Rules Guide

Rules Guide Overview

This guide explains how to use Teramind’s behavior-based rules to detect insider threats, protect your organization from malicious or accidental security incidents, prevent data loss and conform with regulatory compliance requirements. The guide explains rule structures, conditions, logic, data types etc. It shows you the steps for creating a rule, its use cases, best practices and advanced capabilities.

The guide is designed for the managers, administrators and security personnel who are responsible for configuring and maintaining the Teramind solution in your organization.

You can download a PDF version of the guide by clicking the button below, or view the articles from the Quick Links below.

 

Download the Rules Guide

Introduction to Rules

Behavioral rules are a core part of Teramind’s automated insider threat detection and data loss prevention capabilities. They allow you to identify unproductive, harmful or dangerous activity in real time and, optionally, act on your behalf to thwart such threats. The Intelligent Rules Engine is tightly integrated throughout the Teramind platform:

  • The Rules Engine utilizes Teramind’s granular Activity Monitoring capabilities (available through the BI Reports), such as apps, websites, emails etc., to determine what activity or content the rule should detect.
  • It uses the User Profiles to determine whom the rule will apply to.
  • You can use the Configurations settings to supply additional inputs such as employee Schedules, Shared Lists etc. for use with the Rules Editor, to speed up rule creation and to share parameters across different rules.
  • You can use the Monitoring Settings to control when and how the rule should work, minimizing privacy concerns.
  • You can get detailed reports of rule violation incidents and their associated risks on BI Reports > Behavior Alerts, view recordings and gather evidence from the Session Player, and get notified with the Rule Notification Emails.
  • The Teramind Agent enforces the rules you create in the Teramind Dashboard on the user’s computer.

With hundreds of pre-built rule templates, pre-defined data categories and sample rules, you can get started with Teramind right away. You can also create your own rules easily with an intuitive, visual Rules Editor. The editor lets you use natural language, regular expressions, shared lists and pre-built data classifications to define what makes an activity or data sensitive, and simple conditions that will trigger a rule violation incident. When a rule is violated, you can be notified about the incident and, optionally, the system can take actions automatically in different ways, such as warning the user or blocking the activity.

Teramind keeps detailed records of each rule violation incident complete with detailed information and relevant metadata. You can see the rule violations report from the Alerts screen and quickly search for an incident.

Teramind also captures video and, optionally, audio for a rule violation incident. You can view the recordings with the Session Player. The player allows you to see what rule notifications the user received and the trail of activities leading up to the incident. You can also export recordings for evidence or forensic investigation purposes. These recordings are automatically analyzed and indexed by Teramind’s OCR engine. You can conduct high-speed OCR searches for on-screen content or create OCR rules that activate, in real time, whenever certain text is detected on the screen.

You can conduct risk analysis and identify high-risk rules, users or objects from the Risk report. This also gives you ideas on how to adjust your rules’ detection settings to focus on key areas of vulnerability or to reduce false positives.

Finally, you can get scheduled delivery of rule violation reports or ‘just-in-time’ notifications in your inbox with the Email Notifications feature.

Common Use Cases

You can create powerful rules to prevent data loss, detect insider threats, identify abusive behavior and accidental threats, improve employee productivity and conform with regulatory compliance.

Preventing Data Loss

  • Uploading documents that contain sensitive data to personal Cloud drives.
  • Sharing documents that have a confidential watermark outside the organization.
  • Sending out emails with sensitive files to non-corporate email addresses.
  • Sending out emails with large attachments, too many attachments or zipped files.
  • Printing during irregular hours.
  • Printing a large number of sensitive documents.
  • Taking screenshots, using screen capture or snipping tools.
  • Copying CRM data and pasting it into emails, an external site or an unauthorized application.
  • Unauthorized use of Cloud sharing drives in an attempt to exfiltrate data.
  • Saving files to removable media.
  • Sharing files with protected properties such as Tags, Attributes, Document Category etc.
  • Employees communicating with competitors.

Detecting Insider Threats

  • Signs of discontent, harassment, legal threats or other sentiment in emails or IM chats indicating underlying issues.
  • Development teams using production data for testing and development.
  • IT departments storing authentication information such as credit card magnetic data, which is prohibited under compliance laws.
  • Accessing the internet from restricted servers.
  • Installing RDP clients or opening ports.
  • Users entering sensitive data such as passwords or personal details on potentially harmful or phishing sites.
  • Employees using the browser’s incognito/private mode frequently.
  • Clearing browser history or deleting cache files.
  • Sudden changes in schedules or work patterns.
  • Using code snippets in database queries.
  • A vendor attempting to bypass security clearances and gain additional access by exploiting a bug, design flaw or configuration oversight in an operating system or software application.
  • Contractors attempting to log in to database servers during off-hours or after the completion of a project.
  • External users or freelancers accessing confidential customer and employee records.

Identifying Abusive Behavior and Accidental Threats

  • Employees looking at materials online that are questionable, suspicious or otherwise dangerous, for example hacking sites, pornography or piracy content.
  • Abusing company resources, for example printing unnecessary copies of documents, throttling the network etc.
  • Customer agents asking for credit card numbers in insecure email or support chat instead of the proper communication channel.
  • Sharing ‘not for the public’ files on social media or IMs.
  • Employees opening emails that contain phishing links, viruses or malware.
  • Installing browser plugins that aren’t secure or are known to be problematic.
  • Entering passwords or personal details on insecure websites.

Detecting Malicious Intent

  • Unauthorized users reading a document they should not have access to.
  • Users trying to hide information in an image.
  • Employees participating in insider trading by sharing embargoed information such as M&A documents.
  • Searching the internet for suspicious keywords and phrases, such as ‘how to disable firewall’, ‘recover password’, ‘steganography’ etc.
  • Running the Tor browser or accessing darknet sites.
  • Attempting to bypass the proxy server.
  • Installing a VPN client.
  • Running network snoopers, registry editors or other dangerous applications.
  • Running password crackers, keyloggers or other malicious tools.
  • Running software from external media or Cloud services.
  • Changing the configuration of the network or system settings.
  • Opening blocked ports in the router settings.

Improving Productivity and HR Management

  • Get notified when workers spend too much time on Facebook, watching YouTube videos or surfing online shopping sites.
  • Warn employees when they are spending excessive time on personal tasks such as applying for jobs.
  • Using applications or sites that are unproductive.
  • Not following prescribed policy when dealing with customers.
  • Not following corporate etiquette policy, for example, visiting gambling sites.
  • Contractors submitting invoices that do not match work hours or task completion status.

Conforming with Regulatory Compliance

  • Prevent exfiltration of PHI (Protected Health Information) such as EHR, FDA-recognized drug names, ICD codes, NHS numbers etc. to comply with HIPAA and HITECH policies (HIPAA 164.500 – 164.532).
  • Automatically log out a user who has been inactive for a certain time (HIPAA 174.312).
  • Block unauthorized traffic from EHR/EMR and clinical applications (HIPAA 164.306).
  • Restrict access based on a user’s ‘need to know’ clearance. For example, block IT admins from accessing cardholder data while performing support tasks (PCI-DSS 10.1).
  • Use OCR-based rules to detect when a user has a full, unmasked view of a PAN (Personal Account Number), violating the PAN-masking or PAN-unreadable rules (PCI-DSS 3.4/3.5).
  • Block file-write operations when credit card numbers or magnetic track data are detected, which would violate the rule against storing authentication data (PCI-DSS 3.2).
  • Prevent sharing of contact lists containing EU PII (personally identifiable information) such as English names, EU addresses or EU phone numbers (GDPR 5).
  • Warn users when sharing files containing data such as DNA profiles, NHS/NI numbers and sexual orientation data, thereby preventing violation of the rule on processing special categories of personal data (GDPR 9).
  • Ensure that non-EU admins cannot access the records of EU employees, preventing violation of the rule on transfers of personal data to third countries (GDPR 44).
  • Enforce security-compliant behavior, take immediate action on detection of anomalies or rule violations and train employees with detailed rule alerts (ISO 27001, Standard Enforcement).

Steps for Creating a Rule

Why are You Creating the Rule?

Consider what you are trying to achieve. Do you want to monitor users’ activities to prevent insider threats? Suspicious that an employee is committing a crime or colluding with an outsider? Or, are you trying to prevent IP leaks through external vendors? Do you need to comply with regulations, such as: HIPAA, GDPR etc.?

Create a new policy or assign it under an existing policy that fits the rule’s purpose.

What Activity, Content or Behavioral Anomaly Do You Want to Detect?

Are you trying to detect discrepancies in employees’ schedule? Does it involve an ‘activity’ such as, uploading a document? Or do you need to protect some ‘content’ such as, sensitive information inside a document?

Select a Rule Type from the Rules Editor’s General tab.

If you are trying to detect behavioral anomalies, such as an employee sending an abnormally large number of emails, then you should consider creating an anomaly rule.

Create an anomaly rule.

Where is the Activity Performed or Content Located?

Next you need to figure out where the activity or content sharing takes place. Does it involve emails? Transfer of files? Or, are there multiple ingress/egress points that you need to monitor, for example, emails + IM + website uploads?

Select Types of Activities or Types of Content from the Rules Editor’s General tab.

When Should the Rule be Active?

Do you want the rule to run 24/7 or follow a schedule? For example, do you want the rule active during work hours but disable it during the employee lunch breaks?

You can turn rules on/off, or schedule when they will be active from the Behavior menu.
Or, you can select a schedule under When is this rule active? from the Rules Editor’s General tab.

Whom Should it Apply to?

Do you need the rule for everyone? Certain users, groups or departments? How about setting up a terminal server to monitor all your vendors or external partners? Do you need to exclude anyone from the rule’s enforcement?

You can choose all these from the User tab on the Rules Editor. You can also select users on a policy basis by turning on the INHERIT POLICY SETTINGS.

What Makes the Data Sensitive?

If you are trying to detect Content, can you describe how the data looks? Does it have a clear structure such as a credit card number? Or do you need to detect information that is unstructured or dynamic in nature?

Use the Content tab on the Rules Editor to define your content. You can choose from the Predefined Classified Data or create your own custom data types by selecting other options from the list.

What Scenarios Violate the Rule?

Now, you have to think about scenarios that will trigger the rule. You might need multiple conditions and logics to detect the rule violation. Remember, there are also multiple ways of achieving the same result.

For example, if you wanted to prevent uploading of files to a personal Cloud drive, you could use one condition to detect the file operation ‘upload’ and a second condition, ‘upload URL’, specifying website addresses such as ‘google.drive.com, dropbox.com’ etc. Or, you could simply select file operations for ‘write’ and select the ‘Cloud providers’ from the built-in list.

Use rule logics on the Rules Editor to define condition or content logics for the activity or content.

What Action(s) Do You Want to Take?

What should the system do when a rule is broken? Do you want it to notify you immediately? Or, do you want it to take some preventive actions too? For example, block the action? Or do you need to take a sequence of actions? For example, block the action but also record the incident? Or, take different action depending on how often they broke the rule? Assign a risk level to the action?

Use the Actions tab on the Rules Editor to define the action(s). Use the Advanced Mode to assign multi-level thresholds and risks.

Understanding Common Rule Elements

Rule Name and Description


Each rule lets you specify a name and optionally, a description for the rule.

Tags


Tags are keywords you can assign to a rule to easily identify it. They are useful in searching for the rule and can also be used as filters (i.e. on the Risk or Alerts report).

Schedule


By default, the rule stays active for 24 hours. However, you can adjust it to match your employees’ work schedule. For example, you can have the rule active during work hours but disable it during the employee lunch breaks. To change when the rule is active, drag the two Circles to adjust the time. You can click the Plus (+) and Minus (-) buttons to add/remove additional time slots.

Note: Agent Schedule rules and Anomaly rules do not have this scheduling module. Their scheduling is done in a different way.

Rule Conditions

You use the CONDITION fields in a rule to specify what values to compare the rule parameters with. To specify a rule condition, start typing in the relevant CONDITION field, then select an option from the pop-up to tell Teramind what type of value it is.


There are many ways you can use the conditions. For example:

Contains/Equals:

Use the Contains or Equals condition for a partial or exact text match respectively. For example, to block certain applications from running, you can type their names in the CONDITION field and choose one of these conditions. Note that these conditions aren’t case sensitive.

Match List:

You can create a Shared List containing items of text, Regular Expressions or network addresses. For example, you can create a list of websites or applications and use the Match List condition to block all of them without creating a separate rule for each. Check out the Shared List section on the Teramind User Guide to learn more about Shared Lists.

Match RegExp:

For complex matches, such as Credit Card Numbers, Social Security Numbers etc., you can use the Match RegExp option. Teramind supports the standard Regular Expression library.

Note: You can use multiple values in a CONDITION field by clicking on a blank space in the field.
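As an added example (not Teramind’s own code or one of its predefined data types), the Python below shows what a Match RegExp condition for credit card and Social Security numbers would match, and how a Luhn checksum on each regex hit removes look-alike digit runs such as invoice numbers. The patterns and the sample text are constructed for illustration.

```python
import re

# Added example (not Teramind's own code or one of its predefined data types).

# Candidate card number: 13 to 19 digits, optionally separated by single spaces
# or dashes, and not glued to other digits on either side.  Constructed pattern.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# US SSN shape AAA-GG-SSSS, excluding values that are never issued:
# area 000, 666 or 900-999, group 00, serial 0000.  Constructed pattern.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in text.
    The regex alone would also flag invoice or order numbers of the same length;
    the checksum is what turns a shape match into a credible PAN detection."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    """Return SSN-shaped values that pass the never-issued-range filter."""
    return SSN_RE.findall(text)


if __name__ == "__main__":
    # Constructed sample text; 4111 1111 1111 1111 is a well-known test card number.
    sample = "Card 4111 1111 1111 1111, invoice 1234567890123, SSN 123-45-6789"
    print(find_card_numbers(sample))   # ['4111111111111111']
    print(find_ssns(sample))           # ['123-45-6789']
```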

Rule Logic

Rule logic binds two or more Conditions or Content Definitions together, so it applies to both the rule Conditions and the Content Definitions.

Condition Logic


Rule conditions can have either an ‘OR’ logic or an ‘AND’ logic.

  • Each value in a rule condition is treated as an ‘OR’. In the above example, the rule will trigger if the ‘Application Name’ matches ‘regedit.exe’ or ‘pseditor.exe’.
  • Each condition parameter is treated as an ‘AND’. In the above example, the rule will trigger only if both the ‘Application Name’ and the ‘Launched from CLI’ parameters meet their conditions.
  • If you have multiple condition blocks, each new block is treated as an ‘OR’. In the above example, the rule will trigger if either Condition 1 or Condition 2 meets its criteria.

You can see how the rule condition logics relate to each other on the Rule’s Summary panel.

Content Logic

When you create a Content Sharing rule with multiple content definitions, you can use logics to bind the definitions together. You do so under the Advanced: Setup Logics section of the Content tab. Click the logic shown between two definitions and a pop-up menu will appear where you can select one of four logics.


You can see how the content definition logics relate to each other on the Rule’s Summary panel:


The table below explains each type of logic and how they are evaluated:

Logic | Evaluates true if | Example
AND | BOTH definitions are met. | In the above example, Definition 1 uses the tags field from the File Properties and Definition 2 uses the title field. The logic returns true if the file tags equal the text ‘CONFIDENTIAL’ and the title contains ‘PRIVATE’. In effect, it processes files that are both confidential and private.
OR | EITHER definition is met. | Using the above example, the logic returns true if the file tags equal ‘CONFIDENTIAL’ or the title contains ‘PRIVATE’. In effect, it processes files that are either confidential or private.
AND NOT | The first definition is met AND the second definition is NOT met. | Using the above example, the logic returns true if the file tags equal ‘CONFIDENTIAL’ and the title does not contain ‘PRIVATE’. In effect, it processes files that are confidential and not private.
OR NOT | The first definition is met OR the second definition is NOT met. | Using the above example, the logic returns true if the file tags equal ‘CONFIDENTIAL’ or the title does not contain ‘PRIVATE’. In effect, it processes every file except the private ones that are not also confidential.
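As an added example (not Teramind’s own code), the following Python evaluator mirrors both the Condition Logic described above and the content logic in this table: values within a parameter are OR-ed, parameters within a block are AND-ed, condition blocks are OR-ed, and two content definitions are bound with AND, OR, AND NOT or OR NOT. The field names, the second condition block and the sample events are constructed for illustration.

```python
import re

# Added example (not Teramind's own code).  One condition parameter is written as
# (field, operator, values); operators use the names the guide uses.


def match_param(event: dict, field: str, op: str, values: list) -> bool:
    """OR across the values of a single parameter.
    Text operators are case-insensitive, as the guide states for Contains/Equals."""
    actual = event.get(field)
    if actual is None:
        return False
    for v in values:
        if op == "Equals" and str(actual).lower() == str(v).lower():
            return True
        if op == "Contains" and str(v).lower() in str(actual).lower():
            return True
        if op == "Match RegExp" and re.search(v, str(actual), re.IGNORECASE):
            return True
        if op == "Is" and actual == v:  # YES/NO parameters such as Launched from CLI
            return True
    return False


def match_block(event: dict, block: list) -> bool:
    """AND across the parameters of one condition block."""
    return all(match_param(event, field, op, vals) for field, op, vals in block)


def rule_triggers(event: dict, blocks: list) -> bool:
    """OR across condition blocks: the rule fires if any block is fully met."""
    return any(match_block(event, block) for block in blocks)


def content_logic(def1: bool, logic: str, def2: bool) -> bool:
    """The four content logics from the table, applied to two definitions."""
    return {
        "AND": def1 and def2,
        "OR": def1 or def2,
        "AND NOT": def1 and not def2,
        "OR NOT": def1 or not def2,
    }[logic]


# Condition 1 is the Application rule from the guide: Application Name equals
# regedit.exe or pseditor.exe AND Launched from CLI is YES.  Condition 2 is a
# constructed block (ipconfig with /release or /renew) to show the block-level OR.
APP_RULE = [
    [("Application Name", "Equals", ["regedit.exe", "pseditor.exe"]),
     ("Launched from CLI", "Is", [True])],
    [("Application Name", "Equals", ["ipconfig.exe"]),
     ("Launched from CLI", "Is", [True]),
     ("Command Line Arguments", "Contains", ["/release", "/renew"])],
]


def file_definitions(file_props: dict) -> tuple:
    """Definition 1: tags equals CONFIDENTIAL.  Definition 2: title contains PRIVATE."""
    d1 = match_param(file_props, "tags", "Equals", ["CONFIDENTIAL"])
    d2 = match_param(file_props, "title", "Contains", ["PRIVATE"])
    return d1, d2


def content_rule_triggers(file_props: dict, logic: str) -> bool:
    d1, d2 = file_definitions(file_props)
    return content_logic(d1, logic, d2)


if __name__ == "__main__":
    # Constructed sample events
    cli_regedit = {"Application Name": "RegEdit.exe", "Launched from CLI": True}
    gui_regedit = {"Application Name": "regedit.exe", "Launched from CLI": False}
    print(rule_triggers(cli_regedit, APP_RULE))   # True: block 1 fully met
    print(rule_triggers(gui_regedit, APP_RULE))   # False: the CLI parameter fails
    doc = {"tags": "CONFIDENTIAL", "title": "Q3 Private Forecast"}
    for logic in ("AND", "OR", "AND NOT", "OR NOT"):
        print(logic, content_rule_triggers(doc, logic))  # True True False True
```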

Risk Level

On Teramind, you can assign risk levels to rules. While optional, assigning risk levels has advantages: it lets you analyse risk on the Risk Report, view risk trends and identify high-risk users and rules.

There are two places you can assign risks.

Setting the Risk Levels in a Regular Rule


You assign risk level to a regular rule from the Advanced Mode of the Rule Editor’s Actions tab. You can choose from: No Risk, Low, Moderate, High and Critical.

You can assign risk levels to each action block separately (you create action blocks by clicking the ADD THRESHOLD button).

Setting the Risk Level in an Anomaly Rule


You assign a risk level to an Anomaly rule under its RULE RISK LEVEL section. You can choose from: No Risk, Low, Moderate, High and Critical. You can also turn on its ACCUMULATES RISK option. If turned on, the risk associated with the rule will be counted multiple times for multiple violations. Otherwise it will be counted once for all violations.

Unlike the regular rules which support multilevel risk assignments, you can assign only one risk level per anomaly rule.

Rule Summary

The right-most panel of the Rules Editor shows a summary of the rule in easy to follow language. You can see the values used in different tabs; what conditions are used and the logical connection among them; rule actions etc.


Note: The Anomaly Rules editor does not have a Summary panel.

Creating Regular Rules

The Rules Editor is an intuitive, visual editor where you can create sophisticated threat detection, productivity optimization or data loss prevention rules easily without going through multiple screens or coding.

To access the Rules Editor, create a new rule or edit an existing rule from the Behavior > Policies menu.

Note: Check out the Behavior section on the Teramind User Guide to learn more about creating/editing rules, managing policies etc.

Setting Up the Rule Basics

You specify the basic settings for the rule on the Rules Editor’s General tab.


On the top fields, specify a Name and optionally, a Description for the rule.


You can also specify the rule’s Tags on this tab. Tags are keywords you can assign to a rule to easily identify it. They are useful in searching for the rule and can also be used as filters (i.e. on the Risk or Alerts report).

Selecting Rule Categories and Types

You can select the Rule Category and Types of Activities (for Activity-based rules) or the Types of Content (for Content Sharing rules) from the Rules Editor’s General tab.

There are three rule categories you can choose from: Agent Schedule, Activity and Content Sharing. Each category supports different activities or content types. The table below shows which categories support which activity/content types and their use cases:

Agent Schedule
  Use Cases: Useful for detecting discrepancies in employee schedules or workflow. For example, receive a notification when an employee is late. Or, block remote login during odd hours or from unrecognized IPs.
  Type of Activity / Content: Schedule

Activity
  Use Cases: Useful for detecting and controlling user activities for a range of monitored objects. For example, restricting app/website usage. Or, preventing file transfer operations (copy, upload, download etc.) on a folder/app/URL.
  Types of Activity: Webpages, Applications, OCR, Keystrokes, Files, Emails, IM, Browser, Printing, Networking

Content Sharing
  Use Cases: Useful for protecting sensitive data. For example, blocking an email that contains personally identifiable information. Or, preventing file transfer operations when certain content is detected in the file.
  Types of Content: Content, Clipboard, Files, Emails, IM

Defining Users

You specify the users for the rules on the Rules Editor’s User tab.

Here you specify which users, groups, departments or computers the rule will apply to. If you select a computer, the rule will apply to all the users on that computer.


By default, the rule will inherit the user settings from the policy the rule is a part of. However, you can turn off the INHERIT POLICY SETTINGS to select users manually.

You can specify who the rule will apply to and optionally, exclude anyone you don’t want to be included using the EXCLUDE FROM RULE field.

Check out the Knowledge Base to learn how to add users/computers or add groups/departments.

Defining Detection Criteria

After you have decided what type of rule you need and which users the rule will apply to, the next part is defining the detection criteria and scope: what, how or when the rule will be activated. You do this by selecting different parts of the selected Activity Type or Content Type, for example the URL of the Webpage activity or the Application Name of the Clipboard content. You can then specify Condition Logics against the part(s) and the values you want to detect. Here is how a detection criterion may look:


Agent Schedule Rules: What Schedule Violations Can You Detect?

You can specify the detection criteria for Agent Schedule-based rules from the Schedule tab. Agent Schedule-based rules are the easiest to define as they mostly deal with only one detection criterion: schedule/time.

Note: Agent Schedule-based rules use the employee schedules to determine their detection criteria. Check out the Schedules section on the Teramind User Guide to learn how to configure schedules for employees.

Agent Schedule Rule Examples

  • Get notified when a user attempts to log in during abnormal hours or on off days.
  • Warn users or automatically lock their computer if they are idle for too long.
  • Notify a supervisor automatically when an employee is absent or late.
  • Notify HR and/or payroll if an employee’s work time or scheduled work hours change.
  • Create a list or range of restricted IPs and disallow login from those IPs.

Agent Schedule Rule Criteria

The table below explains what criteria or schedule violation incidents Agent Schedule rules support and what conditions you can use with them.

Daily Work Time


Used to detect discrepancies in the employee’s daily work time. You can detect if their work time is less than or more than the specified hour(s).

Select either IS LESS THAN or IS GREATER THAN and enter an hour value in the SPECIFY VALUE field.

Scheduled Work Time


Used to detect if the employee is working longer or shorter than scheduled.

Select either IS SHORT BY or IS OVER BY and enter a minute value in the SPECIFY VALUE field.

Starts Early


Detects if the employee started their work earlier than scheduled, by specified minutes.

Enter a minute value in the DEFINE THE TIME RANGE field.

Ends Early


Detects if the employee ends their work earlier than scheduled, by specified minutes.

Enter a minute value in the DEFINE THE TIME RANGE field.

Ends Late


Detects if the employee ends their work later than scheduled, by specified minutes.

Enter a minute value in the DEFINE THE TIME RANGE field.

Arrives Late


Detects if the employee starts their work later than scheduled, by specified minutes. Note that, unlike the ‘Is Late’ condition, this will trigger the rule after the employee has logged in.

Enter a minute value in the DEFINE THE TIME RANGE field.

Is Absent


Detects if the employee is absent.

No value is required.

Is Late


Detects if the employee is late in logging in to their computer according to their scheduled start time. Note that, unlike the ‘Arrives Late’ condition, this will trigger the rule before the employee has logged in.

Enter a minute value in the DEFINE THE TIME RANGE field.

Works on Day-Off


Detects if the employee is working on their day off.

No value is required.

Login


Detects if the employee logs in during off hours and optionally also detects if they are trying to login from a restricted IP.

Set the off-hour range on the SETUP THE OFF-HOURS slider. You can click the + / - buttons to add/remove hours. Drag the slider Circles to adjust the hours.

You can restrict the IPs from which login is not permitted in the RESTRICTED IPS field. You can enter an address in IPv4 format, i.e. 101.10.2.1/32, and choose an ‘Equals’ or ‘Not Equals’ condition. Or, you can select a Shared List (Network-based) and specify a ‘Match List’ or ‘Does Not Match’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

If you check the ‘Apply on screen unlock’ box, then the login event will be triggered when the user unlocks their screen. Click on the days under the EXCLUDE DAYS section to include/exclude days in the detection criterion.

Idle


Detects if the employee is idling (no keyboard or mouse activity) for more than specified minutes.

Enter a minute value in the DEFINE THE TIME RANGE field.

Activity Rules: What Activities Can You Detect?

You can specify the detection criteria for the Activity-based rules from their respective activity tab(s). For example, if you selected Webpages and Emails from the Type of Activity section (in the General tab), you will have two tabs called ‘Webpages’ and ‘Emails’ where you can add the rule conditions and values.

Webpages

Webpages activity allows you to detect web browsing activities through URL, title and query arguments and browsing-related timing (i.e. idle/active).

Webpages Rule Examples

  • Warn users when spending excessive time on social media or entertainment sites such as YouTube.
  • Restrict access to non-whitelisted/unauthorized websites but allow managers to override if needed.
  • Find out potential turnover by checking if employees are searching on jobsites. Get notified if the time spent on such sites exceeds a threshold.

Webpages Rule Criteria

The table below shows what criteria the Webpages activity supports and what conditions you can use with them.

Any


Lets you detect if a webpage is visited.

Note: If you use this option without any other criteria, Teramind will trigger the rule any time a webpage is visited.

Webpage URL


Used to detect a URL (webpage address) or part of a URL.

You can enter some text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs in the EXCEPT field.

Webpage Title


Similar to the Webpage URL criterion, just use the webpage title instead.

Query Argument Name


A query argument name is the portion of a URL where data is passed to a website. It usually starts with a ‘?’ or ‘&’. For example: www.contacts.com/saved?company=teramind. Here, company is the query argument name.

Using this criterion, you can create interesting detection rules. For example, by checking for the compose argument in the Gmail website, you can detect if the user is composing an email. Combining this with the Webpage URL or Webpage Title criterion, you can detect more granular activities. For example, using the text new in the Webpage URL and specifying compose in the Query Argument Name, you can tell whether a user is composing a new mail or editing an existing draft.
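As an added example (not Teramind’s own code), the Python below pulls the argument names out of a URL the way the Query Argument Name criterion uses them, and evaluates the combined check described above (Webpage URL contains ‘new’ AND Query Argument Name is ‘compose’). It goes slightly beyond the text by also reading arguments that sit after a ‘#’ fragment, where web mail clients commonly place them. The URLs are constructed samples, not real Gmail addresses.

```python
from urllib.parse import urlsplit, parse_qsl

# Added example (not Teramind's own code).


def query_argument_names(url: str) -> list:
    """Return the query argument names (the part before '=') in order of appearance.
    The query normally follows '?', but single-page web apps often place it after
    the '#' fragment instead, so fall back to the fragment when the query is empty."""
    parts = urlsplit(url)
    query = parts.query
    if not query and "?" in parts.fragment:
        query = parts.fragment.split("?", 1)[1]
    # keep_blank_values so a bare '?compose' (no value) still yields the name 'compose'
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def is_composing_new_mail(url: str) -> bool:
    """Webpage URL 'Contains' new AND Query Argument Name 'Equals' compose.
    Both text matches are case-insensitive, as the guide says for Contains/Equals."""
    url_contains_new = "new" in url.lower()
    has_compose_arg = any(n.lower() == "compose" for n in query_argument_names(url))
    return url_contains_new and has_compose_arg


if __name__ == "__main__":
    # Constructed sample URLs; the last one shows that 'news' satisfies the
    # 'Contains new' check alone, which is why the argument name is needed too.
    for u in ("www.contacts.com/saved?company=teramind",
              "https://mail.example.com/mail/u/0/#inbox?compose=new",
              "https://mail.example.com/mail/u/0/#inbox?compose=abc123",
              "https://www.example.com/news?topic=security"):
        print(u, query_argument_names(u), is_composing_new_mail(u))
```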

Time Active


Used to detect how long the user has been active on the website.

You can enter a minute value in the CONDITION field and use ‘=’, ‘>’, ‘>=’ logics.

Note: The Time Active criterion is only shown when you have already selected a Website Title or a Website URL criterion.

Time Idle


Similar to the Time Active criterion but shows how long the user has been idle/inactive on the site.

You can enter a minute value in the CONDITION field and use the ‘>’ logic.

Note: The Time Idle criterion is only shown when you have already selected a Website Title or a Website URL criterion.

Total Time Active


Similar to the Time Active criterion but shows the total time active (a combination of all the active times during an entire session).

You can enter a minute value in the CONDITION field and use ‘=’, ‘>’, ‘>=’ logics.

Note: The Total Time Active criterion is only shown when you have already selected a Website Title or a Website URL criterion.

Total Time Idle


You can enter a minute value in the CONDITION field and use ‘=’, ‘>’, ‘>=’ logics.

Note: The Total Time Idle criterion is only shown when you have already selected a Website Title or a Website URL criterion.

Applications

Applications activity allows you to detect the launch of any application including the ones run from the command line interface or through the Windows Run command.

Applications Rule Examples

  • Detect and block when a dangerous application (i.e. Windows Registry Editor) or an unauthorized application is launched.
  • Warn users when spending time on unproductive applications such as games, music/video players etc.
  • Detect when anonymous browsers, such as ‘Tor’, are used.
  • Detect when screen sharing applications, snipping tools or peer-to-peer file sharing/torrent software are used.

Applications Rule Criteria

The table below explains what criteria the Applications activity supports and what conditions you can use with them.

Any

image-34__1_.png

Lets you detect if an application is launched.

i
If you use this option without any other criteria, Teramind will trigger the rule anytime any application is launched.

Application Name

image-35.png

Used to detect the name or part of the name of an application. For example: ‘regedit.exe’.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based)  and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

Application Caption

image-36.png

Similar to the Application Name criterion, just use the application caption instead. For example: ‘Registry Editor’.

Launched from CLI

image-37.png

Detects if an application is launched from the CLI (Command Line Interface).

Select YES or NO.

Command Line Arguments

image-38.png

Command line arguments are additional parameters, options or values passed to an application when launching it from the CLI. They usually start with a ‘/’, ‘-’ or a space after the application name. For example: c:\ipconfig /renew. Here, renew is an argument.

Using this criterion you can, for example, disable certain functions of an application. In the second screenshot on the left, we blocked the launch of the ipconfig application when the release or renew arguments are used; otherwise it runs as usual. Only text values can be used in the CONDITION field, with the ‘Contains’, ‘RegExp’ or exact text match conditions.

i
The Command Line Arguments criterion is only shown when you have already selected YES for the Launched from CLI criterion.
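The Application Name, Launched from CLI and Command Line Arguments criteria described above, and the way a CONDITION and its EXCEPT field combine inside one condition block, as an added Python example (not Teramind's code; the launch events are constructed, and the rule names, the `Criterion` class and the way a shared list is represented as a plain Python list are assumptions of the example). The ipconfig rule reproduces the guide's release/renew scenario; the third rule shows EXCEPT narrowing a broad condition:

```python
import re
from dataclasses import dataclass

# Constructed launch events, in the shape an endpoint agent might record for a
# process start (not Teramind data).
SAMPLE_EVENTS = [
    {"app": "regedit.exe", "caption": "Registry Editor", "cli": False, "cmdline": ""},
    {"app": "ipconfig.exe", "caption": "", "cli": True,
     "cmdline": r"C:\Windows\System32\ipconfig.exe /all"},
    {"app": "ipconfig.exe", "caption": "", "cli": True,
     "cmdline": r"C:\Windows\System32\ipconfig.exe /renew"},
    {"app": "notepad.exe", "caption": "Untitled - Notepad", "cli": False, "cmdline": ""},
    {"app": "ping.exe", "caption": "", "cli": True,
     "cmdline": r"C:\Windows\System32\ping.exe -n 1 localhost"},
]


def matches(value, condition, operand):
    """One CONDITION cell.  Text conditions compare case-insensitively; the two
    list conditions take a shared list (a Python list here) instead of a string."""
    value = value.lower()
    if condition == "Contains":
        return operand.lower() in value
    if condition == "Equals":
        return value == operand.lower()
    if condition == "Match RegExp":
        return re.search(operand, value, re.IGNORECASE) is not None
    if condition == "Match List":
        return any(item.lower() in value for item in operand)
    if condition == "Equals List":
        return any(value == item.lower() for item in operand)
    raise ValueError(f"unknown condition {condition!r}")


def command_line_arguments(cmdline):
    """Tokens after the program path; on Windows they usually start with '/' or '-'."""
    return cmdline.split()[1:]


@dataclass
class Criterion:
    field_name: str               # 'app', 'caption', 'cli' or 'args'
    condition: str                # see matches(); ignored for 'cli'
    operand: object               # text, shared list, or True/False for 'cli'
    except_operand: object = None  # the EXCEPT field, same condition kind

    def evaluate(self, event):
        if self.field_name == "cli":               # Launched from CLI: YES / NO
            return event["cli"] == self.operand
        if self.field_name == "args":              # Command Line Arguments
            values = command_line_arguments(event["cmdline"])
        else:                                      # Application Name / Caption
            values = [event[self.field_name]]
        hit = any(matches(v, self.condition, self.operand) for v in values)
        if hit and self.except_operand is not None:
            hit = not any(matches(v, self.condition, self.except_operand) for v in values)
        return hit


# Each rule is one condition block: every criterion in it must match.
RULES = {
    "dangerous-app": [
        Criterion("app", "Equals List", ["regedit.exe", "cmd.exe"]),
    ],
    "ipconfig-release-or-renew": [
        Criterion("app", "Equals", "ipconfig.exe"),
        Criterion("cli", "", True),
        Criterion("args", "Match RegExp", r"^/(release|renew)$"),
    ],
    "cli-launch-except-ipconfig": [
        Criterion("cli", "", True),
        Criterion("app", "Contains", ".exe", except_operand="ipconfig"),
    ],
}


def evaluate_rules(event):
    """Names of the rules whose whole condition block matches the event."""
    return [name for name, block in RULES.items()
            if all(criterion.evaluate(event) for criterion in block)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["app"], evaluate_rules(event))
```

Note that `ipconfig /all` launches without firing anything: the argument criterion is what separates the two ipconfig launches, which is exactly why the Command Line Arguments criterion only appears once Launched from CLI is set to YES.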

Time Active

image-39.png

Used to detect how long the user has been active on an application.

You can enter a minute value in the CONDITION field and use ‘=’, ‘>’, ‘>=’ logics.

i
The Time Active criterion is only shown when you have already selected an Application Name or an Application Caption criterion.

Time Idle

image-40__1_.png

Similar to the Time Active criterion but shows how long the user has been idle/inactive on an application.

You can enter a minute value in the CONDITION field and use the ‘>’ logic.

i
The Time Idle criterion is only shown when you have already selected an Application Name or an Application Caption criterion.

Total Time Active

image-41__1_.png

Similar to the Time Active criterion but shows the total time active (a combination of all the active times during an entire session).

You can enter a minute value in the CONDITION field and use ‘=’, ‘>’, ‘>=’ logics.

i
The Total Time Active criterion is only shown when you have already selected an Application Name or an Application Caption criterion.

Total Time Idle

image-42__1_.png

Similar to the Time Idle criterion but shows the total time idle (a combination of all the idle times during an entire session).

You can enter a minute value in the CONDITION field and use ‘=’, ‘>’, ‘>=’ logics.

i
The Total Time Idle criterion is only shown when you have already selected an Application Name or an Application Caption criterion.
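The four time criteria (Time Active, Time Idle, Total Time Active, Total Time Idle) are listed for both the Websites and the Applications activities above with identical semantics. The added Python example below (not Teramind's code; how the agent actually samples activity is not described in the guide, so the per-minute sample stream is a constructed model) makes the difference between a current stretch and a session total concrete, and shows at which minute a rule with each criterion would first fire:

```python
from dataclasses import dataclass

# Constructed per-minute samples for one website (or application) while it is
# in the foreground: True = the user generated input that minute, False = idle.
# Not data from a real session.
SAMPLES = [True] * 5 + [False] * 3 + [True] * 4 + [False] * 2


@dataclass
class TimeCounters:
    time_active: int = 0        # current uninterrupted active stretch, minutes
    time_idle: int = 0          # current uninterrupted idle stretch, minutes
    total_time_active: int = 0  # all active minutes in the session so far
    total_time_idle: int = 0    # all idle minutes in the session so far

    def update(self, active):
        if active:
            self.time_active += 1
            self.total_time_active += 1
            self.time_idle = 0          # an input ends the idle stretch
        else:
            self.time_idle += 1
            self.total_time_idle += 1
            self.time_active = 0        # an idle minute ends the active stretch


def compare(value, logic, threshold):
    """The '=', '>' and '>=' logics offered for the time criteria."""
    if logic == "=":
        return value == threshold
    if logic == ">":
        return value > threshold
    if logic == ">=":
        return value >= threshold
    raise ValueError(f"unsupported logic {logic!r}")


def tally(samples):
    """Counters after the whole sample stream has been processed."""
    counters = TimeCounters()
    for active in samples:
        counters.update(active)
    return counters


def first_trigger(samples, criterion, logic, threshold):
    """Minute (1-based) at which a rule on the given criterion first fires, or None.

    criterion is one of 'time_active', 'time_idle', 'total_time_active'
    and 'total_time_idle'.
    """
    counters = TimeCounters()
    for minute, active in enumerate(samples, start=1):
        counters.update(active)
        if compare(getattr(counters, criterion), logic, threshold):
            return minute
    return None


if __name__ == "__main__":
    print(tally(SAMPLES))
    print("Time Active >= 8 fires at:", first_trigger(SAMPLES, "time_active", ">=", 8))
    print("Total Time Active >= 8 fires at:", first_trigger(SAMPLES, "total_time_active", ">=", 8))
```

With this stream the longest active stretch is five minutes, so a Time Active >= 8 rule never fires, while Total Time Active >= 8 fires at minute 11 once the two stretches add up. Pick the session total when the concern is cumulative time on a site, and the current stretch when the concern is one long uninterrupted visit.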

OCR

The OCR detects on-screen text in real-time, even inside images or videos. It works with multi-screen setups, virtual desktops and terminal servers. By default, OCR detects English text, but you can also use a few other languages (check out the Teramind Agent specifications and supported platforms article to learn which languages are supported). Check out the Editing Screen Settings section on the Teramind User Guide to learn how to change the default OCR language.

OCR Rule Examples

  • Generate an alert when a user sees a full credit card number on the screen violating the PCI DSS compliance requirements.
  • Get notified when your employees visit sites that contain illegal or questionable content, such as: hacking, pornographic or piracy related content.
  • Detect if an unauthorized user is viewing a document that contains sensitive words.
  • Prevent steganographic data exfiltration by detecting information hidden inside images or videos.

OCR Rule Criteria

The table below shows what criteria the OCR supports and what conditions you can use with them.

On-Screen Text

image-231__1_.png

Used to specify the text to detect on-screen.

You can choose from ‘Contains’, ‘Match regexp’, ‘Match list’ with any text as conditions. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify an ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can use the EXCEPT field to detect any text except for the ones defined in this field.

Be careful while using the EXCEPT field as it will detect all text on the screen except the ones you exclude, triggering the rule every time!

Application Name

image-92.png

Used to specify the applications in which the OCR content will be detected.

You can choose from ‘Contains’, ‘Equals’ or ‘Equals List’ with any text as conditions. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify an ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

Keystrokes

Keystrokes activity is used to detect keystrokes entered by the users in applications or websites. In addition to regular keys, you can also detect the clipboard operations (copy/paste commands), use of special keys such as the Print Screen or multiple simultaneous keypresses or combo keys such as CTRL+C.

Keystrokes Rule Examples

  • Detect if someone is taking screenshots with the likely intention of stealing information.
  • Detect if an employee is using unprofessional language with a customer on live chat.
  • Detect a user repeating easy-to-guess passwords, which creates a security risk.
  • Disable keyboard macros or select combo keys in certain applications or for some users.

Keystrokes Rule Criteria

The table below shows what criteria the Keystrokes activity supports and what conditions you can use with them.

Text Typed

image-43__1_.png

Used to detect continuous text without any word break. For example, if text typed = “password”, the rule will be triggered when the last letter ‘d’ is typed.

You can enter any text in the CONDITION field and choose the ‘Contains’ or ‘Match RegExp’ option.

Similarly, you can exclude any text you do not want to detect in the EXCEPT field.

Word Typed

image-44__1_.png

Used to detect a word typed with breaks. For example, if word typed = “password”, the rule will be triggered when you finish typing the word and then type a separator key, such as <Space>, ‘!’ or ‘.’ (dot).

You can enter any text in the CONDITION field and choose the ‘Contains’ option.

Similarly, you can exclude any word you do not want to detect in the EXCEPT field.
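The difference between the Text Typed and Word Typed criteria above (fires on the last letter versus fires on the separator that follows the word) as an added Python example that is not Teramind's code. The keystroke streams are constructed; the guide names <Space>, ‘!’ and ‘.’ as separators, and the rest of the separator set, the `except_text` and `except_word` parameters and the 1-based keystroke numbering are assumptions of the example:

```python
import re

# Keys the guide names as word separators (<Space>, '!' and '.'); the rest of
# the set is an assumption for this example.
SEPARATORS = set(" \t\n!.,;:?")

# Constructed keystroke streams (not captured input).
STREAM_1 = list("type password then password! end")
STREAM_2 = list("pass passport!")


def _text_hit(buffer, pattern, regexp):
    """Does the continuous text typed so far end with the pattern?"""
    if regexp:                                   # 'Match RegExp'
        return re.search(r"(?:%s)\Z" % pattern, buffer, re.IGNORECASE) is not None
    return buffer.lower().endswith(pattern.lower())   # 'Contains'


def text_typed_hits(keystrokes, pattern, regexp=False, except_text=None):
    """Text Typed: continuous text without a word break.

    Returns the 1-based keystroke numbers at which the rule fires, i.e. the
    key that completes the match ('d' for 'password').  A separator resets the
    continuous-text buffer.  Because the rule fires the moment the text is
    complete, an EXCEPT value that depends on keys typed *later* (e.g. except
    'passport' while detecting 'pass') cannot suppress the hit.
    """
    hits, buffer = [], ""
    for n, key in enumerate(keystrokes, start=1):
        if key in SEPARATORS:
            buffer = ""
            continue
        buffer += key
        if _text_hit(buffer, pattern, regexp):
            if except_text and except_text.lower() in buffer.lower():
                continue
            hits.append(n)
    return hits


def word_typed_hits(keystrokes, pattern, except_word=None):
    """Word Typed: the rule fires when the separator after the word is typed.

    'Contains' semantics on the completed word; a word still being typed when
    the stream ends does not fire.  The whole word is known by then, so an
    EXCEPT value such as 'passport' does suppress the hit.
    """
    hits, word = [], ""
    for n, key in enumerate(keystrokes, start=1):
        if key not in SEPARATORS:
            word += key
            continue
        completed, word = word.lower(), ""
        if pattern.lower() in completed and not (except_word and except_word.lower() in completed):
            hits.append(n)
    return hits


if __name__ == "__main__":
    print("Text Typed 'password':", text_typed_hits(STREAM_1, "password"))
    print("Word Typed 'password':", word_typed_hits(STREAM_1, "password"))
    print("Word Typed 'pass' except 'passport':", word_typed_hits(STREAM_2, "pass", except_word="passport"))
```

The practical consequence: Text Typed is the right choice when the rule must react before the user finishes (for example to block the keystroke), while Word Typed is the right choice when the EXCEPT field has to rule out longer words that share the same prefix.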

Special Key Typed

mceclip0.png

You can detect special keys such as the function keys (i.e. F1), PrtScr or key combinations such as <Shift+P>. When you select the Special Key Typed criterion and click on the CONDITION field, Teramind will pop up a virtual keyboard where you can select the special keys.

Application Name

image-45__1_.png

Specifies which applications will be tracked.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based)  and specify a ‘Match List’ or ‘Equals’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

i
The Application Name criterion is only shown when you have already selected a Text Typed or Word Typed criterion. Also, if you use this criterion, you cannot use the Webpage URL criterion in the same condition block. However, you can use both criteria in separate condition blocks (i.e. Condition 1 and Condition 2).

Webpage URL

image-46.png

Used to detect a URL (webpage address) or part of a URL.

You can enter some text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs in the EXCEPT field.

i
The Webpage URL criterion is only shown when you have already selected a Text Typed or Word Typed criterion. Also, if you use this criterion, you cannot use the Application Name criterion in the same condition block. However, you can use both criteria in separate condition blocks (i.e. Condition 1 and Condition 2).

Files

Files activity lets you detect file operations such as access, read, write, upload, download etc. There are ten such file operations you can detect. Each operation allows you to further specify additional detection criteria. For example, the Download operation lets you detect the program, file name, URL and file size.

i
Note that Teramind cannot track the copy operation for a file from one network server to the same network server (i.e. the source and destination are the same). For example, copying of a file from \\103.247.55.101\source_folder to \\103.247.55.101\destination_folder cannot be tracked. Copying to and from the same local drive is detected as usual.

Also copying of an empty file cannot be tracked since it will be impossible for the system to distinguish between the file create and copy operations due to the zero size of the file.

Note that not all criteria are available for all file operations. Teramind will automatically show or hide the criteria based on which file operation you select. For example, if you select the Insert or the Eject operation, you will only see the Program and Drive criteria.

image-47__1_.png

Select a file operation by clicking the CONDITION field. Click the Plus (+) button to add a criterion to the operation.

i
If you choose the ‘Any’ file operation without any other criteria, Teramind will trigger the rule for any file operations.

Files Rule Examples

  • Detect/block access to sensitive folders.
  • Make a folder or drive write-protected, preventing any changes to the files in that folder.
  • Get notified when files are uploaded to Cloud sharing sites, such as, Dropbox, Google Drive etc.
  • Block files from being copied to/from removable media, such as, USB drives.
  • Prevent changes of program settings or tampering of configuration files.
  • Block certain file transfer protocols, such as, FTP.
  • Restrict the transfer of large files.

Files Rule Criteria

The table below describes the criteria you can use for the Files activity, and which file operations are supported for each criterion.

Program

image-48.png

Lets you specify in which program/app the file operation took place.

You can choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’.

Similarly, you can exclude any programs you do not want to track in the EXCEPT field.

Network Host

image-49.png

Used for network-based file operations. It detects the host name of the file operation. For example: http://sharepoint.com, ftp://filevault.net etc.

You can choose from ‘Contains’, ‘Equals’, ‘All Shares’. Or, you can select a Shared List (Network-based) and specify a ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any hosts you do not want to track in the EXCEPT field.

i
This criterion is not supported in: Insert, Eject, Download and Upload operations.

File Path

mceclip0__1_.png

Used to detect a file path, folder or extension. For example: document, c:\windows etc. File extensions are used to identify a file type and usually start with a ‘.’ (dot). For example: .doc, .pdf etc. Note: you do not need to specify the ‘.’ when entering the extension.

You can choose from ‘Contains’, ‘Equals’, ‘Exact Folder’. Or, you can check for file extensions using one of the ‘Extension Contains’, ‘Extension Equals’, ‘Extension Does Not Contain’ options.

i
This criterion is not supported in: Insert, Eject, Download and Upload operations.
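The File Path conditions above, including the three extension conditions (which the Attachment Name criterion of the Emails activity offers as well), as an added Python example that is not Teramind's code. The sample paths are constructed; treating ‘Exact Folder’ as the containing folder only (no sub-folders), the case-insensitive comparison and the `select()` helper with its EXCEPT parameter are assumptions of the example:

```python
import ntpath  # Windows-style paths, as in the guide's examples (c:\windows)

# Constructed sample paths (not from any real system).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.final.DOCX",
    r"C:\Windows\notepad.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\temp\README",
]


def extension(path):
    """Extension of the file name, lower-cased and without the dot; '' if none."""
    name = ntpath.basename(path)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def file_path_matches(path, condition, value):
    """One File Path CONDITION cell.

    'Contains' / 'Equals' look at the whole path, 'Exact Folder' at the
    containing folder only (no sub-folders), and the three 'Extension ...'
    conditions at the extension; the value may be typed with or without the
    leading dot, as the guide says it is not required.
    """
    p = path.lower()
    v = value.lower()
    if condition == "Contains":
        return v in p
    if condition == "Equals":
        return ntpath.normpath(p) == ntpath.normpath(v)
    if condition == "Exact Folder":
        return ntpath.normpath(ntpath.dirname(p)) == ntpath.normpath(v)
    ext, want = extension(p), v.lstrip(".")
    if condition == "Extension Contains":
        return want in ext
    if condition == "Extension Equals":
        return ext == want
    if condition == "Extension Does Not Contain":
        return want not in ext
    raise ValueError(f"unknown condition {condition!r}")


def select(paths, condition, value, except_value=None):
    """Paths for which the CONDITION matches and the EXCEPT value does not."""
    return [
        path for path in paths
        if file_path_matches(path, condition, value)
        and not (except_value is not None and file_path_matches(path, condition, except_value))
    ]


if __name__ == "__main__":
    print(select(SAMPLE_PATHS, "Extension Contains", "doc"))
    print(select(SAMPLE_PATHS, "Exact Folder", "c:\\windows"))
    print(select(SAMPLE_PATHS, "Contains", "windows", except_value="system32"))
```

Two behaviours worth checking in your own rules: a file with no extension (README above) satisfies every ‘Extension Does Not Contain’ condition, and ‘Exact Folder’ deliberately ignores files in sub-folders, so a rule meant to cover a whole tree should use ‘Contains’ on the folder path instead.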

Drive

image-51__1_.png

Detects the local, network or external drives.

You can choose either ‘All Drives’ or ‘All External Drives’.

i
This criterion is not supported in: Download and Upload operations.

Cloud Provider

image-52__1_.png

Used to detect the cloud provider.

You can choose from ‘All Cloud Providers’, ‘Dropbox’, ‘Google Drive’, ‘OneDrive’ or ‘Box’.

Similarly, you can exclude any providers you do not want to track in the EXCEPT field.

i
This criterion is not supported in: Insert, Eject, Download and Upload operations.

RDP File Transfer

image-53__1_.png

Detects if the file copy operation is done over an RDP (Remote Desktop Protocol) session. This happens when you connect to a remote computer and copy files to/from it.

You can select either YES or NO.

i
This criterion is only supported in the Copy operation.

Download File Name

image-54__1_.png

Lets you detect the download file name.

You can choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’.

Similarly, you can exclude any files you do not want to track in the EXCEPT field.

i
This criterion is only supported in the Download operation.

Download URL

image-55__1_.png

Similar to the Download File Name criterion but used to detect the download URL instead.

i
This criterion is only supported in the Download operation.

Download File Size

image-56__1_.png

Used to detect the size (in bytes) of the file being downloaded.

You can enter a byte value in the CONDITION field and use ‘=’, ‘>’, ‘<’, ‘>=’ logics.

Similarly, you can use the EXCEPT field to specify an exception.

i
This criterion is only supported in the Download operation.

Upload File Name

image-57__1_.png

Similar to the Download File Name criterion but used for Upload operation instead.

i
This criterion is only supported in the Upload operation.

Upload URL

image-58__1_.png

Similar to the Download URL criterion but used for the Upload operation instead.

i
This criterion is only supported in the Upload operation.

Upload File Size

image-59__1_.png

Similar to the Download File Size criterion but used for the Upload operation instead.

i
This criterion is only supported in the Upload operation.

Upload Via

image-60__1_.png

Lets you detect what kind of application or protocol is used for the upload operation.

You can choose from ‘FTP’, ‘SMTP’, ‘Outlook’ or ‘Browser’.

Similarly, you can use the EXCEPT field to ignore any protocol/application you do not want to track.

i
This criterion is only supported in the Upload operation.

Emails

Emails activity lets you detect outgoing and incoming emails including any email attachments.

Emails Rule Examples

  • Prevent attaching files from certain location(s) such as, a folder, a network path or a Cloud drive.
  • Restrict sending of work emails from personal email accounts.
  • Prevent sending of attachments to non-business addresses.
  • Detect if a competitor is contacting your employees or vice versa.
  • Get notified if a user is sending emails with large attachments.

Emails Rule Criteria

The table below shows what criteria the Email activity supports and what conditions you can use with them.

Any

image-61__1_.png

Lets you detect if an email is sent or received.

i
If you use this option without any other criteria, Teramind will trigger the rule anytime an email is sent or received.

Mail Body

image-62__1_.png

Used for detecting text inside the mail body.

You can choose from ‘Contains’ or ‘RegExp’ with any text. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail Subject

image-63__1_.png

Used for detecting text inside the mail subject.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail CC

image-64__1_.png

Detects the CC addresses in an email.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail To

image-65__1_.png

Similar to Mail CC criterion but used to detect the Mail To addresses instead.

Mail From

image-66__1_.png

Similar to Mail CC and Mail To criterion but used to detect the Mail From addresses instead.

Mail Direction

image-67__1_.png

Lets you detect if the mail is being sent or received.

Select either the INCOMING or OUTGOING option.

Mail Client

image-68__1_.png

Used to specify the mail client you want to detect.

You can choose from ‘Gmail’, ‘Outlook Client’, ‘Outlook Web Client’, ‘Live.com’, ‘Yahoo Mail’, and ‘Yandex Mail’. Teramind keeps adding support for new clients so you might see more clients than mentioned here.

Similarly, you can exclude any client(s) you do not want to track in the EXCEPT field.

Has Attachments

image-69__1_.png

Used to detect if the mail has any attachment.

Select either the YES or NO option.

Attachment Name

image-70__1_.png

Used to detect the names or extensions for the attached files. A file extension is used to identify a file type and usually starts with a ‘. (dot)’. For example: .doc, .pdf etc. Note: you do not need to specify the ‘.’ when entering the extension.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can check for file extensions using one of the ‘Extension Contains’, ‘Extension Equals’, ‘Extension Does Not Contain’ options.

i
The Attachment Name criterion is only shown when you have already selected YES for the Has Attachment criterion.

Mail Size

image-71__1_.png

Used to detect the size (in bytes) of the mail.

You can enter a byte value in the CONDITION field and use the ‘=’, ‘>’, ‘<’, ‘>=’ logics.

Similarly, you can use the EXCEPT field to specify an exception.

IM – Instant Messaging

IM activity lets you detect instant messaging conversations and group chats for popular IMs such as: Facebook, Skype, Slack etc. You can detect both incoming and outgoing messages, detect the participants and search the message body for keywords or text.

IM Rule Examples

  • Restrict messages to/from select contacts.
  • Detect if a user is in contact with suspicious people or criminal groups.
  • Monitor support chat conversations to improve quality of customer service and SLA.
  • Get notified if the chat body contains specific keywords or sensitive phrases such as lawsuit threats, angry sentiments, sexual harassment etc.

IM Rule Criteria

The table below shows what criteria the IM activity supports and what conditions you can use with them.

Any

image-72__1_.png

Lets you detect if an IM is sent or received.

i
If you use this option without any other criteria, Teramind will trigger the rule anytime an IM is sent or received.

Message Body

image-73__1_.png

Used for detecting text inside the message body.

You can choose from ‘Contains’ or ‘RegExp’ with any text. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Message Direction

image-74__1_.png

Lets you detect if the message is being sent or received.

Select either the INCOMING or OUTGOING option.

Messaging App

image-75__1_.png

Used to specify the messaging app you want to detect.

You can choose from ‘Facebook’, ‘Skype Web’, ‘Skype for Business’, ‘LinkedIn’, ‘Google Hangouts’, ‘WhatsApp Web’, ‘Slack Web’, ‘Slack’, ‘Microsoft Team Web’ and ‘Microsoft Team’. Teramind keeps adding support for new apps so you might see more apps than mentioned here.

Similarly, you can exclude any app(s) you do not want to track in the EXCEPT field.

Contact Name

image-76__1_.png

Used to detect the contacts/participants of the IM conversation.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text as conditions.

Similarly, you can exclude any contacts you do not want to track in the EXCEPT field.

Browser

Browser activity lets you detect any installed browser, plugins or extensions, what they are doing or what data they are accessing.

Browser Rule Examples

  • Restrict the use of a browser such as an older version of a browser that has security flaws.
  • Block the installation of browser plugins and extensions by regular users to prevent malware infection and security or privacy breaches.
  • Prevent a plugin from utilizing certain permissions such as the ability to access critical proxy settings or user data.

Browser Rule Criteria

The table below shows what criteria the Browser activity supports and what conditions you can use with them.

Any

image-77__1_.png

Lets you detect if a browser is launched/activated.

i
If you use this option without any other criteria, Teramind will trigger the rule anytime a browser is launched or activated.

Browser

image-78__1_.png

Used to specify the browser you want to detect.

You can choose from ‘Chrome’, ‘Opera’, ‘Firefox’, ‘Internet Explorer’ or ‘All Browsers’. Teramind keeps adding support for new browsers so you might see more browsers than mentioned here.

Similarly, you can exclude any browser(s) you do not want to track in the EXCEPT field.

Plugin Permissions

image-79__1_.png

You can detect what permissions the plugin is using.

You can choose from any of these conditions:

  • Proxy VPN – detects if the plugin is accessing the browser’s proxy settings.
  • Request – detects if the plugin is making a web request. This permission allows a plugin to observe and analyze traffic and intercept, block, or modify web requests.
  • User Data – detects if the plugin is accessing any user data such as cookies.

Similarly, you can exclude any permission you do not want to track in the EXCEPT field.

Printing

The Printing activity lets you detect print jobs across local or network printers. You can use criteria such as the document name, the printer and the number of pages being printed.

Printing Rule Examples

  • Prevent data leaks over hard copies by restricting what documents can be printed.
  • Warn the user about large print jobs to reduce waste.
  • Restrict how many pages can be printed in a certain printer to reduce expense when taking an expensive/color print.
  • Implement printer use policies by users/departments. For example, which departments/users can use which printer, how much or what they can print.

Printing Rule Criteria

The table below shows what criteria the Printing activity supports and what conditions you can use with them.

Any

image-80__1_.png

Lets you detect if any print job is sent to the printer.

i
If you use this option without any other criteria, Teramind will trigger the rule anytime a print job is sent to the printer.

Document Name

image-81__1_.png

Used to specify the document names you want to detect.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text as conditions.

Similarly, you can exclude any documents you do not want to track in the EXCEPT field.

Printer Name

image-81__1_.png

Used to specify the printers you want to track.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text as conditions.

Similarly, you can exclude any printers you do not want to track in the EXCEPT field.

Number of Pages

image-83__1_.png

Used to detect the number of pages of the document being printed.

You can enter a page value in the CONDITION field and use the ‘=’, ‘>’, ‘<’, ‘>=’ logics.

Similarly, you can use the EXCEPT field to specify an exception.

Networking

The Network activity lets you detect network activities using criteria such as the applications using the network, bytes sent/received, remote host etc.

Networking Rule Examples

  • Implement network security related rules, for example, restrict outgoing internet traffic from the payment server (to comply with PCI DSS regulation).
  • Limit network access such as, disable login via RDP (Remote Desktop Protocol).
  • Implement geofencing, for example, restrict access to your EU server from the US users.
  • Get notified when abnormal network activity (i.e. sudden spike in network traffic) is detected which might indicate an intrusion.

Networking Rule Criteria

The table below explains what criteria the Network activity supports and what conditions you can use with them.

Application Name

image-84__1_.png

Used to specify the applications whose network activity you want to detect.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

Remote Host

image-85__1_.png

Used to specify the network the remote host is connected to.

You can enter a host address (such as: google.com) in the CONDITION field and choose the ‘Match List’ option. Or, you can select a Shared List (Network-based) and specify a ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any network you do not want to track in the EXCEPT field.

Remote Port

image-86__1_.png

Used to detect the port of the network connection.

You can enter a port value in the CONDITION field and use the ‘=’ logic.

Similarly, you can use the EXCEPT field to specify an exception.

Bytes Sent

image-87__1_.png

Used to specify the number of bytes sent over the network connection.

You can enter a byte value in the CONDITION field and use the ‘=’, ‘>’ or the ‘>=’ logics.

Similarly, you can use the EXCEPT field to specify an exception.

Bytes Received

image-88__1_.png

Used to specify the number of bytes received over the network connection.

You can enter a byte value in the CONDITION field and use the ‘=’, ‘>’ or the ‘>=’ logics.

Similarly, you can use the EXCEPT field to specify an exception.

Content Sharing Rules: What Contents Trigger the Rules?

Content Sharing rules are used to detect content or text inside an object. The object can be a file, an email or IM chat, data in the clipboard or even any text displayed on the screen. You can use these powerful rules to prevent data exfiltration attempts, such as: block transferring of a file when it contains credit card numbers; warn a user when they attempt to send emails containing sensitive keywords etc.

You can specify the detection criteria for the Content Sharing rules in two places:

  • On the special Content Tab: This tab allows you to define what makes the content sensitive and specify the data values to look for. This tab is automatically added when you select the Content Sharing rule type (in the General tab).
  • On the selected Content Type Tabs: For example, if you selected Clipboard and Emails from the Type of Content section (in the General tab), you will have two tabs called ‘Clipboard’ and ‘Emails’ where you can add the rule conditions and values.

i
The basic premise of the Content Sharing rule is: you describe the data in the Content tab and then you tell Teramind where to look for that data in the Content Type Tabs. You need to use both of them for creating a Content Sharing rule.

The Content Tab

This tab allows you to define what makes the content sensitive and specify the values to look for. You need to select at least one Type of Content, such as Clipboard, Files etc., to be able to use the Content tab.

image-89__1_.png

You can select from different data definitions depending on what Types of Content you have selected in the General tab (i.e. Clipboard, Files, Emails, IM).

For example, if you have selected the Clipboard content type, then you will see the ‘Clipboard Origin’ in the data definition list.

The table below shows what criteria the Content definition supports and what conditions you can use with them.

Data Content

content-tab-768x1225.png

Data Content is a generic criterion that can be used to look for any text or binary data. For example, by using it with the Clipboard, you can detect anything copied on the clipboard.

You can select TEXT, BINARY or BOTH as the CONTENT TYPE.

For SELECT MATCH TYPE, you can choose ‘Contains’, ‘Equals’ or ‘RegExp’ and specify the text or binary values in the bottom field. Use the + button to add multiple values. Or, you can choose ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List (Text-based or Regular Expressions-based) from the SELECT SHARED LIST drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

i
The Data Content criterion can be used with any content types (i.e. Files, Email etc.).

Clipboard Origin

clipboard.png

Clipboard Origin detects data pasted into the clipboard from a specific webpage or application. By using it you can, for example, build a rule that prevents copy pasting of customer data from your CRM site.

You can select WEBPAGE or APPLICATION as the source of the clipboard copy operation.

For SELECT MATCH TYPE, you can choose ‘Contains’, ‘Equals’ or ‘RegExp’ and specify the text values in the bottom field. Use the + button to add multiple values. Or, you can choose ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List (Text-based or Regular Expressions-based) from the SELECT URL or SELECT NAME drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

i
The Clipboard Origin criterion can only be used with the Clipboard content type.

File Origin

file-origin-526x1024.png

File Origin detects file sharing based on its origin or source. It supports local, Cloud and web sharing. By using it you can, for example, build a rule that prevents sharing of files to Cloud drives.

You can select from several sharing options under the SELECT FILE ORIGIN section. SHARE = any type of network shares, CLOUD = sharing over Cloud services, such as, Dropbox and URL = sharing over any websites.

Depending on which origin (SHARE / CLOUD / URL) you selected, you can choose from ‘All Share’, ‘Contains’, ‘Equals’ or ‘RegExp’ in the SELECT MATCH TYPE field and specify the text values in the bottom field. Use the + button to add multiple values. Or, if available, you can choose the ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List (Network-based) from the SELECT URL or SELECT NAME drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

i
The File Origin criterion can only be used with the Files content type.

File Properties

mceclip3.png

File Properties detects files based on their meta-tags (also known as ‘file property’ or ‘field’). By using it you can, for example, build a rule that prevents sharing of any document outside your company that has a specific property/field containing a specific value. For example, a 'Restricted' field/property with the string value 'Yes'.

i
The File Properties criterion can only be used with MS Office or Office 365 files (e.g. doc, docx, xls, xlsx etc.).

To use this criterion, first create the rule:

  1. Select a FIELD TYPE such as: ANY, STRING, INTEGER or DATE.
  2. Select MATCH TYPE for the condition. If you have selected the STRING field type, you can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ options. Use the + button to add multiple values. Or, you can choose the ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List from the SELECT URL or SELECT NAME drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists. If you chose INTEGER or DATE field type, you can choose one of the ‘=’, ‘>’, ‘<’ logics.
  3. Enter the name of the file property the rule will detect in the FIELD NAME field.
  4. Specify the value the file property should contain in the SPECIFY VALUE field.

After you have created the rule, add custom tag(s) to the file(s) you want the rule to detect. You can create a custom tag from Office apps such as Word, Excel, PowerPoint etc. Here's an example showing how to create a custom tag in Microsoft Word:

  1. Click File > Info.
  2. Click Properties on the right panel and select Advanced Properties.
  3. Click the Custom tab and enter a Name, Type and Value for the property. Click the Add button when done.
  4. Save the document.

i
The File Properties criterion can only be used with the Files content type.
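As an added example that is not part of this guide or of Teramind's own code, the following Python script shows how a File Properties condition like the one above can be evaluated against an Office document: it reads the custom tags from the docProps/custom.xml part of the OOXML container and applies the FIELD TYPE, MATCH TYPE, FIELD NAME and SPECIFY VALUE settings. The sample document is constructed inline; case-insensitive text matching and the exact INTEGER/DATE comparison semantics are assumptions, since the guide does not state how Teramind compares values.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from datetime import date

# Namespaces used by docProps/custom.xml in OOXML (Word/Excel/PowerPoint) files.
NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # fixed GUID for user-defined properties

# Comparison logics offered for the INTEGER and DATE field types in the Rules Editor.
OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def read_custom_properties(office_bytes):
    """Return {name: (field_type, value)} for the custom tags of an OOXML file.

    Office writes custom tags (File > Info > Properties > Advanced Properties > Custom)
    to docProps/custom.xml; the vt:* element tells the type (lpwstr, i4, filetime).
    """
    props = {}
    with zipfile.ZipFile(io.BytesIO(office_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return props  # document carries no custom tags at all
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{NS_CP}}}property"):
        name = prop.get("name")
        value_el = prop[0]
        kind = value_el.tag.split("}")[1]
        text = value_el.text or ""
        if kind == "i4":
            props[name] = ("INTEGER", int(text))
        elif kind == "filetime":
            props[name] = ("DATE", date.fromisoformat(text[:10]))
        else:  # lpwstr, bool and anything else are treated as text
            props[name] = ("STRING", text)
    return props


def property_rule_matches(props, field_type, match_type, field_name, value):
    """Evaluate one File Properties condition (FIELD TYPE / MATCH TYPE / FIELD NAME /
    SPECIFY VALUE) against the parsed properties of a document."""
    if field_name not in props:
        return False
    actual_type, actual = props[field_name]
    if field_type != "ANY" and actual_type != field_type:
        return False
    if actual_type == "STRING":
        # Assumption: text comparisons are case-insensitive.
        if match_type == "Contains":
            return value.lower() in actual.lower()
        if match_type == "Equals":
            return actual.lower() == value.lower()
        if match_type == "RegExp":
            return re.search(value, actual) is not None
        raise ValueError(f"unsupported string match type: {match_type}")
    if match_type not in OPS:
        raise ValueError(f"unsupported numeric/date logic: {match_type}")
    expected = int(value) if actual_type == "INTEGER" else date.fromisoformat(value)
    return OPS[match_type](actual, expected)


def build_sample_document(custom_xml):
    """Constructed stand-in for a .docx: a zip holding only the custom-properties part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


# Constructed sample tags: a 'Restricted' string, a numeric level and a review date.
SAMPLE_CUSTOM_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS_CP}" xmlns:vt="{NS_VT}">
  <property fmtid="{FMTID}" pid="2" name="Restricted"><vt:lpwstr>Yes</vt:lpwstr></property>
  <property fmtid="{FMTID}" pid="3" name="Level"><vt:i4>3</vt:i4></property>
  <property fmtid="{FMTID}" pid="4" name="ReviewBy"><vt:filetime>2024-06-30T00:00:00Z</vt:filetime></property>
</Properties>"""


if __name__ == "__main__":
    doc = read_custom_properties(build_sample_document(SAMPLE_CUSTOM_XML))
    # The rule from the guide: a 'Restricted' field/property equal to 'Yes'.
    print(property_rule_matches(doc, "STRING", "Equals", "Restricted", "Yes"))  # True
```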

Predefined Classified Data

Predefined Classified Data detects content based on predefined data categories.

There are several types of data categories you can choose from: Financial Data, Health Data, Personally Identifiable Data etc.

The SENSITIVE DATA TO DETECT field will have different menu options depending on what you choose in the SELECT SENSITIVE DATA CATEGORY field. For example, if you choose Financial Data in the previous field, you can choose from ‘All credit card numbers’, ‘SWIFT code’ etc. Or, if you choose the Health Data, you can choose from ‘Common drug names’, ’DNA profile’ etc. Check out the List of Predefined Classified Data article for a list of all the predefined classified data supported in Teramind.

Finally, specify how often a data pattern can appear in the content before the rule is triggered in the TRIGGER ON PATTERN… field.

Clipboard

The Clipboard content type detects text copied to the clipboard from any applications or websites.

Rule Examples

  • Prevent sharing of customer data outside of your CRM site.
  • Warn users when they copy social security numbers from an Excel spreadsheet and paste them into an email client like Outlook.
  • Prevent data marked as sensitive in the Predefined Classified Data list from being pasted into an image application, so that the user cannot later upload the image to bypass your document upload rules.

Rule Criteria

The following sections show what criteria the Clipboard content type supports and what conditions you can use with them.

Any

Lets you detect the clipboard text in any applications or websites.

i
If you use this option without any other criteria, Teramind will trigger the rule anytime a clipboard paste operation is performed in any applications or websites where the content is detected.

Application Name

Used to specify the applications in which the Clipboard action will be detected.

You can choose from ‘Contains’, ‘Equals’ or ‘Equals List’ with any text as conditions. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify an ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

i
The Application Name and the Webpage URL criteria cannot be used together in the same condition block.

Webpage URL

Used to specify the webpage URL (website address) in which the Clipboard action will be detected.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs in the EXCEPT field.

i
The Webpage URL and the Application Name criteria cannot be used together in the same condition block.

Files

The Files content type works in the same way as it does in the Files Activity rules. However, certain file operations cannot be used in the Content Sharing rules; for example, the Download operation isn’t supported.

Note that not all criteria are available for all file operations. Teramind automatically shows or hides the criteria based on which file operation you select. So, if you select the Access or the Delete operation, you will only see the Program criterion. Some file operations have additional detection criteria; for example, the Upload operation lets you specify the Upload URL.

Select a file operation by clicking the CONDITION field.

Click the Plus (+) button to add a criterion to the operation.

i
If you choose the ‘Any’ file operation without any other criteria, Teramind will trigger the rule for any file operation where the content is detected.

Files Rule Examples

  • Prevent sharing of files that contain sensitive information, such as: Credit Card Numbers, Social Security Numbers, Health Records or your own custom data type.
  • Prevent sharing of a file based on certain properties, such as, when a document contains a ‘confidential’ watermark.
  • Create rules based on file origin, such as stopping all network sharing from certain applications.

i
These are some examples of Content Sharing rules for Files. For other examples of the Files rules, check out the Files Activity rule examples.

Files Rule Criteria

The following sections describe the criteria you can use for the Files sharing rules, and which file operations are supported for each criterion.

Program

Lets you specify in which program/app the file operation took place.

You can choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’.

Similarly, you can exclude any programs you do not want to track in the EXCEPT field.

Network Host

Used for network-based file operations. Detects the host name of the file operation. For example: http://sharepoint.com, ftp://filevault.net etc.

You can choose from ‘Contains’, ‘Equals’, ‘All Shares’. Or, you can select a Shared List (Network-based) and specify a ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any hosts you do not want to track in the EXCEPT field.

i
This criterion is only supported in the Write and Copy operations.

Cloud Provider

Used to detect cloud providers.

You can choose from ‘All Cloud Providers’, ‘Dropbox’, ‘Google Drive’, ‘OneDrive’ or ‘Box’.

Similarly, you can exclude any provider you do not want to track in the EXCEPT field.

i
This criterion is only supported in the Write and Copy operations.

RDP File Transfer

Detects if the file copy operation is done over an RDP (Remote Desktop Protocol) session. This happens when you connect to a remote computer and copy files to/from it.

You can select either YES or NO.

i
This criterion is only supported in Copy operations.

Upload URL

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs you do not want to track in the EXCEPT field.

i
This criterion is only supported in Upload operations.

External Drive

You do not need to specify any conditions in this criterion.

i
This criterion is only supported in the Write and Copy operations.

Emails

The Emails content type works in the same way as it does in the Email Activity rules, except that the Mail Body criterion is not supported.

Emails lets you detect content sharing over outgoing and incoming emails including any email attachments.

Emails Rule Examples

  • Detect sensitive information like Credit Card Numbers, Social Security Numbers, Health Records or your own custom data types inside attachments and act based on what’s detected.
  • Detect if an internal memo is shared outside the company.
  • Warn the user when sending out an email that contains a document with contact details, to prevent data exfiltration or to comply with privacy laws.

i
These are some examples of Content Sharing rules for Emails. For other examples of the Emails rules, check out the Emails Activity rule examples.

Emails Rule Criteria

The following sections show what criteria the Emails sharing rules support and what conditions you can use with them.

Any

Lets you detect if an email is sent or received.

i
If you use this option without any other criteria, Teramind will trigger the rule anytime an email is sent or received and the content is detected in any of the supported mail parts (i.e. Mail Subject, Mail Attachments etc.).

Mail Subject

Used for detecting text inside the mail subject.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail CC

Detects the CC addresses in an email.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail To

Similar to the Mail CC criterion but used to detect the Mail To addresses instead.

Mail From

Similar to the Mail CC and Mail To criteria but used to detect the Mail From addresses instead.

Mail Direction

Lets you detect if the mail is being sent or received.

Select either the INCOMING or OUTGOING option.

Mail Client

Used to specify the mail client you want to detect.

You can choose from ‘Gmail’, ‘Outlook Client’, ‘Outlook Web Client’, ‘Live.com’, ‘Yahoo Mail’, and ‘Yandex Mail’. Teramind keeps adding support for new clients so you might see more clients than mentioned here.

Similarly, you can exclude any client(s) you do not want to track in the EXCEPT field.

Has Attachments

Used to detect if the mail has any attachment.

Select either the YES or NO option.

Attachment Name

Used to detect the names or extensions of the attached files. File extensions are used to identify a file type and usually start with a ‘.’ (dot), for example: .doc, .pdf etc. Note: you do not need to specify the ‘.’ when entering the extension.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can check for file extensions using one of the ‘Extension Contains’, ‘Extension Equals’, ‘Extension Does Not Contain’ options.

i
The Attachment Name criterion is only shown when you have already selected YES for the Has Attachment criterion.

Mail Size

Used to detect the size (in bytes) of the mail.

You can enter a byte value in the CONDITION field and use the ‘=’, ‘>’, ‘<’, ‘>=’ logics.

Similarly, you can use the EXCEPT field to specify an exception.

IM – Instant Messaging

The IM content type works in the same way as it does in the IM Activity rules, except that the Message Body criterion is not supported.

IM lets you detect content sharing over instant messaging conversations and group chats for popular IMs such as: Facebook, Skype, Slack etc. You can detect both incoming and outgoing messages, detect the participants and search in the message body for keywords or text.

IM Rule Examples

  • Improve productivity and data security. For example, detect if customer service agents are not responding to complaints or queries coming through your Instant Messaging channels.
  • Create rules that warn the HR about angry exchanges, harassment or other potential negative sentiments in chat conversations.
  • Detect if a user is targeted for phishing or social engineering online.

i
These are some examples of Content Sharing rules for IM. For other examples of the IM rules, check out the IM Activity rule examples.

IM Rule Criteria

The following sections show what criteria the IM sharing rules support and what conditions you can use with them.

Any

Lets you detect if an IM is sent or received.

i
If you use this option without any other criteria, Teramind will trigger the rule anytime an IM is sent or received where the content is detected.

Message Direction

Lets you detect if the message is being sent or received.

Select either the INCOMING or OUTGOING option.

Messaging App

Used to specify the messaging app you want to detect.

You can choose from ‘Facebook’, ‘Skype Web’, ‘Skype for Business’, ‘LinkedIn’, ‘Google Hangouts’, ‘WhatsApp Web’, ‘Slack Web’, ‘Slack’, ‘Microsoft Team Web’ and ‘Microsoft Team’. Teramind keeps adding support for new apps, so you might see more apps than mentioned here.

Similarly, you can exclude any app(s) you do not want to track in the EXCEPT field.

Contact Name

Used to detect the contacts/participants of the IM conversation.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text as conditions.

Similarly, you can exclude any contacts you do not want to track in the EXCEPT field.

Anomaly Rules: What Behavioral Anomaly Can You Detect?

Anomaly rules are a special type of rule that lets you identify anomalies in a user’s behavior by utilizing behavioral baselines. They also let you assign a risk level to any anomalous behavior and a notification action to inform admins or managers about the anomaly.

The Anomaly Rules Editor is an intuitive, visual editor where you can create sophisticated behavioral-anomaly rules on a single screen.

To access the Anomaly Rules Editor, create a new anomaly rule or edit an existing rule from the Behavior > Anomaly rules menu.

Check out the Anomaly Rules section on the Teramind User Guide to learn more about creating / editing anomaly rules, managing anomaly rule templates etc.

Anomaly Rule Examples

  • Detect when employees spend more than a certain percentage of their work hours on unproductive or entertainment sites such as Facebook, YouTube etc.
  • Detect if an employee is idling for too long.
  • Get notified if an employee’s productivity drops by a certain rate.
  • Get notified when a user sends an unusually high number of emails compared to what they normally send on a day-to-day basis.
  • Detect if the file upload activity of a user exceeds some threshold.
  • Detect if your network activity suddenly spikes or drops, indicating that something unusual is happening.

Setting Up the Rule Basics

You specify the basic settings for an anomaly rule on the Anomaly Rules Editor’s General Settings section.

You can specify a name for the rule in the RULE NAME field. You can select which users, groups, departments or computers the rule will apply to in the APPLIES TO field. If you select a computer, the rule will apply to all the users on that computer. Optionally, you can exclude anyone you don’t want to be included using the EXCLUDING field. You can also specify the rule’s tags in the TAGS field. Tags are keywords you can assign to a rule to easily identify it. They are useful in searching for the rule and can also be used as filters on various reports (e.g. the Risk or Alerts report).

Detection Criteria – What Behavioral Anomalies Trigger the Rules?

You define the detection criteria under the RULE TRIGGER section of the Anomaly Rules Editor.

You can select an action that will trigger the rule and then specify the conditions to evaluate. There are several types of actions you can choose from: Applications, Websites, Emails, Activity, Files, Network etc.

Each action has different conditions you can select from, such as: Time, Name, Anomaly Baseline etc. After you have selected a condition, you can choose a logic, such as: ‘>’, ‘<’, ‘Equals’ etc. from the middle field. Finally, you specify value(s) to detect in the right-most field.

You can add multiple conditions to an action by clicking the ADD CONDITION button. For example, you can create an anomaly rule with a Websites action that combines a URL condition and a Time condition to detect if a user spent more than 20% of their time on ‘youtube.com’.

In the next few sections, we will walk you through all the available options for setting detection criteria for each action type.

Time

Detects time spent (%) in an application or website.

Enter a percent value and use the ‘>’ or ‘>=’ logic for the condition.

This condition is only supported in the Applications and Webpages actions.

Name

Used to specify a name for an application.

Enter a text value and use the ‘Equals’, ‘Contains’, ‘Does Not Contain’, ‘Regular Expression Match’ or ‘Regular Expression Not Match’ logic for the condition.

This condition is only supported in the Applications action.

URL

Used to detect the URL of a webpage.

Enter a text value and use the ‘Equals’, ‘Contains’, ‘Does Not Contain’, ‘Regular Expression Match’ or ‘Regular Expression Not Match’ logic for the condition.

This condition is only supported in the Webpages action.

Threshold Count

Sets the threshold count for how many times an activity occurs before triggering the rule, for example, the number of emails sent, download operations performed or documents printed.

Enter a number value and use the ‘>’ or ‘>=’ logic for the condition.

This condition is supported in all actions except for Applications and Webpages.

Productivity

Detects the productivity level (in percent) of a user. To learn more about how productivity is measured in Teramind, check out this article, Productivity Metrics: How is Work Time / Idle Time / Activity Percentage / Productive Time / Unproductive Time / Total Time determined?. For more information on productivity reports, check out the BI Reports > Productivity section on the Teramind User Guide.

Enter a percent value and use the ‘<’, ‘>’ or ‘>=’ logic for the condition.

This condition is only supported in the Activity: Productivity action.

Rate

Detects the idle rate (in percent) of a user. To learn how idle time and other productivity metrics are measured in Teramind, check out this article, Productivity Metrics: How is Work Time / Idle Time / Activity Percentage / Productive Time / Unproductive Time / Total Time determined?. For more information on productivity reports, check out the BI Reports > Productivity section on the Teramind User Guide.

Enter a percent value and use the ‘>’ or ‘>=’ logic for the condition.

This condition is only supported in the Activity: Idle Rate action.

Size

Detects the size (in megabytes) of data in a network operation.

Enter a value in megabytes and use the ‘>’ or ‘>=’ logic for the condition.

This condition is only supported in the Network: Data In and Network: Data Out actions.

Anomaly Baseline

Anomaly Baseline uses an algorithm to determine whether certain user behavior falls outside a baseline. This can be the user’s current behavior compared to their past behavior, an employee’s behavior compared to their departmental baseline, or an employee’s behavior compared to the baseline of the entire organization. Using a baseline lets you, for example, set an anomaly rule to notify you when a user sends an unusually high number of emails compared to what they normally send on a day-to-day basis.

You can select either the ‘Company’, ‘Department’ or the ‘Self’ as the rule’s condition.
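As an added illustration that is not Teramind's code (the guide does not disclose the algorithm behind Anomaly Baseline), this Python snippet models the three baseline scopes on constructed daily email counts: the user's own history (Self), the history of everyone in the same department (Department) and the whole organization (Company). Flagging a day when the count exceeds the baseline mean by more than three standard deviations is an assumed threshold, chosen only to show why the same count can be anomalous against one baseline and normal against another.

```python
import statistics

# Constructed sample: emails sent per day over the last ten working days, keyed by
# user -> (department, daily counts). Illustrative data only, not Teramind output.
HISTORY = {
    "alice": ("sales", [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]),
    "bob":   ("sales", [30, 28, 33, 31, 29, 32, 30, 31, 34, 29]),
    "carol": ("eng",   [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]),
    "dave":  ("eng",   [6, 5, 7, 6, 5, 6, 7, 6, 5, 6]),
}


def population_for(scope, user, history):
    """Pick the comparison population the baseline is built from."""
    if scope == "Self":
        return list(history[user][1])
    if scope == "Department":
        dept = history[user][0]
        return [c for d, series in history.values() if d == dept for c in series]
    if scope == "Company":
        return [c for _, series in history.values() for c in series]
    raise ValueError(f"unknown baseline scope: {scope}")


def baseline(samples):
    """Mean and (population) standard deviation of a series of daily counts."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def check_anomaly(scope, user, todays_count, history=HISTORY, k=3.0):
    """Return (is_anomalous, z_score) for today's count against the chosen baseline.

    Assumed model: a count more than k standard deviations above the baseline mean is
    anomalous. Only the upper tail is tested, because the rule looks for an unusually
    high number of emails. A near-flat history is floored at sigma=1 so that a single
    extra email does not trigger the rule.
    """
    mean, sigma = baseline(population_for(scope, user, history))
    sigma = max(sigma, 1.0)
    z = (todays_count - mean) / sigma
    return z > k, round(z, 2)


if __name__ == "__main__":
    # Same observation, three baselines: alice's 25 emails stand out against her own
    # history but disappear inside the noisier department and company populations.
    for scope in ("Self", "Department", "Company"):
        flagged, z = check_anomaly(scope, "alice", 25)
        print(f"alice sent 25 emails today: {scope:<10} z={z:>6}  anomalous={flagged}")
```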

Defining Rule Actions

Actions let you specify what the system will do when a rule is violated. You can warn a user or block them, receive a notification, record a video of the desktop etc.

You can assign actions to a rule from the Actions tab on the Rules Editor for regular rules. Or, from the RULE ACTIONS section on the Anomaly Rules.

Note that not all rule categories support all actions. For example, the Agent Schedule only supports the NOTIFY action for most of its schedule violation types, except for the Login and Idle activities. Similarly, different Types of Activity / Types of Content may have their own special actions; for example, Webpages have an action called REDIRECT which is not available for other activity types. Also, not all actions are available on all operating systems; for example, the LOCK OUT USER action does not work on Mac OS at the moment.

i
Note that, Anomaly Rules only support the Notify action.

In some cases, you can use multiple actions as long as they do not conflict with each other. For example, you can use the NOTIFY and BLOCK actions together as they do different things. But you cannot use the BLOCK and LOCK OUT USER actions together because they both prevent the user from completing an activity. The Rules Editor will automatically disable actions that conflict with the currently selected action(s).

Here are the actions you can use:

Notify Action

Teramind will send an email notification to the specified email accounts whenever any user violates the rule. You can manage how such notification emails are handled from the Settings > Alerts screen (ALERT EMAILS LIMIT option).

Block Action

Blocks the user activity and shows a message. You can use an HTML template to display the message. See the Customizing the HTML Alert Template article to learn more.

If you are using the HTML template option, you can use simple HTML tags in the message itself. For example, you can put a link in the message to your company policy to refresh the user’s knowledge, like this:

Uploading data to personal Cloud drives is prohibited. Please <a href='https://www.abc.com/policy'>click here</a> to read the policy.

You can also specify how long Teramind should wait between multiple alert messages that the user sees. The setting can be found under Settings > Alerts screen (USER ALERTS THRESHOLD option).

Lock Out User Action (Windows)

Shows a warning message to the user and then, when they press the OK button, they are locked out of the system. If the user logs back in, they will be logged out automatically. An administrator will have to unlock the user for them to be able to log in again. Check out the Employee Action Menu section on the Teramind User Guide for more information on unlocking a user.

i
This action works on Windows only.

Redirect Action

Redirects the user to a different website when they try to access certain URL(s).

i
This action is available to Webpages-based rules only.

Warn Action

Warns a user with a message. Similar to the message in the Block action, you can use an HTML template to display the warning message.

You can specify how long Teramind should wait between multiple alert messages that the user sees. The setting can be found under Settings > Alerts screen (USER ALERTS THRESHOLD option).

Set User’s Active Task Action

You can automatically assign the user a task based on their activities.

You can specify how long Teramind will wait before assigning a new task to a user. The setting can be found under Settings > Alerts screen (RULE TASK SELECTION ACTION TIMEOUT option).

i
Applicable only if the user is using the Teramind Hidden Agent. Check out the Hidden Agent section on the Agent installation article to learn how to install the Hidden Agent.

Record Video Action

If video recording is disabled in your Screen monitoring settings, you can still record a video of the rule violation incident with this action. The system will automatically record for the specified number of minutes before and after the incident.

Command Action (Windows)

With this action, you can execute a Windows command automatically when a rule is violated.

This is a powerful action as it allows you to run any application or script on the user’s computer. For example, you can force the PC to shut down (shutdown /s /f /t 0), kill a task (taskkill /im iexplore.exe) and do much more.

i
This action works on Windows only.

Enforcing the Rules

Automatic Enforcement

When you create a new rule, by default it’s automatically turned on. You can edit a rule even when it’s running. Any changes you make to the rule will be enforced immediately if the user is online and connected to the Teramind server or as soon as they connect.

i
It’s always a good idea to test a rule when you create or edit it to see if it’s working as intended. You can do so by checking the BI Reports > Behavior Alerts report.

Rules are enforced depending on what type of Teramind Agent is installed on the user’s computer:

If the user is using a Stealth Agent:

  • Regular Rules: The rule will be enforced according to any Rule Schedule you have set up, or 24/7 if no such schedule exists. The rule will be enforced even if the user is offline or disconnected from the Teramind server.
  • Anomaly Rules: Since an anomaly rule does not have a schedule, it will run 24/7.

If the user is using a Revealed Agent:

  • Regular Rules: The rule will only be enforced when the user has logged in to the Agent and clicked the Start button to begin their shift. The rule will still follow any Rule Schedule you have set up. The rule will continue to be enforced until the user clicks the Stop button to end their shift or as soon as the rule schedule has ended – whichever comes first.
  • Anomaly Rules: Since an anomaly rule does not have a schedule, it will run until the user clicks the Stop button on the Revealed Agent.

Manual Enforcement

You can manually turn a rule on/off from the Teramind Dashboard. To do so:

  • Regular Rules: You can manually control the rules from the Behavior Policies screen. To access the Behavior Policies screen, click the BEHAVIOR > Policies menu.

Use the ON/OFF button next to a rule’s name to turn it on or off. You can also use the ON/OFF button next to the name of the Policy that the rule is part of. If you turn off the policy, all rules under the policy will be deactivated even if the individual rules are turned on. If the policy is turned on, the rules that have the ON status will be activated and the OFF rules will remain inactive.

  • Anomaly Rules: The only way to turn off an anomaly rule is to remove it from the Anomaly rules screen. To access the Anomaly rules screen, click the BEHAVIOR > Anomaly rules menu.

Click the X button beside an anomaly rule to remove it.

Customizing the Rule Messages and Alerts

The Alerts tab allows you to define how rule violation messages will be displayed to the users. It’s a good idea to customize your alert messages so that they are visually distinctive and match your company’s branding.

You can find more information on alert customization and step-by-step instructions in this article: How to customize alert messages with the HTML template.

Using the Prebuilt Rule-Templates

Using the Regular Rule Templates

When creating a new rule, you can choose from a list of pre-built templates. Click the CHOOSE A TEMPLATE pull-down menu on the Rules Editor’s General tab to choose a template.

Teramind has many templates for Data Loss Prevention, Email, Applications, Websites, File Operations etc. Once you select a template, the rest of the rule’s tabs will be automatically populated with pre-configured settings and sample data. You can, of course, change them to meet your needs.

Check out the List of Prebuilt Rule Templates article for a list of all the prebuilt regular rule templates available in Teramind.

Using the Anomaly Rule Templates

When creating a new anomaly rule, you can choose from a list of pre-built templates. Click the USE TEMPLATE button, then choose a template from the TEMPLATE TO USE pull-down menu.

Teramind comes with many anomaly rules templates. You can choose from a list of types such as: Applications, Emails, File Operations etc.

Check out the List of Prebuilt Anomaly Rule Templates article for a list of all the prebuilt anomaly rule templates available in Teramind.

Investigating the Rule Violation Incidents

There are multiple ways you can investigate rule violation incidents on Teramind.

Using the Behavioral Alerts Report

This is your primary source to view all rule violation incidents. You can use the Alerts report to view a list of rule violation incidents with all the necessary details, such as: the date/time the incident happened, the user or activity involved and other pertinent information. You can also view a session recording of an alert, export the alerts report or schedule it for auto delivery to selected email addresses.

You can access the Alerts report from the BI Reports > Behavior Alerts menu, under the Basic tab.

For more information on the Alerts report and to learn how to use its different features, check out the BI Reports > Behavior Alerts section on the Teramind User Guide.

Using the BI Report’s Investigate / View Record Feature

On the Behavior Alerts screen, you will see a table/grid widget. If you right-click on row, you will see a pop-up menu:

  1. Click the Investigate option from the pop-up menu to view the Employee’s Activity Monitoring Report. From that report, you can see all the alerts for the employee under the Alerts tab.
  2. Click the View record option to view the Session Recording of the employee at the selected timestamp.

Using the Alerts Log Widget

You can also add an Alerts Log widget to your dashboard. The widget allows you to view the most recent alerts in real-time or for the selected date range. You can add the Alerts Log widget to a dashboard by clicking the ADD WIDGETS button on the Dashboard’s screen.

For more information on the Widgets and to learn how to use them, check out the Widgets sections on the Teramind User Guide.

Using the Session Player

Session Player allows you to view a user’s desktop in live view or history playback mode. You can precisely locate when a rule violation incident occurred, check out all the alert notifications the user received and investigate the trail of user activities leading up to the incident. If the user is online, you can take remote control of their computer or freeze their inputs to prevent further incidents.

If Audio recording is enabled, you can also hear recordings of both sound outputs and inputs (speakers/line-out, microphone/line-in). Finally, you can take snapshots of the user’s desktop, forward the recordings to select email addresses or download them as MP4 files.

You can access the Session Player from the BI Reports, from the Employee’s Activity Monitoring Report or even from the Dashboards. Click the Movie Camera image-145__2_.png icon, wherever you see it, to access the Session Player.

For more information on the Session Player and to learn how to use its different features, check out the Session Player section on the Teramind User Guide.

Using the Risk Report

The Risk report allows you to analyze the impact of rule violation incidents and the risks they pose to your organization. The report shows the top risky rules, users, applications and websites. You can drill down into each risk category to further investigate what caused the risk level to change. You can also plot the risk trend by department, severity, number of violations, tag etc. Unique risk scores help you identify high-risk rules or users so that plans can be developed for treating the risks.

You can access the Risk report from the BI Reports > Behavior Alerts menu, under the Risk tab.

For more information on the Risk report and to learn how to use its different features, check out the BI Reports > Behavior Alerts section on the Teramind User Guide.

Using the Risk Widget

You can also add a Risk widget to your dashboard. The widget allows you to view the most recent risk trend and risk scores for users, activities or rules in real-time or for the selected date range. You can add the Risk widget to a dashboard by clicking the ADD WIDGETS button on the Dashboard’s screen.

For more information on the Widgets and to learn how to use them, check out the Widgets sections on the Teramind User Guide.

Sample Rules Walkthrough / Rule Examples

Rule Sample 1: User logs in during off hours

Rule Summary

This example shows how you can create an Agent Schedule rule to detect a user attempting to log in during off hours.

Setting Up the Rule

General Tab

On the first tab, General, we assigned a name.

We have chosen an Agent Schedule rule type under the Rules Category since we are looking to detect a user’s login time.

User Tab

For the users, we chose to add the users manually (by turning off the INHERIT POLICY SETTINGS option).

We also decided to apply this rule to external contractors only. To do so, we first created a department named ‘External Contractors’ and then edited the selected users’ profiles to assign them to this department.

Schedule Tab

We have selected the Login schedule violation type so that we can monitor the login attempts.

We have also set up two time slots that will be considered off-hours (12am-8am and 6pm-12am). Any attempt to log in during these two periods will trigger the rule.

If you wanted, you could set up additional options such as restricted IPs, or exclude any days you don’t want to monitor.

Actions Tab

Finally, for the last tab, ‘Actions’, we have selected to use a NOTIFY action to notify the security admin.

We also selected a WARN action to show a warning to the offending user. For this action, we decided to use the HTML template option to make the alert prominent to the user.

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ located below the screen shows a list of all the alerts:

You can see that, on 2019-08-05 at 16:03:31, employee Martin Sutherland signed in. Since the login meets the rule criteria (Login: between 12am – 8am and 6pm – 12am), the rule is triggered.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

When a user logs in outside our set schedule, they will see a warning message. Note that the login time is based on the user’s local time.
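
The schedule logic of this sample (two off-hours slots, evaluated in the user's local time) can be modelled as follows. This is an added example, not Teramind's code; the time zone names and login timestamps are constructed, and a slot ending at 12am is treated as running to the end of the day.

```python
from datetime import datetime, time
from zoneinfo import ZoneInfo

# Off-hours slots from Rule Sample 1: 12am-8am and 6pm-12am, as "HH:MM" pairs.
# A slot that ends at "00:00" runs until midnight at the end of the day.
OFF_HOURS = (("00:00", "08:00"), ("18:00", "00:00"))


def in_slot(t, start, end):
    """True when wall-clock time t falls in [start, end); end "00:00" means end of day."""
    s, e = time.fromisoformat(start), time.fromisoformat(end)
    if e == time(0, 0):
        return t >= s
    return s <= t < e


def is_off_hours(local_clock, slots=OFF_HOURS):
    """local_clock is an "HH:MM:SS" string in the user's local time."""
    t = time.fromisoformat(local_clock)
    return any(in_slot(t, s, e) for s, e in slots)


def login_violates_schedule(login_utc_iso, user_tz, slots=OFF_HOURS):
    """Convert a UTC login timestamp to the user's local time (the rule is
    evaluated in local time, not server time) and return (violates, local_time)."""
    local = datetime.fromisoformat(login_utc_iso).astimezone(ZoneInfo(user_tz))
    local_str = local.strftime("%Y-%m-%d %H:%M:%S %Z")
    return is_off_hours(local.strftime("%H:%M:%S"), slots), local_str


if __name__ == "__main__":
    # Constructed logins: the same UTC instant seen from two user time zones.
    for tz in ("Asia/Kolkata", "Europe/London"):
        hit, local = login_violates_schedule("2019-08-05T16:03:31+00:00", tz)
        print(f"{tz:15} local {local}: {'OFF-HOURS LOGIN' if hit else 'ok'}")
```

The same UTC instant is a violation for one user and not for another, which is why the report's login time must be read as the user's local time.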

Rule Sample 2: User sending emails with attachments to non-business address

Rule Summary

This example shows how you can create a simple Activity rule to warn a user when they send an email with attachment(s) to a non-business email address.

Setting Up the Rule

General Tab

On the first tab, General, we assigned a name for the rule and a description. We also used some tags to identify the rule easily.

We have chosen an Activity rule type since we are looking to detect a user action (the act of sending an email) and not any content. We have selected Emails as the Types of Activities.

We left the rule schedule at its default 24-hour setting.

User Tab

For the users, we used the default policy settings (by leaving the INHERIT POLICY SETTINGS option turned on).

Emails Tab

Mail To

We have added three criteria to the Emails activity. For the first criterion, ‘Mail to’, we have specified several email domains that we would consider as ‘non-business’ addresses and used a contains logic to detect even a partial match.

Mail Direction

For the second criterion, ‘Mail Direction’, we have selected OUTGOING to detect only the outgoing emails.

Has Attachments

For the third criterion, ‘Has Attachments’, we configured the rule to match only emails that carry one or more attachments, so that an outgoing email without an attachment does not trigger it.

Actions Tab

Finally, for the last tab, ‘Actions’, we have selected to use a WARN action to just show a simple warning to the user.

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ located below the screen shows a list of all the alerts:

You can see that, on 2019-07-28 at 06:02:33, employee John Doe sent an outgoing email to a non-business email account and the rule was triggered.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

You can see that, as soon as the user sends an email to a non-business address, the rule’s warning message is shown in the top-right corner of their screen. You will notice that the message is very bare-bones and may fail to attract any attention. You can change that by customizing the rule messages and alerts.

Rule Sample 3: User attempting to upload a sensitive file to a cloud drive

Rule Summary

This example shows how you can create an Activity rule to block a user and display a message for attempting to upload certain files to a cloud drive.

Setting Up the Rule

General Tab

On the first tab, General, we assigned a name for the rule and a description.

We have chosen an Activity rule type since we are looking to detect a user action (the act of uploading a file) and not any content. We have selected Files as the Types of Activities.

We left the rule schedule at its default 24-hour setting.

User Tab

For the users, we chose to add the users manually (by turning off the INHERIT POLICY SETTINGS option). We have also excluded the Management department from the rule’s scope.

Files Tab

File Operation

We have added two criteria to the Files activity. For the first criterion, ‘File Operation’, we have selected the Upload operation.

Upload File Name

For the second criterion, ‘Upload File Name’, we have specified some keywords that we would like to detect in the file names.

Actions Tab

Finally, for the last tab, ‘Actions’, we have selected a BLOCK action to block the activity and at the same time show a message to the user. For this demonstration, we used an HTML template. This allows us to use a customized template. We can also use simple HTML tags (such as <b>, <a> etc.) in the message itself.
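
To show how the criteria of Rule Sample 2 (Mail To with contains logic, Mail Direction, Has Attachments) and Rule Sample 3 (File Operation, Upload File Name, with the Management department excluded) combine into a decision, here is an added Python model of the evaluation. It is not Teramind's code; the event attribute names, the non-business domain list and the file-name keywords are constructed assumptions standing in for the values chosen in the guide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    attr: str           # event attribute inspected (hypothetical names such as "mail_to")
    logic: str          # "contains" (substring, as in the guide), "equals" or "is_true"
    values: tuple = ()  # the criterion matches when ANY one of its values matches


def criterion_matches(c, event):
    v = event.get(c.attr)
    if c.logic == "equals":
        return v in c.values
    if c.logic == "is_true":
        return bool(v)
    if c.logic == "contains":
        # Case-insensitive substring match. A multi-valued attribute such as a
        # recipient list matches when any one entry contains any one value.
        items = v if isinstance(v, (list, tuple)) else [v]
        return any(needle.lower() in str(item).lower()
                   for item in items for needle in c.values)
    raise ValueError(f"unknown logic {c.logic!r}")


def rule_triggers(criteria, event, excluded_departments=()):
    """Criteria within one activity are ANDed; a user whose department is
    excluded from the rule's scope never triggers it."""
    if event.get("department") in excluded_departments:
        return False
    return all(criterion_matches(c, event) for c in criteria)


# Rule Sample 2: outgoing email with attachment(s) to a non-business address.
# The domain list is a constructed stand-in for the domains chosen in the guide.
EMAIL_RULE = (
    Criterion("mail_to", "contains", ("gmail.com", "yahoo.com", "hotmail.com")),
    Criterion("mail_direction", "equals", ("OUTGOING",)),
    Criterion("has_attachments", "is_true"),
)

# Rule Sample 3: upload of a file whose name contains a watch keyword,
# with the Management department excluded from the rule's scope.
UPLOAD_RULE = (
    Criterion("file_operation", "equals", ("Upload",)),
    Criterion("upload_file_name", "contains", ("sensitive", "confidential")),
)
UPLOAD_EXCLUDED = ("Management",)


if __name__ == "__main__":
    # Constructed events, not real log data.
    events = [
        {"mail_to": ["bob@Gmail.com"], "mail_direction": "OUTGOING", "has_attachments": True},
        {"mail_to": ["bob@gmail.com"], "mail_direction": "INCOMING", "has_attachments": True},
    ]
    for e in events:
        print(rule_triggers(EMAIL_RULE, e), e)
    upload = {"file_operation": "Upload", "upload_file_name": "sensitive.txt", "department": "Sales"}
    print(rule_triggers(UPLOAD_RULE, upload, UPLOAD_EXCLUDED), upload)
```

Because contains logic is a substring match, a short value such as ‘mail.com’ would also match ‘gmail.com’ and ‘hotmail.com’, so the domain list should be reviewed for unintended overlaps.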

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ located below the screen shows a list of all the alerts:

You can see that, on 2019-07-08 at 08:58:54, employee Kate Sparrow tried to upload a file to Google Drive and the rule blocked her action.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

You can see that, as soon as the user attempts to upload a file named ‘sensitive.txt’, the rule is triggered because the file name contains one of our specified keywords, ‘sensitive’. The rule shows the message we specified, and the upload operation is blocked.

Also, unlike the previous example, this time we used a customized HTML template and you can see the result. The warning message is now shown in a nice alert box.

Rule Sample 4: User attempting to share files containing sensitive content

Rule Summary

This example shows how you can create a Content rule to block a user and display a message for attempting to upload a file containing credit card numbers. The user will be given a choice to continue or cancel the file operation. In any case, a rule alert will be recorded.

Setting Up the Rule

General Tab

On the first tab, General, we assigned a name for the rule and a description.

We have chosen a Content Sharing rule type since we are interested in detecting sensitive content. We have selected Files as the Types of Content.

We changed the rule schedule so that it monitors 9am-12pm and 12:30pm-5:00pm, a typical workday allowing for a 30-minute lunch break.

User Tab

For the users, we used the default policy settings (by leaving the INHERIT POLICY SETTINGS option turned on).

Content Tab

For content, we used a built-in template, ‘Predefined Classified Data’, and then selected the ‘Financial Data’ category to detect ‘All credit card numbers’. The rule will trigger even if only one credit card number is detected in a file. We did so by entering a value of ‘1’ in the TRIGGER ON PATTERN FREQUENCY IN CONTENT field.
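
An added illustration of what ‘All credit card numbers’ with a TRIGGER ON PATTERN FREQUENCY IN CONTENT of 1 amounts to: candidate digit runs are validated with the Luhn check before they are counted, so an arbitrary 16-digit number (an order id, say) does not trigger the rule. This is not Teramind's detector; the regular expression, the Luhn validation step and the sample file content are constructed, and the card numbers used are public test numbers.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def content_rule_triggers(text, pattern_frequency=1):
    """The content rule fires when at least pattern_frequency matches are present;
    a TRIGGER ON PATTERN FREQUENCY IN CONTENT of 1 means a single match is enough."""
    return len(find_card_numbers(text)) >= pattern_frequency


if __name__ == "__main__":
    # Constructed file content; the first number is a public test number,
    # the second is a plausible-looking digit run that fails the Luhn check.
    sample = "Cardholder file\nvisa 4111 1111 1111 1111\norder id 1234 5678 9012 3456\n"
    print(find_card_numbers(sample))          # ['4111111111111111']
    print(content_rule_triggers(sample, 1))   # True
```

Raising the frequency threshold (as the prebuilt ‘Credit Card Number: At least 50 numbers’ template does) trades a few missed single-record leaks for far fewer false positives on documents that mention one number in passing.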

Actions Tab

Finally, for the last tab, ‘Actions’, we have selected a BLOCK action but turned on the ALLOW BYPASS WITH CONFIRMATION? option. This shows a warning to the user and blocks the action, but it also shows two buttons, YES and NO. If the user clicks YES, they are able to override the block.

DEPRECATED FEATURE: the ALLOW BYPASS WITH CONFIRMATION and MANAGER CAN MAKE EXCEPTIONS options are no longer supported.

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ located below the screen shows a list of all the alerts:

You can see that, on 2019-08-05 at 12:17:45, employee Simon Woodly tried to upload a file containing credit card data to a Box drive and the rule got triggered.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

On this screen, you can see the user creating a text file containing some credit card numbers and saving it on their desktop.

The user then attempts to copy the file to a network folder. You can see that, as soon as the user attempts to copy the file, the rule is triggered giving the user the option to continue or not. If the user clicks YES, the file copy operation will continue as usual. If they click NO, the copy operation will be cancelled.

Also, in this example, we used yet another customized HTML template to show the warning message.

Rule Sample 5: Employee productivity anomaly

Rule Summary

This example shows how you can create an Anomaly rule to monitor the productivity level of employees and receive a notification when it goes below a certain threshold. You will also be able to compare this against their Departmental and Organizational average.

Setting Up the Rule

General Settings Section

On the first section, General Settings, we assigned a name for the rule and a description.

For the users, we have selected All employees.

We have also used a tag to find the rule easily.

Rule Trigger Section

We chose the Activity: Productivity as the rule trigger.

For the rule’s condition, we selected the Productivity criterion and chose a less than ‘<’ logic to detect when the productivity goes below 20%.

Rule Risk Level Section

We left the risk level at its default setting (No Risk) and turned on the ACCUMULATES RISK option so that multiple violations of the rule add up towards the risk score for this rule.

Rule Actions Section

Finally, for the last section, ‘Actions’, we have turned on the NOTIFY action to inform a manager about the productivity loss.

Viewing the Rule Alerts

Click BI Reports > Behavior Alerts then select the Basic tab to view a report of all rule violation alerts and trends. The ‘Grid Widget’ located below the screen shows a list of all the alerts:

You can see that, on 2021-04-11 at 04:44:45, employee Leo Gross triggered the anomaly rule because his productivity dropped to 11%, whereas it had previously been above 52%.

Right-click on that row and then select View record to view the Session Recording of the alert.

Viewing the Session Recording

Here you can see the Session Recording of how the rule message will look on the user’s desktop:

You can click the Notification icon near the top-right corner of the Session Player to see all the alerts/notifications.

Click a Notification to see what the user was doing when the rule was triggered.

Other Rule Examples

List of Prebuilt Rule Templates

You can access the prebuilt templates from the CHOOSE A TEMPLATE pull-down menu on the Rule Editor's General tab:

Data Loss Prevention
Credit Card Number: Wide
Credit Card Number: Narrow
Credit Card Number: At least 50 numbers
Credit Card Magnetic Strip Data: Wide
Credit Card Magnetic Strip Data: Narrow
Credit Card Magnetic Strip Data: 50 Track1 entities
Office Document: Confidential Watermark
Credit Card Magnetic Strip Data: 50 entities
Health Data: Disease or Drug names
Health Data: Drug names or NDC identifiers
Personal Data: US SSN and Date of Birth
Health Data: US SSN with Health Information
Health Data: UK NHS Numbers and Medical Information

Emails
Outbound email with social security number
Outgoing email to non-business address
Email contains a CV
Outgoing email w-attachment to non-business address
Email contains accusative sentiment
Email contains angry sentiment
Email contains discouraged sentiment
Email contains dissatisfied sentiment
Email contains lawsuit threat
Email contains profanity
Email contains sexual harassment content
Email contains unresponsive complaint
Incoming email from competitors
Outbound email with attachment
Outbound email with credit card number
Outbound email with sensitive keywords

Keystrokes
Screenshot taken

Printer
Large print job

Application
Anonymous browser detected
MSIExec program installation or removal
Network sniffer launched
Non-whitelisted application executed
Registry editor launched
Running peer-to-peer file sharing applications
Running screen sharing applications
Snipping tool used

File Operations
Access sensitive files
Driver tampering
Hosts file edited
Program installation
Write to cloud drive (native)
Write to config file
Write to removable media
Copy file from RDP
Copy file from RDP to removable media

Websites
Non-whitelisted website accessed
Adult websites
Excessive time on job search websites
Excessive usage of social media
Gaming or gambling sites
Streaming movies

IMs
IM contains accusative sentiment
IM contains angry sentiment
IM contains discouraged sentiment
IM contains dissatisfied sentiment
IM contains lawsuit threat
IM contains sexual harassment content
IM contains unresponsive complaint

List of Prebuilt Anomaly Rule Templates

Applications
Application usage anomaly

Emails
Outgoing email anomaly
Outgoing email attachments anomaly

File Operations
External storage insertion anomaly
File copy anomaly
File creation anomaly
File delete anomaly
File rename anomaly
Files downloaded by browser anomaly
Files downloaded by cloud client anomaly
Files uploaded by browser anomaly
Files uploaded by cloud client anomaly

Instant Messages
Instant messages count anomaly

Networking
Network connection count (no https) anomaly
Network connection count anomaly
Network data in (no https) anomaly
Network data in anomaly
Network data out (no https) anomaly
Network data out anomaly

Printers
Documents printed count anomaly

User Activity
Idle time anomaly
User productivity rate anomaly

Websites
Website usage anomaly

List of Predefined Classified Data

Financial Data

All Credit Card Numbers
Magnetic Data
Magnetic Data (Track 1)
Magnetic Data (Track 2)
Swift Code
ABA Route Numbers

By Type
Visa
Mastercard
American Express
Bankcard
Dinners International
Dinners USA & Canada
Discover
En Route
JCB
Maestro
Switch
Solo
RuPay

By Country
USA
Japan
Israel
Europe
United Kingdom
Canada

USA
Visa
Mastercard
American Express
Bankcard
Dinners International
Dinners USA & Canada
Discover
En Route
JCB
Maestro

Japan
Visa
Mastercard
American Express
JCB
Maestro

Israel
Visa
Mastercard
American Express
JCB
Maestro

Europe
Visa
Mastercard
American Express
Discover
Maestro
Switch
Solo

United Kingdom
Visa
Mastercard
American Express
Discover
Maestro
Switch
Solo

Canada
Visa
Mastercard
American Express
Dinners
Discover
Maestro

Health Data

Common Drug Names
Common Disease Names
DNA Profiles
NDC Number
HICN
NHS Number
ICD10 Code

Personally Identifiable Data

USA Zip Code and Address
UK Postal Code and Address
USA Cities
SSN
English Names
Dates
Phone Numbers
IPv4 Addresses
IPv6 Addresses
Email Addresses
URL
VIN
Personal Cryptographic Keys
USA Vehicle License Plates
USA Driver License Number (All States)

Code Snippets

Clang
C++
C#
Go
Haskell
Java
JavaScript
Objective-C
PHP
Python
Ruby
SQL