP Poisoning are not monitored.
This feature is only supported on versions prior to Android 10.

SSL MitM
Defines whether an Android device that encounters an SSL Man-in-the-Middle attack reports the event to the D-Appliance. An SSL Man-in-the-Middle attack occurs when a different SSL certificate is received from the one that is expected. Select one of the following options:
▪ Detect – Monitors for SSL MitM attacks and sends information when attacks occur.
▪ Allow – SSL MitM attacks are not monitored.

HOSTS file modifications
Defines whether modifications of the HOSTS file are monitored and reported to the D-Appliance. A modified HOSTS file may redirect traffic to malicious destinations. Select one of the following options:
▪ Detect – Monitors for HOSTS file modifications and sends information when they occur.
▪ Allow – HOSTS file modifications are not monitored.

4.5.3 Compliance Monitoring


The Compliance Monitoring configuration defines the parameters used to identify Android devices that do not comply with your organization's requirements. Devices that are not compliant may be susceptible to malicious activity. To configure the Compliance Monitoring features, define the following parameters:


Compliance Monitoring Configuration

Rooted device
Defines whether a rooted Android device is reported to the D-Appliance. Select one of the following options:
▪ Detect – Sends information to the D-Appliance identifying Android devices that are rooted.
▪ Allow – Rooted Android devices are not reported.

OS version
Defines whether an Android device running a non-compliant operating system version is reported to the D-Appliance. The minimum approved operating system version is based on the setting of parameter Minimum OS version. Select one of the following options:
▪ Detect – Sends information to the D-Appliance identifying Android devices that are running non-compliant operating system versions.
▪ Allow – Android devices running non-compliant versions are not reported.

Minimum OS version
Defines the oldest approved operating system version. All devices running older operating system versions are reported. Parameter OS version must be set to Detect to display and define this parameter.

USB Debugging enabled
Defines whether an Android device with USB Debugging enabled is reported to the D-Appliance. When USB Debugging is enabled, the device can be accessed using ADB. Select one of the following options:
▪ Detect – Sends information to the D-Appliance identifying Android devices with USB Debugging enabled. Additional action may be performed on the reported devices, as defined by the parameter Take additional action on device.
▪ Allow – Android devices with USB Debugging enabled are not reported.

Unknown Sources enabled
Defines whether an Android device with Unknown Sources enabled is reported to the D-Appliance. When Unknown Sources is enabled, the device can install applications from sources other than the Google Play store, which may leave the device vulnerable to attacks. Select one of the following options:
▪ Detect – Sends information to the D-Appliance identifying Android devices with Unknown Sources enabled.
▪ Allow – Android devices with Unknown Sources enabled are not reported.
In Android 8 and higher, Unknown Sources is managed by permissions, per app. This feature is only relevant for versions prior to Android 8.

Installation of new certificates
Defines whether an Android device monitors the installation of new system or user certificates, which may leave the device vulnerable to attacks. Select one of the following options:
▪ Detect – Monitors for the installation of a new system or user certificate and sends information to the D-Appliance when it occurs.
▪ Allow – Android devices do not monitor the installation of certificates.

4.5.4 Administrator Contact Details Configuration


The Administrator Contact Details configuration defines the parameters for the contact
information displayed in the Android D-Client.

Administrator Contact Details Configuration

Name
Defines the name of the administrator whom employees can contact if they have any questions about the deployment.

Title
Defines the title of the contact administrator.

Mobile
Defines the phone number of the contact administrator.

Email
Defines the email address of the contact administrator.

4.6. Chrome OS Policy


The Chrome OS Policy screens define the policy parameters for Chrome OS clients. To open a
Chrome OS Policy screen, open the Policy List and click the Chrome OS policy you want to open.

The following figure illustrates a Chrome OS Policy Configuration screen.


Chrome OS Policy Configuration Screen with Callouts (figure not reproduced in this text)

From the Chrome OS Policy screen, the following parameters can be defined:

▪ Deep Static Analysis

▪ Behavioral Analysis

▪ Compliance Monitoring

▪ Administrator Contact Details

4.6.1 Deep Static Analysis Configuration


The Deep Static Analysis configuration defines the parameters at which the system identifies an
app as malicious during static analysis, and the action that is performed on the app.

The Threat protection settings parameter is based on threat severity levels. When an app is analyzed, its threat severity is determined using the allow list and the D-Brain.

When the threat severity of an app is at the defined level or higher, the app is classified as malicious and the appropriate action is performed. Two types of action can be performed on these apps:

▪ Detection – The threat is reported to your organization's D-Appliance and can be monitored in the Event List.

▪ Prevention – The system prevents the malicious app from running, and the app is reported so that the event can be monitored in the Event List.


Deep Static Analysis Configuration

Threat protection settings
Defines the threat severity levels and actions that are performed on malicious apps identified during Deep Static Analysis. Two types of action are defined in this parameter:
▪ Detection – Defines the minimum detection severity level. Move the slider to change the severity level. Click Reset to default to reset the detection severity level to its default setting. The default setting is Moderate.
▪ Prevention – Defines whether the Prevention action is enabled, and the minimum prevention severity level.
  ▪ Click the toggle to enable or disable Prevention. By default, Prevention is enabled.
  ▪ Move the slider to change the prevention severity level. Click Reset to default to reset the prevention severity level to its default setting. The default setting is High.
When Prevention is enabled, Deep Static Analysis uses two threat severity levels and applies the Detection and Prevention actions based on the threat level of the app.
Any app in the File Hash Allow List is permitted to run.

Enable D-Cloud services
Defines whether file-based reputation D-Cloud services are used. D-Cloud includes a database of malicious and benign apps. It provides a fast and scalable infrastructure in the cloud that adds a second layer of protection.
▪ Click the toggle to enable or disable D-Cloud services. By default, D-Cloud services are enabled.

4.6.2 Behavioral Analysis Configuration


The Behavioral Analysis configuration defines the parameters for the behavioral analysis
performed on Chrome OS devices and the actions implemented. The Behavioral Analysis feature
provides an additional layer of protection by monitoring and preventing on-execution malicious
activities. To configure the Behavioral Analysis features, define the following parameters:


Behavioral Analysis Configuration

SSL MitM – Defines whether a Chrome OS device that encounters an SSL Man-in-the-Middle attack
reports the event to the D-Appliance. An SSL Man-in-the-Middle attack is flagged when the server
certificate received differs from the one that is expected. Select one of the following options:
▪ Detect – Monitors for SSL MitM attacks and sends information when attacks occur.
▪ Allow – SSL MitM attacks are not monitored.

HOSTS file modifications – Defines whether modifications of the HOSTS file are monitored and
reported to the D-Appliance. A modified HOSTS file can silently redirect traffic for a hostname to
an attacker-controlled address. Select one of the following options:
▪ Detect – Monitors for modified HOSTS files and sends information when a modification occurs.
▪ Allow – HOSTS file modifications are not monitored.

4.6.3 Compliance Monitoring


The Compliance Monitoring configuration defines the parameters used to identify Chrome OS devices
that are not compliant with your organization’s requirements. Devices that are not compliant may
be susceptible to malicious activities. To configure the Compliance Monitoring features, define the
following parameters:

Compliance Monitoring Configuration

Rooted device – Defines whether a rooted Chrome OS device is reported to the D-Appliance. Select
one of the following options:
▪ Detect – Sends information to the D-Appliance identifying Chrome OS devices that are rooted.
▪ Allow – Rooted Chrome OS devices are not reported.

OS version – Defines whether a Chrome OS device using a non-compliant operating system version
is reported to the D-Appliance. The minimum approved operating system version is set by the
Minimum OS version parameter. Select one of the following options:
▪ Detect – Sends information to the D-Appliance identifying Chrome OS devices that are using
non-compliant operating system versions.
▪ Allow – Chrome OS devices using non-compliant versions are not reported.

Minimum OS version – Defines the oldest operating system version approved. All devices using
older operating system versions are reported. The OS version parameter must be set to Detect
for this parameter to be displayed and defined.

USB Debugging enabled – Defines whether a Chrome OS device with USB Debugging enabled is
reported to the D-Appliance. When USB Debugging is enabled, the device can be accessed using
ADB. Select one of the following options:
▪ Detect – Sends information to the D-Appliance identifying Chrome OS devices with USB
Debugging enabled.
▪ Allow – Chrome OS devices with USB Debugging enabled are not reported.

Installation of new certificates – Defines whether a Chrome OS device monitors the installation of
new system or user certificates. A root certificate installed by an attacker lets them intercept the
device’s encrypted traffic without triggering certificate warnings, so such installations may leave
the device vulnerable to attack. Select one of the following options:
▪ Detect – Monitors for the installation of a new system or user certificate and sends
information to the D-Appliance when it occurs.
▪ Allow – Chrome OS devices do not monitor the installation of certificates.

4.6.4 Administrator Contact Details Configuration


The Administrator Contact Details configuration defines the parameters for the contact
information displayed in the Chrome OS D-Client.

Administrator Contact Details Configuration

Name – Defines the name of the administrator for employees to contact if they have any
questions about the deployment.

Title – Defines the title of the contact administrator.

Mobile – Defines the phone number of the contact administrator.

Email – Defines the email address of the contact administrator.


4.7. iOS Policy


The iOS Policy screens define the policy parameters for iOS and iPadOS clients. To open an iOS
Policy screen, open the Policy List and click the iOS policy you want to open.

The following figure illustrates an iOS Policy Configuration screen.

iOS Policy Configuration Screen with Callouts
From the iOS Policy screen, the following parameters can be defined:

▪ Behavioral Analysis

▪ Compliance Monitoring

▪ Administrator Contact Details

4.7.1 Behavioral Analysis Configuration


The Behavioral Analysis configuration defines the parameters for the behavioral analysis
performed on iOS and iPadOS devices and the actions implemented. The Behavioral Analysis
feature provides an additional layer of protection by monitoring and preventing on-execution
malicious activities. To configure the Behavioral Analysis features, define the following parameters:


Behavioral Analysis Configuration

SSL MitM – Defines whether iOS and iPadOS devices that encounter an SSL Man-in-the-Middle
attack report the event to the D-Appliance. An SSL Man-in-the-Middle attack is flagged when the
server certificate received differs from the one that is expected. Select one of the following
options:
▪ Detect – Monitors for SSL MitM attacks and sends information when attacks occur.
▪ Allow – SSL MitM attacks are not monitored.

4.7.2 Compliance Monitoring


The Compliance Monitoring configuration defines the parameters used to identify iOS and iPadOS
devices that are not compliant with your organization’s requirements. Devices that are not
compliant may be susceptible to malicious activities. To configure the Compliance Monitoring
features, define the following parameters:

Compliance Monitoring Configuration

Jailbroken device – Defines whether jailbroken iOS and iPadOS devices are reported to the
D-Appliance. Select one of the following options:
▪ Detect – Sends information to the D-Appliance identifying iOS and iPadOS devices that are
jailbroken.
▪ Allow – Jailbroken iOS and iPadOS devices are not reported.

OS version – Defines whether iOS and iPadOS devices using a non-compliant operating system
version are reported to the D-Appliance. The minimum approved operating system version is set
by the Minimum OS version parameter. Select one of the following options:
▪ Detect – Sends information to the D-Appliance identifying iOS and iPadOS devices that are
using non-compliant operating system versions.
▪ Allow – iOS and iPadOS devices using non-compliant versions are not reported.

Minimum OS version – Defines the oldest operating system version approved. All devices using
older operating system versions are reported. The OS version parameter must be set to Detect
for this parameter to be displayed and defined.

4.7.3 Administrator Contact Details Configuration


The Administrator Contact Details configuration defines the parameters for the contact
information displayed in the D-Client for iOS and iPadOS devices.

Administrator Contact Details Configuration

Name – Defines the name of the administrator for employees to contact if they have any
questions about the deployment.

Mobile – Defines the phone number of the contact administrator.

Email – Defines the email address of the contact administrator.

4.8. Network Agentless Policy


The Network Agentless Policy screens define the policy parameters for the Network Agentless D-
Client. To open a Network Agentless Policy screen, open the Policy List and click the Network
Agentless policy you want to open.

The following figure illustrates a Network Agentless Policy Configuration screen.


Network Agentless Policy Configuration Screen

From the Network Agentless Policy screen, the parameters for Deep Static Analysis can be
defined.

4.8.4 Deep Static Analysis Configuration


Deep Static Analysis uses deep learning, which provides far greater accuracy than signature,
heuristic and classical machine learning solutions. The Deep Static Analysis configuration defines
the parameters at which the system identifies a file as malicious during static analysis, and the
action that is performed on the file. Deep Static Analysis for Network Agentless platforms
supports the following file types:

▪ Windows Portable Executables: PE (such as .exe, .dll, .sys, .scr, .ocx)

▪ macOS Executable file: Mach-O

▪ Object Linking and Embedding: OLE (such as .doc, .xls, .ppt, .jdt, .hwp)

▪ Office Open XML: OOXML (such as .docx, .docm, .xlsx, .xlsm, .pptx, .pptm)

▪ PDF (Portable Document Format) files: .pdf

▪ RTF (Rich Text Format) files: .rtf

▪ Adobe Flash files: .swf

▪ JAR (Java ARchive) files: .jar

▪ Image files: .tiff


▪ Font files: .ttf, .otf

▪ Archive files: .zip, .xar, .7z, .tar, .tar.z, .tar.gz, .tar.bz2

The Threat protection settings parameter is based on threat severity levels. When a file is analyzed,
the threat severity is determined using the D-Brain, allow list and deny list (for example, a file in
the deny list has the highest threat severity).

When the threat severity for a file is at the level defined or higher, the file is defined as malicious
and the appropriate action is performed. There are two types of actions that can be performed on
these files, as follows:

▪ Detection – Threat is reported to your organization’s D-Appliance and can be monitored in
the Event List.

▪ Prevention – The system prevents any operation on the malicious file (such as running,
copying, or deleting it). The file is then deleted, quarantined, and reported, and the event can
be monitored in the Event List.

Deep Static Analysis Configuration

Threat protection settings – Defines the threat severity levels and actions that are performed on
malicious files identified during Deep Static Analysis. Two types of action are defined in this
parameter:
▪ Detection – Defines the minimum detection severity level for PE and Mach-O files. Move the
slider to change the severity level. Click Reset to default to reset the detection severity level
to its default setting. The default setting is Moderate.
▪ Prevention – Defines whether the Prevention action is enabled for all files and the minimum
prevention severity level for PE and Mach-O files.
  ▪ Click the toggle to enable or disable Prevention. By default, Prevention is enabled.
  ▪ Move the slider to change the prevention severity level. Click Reset to default to reset the
  prevention severity level to its default setting. The default setting is High.
When Prevention is enabled, Deep Static Analysis uses two threat severity levels and applies the
Detection and Prevention actions based on the threat level of the file.
Any file in the File Hash Allow List, or located in a directory in the File Path Allow List, is
allowed to run.


Enable D-Cloud services – Defines whether the file-based reputation D-Cloud service is enabled.
D-Cloud includes a database of malicious and benign files. It provides a fast and scalable
infrastructure in the cloud that adds a second layer of protection.
▪ Click the toggle to enable or disable D-Cloud services. By default, D-Cloud services are
enabled.

Known PUA – Defines the action that is performed on a known potentially unwanted application
(PUA) identified by D-Cloud. D-Cloud services must be enabled for this parameter to be displayed
and defined. Select one of the following options:
▪ Prevent – Any PUA identified by D-Cloud is deleted, quarantined, and reported, and the event
can be monitored in the Event List.
▪ Detect – Any PUA identified by D-Cloud is reported to the D-Appliance without being
prevented from running.
▪ Allow – All PUAs are allowed to run and are not reported to the D-Appliance.
Any PUA in the File Hash Allow List, or located in a directory in the File Path Allow List, is
allowed to run.
Prevent is the default value.
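The two sliders, the Prevention toggle and the allow and deny lists interact in a way the tables above (for Chrome OS apps and for Network Agentless files) describe only in prose. The following added example, which is not Deep Instinct code, models that evaluation for one file so the effect of a setting can be tabulated before it is pushed to a policy. The guide names only the Moderate and High levels, so the ordered scale SEVERITY_LEVELS, the function names, the case-insensitive hash comparison and the prefix matching for File Path Allow List entries are assumptions; the Chrome OS screen has no File Path Allow List, so path_allow_list stays empty for that platform.

```python
"""Decision model for the Threat protection settings described above.

Added example, not Deep Instinct code. The guide names only the Moderate and
High levels and does not publish the full severity scale or the exact
precedence between allow lists, the deny list and the D-Brain verdict, so
the ordered scale below and the evaluation order are assumptions.
"""
from dataclasses import dataclass, field

# Assumed ordered severity scale; only "Moderate" and "High" appear in the guide.
SEVERITY_LEVELS = ("Low", "Moderate", "High", "Very High")


def rank(level: str) -> int:
    """Position of a severity level on the assumed scale (higher is worse)."""
    return SEVERITY_LEVELS.index(level)


@dataclass
class ThreatProtectionSettings:
    detection_level: str = "Moderate"      # slider default per the guide
    prevention_enabled: bool = True        # toggle default per the guide
    prevention_level: str = "High"         # slider default per the guide
    hash_allow_list: set = field(default_factory=set)   # lowercase SHA-256 hex digests
    path_allow_list: set = field(default_factory=set)   # directory prefixes (assumed matching)
    hash_deny_list: set = field(default_factory=set)    # lowercase SHA-256 hex digests


def resolve_action(settings: ThreatProtectionSettings, sha256: str, path: str,
                   brain_severity: str) -> str:
    """Return 'allow', 'detect' or 'prevent' for one analyzed file.

    brain_severity is the level assigned by D-Brain (and D-Cloud, if enabled).
    """
    digest = sha256.lower()
    # Allow lists win outright: a listed hash or path is permitted to run,
    # whatever severity the model assigned to the file.
    if digest in settings.hash_allow_list:
        return "allow"
    if any(path.startswith(prefix) for prefix in settings.path_allow_list):
        return "allow"

    # A deny-listed file carries the highest severity, as the guide states.
    severity = SEVERITY_LEVELS[-1] if digest in settings.hash_deny_list else brain_severity

    # With Prevention enabled two thresholds apply: at or above the prevention
    # level the file is blocked, at or above the detection level it is only
    # reported. With Prevention disabled nothing is blocked.
    if settings.prevention_enabled and rank(severity) >= rank(settings.prevention_level):
        return "prevent"
    if rank(severity) >= rank(settings.detection_level):
        return "detect"
    return "allow"


def threshold_table(settings: ThreatProtectionSettings) -> dict:
    """Map every severity level to the action an unlisted file would receive."""
    return {level: resolve_action(settings, "0" * 64, "/tmp/unlisted", level)
            for level in SEVERITY_LEVELS}


if __name__ == "__main__":
    defaults = ThreatProtectionSettings()
    for level, action in threshold_table(defaults).items():
        print(f"{level:10} -> {action}")
    # Moving the prevention slider down to the detection level removes the
    # detect-only band: every reported file is then also blocked.
    aggressive = ThreatProtectionSettings(prevention_level="Moderate")
    print(threshold_table(aggressive))
```

Run with the defaults, the block reports that Low is allowed, Moderate is detected only, and High and Very High are prevented. It also makes one caveat visible: once the prevention slider sits at or below the detection slider, the detect-only band disappears and every reported file is also blocked, so review the printed table for a policy before applying it to production devices.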

4.9. Allow List


Deep Instinct has implemented allow lists that can be used to address possible false positives of
threats. This makes managing possible false positives efficient and avoids ongoing maintenance in
your system.

Deep Instinct provides multiple methods to add files, scripts, certificates, paths and processes to
allow lists. For more information see the following:

▪ File Hash Allow List

▪ Script Allow List

▪ File Certificate Allow List

▪ File Path Allow List

▪ Behavioral Analysis Allow List

To open an Allow List screen, select Policy > Allow List from the left pane, and then select the allow
list you wish to view.

The following figure illustrates an Allow List screen with numbered callouts. The callouts are
described in the table below.


Allow List Screen with Callouts

Allow List Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator, some
options may not be displayed.

2 Allow List Tables Displays the selected allow list table. Based on the allow list table
selected (File Hash, Script, File Certificate, File Path or Behavioral
Analysis), the table includes the following information:

▪ File Hash – Displays the file hash value (SHA-256) for the file in the
File Hash Allow List.
▪ File Type – Displays the type of file in the File Hash Allow List.
▪ Details – Displays the path or command for the script entry in the
Script Allow List.
▪ Type – Displays the type of script entry in the Script Allow List.
▪ Certificate Thumbprint – Displays the thumbprint of the certificate
in the File Certificate Allow List.
▪ Path – Displays the path description in the File Path Allow List.


▪ Process – Displays the name of the process in the Behavioral Analysis Allow List.
▪ Behaviors – Displays the allowed behaviors of the process in the Behavioral Analysis Allow
List.
▪ MSPs – Displays the MSPs that are relevant to the allow list entry.
This is only displayed from the Hub Console with systems
supporting MSPs.
▪ Platforms – Displays the platforms that are relevant to the allow
list entry. The allow list entry can only be applied to policies related
to these platforms.
▪ Policies – Displays the policies where the allow list entry is applied.
▪ Date Added – Displays the date that the entry was added to the
allow list.
▪ Comment – Displays the comment for the entry in the allow list.

3 Import CSV Click to select a CSV file to import a list of file hashes to the File Hash Allow
List.

4 Add Hash / Script / Certificate / Path / Process Click to add a new entry (file hash, script,
file certificate, file path, or process) to the associated allow list table.

5 Clear Filter Click to clear all column filters.

6 View Configuration Click to select an option to define preset and current views of the table.
These views are defined separately for each administrator. The options are as follows:
▪ Views – Select the preset view to define the current view and how the table is displayed.
The current view defines the column location, width, sort, filters, and which columns are
displayed.
▪ Reset – Resets the table view to the default settings of the current preset view.
▪ Update to match current view – Saves the current view as the default of the current preset
view.
▪ Rename – Opens a dialog box to change the name of the current preset view.
▪ Remove – Removes the current preset view from the list and changes the current preset view
to Default View. Default View cannot be removed.
▪ Create new – Opens a dialog box to create a new preset view based on the current table
settings. Once created, this view becomes the current preset view.

7 Column Selector Defines which columns are displayed in the table. Select or clear a checkbox to
show or hide the corresponding column.

8 Export Click to select an option to export the data from the table. The options are as
follows:
▪ Export all columns – Creates an Excel file that contains all entries displayed in the table,
with data from all available columns.
▪ Export visible columns – Creates an Excel file that contains all entries displayed in the
table, with data from the displayed columns only.
To define what is exported, use Filters to define which entries are displayed and Column
Selector to define which columns are displayed.

9 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.

10 Selection Checkbox Checkboxes are available to allow entries to be selected. This allows the
administrator to select multiple entries and apply a single action to them.

11 Select All / Clear All Select this checkbox to select all entries or clear all selected entries.
Select an action for all selected items using the Action Options.

14 Entry Selection Selecting an entry in this table provides you with several features, as
follows:
▪ Edit allow list entry – Click an entry to edit it. The edit screen opens
for the selected allow list entry.
▪ Action Options – Right-click an entry to open the available options
that can be performed on the selected allow list entry. From an
entry, you may remove the entry from the list.

15 Action Options Once entries have been selected, this feature appears. Click this
drop-down menu to open the available options that can be
performed to the selected entries.


From the allow list tables, you can do the following:

▪ Filter the information to display only the relevant entries.

▪ Sort the information by clicking on column headings. The information in the table is sorted
based on the selected column.

▪ Define which columns are displayed.

▪ Define the location of each column.

▪ Create, view, update and remove custom preset views of the table.

▪ Clear all filters in the table.

▪ Import a list of file hashes to the File Hash Allow List from a CSV file.

▪ Add file hashes, scripts, file certificates, file paths or processes to the allow lists.

▪ Edit allow list entries.

▪ Export data from any allow list table to an Excel file.

▪ Remove allow list entries.

4.9.1 File Hash Allow List


Deep Instinct provides a File Hash Allow List for Windows, macOS, Linux, Android, Chrome OS and
Network Agentless platforms. This allow list is a list of SHA-256 hash values, where all files with
these hash values are allowed automatically. File Hashes can be added to the File Hash Allow List
using any of the following methods:

▪ Upload files from the desktop of the administrator.

▪ From existing events, select files from the Management Console or Hub Console.

▪ Manually add file hashes from the File Hash Allow List screen by entering the SHA-256 hash
values.

▪ Import a list of file hashes from a CSV file

Compared to the other types of allow list, the File Hash Allow List has the following advantages
and disadvantages:

▪ Advantage: direct mitigation and approval of a specific false positive.

▪ Disadvantage: no resilience to other versions of the file; every new build must be added
separately.

▪ Disadvantage: no resilience to other modules, as another part of the same software may also
be flagged as suspicious.

▪ Disadvantage: any change to the file (for example, appending data to the end as an overlay)
produces a different hash. The modified file is then no longer covered by the allow list and
may be identified as malicious again.

▪ This allow list is preferred for files that do not change regularly. Document files, for
example, change often and are therefore not recommended for this allow list.


Warning: Before adding a file hash to the allow list, take extra efforts to verify that the
associated file is not malicious. Use the File Analysis feature to verify that the file is
not malicious.

The File Hash Allow List screen displays a table that contains detail information for file hashes on
the list. The table includes the following information:

▪ File Hash – Displays the file hash value (SHA-256) for the file hash on the list.

▪ File Type – Displays the type of file.

▪ MSPs – Displays the MSPs that are relevant to the file hash on the list. This is only displayed
from the Hub Console with systems supporting MSPs.

▪ Platforms – Displays the platforms that are relevant to the file hash on the list. The allowed
file hash can only be applied to policies related to these platforms.

▪ Policies – Displays the policies where the allowed file hash is applied.

▪ Date Added – Displays the date that the file hash was added to the allow list.

▪ Comment – Displays the comment for the allowed file hash.

4.9.1.1 Adding File Hashes to the Allow List


To create a File Hash Allow List, file hashes must be added. Deep Instinct™ has multiple methods
to add file hashes to the allow list:

▪ Add file hashes from the File Hash Allow List screen

▪ Add file hashes from the Event List

▪ Add file hashes from the Event Details screen

▪ Add file hashes from the File List

▪ Add file hashes from the File Details screen

▪ Import a List of File Hashes from a CSV File

Add File Hashes from the File Hash Allow List Screen

To add a hash from the File Hash Allow List screen:


1. Select Policy > Allow List > File Hash from the left pane to open the File Hash Allow List
screen.


2. Click Add Hash from the table header. The Add File Hash to Allow List dialog box opens.
Perform the following:

a. Click Select Platforms to select the platforms that are relevant. The allowed file hash can
only be applied to policies related to these platforms.


b. When adding a file hash from the Hub Console, click Select MSPs to select the MSPs that
are relevant. The allowed file hash can only be applied to policies related to these MSPs.

c. Click Select Policies to select the policies where the allowed file hash should be applied.

d. From the Hub Console, there is an option that would automatically add this allowed file
hash to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this file hash whenever a new MSP is created.

e. Click Browse to select the file to add its hash value or type the hash value.

If you click Browse, a window opens from where you can search and select the file. The
file information (hash and type) is automatically entered in the Add File Hash to Allow
List dialog box.
f. In the Comment box, type the reason for adding the file hash.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this file hash in the allow list.

g. Click Add and the file hash is added to the allow list.

3. After D-Clients receive the updated allow list from the D-Appliance, all quarantined files with
hash values that were added to the allow list are restored.

Import a List of File Hashes from a CSV File

The File Hash Allow List screen provides a method to import a list of allowed file hashes from a
CSV file. The CSV file must be formatted as follows:

▪ Separate all data fields with a comma delimiter.

▪ Each file entry must be on a separate line.

▪ The first line may contain titles, but it is not required. The titles must also be separated with
a comma delimiter.

▪ Each file entry must start with the file hash value (SHA-256). All other data values afterwards
are ignored.
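Two points above deserve a worked check: the File Hash Allow List covers exactly one digest, so an overlay appended to an allowed file yields a file the list no longer covers, and the CSV import reads only the first field of each row and expects a SHA-256 hash there. The following added example, which is not Deep Instinct tooling, produces a CSV in the stated format from files on disk and screens an existing CSV for mistakes that an ignored-fields import would not flag for you: MD5 or SHA-1 digests, duplicates, and a title row that is not on the first line. The column names after the hash, the function names, and the byte string standing in for a binary are my own constructions.

```python
"""Prepare and sanity-check a CSV for the File Hash Allow List import.

Added example, not Deep Instinct tooling. It relies only on the CSV rules
stated in the guide: comma-separated fields, one entry per line, an optional
title row, and a SHA-256 hex digest as the first field with everything after
it ignored. The "filename" and "comment" columns are my own choice of what to
put in the ignored fields; the sample file contents are constructed.
"""
import csv
import hashlib
import io
import re

SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string, as the allow list expects it."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file from disk so large installers hash without loading fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allow_list_csv(entries, title_row: bool = True) -> str:
    """entries: iterable of (sha256_hex, filename, comment); the hash goes first."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    if title_row:
        writer.writerow(["sha256", "filename", "comment"])
    for digest, filename, comment in entries:
        if not SHA256_HEX.match(digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        writer.writerow([digest.lower(), filename, comment])
    return out.getvalue()


def check_allow_list_csv(text: str):
    """Return (hashes, problems) for a CSV about to be imported.

    A first line whose first field is not a hash is treated as the optional
    title row. MD5/SHA-1 digests (32/40 hex chars), other non-hash first fields
    and duplicate hashes are reported so they can be fixed before import.
    """
    hashes, seen, problems = [], set(), []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not any(cell.strip() for cell in row):
            continue                       # blank line
        first = row[0].strip()
        if SHA256_HEX.match(first):
            digest = first.lower()
            if digest in seen:
                problems.append(f"line {lineno}: duplicate hash {digest[:12]}...")
            else:
                seen.add(digest)
                hashes.append(digest)
        elif lineno == 1:
            continue                       # title row
        else:
            problems.append(f"line {lineno}: first field is not a SHA-256 hash: {first!r}")
    return hashes, problems


def overlay_variant_hashes(data: bytes, overlay: bytes = b"\x00") -> tuple:
    """The weakness the guide names: appending an overlay yields a different
    hash, so the listed digest no longer covers the modified file."""
    return sha256_hex(data), sha256_hex(data + overlay)


if __name__ == "__main__":
    # Constructed stand-in for a PE file; a real run would call sha256_of_file().
    build = b"MZ" + b"\x00" * 62 + b"constructed sample binary"
    text = build_allow_list_csv([(sha256_hex(build), "tool.exe", "Approved build 1.2, ticket 4711")])
    print(text)
    print(check_allow_list_csv(text))
    original, patched = overlay_variant_hashes(build)
    print("overlay changes hash:", original != patched)
```

Because the console ignores every field after the hash, the filename and comment columns are only for the administrator's own records; put the reason for the exception in the dialog's Comment box at import time as well, since that is what other administrators will see.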

To import a list of file hashes to the allow list from the File Hash Allow List screen:
1. Select Policy > Allow List > File Hash from the left pane to open the File Hash Allow List
screen.


2. Click Import CSV from the table header. The Import File Hashes to Allow List dialog box
opens. Perform the following:


a. Click Select Platforms to select the platforms that are relevant. The imported file hashes
can only be applied to policies related to these platforms.

b. When importing file hashes from the Hub Console, click Select MSPs to select the MSPs
that are relevant. The imported file hashes can only be applied to policies related to
these MSPs.

c. Click Select Policies to select the policies where the imported files should be applied.

d. From the Hub Console, there is an option that would automatically add these imported
file hashes to all policies for all new MSPs. Click Also add this to all new MSPs created in
the future to automatically add these allowed file hashes whenever a new MSP is created.

e. To select a CSV file, click Browse computer. A window opens from where you can search
and select the CSV file to be imported. Alternatively, a CSV file may be dragged to the
Import hashes box.

f. The Import hashes box changes. The number of file hashes to be imported is displayed.

g. In the Comment box, type the reason for adding the allowed file hashes. This comment is
displayed for each CSV file hash imported. If no comment is entered, the comment
displayed indicates that the file hashes were imported.

h. Click Add and the file hashes are added to the allow list.

3. After D-Clients receive the updated allow list from the D-Appliance, all quarantined files with
hash values that were added to the allow list are restored.

Add File Hashes from the Event List or File List

Once a file has been identified in an event, the event is displayed in the Event List and the file
in the File List. From event or file entries, file hashes can be added to the allow list
individually, or several file hashes can be added simultaneously.

To add a file hash to the allow list from the Event List or File List, using a single entry:
1. Select Monitor > Events or Monitor > Files from the left pane to open the Event List or File
List.


2. Right-click the event where the file was identified and then select Add file to allow list. The
Add File Hash to Allow List dialog box opens. Perform the following:


a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The allowed file
hash can only be applied to policies related to these platforms.

b. When adding a file hash from the Hub Console, the displayed MSP is the MSP managing
the device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The allowed file hash can only be applied to policies related to these
MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the allowed file hash is applied, select policies from
the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this allowed file
hash to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this file hash whenever a new MSP is created.

e. In the Comment box, type the reason for adding the file hash.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this file hash in the allow list.

f. Click Add and the file hash is added to the allow list. A message appears to confirm that
the file hash was added successfully.

3. After D-Clients receive the updated allow list from the D-Appliance, all quarantined files with
hash values that were added to the allow list are restored.

To add one or more file hashes to the allow list from the Event List or File List, using multiple
entries:
1. Select Monitor > Events or Monitor > Files from the left pane to open the Event List or File
List.


2. Select the file hashes to be added to the allow list by selecting the checkboxes of the
entries where the files were identified. The Actions Icon appears in the header of the table.

3. Click the Actions Icon and then click Add files to allow list to add the file hashes to the
allow list.

4. The Add File Hashes to Allow List dialog box opens. Perform the following:


a. The displayed platforms are the platforms of the devices that triggered the events. To
change or add platforms, select platforms from the Platforms dropdown box. The
allowed file hashes can only be applied to policies related to these platforms.

b. When adding file hashes from the Hub Console, the displayed MSPs are the MSPs
managing the devices that triggered the events. To change or add MSPs, select MSPs
from the MSPs dropdown box. The allowed file hashes can only be applied to policies
related to these MSPs.

c. The displayed policies are the policies associated with the devices that triggered the
events. To change or add the policies to where the allowed file hashes are applied, select
policies from the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add these allowed file
hashes to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add these file hashes whenever a new MSP is created.

e. In the Comment box, type the reason for adding the file hashes.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed these file hashes in the allow list.

f. Click Add and the file hashes are added to the allow list. A message appears to confirm
that the file hashes were added successfully.

5. After D-Clients receive the updated allow list from the D-Appliance, all quarantined files with
hash values that were added to the allow list are restored.

Add File Hashes from the Event Details or Files Details Screen

Once a file has been identified in an event, the file hash can be quickly added to the allow list
from the Event Details or Files Details screen.

To add a file hash to the allow list from the Event Details or Files Details screen:
1. Open the Event Details or Files Details screen.

2. Click the Options Icon and then click Add file to allow list. The Add File Hash to Allow List
dialog box opens. Perform the following:

a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The allowed file
hash can only be applied to policies related to these platforms.

b. When adding a file hash from the Hub Console, the displayed MSP is the MSP managing
the device that triggered the event. To change or add MSPs, select MSPs from the MSP
dropdown box. The allowed file hash can only be applied to policies related to these
MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the allowed file hash is applied, select policies from
the Policy dropdown box.

d. From the Hub Console, there is an option that would automatically add this allowed file
hash to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this file hash whenever a new MSP is created.

e. In the Comment box, type the reason for adding the file hash.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this file hash in the allow list.

f. Click Add and the file hash is added to the allow list. A message appears to confirm that
the file hash was added successfully.

3. After D-Clients receive the updated allow list from the D-Appliance, all quarantined files with
hash values that were added to the allow list are restored.

4.9.2 Script Allow List


Deep Instinct provides a Script Allow List for Windows platform. This allow list is a list of specific
script commands and paths. When a path is specified, all scripts in the path’s directory are
allowed automatically. Script commands and paths can be added to the Script Allow List using the
following methods:

▪ From existing events, select the relevant event from the Management Console or Hub
Console.

▪ Manually enter script paths from the Script Allow List screen.

The Script Allow List has the following advantages and disadvantages compared to the other
types of allow lists:

▪ Direct mitigation and approval of false positives.

▪ PowerShell commands that are invoked directly to the PowerShell interpreter, without using
a script file, can be allowed using this method.

▪ Using directory paths may open a large security hole at the endpoints, because malicious
scripts can be run from an allowed directory.

Warning: Before adding a script to the allow list, take extra efforts to verify that the script is
not malicious.

Before adding a path to the allow list, read the following recommendations:

▪ Consider adding only read-only directories to the allow list to minimize the
opportunity for allowed directories being abused by attackers.

▪ Adding the sysvol folder of a Domain Controller to the allow list may be useful
for running admin scripts.

▪ Do not add temporary directories to the allow list. Threats tend to write modules
to such directories. This is also relevant for system directories, like Windows or
system32.

4.9.2.1 Adding Scripts to the Allow List


To create a Script Allow List, paths or script commands must be added. Deep Instinct™ has
multiple methods to add scripts to the allow list:

▪ Add script paths from the Script Allow List screen

▪ Add script paths and commands from the Event List

▪ Add script paths and commands from the Suspicious Event List

▪ Add script paths and commands from the Event Details screen

▪ Add script paths and commands from the Suspicious Event Details screen

Add Script Paths from the Script Allow List Screen

To add a script path from the Script Allow List screen:


1. Select Policy > Allow List > Script from the left pane to open the Script Allow List screen.

2. Click Add Script from the table header. The Add Script to Allow List dialog box opens.
Perform the following:

a. Click Select Platforms to select the platforms that are relevant. The allowed script path
can only be applied to policies related to these platforms.

b. When adding a script path from the Hub Console, click Select MSPs to select the MSPs
that are relevant. The allowed script path can only be applied to policies related to these
MSPs.

c. Click Select Policies to select the policies where the allowed script path should be
applied.

d. From the Hub Console, there is an option that would automatically add this allowed
script path to all policies for all new MSPs. Click Also add this to all new MSPs created in
the future to automatically add this script path whenever a new MSP is created.

e. Type the path to be added to the allow list. Paths can be entered using the * wildcard
character.

f. In the Comment box, type the reason for adding the path.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this path in the allow list.

g. Click Add and the path is added to the Script Allow List.

Add Scripts from the Event List or Suspicious Event List

Once a script has been identified in an event, the event is displayed in the Event List or Suspicious
Event List. From event entries, the script command or path can be added to the Script Allow List.

To add a script to the allow list:


1. Select Monitor > Events or Monitor > Suspicious Events from the left pane to open the
Event List or Suspicious Event List.

2. Right-click the event where the script was identified and then select Add script command to
allow list or Add script path to allow list, depending on the event type. The appropriate dialog
box opens. Perform the following:

a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The allowed script
can only be applied to policies related to these platforms.

b. When adding a script from the Hub Console, the displayed MSP is the MSP managing the
device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The allowed script can only be applied to policies related to these MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the allowed script is applied, select policies from the
Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this allowed
script to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this script whenever a new MSP is created.

e. In the Comment box, type the reason for adding the script path or command.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this entry on the allow list.

f. Click Add and the entry is added to the allow list. A message appears to confirm that the
entry was added successfully.

Add Scripts from the Event Details or Suspicious Event Details Screen

The Event Details screen and Suspicious Event Details screens provide a detailed and deep view of
an event incident. Once a script has been identified in an event, the script command or path can
be quickly added to the allow list.

To add a script to the allow list from the Event Details or Suspicious Event Details screen:
1. Open the Event Details or Suspicious Event Details screen.

2. Click the Options Icon and then click Add script command to allow list or Add script path to
allow list, depending on the event type. The appropriate dialog box opens. Perform the following:

a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The allowed script
can only be applied to policies related to these platforms.

b. When adding a script from the Hub Console, the displayed MSP is the MSP managing the
device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The allowed script can only be applied to policies related to these MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the allowed script is applied, select policies from the
Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this
allowed script to all policies for all new MSPs. Click Also add this to all new MSPs created
in the future to automatically add this script whenever a new MSP is created.

e. In the Comment box, type the reason for adding the script path or command.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this entry on the allow list.

f. Click Add and the entry is added to the allow list. A message appears to confirm that the
entry was added successfully.

4.9.3 File Certificate Allow List


Deep Instinct provides a File Certificate Allow List for Windows, macOS and Network
Agentless platforms. This allow list is a list of specific embedded certificates that are used for
signing executable files (Portable Executable (PE) or Mach-O files). Certificates can be added to the
File Certificate Allow List using the following methods:

▪ From existing events, select the relevant event from the Management Console or Hub
Console.

▪ Manually enter certificate details from the File Certificate Allow List screen.

The File Certificate Allow List has the following advantages and disadvantages compared to the
other types of allow lists:

▪ Direct mitigation and approval of false positives.

▪ Resilience to other versions of this file.

▪ Resilience to other modules, as part of the software may also be suspicious.

▪ Partially vulnerable to bypass by removing the file signature: the modified file is then no
longer allowed and may be identified as malicious again. On the other hand, removing the
signature from a file may prevent the file from running, regardless of whether the file
triggers a false positive.

▪ Deep Instinct’s implementation of this allow list does not allow it to be bypassed (false
negatives) by attack methods such as Certificate Bypass concepts.

Warning: Before adding an embedded certificate to the allow list, take extra efforts to verify the
validity of the certificate, as follows:

▪ Verify that the certificate belongs to the relevant company, and ensure that its
private key was not abused or stolen.

▪ Be aware that there have been a few cases in history where private keys were leaked,
as follows:

▪ Some malware creators stole private keys from legitimate enterprises, such as
with the Stuxnet malware case, where they used the JMicron Technology Corp
and Realtek Semiconductor Corp certificates. In another scenario, the Destover
malware (which is part of Sony’s attack) was signed with a Sony certificate.

▪ There were also cases where the Root CA was compromised. For example, the
Dutch certificate authority (DigiNotar) had a security breach, and its private key
(which is used for issuing certificates) was used by attackers to sign a certificate
for the google.com domain.

▪ Predominantly, trust only reliable Root CAs (such as VeriSign or Microsoft) and rely
less on vendors that do not require much information from applicants.

▪ Use a certificate verification tool, such as the tool at https://certificate.revocationcheck.com.
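
As an added example that is not part of this guide, the PowerShell below gathers the signer thumbprint, subject, chain status and revocation status of a signed file, so that the checks above can be carried out before the thumbprint is entered in the File Certificate Allow List. The function name, the ExpectedSubject parameter and the sample path are this example's own and are not part of the product; the cmdlets used are standard Windows PowerShell.

```powershell
# Added example (not from the Deep Instinct guide): collect what an
# administrator needs before filling in the File Certificate Allow List
# "Thumbprint" box, and apply the guide's checks (right company, valid
# chain, revocation lookup). Function and parameter names are constructed.

function Get-SignerEvidence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FilePath,
        # Fragment the signer subject is expected to contain, e.g. 'O=Contoso'
        [string]$ExpectedSubject
    )

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    $sig      = Get-AuthenticodeSignature -FilePath $FilePath
    $hash     = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $warnings = New-Object System.Collections.Generic.List[string]

    # NotSigned, HashMismatch, UnknownError...: a certificate allow-list entry
    # cannot help an unsigned or tampered file, so stop here.
    if ($sig.Status -ne 'Valid') {
        $warnings.Add("signature status is $($sig.Status): $($sig.StatusMessage)")
    }

    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        return [pscustomobject]@{
            File = $FilePath; Sha256 = $hash; Thumbprint = $null
            Subject = $null; Warnings = $warnings
        }
    }

    # Build the chain with an online revocation check for every element;
    # the guide recommends a revocation lookup before trusting a certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) {
            $warnings.Add("chain: $($s.Status) - $($s.StatusInformation.Trim())")
        }
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Does the certificate belong to the company you expect?
    if ($ExpectedSubject -and ($cert.Subject -notlike "*$ExpectedSubject*")) {
        $warnings.Add("subject '$($cert.Subject)' does not contain '$ExpectedSubject'")
    }
    # An expired signer is acceptable only when the signature was timestamped.
    if (($cert.NotAfter -lt (Get-Date)) -and (-not $sig.TimeStamperCertificate)) {
        $warnings.Add('signer certificate expired and the signature is not timestamped')
    }

    [pscustomobject]@{
        File        = $FilePath
        Sha256      = $hash
        Thumbprint  = $cert.Thumbprint   # value for the console's Thumbprint box
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        RootCA      = $root.Subject      # compare against the Root CAs you trust
        Timestamped = [bool]$sig.TimeStamperCertificate
        Warnings    = $warnings
    }
}

# Usage (constructed path; replace it with the file from the event). Only take
# the thumbprint to the console when Warnings is empty:
# Get-SignerEvidence -FilePath 'C:\Program Files\ContosoApp\app.exe' `
#     -ExpectedSubject 'O=Contoso' | Format-List
```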

4.9.3.1 Adding File Certificates to the Allow List


To create a File Certificate Allow List, embedded certificates must be added. Deep Instinct™ has
multiple methods to add certificates to the allow list:

▪ Add certificates from the File Certificate Allow List screen

▪ Add certificates from the Event List

▪ Add certificates from the Event Details screen

▪ Add certificates from the File List

▪ Add certificates from the File Details screen

Add File Certificates from the Allow List Screen

To add a certificate from the File Certificate Allow List screen:


1. Select Policy > Allow List > File Certificate from the left pane to open the File Certificate Allow
List screen.

2. Click Add Certificate from the table header. The Add Certificate to Allow List dialog box
opens. Perform the following:

a. Click Select Platforms to select the platforms that are relevant. The allowed certificate can
only be applied to policies related to these platforms.

b. When adding a certificate from the Hub Console, click Select MSPs to select the MSPs
that are relevant. The allowed certificate can only be applied to policies related to these
MSPs.

c. Click Select Policies to select the policies where the allowed certificate should be applied.

d. From the Hub Console, there is an option that would automatically add this allowed
certificate to all policies for all new MSPs. Click Also add this to all new MSPs created in
the future to automatically add this certificate whenever a new MSP is created.

e. In the Thumbprint box, type the thumbprint for the certificate to be added.

f. In the Comment box, type the reason for adding the certificate.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this certificate in the allow list.

g. Click Add and the certificate is added to the File Certificate Allow List.

Add File Certificates from the Event List or File List

Once a file with an embedded certificate has been identified in an event, the event is displayed in
the Event List. From the event or file entries, the certificate can be quickly added to the File
Certificate Allow List.

To add a certificate to the allow list from the Event List or File List, using a single event:
1. Select Monitor > Events or Monitor > Files from the left pane to open the Event List or File
List.

2. Right-click the entry where the file with an embedded certificate (signed PE file) was
identified and then select Add certificate to allow list. The Add Certificate to Allow List dialog
box opens. Perform the following:

a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The allowed
certificate can only be applied to policies related to these platforms.

b. When adding a certificate from the Hub Console, the displayed MSP is the MSP
managing the device that triggered the event. To change or add MSPs, select MSPs from
the MSPs dropdown box. The allowed certificate can only be applied to policies related to
these MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the allowed certificate is applied, select policies from
the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this allowed
certificate to all policies for all new MSPs. Click Also add this to all new MSPs created in
the future to automatically add this certificate whenever a new MSP is created.

e. In the Comment box, type the reason for adding the certificate.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this certificate in the allow list.

f. Click Add and the certificate is added to the File Certificate Allow List. A message appears
to confirm that the certificate was added successfully.

To add one or more certificates to the allow list from the Event List or File List, using multiple
entries:
1. Select Monitor > Events or Monitor > Files from the left pane to open the Event List or File
List.

2. Select the certificates to be added to the allow list, by selecting the checkboxes of the
entries where files with embedded certificates (signed PE files) were identified as malicious.
The Actions Icon appears in the header of the table.

3. Click the Actions Icon and select Add certificates to allow list to add the certificates to the allow list.

4. The Add Certificates to Allow List dialog box opens. Perform the following:

a. The displayed platforms are the platforms of the devices that triggered the events. To
change or add platforms, select platforms from the Platforms dropdown box. The
allowed certificates can only be applied to policies related to these platforms.

b. When adding certificates from the Hub Console, the displayed MSPs are the MSPs
managing the devices that triggered the events. To change or add MSPs, select MSPs
from the MSPs dropdown box. The allowed certificates can only be applied to policies
related to these MSPs.

c. The displayed policies are the policies associated with the devices that triggered the
events. To change or add the policies to where the allowed certificates are applied, select
policies from the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add these allowed
certificates to all policies for all new MSPs. Click Also add this to all new MSPs created in
the future to automatically add these certificates whenever a new MSP is created.

e. In the Comment box, type the reason for adding the certificates.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed these certificates in the allow list.

f. Click Add and the certificates are added to the File Certificate Allow List. A message
appears to confirm that the certificates were added successfully.

Add File Certificates from the Event Details or File Details screen

The Event Details screen provides a detailed and deep view of an event incident. Once a file with
an embedded certificate has been identified in an event, the certificate can be quickly added to
the allow list.

To add a certificate to the allow list from the Event Details or Files Details screen:
1. Open the Event Details or Files Details screen.

2. Click the Options Icon and then click Add certificate to allow list. The Add Certificate to
Allow List dialog box opens. Perform the following:

a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The allowed
certificate can only be applied to policies related to these platforms.

b. When adding a certificate from the Hub Console, the displayed MSP is the MSP
managing the device that triggered the event. To change or add MSPs, select MSPs from
the MSPs dropdown box. The allowed certificate can only be applied to policies related to
these MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the allowed certificate is applied, select policies from
the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this allowed
certificate to all policies for all new MSPs. Click Also add this to all new MSPs created in
the future to automatically add this certificate whenever a new MSP is created.

e. In the Comment box, type the reason for adding the certificate.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this certificate in the allow list.

f. Click Add and the certificate is added to the File Certificate Allow List. A message appears
to confirm that the certificate was added successfully.

4.9.4 File Path Allow List


Deep Instinct provides a File Path Allow List for Windows, macOS and Linux platforms. This allow
list is a list of specific paths, where all files in the path’s folder and sub-folders are allowed
automatically. Paths can be added to the File Path Allow List using the following methods:

▪ From existing events, select the relevant event from the Management Console or Hub
Console.

▪ Manually enter the path of the folder from the File Path Allow List screen.

The File Path Allow List has the following advantages and disadvantages compared to the other
types of allow lists:

▪ Direct mitigation and approval of false positives.

▪ May lead to a large security hole at the endpoints, by running malicious files from allowed
folders.

Warning: Before adding a path to the allow list, read the following recommendations:

▪ Consider adding only read-only folders to the allow list to minimize the
opportunity for allowed folders being abused by attackers.

▪ Do not add temporary folders to the allow list. Threats tend to write modules to
such folders. This is also relevant for system directories, like Windows or
system32.

▪ If you are handling false positives for a specific software product, look for
recommendations from its vendor. Most vendors provide some; for example,
Microsoft (#1, #2).
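
As an added example that is not part of this guide, the PowerShell below checks candidate Script Allow List (section 4.9.2) and File Path Allow List entries against the recommendations above before an administrator types them into the console, and shows which observed file paths an entry would cover. The function names, the risk rule names and all sample entries and paths are constructed for this example; the only assumption about the product is the * wildcard and the folder-plus-sub-folders coverage that the guide itself describes.

```powershell
# Added example (not from the Deep Instinct guide): a pre-flight check for
# Script Allow List and File Path Allow List entries. Entries use the same
# "*" wildcard the console accepts. The rules encode the guide's advice
# (no temp directories, no Windows or system32, prefer read-only locations,
# avoid overly broad patterns). Names and sample data are constructed.

function Test-AllowListPathEntry {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Entry)

    $n = $Entry.Trim()
    $findings = New-Object System.Collections.Generic.List[string]

    # A bare "*", a whole drive or a whole server share allows everything.
    if ($n -match '^(\*|[a-z]:\\?\*?|\\\\\*|\\\\[^\\]+\\\*)$') {
        $findings.Add('overly-broad')
    }
    # Temp locations: the guide notes that threats write modules there.
    if ($n -match '(^|\\)(temp|tmp)(\\|\*|$)') {
        $findings.Add('temporary-directory')
    }
    # Anything rooted in the Windows directory (this covers system32).
    if ($n -match '^[a-z]:\\windows(\\|\*|$)') {
        $findings.Add('system-directory')
    }
    # Locations normally writable by standard users, so not read-only.
    if ($n -match '^[a-z]:\\(users|programdata)(\\|\*|$)') {
        $findings.Add('user-writable')
    }

    $verdict = 'ok'
    if ($findings -contains 'user-writable') { $verdict = 'review' }
    if ($findings | Where-Object { $_ -ne 'user-writable' }) { $verdict = 'reject' }

    [pscustomobject]@{ Entry = $Entry; Findings = ($findings -join ', '); Verdict = $verdict }
}

function Get-AllowListCoverage {
    # Lists which observed file paths an entry would cover. The guide states that
    # a path entry covers the folder and its sub-folders, modelled here as also
    # matching "<entry>\*". "[", "]" and "?" are escaped so only "*" is a wildcard.
    param([Parameter(Mandatory)][string]$Entry, [string[]]$Paths)
    $pattern = ($Entry.Trim().TrimEnd('\')) -replace '([\[\]?])', '`$1'
    $Paths | Where-Object { ($_ -like $pattern) -or ($_ -like "$pattern\*") }
}

# Constructed sample entries an administrator might be tempted to add.
$entries = @(
    'C:\Program Files\ContosoApp\scripts\*'
    'C:\Windows\Temp\*'
    'C:\Users\*\AppData\Local\Temp\*'
    'C:\*'
    '\\dc01\sysvol\contoso.local\scripts'
)
$entries | ForEach-Object { Test-AllowListPathEntry -Entry $_ } | Format-Table -AutoSize

# Constructed paths from events: shows how much the temp entry would cover
# (every user's temp folder, including sub-folders), which is why it is rejected.
$seen = @(
    'C:\Users\alice\AppData\Local\Temp\installer_helper.ps1'
    'C:\Users\bob\AppData\Local\Temp\a1b2\stage2.ps1'
    'C:\Program Files\ContosoApp\scripts\backup.ps1'
)
Get-AllowListCoverage -Entry 'C:\Users\*\AppData\Local\Temp\*' -Paths $seen
```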

4.9.4.1 Adding File Paths to the Allow List


To create a File Path Allow List, paths must be added. Deep Instinct™ has multiple methods to add
paths to the allow list:

▪ Add paths from the File Path Allow List screen

▪ Add paths from the Event List

▪ Add paths from the Event Details screen

Add File Paths from the Allow List Screen

To add a path from the File Path Allow List screen:


1. Select Policy > Allow List > File Path from the left pane to open the File Path Allow List
screen.

2. Click Add Path from the table header. The Add Path to Allow List dialog box opens.
Perform the following:

a. Click Select Platforms to select the platforms that are relevant. The allowed path can only
be applied to policies related to these platforms.

b. When adding a path from the Hub Console, click Select MSPs to select the MSPs that are
relevant. The allowed path can only be applied to policies related to these MSPs.

c. Click Select Policies to select the policies where the allowed path should be applied.

d. From the Hub Console, there is an option that would automatically add this allowed path
to all policies for all new MSPs. Click Also add this to all new MSPs created in the future to
automatically add this path whenever a new MSP is created.

e. Type the path to be added to the allow list. Paths can be entered using the * wildcard
character.

f. In the Comment box, type the reason for adding the path.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this path in the allow list.

g. Click Add and the path is added to the File Path Allow List.

Add File Paths from the Event List

Once a file has been identified in an event, the event is displayed in the Event List. From event
entries, the paths from where the files were located can be added to the allow list.

To add a path to the allow list from the Event List, using a single event:
1. Select Monitor > Events from the left pane to open the Event List.

2. Right-click the event where the file was identified and then select Add path to allow list. The
Add Path to Allow List dialog box opens. Perform the following:

a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The allowed file
path can only be applied to policies related to these platforms.

b. When adding a path from the Hub Console, the displayed MSP is the MSP managing the
device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The allowed path can only be applied to policies related to these MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the allowed file path is applied, select policies from
the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this allowed path
to all policies for all new MSPs. Click Also add this to all new MSPs created in the future to
automatically add this path whenever a new MSP is created.

e. In the Comment box, type the reason for adding the path.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this path in the allow list.

f. Click Add and the path is added to the File Path Allow List. A message appears to confirm
that the path was added successfully.

Add File Paths from the Event Details screen

The Event Details screen provides a detailed and deep view of an event incident. Once a file has
been identified in an event, the path from where the file was located can be added to the allow
list.

To add a path to the allow list from the Event Details Screen:
1. Open the Event Details screen.

2. Click the Options Icon and then click Add path to allow list. The Add Path to Allow List
dialog box opens. Perform the following:

a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The allowed path
can only be applied to policies related to these platforms.

b. When adding a path from the Hub Console, the displayed MSP is the MSP managing the
device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The allowed path can only be applied to policies related to these MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the allowed file path is applied, select policies from
the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this allowed path
to all policies for all new MSPs. Click Also add this to all new MSPs created in the future to
automatically add this path whenever a new MSP is created.

e. In the Comment box, type the reason for adding the path.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this path in the allow list.

f. Click Add and the path is added to the File Path Allow List. A message appears to confirm
that the path was added successfully.

4.9.5 Behavioral Analysis Allow List


Deep Instinct provides a Behavioral Analysis Allow List for Windows and Linux platforms. This
allow list is a list of processes that are detected during the behavioral analysis. Processes can be
added to the Behavioral Analysis Allow List using the following methods:

▪ From existing events, select the relevant event from the Management Console or Hub
Console.

▪ Manually enter the process and the allowed behavior from the Behavioral Analysis Allow List
screen.

Warning: Before adding a process to the allow list, take extra efforts to verify that the
process is not malicious.

4.9.5.1 Adding Processes to the Allow List


To create a Behavioral Analysis Allow List, the path and file name that initiated the process and the
allowed behavior must be added for each entry. Deep Instinct™ has multiple methods to add
processes to the allow list:

▪ Add processes from the Allow List screen

▪ Add processes from the Event List

▪ Add processes from the Suspicious Event List

▪ Add processes from the Event Details screen

▪ Add processes from the Suspicious Event Details screen

Add a Process from the Behavioral Analysis Allow List Screen

To add a process:
1. Select Policy > Allow List > Behavioral Analysis from the left pane to open the Behavioral
Analysis Allow List screen.


2. Click the Behavioral Analysis tab and then click Add Behavior from the table header. The
Add Process to Allow List dialog box opens. Perform the following:

a. Click Select Platforms to select the platforms that are relevant. The allowed process can
only be applied to policies related to these platforms.

b. When adding a process from the Hub Console, click Select MSPs to select the MSPs that
are relevant. The allowed process can only be applied to policies related to these MSPs.

c. Click Select Policies to select the policies where the allowed process should be applied.


d. From the Hub Console, there is an option that would automatically add this allowed
process to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this process whenever a new MSP is created.

e. In the Process box, type the path and file name (full path) that initiated the process. Full
paths can be entered using the * wildcard character.

f. Click Select Behaviors to select the behavioral analyses that are excluded for this process.

g. In the Comment box, type the reason for adding the process.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this process in the allow list.

h. Click Add and the process is added to the Behavioral Analysis Allow List. A message
appears to confirm that the process was added successfully.

Add Processes from the Event List

Once the behavioral analysis has generated an event, the event is displayed in the Event List.
From event entries, the associated process can be added individually or a group of processes can
be added to the allow list simultaneously.

To add a process to the Behavioral Analysis Allow List from the Event List, using a single event:
1. Select Monitor > Events from the left pane to open the Event List.

2. Right-click the event where the behavioral analysis has identified malicious behavior and
then select Add process to allow list. The Add Process to Allow List dialog box opens.
Perform the following:


a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The allowed
process can only be applied to policies related to these platforms.

b. When adding a process from the Hub Console, the displayed MSP is the MSP managing
the device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The allowed process can only be applied to policies related to these
MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the allowed process is applied, select policies from
the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this allowed
process to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this process whenever a new MSP is created.

e. Click Select Behaviors to select the behavioral analyses that are excluded for this
process.

f. In the Comment box, type the reason for adding the process.


Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this process in the allow list.

g. Click Add and the process is added to the Behavioral Analysis Allow List. A message
appears to confirm that the process was added successfully.

To add one or more processes to the Behavioral Analysis Allow List from the Event List, using
multiple entries:
1. Select Monitor > Events from the left pane to open the Event List.

2. Select the processes to be added to the allow list, by selecting the checkboxes of the entries
where the behavioral analysis has generated events. The Actions Icon appears in
the header of the table.

3. Click the Actions Icon and then click Add processes to allow list. The Add Processes to
Allow List dialog box opens. Perform the following:


a. The displayed platforms are the platforms of the devices that triggered the events. To
change or add platforms, select platforms from the Platforms dropdown box. The
allowed processes can only be applied to policies related to these platforms.

b. When adding processes from the Hub Console, the displayed MSPs are the MSPs
managing the devices that triggered the events. To change or add MSPs, select MSPs
from the MSPs dropdown box. The allowed processes can only be applied to policies
related to these MSPs.

c. The displayed policies are the policies associated with the devices that triggered the
events. To change or add the policies to where the allowed processes are applied, select
policies from the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add these allowed
processes to all policies for all new MSPs. Click Also add this to all new MSPs created in
the future to automatically add these processes whenever a new MSP is created.

e. Click Select Behaviors to select the behavioral analyses that are excluded for these
processes.

f. In the Comment box, type the reason for adding these processes.


Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed these processes in the allow
list.

g. Click Add and the processes are added to the Behavioral Analysis Allow List. A message
appears to confirm that the processes were added successfully.

Add Processes from the Event Details Screen

The Event Details screen provides a detailed and deep view of an event incident. Once the
behavioral analysis has generated an event, the associated process can be added to the allow list.

To add a process to the Behavioral Analysis Allow List from the Event Details screen:
1. Open the Event Details screen.

2. Click the Options Icon and then click Add process to allow list. The Add Process to Allow
List dialog box opens. Perform the following:


a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The allowed
process can only be applied to policies related to these platforms.

b. When adding a process from the Hub Console, the displayed MSP is the MSP managing
the device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The allowed process can only be applied to policies related to these
MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the allowed process is applied, select policies from
the Policy dropdown box.

d. From the Hub Console, there is an option that would automatically add this allowed
process to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this process whenever a new MSP is created.

e. Click Select Behaviors to select the behavioral analyses that are excluded for this process.

f. In the Comment box, type the reason for adding the process.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this process in the allow list.


g. Click Add and the process is added to the Behavioral Analysis Allow List. A message
appears to confirm that the process was added successfully.

4.10. File Hash Deny List


Deep Instinct provides a File Hash Deny List for Windows, macOS, Linux and Network
Agentless platforms. This deny list is a list of SHA-256 hash values that represent files assumed to
be malicious. This list provides additional protection against files with these hash values.

When a file with a hash value on this list is identified, a prevention event occurs. The system
prevents any operation related to the file (such as running or copying it). The file is then deleted,
quarantined, and reported, and the event can be monitored in the Event List.

File hashes can be added to the deny list using any of the following methods:

▪ Upload files from the desktop of the administrator.

▪ From existing events, select files from the Management Console or Hub Console.

▪ Manually add file hashes from the File Hash Deny List screen by entering the SHA-256 hash
values.

▪ Import a list of file hashes from a CSV file.

File Hash Deny List Screen


 

The File Hash Deny List screen displays a table that contains detailed information for prevented file
hashes. The table includes the following information:

▪ File Hash – Displays the file hash value (SHA-256) for the file hash on the list.


▪ File Type – Displays the type of file.

▪ MSPs – Displays the MSPs that are relevant to the file hash on the list. This is only displayed
from the Hub Console with systems supporting MSPs.

▪ Platforms – Displays the platforms that are relevant to the file hash on the list. The file hash
can only be applied to policies related to these platforms.

▪ Policies – Displays the policies where the file hash is applied.

▪ Date Added – Displays the date that the file hash was added to the deny list.

▪ Comment – Displays the comment for the file hash.

The File Hash Deny List screen allows you to perform the following functions:

▪ Filter the information to only display the relevant information.

▪ Sort the information by clicking on column headings. The information in the table is sorted
based on the selected column.

▪ Define which columns are displayed.

▪ Reset columns and filters to their default settings.

▪ Import a list of file hashes to the File Hash Deny List from a CSV file.

▪ Add file hashes to the deny list.

▪ Edit existing deny list entries.

▪ Export the data from the table to an Excel file.

▪ Remove deny list entries.

4.10.1 Adding File Hashes to the Deny List


To create a File Hash Deny List, file hashes must be added. Deep Instinct™ has multiple methods
to add file hashes to the deny list:

▪ Add file hashes from the Deny List screen

▪ Add file hashes from the Event List

▪ Add file hashes from the Event Details screen

▪ Add file hashes from the File List

▪ Add file hashes from the File Details screen

▪ Import a List of File Hashes from a CSV File

4.10.1.1 Add Files from the File Hash Deny List Screen
To add a hash from the Deny List screen:
1. Select Policy > File Hash Deny List from the left pane to open the File Hash Deny List screen.


2. Click Add File from the table header. The Add File Hash to Deny List dialog box opens.
Perform the following:

a. Click Select Platforms to select the platforms that are relevant. The added file hash can
only be applied to policies related to these platforms.


b. When adding a file hash from the Hub Console, click Select MSPs to select the MSPs that
are relevant. The added file hash can only be applied to policies related to these MSPs.

c. Click Select Policies to select the policies where the added file hash should be applied.

d. From the Hub Console, there is an option that would automatically add this file hash to
all policies for all new MSPs. Click Also add this to all new MSPs created in the future to
automatically add this file hash whenever a new MSP is created.

e. Click Browse to select a file whose hash value is to be added, or type the hash value.

If you click Browse, a window opens from where you can search for and select the file. The
file information (hash and type) is automatically entered in the Add File Hash to Deny List
dialog box.

f. In the Comment box, type the reason for adding the file hash.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this file hash in the deny list.

g. Click Add and the file hash is added to the deny list.

3. After D-Clients receive the updated deny list from the D-Appliance, all existing files with hash
values listed in the deny list are quarantined.

Import a List of File Hashes from a CSV File

The File Hash Deny List screen provides a method to import a list of file hashes from a CSV file.
This allows many file hash values to be added at once; for example, a list of hashes acquired from
an Indicators of Compromise (IoC) feed can be imported directly into the deny list.
The CSV file must be formatted as follows:

▪ Separate all data fields with a comma delimiter.

▪ Each file entry must be on a separate line.

▪ The first line may contain titles, but it is not required. The titles must also be separated with
a comma delimiter.

▪ Each file entry must start with the file hash value (SHA-256). All other data values afterwards
are ignored.
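Before importing, a feed can be converted to this format and pre-checked against these rules. The following Python is an added example, not Deep Instinct code: the IoC feed entries and hash values are constructed, the column titles and comment text are assumptions, and the console's own parser may differ in detail.

```python
"""Build and pre-check a File Hash Deny List CSV (added example, not product code)."""
import csv
import io
import re

# A SHA-256 digest is 64 hex characters. Only the first column of each CSV
# line is read on import; every later column is ignored.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample IoC feed (values are NOT real indicators): hash type,
# value and source, as a feed parser might hand them over.
SAMPLE_FEED = [
    {"type": "sha256", "value": "AB" * 32, "source": "feed-a"},            # uppercase
    {"type": "sha256", "value": "ab" * 32, "source": "feed-b"},            # duplicate
    {"type": "md5", "value": "0123456789abcdef" * 2, "source": "feed-a"},  # wrong algorithm
    {"type": "sha256", "value": "cd" * 31 + "c", "source": "feed-c"},      # 63 chars: malformed
    {"type": "sha256", "value": "ef" * 32, "source": "feed-c"},
]


def normalize_sha256(value):
    """Return the lowercase hex digest, or None if value is not a SHA-256."""
    candidate = value.strip().lower()
    return candidate if SHA256_RE.match(candidate) else None


def build_deny_list_csv(feed, comment):
    """Convert feed entries into CSV text in the importer's format.

    Only SHA-256 indicators are kept; they are lowercased and de-duplicated,
    and the hash goes in the first column as the format requires. The title
    row and the extra columns are permitted and ignored by the import.
    Returns (csv_text, skipped) where skipped lists the entries left out.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["sha256", "comment", "source"])  # assumed title row
    seen = set()
    skipped = []
    for entry in feed:
        digest = None
        if entry["type"] == "sha256":
            digest = normalize_sha256(entry["value"])
        if digest is None:
            skipped.append(entry)
        elif digest not in seen:
            seen.add(digest)
            writer.writerow([digest, comment, entry["source"]])
    return out.getvalue(), skipped


def parse_deny_list_csv(text):
    """Pre-check a CSV before upload, applying the documented rules.

    First column = hash, other columns ignored; a first line whose first
    cell is not a SHA-256 is treated as the optional title row.
    Returns (hashes, bad_rows); bad_rows holds (line_number, first_cell).
    """
    hashes = []
    bad_rows = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not row[0].strip():
            continue  # blank line
        digest = normalize_sha256(row[0])
        if digest is not None:
            hashes.append(digest)
        elif lineno != 1:
            bad_rows.append((lineno, row[0]))
    return hashes, bad_rows


if __name__ == "__main__":
    text, skipped = build_deny_list_csv(SAMPLE_FEED, "Imported from IoC feed (constructed example)")
    print(text)
    print("skipped:", [e["value"][:12] + "..." for e in skipped])
    ready, bad = parse_deny_list_csv(text)
    print("hashes ready for import:", len(ready), "bad rows:", bad)
```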

To import a list of file hashes to the deny list from the File Hash Deny List screen:
1. Select Policy > File Hash Deny List from the left pane to open the File Hash Deny List screen.


2. Click Import CSV from the table header. The Import File Hashes to Deny List dialog box
opens. Perform the following:


a. Click Select Platforms to select the platforms that are relevant. The imported file hashes
can only be applied to policies related to these platforms.

b. When importing file hashes from the Hub Console, click Select MSPs to select the MSPs
that are relevant. The imported file hashes can only be applied to policies related to
these MSPs.

c. Click Select Policies to select the policies where the imported file hashes should be
applied.

d. From the Hub Console, there is an option that would automatically add these imported
file hashes to all policies for all new MSPs. Click Also add this to all new MSPs created in
the future to automatically add these file hashes whenever a new MSP is created.

e. To select a CSV file, click Browse computer. A window opens from where you can search
and select the CSV file to be imported. Alternatively, a CSV file may be dragged to the
Import hashes box.

f. The Import hashes box changes. The number of file hashes to be imported is displayed.

g. In the Comment box, type the reason for adding the file hashes. This comment is
displayed for each file hash imported. If no comment is entered, the comment displayed
indicates that the file hashes were imported.

h. Click Add and the file hashes are added to the deny list.

3. After D-Clients receive the updated deny list from the D-Appliance, all existing files with hash
values listed in the deny list are quarantined.

4.10.1.2 Add File Hashes from the Event List or File List
Once a file has been identified in an event, the event is displayed in the Event List and the file is
displayed in the File List. From event or file entries, file hashes can be added individually, or a
group of file hashes can be added to the deny list simultaneously.

To add a file hash to the deny list from the Event List or File List, using a single entry:
1. Select Monitor > Events or Monitor > Files from the left pane to open the Event List or File
List.


2. Right-click the entry where the file has been identified as malicious and then select Add file
to deny list. The Add File Hash to Deny List dialog box opens. Perform the following:


a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The file hash can
only be applied to policies related to these platforms.

b. When adding a file hash from the Hub Console, the displayed MSP is the MSP managing
the device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The file hash can only be applied to policies related to these MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the file hash is applied, select policies from the
Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this file hash to
all policies for all new MSPs. Click Also add this to all new MSPs created in the future to
automatically add this file hash whenever a new MSP is created.

e. In the Comment box, type the reason for adding the file hash.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this file hash in the deny list.

f. Click Add and the file hash is added to the deny list. A message appears to confirm that
the file hash was added successfully.

3. After D-Clients receive the updated deny list from the D-Appliance, all existing files with hash
values listed in the deny list are quarantined.

To add one or more files to the deny list from the Event List or File List, using multiple events:
1. Select Monitor > Events or Monitor > Files from the left pane to open the Event List or File
List.


2. Select the file hashes to be added to the deny list, by selecting the checkboxes of the entries
where the files were identified as malicious. The Actions Icon appears in the header
of the table.

3. Click the Actions Icon and then click Add files to deny list.

4. The Add File Hashes to Deny List dialog box opens. Perform the following:

a. The displayed platforms are the platforms of the devices that triggered the events. To
change or add platforms, select platforms from the Platforms dropdown box. The file
hashes can only be applied to policies related to these platforms.

b. When adding file hashes from the Hub Console, the displayed MSPs are the MSPs
managing the devices that triggered the events. To change or add MSPs, select MSPs
from the MSPs dropdown box. The file hashes can only be applied to policies related to
these MSPs.

c. The displayed policies are the policies associated with the devices that triggered the
events. To change or add the policies to where the file hashes are applied, select policies
from the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add these file hashes
to all policies for all new MSPs. Click Also add this to all new MSPs created in the future to
automatically add these file hashes whenever a new MSP is created.


e. In the Comment box, type the reason for adding the file hashes.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed these file hashes in the deny
list.

f. Click Add and the file hashes are added to the deny list. A message appears to confirm
that the file hashes were added successfully.

5. After D-Clients receive the updated deny list from the D-Appliance, all existing files with hash
values listed in the deny list are quarantined.

4.10.1.3 Add File Hashes from the Event Details or File Details Screen
Once a file has been identified in an event, the file hash can be quickly added to the deny list from
the Event Details or File Details screen.

To add a file hash to the deny list from the Event Details or File Details screen:
1. Open the Event Details or File Details screen.

2. Click the Options Icon and then click Add file to deny list. The Add File Hash to Deny List
dialog box opens. Perform the following:


a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The file hash can
only be applied to policies related to these platforms.

b. When adding a file hash from the Hub Console, the displayed MSP is the MSP managing
the device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The file hash can only be applied to policies related to these MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the file hash is applied, select policies from the
Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this file hash to
all policies for all new MSPs. Click Also add this to all new MSPs created in the future to
automatically add this file hash whenever a new MSP is created.

e. In the Comment box, type the reason for adding the file hash.

Note: It is recommended that the reason entered is well written to inform other
administrators and to remind you why you placed this file hash in the deny list.


f. Click Add and the file hash is added to the deny list. A message appears to confirm that
the file hash was added successfully.

3. After D-Clients receive the updated deny list from the D-Appliance, all existing files with hash
values listed in the deny list are quarantined.

4.11. Exclusion Lists


Deep Instinct has implemented exclusion lists that can be used to provide compatibility with
other anti-malware software, eliminating conflicts and improving performance. The exclusion lists
include a list of excluded folders and a list of excluded processes defined by your organization.
For an excluded folder, all the files in the folder and sub-folders are excluded from being scanned.
For an excluded process, all files accessed by the process are excluded from being scanned.

Warning: Before adding a folder to the Exclusion list, read the following recommendations:

▪ Consider adding only read-only folders to minimize the opportunity for trusted
folders being abused by attackers.

▪ Do not add temporary folders. Malware tends to write modules to such folders.
This is also relevant for system folders, like Windows and System32.

▪ When a specific solution continues to cause some false positives, look for
recommendations from the vendor of the solution. Most vendors provide
assistance; for example, Microsoft (#1, #2).
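A quick sanity check that encodes the recommendations above for a proposed folder exclusion, as an added example in Python (not Deep Instinct code). It assumes the * wildcard matches any run of characters, and the list of risky Windows locations is constructed here.

```python
"""Flag risky Folder Exclusion entries (added example, not product code)."""
import fnmatch

# Constructed list of locations the guidance says not to exclude: temp
# folders and core system folders. The '*' in the user temp entry stands
# for any user profile name.
RISKY_LOCATIONS = [
    r"C:\Windows",
    r"C:\Windows\System32",
    r"C:\Windows\Temp",
    r"C:\Temp",
    r"C:\Users\*\AppData\Local\Temp",
]
# Path components that mark a temp or system folder on any drive.
RISKY_COMPONENTS = {"temp", "tmp", "windows", "system32"}


def _components(path):
    """Split a Windows path into lowercase components, dropping empties."""
    return [c.lower() for c in path.strip().replace("/", "\\").split("\\") if c]


def covers(pattern, location):
    """True if the exclusion pattern covers location or one of its parents.

    Assumption: '*' matches any run of characters (glob-like); the guide
    only says '*' is a wildcard. Because sub-folders of an excluded folder
    are excluded too, a match on any ancestor means location is excluded.
    """
    pat = "\\".join(_components(pattern))
    loc = _components(location)
    for depth in range(1, len(loc) + 1):
        if fnmatch.fnmatchcase("\\".join(loc[:depth]), pat):
            return True
    return False


def assess_folder_exclusion(path):
    """Return warnings for a proposed Folder Exclusion entry (empty = no concern)."""
    findings = []
    parts = _components(path)
    if not parts or all(c == "*" for c in parts):
        return ["pattern matches every folder; nothing would be scanned"]
    if len(parts) == 1 and parts[0].endswith(":"):
        findings.append("drive root: every folder on the drive would be excluded")
    for c in parts:
        if c in RISKY_COMPONENTS:
            findings.append(f"path component '{c}' is a temporary or system folder")
    for loc in RISKY_LOCATIONS:
        if covers(path, loc):
            findings.append(f"exclusion covers {loc}")
    return findings


if __name__ == "__main__":
    # Constructed candidates: a vendor install folder, a user temp folder, a drive root.
    for candidate in (r"C:\Program Files\VendorAV", r"C:\Users\*\AppData\Local\Temp", "C:\\"):
        print(candidate, "->", assess_folder_exclusion(candidate) or "no concerns")
```

The checker cannot tell whether a folder is read-only, so it is a pre-review aid rather than a substitute for reviewing each entry.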

Deep Instinct provides multiple methods to exclude folders and processes, as follows:

▪ Process Exclusion List

▪ Folder Exclusion List

4.11.1 Process Exclusion List


Deep Instinct provides a Process Exclusion list for the Windows platform. When a process is included
in the Exclusion List, the files accessed by the process are excluded from being scanned. This
feature may be used to provide compatibility and improve performance when running other
software that accesses many files, such as other anti-malware software.

To create a Process Exclusion List, processes must be added to the list from the Process Exclusion
screen.

To add an excluded process:


1. Select Policy > Exclusion > Process Exclusions from the left pane to open the Process
Exclusion List.


2. Click Add Process from the table header. The Add Process to Exclusion List dialog box
opens. Perform the following:

a. Click Select Platforms to select the platforms that are relevant. The excluded process can
only be applied to policies related to these platforms.


b. When adding a process from the Hub Console, click Select MSPs to select the MSPs that
are relevant. The excluded process can only be applied to policies related to these MSPs.

c. Click Select Policies to select the policies where the excluded process should be applied.

d. From the Hub Console, there is an option that would automatically add this excluded
process to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this process whenever a new MSP is created.

e. In the Process box, type the path and file name (full path) of the file that starts the
process. Full paths can be entered using the * wildcard character.

f. In the Comment box, type the reason for adding the process.

Note: It is recommended that the reason entered is well written, so you will remember
in the future why you excluded this process.

     

g. Click Add and the process is added to the Exclusion List. A message appears to confirm
that the process was added successfully.

4.11.2 Folder Exclusion List


Deep Instinct provides a Folder Exclusion list for the Windows platform. When a folder is included in
the Exclusion List, all files in the folder and sub-folders are excluded from being scanned. This
feature may be used to provide compatibility and improve performance when running other
software that accesses many files, such as other anti-malware software.

To create a Folder Exclusion List, folders must be added to the list. Deep Instinct™ has multiple
methods to add folders to the Exclusion List:

▪ Add folders from the Folder Exclusion screen

▪ Add folders from the Event List

▪ Add folders from the Event Details screen

Add Folders from the Folder Exclusion Screen

To add an excluded folder from the Folder Exclusion screen:


1. Select Policy > Exclusion > Folder Exclusions from the left pane to open the Folder Exclusion
List.


2. Click Add Folder from the table header. The Add Folder to Exclusion List dialog box opens.
Perform the following:

a. Click Select Platforms to select the platforms that are relevant. The excluded folder can
only be applied to policies related to these platforms.


b. When adding a folder from the Hub Console, click Select MSPs to select the MSPs that
are relevant. The excluded folder can only be applied to policies related to these MSPs.

c. Click Select Policies to select the policies where the excluded folder should be applied.

d. From the Hub Console, there is an option that would automatically add this excluded
folder to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this folder whenever a new MSP is created.

e. In the Folder box, type the path of the folder. Paths can be entered using the * wildcard
character.

f. In the Comment box, type the reason for adding the folder.

Note: It is recommended that the reason entered is well written, so you will remember
in the future why you excluded this folder.

g. Click Add and the folder is added to the Exclusion List. A message appears to confirm
that the folder was added successfully.

Add Folders from the Event List

Once a file has been identified in an event, the event is displayed in the Event List. From event
entries, the folders in which the files were located can be added to the Exclusion List.

To add an excluded folder from the Event List, using a single event:
1. Select Monitor > Events from the left pane to open the Event List.

2. Right-click the event where the file was identified and then select Add folder to exclusions.
The Add Folder to Exclusion List dialog box opens. Perform the following:


a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The excluded
folder can only be applied to policies related to these platforms.

b. When adding a folder from the Hub Console, the displayed MSP is the MSP managing
the device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The excluded folder can only be applied to policies related to these
MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the excluded folder is applied, select policies from
the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this excluded
folder to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this folder whenever a new MSP is created.

e. In the Comment box, type the reason for adding the folder.

Note: It is recommended that the reason entered is well written, so you will remember
in the future why you excluded this folder.

f. Click Add and the folder is added to the Exclusion List. A message appears to confirm that
the folder was added successfully.

To add one or more excluded folders from the Event List, using multiple entries:
1. Select Monitor > Events from the left pane to open the Event List.


2. Select the folders to be added to the Exclusion List, by selecting the checkboxes of the
entries where files have been identified as malicious. The Actions Icon appears in
the header of the table.

3. Click the Actions Icon and select Add folders to exclusions. The Add Folders to Exclusion List
dialog box opens. Perform the following:

a. The displayed platforms are the platforms of the devices that triggered the events. To
change or add platforms, select platforms from the Platforms dropdown box. The
excluded folders can only be applied to policies related to these platforms.


b. When adding folders from the Hub Console, the displayed MSPs are the MSPs managing
the devices that triggered the events. To change or add MSPs, select MSPs from the
MSPs dropdown box. The excluded folders can only be applied to policies related to
these MSPs.

c. The displayed policies are the policies associated with the devices that triggered the
events. To change or add the policies to where the excluded folders are applied, select
policies from the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add these excluded
folders to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add these folders whenever a new MSP is created.

e. In the Comment box, type the reason for adding these folders.

Note: It is recommended that the reason entered is well written, so you will remember
in the future why you excluded these folders.

f. Click Add and the folders are added to the Exclusion List. A message appears to confirm
that the folders were added successfully.

Add Folders from the Event Details screen

The Event Details screen provides a detailed and deep view of an event incident. Once a file has
been identified in an event, the folder from where the file was located can be added to the
Exclusion List.

To add an excluded folder from the Event Details Screen:


1. Open the Event Details screen.


2. Click the Options Icon and then click Add folder to exclusions. The Add Folder to
Exclusion List dialog box opens. Perform the following:

a. The displayed platform is the platform of the device that triggered the event. To change
or add platforms, select platforms from the Platforms dropdown box. The excluded
folder can only be applied to policies related to these platforms.

b. When adding a folder from the Hub Console, the displayed MSP is the MSP managing
the device that triggered the event. To change or add MSPs, select MSPs from the MSPs
dropdown box. The excluded folder can only be applied to policies related to these
MSPs.

c. The displayed policy is the policy associated with the device that triggered the event. To
change or add the policies to where the excluded folder is applied, select policies from
the Policies dropdown box.

d. From the Hub Console, there is an option that would automatically add this excluded
folder to all policies for all new MSPs. Click Also add this to all new MSPs created in the
future to automatically add this folder whenever a new MSP is created.

e. In the Comment box, type the reason for adding the folder.

Note: It is recommended that the reason entered is well written, so you will remember
in the future why you excluded this folder.

f. Click Add and the folder is added to the Exclusion List. A message appears to confirm that
the folder was added successfully.

4.12. Editing an Allow List/Deny List/Exclusion Entry
The method to edit existing entries from the Allow List, Deny List and Exclusion List is the same.
Only the parameters may be different between the lists. Most parameters can be changed. For
more information on the parameters, see Allow List, Deny List and Exclusion List.

To edit an entry from the Allow List, Deny List or Exclusion List:
1. Open the relevant list screen.

2. From the list, click the entry you want to edit. The relevant dialog box opens for you to edit
the entry.


3. Modify the entry and click Save. The changes are displayed in the relevant list.

4.13. Removing Allow List/Deny List/Exclusion Entries
The method to remove existing entries from the Allow List, Deny List and Exclusion List is the
same. When entries are removed, they are removed from all relevant policies. Entries can be
removed individually or a group of entries can be removed simultaneously.

To remove an entry, using a single entry:


1. Open the relevant list screen.


2. From the list, right-click the entry you want to remove and then select Remove. A dialog box
opens to confirm your request.

3. Click Remove to delete the entry from all policies. The entry is removed from the relevant
list.

To remove one or more entries, using multiple entries:


1. Open the relevant list screen.


2. Select the entries to be removed, by selecting their checkboxes. The Actions
Icon appears in the header of the table.

3. Click the Actions Icon and then click Remove. A dialog box opens to confirm your request.

4. Click Remove to delete the entries from all policies. The entries are removed from the
relevant list.


5. Managing Devices
To assist in managing the devices in your organization, Deep Instinct includes the following:

▪ Custom Policy

▪ Device Group

▪ Troubleshooting Tools

5.1. Custom Policy


Custom Policies give the security administrator the flexibility to apply different policies as required
by your organization. This provides the following benefits:

▪ Strict policies can be applied to critical devices or high risk users/devices.

▪ Less strict policies can be applied to personal devices (BYOD) or low risk users/devices.

▪ Implementation of new policies can be tested without affecting the system and then applied
in a gradual deployment.

To create and implement custom policies the following steps must be performed:

1. Create a new policy

2. Configure the policy

3. Create a new Device Group and apply the policy

After a Custom Policy has been implemented, you may perform the following:

▪ Edit the policy

▪ Edit the policy name

▪ Add or edit the Custom Policy comment

▪ Remove the policy

▪ Create new Device Groups and assign the policy

▪ Assign the policy to existing Device Groups

▪ Add or remove devices from associated Device Groups

5.1.1 Creating a New Policy


To create a new policy:
1. Select Policy > Device Policies from the left pane to open the Policy List.


2. Click Create Policy from the table header. The Create Policy dialog box opens.

3. In the Name box, type the name of the new policy. The length must be between 3 and 35
characters.

4. In the Platform list, select for which platform the new policy will be used.

5. In the Based on list, select the policy on which the new policy is based. The new policy
must be based on an existing policy, and all settings in the new policy are initially identical to
those of the selected policy.

6. Click Create. The new policy is added to list of policies.

7. Configure the new policy as needed.

8. Click Save & Apply to implement the changes. A message appears to confirm that the
changes were saved successfully.


5.1.2 Removing a Custom Policy


To remove a custom policy:
1. Select Policy > Device Policies from the left pane to open the Policy List.

2. Right-click the policy you want to remove and then select Remove policy. Default policies
cannot be removed.

3. The Remove Policy dialog box opens to confirm your request.

4. Click Remove. The policy is removed from the list of policies. All Device Groups related to the
removed policy are now using the default policy.

5.2. Device Group List


The Device Group List screen displays information about the default and custom Device Groups.
From this screen, you can create a new Device Group, which deploys a policy to a selected group
of devices. Each device is assigned to a Device Group based on several criteria, in the following
order:

1. Manual assignment of devices


2. Group priorities

3. Group rules

Manually assigned devices override group priorities and rules.

To create a Device Group with selected devices, perform the following steps:
1. Create a new Device Group and apply a Custom Policy.

2. Assign devices to be included in the Device Group. Devices can be added using any of the
following methods:

▪ Define Group Rules to automatically assign devices.

▪ Manually assign devices.

3. Define the Device Group priority.

4. View the list of assigned devices to confirm the Device Group configuration.

5. Edit the Device Group as needed.

The following figure illustrates a Device Group List screen with numbered callouts. The callouts are
described in the table below.

Device Group List Screen with Callouts


Device Group List Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 Create Group Click to open the dialog box to create a new Device Group.

3 Group Priority Click to open the Group Priority screen to view or define Device
Group priorities.

4 Device Group Table Displays a table of Device Groups. The table includes the following
information:
▪ Group Name – Name of the Device Group.
▪ Devices – Number of devices associated with the group.
▪ Policy – Name of the policy associated with the group.
▪ Platform – Type of platform (OS) on the associated devices.
▪ Rules – Type of rules defined for the group.
▪ Priority – Priority level of the group.

From this table, you can do the following:

▪ Filter the information to only display the relevant information.
▪ Sort the information by clicking on column headings. The
information in the table is sorted based on the selected column.
▪ Define which columns are displayed.
▪ Reset columns and filters to their default settings.
▪ Export the data from the table to an Excel file.
▪ Create Device Groups.
▪ Edit the Group Priority.
▪ Edit Device Groups.
▪ Remove Device Groups.


5 Entry Selection Selecting an entry in this table provides you with several features, as
follows:
▪ Open and edit Device Group – Click an entry to edit the Device
Group. Default Device Groups cannot be edited. Clicking a default
group allows you to view the group and the list of devices in the
group.
▪ Open in a new tab – Opens the selected Device Group in a new tab
to view or edit the Device Group.
▪ Remove Device Group – Right-click an entry to remove the Device
Group.

6 Clear Filter Click to clear all column filters.

7 View Configuration Click to select an option to define preset and current views of the
table. These views are defined separately for each administrator.
The options are as follows:
▪ Views – Select the preset view to define the current view and how
the table is displayed. The current view defines the column
location, width, sort, filters, and which column is displayed.
▪ Reset – Resets the table view to the default settings of the current
preset view.
▪ Update to match current view – Saves the current view as the
default of the current preset view.
▪ Rename – Opens a dialog box to change the name of the current
preset view.
▪ Remove – Removes the current preset view from the list and
changes the current preset view to Default View. Default View
cannot be removed.
▪ Create new – Opens a dialog box to create a new preset view
based on the current table settings. Once created, this view
becomes the current preset view.

8 Column Selector Defines which columns are displayed in the table. Clear or select the
checkbox to define which columns are displayed.

9 Export Click to select an option to export the data from the table. The
options are as follows:
▪ Export all columns – Creates an Excel file that contains all entries
displayed in the table, with data from all columns available.

▪ Export visible columns – Creates an Excel file that contains all
entries displayed in the table, with data from all columns displayed.
To define what is displayed in the table, use Filters to define which
entries are displayed and Column Selector to define which columns
are displayed.

10 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.

11 Items per Page Sets the number of entries per page. From the footer of the page you
may select whether 25, 50, 100 or 150 entries are included per page.

12 Page View Sets the page currently viewed. From the footer of the page you can
select the page to be displayed.

5.2.1 Create Group and Edit Group Screens


The Create Group and Edit Group screens are used to create or edit Device Groups. These
screens include the following tabs:

▪ General – Displays and defines the general information of the Device Group.

▪ Devices in this group – Displays all devices assigned to the group.

▪ Rules – Displays and defines the rules to automatically assign devices to the group, based
on device properties.

▪ Manual – Displays all devices available for manual assignment to the group.

The following figures illustrate typical Create and Edit Device Group screens with numbered
callouts. The callouts are described in the table below.

Create Device Group (General) with Callouts

Create Device Group (Rules) with Callouts

Create Device Group (Manual) with Callouts

Edit Device Group (Devices in this group) with Callouts

Create Device Group Screen Components

Item Term Description

1 Name Name of the Device Group. The name for each Device Group must
be unique.

2 Platform Type of platform (OS) associated with the group. In the Policy
parameter, all available policies listed are based on the defined
platform.

3 Policy Name of the policy associated with the group. The drop-down box
lists all available policies for the selected platform.

4 Device Group Tabs These tabs switch the information displayed and the available actions
for the Device Group. The tabs are as follows:
▪ General – Displays and defines the general information of the
group.
▪ Devices in this group – Displays all devices assigned to this Device
Group. Rules must be saved before rule-based device
assignments are displayed.
▪ Rules – Displays and defines the group rules to automatically
assign devices to the Device Group.
▪ Manual – Displays all devices available for manual assignment.
Devices can be manually assigned from this tab.

5 Add Condition In the Rules tab, this section defines new rules and conditions to be
added to the Device Group. After selecting a rule attribute, this
section changes for you to enter the appropriate condition for each
attribute.

6 Rules Panel In the Rules tab, this section displays the rules defined for the Device
Group. From this section, you can view and delete the existing rules
and conditions for the Device Group.

7 Manual In the Manual tab, a table displays all devices available for manual
selection and allows the administrator to manually select devices.

8 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.


9 Select all visible devices Click to select all the filtered devices in the table.
To quickly select multiple devices, use the column filters to include
only the devices you want selected. Then click Select all visible
devices. All filtered devices in the table from all the pages are then
selected.

10 Devices in this group In the Devices in this group tab, a table displays all devices assigned
to the Device Group. Rules must be saved before rule-based device
assignments are displayed.

5.2.1.1 Rules Tab


The Rules tab displays and defines the rules and conditions to automatically assign devices to the
Device Group. This tab is accessible from the Create Group and Edit Group screens. The Rules tab
contains two sections:

▪ Add Conditions – This section defines new conditions for the rules in the Device Group.

▪ Rules Panel – This section displays all the rules and conditions defined for the Device
Group.

Rules Tab in Device Group

Add Conditions

This section defines new conditions for rules to be added to the Device Group. After selecting a
rule attribute, this section changes for you to enter the conditions, where the appropriate
definition for each attribute is displayed. Rules and conditions can be generated using any of the
following attributes:

▪ Tenant – Rule assigns devices based on the name of an existing tenant.

▪ Device Name – Rule assigns devices based on the name of the device. Type text related to
device names and define how the text is used in the rule.

▪ OU – When integrated with your Active Directory, this rule assigns devices based on their
association with an Organizational Unit. Select an existing OU.

▪ Domain Name – When integrated with your Active Directory, this rule assigns devices based
on their association with a domain name. Select an existing domain name.

▪ Device Tag – Rule assigns devices based on the name of the device tags. Type text related to
device tags and define how the text is used in the rule. Device tags are defined during
device deployment.

▪ D-Client Version – Rule assigns devices based on the version of the D-Client installed on the
device. Type text related to version number and define how the text is used in the rule.

▪ IP Range – Rule assigns devices based on the IP address of the device. Enter the range of IP
addresses by typing the first and last IP addresses in the range.

▪ OS Version – Rule assigns devices based on the operating system installed on the device.
Type text related to the operating system and define how the text is used in the rule.

Rules Panel

This section displays the rules and conditions defined for the Device Group. From this section, you
can view and delete existing rules and conditions. The Rules Panel groups each attribute
separately, where the conditions for all the rules are listed below each attribute.

Based on these rules, devices are automatically assigned using the following logic:

▪ When multiple values are added for the same attribute, this results with an attribute with
multiple conditions. When a device complies with any of these conditions, the device
complies with that attribute.

▪ When a Device Group includes multiple rules with multiple attributes, devices must comply
with all attributes to be assigned to the Device Group.

▪ When a device complies with the rules from multiple Device Groups, the device is assigned
based on the defined group priority.

▪ When a device is manually assigned to a Device Group, the device is assigned to this Device
Group regardless of the defined rules.


5.2.1.2 Manual Tab


The Manual tab displays all devices available for manual selection. Using the checkboxes, devices
can be manually assigned to the Device Group. Manually assigned devices ignore group rules.
Once a device has been manually assigned, it can be automatically assigned again, using group
rules, by clearing the checkbox. The Manual tab contains a table that includes the following
information:
▪ Name – Name of the device.

▪ Alias – Displays an additional identifier for the device, as follows:

▪ For Active Directory (AD) objects, displays the name of the object.

▪ For mobile devices, displays the associated email address.

▪ D-Client Version – Installed D-Client version on the device. This information can be used for
ramping up with a new version.

▪ IP Address – IP address of the device.

▪ Group – Name of the Device Group of which the device is currently a member. This is only
displayed in the table for manual selection.

▪ Tenant – Name of the tenant that owns the device. This information is only displayed on
systems with MSP support.

▪ Tag – Displays the Device Tag of the device.

From this table, you can do the following:

▪ Filter the information to only display the relevant information.

▪ Sort the information by clicking on column headings. The information in the table is sorted
based on the selected column.

▪ Define which columns are displayed.

▪ Reset columns and filters to their default settings.

▪ Export the data from the table to an Excel file.

▪ Manually select and deselect devices for the Device Group.

5.2.1.3 Devices in This Group Tab


The Devices in this group tab displays all devices assigned to the Device Group. Rules must be
saved before rule-based device assignments are displayed. This tab contains a table that
includes the following information:
▪ Name – Name of the device.

▪ Alias – Displays an additional identifier for the device, as follows:

▪ For Active Directory (AD) objects, displays the name of the object.


▪ For mobile devices, displays the associated email address.

▪ D-Client Version – Installed D-Client version on the device. This information can be used for
ramping up with a new version.

▪ IP Address – IP address of the device.

▪ Tenant – Name of the tenant that owns the device. This information is only displayed on
systems with MSP support.

▪ Tag – Displays the Device Tag of the device.

▪ Source – Displays whether the device was assigned by group rules or manually assigned.
This is only displayed in the table of the devices in the group.

From this table, you can do the following:

▪ Filter the information to only display the relevant information.

▪ Sort the information by clicking on column headings. The information in the table is sorted
based on the selected column.

▪ Define which columns are displayed.

▪ Reset columns and filters to their default settings.

▪ Export the data from the table to an Excel file.

5.2.2 Group Priority


The Group Priority screen defines which Device Group a device is assigned to when the device
complies with the rules of multiple Device Groups. This screen displays a table for each platform
that contains information about the relevant Device Groups.

The table includes the following columns:

▪ Priority – Defines the priority for determining which Device Group a device is assigned to.
The top row is the first priority, and the bottom row is the last priority.

▪ Name – Displays the name of the Device Group.

▪ Rules – Displays the number of rules defined for the Device Group.

▪ ▼ ▲ – Changes the priority of the Device Group. Click ▲ to move the Device Group to a higher
priority and click ▼ to move the Device Group to a lower priority. When changing priorities,
the table changes accordingly.
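The assignment logic described under Rules Panel (conditions of one attribute are ORed, attributes are ANDed, group priority breaks ties between matching groups, and a manual assignment wins over everything) and the Group Priority table in this section can be checked against the following model. It is an added illustration, not Deep Instinct's code or API. The guide does not say how text conditions are compared, so the model assumes case-insensitive substring matching; it also assumes an IP Range includes both end addresses, that the top row of the Group Priority table is priority 1, that a group with no rules assigns nothing automatically, and that a device matching no group falls to a group named Default. All group, device and tag names are constructed sample data.

```python
"""Model of the Device Group assignment order: manual assignment, then group
priority among rule-matching groups, then a default group.

Added illustration only; not Deep Instinct's code. Assumptions not stated in
the guide: text conditions match as case-insensitive substrings, IP Range is
inclusive of both addresses, priority 1 is the top row of the Group Priority
table, a group without rules assigns no device automatically, and a device
matching no group goes to "Default".
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Device:
    name: str
    ip: str
    tags: tuple = ()
    client_version: str = ""
    os_version: str = ""
    tenant: str = ""


@dataclass
class DeviceGroup:
    name: str
    priority: int                              # 1 = top row of Group Priority
    rules: dict = field(default_factory=dict)  # attribute -> list of conditions


def condition_matches(device, attribute, condition):
    """One condition of one attribute against one device."""
    if attribute == "IP Range":
        first, last = (ipaddress.ip_address(a) for a in condition)
        return first <= ipaddress.ip_address(device.ip) <= last
    if attribute == "Device Tag":
        return any(condition.lower() in tag.lower() for tag in device.tags)
    text = {
        "Device Name": device.name,
        "D-Client Version": device.client_version,
        "OS Version": device.os_version,
        "Tenant": device.tenant,
    }[attribute]
    return condition.lower() in text.lower()  # assumed "contains" semantics


def device_matches_group(device, group):
    """AND across attributes; OR across the conditions listed under one attribute."""
    if not group.rules:
        return False  # assumption: no rules means no automatic assignment
    return all(
        any(condition_matches(device, attribute, c) for c in conditions)
        for attribute, conditions in group.rules.items()
    )


def assign_group(device, groups, manual_assignments, default_group="Default"):
    """Resolve in the guide's order: manual assignment, then group priority over
    the rule-matching groups, then the default group."""
    if device.name in manual_assignments:
        return manual_assignments[device.name]
    matching = [g for g in groups if device_matches_group(device, g)]
    if not matching:
        return default_group
    return min(matching, key=lambda g: g.priority).name


# Constructed sample data (not taken from the guide).
GROUPS = [
    DeviceGroup("Finance-Strict", priority=1, rules={
        "IP Range": [("10.1.0.1", "10.1.0.254")],
        "Device Tag": ["finance"],
    }),
    DeviceGroup("Pilot-3.1", priority=2, rules={
        "D-Client Version": ["3.1"],
    }),
]
MANUAL = {"HR-LAPTOP-03": "HR-Manual"}
DEVICES = [
    Device("FIN-PC-01", "10.1.0.20", tags=("finance", "vip"), client_version="3.1.0.12"),
    Device("FIN-PC-02", "10.1.0.30", tags=(), client_version="3.0.0.8"),
    Device("ENG-PC-07", "10.2.0.5", tags=("eng",), client_version="3.1.0.12"),
    Device("HR-LAPTOP-03", "10.1.0.40", tags=("finance",), client_version="3.1.0.12"),
]


def assignments():
    """Resolved group for every sample device."""
    return {d.name: assign_group(d, GROUPS, MANUAL) for d in DEVICES}


if __name__ == "__main__":
    for name, group in assignments().items():
        print(f"{name:14} -> {group}")
```

Running the script prints one line per sample device. FIN-PC-01 matches both groups and lands in Finance-Strict by priority, FIN-PC-02 is in the finance subnet but lacks the tag so the AND across attributes fails, and HR-LAPTOP-03 would match Finance-Strict but its manual assignment takes precedence.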

5.2.3 Creating a New Device Group


To create a new Device Group:
1. Select Policy > Device Groups from the left pane to open the Device Group List.


2. Click Create Group from the table header. The Create Device Group screen opens.

3. In the Name box, type the name of the new group. The name must be a unique name with a
length between 3 and 35 characters.

4. From the Platform drop-down list, select for which platform the new group will be applied.

5. From the Policy drop-down list, select an existing policy to apply to the group. If the policy
does not exist, create the policy before creating the group.

6. For Device Groups that automatically assign devices, click the Rules tab and define the
group rules.


7. For Device Groups where devices are assigned manually, click the Manual tab and select the
checkboxes for the devices to be assigned to the group. Each device can only be assigned to
one group.

You may use the sort and filter options to assist with finding and selecting devices. The
following includes some of the ways the filter option may be used:

▪ Enter a partial IP address to find all devices in a specific subnet.

▪ Filter by Group name to move devices between Groups.

▪ Filter by the D-Client Version to implement new versions.

8. To select all filtered devices, click Select all visible devices.

9. Click Create. Each device in the group is then updated with the selected policy during its
next connection to the D-Appliance. The new group is added to the Groups table and the
Group Priority table.

10. Open Group Priority and view the priority of the new group. To change the priority, see
Group Priority.

5.2.4 Edit a Device Group


To edit a Device Group, including adding or removing devices:
1. Select Policy > Device Groups from the left pane to open the Device Group List.


2. Click the Device Group you want to edit. The Edit Group screen opens.

3. Edit the Device Group as needed. The following parameters can be edited:

▪ Group Name

▪ Attached Policy

▪ Add or remove group rules

▪ Add or remove devices from the group

4. To add or remove rules from the group, click the Rules tab.


5. To add a device to the group, click the Manual tab and select the checkboxes for the devices
to be added to the group. Each device can only be a member of one group. To remove a
device from the group, clear the checkbox for the device.

6. To view all the devices in the group, click the Devices in this group tab. Rules must be saved
before rule-based device assignments are displayed.

7. Click Save & Apply. Each device in the group is then updated with the selected policy during
its next connection to the D-Appliance. The changes to the group are displayed in the
Groups table.


5.2.5 Removing a Device Group


To remove a group:
1. Select Policy > Device Groups from the left pane to open the Device Group List.

2. From the list, right-click the group you want to delete and then select Remove group. A
dialog box opens to confirm your request.

3. Click Remove. The group is removed from the Groups table. All devices associated with the
removed group are reassigned to another group based on the group priorities.

5.3. Troubleshooting Tools


Deep Instinct includes tools to assist the administrator in resolving problems with the D-Client.
After a D-Client has been installed, the administrator may use the following tools:

▪ Debug Log Collection

▪ Disable and Enable the D-Client


▪ Create a Memory Dump File

▪ Change the D-Appliance Address

5.3.1 Debug Log Collection


The administrator has an option to collect and download D-Client Debug logs for Deep Instinct to
assist in troubleshooting your devices. Once the Debug log has been downloaded, it can be
viewed by the administrator or sent to Deep Instinct for debugging.

Downloading the debug file can be performed remotely from the Device List or locally from the
device. Deep Instinct™ provides the following methods to collect and download the D-Client Debug
logs from devices:

▪ Collect and download Debug logs from a single device.

▪ Collect and download Debug logs from multiple devices.

▪ Collect and download Debug logs directly from a device.

To remotely collect and download the D-Client Debug log from a device:
1. Select Devices > Device List from the left pane to open the Device List.

2. Right-click the device from where you want to collect the Debug log and then select Collect
logs. A message appears that the logs are being collected and the Log Status changes to
Pending.

3. After the request to collect the logs is sent to the D-Client, the Log Status changes to Sent to
Client.

4. Once the logs have been collected, the Log Status changes to Ready. To see the status
change, you may need to refresh the screen.


5. Right-click the device and then select Download logs. A zip file containing the log file is
downloaded and a notification is sent.

6. To view the log file from a Windows device, open the zip file and view the ui.log file. You may
also send the zip file to Deep Instinct for troubleshooting.

To remotely collect and download the D-Client Debug log from multiple devices:
1. Select Devices > Device List from the left pane to open the Device List.

2. Select the devices from which you want to collect the Debug logs by selecting the
checkboxes of their entries. The Actions icon appears in the header of the table.

3. Click the Actions icon and select Collect logs. A message appears that the logs are being
collected.

4. Once the logs have been collected, the Log Status changes to Ready for each device. To see
the change of status you may need to refresh the screen. The logs can then be downloaded
for each device separately.

5. Right-click the device from which you want to download the log and then select Download
logs. A zip file containing the log file is downloaded and a notification is sent.

6. To view the log file from Windows devices, open the zip file and view the ui.log file. You may
also send the zip file to Deep Instinct for troubleshooting.

To locally collect the D-Client Debug log from a Windows device:


1. From the notification area, right-click the Deep Instinct icon and click Collect Logs.

2. While the logs are being collected, an empty zip file is created and saved to the directory
C:\ProgramData\DeepInstinct\logs\, and the folder opens. The zip file size increases as the
logs are collected. When the zip file size stops increasing, the log collection is complete and
the zip file is ready.

3. To view the log file, open the zip file and view the ui.log file. You may also send the zip file
to Deep Instinct for troubleshooting.

To locally collect the D-Client Debug log from a macOS device:


1. From the menu bar, click the Deep Instinct icon and click Collect Logs.

2. While the logs are being collected, the first zip file is created and saved to the folder
/private/var/log/DeepInstinct/, and the folder opens. When the second zip file is created, the
log collection is complete.

3. The zip file can now be sent to Deep Instinct for troubleshooting.

To locally collect the D-Client Debug log from a Linux device:


1. Open a Terminal window.

2. At the command prompt, type the following command:


sudo /opt/deepinstinct/bin/DeepCLI --cl

3. A zip file is created and saved to the directory /tmp/.

4. The zip file can now be sent to Deep Instinct for troubleshooting.

5.3.2 Disable/Enable D-Client


After the D-Client has been installed, it may be disabled to eliminate its influence while
troubleshooting a problem on a Windows, macOS or Linux device. This can be performed remotely
from the Device List or locally from the device. Disabling the D-Client locally requires a
password, which is defined in the policy. Once the problem is resolved, the D-Client can be
enabled again.

Note: When a device is disabled, the D-Client stops scanning files and files are not
checked by the D-Cloud. All services resume when the D-Client is enabled again, but
files written to the disk while it was disabled are not scanned.

Deep Instinct™ has several methods to disable or enable devices from the system:

▪ Disable or enable the D-Client on a device using a single entry

▪ Disable or enable the D-Client on devices using multiple entries

▪ Disable or enable the D-Client on a device locally

Note: Only use one of the above methods to disable or enable the D-Client on a
device.

To remotely disable or enable the D-Client on a device:


1. Select Devices > Device List from the left pane to open the Device List.

2. Right-click the device on which you want to disable/enable the D-Client and then select
Disable D-Client or Enable D-Client. A dialog box opens to confirm your request.

3. Click Disable/Enable to disable/enable the D-Client on the device.

4. During the next communication from the device, the D-Client is disabled/enabled and the
status changes to Disabled/Registered. You may need to refresh the screen to display the
change.

To remotely disable or enable the D-Client on multiple devices:


1. Select Devices > Device List from the left pane to open the Device List screen.

2. Select the devices on which you want to disable/enable the D-Client by selecting the
checkboxes of their entries. The Actions icon appears in the header of the table.

3. Click the Actions icon and select Disable D-Client or Enable D-Client. A dialog box opens to
confirm your request.

4. Click Disable/Enable to disable/enable the D-Clients on the selected devices.

5. During the next communication from each device, the D-Client is disabled/enabled and the
status changes to Disabled/Registered. You may need to refresh the screen to display the
change.

To locally disable or enable the D-Client on a Windows device:


1. Save the installation file to a location that the Windows device can access.

2. Open the Command Prompt window as an administrator.

3. At the command prompt, type the relevant command, as follows:

▪ To disable the D-Client: <exe path><installation file> /d <password>

Where:
• exe path – Path for the installation file.

• installation file – File name for the appropriate installation file.

• password – Disable password, as defined in the relevant Windows Policy.

▪ To enable the D-Client: <exe path><installation file> /e

To locally disable or enable the D-Client on a macOS device:


1. Open a Terminal window.

2. At the command prompt, type the relevant command, as follows:

▪ To disable the D-Client:


sudo '/Volumes/Deep Instinct/installer.sh' -d '<password>'

Where:
• password – Disable password, as defined in the relevant macOS Policy.

▪ To enable the D-Client:


sudo '/Volumes/Deep Instinct/installer.sh' -e

To locally disable or enable the D-Client on a Linux device:


1. Open a Terminal window.

2. At the command prompt, type the relevant command, as follows:

▪ To disable the D-Client:


sudo /opt/deepinstinct/bin/DeepCLI --disable '<password>'

Where:
• password – Disable password, as defined in the relevant Linux Policy.

▪ To enable the D-Client:


sudo /opt/deepinstinct/bin/DeepCLI --enable

5.3.3 Create a Memory Dump File


The administrator can create a memory dump file for Deep Instinct to assist in troubleshooting
on Windows devices. For example, a dump file may be created to help resolve a performance issue
on a Windows device. Once the memory dump file has been created, it can be viewed by the
administrator or sent to Deep Instinct for debugging.

To create a memory dump file for debugging, hold down the rightmost Ctrl key, and press the
Scroll Lock key twice. This initiates a manual crash and creates a memory dump file,
MEMORY.DMP, in the directory C:\Windows. This keyboard-initiated crash only works if it has been
enabled beforehand in Windows (the keyboard driver's CrashOnCtrlScroll setting, which is off by
default), and it halts the device with a stop error, so plan for the interruption.

5.3.4 Change the D-Appliance Address


The D-Appliance assigned to a D-Client is defined by the D-Appliance address. The assigned D-
Appliance may be changed locally on Windows or macOS devices for troubleshooting. For more
information, see the Deployment Guide.


6. D-Appliance Management
This chapter includes information on procedures and features related to managing the access
and use of the Management Console. It includes the following:

▪ Signing into the Deep Instinct™ Management Console

▪ Signing out of the Management Console

▪ General Settings

▪ Integration and Notification

▪ Administrator Accounts

▪ Release Notes

▪ My Profile

▪ Audit Logs

6.1. Signing In
To sign into Deep Instinct™ Management Console:
1. To open Deep Instinct, enter the FQDN of the D-Appliance in the Address bar of the browser
(for example, https://customer.deepinstinctweb.com).

The following Administrator Sign In dialog box appears:

2. If Single Sign-On (SSO) has been configured, you may sign in using SSO Authentication, as
follows:

a. When the regular Sign In dialog box is displayed, click Sign in with SSO and the following
screen appears:

b. Enter your username and click Sign In.

3. If you do not use Single Sign-On (SSO) to sign in, perform the following:

a. When the Sign in with SSO dialog box is displayed, click Sign in with password and the
following screen appears:

b. Enter your username and password and click Sign In.

Deep Instinct provides a Retry Lockout feature that prevents brute-force sign-in attacks. It
locks the user account after five failed sign-in attempts and releases the locked account
after one hour.
If this is the first time signing in after the initial installation, you must change your
password. For more information, see Getting Started.
4. If Multi-Factor Authentication is enabled with Google Authenticator and this is the first time
signing in with this username, the following screen appears:

a. To proceed, a Google Authenticator account needs to be created for Deep Instinct. After
Google Authenticator has been installed on your mobile device, click Next to proceed.
The Google Authenticator Setup dialog box appears. Perform the following:

b. If Google Authenticator has not been installed on your mobile device, download the app
and install it now.

c. Open Google Authenticator and scan the QR code from the Google Authenticator Setup
dialog box.

d. Click Next and the Verification Code Required dialog box appears.

e. Enter the verification code displayed in Google Authenticator and click Verify.

5. If Multi-Factor Authentication is enabled with Google Authenticator and this is not the first
time logging on with this username, the Verification Code Required dialog box appears.
Perform the following:

a. Open Google Authenticator to display the verification code for Deep Instinct.

b. Enter the verification code and click Sign In.

c. As an alternative method, you can authenticate using email verification by clicking Use
Email Verification. See the following step for more information.

6. If Multi-Factor Authentication is enabled with Email Verification, or Use Email Verification
was clicked in the step above, an email is sent to you. The Email Verification dialog box
appears. Perform the following:

a. Open the verification email and enter the verification code in the dialog box.

b. The verification code expires after 120 seconds. If it has expired, click Resend Email and
enter the new code.

c. Click Sign In.

6.2. Signing out


To close a session or change administrators, the current administrator must first sign out.
Whenever a session is inactive for a period of time, as defined in the General Settings, the system
automatically signs out the administrator.

To sign out:

1. Click the Administrator icon at the top right corner of the screen and then click Sign Out.
A dialog box opens to confirm your request.

2. Click OK to sign out. The Administrator Sign In screen opens for a new administrator to sign
in.

6.3. Settings
The Settings screens are used to define the general settings for the system and define the
administrator users of the Management Console. Based on the permissions of the administrator,
some screens may not be displayed. Deep Instinct contains the following Settings screens:

▪ General Settings

▪ Integration and Notification

▪ Administrator Accounts

6.3.1 General Settings


The General Settings define the parameters for the system and apply to all devices. To open
the General Settings screen, select Settings > General Settings from the left pane.

The following figure illustrates the General Settings screen.

General Settings Screen

From the General Settings screen, the following parameters can be defined:

▪ Session Setting

▪ Sign-in Authentication

▪ Email Notifications

▪ Administrator Contact Details

▪ Statistical Information

▪ Monitor

6.3.1.4 Session Setting


The Session setting defines the parameter for closing the Management Console after the session
is inactive for a period of time.

Session Setting

Parameter – Definition

Session idle time limit (minutes) – Defines the idle time interval (in minutes) before the system
automatically signs out the administrator. The default value is 30 minutes.

6.3.1.5 Sign-in Authentication Configuration


The Sign-in Authentication configuration defines the parameter for authentication requirements
for signing into the Management Console.

Sign-in Authentication Configuration

Parameter – Definition

Multi-Factor Authentication – Defines whether multi-factor authentication (MFA) is required to
log on to the Management Console and Hub Console. It also defines the type of authentication
required.
To enable Email / Google Authentication, the SMTP Server settings must be defined.
In systems with MSP support, multi-factor authentication can be defined for the Hub Console
and for each MSP Management Console separately.
Select one of the following options in the appropriate console:
▪ None – Multi-factor authentication is not enabled.
▪ Email – Enables email authentication, where an email is sent with a verification code that
must be used to sign in to the console.
▪ Google Authenticator – Enables authentication using the Google Authenticator app, which gives
you a verification code that must be used to sign in to the console. For more information, go
to https://support.google.com/accounts/answer/1066447?hl=en&ref_topic=2954345
None is the default value.

6.3.1.6 Email Notifications Configuration


The Email Notifications configuration defines whether notifications of events are sent by email to
the people who need to be notified. It also defines the email addresses to which the notifications
are sent. By default, the Recipients' Email Addresses parameter is not defined and must be set
before notifications can be sent by email.

To send email notifications, the following steps must be completed:

1. Define the parameters for communicating with your SMTP server, as defined in the Startup
Wizard or SMTP Server Configuration.

2. Enable the D-Appliance to send notifications by email, as defined in this section.

3. Define the email addresses of the people to receive the email notifications, as defined in
this section.

4. Select which events trigger an email from the Email Notifications screen.

Email Notifications Configuration

Parameter – Definition

Send notifications by Email – Defines whether email notifications are sent when events occur. To
define which events trigger notifications, select the events from the Email Notifications screen.
▪ Click the toggle to enable or disable email notifications. By default, an email notification is
sent each time a selected event occurs.
SMTP server settings and recipients' email addresses must be defined to send email notifications.

Recipients – Defines the email addresses of the people that will receive the notifications. By
default, this parameter is not defined and must be set to send email notifications. See the
procedure below.

To configure the Email Notifications parameters:


1. Click the Recipients’ Email Addresses button. The Recipients’ Email Addresses dialog box
opens.

2. In the Emails box, enter the email addresses. To enter multiple email addresses, separate
the addresses with commas.

3. Click OK. The Recipients’ Email Addresses dialog box closes.

4. The email addresses are now displayed on the Recipients' Email Addresses button.

5. Click Save & Apply to implement the change. A message appears to confirm that the
changes were saved successfully.

6. To define which events trigger an email notification, open the Email Notifications screen
and select the events.

6.3.1.7 Administrator Contact Details Configuration


The Administrator Contact Details configuration defines the parameters for the contact
information displayed in the deployment emails.

Administrator Contact Details Configuration

Parameter – Definition

Name – Defines the name of the administrator for employees to contact if they have any questions
about the deployment.

Title – Defines the title of the contact administrator.

Phone number – Defines the phone number of the contact administrator.

Email address – Defines the email address of the contact administrator.

6.3.1.8 Statistical Information Configuration


The Statistical Information configuration defines the parameter for handling statistical
information.

Logs Configuration

Parameter – Definition

Send statistical information to Deep Instinct servers – Defines whether statistical information
is sent to Deep Instinct servers for further analysis.
▪ Click the toggle to enable or disable sending the relevant information to the Deep Instinct
servers.
By default, this feature is enabled.

6.3.1.9 Monitor Configuration


The Monitor configuration defines the parameter related to monitoring closed events, that is,
events that were closed based on information received from the D-Cloud. By default, these closed
events are not displayed in the Management Console. When the parameter Show events that were
closed by D-Cloud is enabled, the following is added to the Management Console:

▪ All counters, widgets, panels and tables that include closed events will include these closed
events.

▪ The option in the Event List to display the column Closed by D-Cloud, which indicates these
closed events.

Monitor Configuration

Parameter – Definition

Show events that were closed by D-Cloud – Defines whether closed events, based on D-Cloud
information, are shown in the Management Console.
▪ Click the toggle to enable or disable showing events that were closed based on D-Cloud
information.
By default, this feature is disabled.

6.3.2 Integration and Notification


The Integration and Notification screens define the parameters necessary to integrate with
external systems and to send notifications. To open the Integration & Notification screen, select
Settings > Integration & Notification from the left pane.

The following figure illustrates the Integration & Notification screen.

Integration & Notification Screen

From the Integration & Notification screens, the following can be defined:

▪ SMTP Server

▪ Email Notifications

▪ Syslog Server

▪ Syslog Notifications

▪ MDM

▪ Active Directory

▪ API Connectors

▪ Single Sign-On (SSO)

6.3.2.1 SMTP Server Configuration


The SMTP Server screen defines the parameters for communicating with the SMTP server. This is
required to send emails for deployment of mobile devices and email notifications. To open the
SMTP Server Configuration screen, select Settings > Integration & Notification from the left pane
and then click SMTP Server from the right pane.

To define and enable the use of your SMTP server to send email notifications to your
administrator, the following steps must be performed:

1. Define the parameters for communicating with your SMTP server, as defined in the Startup
Wizard or this section.

2. Enable the D-Appliance to send notifications by email to your administrator.

3. Define the email addresses of the administrators to receive email notifications.

4. Select which events trigger an email to your administrator.

The following figure illustrates the SMTP Server Configuration screen and the parameters are
described in the table below.

SMTP Server Configuration Screen

SMTP Server Parameters

Parameter – Definition

Hostname / IP address – Defines the SMTP Server address. Enter the server's hostname or IP
address.

Port – Defines the SMTP Server port number.

Enable secure SMTP – Defines whether communications with the SMTP server use a security
protocol. Click the toggle to enable or disable secure SMTP. By default, secure SMTP is enabled.
▪ When enabled, the D-Appliance uses the TLS (Transport Layer Security) protocol to communicate
with the SMTP server. This must be selected when your organization uses an SMTP server with TLS.
▪ When disabled, the D-Appliance communicates with the SMTP server without any additional
security protocols.

Sender email address – Defines the email address displayed in the From box of the deployment
emails.

Username – Defines the username to access the SMTP server.

Password – Defines the password associated with the Username to access the SMTP server.

Test server settings – Tests the SMTP Server settings by sending an email. The password must be
entered to perform the test, even when the password is not changing. To perform the test, enter
your email address to receive the test email and click Send Test Email. A message appears when
the test completes successfully, and an email is sent. After verifying the settings, click Save &
Apply to implement the change.

6.3.2.2 Email Notifications Configuration


The Email Notifications screen is used to define which events trigger email notifications. To open
the Email Notifications screen, select Settings > Integration & Notification from the left pane and
then click Email Notifications from the right pane.

This screen includes an extensive list of events, which can be configured to trigger notifications
that are sent to defined emails. The list of events includes events for the following categories:

▪ Security Events

▪ Audit Log Events

▪ Health Check Events

▪ Client Lifecycle

This screen defines which events trigger notifications. However, the Email Notifications
parameters in the General Settings screen must be set to define the destinations of the
notifications.

The following figure illustrates the Email Notifications screen.

Email Notifications Screen

6.3.2.3 Syslog Server Configuration


The Syslog Server configuration defines the parameters for enabling and communicating with the
Syslog server. When enabled, all selected events are sent to the Syslog server. Deep Instinct
supports integration with Security Information and Event Management (SIEM) systems using
multiple protocols and formats. To open the Syslog Server Configuration screen, select Settings >
Integration & Notification from the left pane and then click Syslog Server from the right pane.

To define and enable the use of your Syslog server, the following steps must be performed:

1. Enable the D-Appliance to send events to your Syslog server, as defined in this section.

2. Define the parameters for communicating with your Syslog server, as defined in this section.

3. Select which events are sent to your Syslog server.

The following figure illustrates the Syslog Server Configuration screen and the parameters are
described in the table below.

Syslog Server Configuration Screen

Syslog Server Parameters

Parameter – Definition

Enable Syslog server – Defines whether the logs are sent to a Syslog server. To define which
events trigger notifications, select the events from the Syslog Notifications screen.
▪ Click the toggle to enable or disable notifications to the Syslog server. By default, this is
disabled.
When enabled, the following parameters are displayed. Syslog server settings must be defined to
send notifications.

Hostname / IP address – Defines the Syslog Server address. Enter the server's hostname or IP
address.

Port – Defines the Syslog Server port number.

Protocol – Defines the protocol used to send messages to the Syslog Server. Select one of the
following protocols:
▪ UDP – Defines the log messages to use UDP (User Datagram Protocol) to send information across
the network.
▪ TCP – Defines the log messages to use TCP (Transmission Control Protocol) to send information
across the network.
▪ TLS over TCP – Defines the log messages to use TLS (Transport Layer Security) over TCP to send
information across the network.

Format – Defines the Syslog format. Select one of the following formats:
▪ CEF – Sets the log message format to CEF (Common Event Format). This format is typically used
for Micro Focus ArcSight.
▪ LEEF – Sets the log message format to LEEF (Log Event Extended Format), which is a customized
event format typically used for IBM QRadar.
▪ RFC 5424 – Sets the log message format to comply with Syslog protocol RFC 5424.

Enable NXLog compatibility mode (LineBased messages) – Defines whether log messages are sent in
NXLog compatibility mode.
▪ Click the toggle to enable or disable NXLog compatibility mode. When enabled, the log message
format is NXLog compatible and all event records are separated by newlines.
By default, NXLog compatibility mode is disabled.

Test server settings – Tests the Syslog Server settings. Click Test and a message appears when
the test completes successfully. After verifying the settings, click Save & Apply to implement
the change.
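Once the Syslog server is enabled with a chosen Protocol, Format and NXLog setting, the practical check is whether what the collector actually receives matches that selection. The following Python script is an added example, not code from the Administrator Guide or from Deep Instinct: it splits a captured newline-separated stream into records, classifies each as CEF, LEEF or RFC 5424 and parses it; the sample records, their field names and values, and the SD-ID di@99999 are constructed placeholders.

```python
"""Check what a collector received from the D-Appliance Syslog integration.

Added example, not code from the Administrator Guide or from Deep Instinct:
split a captured stream into newline-separated records (NXLog compatibility
mode), classify each as CEF, LEEF or RFC 5424 and parse it, so the Format
chosen in the Syslog Server screen can be compared with what the SIEM ingests.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records. Field names, values and the SD-ID "di@99999"
# are illustrative placeholders, not real D-Appliance output.
SAMPLE_CEF = ("CEF:0|Deep Instinct|D-Appliance|3.1|100|Malicious file detected|8|"
              "src=10.0.0.5 suser=alice fname=invoice.exe act=Prevented")
SAMPLE_LEEF = ("LEEF:1.0|Deep Instinct|D-Appliance|3.1|100|"
               "src=10.0.0.5\tusrName=alice\tfileName=invoice.exe")
SAMPLE_RFC5424 = ('<134>1 2021-07-01T12:00:00Z d-appliance deepinstinct - ID100 '
                  '[di@99999 severity="high"] Malicious file detected')

_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")   # header fields may contain "\|"
# CEF extension: space-separated key=value pairs; values may contain spaces.
_CEF_KV = re.compile(r"([A-Za-z0-9_.]+)=(.*?)(?=\s[A-Za-z0-9_.]+=|$)")
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")

def detect_format(record: str) -> str:
    """Return CEF, LEEF, RFC5424 or UNKNOWN; a syslog header in front of
    CEF:/LEEF: (common when relayed over UDP/TCP) is tolerated."""
    if re.search(r"\bCEF:\d", record):
        return "CEF"
    if re.search(r"\bLEEF:\d", record):
        return "LEEF"
    if re.match(r"<\d{1,3}>\d+ ", record):
        return "RFC5424"
    return "UNKNOWN"

def parse_cef(record: str) -> Dict:
    """Split the seven pipe-delimited CEF header fields and the extension."""
    parts = _UNESCAPED_PIPE.split(record[record.index("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected seven pipes")
    head = [p.replace(r"\|", "|").replace(r"\\", "\\") for p in parts[:7]]
    return {"version": head[0].split(":", 1)[1], "vendor": head[1],
            "product": head[2], "device_version": head[3],
            "signature_id": head[4], "name": head[5], "severity": head[6],
            "ext": dict(_CEF_KV.findall(parts[7]))}

def parse_leef(record: str) -> Dict:
    """Parse LEEF 1.0 (tab-delimited attributes) and LEEF 2.0, whose header
    carries the attribute delimiter as a literal character or as hex (x09)."""
    body = record[record.index("LEEF:"):]
    version = body.split("|", 1)[0].split(":", 1)[1]
    n_header = 6 if version.startswith("2") else 5
    parts = _UNESCAPED_PIPE.split(body, maxsplit=n_header)
    if len(parts) != n_header + 1:
        raise ValueError("malformed LEEF header")
    delim = "\t"
    if n_header == 6 and parts[5]:
        d = parts[5].lower()
        hexpart = d[2:] if d.startswith("0x") else d[1:] if d.startswith("x") else ""
        delim = chr(int(hexpart, 16)) if hexpart else parts[5]
    attrs = dict(i.split("=", 1) for i in parts[-1].split(delim) if "=" in i)
    return {"version": version, "vendor": parts[1], "product": parts[2],
            "device_version": parts[3], "event_id": parts[4], "attrs": attrs}

def parse_rfc5424(record: str) -> Dict:
    """Parse the RFC 5424 header; PRI encodes facility * 8 + severity."""
    m = _RFC5424.match(record)
    if not m or m.group("version") != "1":
        raise ValueError("not an RFC 5424 version 1 message")
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "hostname": m.group("host"), "app_name": m.group("app"),
            "msgid": m.group("msgid"), "structured_data": m.group("sd"),
            "msg": m.group("msg") or ""}

def split_records(buffer: str) -> List[str]:
    """NXLog compatibility mode: one event record per line."""
    return [ln.rstrip("\r") for ln in buffer.split("\n") if ln.strip()]

def verify_stream(buffer: str, expected: str) -> Tuple[int, List[str]]:
    """Return (records_ok, mismatched_records) for a captured buffer, where
    expected is the Format chosen in the Syslog Server screen."""
    parsers = {"CEF": parse_cef, "LEEF": parse_leef, "RFC5424": parse_rfc5424}
    ok, bad = 0, []
    for rec in split_records(buffer):
        try:
            if detect_format(rec) != expected:
                raise ValueError("format mismatch")
            parsers[expected](rec)
            ok += 1
        except (ValueError, KeyError):
            bad.append(rec)
    return ok, bad

if __name__ == "__main__":
    captured = "\n".join([SAMPLE_CEF, SAMPLE_CEF, SAMPLE_LEEF]) + "\n"
    print(verify_stream(captured, "CEF"))  # (2, [SAMPLE_LEEF])
```

Feed `verify_stream` the raw bytes your collector wrote to disk (decoded as text) with the Format you saved; any record in the mismatch list means the appliance and the SIEM parser disagree on the format.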

6.3.2.4 Syslog Notifications Configuration


The Syslog Notifications screen is used to define which events trigger notifications to a Syslog
server. To open the Syslog Notifications screen, select Settings > Integration & Notification from
the left pane and then click Syslog Notifications from the right pane.

This screen includes an extensive list of events, which can be configured to trigger notifications to
a Syslog server. The list of events includes events for the following categories:

▪ Security Events

▪ Audit Log Events

▪ Health Check Events

▪ Client Lifecycle

This screen defines which events trigger notifications. However, Syslog Server parameters in the
Syslog Server screen must be set to define the destinations of the notifications.

The following figure illustrates the Syslog Notifications screen.

Syslog Notifications Screen

6.3.2.5 MDM Configuration


The MDM screen defines the parameters for selecting and communicating with a Mobile Device
Management (MDM) system. When enabled, the selected MDM system is integrated with Deep
Instinct and the mobile devices are synced between the MDM and Deep Instinct.

Deep Instinct reports the status and risk level for each mobile device. Based on this information,
the MDM system can then identify risky devices and enforce the appropriate compliance policies.

To integrate with VMware Workspace ONE UEM, the following is required:

▪ VMware Workspace ONE Unified Endpoint Management (UEM) version 19 or later

▪ VMware Workspace ONE UEM configured as follows:

▪ REST API enabled

▪ Status and Risk Level tags defined to accept Deep Instinct’s tags. Tags are as follows:

• DI_STATUS_REGISTERED – Device registered

• DI_STATUS_PENDING_DEACTIVATION – Device is pending deactivation

• DI_STATUS_DEACTIVATION – Device is deactivated

• DI_STATUS_NA – Device status is not available

• DI_MTD_LOW_RISK – Device risk level is low. Device has compliance issues.

• DI_MTD_MEDIUM_RISK – Device risk level is medium. Device has an open OS issue.

• DI_MTD_HIGH_RISK – Device risk level is high. Device has malicious apps and/or is
experiencing a network attack.

• DI_MTD_NO_RISK – Device is not at risk.

▪ VMware Workspace ONE UEM API Authentication Parameters:

▪ API key

▪ API account username and password

▪ REST API URL

To open the MDM screen, select Settings > Integration & Notification from the left pane and then
click MDM from the right pane.

The following figure illustrates the MDM screen.

MDM Configuration Screen

From the MDM screen, the following parameters can be defined:

▪ MDM Vendor

▪ MDM Server Settings

▪ Device Notifications

MDM Vendor Configuration

The MDM Vendor parameter defines whether Deep Instinct is integrated with an MDM and allows
you to select the MDM vendor. In this version, only VMware Workspace ONE UEM can be selected.
Once selected, the appropriate parameters required to integrate with the MDM are displayed.

MDM Vendor Configuration

Parameter – Definition

MDM vendor – Defines whether Deep Instinct is integrated with an MDM and which MDM software is
used. Select one of the following options:
▪ None – Deep Instinct is not integrated with an MDM.
▪ VMware – Deep Instinct is integrated with VMware Workspace ONE UEM and the appropriate
parameters for the integration are displayed. These parameters must be defined to complete the
integration.
None is the default value.

Workspace ONE UEM Server Settings

The Workspace ONE UEM Server settings define the parameters for communicating with the
Workspace ONE UEM server and its API account. They are required to integrate Deep Instinct with
the Workspace ONE UEM server to manage your mobile devices.

Workspace ONE UEM Server Settings

Parameter Definition

Workspace ONE URL Defines the URL of the Workspace ONE UEM REST API to which the
D-Appliance sends REST API commands.

Username Defines the username of the API Admin account.

Password Defines the password associated with the Username to access the API Admin
account.

API key Defines the API key used, together with the account credentials, to access the
API Admin account and send REST API commands. The API key and password are secrets;
use a dedicated API account with only the privileges this integration needs.

Organization groups Defines all the organization groups (OG) associated with the mobile
devices. To enter multiple groups, separate the groups with commas.


Test server settings Tests the Workspace ONE UEM Server settings.
The password must be entered to perform the test
successfully, even when the password is not changing.
Click Test and a message appears when the test
completes successfully.
After verifying the settings, click Save & Apply to
implement the change.

Device Notifications Configuration

The Device Notifications configuration defines whether Device Status and Device Risk Level
tags are sent to the MDM.

Device Notifications Configuration

Parameter Definition

Send status tags to MDM Defines whether the Device Status tags are sent to the
MDM server.
▪ Click the toggle to enable or disable sending Device
Status tags to the MDM server.
By default, this feature is disabled.

Send risk level tags to MDM Defines whether the Device Risk Level tags are sent to the MDM
server.
▪ Click the toggle to enable or disable sending Device Risk Level tags to the MDM server.
By default, this feature is disabled.

6.3.2.6 Active Directory Configuration


The Active Directory configuration defines the parameters for communicating with the Active
Directory server. Active Directory can be used to validate administrator users (Active Directory
administrator accounts) and to acquire other information that can be used in defining Device
Groups. To open the Active Directory Configuration screen, select Settings > Integration &
Notification from the left pane and then click Active Directory from the right pane.

The following figure illustrates the Active Directory Configuration screen and the parameters are
described in the table below.


Active Directory Configuration Screen

Active Directory Parameters

Parameter Definition

Hostname / IP address Defines the Active Directory server address. Enter the server's
hostname or IP address.

Port Defines the Active Directory server port number. Typically, the port is 389 for
LDAP and 636 for secure LDAP (LDAPS).

Username Defines the username of an account with read-only privileges on the Active
Directory server. Use the down-level logon name format (DOMAIN\UserName). Use a
dedicated read-only account, not a privileged domain account.

Password Defines the password associated with the Username to access the Active
Directory server with read-only privileges.

Enable secure LDAP Defines whether secure LDAP (Lightweight Directory Access Protocol
over TLS) communication is used.
Click the toggle to enable or disable secure LDAP. By default, secure LDAP is disabled.
▪ When enabled, the D-Appliance uses secure LDAP communications. This must be selected
when your organization uses secure LDAP, and is recommended in general, because
regular LDAP sends the bind password and the query results in cleartext.
▪ When disabled, the D-Appliance uses regular (unencrypted) LDAP communications.

Search base Defines the search base that limits the query to the relevant part of the
Active Directory. For example, DC=domain,DC=local.

Query filter Defines the LDAP search filter applied within the search base, to focus on
the relevant data in the Active Directory. For example, (objectCategory=Computer).

Test server settings Tests the Active Directory settings.
The password must be entered to perform the test successfully, even when the password
is not changing.
Click Test and a message appears when the test completes successfully.
After verifying the settings, click Save & Apply to implement the change.
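As an added example (it is not part of this guide or of the Deep Instinct product), the following Python checks the values entered on this screen against the constraints the table describes before you click Test: that the Username is in DOMAIN\UserName form, that the Search base is a DN, that the Query filter is a single parenthesised LDAP filter, and that Port and Enable secure LDAP agree. It also builds the equivalent OpenLDAP ldapsearch command so the read-only account, search base and filter can be verified from a workstation independently of the appliance. The host, account, base and filter values are assumptions.

```python
"""Added example, not Deep Instinct code: sanity-check the Active Directory
parameters described above and build an equivalent ldapsearch command.
All host/account/base/filter values below are assumptions."""
import re

LDAP_PORT, LDAPS_PORT = 389, 636   # plain LDAP and secure LDAP (LDAPS) defaults


def ldap_url(host, port, secure_ldap):
    """URL form of Hostname / IP address, Port and Enable secure LDAP."""
    return "%s://%s:%d" % ("ldaps" if secure_ldap else "ldap", host, port)


def _single_filter(query_filter):
    """True if the filter is one parenthesised RFC 4515 expression, e.g.
    (objectCategory=Computer) or (&(objectCategory=Computer)(cn=ws-*))."""
    f = query_filter.strip()
    if len(f) < 3 or f[0] != "(" or f[-1] != ")":
        return False
    depth = 0
    for i, ch in enumerate(f):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # depth may only return to zero on the final character
            if depth < 0 or (depth == 0 and i != len(f) - 1):
                return False
    return depth == 0


def check_ad_settings(host, port, username, secure_ldap, search_base, query_filter):
    """Return findings as 'error: ...' / 'warning: ...' strings; [] means the
    values are consistent with what the table above requires."""
    findings = []
    if not host.strip():
        findings.append("error: Hostname / IP address is empty")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        findings.append("error: Port must be 1-65535")
    # Down-level logon name: DOMAIN\UserName (a UPN such as user@domain is rejected).
    if not re.fullmatch(r'[A-Za-z0-9.\-]+\\[^\\/\[\]:;|=,+*?<>@"]+', username):
        findings.append("error: Username must use the DOMAIN\\UserName format")
    # Port and Enable secure LDAP have to agree, or the bind cannot even start.
    if secure_ldap and port == LDAP_PORT:
        findings.append("warning: secure LDAP enabled but Port is 389; LDAPS normally uses 636")
    if not secure_ldap:
        findings.append("warning: secure LDAP disabled; the bind password and query results "
                        "cross the network in cleartext")
        if port == LDAPS_PORT:
            findings.append("warning: Port 636 normally carries LDAPS; enable secure LDAP")
    # Search base: comma-separated attr=value RDNs such as DC=domain,DC=local.
    rdns = [r.strip() for r in search_base.split(",")]
    if not all(re.fullmatch(r"[A-Za-z][A-Za-z0-9\-]*=[^,]+", r) for r in rdns):
        findings.append("error: Search base is not a DN, e.g. DC=domain,DC=local")
    if not _single_filter(query_filter):
        findings.append("error: Query filter must be a single parenthesised LDAP filter, "
                        "e.g. (objectCategory=Computer)")
    return findings


def ldapsearch_command(host, port, username, secure_ldap, search_base, query_filter):
    """argv for an equivalent OpenLDAP ldapsearch run. -W prompts for the password
    so it never lands in shell history; the returned DNs should match what the
    appliance sees with the same read-only account."""
    return ["ldapsearch", "-H", ldap_url(host, port, secure_ldap), "-D", username, "-W",
            "-b", search_base, "-s", "sub", query_filter, "dn"]


if __name__ == "__main__":
    # Constructed values for a typical LDAPS configuration.
    args = ("dc01.domain.local", 636, r"DOMAIN\svc_di_ldap", True,
            "DC=domain,DC=local", "(objectCategory=Computer)")
    for finding in check_ad_settings(*args):
        print(finding)
    print(" ".join(ldapsearch_command(*args)))
```

Run it with the values you intend to enter; if the ldapsearch command returns the expected computer objects but the appliance's Test fails, the problem is on the network path between the D-Appliance and the domain controller (firewall, certificate trust for LDAPS) rather than in the account or filter.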

6.3.2.7 API Connectors


Deep Instinct provides a RESTful API that permits integration with third-party software to
monitor and respond to security events in real time. The RESTful API is accessed through an API
Connector, which carries an API key and a permission level. From the API Connectors screen you
can view, change and create API Connectors.

To open the API Connectors screen, select Settings > Integration & Notification from the left pane
and then click API Connectors from the right pane.

The following figure illustrates the API Connectors screen with numbered callouts. The callouts are
described in the table below.


API Connectors Screen with Callouts

API Connectors Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 Add Connector Click to open the dialog box to add a new API connector.

3 API Connectors Table that displays all the API connectors. The table includes the
Table following information:
▪ Name – Name of the API connector.
▪ Permission – Defined permission level for the API connector. The
following permissions are available:
▪ Read Only – Permission to receive information about events and
devices.
▪ Read and Remediation – Permission to receive information and
perform actions on events, files and allow lists/deny lists. Can
also receive information about devices.
▪ Full Access – Permission to receive information and perform
actions on events, files, devices and allow lists/deny lists.
▪ API Key – Authentication key assigned to the API connector. The
API key is generated by the system and is required to use the
RESTful APIs. Anyone who holds the key can call the API with the
connector's permission level, so store it as a secret and give each
connector the lowest permission level its integration needs.
▪ MSP – Name of the MSP associated with the API connector. This is
only available when displaying the API Connectors from the Hub
Console.
▪ Tenants – Name of the tenants associated with the API connector.
This is only available when displaying the API Connectors from the
Hub Console or an MSP Management Console.
▪ Last Updated – Date the API connector was last modified.

4 Entry Selection Selecting an entry in this table provides you with several features, as
follows:
▪ Edit API connector – Click an entry to edit the API connector. The
Edit Connector screen opens for the selected API connector.
▪ Action Options – Right-click an entry to open the available options
that can be performed on the API connector. From an entry, you
may perform the following tasks:
▪ Copy the API key to the clipboard.
▪ Regenerate the API key to create a new key, for example when the
existing key may have been exposed. Integrations that use the
existing key must be updated with the new one.
▪ Remove an API connector.

5 Clear Filter Click to clear all column filters.

6 View Configuration Click to select an option to define preset and current views of the
table. These views are defined separately for each administrator. The
options are as follows:
▪ Views – Select the preset view to define the current view and how
the table is displayed. The current view defines the column
location, width, sort, filters, and which column is displayed.
▪ Reset – Resets the table view to the default settings of the current
preset view. 
▪ Update to match current view – Saves the current view as the
default of the current preset view.
▪ Rename – Opens a dialog box to change the name of the current
preset view.

▪ Remove – Removes the current preset view from the list and
changes the current preset view to Default View. Default View
cannot be removed.
▪ Create new – Opens a dialog box to create a new preset view
based on the current table settings. Once created, this view
becomes the current preset view.

7 Column Selector Defines which columns are displayed in the table. Clear or select the
checkbox to define which columns are displayed.

8 Export Click to select an option to export the data from the table. The
options are as follows:
▪ Export all columns – Creates an Excel file that contains all entries
displayed in the table, with data from all columns available.
▪ Export visible columns – Creates an Excel file that contains all
entries displayed in the table, with data from all columns displayed.
To define what is displayed in the table, use Filters to define which
entries are displayed and Column Selector to define which columns
are displayed.

9 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.

Add API Connector

To use Deep Instinct’s RESTful APIs, API connectors must first be created.

To add a new API connector:


1. Open the API Connectors screen.


2. Click Add Connector from the table header. The Add Connector dialog box opens.

3. In the Name box, type the name of the new API connector. The length must be between
3 and 50 characters.

4. When adding an API connector from the Hub Console, click the MSP dropdown box and
select the MSP associated with this connector. The available tenants are determined based
on the selected MSP.

5. When adding an API connector from the Management Console with MSP support, click the
Tenants dropdown box and select the tenants associated with this connector. This API
connector only allows access to these selected tenants.

6. In the Permission box, select the permission level for this API connector. Select one of the
following to define the allowable permissions for this API connector:

▪ Read Only – Only permitted to receive information about events and devices.

▪ Read and Remediation – Permitted to receive information and perform actions on
events, files and allow lists/deny lists. Permitted to receive information about devices.

▪ Full Access – Permitted to receive information and perform actions on events, files,
devices and allow lists/deny lists.

Select the lowest level that covers what the integration actually does; a connector that
only forwards events to a SIEM needs Read Only.

7. Click Create. The new API connector is added to the list.
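The three permission levels form a strict ladder, which makes choosing the least-privileged connector for an integration, and auditing the connectors you already have, mechanical. The following Python is an added example, not Deep Instinct code: it encodes the levels as described on the API Connectors screen above, returns the lowest level that covers a set of required operations, and flags existing connectors that hold more than their observed usage needs. The connector names and usage sets are constructed; the permission model is taken from the table above.

```python
"""Added example, not Deep Instinct code: least-privilege selection and audit
for API connector permission levels. The levels come from the API Connectors
screen; connector names and usage lists below are constructed."""

# Permission level -> resource -> allowed actions, least to most privileged.
# "read" = receive information, "act" = perform actions.
PERMISSION_LEVELS = [
    ("Read Only", {
        "events": {"read"},
        "devices": {"read"},
    }),
    ("Read and Remediation", {
        "events": {"read", "act"},
        "files": {"read", "act"},
        "allow/deny lists": {"read", "act"},
        "devices": {"read"},
    }),
    ("Full Access", {
        "events": {"read", "act"},
        "files": {"read", "act"},
        "allow/deny lists": {"read", "act"},
        "devices": {"read", "act"},
    }),
]


def grants(level_name):
    """Resource -> actions granted by a named level."""
    for name, perms in PERMISSION_LEVELS:
        if name == level_name:
            return perms
    raise ValueError("unknown permission level: %s" % level_name)


def covers(perms, required):
    """True if every (resource, action) pair in `required` is allowed by perms."""
    return all(action in perms.get(resource, set()) for resource, action in required)


def minimum_level(required):
    """Least-privileged level that covers the operations an integration needs,
    or None if no level does (e.g. an operation the API does not expose)."""
    for name, perms in PERMISSION_LEVELS:
        if covers(perms, required):
            return name
    return None


def audit_connectors(connectors):
    """connectors: iterable of (name, assigned level, set of (resource, action)
    the integration is observed to use). Returns (name, assigned, recommended)
    for every connector holding more privilege than its usage needs; each is a
    candidate for a new connector at the lower level, followed by removing the
    old one (or regenerating its key if it must stay)."""
    over_privileged = []
    for name, assigned, used in connectors:
        needed = minimum_level(used)
        if needed is not None and needed != assigned and covers(grants(assigned), used):
            over_privileged.append((name, assigned, needed))
    return over_privileged


if __name__ == "__main__":
    # Constructed inventory: a SIEM forwarder, a SOAR playbook and an isolation bot.
    inventory = [
        ("siem-forwarder", "Full Access", {("events", "read")}),
        ("soar-playbook", "Read and Remediation",
         {("events", "act"), ("allow/deny lists", "act")}),
        ("isolation-bot", "Full Access", {("devices", "act")}),
    ]
    for name, assigned, recommended in audit_connectors(inventory):
        print("%s: %s -> %s" % (name, assigned, recommended))
```

The usage sets would normally come from the integration's own documentation or from reviewing which API calls it makes; the point of the audit is that a key that only ever reads events should not be able to act on devices if it leaks.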

6.3.2.8 Single Sign-On (SSO) Configuration


The Single Sign-On (SSO) configuration defines the parameters for signing into the Management
Console using SSO authentication. Deep Instinct supports the SAML 2.0 protocol to establish trust
between the D-Appliance (as the Service Provider) and any Identity Provider that supports the
SAML 2.0 protocol.

To integrate with an SSO Identity Provider, the following is required:

▪ The Identity Provider must support the SAML 2.0 protocol.

▪ Your Identity Provider requires the values of several parameters from Deep Instinct to
complete the integration. These parameters are displayed on the Single Sign-On (SSO)
Configuration screen, as follows:

▪ Single Sign-On URL (ACS)

▪ Entity ID

▪ RelayState

To open the Single Sign-On (SSO) Configuration screen, select Settings > Integration & Notification
from the left pane and then click Single Sign-On (SSO) from the right pane.

The following figure illustrates the Single Sign-On (SSO) Configuration screen and the parameters
are described in the table below.


Single Sign-On (SSO) Configuration Screen

Single Sign-On (SSO)  Parameters

Parameter Definition

Single Sign-On URL (ACS) Displays the Service Provider's (D-Appliance) Assertion
Consumer Service (ACS) URL. This is the URL to which the Identity
Provider sends SAML responses for the D-Appliance, and the
Destination the D-Appliance expects in those responses.
This parameter is required to configure your SSO Identity
Provider. Click Copy ACS URL to copy the URL to your
clipboard.

Entity ID Displays the ID of the Service Provider (D-Appliance). This
is also known as the Audience Restriction and is typically
a URL.
This parameter is required to configure your SSO Identity
Provider. Click Copy Entity ID to copy the ID to your
clipboard.

RelayState Displays the destination URL after a successful
authentication through SAML.
This parameter is required to configure your SSO Identity
Provider. Click Copy RelayState to copy the URL to your
clipboard.

Identity Provider URL Defines the URL of the Identity Provider (IdP) that
handles sign-in requests.

Identity Provider Issuer Defines the Identity Provider's issuer identifier (its entity
ID), as provided by the Identity Provider. The D-Appliance
compares it with the Issuer of the SAML responses it
receives during verification.

X.509 Certificate The Identity Provider's X.509 signing certificate, used to
verify the signature on SAML responses from your Identity
Provider. This certificate, received from your Identity
Provider, must be entered to configure SSO.
Click Upload Certificate to select the certificate file, or
paste the text of the certificate in the text box. When the
Identity Provider rotates its signing certificate, update it
here, or SSO sign-in fails.
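To show what each parameter in this table is actually checked against, the following Python is an added example (not Deep Instinct code, and not a description of how the D-Appliance is implemented): it applies the standard SAML 2.0 Service Provider checks that the ACS URL, Entity ID, Identity Provider Issuer and RelayState feed into, over a constructed, unsigned SAML Response. The ACS, Entity ID, RelayState and Issuer values in SP_CONFIG and the response are assumptions. Signature verification against the uploaded X.509 certificate is left out because it needs an XML-DSig library rather than the standard library; in a real Service Provider it runs first, and the checks below only mean something on a response whose signature has verified.

```python
"""Added example, not Deep Instinct code: the SAML 2.0 checks behind the SSO
parameters, run over a constructed SAML Response. Signature verification
against the IdP's X.509 certificate (which must run first) is not shown."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values: the first three are what the screen displays for copying to
# the IdP; the fourth is copied from the IdP into Identity Provider Issuer.
SP_CONFIG = {
    "acs_url": "https://di.example.com/saml/acs",          # Single Sign-On URL (ACS)
    "entity_id": "https://di.example.com/saml/metadata",   # Entity ID (Audience)
    "relay_state": "https://di.example.com/dashboard",     # RelayState
    "idp_issuer": "https://idp.example.com/saml",          # Identity Provider Issuer
}


def _utc(ts):
    """Parse SAML's UTC timestamps, e.g. 2021-07-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, config, now):
    """Return the checks that fail (empty list = accept). `now` is a datetime
    or a SAML timestamp string."""
    if isinstance(now, str):
        now = _utc(now)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]
    # Destination must be our ACS URL: a response minted for another SP that
    # trusts the same IdP must not be accepted here.
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination is not the ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("Status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    # Issuer must be exactly the configured Identity Provider Issuer.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_issuer"]:
        problems.append("Issuer %r is not the configured IdP Issuer" % issuer)
    # Audience Restriction must name our Entity ID.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if config["entity_id"] not in audiences:
        problems.append("Audience does not include our Entity ID")
    # Validity window: rejects replayed and not-yet-valid assertions.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        if cond.get("NotBefore") and now < _utc(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _utc(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    # Bearer confirmation must also be addressed to our ACS URL.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _utc(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation expired")
    return problems


def post_login_url(returned_relay_state, config):
    """RelayState comes back from the IdP as a plain form field. Redirecting to
    whatever it contains is an open redirect, so only the RelayState the screen
    displays is honoured; anything else falls back to it."""
    if returned_relay_state == config["relay_state"]:
        return returned_relay_state
    return config["relay_state"]


# Constructed, unsigned SAML Response matching SP_CONFIG.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2021-07-01T12:00:00Z" Destination="https://di.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-07-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>admin@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://di.example.com/saml/acs"
            NotOnOrAfter="2021-07-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-07-01T11:59:00Z" NotOnOrAfter="2021-07-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://di.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SP_CONFIG, "2021-07-01T12:01:00Z"))  # []
    print(validate_response(SAMPLE_RESPONSE, SP_CONFIG, "2021-07-01T12:10:00Z"))  # expiry checks fail
```

Each failing check maps to one field on the screen: a wrong Entity ID in the IdP shows up as an Audience failure, a wrong ACS URL as a Destination or Recipient failure, and a stale Identity Provider Issuer as an Issuer failure, which is a useful way to read an IdP's "SAML response rejected" message when troubleshooting.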

6.3.3 Managing Administrator Accounts


The Administrator Accounts screen defines and displays the administrator accounts to access the
Management Console. This feature is only available to Master Administrators and Hub
Administrators. It is used to create different administrator accounts for different roles in the
organization. Based on the roles of the administrators, the permissions allowed are defined. The
following roles are available:

▪ Hub Administrator – This role is only available in systems with MSP support and from the
Hub Console's Settings screen. The administrator with the highest level of permissions and
access to the Hub Console and MSP Management Consoles. This role is typically given to
administrators that manage all MSPs. In addition to managing the complete system, this
administrator has the permissions to manage all administrator accounts.

▪ Master Administrator – The administrator with the highest level of permissions and access
in the Management Console for a system. The system can be without MSP support or for a
specific MSP. In addition to managing the system, this administrator has the permissions to
manage all administrators within the system. This role is typically reserved for a limited
number of administrators that need to create, edit or remove administrator accounts.

▪ Administrator – A general administrator with the typical permissions required to manage a
system. The system can be without MSP support or for a specific MSP. This role is typically
given to administrators that monitor the system. It has the same permissions as the Master
Administrator, but without access to create, edit or remove administrator accounts.

▪ SOC Administrator – An administrator with permissions that focus on managing and
monitoring the security of a system without MSP support or for a specific MSP.

▪ Read Only – An administrator that only needs read-only permissions to monitor a system
without MSP support or for a specific MSP. This role is typically given to managers that want
to see the status, but are not active users.

▪ IT Administrator – An administrator with permissions that focus on the deployment of the
D-Client on the endpoint devices within a system without MSP support or for a specific MSP.
This role is typically given to the IT team that is responsible for deployment.

▪ Tenant Viewer – This role is only available in systems with MSP support and not available
from the Hub Console’s Settings screen. An administrator that only needs to monitor the
system for a specific tenant. This role is typically given to a manager or administrator that
works for a tenant.

To access the Administrator Accounts screens, select Settings > Administrator Accounts from the
left pane and then select the screen you want to display from the right pane. To manage Hub
Administrator accounts, the Hub Console must be used.

The following figures illustrate the Administrator Accounts screens with numbered callouts. The
callouts are described in the table below.


Administrator Accounts Screens with Callouts

Administrator Accounts Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 Add Account Click to open the dialog box to add a new administrator account.

3 Administrator Table that displays all the administrator accounts. The table includes
Accounts Table the following information:
▪ Role – The role of the administrator. The permissions allowed for
each administrator is based on the defined role of the
administrator. See Display Administrator Permissions for more
information about permissions per role.
▪ First Name – The first name of the administrator.
▪ Last Name – The last name of the administrator.
▪ Username – The username of the administrator.
▪ Email Address – Email address of the administrator.

▪ Type – Displays whether the Administrator User is an Active
Directory user or was created locally.
▪ Last Sign In – Date and time of the last time the administrator
signed into the Management Console.
 
From this table, you can do the following:
▪ Filter the information to only display the relevant information.
▪ Sort the information by clicking on column headings. The
information in the table is sorted based on the selected column.
▪ Define which columns are displayed.
▪ Define the location for each column.
▪ Create, view, update and remove custom preset views of the table.
▪ Clear all filters in the table.
▪ Export the data from the table to an Excel file.
▪ Edit the details and password of an existing administrator account.
▪ Remove an existing administrator from the Management Console.

4 Entry Selection Selecting an entry in this table provides you with several features, as
follows:
▪ Edit account – Click an entry to edit the administrator account. The
Edit Administrator Accounts screen opens for the selected
account.
▪ Remove account – Right-click an entry to remove the administrator
account.

5 Clear Filter Click to clear all column filters.

6 View Configuration Click to select an option to define preset and current views of the
table. These views are defined separately for each administrator. The
options are as follows:
▪ Views – Select the preset view to define the current view and how
the table is displayed. The current view defines the column
location, width, sort, filters, and which column is displayed.
▪ Reset – Resets the table view to the default settings of the current
preset view. 
▪ Update to match current view – Saves the current view as the
default of the current preset view.

▪ Rename – Opens a dialog box to change the name of the current
preset view.
▪ Remove – Removes the current preset view from the list and
changes the current preset view to Default View. Default View
cannot be removed.
▪ Create new – Opens a dialog box to create a new preset view
based on the current table settings. Once created, this view
becomes the current preset view.

7 Column Selector Defines which columns are displayed in the table. Clear or select the
checkbox to define which columns are displayed.

8 Export Click to select an option to export the data from the table. The
options are as follows:
▪ Export all columns – Creates an Excel file that contains all entries
displayed in the table, with data from all columns available.
▪ Export visible columns – Creates an Excel file that contains all
entries displayed in the table, with data from all columns displayed.
To define what is displayed in the table, use Filters to define which
entries are displayed and Column Selector to define which columns
are displayed.

9 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.

10 Administrator Roles Select the role of the administrator to display the associated
Permissions table. The following roles are available:
▪ Hub Administrator
▪ Master Administrator
▪ Administrator
▪ SOC Administrator
▪ Read Only
▪ IT Administrator
▪ Tenant Viewer
Descriptions for these roles are described above.


11 Administrator Table that illustrates the permissions allowed for the administrator
Permissions selected. The table indicates which sections are accessible to the
Table administrator, and whether the administrator has read only or read/
write permissions. The indicators are as follows:

(allowed icon) – Permission allowed
(denied icon) – Permission denied
VIEW – Read permission
EDIT – Write permission

From the Administrator Accounts screens, you can perform the following administrative functions:

▪ Add new administrator accounts

▪ Display administrator accounts

▪ Edit administrator accounts

▪ Display administrator permissions

▪ Remove an administrator

Initially, the system is configured with one administrator. Once multiple administrators have been
defined, the system implements a locking mechanism to prevent multiple administrators from
modifying the same screen.

6.3.3.9 Add Administrator Accounts


This feature allows a Hub Administrator or Master Administrator to add new administrator
accounts.

To add a new administrator account:


1. Select Settings > Administrator Accounts from the left pane and then click Administrator
Accounts from the right pane to open the Administrator Accounts screen.


2. Click Add Account from the table header. The Add Administrator Account screen opens.

3. In the Role list, select the role of the new administrator. Depending on the environment and
the role selected, an MSP or Tenant parameter may appear. If it appears, select the
appropriate MSP or tenant from the list.

The permissions set for each administrator is based on the selected role, MSP and tenant.
See Display Administrator Permissions for more information about permissions per role.

4. For an Administrator User not listed in the Active Directory, perform the following:

a. In the Username box, type the username of the new administrator. The length must be
between 3 and 35 characters.


b. In the Password box, type the new password. The password must meet the following
requirements:

• Password length must be between 8 and 35 characters.

• Password must include both upper-case and lower-case letters.

• Password must include one or more numerical digits.

• Password must include one or more special characters.

As you comply with each requirement, the requirement changes to green. Retype the
new password in the Confirm Password box.
c. In the First Name box, type the first name of the new administrator. The length must be
between 3 and 35 characters.

d. In the Last Name box, type the last name of the new administrator. The length must be
between 3 and 35 characters.

e. In the Email address box, type the email of the new administrator.

5. For an Administrator User from the Active Directory, perform the following:

a. Select the Active Directory User checkbox. The screen changes.

b. In the Username box, type the Active Directory username of the new administrator
account.

c. Click Match and the information from the Active Directory is used to complete the
screen.

6. Click Save & Apply and the screen closes. The new administrator is now displayed in the
Administrator Accounts table.


6.3.3.10 Display Administrator Accounts


The Administrator Accounts screen displays a table that contains account information for all
relevant administrators. To display the Administrator Accounts table, select Settings >
Administrator Accounts from the left pane and then click Administrator Accounts from the right
pane. The table includes the following information:

▪ Role – The role of the administrator. The permissions allowed for each administrator is
based on the defined role. See Display Administrator Permissions for more information
about permissions per role.

▪ MSP – The MSP with which the administrator is associated. When All is displayed, this
administrator has access to all MSP accounts. This is only available when displaying the
administrator accounts from the Hub Console.

▪ Tenant – The tenant with which the administrator is associated. Typically, the value is All,
which indicates that the administrator has access to all Tenant accounts within the MSP. The
Tenant Viewer only has access to one tenant and the name of the tenant is displayed. This is
only available when displaying the administrator accounts from an MSP Management
Console.

▪ First Name – The first name of the administrator.

▪ Last Name – The last name of the administrator.

▪ Username – The username of the administrator.

▪ Email Address – Email address of the administrator.

▪ Type – Displays whether the Administrator User is an Active Directory user or was created
locally.

▪ Last Sign In – Date and time of the last time the administrator signed into the Management
Console.


Administrator Accounts screen


 

From this screen, you can do the following:

▪ Filter the information to only display the relevant information.

▪ Sort the information by clicking on column headings. The information in the table is sorted
based on the selected column.

▪ Define which columns are displayed.

▪ Reset columns and filters to their default settings.

▪ Export the data from the table to an Excel file.

▪ Add a new administrator account.

▪ Edit the details and password of an existing administrator account.

▪ Remove an existing administrator account from the Management Console.

6.3.3.1 Editing an Administrator Account


To edit an administrator account:
1. Select Settings > Administrator Accounts from the left pane and then click Administrator
Accounts from the right pane to open the Administrator Accounts screen.


2. Click the administrator account you want to edit. The Edit Administrator Account screen
opens.

3. All parameters related to the administrator account can be modified, except for the user
type and username. If the user type or username needs to be modified, a new administrator
account must be created. Modify the administrator account as needed.

4. If the password needs to be modified, click Change Password and the Password parameters
appear. Type the new password and then retype the password. The new password must
meet the following requirements:

▪ Password length must be between 8 and 35 characters.

▪ Password must include both upper-case and lower-case letters.


▪ Password must include one or more numerical digits.

▪ Password must include one or more special characters.

5. Click Save & Apply and all the changes, except for the password, are displayed in the table.

6.3.3.2 Display Administrator Permissions


The permissions allowed for each administrator is based on the defined role. The following roles
are available:
▪ Hub Administrator

▪ Master Administrator

▪ Administrator

▪ SOC Administrator

▪ Read Only

▪ IT Administrator

▪ Tenant Viewer

See Managing Administrator Accounts for descriptions of these roles.

The Administrator Permissions screen displays the permissions allowed for each of the
administrator accounts listed above. The tables in this screen display which sections are
accessible to the administrator, and whether the administrator has read only or read/write
permissions.


To display the administrator’s permissions:


1. Select Settings > Administrator Accounts from the left pane and then click Administrator
Roles and Permissions from the right pane to open the Administrator Roles and
Permissions screen.

2. From the left of the Permissions table, click an administrator role to display the associated
Permissions table.

6.3.3.3 Removing an Administrator Account


When an administrator account is removed, the administrator no longer has access to the
Management Console. The administrator's entries in the Audit log are retained, and an Active
Directory user is not removed from Active Directory.

To remove an administrator account:


1. Select Settings > Administrator Accounts from the left pane and then click Administrator
Accounts from the right pane to open the Administrator Accounts screen.


2. From the list, right-click the account you want to remove and then select Remove account.

3. The Remove Administrator Account dialog box opens to confirm your request.

4. Click Remove to remove the administrator account from the Management Console.

6.4. Release Notes Screen


The Release Notes screen displays all the D-Client versions available for use. It includes detailed
information for each version. When an existing version of the D-Client can be automatically
upgraded, the version description also shows the new version to which the D-Client will be
upgraded. For more information on upgrading the D-Client, see the Deployment Guide.

To open the Release Notes screen, click the Help icon near the top right corner of the screen
and then click Release Notes.

The following figure illustrates the Release Notes screen with numbered callouts. The callouts are
described in the table below.


Release Notes Screen with Callouts

Release Notes Screen Components

Item Term Description

1 Help Icon Click the Help icon near the top right corner of the screen and
then click Release Notes to open the Release Notes screen.

2 Release Notes Displays the D-Client categories. Select a category to display additional
information. This information includes all available versions for the
selected category. When a D-Client is selected, it also includes links
to download the installation packages for all relevant D-Client
versions.

3 Selection Indicator When a D-Client category is clicked, the Selection Indicator changes.
– Indicates the category is closed. Click to display more
information.
– Indicates the category is opened. If no additional information is
displayed, there are no versions available for your organization. This
occurs when no licenses have been purchased for a specific D-Client.


6.5. My Profile
The My Profile screen displays the account details for the administrator that is currently signed in.
It also allows the administrator to change his password. To open the My Profile screen, click the
Administrator icon at the top right corner of the screen and then click My Profile.
The following figure illustrates the My Profile screen and the table below describes the parameters
in the screen.

My Profile Screen

My Profile Screen Parameters

Parameter Definition

Username Displays the username for the administrator that is
currently signed in.

Email Address Displays the email address for the administrator that is
currently signed in.

Password Defines the sign in password for the administrator that is
currently signed in. See the procedure below.

To change the sign in password:


1. Click the Change Password button and the Password parameters appear.


2. In the Current Password box, type your current password.

3. In the New Password box, type the new password. The new password must meet the
following requirements:

▪ Password length must be between 8 and 35 characters.

▪ Password must include both upper-case and lower-case letters.

▪ Password must include one or more numerical digits.

▪ Password must include one or more special characters.

▪ New password must be different from the current password.

4. As you comply with each requirement, the requirement changes to green. Retype the new
password in the Confirm Password box and click Save & Apply.
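The five requirements above are simple enough to check before a password ever reaches the console. The following is an added example, not code from the Administrator Guide or from Deep Instinct: it encodes the listed rules as a validator that returns the rules a candidate password fails, which is the same information the screen conveys by turning each requirement green. The function names are hypothetical, and the set of "special characters" is assumed to be ASCII punctuation, since the guide does not define the term.

```python
import string

# Limits quoted from the password requirements in the Administrator Guide.
MIN_LEN, MAX_LEN = 8, 35
# Assumption: "special characters" means ASCII punctuation; the guide does not define it.
SPECIAL_CHARS = set(string.punctuation)

# Rule identifiers, in the order the guide lists them.
RULES = ("length", "case", "digit", "special", "different_from_current")


def check_password_rules(new_password, current_password):
    """Evaluate each requirement; returns {rule: True if satisfied}."""
    has_lower = any(c.islower() for c in new_password)
    has_upper = any(c.isupper() for c in new_password)
    return {
        "length": MIN_LEN <= len(new_password) <= MAX_LEN,
        "case": has_lower and has_upper,
        "digit": any(c.isdigit() for c in new_password),
        "special": any(c in SPECIAL_CHARS for c in new_password),
        "different_from_current": new_password != current_password,
    }


def password_policy_violations(new_password, current_password):
    """Return the list of rules the candidate password fails; an empty list means it is acceptable."""
    results = check_password_rules(new_password, current_password)
    return [rule for rule in RULES if not results[rule]]


def is_acceptable(new_password, current_password):
    """True only when every requirement is met (all indicators would be green)."""
    return not password_policy_violations(new_password, current_password)


if __name__ == "__main__":
    # Constructed sample values; the hypothetical current password is "OldPassw0rd!".
    for candidate in ("Tr0ub4dor!", "short1!", "OldPassw0rd!", "NoSpecial123"):
        print(candidate, "->", password_policy_violations(candidate, "OldPassw0rd!") or "OK")
```

Running the block prints one line per constructed candidate. The "different from current" rule is checked with a plain string comparison because the guide states only that the new password must differ; a stricter similarity check (for example, rejecting a single appended character) would be a policy decision beyond what the page describes.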

6.6. Audit Log


The Audit Log displays a table that contains detailed information for all administrative activities in
Deep Instinct. To display the Audit Log table, click the Administrator icon at the top right
corner of the screen and then click Audit Log. The table includes the following information:

▪ Date – Date and time that the administrative activity occurred.

▪ ID – A unique identification number assigned by Deep Instinct™ for each administrative
activity.

▪ Administrator – Username of the administrator that initiated the activity.

▪ Category – This identifies the type of activity that occurred.

▪ Details – Detail information about the activity.


Audit Log Screen

From this screen, you can do the following:

▪ Filter the information to only display the relevant information.

▪ Sort the information by clicking on column headings. The information in the table is sorted
based on the selected column.

▪ Define which columns are displayed.

▪ Define the location for each column.

▪ Create, view, update and remove custom preset views of the table.

▪ Clear all filters in the table.

▪ Export the data from the table to create an Excel file that contains all data displayed in the
table.
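Because the Audit Log keeps entries for administrators even after their accounts are removed (see Removing an Administrator Account above) and can be exported in full, it is a natural input for periodic review. The following is an added example, not code from the Administrator Guide or from Deep Instinct: it parses a constructed export with the five columns the guide lists (Date, ID, Administrator, Category, Details), counts activity per administrator, and flags entries in a sensitive category, marking those that occurred outside an assumed business-hours window. The export is assumed here to have been saved as CSV rather than Excel, the date format and the category name "Administrator Accounts" are constructed, and all function names are hypothetical.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. The real Audit Log exports to Excel; the same five columns are
# assumed here in CSV form. Administrators, IDs, categories and details are all invented.
SAMPLE_AUDIT_CSV = """Date,ID,Administrator,Category,Details
2021-07-01 09:12:43,1001,alice,Sign In,Signed in to the Management Console
2021-07-01 09:15:10,1002,alice,Policy,Changed policy Default Windows Policy
2021-07-01 23:41:02,1003,bob,Administrator Accounts,Removed administrator account carol
2021-07-02 08:02:55,1004,bob,Administrator Accounts,Created administrator account dave
2021-07-02 08:05:17,1005,dave,Sign In,Signed in to the Management Console
"""

# Assumed category name for account changes; adjust to the categories seen in your own export.
SENSITIVE_CATEGORIES = frozenset({"Administrator Accounts"})
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumption about the exported date format


def parse_audit_log(text):
    """Parse an exported Audit Log into a list of dicts with typed Date and ID fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Date"] = datetime.strptime(row["Date"], DATE_FORMAT)
        row["ID"] = int(row["ID"])
        rows.append(row)
    # The export is already ordered by time here, but sort defensively on (Date, ID).
    rows.sort(key=lambda r: (r["Date"], r["ID"]))
    return rows


def events_by_administrator(rows):
    """Count audit entries per administrator username."""
    return Counter(r["Administrator"] for r in rows)


def sensitive_events(rows, categories=SENSITIVE_CATEGORIES, business_hours=(8, 18)):
    """Return (ID, Administrator, outside_business_hours) for every entry in a sensitive category.

    business_hours is an assumed [start, end) window in local hours; entries outside it
    are marked True so a reviewer can look at them first.
    """
    start, end = business_hours
    flagged = []
    for r in rows:
        if r["Category"] in categories:
            outside = not (start <= r["Date"].hour < end)
            flagged.append((r["ID"], r["Administrator"], outside))
    return flagged


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_CSV)
    print("entries per administrator:", dict(events_by_administrator(entries)))
    for event_id, admin, outside in sensitive_events(entries):
        marker = "OUTSIDE business hours" if outside else "within business hours"
        print(f"ID {event_id} by {admin}: {marker}")
```

The sort on (Date, ID) matters when an export has been re-sorted in the console before export, since the ID is the only guaranteed-unique field and the Date alone may repeat within a second.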

6.7. D-Appliance Support


This guide provides information for using and supporting the D-Appliance via the Management
Console. Deep Instinct Support will provide all services to assist the administrator with the
information described in this manual, as well as full support for all other issues related to the D-
Appliance. The level and priority of the support provided is based on the Severity Level of the
problem and Service Level Agreement, as described in the Support and Maintenance Services
Agreement.


7. MSP and Tenant Management


7.1. MSP List Screen
The MSP List screen is the home page for integrators. It is used by the integrator to monitor and
define MSP accounts. From this screen, all other operational screens for all MSP accounts can be
accessed. This screen is only available in systems with MSP support.

The following figure illustrates an MSP List screen with numbered callouts. The callouts are
described in the table below.

MSP List Screen with Callouts

MSP List Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator, some
options may not be displayed.

2 Create MSP Click to open the dialog box to create a new MSP account.


3 MSP List Table that displays all the MSP accounts within the system. The table
includes the following information:
▪ Name – The name of the MSP account.
▪ Tenants – Displays all the tenants associated with the MSP account.
By default, this information is not displayed.
▪ Licenses Used – Number of licenses currently used by the MSP
account.
▪ Assigned Licenses – Number of licenses allocated to the MSP
account.
▪ Last Sign In – Displays the date and time when the last
administrator signed in.
▪ Last Sign In By – Displays the name of the last administrator that
signed in.

From this table, you can do the following:
▪ Filter the information to only display the relevant information.
▪ Sort the information by clicking on column headings. The
information in the table is sorted based on the selected column.
▪ Define which columns are displayed.
▪ Define the location for each column.
▪ Create, view, update and remove custom preset views of the table.
▪ Clear all filters in the table.
▪ Export the data from the table to an Excel file.
▪ Create a new MSP account.
▪ Edit an existing MSP account.
▪ Remove an existing MSP account.
▪ Open the dashboard for a selected MSP account.

4 Entry Selection Selecting an entry in this table provides you with several features, as
follows:
▪ MSP Dashboard – Click an entry to open the associated Dashboard
in a separate tab for the selected MSP account.
▪ Action Options – Right-click an entry to open the available options
that can be performed with the selected entry, as follows:
▪ Edit MSP – Opens a dialog box to edit the selected MSP account
and display the number of licenses used by the MSP.


▪ Remove MSP – Removes the selected MSP account.

5 Clear Filter Click to clear all column filters.

6 View Configuration Click to select an option to define preset and current views of the
table. These views are defined separately for each administrator. The
options are as follows:
▪ Views – Select the preset view to define the current view and how
the table is displayed. The current view defines the column location,
width, sort, filters, and which column is displayed.
▪ Reset – Resets the table view to the default settings of the current
preset view. 
▪ Update to match current view – Saves the current view as the
default of the current preset view.
▪ Rename – Opens a dialog box to change the name of the current
preset view.
▪ Remove – Removes the current preset view from the list and
changes the current preset view to Default View. Default View
cannot be removed.
▪ Create new – Opens a dialog box to create a new preset view based
on the current table settings. Once created, this view becomes the
current preset view.

7 Column Selector Defines which columns are displayed in the table. Clear or select the
checkbox to define which columns are displayed.

8 Export Click to select an option to export the data from the table. The
options are as follows:
▪ Export all columns – Creates an Excel file that contains all entries
displayed in the table, with data from all columns available.
▪ Export visible columns – Creates an Excel file that contains all
entries displayed in the table, with data from all columns displayed.
To define what is displayed in the table, use Filters to define which
entries are displayed and Column Selector to define which columns
are displayed.

9 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.


10 Help Icon Click the Help icon and a list of help options is displayed, as
follows:
▪ About Deep Instinct – Opens the About screen. It displays the
current version of the Management Console and allows you to
download the user manuals.
▪ Release Notes – Opens the Release Notes screen. From this screen
you can display all the D-Client versions available for use. It includes
detail information for each version and permits you to download
the installation package for each D-Client version.
▪ Deep Instinct Portal – Opens the Deep Instinct portal to give access
to training, support tickets and other useful information.

11 Administration Icon Click the Administration icon and a list of options is displayed to
permit the administrator to access miscellaneous administrative tasks
and information, as follows:
▪ My Profile – Opens My Profile screen and displays the account
details for the administrator that is currently signed in. It also allows
the administrator to change his password.
▪ Audit Log – Opens the Audit Log screen, which displays a log of all
administrative activities.
▪ Sign Out – Click to sign out from Deep Instinct.

From the MSP List, you can perform the following:

▪ Display all MSP accounts

▪ Create a new MSP account

▪ Edit an MSP account

▪ Remove an MSP account

▪ Access the Monitor screens with data for all MSP accounts

▪ Access the Policy screens for all MSP accounts

▪ Access the Hub Console’s Settings screen

▪ Access the Dashboard for a selected MSP

▪ Access the signed in administrator’s profile

▪ Sign out


7.1.1 Creating a New MSP Account


To create a new MSP account:
1. From the Hub Console, click MSPs from the left pane. The MSP List opens.

2. Click Create MSP from the table header. The Create MSP dialog box opens.

3. In the Name box, type the name of the new MSP account. The length must be between 2
and 50 characters.

4. In the Assigned Licenses box, type the number of licenses to be allocated to this MSP
account. The amount defined cannot be higher than the Available licenses.

5. Click Create. The new MSP account is added to the MSPs table.


7.1.2 Removing an MSP Account


Before removing an MSP account, uninstall the D-Client from all associated devices.

To remove an MSP Account:


1. From the Hub Console, click MSPs from the left pane. The MSP List opens.

2. From the list in the table, right-click the MSP account you want to remove and then select
Remove MSP. The Remove MSP dialog box opens to confirm your request.

3. If the MSP account contains any devices, a message appears that the MSP could not be
removed. Uninstall the D-Client from all associated devices and then remove the MSP
account.

4. Click Remove. The MSP account is removed from the MSPs table.


7.2. Tenant List Screen


The Tenant List screen is used to monitor and define the Tenant accounts within an MSP. All
devices in a system with MSP support must be assigned to a tenant and the tenant must be
created prior to deploying its devices. This screen is only available in systems with MSP support.

The following figure illustrates a Tenant List screen with numbered callouts. The callouts are
described in the table below.

Tenant List Screen with Callouts

Tenant List Screen Components

Item Term Description

1 Navigation Pane The left pane allows you to easily access the main screens (right
pane), including MSPs, Dashboard, Monitor, Policy, Devices, Tenants,
Reports and Settings screens.
MSPs and Tenants are only displayed on systems with MSP support.
Based on the console and the permissions of the administrator,
some options may not be displayed.

2 Tenants Table Table that displays all the Tenant accounts within an MSP. The table
includes the following information:
▪ Name – The name of the tenant.
▪ Licenses Used – Number of licenses currently used by the tenant.
▪ Assigned Licenses – Number of licenses allocated to the tenant.


▪ Endpoint Installation Token – A unique number assigned to the
tenant to install the D-Client on Windows and macOS devices.
▪ Mobile Installation Token – A unique number assigned to the
tenant to install the D-Client on Android, Chrome OS, iOS and
iPadOS devices.

From this table, you can do the following:
▪ Filter the information to only display the relevant information.
▪ Sort the information by clicking on column headings. The
information in the table is sorted based on the selected column.
▪ Define which columns are displayed.
▪ Define the location for each column.
▪ Create, view, update and remove custom preset views of the table.
▪ Clear all filters in the table.
▪ Export the data from the table to an Excel file.
▪ Create a new tenant account.
▪ Edit an existing tenant account.
▪ Remove an existing tenant account.
▪ Copy to the clipboard the Endpoint Installation Token or Mobile
Installation Token to be pasted during the device deployment
process. For more information, see the Deployment Guide.
▪ Regenerate a new Endpoint Installation Token or Mobile Installation
Token.

3 Create Tenant Click to open the dialog box to create a new tenant account.

4 Entry Selection Selecting an entry in this table provides you with several features, as
follows:
▪ Edit Tenant – Click an entry to edit the selected tenant account.
▪ Action Options – Right-click an entry to open the available options
that can be performed with the selected entry, as follows:
▪ Copy Endpoint Installation Token – Copies to the clipboard the
installation token used to install Windows and macOS devices,
for the selected tenant account.
▪ Copy Mobile Installation Token – Copies to the clipboard the
installation token used to install Android, Chrome OS, iOS and
iPadOS devices, for the selected tenant account.


▪ Regenerate Endpoint Installation Token – Regenerates and
replaces the installation token used to install Windows and
macOS devices, for the selected tenant account.
▪ Regenerate Mobile Installation Token – Regenerates and
replaces the installation token used to install Android, Chrome
OS, iOS and iPadOS devices, for the selected tenant account.
▪ Remove Tenant – Removes the selected tenant account.

5 Clear Filter Click to clear all column filters.

6 View Configuration Click to select an option to define preset and current views of the
table. These views are defined separately for each administrator. The
options are as follows:
▪ Views – Select the preset view to define the current view and how
the table is displayed. The current view defines the column
location, width, sort, filters, and which column is displayed.
▪ Reset – Resets the table view to the default settings of the current
preset view. 
▪ Update to match current view – Saves the current view as the
default of the current preset view.
▪ Rename – Opens a dialog box to change the name of the current
preset view.
▪ Remove – Removes the current preset view from the list and
changes the current preset view to Default View. Default View
cannot be removed.
▪ Create new – Opens a dialog box to create a new preset view
based on the current table settings. Once created, this view
becomes the current preset view.

7 Column Selector Defines which columns are displayed in the table. Clear or select the
checkbox to define which columns are displayed.

8 Export Click to select an option to export the data from the table. The
options are as follows:
▪ Export all columns – Creates an Excel file that contains all entries
displayed in the table, with data from all columns available.
▪ Export visible columns – Creates an Excel file that contains all
entries displayed in the table, with data from all columns displayed.


To define what is displayed in the table, use Filters to define which
entries are displayed and Column Selector to define which columns
are displayed.

9 Filters Filters the data in the table by entering text in the text filters below
the table headers, in the relevant column. Text can be entered by
manually typing the text or by selection. Only entries with data that
match the text entered are displayed.

From the Tenant List screen, you can perform the following:

▪ Display all Tenant accounts for the associated MSP

▪ Create a new Tenant account

▪ Edit a Tenant account

▪ Remove a Tenant account

▪ Copy the Endpoint Installation Token or Mobile Installation Token for a selected Tenant
account to the clipboard

▪ Regenerate the Endpoint Installation Token or Mobile Installation Token for a selected Tenant
account

7.2.1 Creating a New Tenant Account


Each Tenant account can only be assigned to one MSP. Therefore, the Tenant account can only be
created from the appropriate MSP Management Console.

To create a new Tenant account:


1. From the appropriate MSP Management Console, click Tenants from the left pane. The
Tenant List screen opens.


2. Click Create Tenant in the header of the table. The Create Tenant dialog box opens.

3. In the Name box, type the name of the new Tenant account. The length must be between 2
and 50 characters.

4. In the Assigned Licenses box, type the number of licenses to be allocated to this Tenant
account. The amount defined cannot be higher than the Available licenses.

5. Click Create. The new Tenant account is added to the Tenants table.

7.2.2 Removing a Tenant Account


Each Tenant account can only be assigned to one MSP. Therefore, the Tenant account can only be
removed from the appropriate MSP Management Console. Before removing a Tenant account,
uninstall the D-Client from all associated devices.


To remove a Tenant Account:


1. From the appropriate MSP Management Console, click Tenants from the left pane. The
Tenant List screen opens.

2. From the list in the table, right-click the Tenant account you want to remove and then select
Remove Tenant. The Remove Tenant dialog box opens to confirm your request.

3. If the Tenant account contains any devices, a message appears that the Tenant could not be
removed. Uninstall the D-Client from all associated devices and then remove the Tenant
account.

4. Click Remove. The Tenant account is removed from the Tenants table.


8. Glossary

Term Description

APT Advanced Persistent Threat – A sophisticated method of attack designed to avoid
detection over a prolonged period. This method of attack may also be split into
several modules to further avoid detection. In some cases, it is a targeted attack
against a specific entity.

ATA Advanced Threat Analysis – An additional threat analysis that can be initiated by
the administrator on any PE file identified. It produces a report that displays a
wide range of information to assist you in further analyzing malicious files. The
analysis is performed on demand, on an isolated virtual machine.

D-Appliance Management and monitoring server, hosted on-premises at the organization's
headquarters data center or in the cloud.

D-Brain The prediction model (D-Brain) is the result of the deep learning in the D-Lab,
which detects the cyber threats on the devices.

D-Client A lightweight client software installed on the device according to its platform
(Windows, macOS, Linux, Android, Chrome OS, iOS or iPadOS).

Endpoint Computerized equipment that connects to an organizational network and
functions as part of this network. It usually resides at the low end of the network
tree (smartphone, tablet, PC, laptop, etc.).

FQDN Fully Qualified Domain Name – A complete and unique address for a specific
host or computer. The FQDN usually consists of the hostname and the domain
name (all domain levels). 

GPO Group Policy Object – A collection of settings for a defined group of users that is
used with Microsoft’s Group Policy feature. This feature provides the centralized
management and configuration for the Windows operating systems,
applications, and users' settings in an Active Directory environment.

iDRAC integrated Dell Remote Access Controller – Integrated controller used to
manage and monitor the D-Appliance hardware.


Malware An abbreviation for malicious software, which is any software/application used
to disrupt a computer or a mobile device’s operation, gather sensitive
information, or gain access to private data.

MitM Man-in-the-Middle – An attack where the attacker secretly relays and possibly
alters the communication between two parties who believe they are directly
communicating with each other.

MSP Managed Service Provider – A service provider that delivers managed services.
The MSP has direct oversight of the organization or system being managed.

Prediction Model (D-Brain) The prediction model (D-Brain) is the result of the deep learning in the Deep
Instinct Neural Network, which detects the cyber threats on the devices.

SCCM System Center Configuration Manager – A systems management software
product developed by Microsoft for managing large groups of computers. It
provides remote control, patch management, software distribution, operating
system deployment, network access protection and hardware and software
inventory.

Zero-Day Threat A threat that exploits an unknown computer security vulnerability. It is known as
a "zero-day" because it is not publicly reported or announced before becoming
active, leaving the software's author with zero days in which to create patches or
advise workarounds to mitigate against its actions.

New York (Global Headquarters)
501 Madison Ave, Suite 1202
NYC, NY, 10022, USA
Phone: 212-981-2703

Tel Aviv
Levinstein Tower, 23 Menachem Begin Rd
Tel Aviv, 6618356, Israel
Phone: +972 3545-6600

United Kingdom
5 Ribbon Pond Drive, Newark on Trent
Nottinghamshire, NG24 3WW, United Kingdom
Phone: +44 7810-553692

DI-AG-CA-3.1-A01 www.deepinstinct.com | [email protected]
