How to Manage Tailored Behaviors
The Tailored Behaviors page can be found under the Operations tab in the sidebar. Note that users must have the “View Tailored Behaviors” permission for a group to be able to see that group’s tailored behaviors on this page.
How to Create a Tailored Behavior
After navigating to the Tailored Behaviors page, click the exclude process icon above the grid.
Clicking this icon opens a modal to create the tailored behavior.
Users have the option to specify a parent program with the exception.
Enter any additional restrictions to apply.
Users now have the option to limit the exception to specific file access triggers; all file access triggers are included by default. Note that only agents on version 4.4.6.2 and up have this file access trigger capability.
Users also have the ability to create temporary behaviors; see the next section for details.
How to Create and Edit Temporary Tailored Behaviors
Users can create a temporary tailored behavior by following the normal process to create a behavior as explained above, and then turning the “Make This Tailored Behavior Temporary” toggle on. Users are then able to enter the hours until the temporary behavior should expire (up to a week max).
The behavior’s expiration date can be seen in the Expiration Date column on the grid.
To edit a temporary behavior to extend the expiration date, make a temporary behavior permanent, or make a permanent behavior temporary, click the edit icon on the desired behavior in the Expiration Date column.
Clicking this icon will open a modal where users can edit the expiration date of the behavior as desired.
How to Delete Tailored Behaviors
To delete a behavior, or multiple behaviors at the same time, first select the behavior(s) to delete on the grid and click the trash icon above the grid.
Second, type “delete” and click the Delete button.
How to Copy Tailored Behaviors to a Different Group
To copy a behavior (or multiple behaviors at the same time) to another group, select the behavior(s) to copy on the grid and click the copy icon above the grid.
Clicking this icon opens a modal where you can select the group the behavior(s) should be copied to.
This modal also has an option to delete the existing behaviors in the selected group (except auto-generated behaviors), so that, apart from auto-generated behaviors, the selected group contains only the copied behaviors after the request is submitted.
After submitting the request, the copied behaviors will now appear for the selected group.
Creating a Tailored Behavior from the Extortion Response Page
Users have the ability to create tailored behaviors from the Extortion Responses page.
First, click the arrow on the desired extortion response row in the Number of Incidents column to reveal the inner grid.
Second, click the exclude response icon in the Response Name column, which opens a modal to create the tailored behavior.
On this modal, you may create behaviors using the suggested executable paths or submit the response for review if you are not seeing what you need from the suggested paths.
You may also click the Take me to Tailored Behaviors Page button, which will redirect you to the Tailored Behaviors page and automatically prefill the create behavior modal with the same group, path, and program arguments from the response.
Note that by default the Limit Exception to Program + Parent Program setting is toggled off. If you toggle this setting on, the parent program path and arguments from the extortion response will also be filled out automatically.
The Tailored Behavior Exclusion after clicking Create with the Limit Exception to Program + Parent Program setting toggled on: