Policy: File Access Justification Policy for Living Off the Land Process
This example shows a File Access policy designed for a “living off the land” scenario: it targets a specific built-in or commonly abused process and requires the user to provide a justification before the action is allowed. It’s useful for demonstrating how to add friction and auditing around high-risk tools without blocking them outright.
What This Policy Does
Applies a File Access rule in enforce mode.
Targets:
Any user (
*)One specific application (a single App ID)
One specific endpoint (a single Machine ID)
On a match, it requires JUSTIFY (the user must enter a justification) before proceeding.
Requires the user to acknowledge the notification (
NotificationRequiresAcknowledge: true).Assigns a Risk Level of 50.
Why It Behaves This Way
Application-Scoped Control: The policy is tied to one specific application identifier, so it only triggers for that tool/process rather than everything on the endpoint.
Broad User Coverage: With a wildcard user scope, anyone on the targeted endpoint is subject to the same justification requirement.
Justification As A Control: Using JUSTIFY adds accountability and audit context while still allowing the action to proceed when there’s a legitimate need.
Standard Checks With No Extra Constraints: Date/Time/Day/Certificate restriction lists are empty, so the match is primarily driven by user + machine + application targeting.
What The User Experiences
When a user triggers the covered process on an in-scope endpoint, they’ll be prompted to provide a justification.
They’ll also be required to acknowledge the notification before continuing.
After justification is provided, the action proceeds (this policy is “prompt and record,” not “block”).
Important Notes And Common Adjustments
Fix The Notification Message: The current message references “monitor mode” and talks about running a process “as an administrator,” which doesn’t match a File Access policy requiring JUSTIFY. Update the message so it clearly explains that a justification is required for this process and why.
Reduce Prompt Fatigue: If this process is used frequently for legitimate reasons, consider narrowing scope (specific users/groups, specific endpoints, or tighter application targeting) to avoid excessive prompts.
Choose Justify vs Deny vs Approval:
Use JUSTIFY when you want accountability without stopping work.
Use DENY when the tool should never be used.
Use APPROVAL when usage should be permitted only with explicit authorization.
Keep Risk Level Meaningful: If you’re using risk scoring for reporting or prioritization, align the Risk Level value with the severity of the tool/use case in your environment.
Example JSON
Last updated
Was this helpful?