Why are You Creating the Rule?
Consider what you are trying to achieve. Do you want to monitor users’ activities to prevent insider threats? Do you suspect that an employee is committing a crime or colluding with an outsider? Are you trying to prevent IP leaks through external vendors? Do you need to comply with regulations such as HIPAA or GDPR?
Create a new policy or assign it under an existing policy that fits the rule’s purpose.
What Activity, Content or Behavioral Anomaly Do You Want to Detect?
Are you trying to detect discrepancies in employees’ schedules? Does it involve an ‘activity’, such as uploading a document? Or do you need to protect ‘content’, such as sensitive information inside a document?
Select a Rule Type from the Rules Editor’s General tab.
If you are trying to detect behavioral anomalies, such as an employee sending an abnormally high number of emails compared to their usual volume, consider creating an anomaly rule.
Create an anomaly rule.
Where is the Activity Performed or Content Located?
Next, you need to figure out where the activity or content sharing takes place. Does it involve emails? Transfer of files? Or are there multiple ingress/egress points that you need to monitor, for example emails + IM + website uploads?
When Should the Rule be Active?
Do you want the rule to run 24/7 or follow a schedule? For example, do you want the rule active during work hours but disabled during employee lunch breaks?
Whom Should it Apply to?
Do you need the rule for everyone? Certain users, groups or departments? How about setting up a terminal server to monitor all your vendors or external partners? Do you need to exclude anyone from the rule’s enforcement?
What Makes the Data Sensitive?
If you are trying to detect content, can you describe what the data looks like? Does it have a clear structure, such as a credit card number? Or do you need to detect information that is unstructured or dynamic in nature?
Use the Content tab on the Rules Editor to define your content. You can choose from the Predefined Classified Data or create your own custom data types by selecting other options from the list.
What Scenarios Violate the Rule?
Now you have to think about the scenarios that will trigger the rule. You might need multiple conditions and logic to detect a rule violation. Remember, there are also multiple ways of achieving the same result.
For example, if you wanted to prevent uploading of files to a personal cloud drive, you could use one condition to detect the file operation ‘upload’ and a second condition, ‘upload URL’, specifying website addresses such as ‘google.drive.com’, ‘dropbox.com’, etc. Or you could simply select the file operation ‘write’ and choose ‘Cloud providers’ from the built-in list.
Use the rule logic on the Rules Editor to define the condition or content logic for the activity or content.
What Action(s) Do You Want to Take?
What should the system do when a rule is broken? Do you want it to notify you immediately? Or do you want it to take preventive action too, for example blocking the action? Do you need a sequence of actions, for example blocking the action but also recording the incident? Or do you want a different action depending on how often the user has broken the rule? Should a risk level be assigned to the action?
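To make the cloud-upload scenario above and the escalating actions concrete, here is an added example (not code from the product or this guide) that models both formulations of the rule as condition logic, evaluates them over constructed file events, and picks an action sequence based on how many times the user has already violated the rule. The provider list, event fields and action names are assumptions for illustration only.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-in for the product's built-in "Cloud providers" list.
CLOUD_PROVIDERS = {"drive.google.com", "dropbox.com", "onedrive.live.com"}

@dataclass
class FileEvent:
    user: str
    operation: str  # "upload", "write", "read", ...
    url: str        # destination URL; empty for purely local operations

def host_matches(url, domains):
    """True if the URL's host is one of the domains or a subdomain of one."""
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in domains)

# Formulation 1: two conditions, "file operation is upload" AND
# "upload URL is one of the listed addresses".
def upload_to_listed_site(ev, domains=CLOUD_PROVIDERS):
    return ev.operation == "upload" and host_matches(ev.url, domains)

# Formulation 2: "file operation is write" AND destination is in the
# built-in cloud provider list (an upload is a write to a remote location).
def write_to_cloud_provider(ev, providers=CLOUD_PROVIDERS):
    return ev.operation in ("write", "upload") and host_matches(ev.url, providers)

def violations(events, rules):
    """Return (user, rule name) for every event that triggers a rule."""
    return [(ev.user, r.__name__) for ev in events for r in rules if r(ev)]

def escalate(prior_violations):
    """Action sequence that depends on how often the user has broken the rule."""
    if prior_violations == 0:
        return ["notify"]
    if prior_violations == 1:
        return ["block", "record"]
    return ["block", "record", "raise_risk"]

if __name__ == "__main__":
    events = [  # constructed sample activity
        FileEvent("alice", "upload", "https://www.dropbox.com/upload"),
        FileEvent("bob", "write", "https://drive.google.com/u/0/"),
        FileEvent("carol", "upload", "https://intranet.example.com/share"),
    ]
    for user, rule in violations(events, [upload_to_listed_site, write_to_cloud_provider]):
        print(user, rule, escalate(0))
```

Note that the two formulations overlap but are not identical: only the second one catches a ‘write’ to a cloud provider that the client did not label as an ‘upload’.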