Written by Arick Disilva

Rules Guide Overview

This guide explains how to use Teramind’s behavioral rules to detect insider threats, protect your organization from malicious or accidental security incidents, prevent data loss, conform with regulatory compliance or improve the productivity of your team. The guide explains rule structures, conditions, logic, data types etc. It shows you the steps for creating a rule, their use cases, best practices and advanced capabilities.

The guide is designed for the managers, administrators and security personnel who are responsible for configuring and maintaining the Teramind solution in your organization.

Introduction to Rules

Behavioral rules are a core part of Teramind’s automated insider threat detection and data loss prevention capabilities. They allow you to identify unproductive, harmful or dangerous activity in real time and, optionally, act on your behalf to thwart such threats. The Intelligent Rules Engine is tightly integrated throughout the Teramind platform:

  • The Rules Engine utilizes Teramind’s granular Activity Monitoring (using the BI Reports) capabilities, such as: apps, websites, emails etc. to determine what activity or content the rule should detect.

  • It uses the User Profiles to determine whom the rule will apply to.

  • You can use the Configurations settings to supply additional inputs such as employee Schedules, Shared Lists etc. for use with the Rules Editor, to speed up rule creation and to share parameters across different rules.

  • You can use the Monitoring Settings to control when and how the rule should work, minimizing privacy concerns.

  • You can get a detailed report of rule violation incidents and associated risks on BI Reports > Behavior Alerts, view recordings and gather evidence from the Session Player, and get notified with the Rule Notification Emails.

  • Teramind Agent enforces the rules you create from the Teramind Dashboard on the user’s computer.

With hundreds of pre-built rule templates, pre-defined data categories and sample rules, you can get started with Teramind right away. You can create your own rules very easily with an intuitive, visual Rules Editor. The editor allows you to use natural language, regular expressions, shared list and pre-built data classifications to define what makes an activity or data sensitive and use simple conditions that will trigger a rule violation incident. When a rule is violated, you can be notified about the incident and optionally, the system can take actions automatically in different ways, such as: warning the user, blocking the activity etc.

Teramind keeps detailed records of each rule violation incident complete with detailed information and relevant metadata. You can see the rule violations report from the Alerts screen and quickly search for an incident.

Teramind also captures video and, optionally, audio for a rule violation incident. You can view the recordings with the Session Player. The player allows you to see what rule notifications the user received and the trail of activities leading up to the incident. You can also export recordings for evidence or forensic investigation purposes. These recordings are automatically analyzed and indexed by Teramind’s advanced OCR engine. You can conduct high-speed OCR searches for on-screen content or create OCR rules that activate in real time whenever certain text is detected on the screen.

You can conduct risk analysis and identify high risk rules, users or objects from the Risk report. This also gives you ideas on how to adjust your rules’ detection settings to focus on key areas of vulnerabilities or reduce false positives.

Finally, you can get scheduled delivery of rule violation reports or ‘just-in-time’ notifications in your inbox with the Email Notifications feature.

Common Use Cases

You can create powerful rules to prevent data loss, detect insider threats, identify abusive behavior and accidental threats, improve employee productivity and conform with regulatory compliance.

Preventing Data Loss

  • Uploading documents that contain sensitive data to personal Cloud drives.

  • Sharing documents outside the organization that have a confidential watermark.

  • Sending out emails with sensitive files to non-corporate emails.

  • Sending out emails with large attachments, too many attachments or zipped files.

  • Printing during irregular hours.

  • Printing a large number of sensitive documents.

  • Taking screenshots, using screen capture or snipping tools.

  • Copying CRM data and pasting it in emails, an external site or an unauthorized application.

  • Non-authorized use of Cloud sharing drives as an attempt to exfiltrate data.

  • Saving files on removable media.

  • Sharing files with protected properties such as Tags, Attributes, Document Category etc.

  • Employees communicating with competitors.

Detecting Insider Threats

  • Signs of discontent, harassment, legal threats or other sentiment in emails or IM chats indicating underlying issues.

  • Development team using production data for testing and development.

  • IT department storing authentication information such as credit card magnetic data, which is prohibited under compliance laws.

  • Accessing the internet from restricted servers.

  • Installing RDP clients or opening ports.

  • User entering sensitive data such as passwords or personal details on potentially harmful or phishing sites.

  • Employee using the browser’s incognito/private mode frequently.

  • Clearing browser history or deleting cache files.

  • Sudden change in schedules or work pattern.

  • Using code snippets in database queries.

  • A vendor attempting to bypass security clearances and gain additional access by exploiting a bug, design flaw or configuration oversight in an operating system or software application.

  • Contractor attempting to log in to database servers during off-hours or after the completion of a project.

  • External user or freelancer accessing confidential customer and employee records.

Identifying Abusive Behavior and Accidental Threats

  • Employees looking at materials online that are questionable, suspicious or otherwise dangerous. For example, hacking sites, pornography or piracy content.

  • Abusing company resources, such as printing unnecessary copies of documents, throttling the network etc.

  • Customer agent asking for credit card numbers in unsecure email or support chat without using the proper communications channel.

  • Sharing ‘not for the public’ files on social media or IMs.

  • Employee opening emails that contain phishing links, viruses or malware.

  • Installing browser plugins that aren’t secure or are known to be problematic.

  • Entering passwords or personal details on unsecure websites.

Detecting Malicious Intent

  • Unauthorized user reading a document they should not have access to.

  • User trying to hide information in an image.

  • Employee participating in insider trading by sharing embargoed information such as M&A documents.

  • Searching the internet for suspicious keywords and phrases, such as: ‘how to disable firewall’, ’recover password’, ’steganography’ etc.

  • Running the Tor browser or accessing darknet sites.

  • Attempting to bypass the proxy server.

  • Installing a VPN client.

  • Running a network snooper, registry editor or other dangerous applications.

  • Running password crackers, keyloggers or other malicious tools.

  • Running software from external media or Cloud services.

  • Changing the configuration of the network or system settings.

  • Opening up blocked ports in the router settings.

Improving Productivity and HR Management

  • Get notified when workers are spending too much time on Facebook, watching YouTube videos or surfing online shopping sites.

  • Warn employees when they are spending excess time on personal tasks such as applying for jobs.

  • Using applications or sites that are unproductive.

  • Not following prescribed policy when dealing with customers.

  • Not following corporate etiquette policy, for example, visiting gambling sites.

  • Contractor submitting invoices that do not match work hours or task completion status.

Conforming with Regulatory Compliance

  • Prevent exfiltration of PHI (Protected Health Information) such as EHR, FDA recognized drug names, ICD codes, NHS numbers etc. to comply with HIPAA and HITECH policies (HIPAA 164.500 – 164.532).

  • Automatically log out a user when inactive for a certain time (HIPAA 174.312).

  • Block unauthorized traffic from EHR/EMR and clinical applications (HIPAA 164.306).

  • Restrict access based on a user’s ‘need to know’ clearance. For example, block IT admins from accessing cardholder data while performing support tasks (PCI-DSS 10.1).

  • Use OCR-based rules to detect when a user has access to the full view of a PAN (Personal Account Number), violating PAN-masking or PAN-unreadable rules (PCI-DSS 3.4/3.5).

  • Block file-write operations when credit card numbers or magnetic track data is detected that would violate the storing of authentication data rule (PCI-DSS 3.2).

  • Prevent sharing of contact lists containing EU PII (personally identifiable information) such as English names, EU addresses or EU phone numbers (GDPR 5).

  • Warn the user when sharing files containing data such as DNA profiles, NHS/NI numbers and sexual orientation data, hence preventing the violation of the processing of special categories of personal data rule (GDPR 9).

  • Ensure that non-EU admins cannot access the records of EU employees, preventing the violation of the transfers of personal data to third countries rule (GDPR 44).

  • Enforce security-compliant behavior, take immediate action on detection of anomalies or rule violations and train employees with detailed rule alerts (ISO 27001, Standard Enforcement).

Implementing the MITRE ATT&CK™ Framework

The Teramind MITRE ATT&CK Detection & Prevention Library has over 350 sample behavior policies and rules under 13 MITRE Tactics covering the Enterprise Attack Matrix. The rules combine threat-specific activity detection, content classification, pre-defined alerts and automated actions, and a documented response playbook tailored to each defined scenario.

For more information about the Teramind MITRE ATT&CK Detection & Prevention Library please contact [email protected].

Steps for Creating a Rule

Why are You Creating the Rule?

Consider what you are trying to achieve. Do you want to monitor users’ activities to prevent insider threats? Suspicious that an employee is committing a crime or colluding with an outsider? Or, are you trying to prevent IP leaks through external vendors? Do you need to comply with regulations, such as: HIPAA, GDPR etc.?

Create a new policy or assign it under an existing policy that fits the rule’s purpose.

What Activity, Content or Behavioral Anomaly Do You Want to Detect?

Are you trying to detect discrepancies in employees’ schedule? Does it involve an ‘activity’ such as, uploading a document? Or do you need to protect some ‘content’ such as, sensitive information inside a document?

Select a Rule Type from the Rules Editor’s General tab.

If you are trying to detect behavioral anomalies, such as an employee sending an abnormal number of emails, then you should consider creating an anomaly rule.

Create an anomaly rule.

Where is the Activity Performed or Content Located?

Next you need to figure out where the activity or content sharing takes place. Does it involve emails? Transfer of files? Or, are there multiple ingress/egress points that you need to monitor, for example, emails + IM + website uploads?

Select Types of Activities or Types of Contents from the Rules Editor’s General tab.

When Should the Rule be Active?

Do you want the rule to run 24/7 or follow a schedule? For example, do you want the rule active during work hours but disable it during the employee lunch breaks?

You can turn rules on/off, or schedule when they will be active from the Behavior menu. Or, you can select a schedule under When is this rule active? from the Rules Editor’s General tab.

Whom Should it Apply to?

Do you need the rule for everyone? Certain users, groups or departments? How about setting up a terminal server to monitor all your vendors or external partners? Do you need to exclude anyone from the rule’s enforcement?

You can choose all these from the User tab on the Rules Editor. You can also select users on a policy basis by turning on the INHERIT POLICY SETTINGS.

What Makes the Data Sensitive?

If you are trying to detect Content, can you describe how the data looks? Does it have a clear structure such as a credit card number? Or, do you need to detect information that are unstructured or dynamic in nature?

Use the Content tab on the Rules Editor to define your content. You can choose from Predefined Classified Data or create your own custom data types by selecting other options from the list.

What Scenarios Violate the Rule?

Now, you have to think about scenarios that will trigger the rule. You might need multiple conditions and logics to detect the rule violation. Remember, there are also multiple ways of achieving the same result.

For example, if you wanted to prevent uploading of files to a personal Cloud drive, you could use a condition to detect file operation ‘upload’. And use a second condition, ‘upload URL’ and specify website addresses such as ‘google.drive.com, dropbox.com’ etc. Or, you could just select file operations for ‘write’ and select the ‘Cloud providers’ from the built-in list.

Use rule logics on the Rules Editor to define condition or content logics for the activity or content.

What Action(s) Do You Want to Take?

What should the system do when a rule is broken? Do you want it to notify you immediately? Or, do you want it to take some preventive actions too? For example, block the action? Or do you need to take a sequence of actions? For example, block the action but also record the incident? Or, take different action depending on how often they broke the rule? Assign a risk level to the action?

Use the Actions tab on the Rules Editor to define the action(s). Use the Advanced Mode to assign multi-level thresholds and risks.

Understanding Common Rule Elements

Rule Name and Description

Each rule lets you specify a name and optionally, a description for the rule.

Rule Template

When creating a new rule, you can choose from a list of pre-built templates. Click the CHOOSE A TEMPLATE field on the General tab to choose a template. Teramind has many templates for Data Loss Prevention, Email, Applications, Websites, File Operations etc. Once you select a template, the rest of the rule’s tabs will be automatically populated with pre-configured settings and sample data. You can, of course, change the settings.

Displaying the Rule in OMNI

Just under the rule templates selection, you will notice an option, “Display in OMNI feed”. If enabled, the rule will show up on the OMNI dashboard.

Tags

Tags are keywords you can assign to a rule to easily identify it. They are useful in searching for the rule and can also be used as filters (i.e. on the Risk or Alerts report).

You might also see some built-in tags such as Data Loss, Malicious Incident, Negligence, etc. that you can assign to the rule. These special tags are used with OMNI to categorize different types of risks.

Note that the built-in special tags are currently a request-only feature. Please contact your customer service representative to activate the feature on your instance.

Schedule

By default, the rule stays active for 24 hours. However, you can adjust it to match your employees’ work schedule. For example, you can have the rule active during work hours but disable it during the employee lunch breaks. To change when the rule is active, drag the two Circles to adjust the time. You can click the Plus (+) and Minus (-) buttons to add/remove additional time slots.

The rule schedule is based on the users’ local time zones. It does not use the server time zone (Settings > Localization).

Agent Schedule rules and Anomaly rules do not have this scheduling module. Their scheduling is done in a different way.

Rule Violation Severity

The Rule Violation Severity allows you to specify a risk level for the rule. You can either drag the slider or use the number field to enter a number between 0-100. This value is then used in places like the OMNI to measure the overall risk score.

Rule Conditions

You use the CONDITION fields in a rule to specify what values to compare the rule parameters with. To specify a rule condition, start typing in the relevant CONDITION field, then select an option from the pop-up to tell Teramind what type of value it is.

You can use multiple values in a CONDITION field by clicking on a blank space in the field.

There are several conditions you can use. For example:

Contains

Use the Contains condition for a partial text match. So, if you were searching for you, the Contains condition will detect any of these texts: YouTube, youtube.com, youth, layout, since they all contain the text you.

An example use of this condition is blocking certain applications from running: type their names in the CONDITION field and choose one of these conditions.

Note that, this condition isn’t case-sensitive. So, words like You, YOU, you – will have the same result.

Equals

Similar to the Contains condition, but in this case the text has to be an exact match. So, if you were searching for you, the Equals condition will NOT detect any of these texts: YouTube, youtube.com, youth, layout. However, it will detect You, YOU, you since they are exact matches; the difference in case doesn’t matter because the Equals condition isn’t case sensitive either.

Match RegExp

For complex matches, such as Credit Card Numbers, Social Security Numbers, etc., you can use the Match RegExp option. For example, the regular expression [a-zA-Z]{2}[0-9]{12} will detect any text that starts with 2 alphabet characters and ends with 12 digits such as, PO123456789123 or, ab123456789012.

Teramind supports the standard Regular Expression library available in C++. Check out this article to learn more about Regular Expressions.

Match Glob

This condition can be used in some specific cases, e.g., in File-based rules. It finds text that follows a specific pattern or 'glob'.

The * glob will match zero or more characters. For example, the pattern, glob match *.exe in the File path criteria of a File-based rule will match all the executable files.

The ? glob will match exactly one character, but you can also use more than one together. For example, glob match Sales????.doc will match “Sales2022.doc”, “SalesACME.doc”, “Sales23NA.doc”, etc.

The special ** glob (called "globstar") can be used to match any directories and subdirectories, which makes recursive directory searching easy. For example, a rule with the glob match \Users\**\Documents\*.docx condition will detect any Word document in paths like:

  • \Users\Danny\Documents

  • \Users\Brian\Documents

  • \Users\Public\Documents\Jason\Sales\Documents

  • \Users\Joe\Sensitive\Proposals\Documents

  • etc…

Match List

This is similar to the Contains condition but matches with any item on a Shared List. So, for example, if you had a shared list containing YouTube, youtube.com, youth, layout etc., then any text like, you, tube, You, Out, etc. will be detected.

Check out the Shared List section on the Teramind User Guide to learn more about Shared Lists.

Equals List

This is similar to the Equals condition but will check for an exact match with any item on a Shared List. So, for example, if you had a shared list containing YouTube, youtube.com, youth, layout etc., then any text like, youtube, Youtube, YouTube will be detected. However, you, or tube, etc. will NOT be detected.

Check out the Shared List section on the Teramind User Guide to learn more about Shared Lists.
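The six condition types above, as an added example that is not part of this guide and not Teramind’s own code: a small Python model of each condition, including a glob matcher with globstar, run against the guide’s own sample values. The assumptions are marked in the comments: Match RegExp searches for the pattern rather than anchoring it, Match List and Equals List apply Contains and Equals to each Shared List item, and a glob without a path separator such as *.exe is compared against the file name only.

```python
import re

# Constructed sample Shared List, modelled on the guide's examples.
SHARED_LIST = ["YouTube", "youtube.com", "youth", "layout"]


def contains(text: str, value: str) -> bool:
    """Contains: case-insensitive partial match (value appears anywhere in text)."""
    return value.lower() in text.lower()


def equals(text: str, value: str) -> bool:
    """Equals: case-insensitive exact match."""
    return text.lower() == value.lower()


def match_regexp(text: str, pattern: str) -> bool:
    """Match RegExp: true if the pattern is found in the text.
    Assumption: the engine searches for the pattern instead of anchoring it."""
    return re.search(pattern, text) is not None


def match_list(text: str, shared_list) -> bool:
    """Match List: the Contains condition applied to every Shared List item."""
    return any(contains(text, item) for item in shared_list)


def equals_list(text: str, shared_list) -> bool:
    """Equals List: the Equals condition applied to every Shared List item."""
    return any(equals(text, item) for item in shared_list)


def glob_to_regex(glob: str) -> str:
    """Translate a glob into an anchored regular expression.
    ?  -> exactly one character that is not a path separator
    *  -> any run of characters that does not cross a path separator
    ** -> any number of directory levels, including none (globstar)
    Both '\\' and '/' count as separators so Windows paths work as written.
    """
    parts = []
    i = 0
    while i < len(glob):
        ch = glob[i]
        if glob.startswith("**", i):
            i += 2
            if i < len(glob) and glob[i] in "\\/":
                i += 1  # '**\' swallows whole directory levels, separator included
                parts.append(r"(?:[^\\/]+[\\/])*")
            else:
                parts.append(".*")
            continue
        if ch == "*":
            parts.append(r"[^\\/]*")
        elif ch == "?":
            parts.append(r"[^\\/]")
        elif ch in "\\/":
            parts.append(r"[\\/]")
        else:
            parts.append(re.escape(ch))
        i += 1
    return "^" + "".join(parts) + "$"


def match_glob(path: str, glob: str) -> bool:
    """Match Glob against a file path (case-insensitive, like Windows paths).
    Assumption: a glob with no separator, e.g. *.exe, is compared against the
    file name only, so it matches executables in any directory."""
    if not any(sep in glob for sep in "\\/"):
        path = re.split(r"[\\/]", path)[-1]
    return re.match(glob_to_regex(glob), path, re.IGNORECASE) is not None


if __name__ == "__main__":
    # The guide's own sample values, plus a non-matching path for contrast.
    print(contains("layout", "you"), equals("YOU", "you"))
    print(match_regexp("PO123456789123", r"[a-zA-Z]{2}[0-9]{12}"))
    print(match_glob("SalesACME.doc", "Sales????.doc"))
    print(match_glob(r"\Users\Joe\Sensitive\Proposals\Documents\bid.docx",
                     r"\Users\**\Documents\*.docx"))
    print(match_glob(r"\Users\Danny\Downloads\plan.docx",
                     r"\Users\**\Documents\*.docx"))
```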

Rule Logic

Rule logic binds two or more Conditions or Content Definitions together. So, they can be applied to both the rule Conditions and the Content Definitions.

Condition Logic

[Screenshot: a condition block with the ‘Application Name’ and ‘Launch from CLI’ parameters]

Rule conditions can either have an ‘OR’ logic or an ‘AND’ logic.

  • Each value in a rule condition is considered as an ‘OR’ logic. In the above example, the rule will trigger if the ‘Application Name’ matches ‘regedit.exe’ or ‘pseditor.exe’.

  • Each condition parameter is considered as an ‘AND’ logic. In the above example, the rule will trigger only if both the ‘Application Name’ and the ‘Launch from CLI’ parameters meet their conditions.

  • If you have multiple condition blocks, each new condition is considered as an ‘OR’ logic. In the above example, if either Condition 1 or Condition 2 meets its criterion, the rule will be triggered.

You can see how the rule condition logics relate to each other on the Rule’s Summary panel.

Content Logic

When creating a Content Sharing rule with multiple content definitions, you can use logics to bind the definitions together. You can do so under the Advanced: Setup Logics section of the Content tab. Click on the logic between two definitions and a pop-up menu will appear where you can select a logic out of four options.

[Screenshot: the content logic pop-up menu]

You can see how the content definition logics relate to each other on the Rule’s Summary panel:

[Screenshot: content definition logics on the Rule’s Summary panel]

The table below explains each type of logic and how it is evaluated. In all of the examples, Definition 1 uses the tags field from the File Properties (file tags equals the text ‘CONFIDENTIAL’) and Definition 2 uses the title field (title contains the text ‘PRIVATE’):

Logic: AND
Evaluates true if: BOTH of the definitions are met.
Example: The logic will return true if file tags equals the text ‘CONFIDENTIAL’ and the title contains ‘PRIVATE’. So, basically, it will process the files that are both confidential and private.

Logic: OR
Evaluates true if: EITHER of the definitions is met.
Example: The logic will return true if file tags equals the text ‘CONFIDENTIAL’ or the title contains the text ‘PRIVATE’. So, basically, it will process the files that are either confidential or private.

Logic: AND NOT
Evaluates true if: The first definition is met AND the second definition is NOT met.
Example: The logic will return true if file tags equals the text ‘CONFIDENTIAL’ and the title does not contain the text ‘PRIVATE’. So, basically, it will process the files that are confidential and not private.

Logic: OR NOT
Evaluates true if: The first definition is met OR the second definition is NOT met.
Example: The logic will return true if file tags equals the text ‘CONFIDENTIAL’ or the title does not contain the text ‘PRIVATE’. So, basically, it will process all files except the private ones.
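To make the condition logic (values ORed, parameters ANDed, condition blocks ORed) and the four content logics concrete, here is an added Python evaluator; it is illustrative code, not Teramind’s. Condition 1 mirrors the guide’s registry-editor example and the two content definitions are the guide’s CONFIDENTIAL/PRIVATE ones; Condition 2 (diskpart.exe), the sample events and the file properties are constructed, and definitions are assumed to be chained left to right.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


def contains(text: str, value: str) -> bool:
    """Contains condition: case-insensitive partial match."""
    return value.lower() in text.lower()


def equals(text: str, value: str) -> bool:
    """Equals condition: case-insensitive exact match."""
    return text.lower() == value.lower()


@dataclass
class Parameter:
    """One CONDITION field: a rule parameter, a condition type and its values.
    Multiple values in one field are ORed, so any single value satisfies it."""
    name: str
    condition: Callable[[str, str], bool]
    values: List[str]

    def is_met(self, event: Dict[str, str]) -> bool:
        observed = event.get(self.name, "")
        return any(self.condition(observed, v) for v in self.values)


def block_is_met(block: List[Parameter], event: Dict[str, str]) -> bool:
    """Parameters inside one condition block are ANDed."""
    return all(p.is_met(event) for p in block)


def rule_is_met(blocks: List[List[Parameter]], event: Dict[str, str]) -> bool:
    """Separate condition blocks (Condition 1, Condition 2, ...) are ORed."""
    return any(block_is_met(b, event) for b in blocks)


# Constructed rule: Condition 1 follows the guide's example (a registry editor
# launched from the command line); Condition 2 is a hypothetical extra block.
APPLICATION_RULE = [
    [Parameter("Application Name", equals, ["regedit.exe", "pseditor.exe"]),
     Parameter("Launch from CLI", equals, ["yes"])],
    [Parameter("Application Name", equals, ["diskpart.exe"])],
]

# Content Sharing logics, applied to the results of two definitions.
CONTENT_LOGIC = {
    "AND": lambda a, b: a and b,
    "OR": lambda a, b: a or b,
    "AND NOT": lambda a, b: a and not b,
    "OR NOT": lambda a, b: a or not b,
}

# The guide's definitions: Definition 1 on file tags, Definition 2 on the title.
DEFINITION_1 = Parameter("tags", equals, ["CONFIDENTIAL"])
DEFINITION_2 = Parameter("title", contains, ["PRIVATE"])


def content_is_met(definitions: List[Parameter], logics: List[str],
                   file_props: Dict[str, str]) -> bool:
    """Chain definitions with the chosen logic between each neighbouring pair.
    Assumption: plain left-to-right evaluation, no operator precedence."""
    result = definitions[0].is_met(file_props)
    for logic, definition in zip(logics, definitions[1:]):
        result = CONTENT_LOGIC[logic](result, definition.is_met(file_props))
    return result


def evaluate_content_logics(file_props: Dict[str, str]) -> Dict[str, bool]:
    """How each of the four logics treats one file, as in the guide's table."""
    return {logic: content_is_met([DEFINITION_1, DEFINITION_2], [logic], file_props)
            for logic in CONTENT_LOGIC}


if __name__ == "__main__":
    # Constructed sample events and file properties.
    print(rule_is_met(APPLICATION_RULE,
                      {"Application Name": "Regedit.exe", "Launch from CLI": "yes"}))
    print(rule_is_met(APPLICATION_RULE,
                      {"Application Name": "regedit.exe", "Launch from CLI": "no"}))
    print(evaluate_content_logics({"tags": "CONFIDENTIAL", "title": "Q3 private roadmap"}))
    print(evaluate_content_logics({"tags": "PUBLIC", "title": "Lunch menu"}))
```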

Risk Level

Note that each rule also contains a Rule Violation Severity which is also treated like a risk and used in OMNI. Check out the User Guide to learn more.

On Teramind, you can assign risk levels to the rules. While optional, assigning risk levels has some advantages. It will let you analyze risk on the Risk Report, view risk trend and identify high risk users and rules.

There are two places you can assign risks:

Setting the Risk Levels in a Regular Rule

You assign a risk level to a regular rule from the Advanced Mode of the Rule Editor’s Actions tab. You can choose from: No Risk, Low, Moderate, High and Critical.

You can assign risk levels to each action block separately (you create action blocks by clicking the ADD THRESHOLD button).

Check out the Advanced Mode Actions section to learn more.

Setting the Risk Level in an Anomaly Rule

You assign a risk level to an Anomaly rule under its RULE RISK LEVEL section. You can choose from: No Risk, Low, Moderate, High and Critical. You can also turn on its ACCUMULATES RISK option. If turned on, the risk associated with the rule will be counted multiple times for multiple violations. Otherwise, it will be counted once for all violations.

Unlike the regular rules which support multilevel risk assignments, you can assign only one risk level per anomaly rule.

Rule Summary

The right-most panel of the Rules Editor shows a summary of the rule in easy-to-follow language. You can see the values used in different tabs, what conditions are used and the logical connection among them, rule actions etc.

Anomaly Rules editor does not have a Summary panel.

Creating Regular Rules

The Rules Editor is an intuitive, visual editor where you can create sophisticated threat detection, productivity optimization or data loss prevention rules easily without going through multiple screens or coding.

To access the Rules Editor, create a new rule or edit an existing rule from the Behavior > Policies menu.

Check out the Behavior section on the Teramind User Guide to learn more about creating / editing rules, managing policies etc.

Setting Up the Rule Basics

You specify the basic settings for the rule on the Rules Editor’s General tab.

On the top fields, specify a Name and optionally, a Description for the rule.

You can also specify the rule’s Tags on this tab. Tags are keywords you can assign to a rule to easily identify it. They are useful in searching for the rule and can also be used as filters (i.e. on the Risk or Alerts report).

Selecting Rule Categories and Types

You can select the Rule Category and Types of Activities (for Activity-based rules) or the Types of Content (for Content Sharing rules) from the Rules Editor’s General tab.

There are three types of rule categories you can choose from: Agent Schedule, Activity and Content Sharing. Each category further supports different activities or content types. The list below shows the use cases of each category:

Agent Schedule: Useful for detecting discrepancies in employee schedules or workflow. For example, receive a notification when an employee is late. Or, block remote login during odd hours or from unrecognized IPs.

Activity: Useful for detecting and controlling user activities for a range of monitored objects. For example, restricting app/website usage. Or, preventing file transfer operations (copy, upload, download etc.) on a folder/app/URL.

Content Sharing: Useful for protecting sensitive data. For example, block an email that contains personally identifiable information. Or, preventing file transfer operations when certain content is detected in the file.

Type of Activity / Content

Notes:

  • Content Sharing rules are only available on Teramind DLP

  • OCR rule is only available on Teramind Enterprise

  • Teramind Starter only has these rules available: Agent Schedule, Webpages, Applications, IM, Browser Plugins, Registry, Windows Log Event

Defining Users

You specify the users for the rules on the Rules Editor’s User tab.

Here you specify which users, groups, departments or computers the rule will apply to. If you select a computer, the rule will apply to all the users on that computer.

By default, the rule will inherit the user settings from the policy the rule is a part of. However, you can turn off the INHERIT POLICY SETTINGS to select users manually.

You can specify who the rule will apply to and optionally, exclude anyone you don’t want to be included using the EXCLUDE FROM RULE field.

Check out the Knowledge Base to learn how to add users/computers or add groups/departments.

Defining Detection Criteria

After you have decided what type of rule you need and which users the rule will apply to, the next part is defining the detection criteria and scope. You will specify what, how or when the rule will be activated. You do this by selecting different parts of the selected Activity Type or Content Type, for example the URL of the Webpage activity or the Application Name of the Clipboard content. You can then specify Condition Logics against the part(s) and the values you want to detect. Here is how a detection criterion may look:

[Screenshot: a detection criterion in the Rules Editor]

Agent Schedule Rules: What Schedule Violations Can You Detect (Windows)?

You can specify the detection criteria for the Agent Schedule-based rules from the Schedule tab. Agent Schedule-based rules are the easiest to define, as most of them deal with only one detection criterion: schedule/time.

Agent Schedule-based rules use the employee schedules to determine their detection criteria. Check out the Schedules section on the Teramind User Guide to learn how to configure schedules for employees.

Agent Schedule Rule Examples

  • Get notified when a user attempts to login during abnormal hours or on off days.

  • Warn users or automatically lock their computer if they are idle for too long.

  • Notify supervisor automatically when an employee is absent or late.

  • Notify HR and/or payroll if employee’s work time or scheduled work hours change.

  • Create a list or range of restricted IPs and disallow login from those IPs.

Agent Schedule Rule Criteria

The table below explains what criteria or schedule violation incidents the Agent Schedules supports and what conditions you can use with them.

Daily Work Time

Used to detect if there are any discrepancies in the employee’s daily work time. You can detect if their work hours are less than or more than the specified hour(s).

Select either IS LESS THAN or IS GREATER THAN and enter an hour value in the SPECIFY VALUE field.

Scheduled Work Time

Used to detect if the employee is working longer or shorter than scheduled.

Select either IS SHORT BY or IS OVER BY and enter a minute value in the SPECIFY VALUE field.

Starts Early

Detects if the employee started their work earlier than scheduled, by specified minutes.

Enter a minute value in the DEFINE THE TIME RANGE field.

Ends Early

Detects if the employee ends their work earlier than scheduled, by specified minutes.

Enter a minute value in the DEFINE THE TIME RANGE field.

Ends Late

Detects if the employee ends their work later than scheduled, by specified minutes.

Enter a minute value in the DEFINE THE TIME RANGE field.

Arrives Late

Detects if the employee starts their work later than scheduled, by specified minutes. Note that, unlike the ‘Is Late’ condition, this will trigger the rule after the employee has logged in.

Enter a minute value in the DEFINE THE TIME RANGE field.

Is Absent

Detects if the employee is absent.

No value is required.

Is Late

Detects if the employee is late in logging in to their computer according to their scheduled start time. Note that, unlike the ‘Arrives Late’ condition, this will trigger the rule before the employee has logged in.

Enter a minute value in the DEFINE THE TIME RANGE field.

Works on Day-Off

Detects if the employee is working on their day off.

No value is required.

Login (Hidden Agent)

Detects if the employee logs in during off hours and optionally also detects if they are trying to login from a restricted IP.

Set the off-hour range on the SETUP THE OFF-HOURS slider. You can click the + / - buttons to add/remove hours. Drag the slider Circles to adjust the hours.

You can restrict the IPs from which login is not permitted in the RESTRICTED IPS field. You can enter any text in the IPv4 format, e.g. 101.10.2.1/32, and choose an ‘Equals’ or ‘Not Equals’ condition. Or, you can select a Shared List (Network-based) and specify a ‘Match List’ or ‘Does Not Match’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

If you check the ‘Apply on screen unlock’ box, then the login event will be triggered when the user unlocks their screen. Click on the days under the EXCLUDE DAYS section to include/exclude days in the detection criterion.

This criterion works for Hidden/Silent Agent only.

Idle

Detects if the employee is idling (no keyboard or mouse activity) for more than specified minutes.

Enter a minute value in the DEFINE THE TIME RANGE field.

You can also set off-hours (breaks) by dragging the sliders under SETUP OFF-HOURS. The rule will be suspended during the off-hours. Click the small - or + buttons to add as many breaks as you want.

  • The Idle criterion generates a single alert when the rule is violated. That is, the rule triggers once the user has been idle for the duration set as the rule's threshold (the DEFINE THE TIME RANGE field). In the above case, the user will get a warning at the 30-minute mark. If the user continues to stay idle, they will not receive any more warnings. However, if the user becomes active and then goes idle again, the rule will reset and issue a warning after another 30 minutes.
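
To make the single-alert behaviour concrete, here is an added example (not Teramind code) that replays a constructed minute-by-minute activity timeline through a detector with the semantics described above: one alert when the idle threshold is reached, no repeats while the same idle period continues, a reset as soon as the user is active again, and no evaluation inside the off-hours breaks. How a break interacts with the idle clock (the clock restarts when the break ends) is an assumption.

```python
from typing import Iterable, List, Sequence, Set, Tuple

# Added example, not Teramind code: a model of the Idle rule's alert semantics.
# Time is measured in minutes since the start of the session; a minute counts as
# "active" when keyboard or mouse input was seen during it.


def idle_alerts(
    active_minutes: Iterable[int],
    session_end: int,
    threshold: int = 30,                        # the DEFINE THE TIME RANGE value
    off_hours: Sequence[Tuple[int, int]] = (),  # SETUP OFF-HOURS breaks as [start, end)
) -> List[int]:
    """Return the minutes at which the Idle rule fires.

    - Fires once when the user has been idle for `threshold` minutes.
    - Stays silent while that same idle period continues.
    - Resets as soon as activity is seen, so a later idle period alerts again.
    - Is suspended during off-hours; by assumption the idle clock restarts when
      a break ends, so a lunch break does not alert the moment it is over.
    """
    active: Set[int] = set(active_minutes)
    alerts: List[int] = []
    idle_since = 0      # session start counts as the last moment of activity
    alerted = False     # True once the current idle period has produced its alert

    for minute in range(session_end + 1):
        in_break = any(start <= minute < end for start, end in off_hours)
        if minute in active:
            idle_since, alerted = minute, False   # activity resets the rule
            continue
        if in_break:
            idle_since, alerted = minute, False   # suspended; clock restarts after the break
            continue
        if not alerted and minute - idle_since >= threshold:
            alerts.append(minute)                  # the single warning for this idle period
            alerted = True
    return alerts


if __name__ == "__main__":
    # Constructed timeline: input until minute 10, silence until 70, one event, silence to 120.
    timeline = [0, 5, 10, 70]
    print(idle_alerts(timeline, 120))                         # [40, 100]
    print(idle_alerts(timeline, 120, off_hours=[(35, 50)]))   # [100]
```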

Activity Rules: What Activities Can You Detect (Windows & Mac)?

You can specify the detection criteria for the Activity-based rules from their respective activity tab(s). For example, if you selected Webpages and Emails from the Type of Activity section (in the General tab), you will have two tabs called ‘Webpages’ and ‘Emails’ where you can add the rule conditions and values.

Webpages (Windows & Mac)

Webpages activity allows you to detect web browsing activities through URL, title and query arguments and browsing-related timing (i.e. idle/active).

Webpages Rule Examples

  • Warn users when spending excessive time on social media or entertainment sites such as YouTube.

  • Restrict access to non-whitelisted/unauthorized websites but allow managers to override if needed.

  • Find out potential turnover by checking if employees are searching on jobsites. Get notified if the time spent on such sites exceeds a threshold.

Webpages Rule Criteria

The table below shows what criteria the Webpages activity supports and what conditions you can use with them.

On Mac, only the following criteria are supported: Webpage URL, Webpage Title, Request Type, Query Argument Name and Private Mode (Safari only).

Webpage URL

Any

Lets you detect if a webpage is visited.

If you use this option without any other criteria, Teramind will trigger the rule anytime a webpage is visited.

Webpage URL

Used to detect a URL (webpage address) or part of a URL.

You can enter some text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs in the EXCEPT field.

To avoid false positives, we recommend using most of the URL or the full URL if possible, when using any of the conditions. For example, use “https://www.facebook.com” instead of “facebook”.

Webpage Title

Similar to the Webpage URL criterion, just use the webpage title instead.

Browser

Allows you to specify one or more browsers to detect. You can choose from the list of predefined browsers. You can also enter the browser’s process name (for example, enter msedge.exe for Microsoft Edge browser). See the notes* below for more information.

If you type a browser name instead of choosing one from the list, you can enter some text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

You can exclude any browser(s) from the condition in the EXCEPT field.

*Tracking Browsers not in the Predefined List

If you want to use the Browser criterion with a browser not in the predefined list, you will need to include it in the TRACK PROCESSES field (Monitoring Settings > select a monitoring profile > Network). For example, if you want to detect if the user is browsing a particular site (e.g., teramind.co) on the Epic Privacy Browser, you will need to specify it in the TRACK PROCESSES field and then use a rule like this:

If you don’t include the process name in the TRACK PROCESSES field, the rule might not work.

Query Argument Name

A query argument name is the portion of a URL where data is passed to a website. It usually starts with a ‘?’ or ‘&’. For example: www.contacts.com/saved?company=teramind. Here, company is the query argument name.

Using this criterion, you can create interesting detection rules. For example, by checking for the compose argument in the Gmail website, you can detect if the user is composing an email. Combining this with the Webpage URL or Webpage Title criterion, you can detect more granular activities. For example, using the text new in the Webpage URL and specifying compose in the Query Argument Name, you can tell whether a user is composing a new mail or editing an existing draft.

Private Mode

This criterion can be used to detect private/incognito/anonymous browsing.

  • Windows: this criterion isn't supported on Firefox at the moment.

  • Mac: only Safari is supported at the moment.

Request Type*

This criterion allows you to further fine-tune when the rule action will trigger when the user visits a URL specified in the Webpage URL condition. It has two options:

  • Webpage Visited: detects visited pages, downloaded files, etc. When you select this option, the rule will trigger only when the user visits the webpage specified in the Webpage URL condition and not on any automated/background browser request. Previously, there was no way to distinguish user-initiated requests from secondary resource requests, which caused false positives.

    Consider this scenario:

    1. You have a rule that blocks a Webpage URL, twitter.com.

    2. User visits some unrelated website, such as news.com.

    3. The user is blocked from visiting news.com because that website made a query to get some ads from twitter.com.

    If you enable the Request Type > Webpage Visited option, the user can now visit news.com without the rule getting triggered.

  • Requested Resource: detects browser requests for static content, e.g., JS, CSS, images, etc., pages opened through an iframe, as well as API requests.

    Consider this scenario:

    1. You have a rule that blocks a Webpage URL, facebook.com.

    2. User visits some unrelated website, such as news.com which has some Facebook ads.

    If you enable the Request Type > Requested Resource option, the user will be allowed to visit news.com freely but the ads from Facebook will not load (404 error).

The Request Type criterion is only shown when you have already selected a Webpage URL criterion.

* This feature may not work properly on older browsers. You need at least Chrome version 79, Edge version 79, Firefox version 89, Opera version 66, etc.
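
The two scenarios above, replayed as an added example that is not Teramind code: a small model of a Webpage URL block rule evaluated per browser request, where the Request Type criterion decides whether page visits, sub-resource requests or both can trigger it. The data model (Rule, PageLoad, the operator names and the rule that a blocked sub-resource aborts the page load when no Request Type is set) is an assumption drawn from the text.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not Teramind code: how a Webpage URL block rule behaves with and
# without the Request Type criterion. All names below are assumptions.


@dataclass
class Rule:
    url_condition: str                    # value typed in the Webpage URL CONDITION field
    operator: str = "contains"            # 'contains' | 'equals' | 'regexp' (Match RegExp)
    except_urls: Tuple[str, ...] = ()     # EXCEPT field, matched with 'contains'
    request_type: Optional[str] = None    # None | 'visited' | 'resource'


@dataclass
class PageLoad:
    """One user-initiated navigation plus the sub-resources that page fetched
    (ads, scripts, stylesheets, iframes, API calls)."""
    navigation: str
    subresources: List[str] = field(default_factory=list)


def url_matches(rule: Rule, url: str) -> bool:
    """Apply the EXCEPT exclusions, then the CONDITION operator."""
    if any(exc in url for exc in rule.except_urls):
        return False
    if rule.operator == "contains":
        return rule.url_condition in url
    if rule.operator == "equals":
        return rule.url_condition == url
    if rule.operator == "regexp":
        return re.search(rule.url_condition, url) is not None
    raise ValueError(f"unknown operator {rule.operator!r}")


def request_triggers(rule: Rule, url: str, is_navigation: bool) -> bool:
    """Does a single browser request satisfy the rule's condition block?"""
    if rule.request_type == "visited" and not is_navigation:
        return False        # Webpage Visited: background/sub-resource requests are ignored
    if rule.request_type == "resource" and is_navigation:
        return False        # Requested Resource: the page visit itself is ignored
    return url_matches(rule, url)


def page_outcome(rule: Rule, page: PageLoad) -> Tuple[str, List[str]]:
    """Outcome of a Block action for a whole page load.

    Returns ("blocked", triggering_urls) when the user cannot view the page, or
    ("loaded", blocked_resources) when the page opens and only the matching
    sub-resources are blocked (the 404 behaviour described for ads).
    """
    if request_triggers(rule, page.navigation, True):
        return "blocked", [page.navigation]
    hits = [u for u in page.subresources if request_triggers(rule, u, False)]
    if hits and rule.request_type is None:
        # Without a Request Type, a blocked sub-resource aborts the page load:
        # the false positive the text describes for news.com and twitter.com.
        return "blocked", hits
    return "loaded", hits


if __name__ == "__main__":
    # Constructed page loads; none of these requests were captured from a real browser.
    news = PageLoad("https://news.com/story",
                    ["https://ads.twitter.com/pixel.js", "https://news.com/app.css"])
    print(page_outcome(Rule("twitter.com"), news))                          # blocked by the ad
    print(page_outcome(Rule("twitter.com", request_type="visited"), news))  # loads cleanly
    print(page_outcome(Rule("facebook.com", request_type="resource"),
                       PageLoad("https://news.com", ["https://www.facebook.com/plugins/like.php"])))
```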

Time Active

Used to detect how long the user has been active on the website.

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

The Time Active criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.

Time Idle

Similar to the Time Active criterion but detects how long the user has been idle/inactive on the site.

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

  • The Time Idle criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.

  • This criterion works independently of the IDLE TIME THRESHOLD value on the Monitoring Settings > Applications window.

Time Focused

Time Focused = Time Active + Time Idle.

It detects if the user stayed on a webpage for the specified duration. It doesn’t matter whether the user was active (e.g., keyboard/mouse is used) or idle (no keyboard/mouse activity); as long as they stayed on the webpage without switching to other webpages/tabs/windows, the condition will be triggered.

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

The Time Focused criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.

Total Time Active

Similar to the Time Active criterion but detects the total active time accumulated in a day (the counter resets the next day).

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

The Total Time Active criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.

Total Time Idle

Similar to the Time Idle criterion but detects the total idle time accumulated in a day (the counter resets the next day).

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

The Total Time Idle criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.

Total Time Focused

Similar to the Time Focused criterion but detects the total focused time accumulated in a day (the counter resets the next day).

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

The Total Time Focused criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.

Applications (Windows & Mac)

Applications activity allows you to detect the launch of any application including the ones run from the command line interface or through the Windows Run command.

Applications Rule Examples

  • Detect and block when a dangerous application (e.g., Windows Registry Editor) or an unauthorized application is launched.

  • Warn users when spending time on unproductive applications such as games, music/video players etc.

  • Detect when anonymous browsers, such as Tor, are used.

  • Detect when screen sharing applications, snipping tools or peer-to-peer file sharing/torrent software are used.

Applications Rule Criteria

The table below explains what criteria the Applications activity supports and what conditions you can use with them.

On Mac, only the Application Name, Application Caption and the Time Active (min), Time Idle (min), Time Focused (min), Total Time Active (min), Total Time Idle (min), Total Time Focused (min) criteria are supported at the moment.

Any

Lets you detect if an application is launched.

If you use this option without any other criteria, Teramind will trigger the rule anytime any application is launched.

Application Name

Used to detect the name or part of the name of an application. For example: ‘regedit.exe’.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

Application Caption

Similar to the Application Name criterion, just use the application caption instead. For example: ‘Registry Editor’.

Launched from CLI

Detects if an application is launched from the CLI (Command Line Interface).

Select YES or NO.

Running elevated

Detects if an application is launched with elevated permission using Windows User Account Control (UAC).

An app is usually run elevated when you launch it from the Windows Start menu while holding down the SHIFT+CTRL keys, or when you right-click it in Windows Explorer and select the Run as administrator option. An application also runs elevated when it may make changes to the system (e.g., software being installed for all users instead of just the current user). In such cases, Windows invokes UAC and the application is considered to be running elevated.

This criterion will help enhance the security of your system as software that usually requires admin permission might make changes to your system. It can also help you mitigate the impact of malware and prevent unauthorized privilege escalation, etc.

Select YES or NO.

Command Line Arguments

Command line arguments are additional parameters, options or values passed to an application when launching it from the CLI. They usually start with a ‘/’, ‘-’ or a space after the application name. For example:

c:\ipconfig /renew. Here, renew is an argument.

Using this criterion, you can, for example, disable certain functions of an application. In the second screenshot on the left, we blocked the launch of the ipconfig application when the release or renew arguments are used; otherwise, it runs as usual. You can only use a text value with the ‘Contains’, ‘RegExp’ or exact text match conditions in the CONDITION field.

The Command Line Arguments criterion is only shown when you have already selected YES for the Launched from CLI criterion.

Time Active

Used to detect how long the user has been active on an application.

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

The Time Active criterion is only shown when you have already selected an Application Name or an Application Caption criterion.

Time Idle

Similar to the Time Active criterion but detects how long the user has been idle/inactive on an application.

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

  • The Time Idle criterion is only shown when you have already selected an Application Name or an Application Caption criterion.

  • This criterion works independently of the IDLE TIME THRESHOLD value on the Monitoring Settings > Applications window.

Time Focused

Time Focused = Time Active + Time Idle.

It detects if the user stayed on an application for the specified duration. It doesn’t matter whether the user was active (e.g., keyboard/mouse is used) or idle (no keyboard/mouse activity); as long as they stayed on the app without switching to other apps, the condition will be triggered.

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

The Time Focused criterion is only shown when you have already selected an Application Name or an Application Caption criterion.

Total Time Active

Similar to the Time Active criterion but detects the total active time accumulated in a day (the counter resets the next day).

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

The Total Time Active criterion is only shown when you have already selected an Application Name or an Application Caption criterion.

Total Time Idle

Similar to the Time Idle criterion but detects the total idle time accumulated in a day (the counter resets the next day).

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

  • The Total Time Idle criterion is only shown when you have already selected an Application Name or an Application Caption criterion.

  • This criterion works independently of the IDLE TIME THRESHOLD value on the Monitoring Settings > Applications window.

Total Time Focused

Similar to the Time Focused criterion but detects the total focused time accumulated in a day (the counter resets the next day).

You can enter a minute value in the CONDITION field and use the ‘>=’ logic.

The Total Time Focused criterion is only shown when you have already selected an Application Name or an Application Caption criterion.

OS Version

Can be used to detect the name or part of the name of the operating system installed on the user's computer. For example: ‘Windows 10’, ‘Windows 11’, etc. As an example, you can use this criterion to block certain apps on Windows 10 but not on Windows 11.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any operating systems you do not want to track in the EXCEPT field.

Notes:

  1. This feature is available on request. Please contact your customer service representative to activate this feature on your instance.

  2. Minimum Windows Agent 24.35.1996 and Server 24.35.5836 are required to use this feature.

OCR (Windows & Mac)

The OCR detects on-screen text in real-time, even inside images or videos. It works with multi-screen setups, virtual desktops and terminal servers. By default, OCR detects English text, but you can also use a few other languages (check out the Teramind Agent specifications and supported platforms article to learn which languages are supported).

You can change the OCR language from Monitoring Settings > OCR.

OCR Rule Examples

  • Generate an alert when a user sees a full credit card number on the screen violating the PCI DSS compliance requirements.

  • Get notified when your employees visit sites that contain illegal or questionable content, such as: hacking, pornographic or piracy related content.

  • Detect if an unauthorized user is viewing a document that contains sensitive words.

  • Prevent steganographic data exfiltration by detecting information hidden inside images or videos.

OCR Rule Criteria

The table below shows what criteria the OCR supports and what conditions you can use with them.

On-Screen Text

Used to specify the text to detect on-screen.

You can choose from ‘Contains’, ‘Match regexp’ or ‘Match list’ with any text as conditions. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify an ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can use the EXCEPT field to detect any text except the text defined in this field.

Be careful while using the EXCEPT field as it will detect all text on the screen except the ones you exclude, triggering the rule every time!

If you are using any regular expressions (e.g., Match regexp, or Match list with a regular expression based shared list) in the On-Screen Text field, please remember that Teramind supports the Elasticsearch regular expression syntax for OCR rules. More information is available in the Elastic documentation.

Application Name

Used to specify the applications in which the OCR content will be detected.

You can choose from ‘Contains’, ‘Equals’ or ‘Equals List’ with any text as conditions. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify an ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

Keystrokes (Windows & Mac)

Keystrokes activity is used to detect keystrokes entered by the users in applications or websites. In addition to regular keys, you can also detect the clipboard operations (copy/paste commands), use of special keys such as the Print Screen or multiple simultaneous keypress or combo keys such as CTRL+C.

Keystrokes Rule Examples

  • Detect if someone is taking screenshots with the likely intention of stealing information.

  • Detect if an employee is using unprofessional language with a customer on live chat.

  • Detect a user reusing easy-to-guess passwords, creating a security risk.

  • Disable keyboard macros or select combo keys in certain applications or for some users.

Keystrokes Rule Criteria

The table below shows what criteria the Keystrokes activity supports and what conditions you can use with them.

On Mac, only the following criteria are supported: Text Typed, Word Typed, and Application Name.

Text Typed

Used to detect continuous text without any word break. For example, if text typed = “password”, the rule will be triggered when the last letter ‘d’ is typed.

You can enter any text in the CONDITION field and choose the ‘Contains’ or ‘Match RegExp’ option. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify an ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text you do not want to detect in the EXCEPT field.

Word Typed

Used to detect a whole word followed by a word break. For example, if word typed = “password”, the rule will be triggered when you finish typing the word and then type a separator key, such as <Space>, ‘!’ or ‘.’ (dot).

You can enter any text in the CONDITION field and choose the ‘Contains’, ‘Equals’ or ‘Match RegExp’ option. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify an ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any word you do not want to detect in the EXCEPT field.

Difference Between Text Typed and Word Typed

Text Typed will detect any partial text while Word Typed will detect only full words. For example, if you are looking to detect club and the user types golfclub, Text Typed will detect it but Word Typed will not. If the user types golf club, then both the Text Typed and Word Typed criteria will detect the keystrokes.
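
The difference described above, as an added example that is not Teramind code: two small detectors fed the same keystroke stream one key at a time, one with Text Typed semantics (fires on the final letter, word breaks ignored) and one with Word Typed semantics (fires only when a separator closes a whole word, with exact or regular-expression matching). The set of separator keys and the 1-based keystroke positions reported are assumptions.

```python
import re
from typing import Any, Callable, List, Optional

# Added example, not Teramind code: models the Text Typed and Word Typed criteria
# as the text describes them, one keystroke at a time.

WORD_BREAKS = set(" \t\n\r.,;:!?")   # assumed separator keys (<Space>, '!', '.', ...)


class TextTypedDetector:
    """Text Typed: fires the moment the typed stream ends with the target,
    regardless of word breaks (so "password" fires on its final 'd')."""

    def __init__(self, target: str):
        self.target = target
        self.buffer = ""

    def feed(self, key: str) -> bool:
        # Keep only the last len(target) keys: that is all a 'Contains' match needs.
        self.buffer = (self.buffer + key)[-len(self.target):]
        return self.buffer == self.target


class WordTypedDetector:
    """Word Typed: fires only when a complete word is closed by a separator key
    and that word equals the target (or fully matches the 'Match RegExp' pattern)."""

    def __init__(self, target: Optional[str] = None, regexp: Optional[str] = None):
        if (target is None) == (regexp is None):
            raise ValueError("give exactly one of target or regexp")
        self.target = target
        self.pattern = re.compile(regexp) if regexp else None
        self.word = ""

    def feed(self, key: str) -> bool:
        if key not in WORD_BREAKS:
            self.word += key          # still inside a word: nothing to decide yet
            return False
        word, self.word = self.word, ""   # the separator closes the word
        if not word:
            return False
        if self.pattern is not None:
            return self.pattern.fullmatch(word) is not None
        return word == self.target


def fire_positions(make_detector: Callable[[], Any], typed: str) -> List[int]:
    """Feed `typed` key by key; return the 1-based keystroke positions at which the rule fired."""
    detector = make_detector()
    return [i for i, key in enumerate(typed, start=1) if detector.feed(key)]


if __name__ == "__main__":
    # Constructed keystroke streams from the text's own example.
    for stream in ("golfclub ", "golf club."):
        print(repr(stream),
              "Text Typed:", fire_positions(lambda: TextTypedDetector("club"), stream),
              "Word Typed:", fire_positions(lambda: WordTypedDetector("club"), stream))
```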

Special Key Typed

You can detect special keys such as the function keys (e.g., F1), PrtScr or key combinations such as <Shift+P>. When you select the Special Key Typed criterion and click on the CONDITION field, Teramind will pop up a virtual keyboard where you can select the special keys.

Application Name

Specifies which applications will be tracked.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

The Application Name criterion is only shown when you have already selected a Text Typed or Word Typed criterion. Also, if you use this criterion, you cannot use the Webpage URL criterion in the same condition block. However, you can use both criteria in separate condition blocks (e.g., Condition 1 and Condition 2).

Webpage URL

Used to detect a URL (webpage address) or part of a URL.

You can enter some text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs in the EXCEPT field.

The Webpage URL criterion is only shown when you have already selected a Text Typed or Word Typed criterion. Also, if you use this criterion, you cannot use the Application Name criterion in the same condition block. However, you can use both criteria in separate condition blocks (e.g., Condition 1 and Condition 2).

Files (Windows & Mac)

Files activity lets you detect file operations such as access, read, write, upload, download, create folder, rename folder, etc. Each operation allows you to further specify additional detection criteria. For example, the Download operation lets you detect the program, file name, URL and file size.

Note that Teramind cannot track the copy operation for a file from one network server to the same network server (i.e., the source and destination are the same server). For example, copying a file from \\103.247.55.101\source_folder to \\103.247.55.101\destination_folder cannot be tracked. Copying to and from the same local drive is detected as usual.

Also, copying an empty file cannot be tracked, since the system cannot distinguish between the file create and copy operations when the file has zero size.

Note that not all criteria are available for all file operations. Teramind will automatically show or hide the criteria based on which file operation you select. For example, if you select the Insert or the Eject operation, you will only see the Program and Drive criteria. Or, when you select the Copy or Move operation, you will see options to specify the source (e.g., Source file path, Source network host, Source drive, etc.).

Select a file operation by clicking the CONDITION field. Click the Plus (+) button to add a criterion to the operation.

If you choose the ‘Any’ file operation without any other criteria, Teramind will trigger the rule for any file operations.

Files Rule Examples

  • Detect/block access to sensitive folders.

  • Make a folder or drive write-protected, preventing any changes to the files in that folder.

  • Get notified when files are uploaded to cloud sharing sites, such as Dropbox, Google Drive etc.

  • Block files from being copied to/from removable media, such as USB drives.

  • Prevent changes of program settings or tampering of configuration files.

  • Block certain file transfer protocols, such as FTP.

  • Restrict the transfer of large files.

Files Rule Criteria

On Mac, only the following criteria and conditions are supported:

  • File Operation conditions: Access, Copy, Write, Rename and Delete.

  • Program conditions: Contains and Equals.

  • File Path conditions: Contains and Equals.

  • Drive conditions: All drives and All external drives.

The table below describes the criteria you can use for the Files activity, and which file operations are supported for each criterion.

Program

Lets you specify in which program/app the file operation took place.

You can choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’.

Similarly, you can exclude any programs you do not want to track in the EXCEPT field.

Network Host

Used for network-based file operations. It detects the host name of the file operation. For example: http://sharepoint.com, ftp://filevault.net etc.

You can choose from ‘Contains’, ‘Equals’, ‘All Shares’. Or, you can select a Shared List (Network-based) and specify a ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any hosts you do not want to track in the EXCEPT field.

This criterion is not supported in: Insert, Eject, Download and Upload operations.

Source Network Host

Similar to the Network Host criterion but detects the source network host of a Copy or Move operation.

This criterion is only available with the Any, Copy, Move and Rename operations.

File Path

Used to detect a parent folder, file name or file extension. For example: document, c:\windows etc. File extensions identify a file type and usually start with a ‘.’ (dot). For example: .doc, .pdf etc. Note: you do not need to specify the ‘.’ when entering the extension.

You can choose from various ‘Contains’, ‘Equals’ and ‘Match’ conditions. When using one of the ‘Match’ options, you can use wildcards such as *, ?, [abc], [a-z], etc. For example, ?at will match Cat, cat, Bat or bat.

This criterion is not supported in: Insert, Eject, Download and Upload operations.

Source File Path

Similar to the File Path criterion but detects the source folder, file name or extension of a Copy or Move operation.

This criterion is only available with the Any, Copy, Move and Rename operations.

Drive

Detects the local, network or external drives.

You can enter a drive name (e.g., ‘c’) and select that particular drive or choose from ‘All Drives’ or ‘All External Drives’ conditions.

This criterion is not supported in: Download and Upload operations.

Source Drive

Similar to the Drive criterion but detects the source drive of a Copy or Move operation.

This criterion is only available with the Any, Copy, Move and Rename operations.

Cloud Provider

Used to detect the cloud provider.

You can choose from ‘All Cloud Providers’, ‘Dropbox’, ‘Google Drive’, ‘OneDrive’ or ‘Box’.

Similarly, you can exclude any providers you do not want to track in the EXCEPT field.

This criterion is not supported in: Insert, Eject, Download and Upload operations.

Source Cloud Provider

Similar to the Cloud Provider criterion but detects the source cloud provider of a Copy or Move operation.

This criterion is only available with the Any, Copy, Move and Rename operations.

RDP File Transfer

Detects if the file copy operation is done over an RDP (Remote Desktop Protocol) session. This happens when you connect to a remote computer and copy files to/from it.

You can select either YES or NO.

This criterion is only supported in the Copy operation.

Download File Name

Lets you detect the download file name.

You can choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’.

Similarly, you can exclude any files you do not want to track in the EXCEPT field.

This criterion is only supported in the Download operation.

Download URL

Similar to the Download File Name criterion but used to detect the download URL instead.

This criterion is only supported in the Download operation.

Download File Size

Used to detect the size (in bytes) of the file being downloaded.

You can enter a byte value in the CONDITION field and use the ‘=’, ‘>’, ‘<’ or ‘>=’ logic.

Similarly, you can use the EXCEPT field to specify an exception.

This criterion is only supported in the Download operation.

Upload File Name

Similar to the Download File Name criterion but used for Upload operation instead.

This criterion is only supported in the Upload operation.

Upload URL

Similar to the Download URL criterion but used for the Upload operation instead.

This criterion is only supported in the Upload operation.

Upload File Size

Similar to the Download File Size criterion but used for the Upload operation instead.

This criterion is only supported in the Upload operation.

Upload Via

Lets you detect what kind of application or protocol is used for the upload operation.

You can choose from ‘FTP’, ‘SMTP’, ‘Outlook’ or ‘Browser’.

Similarly, you can use the EXCEPT field to ignore any protocol/application you do not want to track.

This criterion is only supported in the Upload operation.

Emails (Windows)

Emails activity lets you detect outgoing and incoming emails including any email attachments.

Emails Rule Examples

  • Prevent attaching files from certain location(s), such as a folder, a network path or a cloud drive.

  • Restrict sending of work emails from personal email accounts.

  • Prevent sending of attachments to non-business addresses.

  • Detect if a competitor is contacting your employees or vice versa.

  • Get notified if a user is sending emails with large attachments.

Emails Rule Criteria

The table below shows what criteria the Email activity supports and what conditions you can use with them.

Any

Lets you detect if an email is sent or received. If you use this option without any other criteria, Teramind will trigger the rule anytime an email is sent or received.

Mail Body


Used for detecting text inside the mail body.

You can choose from ‘Contains’ or ‘RegExp’ with any text. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail Subject


Used for detecting text inside the mail subject.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail CC


Detects the CC addresses in an email.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail To


Similar to Mail CC criterion but used to detect the Mail To addresses instead.

Mail From


Similar to Mail CC and Mail To criterion but used to detect the Mail From addresses instead.

Mail Direction


Lets you detect if the mail is being sent or received.

Select either the INCOMING or OUTGOING option.

Mail Client


Used to specify the mail client you want to detect.

You can choose from ‘Gmail’, ‘Outlook Client’, ‘Outlook Web Client’, ‘Live.com’, ‘Yahoo Mail’, and ‘Yandex Mail’. Teramind keeps adding support for new clients so you might see more clients than mentioned here.

Similarly, you can exclude any client(s) you do not want to track in the EXCEPT field.

Has Attachments


Used to detect if the mail has any attachment.

Select either the YES or NO option.

Attachment Name


Used to detect the names or extensions for the attached files. A file extension is used to identify a file type and usually starts with a ‘. (dot)’. For example: .doc, .pdf etc. Note: you do not need to specify the ‘.’ when entering the extension.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can check for file extensions using one of the ‘Extension Contains’, ‘Extension Equals’, ‘Extension Does Not Contain’ options.

The Attachment Name criterion is only shown when you have already selected YES for the Has Attachments criterion.

Mail Size


Used to detect the size (in bytes) of the mail.

You can enter a byte value in the CONDITION field and use the ‘=’, ‘>’, ‘<’ or ‘>=’ operators.

Similarly, you can use the EXCEPT field to specify an exception.

IM – Instant Messaging (Windows)

The IM activity lets you detect instant messaging conversations and group chats in popular IM apps such as Skype and Slack. You can detect both incoming and outgoing messages, detect the participants and search the message body for keywords or text.

IM Rule Examples

  • Restrict messages to/from select contacts.

  • Detect if a user is in contact with suspicious people or criminal groups.

  • Monitor support chat conversations to improve quality of customer service and SLA.

  • Get notified if the chat body contains specific keywords or sensitive phrases such as lawsuit threats, angry sentiments, sexual harassment etc.

IM Rule Criteria

The table below shows what criteria the IM activity supports and what conditions you can use with them.

Any


Lets you detect if an IM is sent or received.

If you use this option without any other criteria, Teramind will trigger the rule anytime an IM is sent or received.

Message Body


Used for detecting text inside the message body.

You can choose from ‘Contains’ or ‘RegExp’ with any text. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Message Direction


Lets you detect if the message is being sent or received.

Select either the INCOMING or OUTGOING option.

Messaging App


Used to specify the messaging app you want to detect.

You can choose from ‘Facebook’, ‘Skype Web’, ‘Skype for Business’, ‘LinkedIn’, ‘Google Hangouts’, ‘WhatsApp Web’, ‘Slack Web’, ‘Slack’, ‘Microsoft Team Web’ and ‘Microsoft Team’. Teramind keeps adding support for new apps, so you might see more apps than mentioned here.

Similarly, you can exclude any app(s) you do not want to track in the EXCEPT field.

Contact Name


Used to detect the contacts/participants of the IM conversation.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text as conditions.

Similarly, you can exclude any contacts you do not want to track in the EXCEPT field.

Browser Plugins (Windows)

The Browser Plugins activity lets you detect which browsers and browser plugins/extensions are in use, what they are doing and what data they are accessing.

Browser Plugins Rule Examples

  • Restrict the use of a browser, for example an older version with known security flaws.

  • Block the installation of browser plugins and extensions by regular users to prevent malware infections and security or privacy breaches.

  • Prevent a plugin from utilizing certain permissions such as the ability to access critical proxy settings or user data.

Browser Plugins Rule Criteria

The table below shows what criteria the Browser Plugins activity supports and what conditions you can use with them.

Any


Lets you detect if a browser is launched/activated.

If you use this option without any other criteria, Teramind will trigger the rule anytime a browser is launched or activated.

Browser


Used to specify the browser you want to detect.

You can choose from ‘Chrome’, ‘Opera’, ‘Firefox’, ‘Internet Explorer’ or ‘All Browsers’. Teramind keeps adding support for new browsers, so you might see more browsers than mentioned here.

Similarly, you can exclude any browser(s) you do not want to track in the EXCEPT field.

Plugin Permissions


You can detect what permissions the plugin is using.

You can choose from any of these conditions:

  • Proxy VPN – detects if the plugin is accessing the browser’s proxy settings.

  • Request – detects if the plugin is making a web request. This permission allows a plugin to observe and analyze traffic and intercept, block, or modify web requests.

  • User Data – detects if the plugin is accessing any user data such as cookies.

Similarly, you can exclude any permission you do not want to track in the EXCEPT field.

Printing (Windows & Mac)

The Printing activity lets you detect print jobs sent to local or network printers. You can use criteria such as the document name, the printer name and the number of pages being printed.

Printing Rule Examples

  • Prevent data leaks over hard copies by restricting what documents can be printed.

  • Warn the user about large print jobs to reduce waste.

  • Restrict how many pages can be printed on a particular printer, for example to limit the cost of color printing.

  • Implement printer use policies by users/departments. For example, which departments/users can use which printer, how much or what they can print.

Printing Rule Criteria

On Mac, only the following criteria are supported: Number of Pages, Document Name, and Printer Name.

The table below shows what criteria the Printing activity supports and what conditions you can use with them.

Any


Lets you detect if any print job is sent to the printer.

If you use this option without any other criteria, Teramind will trigger the rule anytime a print job is sent to the printer.

Document Name


Used to specify the document names you want to detect.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text as conditions.

Similarly, you can exclude any documents you do not want to track in the EXCEPT field.

Printer Name


Used to specify the printers you want to track.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text as conditions.

Similarly, you can exclude any printers you do not want to track in the EXCEPT field.

Number of Pages


Used to detect the number of pages of the document being printed.

You can enter a page count in the CONDITION field and use the ‘=’, ‘>’, ‘<’ or ‘>=’ operators.

Similarly, you can use the EXCEPT field to specify an exception.

Networking (Windows & Mac)

The Networking activity lets you detect network connections using criteria such as the application using the network, the bytes sent/received and the remote host.

Networking Rule Examples

  • Implement network security related rules, for example, restrict outgoing internet traffic from the payment server (to comply with PCI DSS regulation).

  • Limit network access, for example by blocking RDP (Remote Desktop Protocol) connections.

  • Implement geofencing, for example, restrict access to your EU server from the US users.

  • Get notified when abnormal network activity (e.g. a sudden spike in network traffic) is detected, which might indicate an intrusion.

  • Using the Local IP criterion, you can detect if a user has connected to a different local or VPN network, or has changed their network route to bypass your corporate VPN. This might indicate a serious security threat.

Networking Rule Criteria

On Mac, only the following criteria are supported: Application Name, Remote Host, Remote Port, Bytes Sent and Bytes Received.

The table below explains what criteria the Network activity supports and what conditions you can use with them.

Application Name


Used to specify the application that is using the network connection.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

Remote Host


Used to specify the remote host or network that the connection is made to.

You can enter a host name (such as google.com) or an IP address or CIDR range (such as 10.52.22.1/32, where /32 denotes a single host) in the CONDITION field, or you can select a Shared List (Network-based) and specify a ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any host you do not want to track in the EXCEPT field.

Remote Port


Used to detect the port of the network connection.

You can enter a port number in the CONDITION field and use the ‘=’ operator.

Similarly, you can use the EXCEPT field to specify an exception.

Bytes Sent


Used to specify the number of bytes sent over the network connection.

You can enter a byte value in the CONDITION field and use the ‘=’, ‘>’ or ‘>=’ operators.

Similarly, you can use the EXCEPT field to specify an exception.

Bytes Received


Used to specify the number of bytes received over the network connection.

You can enter a byte value in the CONDITION field and use the ‘=’, ‘>’ or ‘>=’ operators.

Similarly, you can use the EXCEPT field to specify an exception.

Local IP

Used to detect the local IP address of the connection, i.e. the address of the endpoint's own network interface.

You can enter an IP address (such as: 182.178.1.2/32) in the CONDITION field or you can select a Shared List (Network-based) and specify a ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any IP you do not want to track in the EXCEPT field.

Registry (Windows)

The Registry-based activity rules let you detect changes to the Windows registry. You can match on the registry key, the value name, the value data and the program making the change.

(Screenshot: the Windows Registry Editor)

Registry Rule Examples

  • Prevent changes to sensitive keys/programs or other items in the registry. For example, network or internet settings, security policies, etc.

  • Detect/prevent unauthorized changes to the permissions or privileges of files, folders, drives or applications. For example, a malicious user or intruder can change the USBSTOR values to re-enable the use of external drives, compromising security. By monitoring the registry key, you can prevent such changes.

  • Detect if a user is trying to install a dangerous or problematic software by monitoring what changes the software is making to the system.

Registry Rule Criteria

The table below explains what criteria the Registry activity supports and what conditions you can use with them.

Key


You can enter any text in the CONDITION field and choose from ‘Contains’ or ‘Equals’ conditions. Or, you can select the ‘Match glob’ condition and use wildcards such as *, ?, [abc], [a-z], etc. For example, ?at will match Cat, cat, Bat or bat.

Similarly, you can exclude any key you do not want to track in the EXCEPT field.

Note that the actual registry key names the agent sees differ from what the Windows Registry Editor displays.

For example, the \registry\machine key is shown as Computer\HKEY_LOCAL_MACHINE in the Registry Editor, and \registry\users is shown as Computer\HKEY_USERS.

Teramind matches conditions against the actual key names rather than the names shown in the Registry Editor. For convenience, if the Key condition string starts with one of the following prefixes, it is recoded to the actual name before matching:

  • hkey_current_user\

  • hkcu\

  • hkey_local_machine\

  • hklm\

  • hkey_users\

Name


Used to specify the name of a registry value. For example, the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR key may contain a value called “Start”.

You can enter any text in the CONDITION field and choose from ‘Contains’ or ‘Equals’ conditions. Or, you can select the ‘Match glob’ condition and use wildcards such as *, ?, [abc], [a-z], etc. For example, ?at will match Cat, cat, Bat or bat.

Similarly, you can exclude any name you do not want to track in the EXCEPT field.

Value


Used to detect the data stored under a registry value name. A Windows registry value can hold a String, Multi-String, Binary or other data type, so enter the condition in a form that matches the stored data.

You can enter any text in the CONDITION field and choose from ‘Contains’ or ‘Equals’ conditions. Or, you can select the ‘Match glob’ condition and use wildcards such as *, ?, [abc], [a-z], etc. For example, ?at will match Cat, cat, Bat or bat.

Similarly, you can exclude any value you do not want to track in the EXCEPT field.

Program


Can help identify which application or service is responsible for making the registry changes.

You can enter any text in the CONDITION field and choose from ‘Contains’ or ‘Equals’ conditions. Or, you can select the ‘Match glob’ condition and use wildcards such as *, ?, [abc], [a-z], etc. For example, ?at will match Cat, cat, Bat or bat.

Similarly, you can exclude any program you do not want to track in the EXCEPT field.
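As an added illustration (not Teramind's own code or its matching engine), the following Python script models how the Key, Name, Value and Program criteria above combine. It applies the documented root-name recoding (HKLM/HKEY_LOCAL_MACHINE to \registry\machine and HKEY_USERS to \registry\users; HKCU is left out because the guide does not state its target), treats Match glob as shell-style globbing (an assumption), and evaluates two rules, the USBSTOR re-enable case from the examples and a Run-key persistence rule, against constructed registry-change events. The meaning of the USBSTOR Start value (4 = disabled, 3 = on-demand start) is standard Windows behaviour, not something the guide states.

```python
import fnmatch

# Friendly root names that the guide says are recoded to the kernel-style key names the agent
# matches against. Only the roots the guide gives a target for are listed; the agent's real
# alias table is not published, so this is a model of the documented behaviour, not its code.
ROOT_ALIASES = {
    "hkey_local_machine\\": "\\registry\\machine\\",
    "hklm\\": "\\registry\\machine\\",
    "hkey_users\\": "\\registry\\users\\",
}


def recode_key(condition: str) -> str:
    """Lower-case a Key condition and replace a friendly root with its kernel-style name."""
    cond = condition.lower()
    for alias, actual in ROOT_ALIASES.items():
        if cond.startswith(alias):
            return actual + cond[len(alias):]
    return cond


def match_text(observed: str, match_type: str, condition: str) -> bool:
    """Contains / Equals / Match glob. Registry names are case-insensitive, so compare lower-cased."""
    observed, condition = observed.lower(), condition.lower()
    if match_type == "Equals":
        return observed == condition
    if match_type == "Contains":
        return condition in observed
    if match_type == "Match glob":
        # Assumption: shell-style globbing, where '*' also matches across backslashes.
        return fnmatch.fnmatchcase(observed, condition)
    raise ValueError(f"unknown match type {match_type!r}")


def rule_matches(rule: list, event: dict) -> bool:
    """A rule is a list of (criterion, match type, condition) tuples that must all hold."""
    for criterion, match_type, condition in rule:
        if criterion == "Key":
            condition = recode_key(condition)
        if not match_text(event[criterion], match_type, condition):
            return False
    return True


# Constructed registry-change events in the shape of the Key / Name / Value / Program criteria.
EVENTS = [
    {"Key": r"\registry\machine\SYSTEM\CurrentControlSet\Services\USBSTOR",
     "Name": "Start", "Value": "3", "Program": "regedit.exe"},
    {"Key": r"\registry\machine\SYSTEM\CurrentControlSet\Services\USBSTOR",
     "Name": "Start", "Value": "4", "Program": "gpupdate.exe"},
    {"Key": r"\registry\users\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "Name": "Updater", "Value": r"C:\Users\bob\AppData\Local\Temp\u.exe", "Program": "powershell.exe"},
]

# USBSTOR: Start=4 keeps USB mass storage disabled; flipping it back to 3 (on-demand start)
# re-enables external drives. The glob spans the CurrentControlSet / ControlSet00N spellings.
USBSTOR_REENABLED = [
    ("Key", "Match glob", r"hklm\SYSTEM\*\Services\USBSTOR"),
    ("Name", "Equals", "Start"),
    ("Value", "Equals", "3"),
]

# Any user's Run key written by a scripting host: classic persistence.
RUN_KEY_PERSISTENCE = [
    ("Key", "Match glob", r"hkey_users\*\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("Program", "Contains", "powershell"),
]


def evaluate(rule: list, events: list = EVENTS) -> list:
    """Indexes of the events that would trigger the rule."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


if __name__ == "__main__":
    print("USBSTOR re-enabled :", evaluate(USBSTOR_REENABLED))
    print("Run-key persistence:", evaluate(RUN_KEY_PERSISTENCE))
```

Because the agent sees kernel-style names, a glob such as hklm\SYSTEM\*\Services\USBSTOR is safer than an Equals condition on the CurrentControlSet path: CurrentControlSet is a link to one of the ControlSet00N keys, and a change may be reported under either spelling.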

Camera Usage (Windows)

The Camera Usage-based activity rule lets you detect when a camera/webcam is used. You can detect the camera name and the application in which the camera is being used.

Camera Usage Rule Examples

  • Implement a privacy-friendly webcam recording feature without interfering with the employee's camera. For example, create a Camera Usage rule with the RECORD VIDEO action to automatically start recording the screen when camera use is detected, so that you can record meeting sessions.

  • Allow webcam usage only in your company’s approved apps such as Webex and lock out the user when other apps try to use the camera to reduce security and privacy risks.

  • Respect user privacy by only recording a specific camera. For example, record screen sessions of remote users by tracking the camera supplied by the company and not record when the user is using their personal/built-in webcam.

Camera Usage Rule Criteria

The table below explains what criteria the Camera Usage activity supports and what conditions you can use with them.

Any


Lets you detect if any camera is turned on in any application.

If you use this option without any other criteria, Teramind will trigger the rule for any camera in any application.

Camera Name

Used to specify the camera you want to detect. Note: you can find the names of all available cameras (built-in or external) in Windows Device Manager, under Cameras.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any camera you do not want to track in the EXCEPT field.

Camera Application Name

Used to specify the application using the camera.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

Windows Log Event (Windows)

This is a preview feature and might not always produce the expected results. We do not recommend using it for any critical operations.

We also do not recommend using this rule on a shared machine such as a Citrix/RDP server. Multiple users typically share such a machine, and all of them contribute to a much larger event log, which might cause performance issues.

If you have any feedback or bug reports about this feature, please send them to [email protected].

Windows events are the activities the operating system records in its event logs, covering applications, the system, security, hardware and so on. You can browse these events in the Windows Event Viewer.

The ability to detect these events is a very powerful tool, because it allows an administrator to identify issues with the computer, discover security gaps and stop potential threats.

The Windows Log Event rule allows you to detect these Windows events.

Windows Log Event Rule Examples

  • Detect if a user or an app has cleared the Security audit log (event ID 1102), a common technique attackers use to cover their tracks.

  • Identify failed logon attempts (event ID 4625) that may indicate password guessing by a potential attacker.

  • Detect unexpected enumeration of a user's local group membership (event ID 4798), which may indicate reconnaissance on the host.

  • Monitor scheduled task creation (event ID 4698), since malware often creates scheduled tasks to keep persistent access to a compromised system.

  • Diagnose errors, system failures, performance issues and other problems.

Windows Log Event Rule Criteria

The Windows Log Event activity comes with only one criterion:

Event ID

Lets you specify one or more Windows event IDs.

You can enter a numeric value in the CONDITION field and use the ‘=’, ‘>’, ‘>=’ or ‘<’ operators. Note that an event ID is only meaningful together with the log and provider that wrote it, and this criterion matches on the number alone, so an ID that another provider reuses can produce matches you did not intend. Verify hits in the Windows Event Viewer before acting on them.

Similarly, you can use the EXCEPT field to specify an exception.

Content Sharing Rules: What Contents Trigger the Rules?

Content Sharing rules are used to detect content or text inside an object. The object can be a file, an email or IM chat, data in the clipboard or even any text displayed on the screen. You can use these powerful rules to prevent data exfiltration attempts, such as: block transferring of a file when it contains credit card numbers; warn a user when they attempt to send emails containing sensitive keywords etc.

You can specify the detection criteria for the Content Sharing rules in two places:

  • On the special Content Tab: This tab allows you to define what makes the content sensitive and specify the data values to look for. This tab is automatically added when you select the Content Sharing rule type (in the General tab).

  • On the selected Content Type Tabs: For example, if you selected Clipboard and Emails from the Type of Content section (in the General tab), you will have two tabs called ‘Clipboard’ and ‘Emails’ where you can add the rule conditions and values.

On Mac, only the Data Content criterion with the TEXT content type is supported, and only the Files content type is supported.

The basic premise of the Content Sharing rule is: you describe the data in the Content tab and then you tell Teramind where to look for that data in the Content Type Tabs. You need to use both of them for creating a Content Sharing rule.

The Teramind Agent allows at most 1 second to scan a file for content. If it cannot finish within that time (for example because the file is too large or the disk is slow), it skips the file, so content in large files may go undetected.

The Content Tab

This tab allows you to define what makes the content sensitive and specify the values to look for. You need to select at least one Type of Content, such as Clipboard or Files, to be able to use the Content tab.


You can select from different data definitions depending on what Types of Content you have selected in the General tab (i.e. Clipboard, Files, Emails, IM).

For example, if you have selected the Clipboard content type, then you will see the ‘Clipboard Origin’ in the data definition list.

The table below shows what criteria the Content definition supports and what conditions you can use with them.

Data Content

On Mac, only the Data Content criterion with the TEXT content type is supported.


Data Content is a generic criterion that can be used to look for any text or binary data. For example, by using it with the Clipboard, you can detect anything copied on the clipboard.

You can select TEXT, BINARY or BOTH as the CONTENT TYPE.

For SELECT MATCH TYPE, you can choose ‘Contains’, ‘Equals’ or ‘RegExp’ and specify the text or binary values in the bottom field. Use the + button to add multiple values. Or, you can choose ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List (Text-based or Regular Expressions-based) from the SELECT SHARED LIST drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

The Data Content criterion can be used with any content types (i.e. Files, Email etc.).

Clipboard Origin


Clipboard Origin detects data copied to the clipboard from a specific webpage or application. By using it you can, for example, build a rule that prevents copy-pasting of customer data from your CRM site.

You can select WEBPAGE or APPLICATION as the source of the clipboard copy operation.

For SELECT MATCH TYPE, you can choose ‘Contains’, ‘Equals’ or ‘RegExp’ and specify the text values in the bottom field. Use the + button to add multiple values. Or, you can choose ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List (Text-based or Regular Expressions-based) from the SELECT URL or SELECT NAME drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

The Clipboard Origin criterion can only be used with the Clipboard content type.

File Origin


File Origin detects file sharing based on its origin or source. It supports local, Cloud and web sharing. By using it you can, for example, build a rule that prevents sharing of files to Cloud drives.

You can select from several sharing options under the SELECT FILE ORIGIN section: SHARE covers any kind of network share, CLOUD covers cloud storage services such as Dropbox, and URL covers sharing over any website.

Depending on which origin (SHARE / CLOUD / URL) you selected, you can choose from ‘All Share’, ‘Contains’, ‘Equals’ or ‘RegExp’ in the SELECT MATCH TYPE field and specify the text values in the bottom field. Use the + button to add multiple values. Or, if available, you can choose the ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List (Network-based) from the SELECT URL or SELECT NAME drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

The File Origin criterion can only be used with the Files content type.

File Properties


File Properties detects files based on their meta-tags (also known as ‘file properties’ or ‘fields’). By using it you can, for example, build a rule that prevents sharing outside your company of any document that has a specific property/field containing a specific value, such as a 'Restricted' property with the string value 'Yes'.

The File Properties criterion can only be used with MS Office or Office 365 files (e.g. doc, docx, xls, xlsx etc.).

To use this criterion, first create the rule:

1. Select a FIELD TYPE such as: ANY, STRING, INTEGER or DATE.

2. Select MATCH TYPE for the condition. If you have selected the STRING field type, you can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ options. Use the + button to add multiple values. Or, you can choose the ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List from the SELECT URL or SELECT NAME drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists. If you chose INTEGER or DATE field type, you can choose one of the ‘=’, ‘>’, ‘<’ logics.

3. Enter the name of the file property the rule will detect in the FIELD NAME field.

4. Specify the value the file property should contain in the SPECIFY VALUE field.

After you have created the rule, add the custom property (tag) to the file(s) you want the rule to detect. You can create a custom property from Office apps such as Word, Excel and PowerPoint. Here's how to do it in Microsoft Word:

1. Click File > Info

2. Click on Properties in the right panel and select Advanced Properties.

3. Click the Custom tab and enter a Name, Type and Value for the property. Click the Add button when done.

4. Save the document.

The File Properties criterion can only be used with the Files content type.
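The custom properties Word writes in step 3 end up inside the .docx package as docProps/custom.xml, with each property typed as an OOXML variant (vt:lpwstr for STRING, vt:i4 for INTEGER, vt:filetime for DATE). The Python below is an added example, not Teramind's code: it packs a constructed custom.xml into a zip (only that part, so the result is not an openable document), reads the properties back, and evaluates a File Properties condition the way the FIELD TYPE / MATCH TYPE / FIELD NAME / SPECIFY VALUE settings describe. That evaluation is a model of the documented options; case-sensitive STRING matching and the exact DATE comparison are assumptions.

```python
import io
import re
import zipfile
from datetime import datetime
import xml.etree.ElementTree as ET

NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # fixed format ID Office uses for user-defined properties

# Constructed docProps/custom.xml in the shape Word writes for the Custom tab: a STRING, an
# INTEGER (vt:i4) and a DATE (vt:filetime). Only this part is packed below, so the sample zip
# is not an openable .docx; a real document carries the same part next to word/document.xml.
CUSTOM_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS_CP}" xmlns:vt="{NS_VT}">
  <property fmtid="{FMTID}" pid="2" name="Restricted"><vt:lpwstr>Yes</vt:lpwstr></property>
  <property fmtid="{FMTID}" pid="3" name="Classification"><vt:i4>3</vt:i4></property>
  <property fmtid="{FMTID}" pid="4" name="ReviewBy"><vt:filetime>2024-06-30T00:00:00Z</vt:filetime></property>
</Properties>
"""


def build_sample_docx() -> bytes:
    """Pack the constructed custom.xml into an in-memory zip (stand-in for a tagged .docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/custom.xml", CUSTOM_XML)
    return buf.getvalue()


def _parse_date(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def read_custom_properties(docx_bytes: bytes) -> dict:
    """Return {name: (field type, value)} with field type STRING, INTEGER or DATE."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return props  # untagged document: nothing for the criterion to match
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{NS_CP}}}property"):
        value_el = prop[0]
        vt_type = value_el.tag.split("}")[1]
        text = value_el.text or ""
        if vt_type in ("i4", "i8", "int", "ui4"):
            props[prop.get("name")] = ("INTEGER", int(text))
        elif vt_type == "filetime":
            props[prop.get("name")] = ("DATE", _parse_date(text))
        else:
            props[prop.get("name")] = ("STRING", text)
    return props


def file_property_matches(docx_bytes: bytes, field_name: str, field_type: str,
                          match_type: str, value: str) -> bool:
    """Evaluate one File Properties condition (FIELD TYPE, MATCH TYPE, FIELD NAME, SPECIFY VALUE)."""
    props = read_custom_properties(docx_bytes)
    if field_name not in props:
        return False
    kind, actual = props[field_name]
    if field_type != "ANY" and field_type != kind:
        return False  # e.g. an INTEGER condition never matches a STRING property
    if kind == "STRING":
        if match_type == "Contains":
            return value in actual
        if match_type == "Equals":
            return actual == value
        if match_type == "RegExp":
            return re.search(value, actual) is not None
    else:
        expected = int(value) if kind == "INTEGER" else _parse_date(value)
        if match_type == "=":
            return actual == expected
        if match_type == ">":
            return actual > expected
        if match_type == "<":
            return actual < expected
    raise ValueError(f"{match_type!r} is not valid for a {kind} field")


if __name__ == "__main__":
    doc = build_sample_docx()
    print(read_custom_properties(doc))
    print(file_property_matches(doc, "Restricted", "STRING", "Equals", "Yes"))
```

Pointed at a real tagged file instead of build_sample_docx(), read_custom_properties is a quick way to confirm that a document actually carries the 'Restricted' = 'Yes' property before you rely on the rule to block it. The legacy binary .doc/.xls formats store properties in OLE property sets rather than in custom.xml and are not parsed here.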

Predefined Classified Data

Predefined Classified Data detects content based on predefined data categories.

There are several types of data categories you can choose from: Financial Data, Health Data, Personally Identifiable Data etc.

The SENSITIVE DATA TO DETECT field will have different menu options depending on what you choose in the SELECT SENSITIVE DATA CATEGORY field. For example, if you choose Financial Data in the previous field, you can choose from ‘All credit card numbers’, ‘SWIFT code’ etc. Or, if you choose the Health Data, you can choose from ‘Common drug names’, ’DNA profile’ etc.

If you choose the Financial Data from the SELECT SENSITIVE DATA CATEGORY field, then you will see an option: CREDIT CARD DETECTION MODE. This option will let you select the sensitivity of the algorithm to detect credit card numbers. For more information, see the notes under Adjust the Sensitivity of Credit Card Detection below.

Finally, you can specify how often a data pattern can appear in the content before the rule is triggered in the TRIGGER ON PATTERN… field.

Check out the List of Predefined Classified Data article for a list of all the predefined classified data supported in Teramind.

Adjusting the Sensitivity of Credit Card Detection

You can detect credit card numbers using the built-in Predefined Classified Data. However, because of the way the algorithm works, it might incorrectly detect specially formatted strings as credit card numbers. For example, it might detect the URL string 4.574%201.252.695%202 as a credit card number (reading it as 4574201252695202).

To avoid such false positives, you can adjust the sensitivity of the algorithm using the CREDIT CARD DETECTION MODE option. The option supports three detection modes:

  • Loose: The default mode, and the original behaviour of the algorithm. In this mode, Teramind will detect credit card numbers in text sequences even if the number is broken up by other characters. For example:

    4* 4*4*4-44&4% %4-44%44- 4&444
    ABcdef44*444*444 444_444&44Xyz
    abcdef4%4*4%4#4*4!!4##4_ 4#44_4%4%4&44Xyz
  • Medium: In this mode, Teramind will check sequences with the same delimiter/separator character. Any spaces will be ignored, and several consecutive delimiters will be included in the detection. For example:

    4%444%%44%44%4444%44%44ABcdef4
    %%4444%444%4444%%444%4Xyzabcdef4_4444_44_44_4_4_4_4444Xyz
  • Strict: Only standalone credit card expressions will be included. Delimiters must be the same within an expression, and only NONE, SPACES or HYPHENS are allowed as delimiters. Several consecutive delimiters will not be allowed. For example:

    444444444444444444-44-4444-444-4-44-4444 44 4444 444 4 44 44ABcde
    4444444444444444 Xyz
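The three modes above can be hard to reason about from the examples alone. The Python below is an added model of them written for this guide, not Teramind's actual detection code: each mode extracts candidates differently and then keeps any candidate with 13 to 19 digits (the length range of real card numbers). The sample strings are constructed; 4242424242424242 is a well-known Luhn-valid test number, and the URL sample reproduces the false-positive shape described above. A Luhn check is included because it is the obvious extra filter, but note that it does not help with that URL: the digits it yields also pass Luhn, which is exactly why the detection mode matters.

```python
import re

# Candidate extraction for each CREDIT CARD DETECTION MODE, modelled on the guide's description.
# Common to all three: collect the digits of a candidate and accept 13-19 of them; the modes
# differ only in what may sit between the digits.

# Loose: anything that is not a letter may separate the digits, so a number survives being
# broken up by arbitrary symbols and spaces.
LOOSE = re.compile(r"[^A-Za-z]+")

# Medium: digit groups joined by one delimiter character that must stay the same throughout;
# runs of that delimiter are tolerated. Spaces are removed before matching.
MEDIUM = re.compile(r"\d+(?:([^0-9A-Za-z\s])\1*\d+(?:\1+\d+)*)?")

# Strict: a standalone token (whitespace on both sides) whose groups are joined by a single
# space or a single hyphen, used consistently, with no doubled delimiters.
STRICT = re.compile(r"(?<!\S)\d+(?:([ -])\d+(?:\1\d+)*)?(?!\S)")


def _pan_candidates(pattern, text):
    found = []
    for m in pattern.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19:
            found.append(digits)
    return found


def detect_cards(text: str, mode: str) -> list:
    """Return the digit strings a detector in the given mode would report."""
    if mode == "loose":
        return _pan_candidates(LOOSE, text)
    if mode == "medium":
        return _pan_candidates(MEDIUM, text.replace(" ", ""))
    if mode == "strict":
        return _pan_candidates(STRICT, text)
    raise ValueError(f"unknown mode {mode!r}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a real detector applies it on top of the pattern match."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed samples (not from the guide). The URL sample has the shape the guide warns about.
SAMPLES = {
    "url":     "see https://x.test/p?v=4.574%201.252.695%202 now",
    "hyphens": "card 4242-4242-4242-4242 on file",
    "split":   "ref 4242-4242 4242-4242 ok",
    "doubled": "acct 4242--4242--4242--4242 .",
    "mixed":   "id=4242_4242-4242 4242;ok",
}


def report() -> dict:
    """What each mode flags: {mode: {sample name: [digit strings]}}."""
    return {mode: {name: detect_cards(text, mode) for name, text in SAMPLES.items()}
            for mode in ("loose", "medium", "strict")}


if __name__ == "__main__":
    for mode, hits in report().items():
        print(f"{mode:6}: {[name for name, found in hits.items() if found]}")
```

Running it prints which samples each mode flags: loose flags all five, medium drops the URL and the mixed-delimiter sample, and strict keeps only the cleanly hyphenated number. Start with Strict on rules that block or lock out, and use Loose only where an analyst reviews the alerts.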

Clipboard

The Clipboard-based behavior rules may not work as expected if you have some other software installed that also tracks clipboard operations.

The Clipboard content type detects text copied to the clipboard from any applications or websites.

Clipboard Rule Examples

  • Prevent sharing of customer data outside of your CRM site.

  • Warn users when they copy social security numbers from an Excel spreadsheet and paste them into an email client such as Outlook.

  • Prevent data marked as sensitive in the Predefined Classified Data list from being pasted into an image application, so that the user cannot later upload the image to bypass your document upload rules.

Clipboard Rule Criteria

The table below shows what criteria the Clipboard supports and what conditions you can use with them.

Any


Lets you detect the clipboard text in any application or website.

If you use this option without any other criteria, Teramind will trigger the rule anytime a clipboard paste operation is performed in any applications or websites where the content is detected.

Application Name


Used to specify the applications in which the Clipboard action will be detected.

You can choose from ‘Contains’ or ‘Equals’ with any text as conditions. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify an ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

The Application Name and the Webpage URL criteria cannot be used together in the same condition block.

Webpage URL


Used to specify the webpage URL (website address) in which the Clipboard action will be detected.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs in the EXCEPT field.

The Webpage URL and the Application Name criteria cannot be used together in the same condition block.

Files (Windows & Mac)

The Files content type works in the same way as it does in the Files Activity rules. However, certain file operations cannot be used in Content Sharing rules: neither the Download operation nor any of the folder operations is supported.

Note that not all criteria are available for all file operations. Teramind automatically shows or hides the criteria based on which file operation you select. So, if you select the Access or the Delete operation, you will only see the Program criterion. Some file operations have additional detection criteria; for example, the Upload operation lets you specify the Upload URL.

Select a file operation by clicking the CONDITION field.

Click the Plus (+) button to add a criterion to the operation.

If you choose the ‘Any’ file operation without any other criteria, Teramind will trigger the rule for any file operation where the content is detected.

Files Rule Examples

  • Prevent sharing of files that contain sensitive information, such as: Credit Card Numbers, Social Security Numbers, Health Records or your own custom data type.

  • Prevent sharing of a file based on certain properties, such as, when a document contains a ‘confidential’ watermark.

  • Create rules based on file origin, such as, stop all network sharing from certain applications.

These are some examples of Content Sharing rules for Files. For other examples of the Files rules, check out the Files Activity rule examples.

Files Rule Criteria

The table below describes the criteria you can use for the Files sharing rules, and which file operations are supported for each criterion.

Program

Lets you specify in which program/app the file operation took place.

You can choose from ‘Contains’, ‘Equals’, ‘Match RegExp’ or ‘Match Glob’.

Similarly, you can exclude any programs you do not want to track in the EXCEPT field.

Network Host

Used for network-based file operations. Detects the host name of the file operation. For example: http://sharepoint.com, ftp://filevault.net etc.

You can choose from ‘Contains’, ‘Equals’, ‘All Shares’. Or, you can select a Shared List (Network-based) and specify a ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any hosts you do not want to track in the EXCEPT field.

This criterion is only supported in the Write and Copy operations.

Drive

Detects the local, network or external drives.

You can enter a drive name (e.g., ‘c’) and select that particular drive or choose from ‘All Drives’ or ‘All External Drives’ conditions.

File Path

Used to detect a file path. For example: \windows\system32\.

You can only use the ‘Starts with’ condition with any path you enter.

The path is treated as relative when a root (e.g., a Drive) is defined; otherwise it is treated as absolute.

Cloud Provider

Used to detect cloud providers.

You can choose from ‘All Cloud Providers’, ‘Dropbox’, ‘Google Drive’, ‘OneDrive’ or ‘Box’, etc.

Similarly, you can exclude any provider you do not want to track in the EXCEPT field.

This criterion is only supported in the Write and Copy operations.

RDP File Transfer

Detects if the file copy operation is done over an RDP (Remote Desktop Protocol) session. This happens when you connect to a remote computer and copy files to/from it.

You can select either YES or NO.

This criterion is only supported in Copy operations.

Upload URL

Used to detect the URL (web address) that a file is uploaded to.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs you do not want to track in the EXCEPT field.

This criterion is only supported in Upload operations.

External Drive

Detects file operations involving an external drive. You do not need to specify any conditions in this criterion.

This criterion is only supported in the Write and Copy operations.

Emails

The Emails content type works in the same way as it does in the Email Activity rules, except that the Mail Body criterion is not supported.

Emails lets you detect content sharing over outgoing and incoming emails, draft emails* and email attachments.

*Rules on a draft email are triggered when the draft is saved.

Emails Rule Examples

  • Detect sensitive information like Credit Card Numbers, Social Security Numbers, Health Records or your own custom data types inside attachments and act based on what’s detected.

  • Detect if an internal memo is shared outside the company.

  • Warn the user when sending out an email that contains a document with contact details, to prevent data exfiltration or comply with privacy laws.

These are some examples of Content Sharing rules for Emails. For other examples of the Emails rules, check out the Emails Activity rule examples.

Emails Rule Criteria

The table below shows what criteria the Emails sharing supports and what conditions you can use with them.

Any

Lets you detect if an email is sent or received.

If you use this option without any other criteria, Teramind will trigger the rule anytime an email is sent or received and the content is detected in any of the supported mail parts (i.e. Mail Subject, Mail Attachments etc.).

Mail Subject

Used for detecting text inside the mail subject.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail CC

Detects the CC addresses in an email.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail To

Similar to Mail CC criterion but used to detect the Mail To addresses instead.

Mail From

Similar to Mail CC and Mail To criterion but used to detect the Mail From addresses instead.

Mail Direction

Lets you detect if the mail is being sent or received.

Select either the INCOMING or OUTGOING option.

Mail Client

Used to specify the mail client you want to detect.

You can choose from ‘Gmail’, ‘Outlook Client’, ‘Outlook Web Client’, ‘Live.com’, ‘Yahoo Mail’, and ‘Yandex Mail’. Teramind keeps adding support for new clients so you might see more clients than mentioned here.

Similarly, you can exclude any client(s) you do not want to track in the EXCEPT field.

Has Attachments

Used to detect if the mail has any attachment.

Select either the YES or NO option.

Attachment Name

Used to detect the names or extensions of the attached files. A file extension identifies the file type and usually starts with a ‘.’ (dot), for example: .doc, .pdf etc. Note: you do not need to specify the ‘.’ when entering the extension.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can check for file extensions using one of the ‘Extension Contains’, ‘Extension Equals’, ‘Extension Does Not Contain’ options.

The Attachment Name criterion is only shown when you have already selected YES for the Has Attachments criterion.

Mail Size

Used to detect the size (in bytes) of the mail.

You can enter a byte value in the CONDITION field and use the ‘=’, ‘>’, ‘<’ or ‘>=’ operators.

Similarly, you can use the EXCEPT field to specify an exception.

IM – Instant Messaging

The IM content type works in the same way as it does in the IM Activity rules, except that the Message Body criterion is not supported.

IM lets you detect content sharing over instant messaging conversations and group chats for popular IMs such as Skype, Slack etc. You can detect both incoming and outgoing messages and identify the participants; the message text itself is matched through the rule’s content definitions rather than a Message Body criterion.

IM Rule Examples

  • Improve productivity and data security. For example, detect if customer service agents are not responding to complaints or queries coming through your Instant Messaging channels.

  • Create rules that warn the HR about angry exchanges, harassment or other potential negative sentiments in chat conversations.

  • Detect if a user is targeted for phishing or social engineering online.

These are some examples of Content Sharing rules for IM. For other examples of the IM rules, check out the IM Activity rule examples.

IM Rule Criteria

The table below shows what criteria the IM sharing supports and what conditions you can use with them.

Any

Lets you detect if an IM is sent or received.

If you use this option without any other criteria, Teramind will trigger the rule anytime an IM is sent or received where the content is detected.

Message Direction

Lets you detect if the message is being sent or received.

Select either the INCOMING or OUTGOING option.

Messaging App

Used to specify the messaging app you want to detect.

You can choose from ‘Facebook’, ‘Skype Web’, ‘Skype for Business’, ‘LinkedIn’, ‘Google Hangouts’, ‘WhatsApp Web’, ‘Slack Web’, ‘Slack’, ‘Microsoft Team Web’ and ‘Microsoft Team’. Teramind keeps adding support for new apps, so you might see more apps than mentioned here.

Similarly, you can exclude any app(s) you do not want to track in the EXCEPT field.

Contact Name

Used to detect the contacts/participants of the IM conversation.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text as conditions.

Similarly, you can exclude any contacts you do not want to track in the EXCEPT field.

Keystrokes (Windows)

A Keystrokes Content Sharing rule works similarly to the Keystrokes Activity rule, except that it also includes the Content tab with support for the Data Content and Predefined Classified Data definitions. This allows you to detect two sets of specialized content easily.

A Keystrokes Content Sharing rule will only trigger if both the condition(s) under the Keystrokes tab and the definition(s) under the Content tab are met. For example, a rule whose Keystrokes condition looks for the text ‘creditcard’ and whose Content tab requires a credit card number will trigger if the user types something like “creditcard 4233198522419042”. But if the user types just a credit card number, such as “4233198522419042”, the rule will not trigger, because the Keystrokes condition is not met.

Keystrokes Rule Examples

  • Detect sensitive content as it is being typed by a user to proactively prevent potential data leaks.

  • Detect two sets of data and specialized content easily. For example, a user typing something like “Credit Card XXXXXXXXXXXXXXXX”, where “Credit Card” is a static text while “XXXXXXXXXXXXXXXX” can be any credit card number.

Keystrokes Rule Criteria

The table below shows what criteria the Keystrokes content sharing rules support and what conditions you can use with them.

Text Typed

Used to detect continuous text without any word break. For example, if text typed = “password”, the rule will be triggered when the last letter ‘d’ is typed.

You can enter any text in the CONDITION field and choose the ‘Contains’ or ‘Match RegExp’ option. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify an ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text you do not want to detect in the EXCEPT field.

Word Typed

Used to detect a complete word, i.e. text followed by a word break. For example, if word typed = “password”, the rule will be triggered when you finish typing the word and then type a separator key, such as <Space>, ‘!’ or ‘.’ (dot).

You can enter any text in the CONDITION field and choose the ‘Contains’ option. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify an ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any word you do not want to detect in the EXCEPT field.

Difference Between Text Typed and Word Typed

Text Typed will detect any partial text, while Word Typed will detect only full words. For example, if you are looking to detect ‘club’ and the user types ‘golfclub’, Text Typed will detect it but Word Typed will not. If the user types ‘golf club’, then both the Text Typed and Word Typed criteria will detect the keystrokes.
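The two keystroke criteria and the two-condition Keystrokes Content Sharing rule described above, worked through in Python as an added example; this is not part of the original guide and not Teramind’s own code. The separator set, the 16-digit stand-in for the Credit Card Number content definition and the function names are assumptions, and the keystroke strings are constructed:

```python
import re
from typing import Optional

# Assumed word-break keys; the guide names <Space>, '!' and '.' as examples.
SEPARATORS = set(" \t\n!.,;:?")

# Stand-in for the product's Credit Card Number definition on the Content tab:
# 16 consecutive digits, as in the guide's "Credit Card XXXXXXXXXXXXXXXX" example.
CARD_NUMBER_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")


def text_typed_trigger(keys: str, needle: str) -> Optional[int]:
    """Text Typed with a 'Contains' condition.

    Matches continuous text regardless of word breaks, so it fires on the keystroke
    that completes the needle (the final 'd' of "password"), even when the needle is
    embedded in a longer word such as "golfclub". Returns the 1-based keystroke
    number at which the rule fires, or None if the needle is never completed."""
    typed = ""
    for i, key in enumerate(keys, start=1):
        typed += key
        if typed.endswith(needle):
            return i
    return None


def word_typed_trigger(keys: str, needle: str) -> Optional[int]:
    """Word Typed: only whole words count.

    A word is complete when a separator key is typed, so the trigger lands on that
    separator keystroke, and "golfclub" does not match "club". Returns the 1-based
    keystroke number at which the rule fires, or None."""
    word = ""
    for i, key in enumerate(keys, start=1):
        if key in SEPARATORS:
            if word == needle:
                return i
            word = ""
        else:
            word += key
    return None


def content_sharing_trigger(keys: str, needle: str) -> bool:
    """Keystrokes Content Sharing rule: the Keystrokes condition (Text Typed Contains
    needle) AND the Content definition (a card-number-shaped string) must both be met,
    so "creditcard 4233198522419042" fires but a bare "4233198522419042" does not."""
    keystrokes_met = text_typed_trigger(keys, needle) is not None
    content_met = CARD_NUMBER_RE.search(keys) is not None
    return keystrokes_met and content_met
```

Feeding the guide’s own strings through these functions shows the difference: Text Typed fires on the ninth keystroke of “golf club!” (the ‘b’), Word Typed on the tenth (the ‘!’), and “golfclub” never satisfies Word Typed at all.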

Special Key Typed

You can detect special keys such as the function keys (e.g., F1), PrtScr or key combinations such as <Shift+P>. When you select the Special Key Typed criterion and click the CONDITION field, Teramind will pop up a virtual keyboard where you can select the special keys.

Application Name

Specifies which applications will be tracked.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

The Application Name criterion is only shown when you have already selected a Text Typed or Word Typed criterion. Also, if you use this criterion, you cannot use the Webpage URL criterion in the same condition block. However, you can use both criteria in separate condition blocks (i.e. Condition 1 and Condition 2).

Webpage URL

Used to detect a URL (webpage address) or part of a URL.

You can enter some text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs in the EXCEPT field.

The Webpage URL criterion is only shown when you have already selected a Text Typed or Word Typed criterion. Also, if you use this criterion, you cannot use the Application Name criterion in the same condition block. However, you can use both criteria in separate condition blocks (i.e. Condition 1 and Condition 2).

Anomaly Rules: What Behavioral Anomaly Can You Detect (On-Premise/Windows)?

The Anomaly Rule is only available on Windows for On-Premise deployments.

Anomaly rules are special types of rules that allow you to identify anomalies in a user’s behavior by utilizing behavioral baselines. They also allow you to assign risk levels to any anomalous behavior and a notification action to inform admins or managers about the anomaly.

The Anomaly Rules Editor is an intuitive, visual editor where you can create sophisticated behavioral-anomaly rules on a single screen.

To access the Anomaly Rules Editor, create a new anomaly rule or edit an existing rule from the Behavior > Anomaly rules menu.

Check out the Anomaly Rules section on the Teramind User Guide to learn more about creating / editing anomaly rules, managing anomaly rule templates etc.

Anomaly Rule Examples

  • Detect when employees spend more than a certain percentage of their work hours on unproductive or entertainment sites such as Facebook, YouTube etc.

  • Detect if an employee is idling for too long.

  • Get notified if an employee’s productivity drops by a certain rate.

  • Get notified when a user sends an unusual number of emails compared to what they normally send on a day-to-day basis.

  • Detect if the file upload activity of a user exceeds some threshold.

  • Detect if your network activity suddenly spikes or drops indicating something unusual happening.

Setting Up the Rule Basics

You specify the basic settings for an anomaly rule on the Anomaly Rules Editor’s General Settings section.

You can specify a name for the rule in the RULE NAME field. You can select which users, groups, departments or computers the rule will apply to in the APPLIES TO field. If you select a computer, the rule will apply to all the users on that computer. Optionally, you can exclude anyone you don’t want to be included using the EXCLUDING field. You can also specify the rule’s tags in the TAGS field. Tags are keywords you can assign to a rule to easily identify it. They are useful in searching for the rule and can also be used as filters on various reports (i.e. Risk or Alerts report).

Detection Criteria – What Behavioral Anomalies Trigger the Rules?

You define the detection criteria under the RULE TRIGGER section of the Anomaly Rules Editor.

You can select an action that will trigger the rule and then specify the conditions to evaluate. There are several types of actions you can choose from: Applications, Websites, Emails, Activity, Files, Network etc.

Each action has different conditions you can select from, such as: Time, Name, Anomaly Baseline etc. After you have selected a condition, you can choose a logic, such as: ‘>’, ‘<’, ‘Equals’ etc. from the middle field. Finally, you specify value(s) to detect in the right-most field.

You can add multiple conditions to an action by clicking the ADD CONDITION button. For example, you can create an anomaly rule using the URL condition and a Time condition with a Websites action to detect if a user spent more than 20% of their time on ‘youtube.com’.

In the next few sections, we will walk you through all the available options for setting detection criteria for each action type.

Time

Detects time spent (%) in an application or website.

Enter a percent value and use the ‘>’ or ‘>=’ logic for the condition.

This condition is only supported in the Applications and Webpages actions.

Name

Used to specify a name for an application.

Enter a text value and use the ‘Equals’, ‘Contains’, ‘Does Not Contain’, ‘Regular Expression Match’ or ‘Regular Expression Not Match’ logic for the condition.

This condition is only supported in the Applications action.

URL

Used to detect the URL of a webpage.

Enter a text value and use the ‘Equals’, ‘Contains’, ‘Does Not Contain’, ‘Regular Expression Match’ or ‘Regular Expression Not Match’ logic for the condition.

This condition is only supported in the Webpages action.

Productivity

Detects the productivity level (in percent) of a user. To learn more about how productivity is measured in Teramind, check out this article, Productivity Metrics: How is Work Time / Idle Time / Activity Percentage / Productive Time / Unproductive Time / Total Time determined?. For more information on productivity reports, check out the BI Reports > Productivity section on the Teramind User Guide.

Enter a percent value and use the ‘<’, ‘>’ or ‘>=’ logic for the condition.

This condition is only supported in the Activity: Productivity action.

Rate

Detects the idle rate (in percent) of a user. To learn how idle time and other productivity metrics are measured in Teramind, check out this article, Productivity Metrics: How is Work Time / Idle Time / Activity Percentage / Productive Time / Unproductive Time / Total Time determined?. For more information on productivity reports, check out the BI Reports > Productivity section on the Teramind User Guide.

Enter a percent value and use the ‘>’ or ‘>=’ logic for the condition.

This condition is only supported in the Activity: Idle Rate action.

Size

Detects the size (in megabytes) of data in a network operation.

Enter a value in megabytes and use the ‘>’ or ‘>=’ logic for the condition.

This condition is only supported in the Network: Data In and Network: Data Out actions.

Anomaly Baseline

Anomaly Baseline uses an algorithm to determine if certain user behavior is outside a baseline. This can be the user’s current behavior compared to their past behavior; an employee’s behavior compared to their departmental baseline; or an employee’s behavior compared to the baseline of the entire organization. Using a baseline lets you, for example, set an anomaly rule to notify you when a user uploads an unusual number of files compared to what they normally upload on a day-to-day basis.

A special formula is used to check for the anomaly baseline. The formula is:

Anomaly Score = (Current Activity Value - Mean) / Standard Deviation

The Current Activity Value is the amount of activity, for example, the number of File Uploads by a user. The score is calculated automatically every hour to determine if it has crossed the baseline. The default baseline value is 3.5.

As an example, consider a user who uploaded [1, 2, 3, 4, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 30] times per day for 15 days, and on the 16th day uploaded 80 times.

In this case, their anomaly score will be:

(80 - 8.125) / 19.82 ≈ 3.63

Here 8.125 is the mean and 19.82 the (population) standard deviation of all 16 days, including the current one. The score is greater than the default value of 3.5, which means the user exceeded the anomaly baseline on the 16th day.

The anomaly baseline can be applied to a user’s own activities (Self), the activities compared to a department (Department) or the entire organization. If you choose anything other than Self, then the Anomaly Score of the user activities will be compared against the Score of the Department/Organization for the same period.

Threshold Count

The anomaly threshold is like the threshold value available in a regular rule action (Advanced Mode). It will trigger the rule action if the total count of Anomaly Baseline violations exceeds the set threshold number.

For example:

If you set the threshold to >0, then the rule will be triggered immediately (as soon as the anomaly baseline is crossed for the first time). Consider again the user who uploaded [1, 2, 3, 4, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 30] times per day for 15 days, and on the 16th day uploaded 80 times. The user crosses the Anomaly Baseline on the 16th day (see Anomaly Baseline above), and as soon as the baseline is crossed, the rule action will be triggered.

However, if you set the threshold to >1, the baseline has to be crossed twice before the rule action is triggered. In the above example, if the user repeats a similar upload pattern, the rule action will be triggered in about 32 days.

Note that the anomaly threshold works for a user’s own activities (Self) only, and not for a department or the entire organization.

This condition is supported in all actions except for Applications and Webpages.
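The anomaly score and threshold count described above, worked through in Python as an added example; this is not Teramind’s code. It reproduces the guide’s figures from the guide’s own sample and then replays the day-by-day run that the Threshold Count section describes. The population standard deviation, the inclusion of the current day in the sample and the 15-day history window before scoring starts are assumptions inferred from the guide’s numbers, and the function names are mine:

```python
import math
from typing import Optional, Sequence, Tuple

DEFAULT_BASELINE = 3.5  # the guide's default anomaly score threshold

# Constructed sample taken from the guide: daily file-upload counts for 15 days,
# followed by 80 uploads on day 16.
UPLOAD_HISTORY = [1, 2, 3, 4, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 30]
SPIKE = 80


def baseline_stats(history: Sequence[float], current: float) -> Tuple[float, float]:
    """Mean and population standard deviation of the history plus the current value.

    The guide's figures (mean 8.125, standard deviation 19.82 for 16 days) are only
    reproduced when the current day is included in the sample and the population
    (divide by n) standard deviation is used, so that is what is assumed here."""
    sample = list(history) + [current]
    n = len(sample)
    mean = sum(sample) / n
    variance = sum((x - mean) ** 2 for x in sample) / n
    return mean, math.sqrt(variance)


def anomaly_score(history: Sequence[float], current: float) -> float:
    """Anomaly Score = (Current Activity Value - Mean) / Standard Deviation."""
    mean, sd = baseline_stats(history, current)
    if sd == 0.0:
        return 0.0  # a flat history has no spread, so nothing can be anomalous
    return (current - mean) / sd


def trigger_day(daily_values: Sequence[float], threshold_count: int,
                baseline: float = DEFAULT_BASELINE,
                history_days: int = 15) -> Optional[int]:
    """Replay a run of daily counts and return the 1-based day on which the rule
    action fires: the first day the number of baseline violations exceeds
    threshold_count ('>0' fires on the first violation, '>1' on the second).

    history_days is an assumption: the guide treats its first 15 days as history
    and starts scoring on day 16, so scoring begins after that many days."""
    violations = 0
    for day in range(history_days + 1, len(daily_values) + 1):
        history = daily_values[:day - 1]
        if anomaly_score(history, daily_values[day - 1]) > baseline:
            violations += 1
            if violations > threshold_count:
                return day
    return None


if __name__ == "__main__":
    mean, sd = baseline_stats(UPLOAD_HISTORY, SPIKE)
    print(f"mean={mean:.3f} sd={sd:.2f} score={anomaly_score(UPLOAD_HISTORY, SPIKE):.2f}")
    pattern = UPLOAD_HISTORY + [SPIKE]  # the guide's 16-day run, repeated below
    print("threshold >0 fires on day", trigger_day(pattern * 2, 0))
    print("threshold >1 fires on day", trigger_day(pattern * 2, 1))
```

Running the block gives mean 8.125, standard deviation 19.82 and a score of about 3.63 for day 16. With the sixteen-day pattern repeated, a >0 threshold fires on day 16 and a >1 threshold on day 32, which is the "about 32 days" the guide describes; note that the intervening days, including the second 30-upload day, stay under the baseline because the earlier spike has widened the standard deviation.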

Defining Rule Actions

Actions let you specify what the system will do when a rule is violated. You can warn a user or block them, receive notification, record a video of the desktop etc.

You can assign actions to a rule from the Actions tab on the Rules Editor for regular rules. Or, from the RULE ACTIONS section on the Anomaly Rules.

Note that not all rule categories support all actions. For example, the Agent Schedule only supports the NOTIFY action for most of its schedule violation types, except for the Login and Idle activities. In the same way, different Types of Activity / Types of Content may also have their own special actions. For example, Webpages have an action called REDIRECT which is not available for other activity. Also, not all actions are available on all operating systems. For example, the COMMAND action does not work on macOS at the moment.

On Mac, only the following actions are supported: Notify, Block, Warn, Lock Out User. Some actions might not be supported for all rule criteria. Actions may also behave slightly differently than Windows.

Note that, Anomaly Rules only support the Notify action.

In some cases, you can use multiple actions as long as they do not conflict with each other. For example, you can use the NOTIFY and BLOCK actions together as they do different things. But you cannot use the BLOCK and LOCK OUT USER actions together because they both prevent the user from completing an activity. The Rules Editor will automatically disable actions that conflict with the currently selected action(s).

There are two ways you can setup actions: Simple Mode and Advanced Mode.

Simple Mode Actions

Simple Mode is the easiest way to create rules and is recommended for beginners. In the Simple Mode, you can specify actions, but you cannot set any risk thresholds.

Here are the actions you can use:

Notify Action (Windows & Mac)

Teramind will send an email notification to the specified email accounts whenever any user violates the rule. You can manage how such notification emails are handled from the Settings > Alerts screen (ALERT EMAILS LIMIT option).

You can send the notification to up to 15 email addresses.

Notes for the OCR Rules

By default, the OCR notify alerts are limited to 1 per rule, app, agent and computer in a 4-minute window. But On-Premise customers can change this default behavior by adding the following line to their teramind.config file:

web_instances_disable_ocr_alert_throttling = onsite

When this feature is enabled, all violations will be emailed (unless you have the Settings > Alerts > ALERT EMAIL LIMIT option set) and recorded in the Behavior Alerts report.

Note that after editing the config file, you will need to restart your teraweb container for the changes to take effect.

Notes for the Mac Users:

On the Mac, the Notify action is supported for all rules (that are available on Mac) except for the Keystrokes rules.

Block Action (Windows & Mac)

Blocks the user activity and shows a message*. You can use an HTML template to display the message. See the Customizing the HTML Alert Template article to learn more.

You can also specify how long Teramind should wait between multiple alert messages that the user sees. The setting can be found under Settings > Alerts screen (USER ALERTS THRESHOLD option).

*Notes:

  • The MESSAGE option isn't available for Content Sharing rules.

  • In most cases, if you use this action with a Webpages rule, then the browser tab for the webpage/URL will be closed immediately after showing the MESSAGE. However, if a rule criterion (e.g., Idle Time) causes the rule to trigger after some delay, then the tab will not be closed but the webpage will be replaced by a blank page showing the MESSAGE (if any present) + a pop-up window showing the same MESSAGE.

  • If you use this action with an Emails rule, such as block a user from sending an email, then the email will not be sent, and it will be deleted.

Lock Out User Action (Windows & Mac)

Shows a warning message to the user and then when they press the OK button, they are locked out of the system. If the user logs back in, they will be logged out automatically. An administrator will have to unlock the user for them to be able login again. Check out the Employee Action Menu section on the Teramind User Guide for more information on unlocking a user.

This action works on the Hidden Agent only. By design, it will not be enforced on the Revealed Agent. Please also note that the lock out feature isn’t a full protection from user tampering. It has the following limitations:

  • Only the selected user account will be locked out. If there are other users on the computer, they will be able to log in.

  • The user may be able to log in using Windows Recovery mode.

  • The user may be able to remove the disk, attach it to another computer and access the data (full-disk encryption, such as BitLocker, mitigates this).

Notes for the Mac users:

  • On the Mac, when the rule is triggered, the user is locked out only once and taken to the login screen. They can log back in. In case the action is configured with an Applications condition, then the last active application specified in the condition will be terminated and the user will be locked out. In case the action is used with a Network-based rule, the network connection that triggered the rule will be closed.

  • The Notify action for Websites-rules is supported on Webpage URL and Webpage Title criterion only and the Lock Out action is supported on Webpage Title criterion only.

Redirect Action (Windows)

Redirects the user to a different website when they try to access certain URL(s).

This action is available to Webpages-based rules only.

Warn Action (Windows & Mac)

Warns a user with a message. Similar to the message in the Block action, you can use an HTML template to display the warning message.

You can specify how long Teramind should wait between multiple alert messages that the user sees. The setting can be found under Settings > Alerts screen (USER ALERTS THRESHOLD option).

Set User’s Active Task Action (Windows)

You can automatically assign the user a task based on their activities.

You can specify how long Teramind will wait before assigning a new task to a user. The setting can be found under Settings > Alerts screen (RULE TASK SELECTION ACTION TIMEOUT option).

Applicable only if the user is using the Teramind Hidden Agent. Check out the Hidden Agent section on the Agent installation article to learn how to install the Hidden Agent.

Record Video Action (Windows)

If video recording is disabled in your Screen monitoring settings, you can still record a video of the rule violation incident with this action. The system will automatically record for the specified number of minutes before and after the incident.

If you don’t want to record screen all the time but just before and after a rule violation incident, you can use this action and then turn on the RECORD ONLY WHEN BEHAVIOR RULE WAS VIOLATED option under Monitoring Settings > Monitoring Profile > Screen window.

Command Action (Windows)

With this action, you can execute a Windows command automatically when a rule is violated.

This is a powerful action as it allows you to run any application or script on the user’s computer. For example, you can force the PC to shut down (shutdown /s /f /t 0), kill a task (taskkill /im iexplore.exe) and much more. Because the command runs on the user’s computer, anyone who can edit this action can effectively run commands on every endpoint the rule applies to, so restrict rule-editing rights accordingly.

Advanced Mode Actions

In the Advanced Mode, you can specify risk thresholds for a rule. You can add multiple thresholds, assign risk levels and take different actions depending on how often the rule is violated. For example, you can set an email rule that sets a Low risk and a Warn action when a user sends 5 emails in a day. However, if they send more than 10 emails a day, then set a Moderate risk level and trigger a Notification action.

The risk levels that you assign in the Advanced Mode are used by Teramind to calculate risk scores (see the Using the Risk Report section to learn more about risk analysis) and can also be used to filter other reports (e.g., BI Reports > Behavior Alerts).

1. You can choose the time period for the thresholds such as Hourly, Daily, Monthly etc.

2. Select/enter the maximum number of alerts that can be triggered for this rule in a day. If more than the specified number of alerts are triggered for this rule in a single day, Teramind will not save further alerts and the alerts will not appear on the BI Reports > Behavior Alerts or other alert logs. If you leave the field empty or use an invalid value (entering a string, a negative number, etc.) then no daily limit will be applied. If you set it to 0, then no alerts for the rule will be generated (the rule will still trigger). Note that, you can set the global maximum alerts per alert type in the Settings > Alerts > MAXIMUM DAILY ALERTS COUNT field.

3. The threshold slider lets you adjust the frequency once you have added one or more thresholds. Note that, each small orange dots on the slider is connected to a Frequency field of an action. Changing one will update the other.

4. Click the ADD THRESHOLD button to add a new threshold (action). For example, in the picture above, we added two actions (action 1 and action 2). For each threshold, you can set a frequency, a risk level and an action. Note that the actions (e.g., Notify, Warn) are the same as the Simple Mode actions.

5. You can use the Frequency field to set a frequency.

6. Use the Define a risk level field to set a risk level. You can choose from: No Risk, Low, Moderate, High or Critical.

7. Use the small + button (under the Choose an action text) to add an action.
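The threshold and daily-cap behaviour described in steps 2 to 7, as an added example that is not Teramind's code: a small model in which violations are counted per user and period, the highest threshold reached decides the risk level and action, and the MAXIMUM DAILY ALERTS field decides whether the alert is saved. The period buckets, the count >= frequency comparison, the Alert record and the sample data are assumptions of this model, not Teramind's internals.

```python
"""Added example (not Teramind's code): a model of Advanced Mode thresholds and the
daily alert cap as the guide describes them. Buckets, comparison and records are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

RISK_LEVELS = ("No Risk", "Low", "Moderate", "High", "Critical")


@dataclass(frozen=True)
class Threshold:
    frequency: int   # violations within one period needed to reach this threshold
    risk: str        # one of RISK_LEVELS
    action: str      # same actions as Simple Mode, e.g. "Warn", "Notify"


@dataclass(frozen=True)
class Alert:
    user: str
    count: int       # violations in the current period, including this one
    risk: str
    action: str
    saved: bool      # False once the daily cap is reached (always False when the cap is 0)


def parse_max_daily_alerts(raw) -> Optional[int]:
    """Field semantics from the guide: empty, non-numeric or negative -> no limit (None);
    0 -> the rule still triggers but no alert is ever saved."""
    if raw is None:
        return None
    try:
        n = int(str(raw).strip())
    except ValueError:
        return None
    return None if n < 0 else n


def period_key(ts: datetime, period: str) -> str:
    """Bucket a timestamp into the chosen threshold period (assumed bucketing)."""
    fmt = {"Hourly": "%Y-%m-%d %H", "Daily": "%Y-%m-%d", "Monthly": "%Y-%m"}
    return ts.strftime(fmt[period])


class AdvancedRule:
    def __init__(self, name: str, period: str, thresholds: List[Threshold],
                 max_daily_alerts=None):
        self.name = name
        self.period = period
        # Highest frequency first, so the most severe threshold reached wins.
        self.thresholds = sorted(thresholds, key=lambda t: t.frequency, reverse=True)
        self.limit = parse_max_daily_alerts(max_daily_alerts)
        self._period_counts = defaultdict(int)   # (user, period bucket) -> violations
        self._saved_per_day = defaultdict(int)   # date -> alerts saved that day
        self.triggers = 0                        # times any threshold fired
        self.saved_alerts: List[Alert] = []      # what Behavior Alerts would list

    def violation(self, user: str, ts: datetime) -> Optional[Alert]:
        """Record one matching activity; return an Alert if a threshold is reached."""
        key = (user, period_key(ts, self.period))
        self._period_counts[key] += 1
        count = self._period_counts[key]
        reached = next((t for t in self.thresholds if count >= t.frequency), None)
        if reached is None:
            return None                          # below the lowest threshold
        self.triggers += 1                       # the rule triggers regardless of the cap
        day = ts.strftime("%Y-%m-%d")
        saved = self.limit is None or self._saved_per_day[day] < self.limit
        alert = Alert(user, count, reached.risk, reached.action, saved)
        if saved:
            self._saved_per_day[day] += 1
            self.saved_alerts.append(alert)
        return alert


def simulate_email_rule(n_emails: int, max_daily_alerts=None) -> AdvancedRule:
    """The guide's example: 5 emails in a day -> Low + Warn; more than 10 -> Moderate + Notify.
    The user name and timestamps are constructed sample data, all on one day."""
    rule = AdvancedRule(
        "Email volume", "Daily",
        [Threshold(5, "Low", "Warn"), Threshold(11, "Moderate", "Notify")],
        max_daily_alerts,
    )
    for i in range(n_emails):
        rule.violation("alice", datetime(2024, 1, 15, 9, i))
    return rule
```

With 12 emails and a cap of 3, the rule fires eight times (emails 5 to 12) but only the first three alerts are saved, and emails 11 and 12 escalate to Moderate/Notify without ever reaching the report.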

Enforcing the Rules

Automatic Enforcement

When you create a new rule, by default it’s automatically turned on. You can edit a rule even when it’s running. Any changes you make to the rule will be enforced immediately if the user is online and connected to the Teramind server or as soon as they connect.

It’s always a good idea to test a rule when you create or edit it to see if it’s working as intended. You can do so by checking the BI Reports > Behavior Alerts report.

Rules are enforced depending on what type of Teramind Agent is installed on the user’s computer:

If the user is using a Stealth Agent:

  • Regular Rules: The rule will be enforced according to any Rule Schedule you have set up, or 24/7 if no such schedule exists. The rule will be enforced even if the user is offline or disconnected from the Teramind server.

  • Anomaly Rules: Since an anomaly rule does not have a schedule, it will run 24/7.

If the user is using a Revealed Agent:

  • Regular Rules: The rule will only be enforced when the user has logged in to the Agent and clicked the Start button to begin their shift. The rule will still follow any Rule Schedule you have set up. The rule will continue to be enforced until the user clicks the Stop button to end their shift or as soon as the rule schedule has ended – whichever comes first.

  • Anomaly Rules: Since an anomaly rule does not have a schedule, it will run until the user clicks the Stop button on the Revealed Agent.

Manual Enforcement

You can manually turn a rule on/off from the Teramind Dashboard. To do so:

Regular Rules

You can manually control the rules from the Behavior Policies screen. To access the Behavior Policies screen, click the BEHAVIOR > Policies menu.

image-238.png

Use the ON/OFF button next to a rule’s name to turn it on or off. You can also use the ON/OFF button next to the name of the policy that the rule is part of. If you turn off the policy, all rules under the policy will be deactivated even if the individual rules are turned on. If the policy is turned on, the rules that have the ON status will be activated and the OFF rules will remain inactive.

Anomaly Rules

The only way to turn off an anomaly rule is to remove it from the Anomaly rules screen. To access the Anomaly rules screen, click the BEHAVIOR > Anomaly rules menu.

image-239.png

Click the X button beside an anomaly rule to remove it.

Customizing the Rule Messages and Alerts

The Alerts tab allows you to define how rule violation messages will be displayed to the users. It’s a good idea to customize your alert messages so that they are visually distinctive and match your company’s branding.

You can find more information on alert customization and step-by-step instructions in this article: How to customize alert messages with the HTML template.

Using the Prebuilt Rule-Templates

Using the Regular Rule Templates

When creating a new rule, you can choose from a list of pre-built templates. Click the CHOOSE A TEMPLATE pull-down menu to choose a template on the Rules Editor’s General tab:

mceclip3__1_.png

Teramind has many templates for Data Loss Prevention, Email, Applications, Websites, File Operations etc. Once you select a template, the rest of the rule’s tabs will be automatically populated with pre-configured settings and sample data. You can, of course, change them to meet your needs.

Check out the List of Prebuilt Rule Templates article for a list of all the prebuilt regular rule templates available in Teramind.

Using the Anomaly Rule Templates

When creating a new anomaly rule, you can choose from a list of pre-built templates. Click the USE TEMPLATE button, then choose a template from the TEMPLATE TO USE pull-down menu:

mceclip2__2_.png

Teramind comes with many anomaly rule templates. You can choose from a list of types such as: Applications, Emails, File Operations etc.

Check out the List of Prebuilt Anomaly Rule Templates article for a list of all the prebuilt anomaly rule templates available in Teramind.

Investigating the Rule Violation Incidents

There are multiple ways you can investigate rule violation incidents on Teramind.

Using the Behavioral Alerts Report

This is your primary source to view all rule violation incidents. You can use the Alerts report to view a list of rule violation incidents with all the necessary details, such as: the date/time the incident happened, the user or activity involved and other pertinent information. You can also view a session recording of an alert, export the alerts report or schedule it for auto delivery to selected email addresses.

You can access the Alerts report from the BI Reports > Behavior Alerts menu, under the Basic tab.

mceclip7.png

For more information on the Alerts report and to learn how to use its different features, check out the BI Reports > Behavior Alerts section on the Teramind User Guide.

Using the BI Report’s Investigate / View Record Feature

On the Behavior Alerts screen, you will see a table/grid widget. If you right-click on a row, you will see a pop-up menu:

mceclip0__3_.png

1. Click the Investigate option from the pop-up menu to view the Employee’s Activity Monitoring Report. From that report, you can see all the alerts for the employee under the Alerts tab.

2. Click the View record option to view the Session Recording of the employee at the selected timestamp.

Using the Alerts Log Widget

You can also add an Alerts Log widget to your dashboard. The widget allows you to view the most recent alerts in real-time or for the selected date range. You can add the Alerts Log widget to a dashboard by clicking the ADD WIDGETS button on the Dashboard’s screen.

image-143.png

For more information on the Widgets and to learn how to use them, check out the Dashboard Widgets section on the Teramind User Guide.

Using the Session Player

Session Player allows you to view a user’s desktop in live view or history playback mode. You can precisely locate when a rule violation incident occurred, check out all the alert notifications the user received and investigate the trail of user activities leading up to the incident. If the user is online, you can take remote control of their computer or freeze their inputs to prevent further incidents.

If Audio recording is enabled, you can also hear recordings of both sound outputs and inputs (speakers/line-out, microphone/line-in). Finally, you can take snapshots of the user’s desktop, forward the recordings to selected email addresses or download them as MP4 files.

You can access the Session Player from the BI Reports, from the Employee’s Activity Monitoring Report or even from the Dashboards. Click the Movie Camera icon, wherever you see it, to access the Session Player.

image-144__1_.png

For more information on the Session Player and to learn how to use its different features, check out the Session Player section on the Teramind User Guide.

Using the Risk Report

The Risk report allows you to analyze the impact of rule violation incidents and the risks they pose to your organization. The report shows the top risky rules, users, applications and websites. You can drill down into each risk category to further investigate what caused the risk level to change. You can also plot the risk trend by department, severity, number of violations, tag etc. Unique risk scores help you identify high-risk rules or users so that plans can be developed for treating the risks.

You can access the Risk report from the BI Reports > Behavior Alerts menu, under the Risk tab.

mceclip1__1_.png

For more information on the Risk report and to learn how to use its different features, check out the BI Reports > Behavior Alerts section on the Teramind User Guide.

Using the Risk Widget

You can also add a Risk widget to your dashboard. The widget allows you to view the most recent risk trend and risk scores for users, activities or rules in real-time or for the selected date range. You can add the Risk widget to a dashboard by clicking the ADD WIDGETS button on the Dashboard’s screen.

image-147__1_.png

For more information on the Widgets and to learn how to use them, check out the Dashboard Widgets section on the Teramind User Guide.

Using OMNI

You can use the OMNI dashboard to have a snapshot view of the most critical insights and incidents about your organization in a social media-like interface. You can view behavior alerts and drill down to investigate what activity caused the rule to trigger.

OMNI also features machine-learning-based threat detection and anomaly identification. To learn more about OMNI, please check out the OMNI section on the Teramind User Guide.

Sample Rules Walkthrough / Rule Examples

Rule Sample 1: User logs in during off hours

Rule Summary

image-148__1_.png

This example shows how you can create an Agent Schedule rule to detect a user attempting to log in during off hours.

Setting Up the Rule

General Tab

image-149__1_.png

On the first tab, General, we assigned a name.

We have chosen an Agent Schedule rule type under the Rules Category since we are looking to detect a user’s login time.

User Tab

image-150__1_.png

For the users, we chose to manually add the users (by turning off the INHERIT POLICY SETTINGS).

We also decided to apply this rule to external contractors only. To do so, we first created a department named ‘External Contractors’ and then edited the selected users’ profiles to assign them to this department.

Schedule Tab

image-151__1_.png

We have selected the Login schedule violation type so that we can monitor the login attempts.

We have also set up two time slots that will be considered as off-hours (12am-8am and 6pm-12am). Any attempt to log in during these two periods will trigger the rule.

If you wanted, you could set up additional options such as restricted IPs or exclude any days you don’t want to monitor.

Actions Tab

image-152__1_.png

Finally, for the last tab, ‘Actions’, we have selected to use a NOTIFY action to notify the security admin.

We also selected a WARN action to show a warning to the offending user. For this action, we decided to use the HTML template option to make the alert prominent to the user.

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts, then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ at the bottom of the screen shows a list of all the alerts:

mceclip0__4_.png

You can see that, on 2019-08-05 at 16:03:31, employee Martin Sutherland signed in. Since the action meets the rule criteria (Login: between 12am – 8am and 6pm – 12am), it is triggered.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

image-154__1_.png

When a user logs in outside our set schedule, they will see a warning message. Note that the login time is based on the user’s local time.

Rule Sample 2: User sending emails with attachments to non-business address

Rule Summary

image-155__1_.png

This example shows how you can create a simple Activity rule to warn a user when they send an email with attachment(s) to a non-business email address.

Setting Up the Rule

General Tab

image-156.png

On the first tab, General, we assigned a name for the rule and a description. We also used some tags to identify the rule easily.

We have chosen an Activity rule type since we are looking to detect a user action (the act of sending an email) and not any content. We have selected Emails as the Types of Activities.

We left the rule schedule to its default 24-hour setting.

User Tab

image-157__1_.png

For the users, we used the default policy settings (by leaving the INHERIT POLICY SETTINGS option turned on).

Emails Tab

Mail To

image-158.png

We have added three criteria to the Emails activity. For the first criterion, ‘Mail to’, we have specified several email domains that we would consider as ‘non-business’ addresses and used a contains logic to detect even a partial match.

Mail Direction

image-159__1_.png

For the second criterion, ‘Mail Direction’, we have selected OUTGOING to detect only the outgoing emails.

Has Attachments

image-160__1_.png

For the third criterion, ‘Has Attachments’, we have set the rule to detect only emails that carry one or more attachments.

Actions Tab

image-161__1_.png

Finally, for the last tab, ‘Actions’, we have selected to use a WARN action to just show a simple warning to the user.

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts, then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ at the bottom of the screen shows a list of all the alerts:

mceclip1__2_.png

You can see that, on 2019-07-28 at 06:02:33, employee John Doe sent an outgoing email to a non-business email account and the rule gets triggered.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

image-163__1_.png

You can see that, as soon as the user sends an email to a non-business address, the rule’s warning message is shown in the top-right corner of their screen. You will notice that the message is very bare-bones and may fail to attract any attention. You can change that by customizing the rule messages and alerts.

Rule Sample 3: User attempting to upload a sensitive file to a cloud drive

Rule Summary

image-164__1_.png

This example shows how you can create an Activity rule to block a user and display a message for attempting to upload certain files to a cloud drive.

Setting Up the Rule

General Tab

image-166.png

On the first tab, General, we assigned a name for the rule and a description.

We have chosen an Activity rule type since we are looking to detect a user action (the act of uploading a file) and not any content. And we have selected Files as the Types of Activities.

We left the rule schedule to its default 24-hour setting.

User Tab

image-167__1_.png

For the users, we chose to manually add the users (by turning off the INHERIT POLICY SETTINGS). We have also excluded the Management department from the rule’s scope.

Files Tab

File Operation

image-168__1_.png

We have added two criteria to the Files activity. For the first criterion, ‘File Operation’, we have selected the Upload operation.

Upload File Name

image-169__1_.png

For the second criterion, ‘Upload File Name’, we have specified some keywords that we would like to detect in the file names.

Actions Tab

image-170__1_.png

Finally, for the last tab, ‘Actions’, we have selected a BLOCK action to block the activity and at the same time show a message to the user. For this demonstration, we used a HTML template. This will allow us to use a customized template. We can also use simple HTML tags (such as <b>, <a> etc.) in the message itself.

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts, then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ at the bottom of the screen shows a list of all the alerts:

mceclip2__3_.png

You can see that, on 2019-07-08 at 08:58:54, employee Kate Sparrow tried to upload a file to Google Drive and the rule blocked her action.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

image-172__2_.png

You can see that, as soon as the user attempts to upload a file named ‘sensitive.txt’, the rule is triggered because the filename contains one of our specified keywords, ‘sensitive’. The rule shows the message we specified, and the upload operation is blocked.

Also, unlike the previous example, this time we used a customized HTML template and you can see the result. The warning message is now shown in a nice alert box.

Rule Sample 4: User attempting to share files containing sensitive content

Rule Summary

image-173__2_.png

This example shows how you can create a Content rule to block a user and display a message for attempting to upload a file containing credit card numbers. The user will be given a choice to continue or cancel the file operation. In any case, a rule alert will be recorded.

Setting Up the Rule

General Tab

image-174.png

On the first tab, General, we assigned a name for the rule and a description.

We have chosen a Content Sharing rule type since we are interested in detecting sensitive content. We have selected Files as the Types of Content.

We changed the rule schedule so that it will monitor 9am-12pm and 12:30pm-5:00pm, a typical work time taking into account a 30-minute lunch break.

User Tab

image-175__1_.png

For the users, we used the default policy settings (by leaving the INHERIT POLICY SETTINGS option turned on).

Content Tab

image-176__1_.png

For content, we used a built-in template, ‘Predefined Classified Data’, and then selected the ‘Financial Data’ category to detect ‘All credit card numbers’. The rule will trigger even if there’s only one credit card number detected in a file. We did so by entering a value of ‘1’ in the TRIGGER ON PATTERN FREQUENCY IN CONTENT field.

Actions Tab

image-177__1_.png

Finally, for the last tab, ‘Actions’, we have selected a BLOCK action but turned on the ALLOW BYPASS WITH CONFIRMATION? option. This will show a warning to the user and block the action. But it will also show two YES and NO buttons. If the user clicks YES, they will be able to override the block.

DEPRECATED FEATURE

ALLOW BYPASS WITH CONFIRMATION and MANAGER CAN MAKE EXCEPTIONS options are no longer supported.

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts, then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ at the bottom of the screen shows a list of all the alerts:

mceclip3__2_.png

You can see that, on 2019-08-05 at 12:17:45, employee Simon Woodly tried to upload a file containing credit card data to a Box drive and the rule got triggered.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

image-179__1_.png

On this screen, you can see the user creating a text file containing some credit card numbers and saving it on their desktop.

image-181__1_.png

The user then attempts to copy the file to a network folder. You can see that, as soon as the user attempts to copy the file, the rule is triggered giving the user the option to continue or not. If the user clicks YES, the file copy operation will continue as usual. If they click NO, the copy operation will be cancelled.

Also, in this example, we used yet another customized HTML template to show the warning message.

Rule Sample 5: Employee productivity anomaly

Rule Summary

This example shows how you can create an Anomaly rule to monitor the productivity level of employees and receive a notification when it goes below a certain threshold. You will also be able to compare this against their Departmental and Organizational average.

Setting Up the Rule

General Settings Section

image-182__1_.png

On the first section, General Settings, we assigned a name for the rule and a description.

For the users, we have selected All employees.

We have also used a tag to find the rule easily.

Rule Trigger Section

image-183__1_.png

We chose the Activity: Productivity as the rule trigger.

For the rule’s condition, we selected the Productivity criterion and chose a less than ‘<’ logic to detect when the productivity goes below 20%.

Rule Risk Level Section

image-184__1_.png

We left the risk level’s default settings (No Risk) and ACCUMULATES RISK option turned on so that multiple violations of the rule will add up towards the risk score for this rule.

Rule Actions Section

image-185__1_.png

Finally, for the last section, ‘Actions’, we have turned on the NOTIFY action to inform a manager about the productivity loss.

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts, then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ at the bottom of the screen shows a list of all the alerts:

mceclip4__1_.png

You can see that, on 2021-04-11 at 04:44:45, employee Leo Gross triggered an anomaly rule because his productivity dropped to 11%, whereas his usual productivity had been above 52% before.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

mceclip6.png

You can click the Notification (Bell) icon near the top-right corner of the Session Player to see all the alerts/notifications.

Click a Notification to see what the user was doing when the rule was triggered.

Rule Sample 6: Using Windows Log Event to Detect Software Installation/Uninstallation

Rule Summary

This example shows how you can create a simple Windows Log Event-based Activity rule to warn a user when they are installing or uninstalling any application.

Setting Up the Rule

General Tab

On the first tab, General, we assigned a name for the rule.

We have chosen an Activity rule type since we are looking to detect a user action (the act of installing/uninstalling an application) and not any content. We have selected Windows Log Event as the Types of Activities.

We left the rule schedule to its default 24-hour setting.

User Tab

We turned off the INHERIT POLICY SETTINGS on the User tab so that we can manually select Everyone.

Windows Log Event Tab

Event ID

For the Event ID criterion, we have entered 1040 with the equal '=' condition. Windows logs this Event ID whenever the MSI Installer is run. This installer is used to install application packages (usually with a .msi extension). By looking for this event, we can detect whenever a user tries to install an application. Note that there are other methods/events for detecting the installation of applications, but this is one of the most common events you can check.

Actions Tab

Finally, for the last tab, ‘Actions’, we have selected a WARN action to let the user know that their activity is being tracked. For this demonstration, we used the HTML template option so that the message is displayed in a nice pop-up window.

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts, then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ at the bottom of the screen shows a list of all the alerts:

You can see that, on 2023-11-19 at 09:07:26, the rule was triggered for employee John Simmons.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

You can see that, the user is installing the "ScreenToGif" software. As soon as the Windows installer launches, the rule's warning message pops up.

For additional details, you can check the Windows Event Viewer on the user's computer and search for Event ID 1040:
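The Event ID 1040 check used by this rule and the Event Viewer follow-up above, as an added example that is not Teramind's code: a parser for exported Event Viewer XML records that keeps only MsiInstaller events with ID 1040 and pulls out the package path, client process id, computer and user SID, then counts transactions per user. The records, their Data field layout and the names in them are constructed samples, not a real export; the parser requires both provider and ID to match because event IDs are only unique within a provider.

```python
"""Added example (not Teramind's code): find Windows Installer transactions (MsiInstaller
Event ID 1040) in exported Event Viewer XML. Records and field layout are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MSI_TRANSACTION_BEGIN = 1040  # the Event ID the rule above matches with '='

# Constructed sample export: a 1040 event (matches the rule), another MsiInstaller
# event with a different ID (ignored) and a 1040 from an unrelated provider (ignored).
SAMPLE_EXPORT = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MsiInstaller"/>
    <EventID>1040</EventID>
    <TimeCreated SystemTime="2023-11-19T09:07:26.000000000Z"/>
    <Computer>WS-EXAMPLE-01</Computer>
    <Security UserID="S-1-5-21-1111-2222-3333-1001"/>
  </System>
  <EventData>
    <Data>C:\Users\jsimmons\Downloads\ScreenToGif.msi</Data>
    <Data>4812</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MsiInstaller"/>
    <EventID>1042</EventID>
    <TimeCreated SystemTime="2023-11-19T09:08:10.000000000Z"/>
    <Computer>WS-EXAMPLE-01</Computer>
    <Security UserID="S-1-5-21-1111-2222-3333-1001"/>
  </System>
  <EventData>
    <Data>C:\Users\jsimmons\Downloads\ScreenToGif.msi</Data>
    <Data>4812</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ExampleService"/>
    <EventID>1040</EventID>
    <TimeCreated SystemTime="2023-11-19T09:09:00.000000000Z"/>
    <Computer>WS-EXAMPLE-01</Computer>
    <Security UserID="S-1-5-21-1111-2222-3333-1001"/>
  </System>
  <EventData><Data>unrelated</Data></EventData>
</Event>
</Events>"""


@dataclass(frozen=True)
class InstallerTransaction:
    time: str
    computer: str
    user_sid: str
    package: str      # first Data element (assumed to hold the .msi path)
    client_pid: int   # second Data element (assumed to hold the client process id)


def find_installer_transactions(xml_text: str) -> List[InstallerTransaction]:
    """Return every MsiInstaller 1040 record; provider and ID must both match,
    because event IDs are only unique within a provider."""
    root = ET.fromstring(xml_text)
    found = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS).get("Name")
        event_id = int(system.findtext("e:EventID", namespaces=NS))
        if provider != "MsiInstaller" or event_id != MSI_TRANSACTION_BEGIN:
            continue
        data = [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)]
        pid = int(data[1]) if len(data) > 1 and data[1].isdigit() else -1
        found.append(InstallerTransaction(
            time=system.find("e:TimeCreated", NS).get("SystemTime"),
            computer=system.findtext("e:Computer", namespaces=NS),
            user_sid=system.find("e:Security", NS).get("UserID"),
            package=data[0] if data else "",
            client_pid=pid,
        ))
    return found


def transactions_per_user(txs: List[InstallerTransaction]) -> Dict[str, int]:
    """Installer transactions per user SID: shows whether an alert is a one-off
    or part of a pattern worth a closer look in the Session Player."""
    return dict(Counter(t.user_sid for t in txs))
```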

Other Rule Examples

List of Prebuilt Rule Templates

You can access the prebuilt templates from the CHOOSE A TEMPLATE pull-down menu on the Rule Editor's General tab:

mceclip0__5_.png

Data Loss Prevention
Credit Card Number: Wide
Credit Card Number: Narrow
Credit Card Number: At least 50 numbers
Credit Card Magnetic Strip Data: Wide
Credit Card Magnetic Strip Data: Narrow
Credit Card Magnetic Strip Data: 50 Track1 entities
Office Document: Confidential Watermark
Credit Card Magnetic Strip Data: 50 entities
Health Data: Disease or Drug names
Health Data: Drug names or NDC identifiers
Personal Data: US SSN and Date of Birth
Health Data: US SSN with Health Information
Health Data: UK NHS Numbers and Medical Information

Emails
Outbound email with social security number
Outgoing email to non-business address
Email contains a CV
Outgoing email w-attachment to non-business address
Email contains accusative sentiment
Email contains angry sentiment
Email contains discouraged sentiment
Email contains dissatisfied sentiment
Email contains lawsuit threat
Email contains profanity
Email contains sexual harassment content
Email contains unresponsive complaint
Incoming email from competitors
Outbound email with attachment
Outbound email with credit card number
Outbound email with sensitive keywords

Keystrokes
Screenshot taken

Printer
Large print job

Application
Anonymous browser detected
MSIExec program installation or removal
Network sniffer launched
Non-whitelisted application executed
Registry editor launched
Running peer-to-peer file sharing applications
Running screen sharing applications
Snipping tool used

File Operations
Access sensitive files
Driver tampering
Hosts file edited
Program installation
Write to cloud drive (native)
Write to config file
Write to removable media
Copy file from RDP
Copy file from RDP to removable media

Websites
Non-whitelisted website accessed
Adult websites
Excessive time on job search websites
Excessive usage of social media
Gaming or gambling sites
Streaming movies

IMs
IM contains accusative sentiment
IM contains angry sentiment
IM contains discouraged sentiment
IM contains dissatisfied sentiment
IM contains lawsuit threat
IM contains sexual harassment content
IM contains unresponsive complaint

List of Prebuilt Anomaly Rule Templates

Applications
Application usage anomaly

Emails
Outgoing email anomaly
Outgoing email attachments anomaly

File Operations
External storage insertion anomaly
File copy anomaly
File creation anomaly
File delete anomaly
File rename anomaly
Files downloaded by browser anomaly
Files downloaded by cloud client anomaly
Files uploaded by browser anomaly
Files uploaded by cloud client anomaly

Instant Messages
Instant messages count anomaly

Networking
Network connection count (no https) anomaly
Network connection count anomaly
Network data in (no https) anomaly
Network data in anomaly
Network data out (no https) anomaly
Network data out anomaly

Printers
Documents printed count anomaly

User Activity
Idle time anomaly
User productivity rate anomaly

Websites
Website usage anomaly

List of Predefined Classified Data

Financial Data

All Credit Card Numbers
Magnetic Data
Magnetic Data (Track 1)
Magnetic Data (Track 2)
Swift Code
ABA Route Numbers

By Type
Visa
Mastercard
American Express
Bankcard
Dinners International
Dinners USA & Canada
Discover
En Route
JCB
Maestro
Switch
Solo
RuPay

By Country
USA
Japan
Israel
Europe
United Kingdom
Canada

USA
Visa
Mastercard
American Express
Bankcard
Dinners International
Dinners USA & Canada
Discover
En Route
JCB
Maestro

Japan
Visa
Mastercard
American Express
JCB
Maestro

Israel
Visa
Mastercard
American Express
JCB
Maestro

Europe
Visa
Mastercard
American Express
Discover
Maestro
Switch
Solo

United Kingdom
Visa
Mastercard
American Express
Discover
Maestro
Switch
Solo

Canada
Visa
Mastercard
American Express
Dinners
Discover
Maestro

Health Data

Common Drug Names
Common Disease Names
DNA Profiles

NDC Number
HICN

NHS Number
ICD10 Code

Personally Identifiable Data

USA Zip Code and Address
UK Postal Code and Address
USA Cities
SSN
English Names

Dates
Phone Numbers
IPv4 Addresses
IPv6 Addresses
Email Addresses

URL
VIN
Personal Cryptographic Keys
USA Vehicle License Plates
USA Driver License Number (All States)

Code Snippets

Clang
C++
C#
Go

Haskell
Java
JavaScript
Objective-C

PHP
Python
Ruby
SQL
