Rule Name and Description
Each rule lets you specify a name and optionally, a description for the rule.
Tags are keywords you can assign to a rule to identify it easily. They are useful when searching for the rule and can also be used as filters (for example, on the Risk or Alerts reports).
By default, the rule stays active for 24 hours. However, you can adjust it to match your employees' work schedule. For example, you can have the rule active during work hours but disabled during the employee lunch break. To change when the rule is active, drag the two Circles to adjust the time. You can click the Plus (+) and Minus (–) buttons to add or remove time slots.
Note: Agent Schedule rules and Anomaly rules do not have this scheduling module. Their scheduling is done in a different way.
You use the CONDITION fields in a rule to specify what values to compare the rule parameters with. To specify a rule condition, start typing in the relevant CONDITION field, then select an option from the pop-up to tell Teramind what type of value it is.
There are many ways you can use the conditions. For example:
Use the Contains or Equals conditions for a partial or exact text match. For example, to block certain applications from running, you can type their names in the CONDITION field and choose one of these conditions. Note that these conditions aren’t case sensitive.
You can create a Shared List containing items of text, Regular Expressions or network addresses. For example, you can create a list of websites and use the Match list condition to block multiple applications without creating a separate rule for each. Check out the Shared List section of the Teramind User Guide to learn more about Shared Lists.
For complex matches, such as Credit Card Numbers, Social Security Numbers etc., you can use the Match RegExp option. Teramind supports the standard Regular Expression library.
Rule logic binds two or more Conditions or Content Definitions together, so it can be applied to both the rule Conditions and the Content Definitions.
Rule conditions can have either an ‘OR’ logic or an ‘AND’ logic.
- Each value in a rule condition is treated as an ‘OR’ logic. In the above example, the rule will trigger if the ‘Application Name’ matches ‘regedit.exe’ or ‘pseditor.exe’.
- Each condition parameter is treated as an ‘AND’ logic. In the above example, the rule will trigger only if both the ‘Application Name’ and the ‘Launch from CLI’ parameters meet their conditions.
- If you have multiple condition blocks, each new condition block is treated as an ‘OR’ logic. In the above example, if either Condition 1 or Condition 2 meets its criteria, the rule will be triggered.
You can see how the rule condition logics relate to each other on the Rule’s Summary panel.
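The following evaluator is an added example (not Teramind code) that models the three levels of condition logic described above, together with the Contains, Equals, Match list and Match RegExp operators; the rule, event fields and operator names are constructed for illustration.

```python
import re

# Rule condition evaluator modelled on the Teramind logic described above
# (added example, not Teramind code). A rule is a list of condition blocks;
# each block maps a parameter name to a list of (operator, value) pairs.
#   - values under one parameter are OR'ed
#   - parameters inside one block are AND'ed
#   - condition blocks are OR'ed

def match_value(op, expected, actual):
    """Contains and Equals are case-insensitive, as the guide states;
    Match RegExp uses a standard regular expression."""
    if op == "contains":
        return expected.lower() in actual.lower()
    if op == "equals":
        return expected.lower() == actual.lower()
    if op == "regexp":
        return re.search(expected, actual) is not None
    if op == "matchlist":  # expected is a shared list of text items
        return any(item.lower() == actual.lower() for item in expected)
    raise ValueError(f"unknown operator {op!r}")

def parameter_matches(values, actual):
    # Any value under the same parameter satisfies it (OR)
    return any(match_value(op, exp, actual) for op, exp in values)

def block_matches(block, event):
    # Every parameter in the block must be satisfied (AND)
    return all(parameter_matches(values, event.get(param, ""))
               for param, values in block.items())

def rule_triggers(blocks, event):
    # Any condition block firing triggers the rule (OR)
    return any(block_matches(block, event) for block in blocks)

# Constructed example: Condition 1 matches regedit.exe or pseditor.exe
# launched from the command line; Condition 2 matches any application
# whose name looks like a PowerShell host, via a regular expression.
RULE = [
    {"Application Name": [("equals", "regedit.exe"), ("equals", "pseditor.exe")],
     "Launch from CLI": [("equals", "yes")]},
    {"Application Name": [("regexp", r"(?i)^powershell(_ise)?\.exe$")]},
]

if __name__ == "__main__":
    ev = {"Application Name": "REGEDIT.EXE", "Launch from CLI": "yes"}
    print(rule_triggers(RULE, ev))
```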
When creating a Content Sharing rule that has multiple content definitions, you can use logics to bind the definitions together. You can do so under the Advanced: Setup Logics section of the Content tab. Click on the logic between two definitions, and a pop-up menu will appear where you can select one of four logic options.
You can see how the content definition logics relate to each other on the Rule’s Summary panel:
The table below explains each type of logic and how they are evaluated:
| Logic | Evaluates true if: | Example |
|---|---|---|
| AND | BOTH of the definitions are met. | In the above example, we are using the tags field from the File Properties in Definition 1 and the title field in Definition 2. The logic will return true if the file tags equal the text ‘CONFIDENTIAL’ and the title contains ‘PRIVATE’. So, basically, it will process the files that are both confidential and private. |
| OR | EITHER of the definitions is met. | Using the above example, the logic will return true if the file tags equal the text ‘CONFIDENTIAL’ or the title contains the text ‘PRIVATE’. So, basically, it will process the files that are either confidential or private. |
| AND NOT | The first definition is met AND the second definition is NOT met. | Using the above example, the logic will return true if the file tags equal the text ‘CONFIDENTIAL’ and the title does not contain the text ‘PRIVATE’. So, basically, it will process the files that are confidential and not private. |
| OR NOT | The first definition is met OR the second definition is NOT met. | Using the above example, the logic will return true if the file tags equal the text ‘CONFIDENTIAL’ or the title does not contain the text ‘PRIVATE’. So, basically, it will process all files except the private ones. |
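As an added example (not Teramind code), the evaluator below applies the four logics from the table to the two definitions used in its examples and lists which of a constructed set of sample files each logic would process; the file names and properties are made up for illustration.

```python
# Content-definition logic evaluator for the four binding options in the
# table above (added example, not Teramind code). Each definition is a
# predicate over a file's properties; a logic combines exactly two of them.

def tags_equal_confidential(f):
    # Definition 1: a File Properties tag equals 'CONFIDENTIAL' (case-insensitive)
    return any(t.lower() == "confidential" for t in f.get("tags", []))

def title_contains_private(f):
    # Definition 2: the title contains 'PRIVATE' (case-insensitive)
    return "private" in f.get("title", "").lower()

LOGICS = {
    "AND":     lambda a, b: a and b,
    "OR":      lambda a, b: a or b,
    "AND NOT": lambda a, b: a and not b,
    "OR NOT":  lambda a, b: a or not b,
}

def evaluate(logic, def1, def2, f):
    return LOGICS[logic](def1(f), def2(f))

# Constructed sample files covering every combination of the two definitions
FILES = {
    "conf_private.docx": {"tags": ["CONFIDENTIAL"], "title": "Private merger notes"},
    "conf_only.docx":    {"tags": ["Confidential"], "title": "Q3 roadmap"},
    "private_only.docx": {"tags": [], "title": "PRIVATE: salary review"},
    "public.docx":       {"tags": ["public"], "title": "Press release"},
}

def matching_files(logic):
    """Return the names of the sample files the rule would process under `logic`."""
    return sorted(name for name, f in FILES.items()
                  if evaluate(logic, tags_equal_confidential, title_contains_private, f))

if __name__ == "__main__":
    for logic in LOGICS:
        print(f"{logic:8} -> {matching_files(logic)}")
```

Running it shows that under OR NOT a file that is both confidential and private is still processed, because the first definition alone satisfies that logic.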
On Teramind, you can assign risk levels to rules. While optional, assigning risk levels has some advantages: it lets you analyse risk on the Risk Report, view the risk trend, and identify high-risk users and rules.
There are two places where you can assign risk.
Setting the Risk Levels in a Regular Rule
You assign a risk level to a regular rule from the Advanced Mode of the Rule Editor’s Actions tab. You can choose from: No Risk, Low, Moderate, High and Critical.
You can assign a risk level to each action block separately (you create action blocks by clicking the ADD THRESHOLD button).
Setting the Risk Level in an Anomaly Rule
You assign a risk level to an Anomaly rule under its RULE RISK LEVEL section. You can choose from: No Risk, Low, Moderate, High and Critical. You can also turn on its ACCUMULATES RISK option. If turned on, the risk associated with the rule is counted once per violation; otherwise, it is counted once for all violations.
Unlike regular rules, which support multilevel risk assignments, an anomaly rule can have only one risk level.
The right-most panel of the Rules Editor shows a summary of the rule in easy-to-follow language. You can see the values used in the different tabs, which conditions are used and the logical connections among them, the rule actions, etc.