Behavior
Written by Arick Disilva
Updated over 3 months ago

Check out the Rules Guide for detailed descriptions, instructions and samples about Behavior Policies & Rules.

Introduction to the Behavior Policies & Rules

The Behavior menu consists of the Policies, Alerts, and Anomaly Rules screens. These features utilize Teramind’s core Behavioral Engine. With the rules, you can set up conditions to detect any unproductive, harmful, or dangerous activity in real time, while having Teramind act on your behalf. When a rule is violated, you can be notified about the incident and, optionally, the system can take actions automatically in different ways (such as warning the user, blocking the activity, etc.). You can see the rule violations report from the Alerts screen. Teramind also lets you create Anomaly Rules in on-premise dashboards. These special types of rules use behavioral baselines to detect and prevent behavioral anomalies that are harder to implement with the regular policies and rules.

Accessing the Behavior Menus


1. Hover your mouse over the BEHAVIOR menu, then

2. Select an item from the sub-menu:

  • Policies

  • Alerts

  • Anomaly Rules

Policies

A policy helps you organize similar rules together. In a sense, policies are like folders where you keep your rules. For example, you can have all your PCI related rules under a policy called ‘PCI compliance’. Or, keep all your HR specific rules such as ‘Preventing email harassment’, ‘Limiting social media use’ etc. under the ‘Business Etiquette’ policy.

Each Teramind solution comes with a sample policy containing several sample rules. You can experiment with the sample rules to learn how the rules work. Once you are comfortable, you can create your own rules with the intuitive, visual rules editor.

1. Name of the rule. Click a rule to edit it. See Rules Editor > General Tab > Rule Name and Description.

2. Rule Category. If the rule has any tags, you will also see them here. See Rules Editor > General Tab > Rule Category and Type.

3. Rule Audience/target users. If a rule has overridden the policy’s targeted users, computers, or departments, then “overridden audience” will be shown. See Rules Editor > User Tab.

4. Shows icons representing rules action(s). See Rules Editor > Actions Tab.

5. Shows the rule violation severity. See Rules Editor > General Tab > Rule Violation Severity.

6. Allows you to enable/disable the rule.

7. Shows a preview of the rule.

8. Shows the rule’s context menu, from where you can perform various rule actions. See the Moving / Importing / Exporting / Editing / Deleting Rules section.

Collapsing the Policies

1. Click the COLLAPSE ALL button near the top-right corner of the screen to collapse all policies.

2. You can also set up the dashboard to auto-collapse policies each time the page is loaded. To do so, click the small Gear icon. It will open the Settings window:

3. Toggle the COLLAPSE POLICIES ON PAGE LOAD option to enable/disable auto-collapsing of the policies on page load.

4. Click the SAVE button to save your changes or the CANCEL button to close the window without saving.

Creating a New Policy


1. Click the CREATE NEW POLICY button. A pop-up window will appear.


2. On the Create a New Policy window, enter a name for the policy. Select the users the policy will apply to and optionally, select any users you want to exclude from the policy. Click the CREATE button to create the policy.

Importing a Policy

1. Click the IMPORT POLICY button near the top-right side of the screen. You will then be prompted to upload a policy file (with a .tm extension) that you previously exported from the current account or another account.

Moving / Exporting / Editing / Deleting Policies

1. Click the Dotted menu at the top-right corner of the policy. A pop-up menu will open.

2. To move a policy up on the list, click the Move Policy up button.

3. To move a policy down on the list, click the Move Policy down button.

4. To export a policy, click the Export Policy button. The policy will be saved with a .tm extension.

5. Click the Import Rule button to import a rule file (with a .tm extension) that you previously exported from the current account or another account.

6. To edit a policy, click the Edit Policy button. An Edit Policy window will pop up where you can edit the policy.

7. To delete/remove a policy, click the Delete Policy button.

Creating / Editing Rules


1. Click the BEHAVIOR > Policies menu. Click the ADD RULE FOR THIS POLICY button near the bottom of the policy to add a rule to the policy.

2. Click a rule’s name to edit it. This will open the Rules Editor.

Rules Editor

This section describes the basic principles of configuring a rule. Check out the Rules Guide to learn more about rules and how to create them to detect insider threats, protect your organization from malicious or accidental security incidents, prevent data loss, or comply with regulatory requirements.

The Rules Editor is an intuitive, visual editor where you can create sophisticated behavioral rules easily without going through multiple screens or coding. Here are the main parts of the editor:

1. The left-most part of the editor is where the main tabs/steps of a rule are displayed. A basic rule has at least three tabs: General, User, Category and Action. Note that the exact name of the Category tab changes based on which rule category you select on the General tab. For example, in the screenshot above, the Category is ‘Emails’.

2. The middle part of the editor is where you specify the actual rule parameters.

3. The right-most part of the editor displays a summary of the rule in easy-to-follow language.

General Tab – Setting the Rule Basics

In the first tab, General, you specify the basic settings for the rule. You also select which activity or content the rule will detect.

Rule Name and Description


1. In the top fields, you can specify a name and, optionally, a description for the rule.

Rule Template


1. When creating a new rule, you can choose from a list of pre-built templates. Click the CHOOSE A TEMPLATE field to choose a template on the General tab. Teramind has many templates for Data Loss Prevention, Email, Applications, Websites, File Operations, etc. Once you select a template, the rest of the rule’s tabs will be automatically populated with pre-configured settings and sample data. You can, of course, change the settings.

Displaying the Rule in OMNI

Just under the rule templates selection, you will notice an option, “Display in OMNI feed”. If enabled, the rule will show up on the OMNI dashboard.

Rule Category and Type

1. There are three categories of rules you can select from the SELECT THE TYPE OF RULE drop-down menu on the General tab:

  • Agent schedule: This is the most basic rule type. It’s based on an agent/user’s schedule, such as when an employee started work, whether they are late for work, whether a user is idle, etc. The rule takes input from the Schedules you create for employees to determine when a user/agent is supposed to start/finish.

  • Activity: Activity-based rules apply to the majority of the monitored objects. With this type of rule, you can detect user and application activities. For example, warn a user when they visit a gambling site, or stop them from copying a sensitive file to an external drive.

  • Content sharing: These rules are used to detect content or text inside an object. The object can be a file, a web page, text in an email or IM chat, etc. These powerful rules can be used to prevent data exfiltration attempts, such as blocking the transfer of a file when it contains credit card numbers, or warning a user when they attempt to send emails containing sensitive keywords.

Note that Content sharing rules are available on Teramind DLP only.

2. Optionally, you can assign tags to a rule to easily identify it or use them as filters (i.e. on the Risk or Alerts report).

You might also see some built-in tags such as Data Loss, Malicious Incident, Negligence, etc. that you can assign to the rule. These special tags are used with OMNI to categorize different types of risks.

3. Once you select a rule type, you can then select the Types of Activity (for Activity-based rules) or Types of Content (for Content-based rules). You can select multiple activity types or contents. If you select multiple activities/contents, the rule will trigger separately for each of the activities/contents. Note that rules based on the Agent schedules do not have this section.

Rule Schedule


1. By default, the rule stays active for 24 hours. However, you can change the time. For example, you can have the rule active during work hours but disable it during the employees’ lunch breaks. To change when the rule is active, drag the two small Circles to adjust the time. You can click the Plus (+) and Minus (-) buttons to add/remove additional time slots.

The rule schedule is based on the users’ local time zones. It does not use the TIMEZONE option under the Settings > Localization screen.

Agent Schedule rules and Anomaly rules do not have this scheduling module. Their scheduling is done in a different way.

Rule Violation Severity

1. The Rule Violation Severity allows you to specify a risk level for the rule. You can either drag the slider or use the number field to enter a number between 0 and 100. This value is then used in places like OMNI to measure the overall risk score.

User Tab – Specifying Users and Groups

Here you specify which users, computers, groups, or departments the rule will apply to.


1. By default, the rule will inherit the user settings from the policy. However, you can turn this off to select users manually.

2. You can specify who the rule will apply to and optionally, exclude anyone you don’t want to be included using the EXCLUDE FROM RULE field.

Categories Tab – Setting Rules Conditions

Categories is where you define the conditions for the rules.


1. The Categories tab will change depending on what Types of activities / Types of content you choose from the General tab. So, for example, if you choose Applications and Files, you will have two tabs named Applications and Files here.

2. Condition Parameters – Option 1: For categories that support it, click the Plus (+) button to add parameters to a condition. A small pop-up menu will appear where you can select a parameter. You can select multiple parameters for a condition. In such cases, the parameters will show up as separate tabs. Condition parameters are different for each category. For example, the Applications category might have parameters such as ‘Application Name’, ‘Application Caption’, etc., while the Emails category might have ‘Mail Body’, ‘Mail Subject’, etc. You can delete a condition parameter by clicking the small X button next to its name.


3. Condition Parameters – Option 2: For categories (e.g. Files) that do not have a Plus (+) button, the CONDITION field is used to set the rule parameters.


4. Condition Values: For categories that support it, you use the CONDITION field to specify what values to compare the rule parameters with. Start typing, then select an option from the pop-up to tell Teramind what type of value it is. There are many ways you can use the conditions. For example, to block certain applications from running, you can type their names in the CONDITION field and choose Contains or Equals from the list. Or, you can create a Shared List containing all the names (see the Shared Lists section for more information on how to create shared lists). For complex matches, such as Credit Card Numbers, Social Security Numbers, etc., you can use the RegEx option. Each value is treated as an ‘OR’ clause. So, in the above example, the rule will trigger if the ‘Application Name’ matches ‘regedit’ or ‘pseditor.exe’. Each condition parameter is treated as an ‘AND’ clause. So, in the above example, the rule will trigger only if both the ‘Application Name’ and the ‘Launch from CLI’ parameters meet their conditions.

5. Additional Conditional Blocks: To add additional condition blocks, click the ADD CONDITION button. Each new condition is considered as an ‘OR’ clause. So, if either of the conditions meets the criteria, the rule will be triggered.

6. Deleting Conditional Blocks: To remove a condition block, click the small X button at the top-right corner of the condition block.
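The AND/OR composition described above (values OR-ed within a parameter, parameters AND-ed within a block, blocks OR-ed across ADD CONDITION), written out as a small evaluator. This is an added, constructed illustration, not Teramind’s rule engine; the parameter names, match types and the sample activities are assumed for the example.

```python
import re
from dataclasses import dataclass

# Constructed model of the Categories tab logic. Not Teramind's engine or API.


@dataclass
class Parameter:
    """One condition parameter (e.g. 'Application Name') and its CONDITION values.

    Each value is a (match_type, value) pair; the values are OR-ed together.
    """
    name: str
    values: list

    def matches(self, activity: dict) -> bool:
        observed = str(activity.get(self.name, ""))
        for match_type, value in self.values:
            if match_type == "equals" and observed.lower() == value.lower():
                return True
            if match_type == "contains" and value.lower() in observed.lower():
                return True
            if match_type == "regex" and re.search(value, observed):
                return True
        return False


@dataclass
class ConditionBlock:
    """Parameters inside one block are AND-ed: every parameter must match."""
    parameters: list

    def matches(self, activity: dict) -> bool:
        return all(p.matches(activity) for p in self.parameters)


def rule_triggers(blocks: list, activity: dict) -> bool:
    """Blocks added with ADD CONDITION are OR-ed: any matching block triggers."""
    return any(b.matches(activity) for b in blocks)


# The application example from the text: 'Application Name' equals regedit OR
# pseditor.exe, AND 'Launch from CLI' is yes. A second, OR-ed block catches the
# same tool by its window caption. All values are constructed for this example.
APP_RULE = [
    ConditionBlock([
        Parameter("Application Name", [("equals", "regedit"), ("equals", "pseditor.exe")]),
        Parameter("Launch from CLI", [("equals", "yes")]),
    ]),
    ConditionBlock([
        Parameter("Application Caption", [("contains", "Registry Editor")]),
    ]),
]

# A RegEx value on 'Mail Body' for a 16-digit card-like number. The pattern is
# constructed for illustration; production DLP classifiers are stricter and
# usually validate the Luhn check digit as well.
EMAIL_RULE = [
    ConditionBlock([
        Parameter("Mail Body", [("regex", r"\b(?:\d[ -]?){15}\d\b")]),
    ]),
]

if __name__ == "__main__":
    print(rule_triggers(APP_RULE, {"Application Name": "regedit", "Launch from CLI": "yes"}))  # True
    print(rule_triggers(APP_RULE, {"Application Name": "regedit", "Launch from CLI": "no"}))   # False
```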

Content Tab – Defining Sensitive Data Types

This tab allows you to define what makes the content sensitive and specify values to look for. Note that the Content tab is available only on Teramind DLP and is shown only when you select the Content sharing rule type.


1. You can specify several content types depending on what Types of activities / Types of content you have selected in the General tab (e.g. Clipboard, Files, Emails, IM).

Actions Tab – Responding to Rule Violation Incidents

The Actions tab is where you specify what the system will do when a rule is violated. You can warn a user or block them, receive a notification email, record a video of the desktop, etc. Note that not all rule categories support all actions. For example, most of the Agent Schedule-based rules only support the NOTIFY action (except for the Login and Idle schedules). Similarly, different Activity Types or Content Types may have their own special actions. For example, Webpages have an action called REDIRECT which is not available for other activity types. Also, not all actions are available on all operating systems. For example, the COMMAND action does not work on macOS at the moment.

In some cases, you can use multiple actions as long as they do not conflict with each other. For example, you can use the NOTIFY and BLOCK actions together as they do different things. But you cannot use the BLOCK and LOCK OUT USER actions together because they both prevent the user from doing something. The Rule Editor will automatically grey-out/disable actions that conflict with the currently selected action(s).

There are two ways you can set up actions: Simple Mode and Advanced Mode.

Check out the Rules Guide to learn more about rules and how to create/edit rules to detect insider threats, protect your organization from malicious or accidental security incidents, prevent data loss, improve productivity, or comply with regulatory requirements.

Alerts [deprecated]

DEPRECATED FEATURE

The Alerts report is deprecated and will be removed from the dashboard. Please use the new BI Reports > Behavior Alerts report which offers more information, drill-down capabilities, enhanced export, and faster load time. Please contact Teramind support if you have any questions.

The Alerts report shows all the rule violation incidents (triggered by the regular Rules) and any anomalies (triggered by the Anomaly Rules). The report shows the date/time the incident happened, which user was involved, what policy and rule were violated, what action was taken by the system, and a description of the incident (e.g. what applications the employee was using and what triggered the alert).


The report also shows a trend graph for the number of alerts triggered over the period. Like all other reports, you can view a session recording of an alert incident by clicking the movie camera icon in the Employee column. Similarly, you can also export an alert report or schedule it for auto delivery to selected email addresses.

The Alerts report is similar to a Monitoring Report. As such, you can perform similar reporting tasks such as configuring, filtering, exporting, etc. Check out the Performing Common Reporting Tasks section to learn how to perform these common report actions.

Applying the Alert Filters


1. There are multiple ways to filter the Alerts report. You can do so by using the drop-down menus located at the top-left corner of the report. You can filter by Policy, Severity, Tags or Actions. This is helpful if you have many alerts and want to narrow down the list.

Showing / Hiding Alert Triggers


1. You can use the SHOW TRIGGERS button to toggle the display of additional information about a rule violation incident. When triggers are turned on, the Display column will show additional information such as which part of the rule condition was triggered and for which activity or content.

Anomaly Rules (On-Premise/Windows)

Check out the Anomaly Rules: What Behavioral Anomaly Can You Detect? section on the Rules Guide to learn how to create/edit anomaly rules.

Anomaly rules are special types of rules that allow you to identify anomalies in a user’s behavior by utilizing behavioral baselines. They also allow you to assign risk levels to any anomalous behavior and a notification action to inform admins or managers about the anomaly.

Filtering / Editing / Deleting / Copying Anomaly Rules


1. If you have many anomaly rules, you can decide what’s displayed by using the filters on the left side of the Anomaly Rules screen. You can clear the filters by clicking the small Funnel icon.

2. To edit an anomaly rule, click the Pencil icon. You will be taken to a rule editor. Follow the Anomaly Rules Editor section to learn how to edit an anomaly rule.

3. Click the Copy icon to duplicate a rule.

4. Click the X icon to delete a rule.

Creating Anomaly Rules


1. Click the ADD ANOMALY RULE button at the top-right corner of the screen. A pop-up window will open.


2. Click the CREATE NEW RULE button if you want to create a rule from scratch. You will be taken to the Anomaly Rules Editor. Follow the Anomaly Rules Editor section to learn how to edit an anomaly rule.

3. Click the USE TEMPLATE button to create a rule based on a template. Teramind comes with many anomaly rule templates. You can choose from a list of types such as Applications, Emails, File Operations, etc. Click on a type to expand it. Pick a rule template and click the LOAD TEMPLATE TO USE button. You will be taken to the rule editor. Follow the Anomaly Rules Editor section to learn how to edit an anomaly rule.

Anomaly Rules Editor

The Anomaly Rules Editor is an intuitive, visual editor. The single-page interface of the editor makes it easier to view and edit the rules.

General Settings

You can specify basic rule settings on the General Settings section of the Anomaly Rules Editor.


1. Give the rule a name on the RULE NAME field.

2. Select the users the rule will apply to on the APPLIES TO field.

3. Select any users that should be excluded on the EXCLUDING field.

4. Optionally, you can assign tags to a rule on the TAGS field to easily identify it.

Rule Trigger

The Rule Trigger section lets you specify which activity the rule engine will monitor and what conditions it will evaluate.


1. Select a trigger from the list. You can choose from many pre-built options such as Webpages, Applications, Emails, Productivity, Network etc.

2. Under CONDITIONS, you can choose different types of conditions such as:

  • Time (%): with this you can create a rule for time spent on a certain task. For example, you can create a rule that gets triggered if a user spends more than 10% of their time on a certain website.

  • Anomaly baseline: uses an algorithm to determine if certain user behavior is outside their normal behavior. This can be the user’s current behavior compared to their past behavior; an employee’s behavior compared to their departmental baseline; or an employee’s behavior compared to the baseline of the entire organization. Using a baseline lets you, for example, set an anomaly rule to notify you when a user sends an unusual number of emails compared with what they normally send on a day-to-day basis.

  • Other Conditions: depending on what trigger you selected, you may see additional conditions. For example, if you choose the Webpages trigger, you will see the Url condition listed as an option on the menu.

3. Click the ADD CONDITION button to add a new condition row.

4. Click the X button next to a condition to delete it.

Rule Risk Level

The Rule Risk Level section lets you assign a risk level to the rule. The risk level is used by Teramind to calculate risk scores (see the Risk section in the User Guide to learn more about risks) and can also be used to filter reports (e.g. Alerts).


1. Click and drag the Circle to adjust the risk level.

2. You can turn risk accumulation on/off. If turned on, the risk associated with this rule will be counted multiple times for multiple violations. Otherwise, it will be counted once for all violations.
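The three baseline comparisons named under Anomaly baseline (user vs. their own history, vs. their department, vs. the whole organization) and the risk accumulation toggle above, worked through on constructed data. This is an added illustration, not Teramind’s code: the page does not state which algorithm the baseline uses, so the “mean plus k standard deviations” threshold below is a stand-in chosen for the example, and the users, departments and daily email counts are made up.

```python
import statistics

# Constructed sample: daily "emails sent" counts per user over recent days.
# Stand-in data and threshold rule for illustration; not Teramind's algorithm.
HISTORY = {
    "alice": [18, 22, 20, 25, 19, 21, 23, 20],
    "bob":   [40, 38, 45, 42, 39, 44, 41, 43],
    "carol": [5, 7, 6, 4, 8, 6, 5, 7],
}
DEPARTMENTS = {"sales": ["alice", "bob"], "finance": ["carol"]}


def baseline(samples: list, k: float) -> float:
    """Upper bound of 'normal': mean plus k population standard deviations."""
    return statistics.mean(samples) + k * statistics.pstdev(samples)


def samples_for(scope: str, user: str) -> list:
    """Choose which history the user's current count is compared against."""
    if scope == "user":
        return HISTORY[user]
    if scope == "department":
        dept = next(d for d, members in DEPARTMENTS.items() if user in members)
        return [x for m in DEPARTMENTS[dept] for x in HISTORY[m]]
    if scope == "organization":
        return [x for h in HISTORY.values() for x in h]
    raise ValueError(f"unknown scope: {scope}")


def is_anomalous(user: str, today: int, scope: str, k: float = 2.0) -> bool:
    """True when today's count exceeds the baseline for the chosen scope."""
    return today > baseline(samples_for(scope, user), k)


def risk_score(risk_level: int, violations: int, accumulate: bool) -> int:
    """Risk contributed by one rule over a period.

    With accumulation on, the rule's risk level is counted per violation;
    with it off, it is counted once no matter how many violations occurred.
    """
    if violations == 0:
        return 0
    return risk_level * violations if accumulate else risk_level


if __name__ == "__main__":
    # 30 emails is unusual for alice herself, but ordinary for the sales team.
    for scope in ("user", "department", "organization"):
        print(scope, is_anomalous("alice", 30, scope))
    print(risk_score(40, 3, accumulate=True), risk_score(40, 3, accumulate=False))
```

The same count can be anomalous against the user’s own baseline and normal against the departmental one, which is why the comparison scope is part of the condition.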

Rule Actions

Anomaly rules only support the NOTIFY action.


1. Turn the notification on/off by using the NOTIFY button.

2. Select the users who will get notified when the rule is violated.

Saving the Rule / Creating a Rule Template


1. Click the SAVE AND LAUNCH RULE button to save the rule and activate it.

2. Click the SAVE RULE AS TEMPLATE button to save it as a template. This way, the template will be available when you are creating a new anomaly rule (see the Creating Anomaly Rules section to learn how to use an anomaly rule template).

