The Behavior menu consists of the Polices, Alerts and Anomaly Rules. These features utilize Teramind’s core Behavioral Engine. With the rules, you can set up conditions to detect any unproductive, harmful or dangerous activity in real-time, while having Teramind act on your behalf. When a rule is violated, you can be notified about incident and optionally, the system can take actions automatically in different ways (such as warning the user, blocking the activity etc.). You can see the rule violations report from the Alerts screen. Teramind also lets you create Anomaly Rules. These special types of rules use behavioral baselines to detect and prevent behavioral anomalies that’s harder to implement with the regular policies and rules.

1. Hover your mouse over the BEHAVIOR menu, then

2. Select and item from the sub-menu:

Policy helps you organize similar rules together. In a sense, policies are like folders where you keep your rules. For example, you can have all your PCI related rules under a policy called ‘PCI compliance’. Or, keep all your HR specific rules such as ‘Preventing email harassment’, ‘Limiting social media use’ etc. under the ‘Business Etiquette’ policy.

Each Teramind solution comes with a sample policy containing several sample rules. You can experiment with the sample rules to learn how the rules work. Once you are comfortable, you can create your own rules with the intuitive, visual rules editor.

1. Click the COLLAPSE ALL button near the top-right corner of the screen to collapse all policies.

2. You can also set up the dashboard to auto-collapse policies each time the page is loaded. To do so, click the small Gear icon. It will open the Settings window:

3. Toggle the COLLAPSE POLICIES ON PAGE LOAD option to enable/disable auto-collapsing of the policies on page load.

4. Click the SAVE button to save your changes or the CANCEL button to close the window without saving.

1. Click the CREATE NEW POLICY button. A pop-up window will appear.

2. On the Create a New Policy window, enter a name for the policy. Select the users the policy will apply to and optionally, select any users you want to exclude from the policy. Click the CREATE button to create the policy.

1. Click the IMPORT POLICY button near the top-right side of the screen. You will then be prompted to upload a policy file (with a .tm extension) that you previously exported from the current account or another account.

1. Click the Dotted menu at the top-right corner of the policy. A pop-up menu will open.

2. To move a policy up on the list, click the Move Policy up button.

3. To move a policy down on the list, click the Move Policy down button.

4. To export a policy, click the Export Policy button. The policy will be saved with a .tm extension.

5. Click the Import Rule button to import a rule file (with a .tm extension) that you previously exported from the current account or another account.

6. To edit a policy, click the Edit Policy button. An Edit Policy window will pop-up where you can edit the policy.

7. To delete/remove a policy, click the Delete Policy button.

1. Click the the BEHAVIOR > Policies menu. Click the ADD RULE FOR THIS POLICY button near the bottom of the policy to add a rule to the policy.

2. Click a rule’s name to edit it. This will open the Rules Editor.

The Rules Editor is an intuitive, visual editor where you can create sophisticated behavioral rules easily without going through multiple screens or coding. Here are the main parts of the editor:

1. The left-most part of the editor is where the main tabs/steps of a rule are displayed. A basic rule has at least three tabs: General, User, Category and Action. Note that, the exact name for the Category will change based on which rule category you select on the General tab. For example, on the screenshot above, the Category is ‘Emails’.

2. The middle part of the editor is where you specify the actual rule parameters.

3. The right-most part of the editor displays a summary of the rule in easy to follow language.

In the first tab, General, you specify the basic settings for the rule. You also select which activity or content the rule will detect.

1. On the top fields, you can specify a name and optionally, a description for the rule.

1. When creating a new rule, you can choose from a list of pre-built templates. Click the CHOOSE A TEMPLATE field to choose a template on the General tab. Teramind has many templates for Data Loss Prevention, Email, Applications, Websites, File Operations etc. Once you select a template, the rest of the rule’s tabs will be automatically populated with pre-configured settings and sample data. You can, of course, change the settings.

1. There are three categories of rules you can select from the SELECT THE TYPE OF RULE drop-down menu on the General tab:

Note that Content sharing rule is available on Teramind DLP only..

2. Optionally, you can assign tags to a rule to easily identify it or use them as filters (i.e. on the Risk or Alerts report).

3. Once you select a rule type, you can then select the Types of Activity (for Activity-based rules) or Types of Content (for Content-based rules). You can select multiple activity or contents. If you select multiple activities/contents, the rule will trigger separately for each of the activity/content. Note that, rules based on the Agent schedules do not have this section.

1. By default, the rule stays active for 24 hours. However, you can change the time. For example, you can have the rule active during work hours but disable it during the employee lunch breaks. To change when the rule is active, drag the two small Circles to adjust the time. You can click the Plus (+) and Minus (–) buttons to add/remove additional time slots.

Here you specify which users, groups or departments the rule will apply to.

1. By default, the rule will inherit the user settings from the policy. However, you can turn it off to select users manually.

2. You can specify who the rule will apply to and optionally, exclude anyone you don’t want to be included using the EXCLUDE FROM RULE field.

Categories is where you define the conditions for the rules.

1. The Categories tab will change depending on what Types of activities / Types of content you choose from the General tab. So, for example, if you choose Applications and Files, you will have two tabs named Applications and Files here.

2. Condition Parameters – Option 1: For categories that support it, click the Plus (+) button to add parameters to a condition. A small pop-up menu will appear where you can select a parameter. You can select multiple parameters for a condition. In such cases, the conditions will show up as separate tabs. Condition parameters are different for each category. For example, the Application category might have parameter such as ‘Application Name’, ‘Application Caption’ etc. while the Emails category might have ‘Mail Body’, ‘Mail Subject’ etc. You can delete a condition parameter by clicking the small X button next to its name.

3. Condition Parameters – Option 2: For categories (i.e. Files) that do not have a Plus (+) button, the CONDITION field is used to set its rule parameters.

4. Conditions Values: For categories that support it, you use the CONDITION field to specify what values to compare the rule parameters with. Start typing, then select an option from the pop-up to tell Teramind what type of value it is. There are may ways you can use the conditions. For example, to block certain applications from running, you can type them in the CONDITION field and choose the Contains or Equals from the list. Or, you can create a Shared List containing all the names (see Shared Lists section for more information on how to create shared lists). For complex matches, such as Credit Card Numbers, Social Security Numbers etc., you can use the RegEx option. Each value is considered as an ‘OR’ clause. So, in the above example, the rule will trigger if the ‘Application Name’ matches with ‘regedit’ or ‘pseditor.exe’. Each condition parameter is considered as an ‘AND’ clause. So, in the above example, the rule will trigger if the ‘Application Name’ and the ‘Launch from CLI’ parameters meets the condition.

5. Addition Conditional Blocks: To add additional condition blocks, click the ADD CONDITION button. Each new condition is considered as an ‘OR’ clause. So, if either of the conditions meets the criteria, the rule will be triggered.

6. Deleting Conditional Blocks: To remove a condition block, click the small X button at the top-right corner of the condition block.

This tab allows you to define what makes the content sensitive and specify values to look for. Note that, Content tab is available only on Teramind DLP and is shown only when you select the Content sharing rule type.

1. You can specify several content types depending on what Types of activities / Types of content you have selected in the General tab (i.e. Clipboard, Files, Emails, IM).

Actions tab is where you specify what the system will do when a rule is violated. You can warn a user or block them, receive notification, record a video of the desktop etc. Note that, not all rule categories support all actions. For example, most of the Agent Schedule-based rules only support the NOTIFY action (except for the Login and Idle schedules). Same way, different Activity Type or Content Type may also have their own special actions. For example, Webpages have an action called REDIRECT which is not available for other activity types. Also, not all actions are available on all the operation systems. For example, the COMMAND action does not work on the macOS at the moment.

In some cases, you can use multiple actions as long as they do not conflict with each other. For example, you can use the NOTIFY and BLOCK actions together as they do different things. But you cannot use the BLOCK and LOCK OUT USER actions together because they both prevent the user from doing something. The Rule Editor will automatically grey-out/disable actions that conflict with the currently selected action(s).

There are two ways you can setup actions: Simple Mode and Advanced Mode.

1. Click the Dotted menu at the top-right corner of the rule. A pop-up menu will open.

2. You can import a rule from the Policy context menu (see the Moving / Exporting / Editing / Deleting Policies section above).

3. To export a policy, click the Export rule button. The rule will be saved as a .tm file.

4. To edit a rule, click the Edit rule button. Note that, you can also click the rule’s name to edit it. In both cases, you will be taken to the Rules Editor where you can edit the rule (check out the Rules Guide to learn how to create/edit rules).

5. To duplicate a rule or to move it to another policy, click the Copy or Move Rule button. A pop-up window will open where you can choose to copy or move the rule.

6. To delete/remove a policy, click the Delete Policy button.

The Alerts report shows all the rule violation incidents (triggered by the regular Rules) and any anomalies (triggered by the Anomaly Rules). The report shows the date/time the incident happened, which user was involved, what policy and rule were violated, what action was taken by the system and a description of the incident (i.e. what applications the employee was using and what triggered the alert).

The report also shows a trend graph for the number of alerts triggered over the period. Like all other reports, you can view a session recording of an alert incident by clicking the movie camera icon on the Employee column. Same way, you can also export an alert report or schedule it for auto delivery to selected email addresses.

The Alerts report is similar to a Monitoring Report. As such, you can perform similar reporting tasks such as configuring, filtering, exporting, etc. Check out the Performing Common Reporting Tasks section to learn how to perform these common report actions.

1. There are multiple ways to filter the Alerts report. You can do so by using the drop-down menus located at the top-left corner of the report. You can filter by Policy, Severity, Tags or Actions. This is helpful if you have many alerts and wanted to narrow down the list.

1. You can use the SHOW TRIGGERS button to toggle the display of additional information about a rule violation incident. When triggers are turned on, the Display column will show additional information such as what part of the rule condition was trigger and for which activity or content.

Anomaly rules are special types of rules that allow you to identify anomalies in a user’s behavior by utilizing behavioral baselines. It also allows you to assign risk levels to any anomalous behavior and a notification action to inform admins or managers about the anomaly.

1. If you have many anomaly rules, you can decide what’s displayed by using the filters on the left side of the Anomaly Rules screen. You can clear the filters by clicking the small Funnel icon.

2. To edit an anomaly rule, click the Pencil icon. You will be taken to a rule editor. Follow the Anomaly Rules Editor section to learn how to edit an anomaly rule.

3. Click the Copy icon to duplicate a rule.

4. Click the X icon to delete a rule.

1. Click the ADD ANOMALY RULE button at the top-right corner of the screen. A pop-up window will open.

2. Click the CREATE NEW RULE button if you want to create a rule from the scratch. You will be taken to the Anomaly Rules Editor. Follow the Anomaly Rules Editor section to learn how to edit an anomaly rule.

3. Click the USE TEMPLATE button to create a rule based on a template. Teramind comes with many anomaly rules templates. You can choose from a list of types such as: Applications, Emails, File Operations etc. Click on a type to expand it. Pick a rule template and click the LOAD TEMPLATE TO USE button. You will be taken to the rule editor. Follow the Anomaly Rules Editor section to learn how to edit an anomaly rule.

The Anomaly Rules Editor is an intuitive, visual editor. The single-page interface of the editor makes it easier to view and edit the rules.

You can specify basic rule settings on the General Settings section of the Anomaly Rules Editor.

1. Give the rule a name on the RULE NAME field.

2. Select the users the rule will apply to on the APPLIES TO field.

3. Select any users that should be excluded on the EXCLUDING field.

4. Optionally, you can assign tags to a rule on the TAGS field to easily identify it.

The Rule Trigger section lets you specify which activity the rule engine will monitor and what conditions it will evaluate.

1. Select a trigger from the list. You can choose from many pre-built options such as Webpages, Applications, Emails, Productivity, Network etc.

2. Under CONDITIONS, you can choose different types of conditions such as:

3. Click the ADD CONDITION button to add a new condition row.

4. Click the X button next to a condition to delete it.

Rule Risk Level section lets you assign a risk level to the rule. The risk level is used by Teramind to calculate risk scores (see the Risk section on the User Guide to learn more about risks) and can also be used to filter reports (i.e. Alerts).

1. Click and drag the Circle to adjust the risk level.

2. You can turn risk accumulation on/off. If turned on, the risk associated with this rule will be counted multiple times for multiple violations. Otherwise it will be counted once for all violations.

Anomaly rules only support the NOTIFY action.

1. Turn the notification on/off by using the NOTIFY button.

2. Select the users who will get notified when the rule is violated.

1. Click the SAVE AND LAUNCH RULE to save and activate it.

2. Click the SAVE RULE AS TEMPLATE button to save it as a template. This way, the template will be available when you are creating a new anomaly rule (see the Creating Anomaly Rules section to learn how to use an anomaly rule template).