Introduction to the Anomaly Rules
Anomaly rules are special types of rules that allow you to identify anomalies in a user's behavior by utilizing behavioral baselines. They also allow you to assign a risk level to any anomalous behavior and a notification action to inform admins or managers about the anomaly.
Accessing the Anomaly Rules Menu
- Hover your mouse over the BEHAVIOR menu, then
- Select Anomaly rules from the sub-menu.
Filtering / Editing / Deleting / Copying Anomaly Rules
- If you have many anomaly rules, you can decide what’s displayed by using the filters on the left side of the Anomaly Rules screen. You can clear the filters by clicking the small Funnel icon.
- To edit an anomaly rule, click the Pencil icon. You will be taken to a rule editor. Follow the Anomaly Rules Editor section to learn how to edit an anomaly rule.
- Click the Copy icon to duplicate a rule.
- Click the X icon to delete a rule.
Creating Anomaly Rules
- Click the ADD ANOMALY RULE button at the top-right corner of the screen. A pop-up window will open.
- Click the CREATE NEW RULE button if you want to create a rule from scratch. You will be taken to the Anomaly Rules Editor. Follow the Anomaly Rules Editor section to learn how to edit an anomaly rule.
- Click the USE TEMPLATE button to create a rule based on a template. Teramind comes with many anomaly rule templates. You can choose from a list of types such as Applications, Emails, File Operations, etc. Click on a type to expand it. Pick a rule template and click the LOAD TEMPLATE TO USE button. You will be taken to the rule editor. Follow the Anomaly Rules Editor section to learn how to edit an anomaly rule.
Anomaly Rules Editor
The Anomaly Rules Editor is an intuitive, visual editor. The single-page interface of the editor makes it easier to view and edit the rules.
You can specify basic rule settings on the General Settings section of the Anomaly Rules Editor.
- Give the rule a name on the RULE NAME field.
- Select the users the rule will apply to on the APPLIES TO field.
- Select any users that should be excluded on the EXCLUDING field.
- Optionally, you can assign tags to a rule on the TAGS field to easily identify it.
The Rule Trigger section lets you specify which activity the rule engine will monitor and what conditions it will evaluate.
- Select a trigger from the list. You can choose from many pre-built options such as Webpages, Applications, Emails, Productivity, Network etc.
- Under CONDITIONS, you can choose different types of conditions such as:
- Time (%): with this you can create a rule based on the time spent on a certain task. For example, you can create a rule that is triggered if a user spends more than 10% of their time on a certain website.
- Anomaly baseline: uses an algorithm to determine whether certain user behavior is outside their normal behavior. This can be the user's current behavior compared to their past behavior; an employee's behavior compared to their departmental baseline; or an employee's behavior compared to the baseline of the entire organization. Using a baseline lets you, for example, set an anomaly rule that notifies you when a user sends an unusual number of emails compared to what they normally send on a day-to-day basis.
- Other Conditions: depending on what trigger you selected, you may see additional conditions. For example, if you choose the Webpages trigger, you will see the Url condition listed as an option on the menu.
- Click the ADD CONDITION button to add a new condition row.
- Click the X button next to a condition to delete it.
Rule Risk Level
The Rule Risk Level section lets you assign a risk level to the rule. The risk level is used by Teramind to calculate risk scores (see the Conducting Risk Analysis with the Risk Report article to learn more about risks) and can also be used to filter reports (e.g. Alerts).
- Click and drag the Circle to adjust the risk level.
- You can turn risk accumulation on/off. If turned on, the risk associated with this rule will be counted multiple times for multiple violations. Otherwise, it will be counted once for all violations.
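The following added example illustrates the Anomaly baseline condition described above (self, departmental and organizational comparison) together with the risk accumulation setting. It is not Teramind's code, and Teramind does not document how its baseline is computed; a plain mean/standard-deviation (z-score) baseline, the threshold value, the user names, departments and daily email counts are all constructed here purely for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (not real Teramind data): emails sent per day over
# the last 10 days, keyed by user. The final entry in each list is "today",
# the observation the rule evaluates; the earlier entries form the history.
DAILY_EMAILS = {
    "alice": [12, 14, 11, 13, 12, 15, 13, 12, 14, 60],
    "bob":   [20, 22, 19, 21, 23, 20, 22, 21, 20, 22],
    "carol": [30, 28, 31, 29, 30, 32, 29, 31, 30, 28],
    "dave":  [8, 9, 7, 8, 10, 9, 8, 9, 8, 14],
}
DEPARTMENT = {"alice": "sales", "bob": "sales", "carol": "support", "dave": "support"}

# Assumed sensitivity: how many standard deviations from the baseline count as
# anomalous. Teramind does not expose this number; 3.0 is an illustrative choice.
Z_THRESHOLD = 3.0


def baseline_values(user, data, departments, mode):
    """Return the historical observations a user is compared against.

    mode="self": the user's own past days.
    mode="department": past days of everyone in the user's department.
    mode="organization": past days of everyone in the data set.
    """
    if mode == "self":
        members = [user]
    elif mode == "department":
        members = [u for u in data if departments[u] == departments[user]]
    elif mode == "organization":
        members = list(data)
    else:
        raise ValueError(f"unknown baseline mode: {mode}")
    # History excludes today's observation for every member.
    return [x for m in members for x in data[m][:-1]]


def z_score(value, history):
    """Distance of value from the baseline, in standard deviations."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        # Flat history: any deviation at all is treated as extreme.
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def evaluate_rule(data, departments, mode, threshold=Z_THRESHOLD):
    """Return (user, z) for each user whose latest day violates the baseline."""
    violations = []
    for user, series in data.items():
        today = series[-1]
        history = baseline_values(user, data, departments, mode)
        z = z_score(today, history)
        if abs(z) >= threshold:
            violations.append((user, round(z, 2)))
    return violations


def risk_score(violations, risk_level, accumulate):
    """Risk this rule contributes: once per violation when accumulation is on,
    once for all violations when it is off, nothing when there are none."""
    if not violations:
        return 0
    return risk_level * len(violations) if accumulate else risk_level


if __name__ == "__main__":
    for mode in ("self", "department", "organization"):
        found = evaluate_rule(DAILY_EMAILS, DEPARTMENT, mode)
        print(f"{mode:>12}: violations={found} "
              f"risk(accumulate on)={risk_score(found, 5, True)} "
              f"risk(accumulate off)={risk_score(found, 5, False)}")
```

On this data, the self baseline flags both alice (60 emails against a typical 12 to 15) and dave (14 against a typical 7 to 10), while the departmental and organizational baselines flag only alice: dave's 14 is unremarkable next to his support colleague carol, which is the trade-off to keep in mind when choosing which baseline a rule compares against. With a risk level of 5, the self-baseline run scores 10 with accumulation on and 5 with it off.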
Anomaly rules only support the NOTIFY action.
- Turn the notification on/off by using the NOTIFY button.
- Select the users who will get notified when the rule is violated.
Saving the Rule / Creating a Rule Template
- Click the SAVE AND LAUNCH RULE button to save the rule and activate it.
- Click the SAVE RULE AS TEMPLATE button to save it as a template. This way, the template will be available when you are creating a new anomaly rule (see the Creating Anomaly Rules section to learn how to use an anomaly rule template).