Rule Sample 1: User logs in during off hours
Rule Summary

This example shows how you can create an Agent Schedule rule to detect a user attempting to log in during off hours.
Setting Up the Rule
General Tab

On the first tab, General, we assigned a name.
We have chosen an Agent Schedule rule type under the Rules Category since we are looking to detect a user’s login time.
To learn more:
- Agent Schedule Rules: What Schedule Violations Can You Detect?
- Understanding Common Rule Elements – name, description, tags, schedule etc.
User Tab

For the users, we chose to manually add the users (by turning off the INHERIT POLICY SETTINGS).
We also decided to apply this rule to external contractors only. To do so, we first created a department named ‘External Contractors’ and then edited the selected users’ profiles to assign them to this department.
To learn more:
Schedule Tab

We have selected the Login schedule violation type so that we can monitor the login attempts.
We have also set up two time slots that will be considered as off-hours (12am-8am and 6pm-12am). Any attempt to log in during these two periods will trigger the rule.
If you wanted, you could set up additional options such as restricted IPs, or exclude any days you don’t want to monitor.
To learn more:
- Rule Criteria – for Agent Schedule rules
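The schedule logic above, as an added example that is not part of this page or the product: it evaluates constructed login events against the two off-hours slots, handling the slot that ends at midnight and ignoring non-login events. The users and timestamps are made up.

```python
from datetime import datetime, time

# Off-hours slots from Sample 1 (12am-8am and 6pm-12am), in the user's local time.
# An end of 00:00 means "until midnight at the end of the day".
OFF_HOURS = [(time(0, 0), time(8, 0)), (time(18, 0), time(0, 0))]

def in_slot(t, slot):
    start, end = slot
    if end == time(0, 0):            # slot runs to end of day, so only the start bounds it
        return t >= start
    return start <= t < end           # start inclusive, end exclusive

def is_off_hours(t, slots=OFF_HOURS):
    """t is a datetime.time or an 'HH:MM[:SS]' string in the user's local time."""
    if isinstance(t, str):
        t = time.fromisoformat(t)
    return any(in_slot(t, s) for s in slots)

def evaluate_logins(events, slots=OFF_HOURS):
    """Return the events that would trigger the rule.
    Each event is a dict with 'user', 'event' and 'local_time' (ISO 8601, local clock)."""
    hits = []
    for ev in events:
        if ev["event"] != "login":    # violation type is Login: logouts etc. are ignored
            continue
        t = datetime.fromisoformat(ev["local_time"]).time()
        if is_off_hours(t, slots):
            hits.append(ev)
    return hits

# Constructed sample events (hypothetical users and times, not taken from the page's alerts).
SAMPLE_EVENTS = [
    {"user": "a.contractor", "event": "login",  "local_time": "2019-08-05T07:30:00"},  # off-hours
    {"user": "a.contractor", "event": "login",  "local_time": "2019-08-05T08:00:00"},  # first business minute
    {"user": "b.contractor", "event": "login",  "local_time": "2019-08-05T18:00:00"},  # off-hours begins
    {"user": "b.contractor", "event": "logout", "local_time": "2019-08-05T23:30:00"},  # not a login
    {"user": "c.contractor", "event": "login",  "local_time": "2019-08-05T23:59:59"},  # off-hours
]

if __name__ == "__main__":
    for ev in evaluate_logins(SAMPLE_EVENTS):
        print(f"{ev['user']} logged in at {ev['local_time']} (off-hours)")
```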
Actions Tab

Finally, for the last tab, ‘Actions’, we have selected to use a NOTIFY action to notify the security admin.
We also selected a WARN action to show a warning to the offending user. For this action, we decided to use the HTML template option to make the alert prominent to the user.
To learn more:
Viewing the Rule Alerts
Here you can see the Alerts report for the rule:

You can see that, on 2019-08-05 at 16:03:31, user Martin Sutherland signed into their computer. Since the action meets our rule criteria (Login: between 12am – 8am and 6pm – 12am), the rule is triggered. The user is shown a warning and also a notification email is sent to the assigned manager/admin.
The Alerts screen shows the rule violation date/time, employee, policy, which rule was violated, what action was taken and a detailed description of the violation incident.
By clicking the Movie Camera icon, you can view a session recording of the alert (see below).
Viewing the Session Recording
Here you can see the Session Recording of how the rule message will look on the user’s desktop:

When a user logs in outside our set schedule, they will see a warning message. Note that the login time is based on the user’s local time.
Rule Sample 2: User sending emails with attachments to non-business address
Rule Summary

This example shows how you can create a simple Activity rule to warn a user when they send an email with attachment(s) to a non-business email address.
Setting Up the Rule
General Tab

On the first tab, General, we assigned a name for the rule and a description. We also used some tags to identify the rule easily.
We have chosen an Activity rule type since we are looking to detect a user action (the act of sending an email) and not any content. We have selected Emails as the Types of Activities.
We left the rule schedule to its default 24-hour setting.
To learn more:
- Activity Rules: What Activities Can You Detect?
- Emails – emails activity rule
- Understanding Common Rule Elements – name, description, tags, schedule etc.
User Tab

For the users, we used the default policy settings (by leaving the INHERIT POLICY SETTINGS option turned on).
To learn more:
Emails Tab
Mail To

We have added three criteria to the Emails activity. For the first criterion, ‘Mail to’, we have specified several email domains that we would consider as ‘non-business’ addresses and used a contains logic to detect even a partial match.
Mail Direction

For the second criterion, ‘Mail Direction’, we have selected OUTGOING to detect only the outgoing emails.
Has Attachments

For the third criterion, ‘Has Attachments’, we have set the condition to true so that only emails carrying at least one attachment are detected.
To learn more:
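The three Emails criteria, as an added example that is not part of this page or the product: it evaluates constructed messages with the page’s contains logic and, for comparison, a stricter exact-domain check. Only ‘@yahoo.com’ comes from the page; the other domains, message ids and addresses are assumed.

```python
# Assumed list of 'non-business' domains; the page names '@yahoo.com', the rest are made up.
NON_BUSINESS = ["@yahoo.com", "@gmail.com", "@hotmail.com"]

def mail_to_contains(recipients, needles=NON_BUSINESS):
    """'Mail To' with contains logic: true if any recipient address contains any needle."""
    return any(n.lower() in r.lower() for r in recipients for n in needles)

def mail_to_exact_domain(recipients, needles=NON_BUSINESS):
    """Stricter alternative (not the page's setting): the address's domain must equal
    a listed domain exactly, so 'x@yahoo.com.partner.example' is not a match."""
    domains = {n.lstrip("@").lower() for n in needles}
    return any(r.rsplit("@", 1)[-1].lower() in domains for r in recipients)

def rule_triggers(msg, mail_to=mail_to_contains):
    """All three criteria must hold: Mail To, Mail Direction OUTGOING, Has Attachments."""
    return (mail_to(msg["to"])
            and msg["direction"] == "OUTGOING"
            and len(msg["attachments"]) > 0)

def triggered_ids(messages, mail_to=mail_to_contains):
    return [m["id"] for m in messages if rule_triggers(m, mail_to)]

# Constructed sample messages (hypothetical; not taken from the page's alert data).
SAMPLE_MESSAGES = [
    {"id": 1, "to": ["john@yahoo.com"], "direction": "OUTGOING", "attachments": ["q3.xlsx"]},
    {"id": 2, "to": ["john@yahoo.com"], "direction": "OUTGOING", "attachments": []},          # no attachment
    {"id": 3, "to": ["john@yahoo.com"], "direction": "INCOMING", "attachments": ["notes.pdf"]},  # wrong direction
    {"id": 4, "to": ["pat@corp.example"], "direction": "OUTGOING", "attachments": ["notes.pdf"]},  # business address
    {"id": 5, "to": ["kim@yahoo.com.partner.example"], "direction": "OUTGOING", "attachments": ["plan.docx"]},
]

if __name__ == "__main__":
    print("contains logic:", triggered_ids(SAMPLE_MESSAGES))                         # [1, 5]
    print("exact domain:  ", triggered_ids(SAMPLE_MESSAGES, mail_to_exact_domain))  # [1]
```

Message 5 shows the difference: contains logic treats the partial match as non-business, while the exact-domain check does not.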
Actions Tab

Finally, for the last tab, ‘Actions’, we have selected to use a WARN action to just show a simple warning to the user.
To learn more:
Viewing the Rule Alerts
Here you can see the Alerts report for the rule:

You can see that, on 2019-07-08 at 06:02:33, user John Doe sent an email to a Yahoo Mail user. Since the action meets all the three of our rule criteria (Mail To: address containing condition word, ‘@yahoo.com’; Mail Direction: outgoing; and Has Attachment: true), the rule is triggered and the user is warned.
The Alerts screen shows the rule violation date/time, employee, policy, which rule was violated, what action was taken and a detailed description of the violation incident.
By clicking the Movie Camera icon, you can view a session recording of the alert (see below).
Viewing the Session Recording
Here you can see the Session Recording of how the rule message will look on the user’s desktop:

You can see that, as soon as the user sends an email to a non-business address, the rule’s warning message is shown in the top-right corner of their screen. You will notice that the message is very bare-bones and may fail to attract any attention. You can change that by customizing the rule messages and alerts.
Rule Sample 3: User attempting to upload a sensitive file to a cloud drive
Rule Summary

This example shows how you can create an Activity rule to block a user and display a message for attempting to upload certain files to a cloud drive.
Setting Up the Rule
General Tab

On the first tab, General, we assigned a name for the rule and a description.
We have chosen an Activity rule type since we are looking to detect a user action (the act of uploading a file) and not any content. We have selected Files as the Types of Activities.
We left the rule schedule to its default 24-hour setting.
To learn more:
- Activity Rules: What Activities Can You Detect?
- Files – files activity rule
- Understanding Common Rule Elements – name, description, tags, schedule etc.
User Tab

For the users, we chose to manually add the users (by turning off the INHERIT POLICY SETTINGS). We have also excluded the Management department from the rule’s scope.
To learn more:
Files Tab
File Operation

We have added two criteria to the Files activity. For the first criterion, ‘File Operation’, we have selected the Upload operation.
Upload File Name

For the second criterion, ‘Upload File Name’, we have specified some keywords that we would like to detect in the file names.
To learn more:
Actions Tab

Finally, for the last tab, ‘Actions’, we have selected a BLOCK action to block the activity and at the same time show a message to the user. For this demonstration, we used an HTML template. This lets us use a customized template. We can also use simple HTML tags (such as <b>, <a> etc.) in the message itself.
To learn more:
Viewing the Rule Alerts
Here you can see the Alerts report for the rule:

You can see that, on 2019-07-08 at 08:58:54, user Kate Sparrow tried to upload a file named sensitive.txt to drive.google.com. Since the action meets both of our rule criteria (File Operation: Upload and File Name: containing one of the condition words, ‘sensitive’), the rule is triggered, and the user is blocked from completing the operation.
The Alerts screen shows the rule violation date/time, employee, policy, which rule was violated, what action was taken and a detailed description of the violation incident.
By clicking the Movie Camera icon, you can view a session recording of the alert (see below).
Viewing the Session Recording
Here you can see the Session Recording of how the rule message will look on the user’s desktop:

You can see that, as soon as the user attempts to upload a file named ‘sensitive.txt’, the rule is triggered because the filename contains one of our specified keywords, ‘sensitive’. The rule shows the message we specified, and the upload operation is blocked.
Also, unlike the previous example, this time we used a customized HTML template and you can see the result. The warning message is now shown in a nice alert box.
Rule Sample 4: User attempting to share files containing sensitive content
Rule Summary

This example shows how you can create a Content rule to block a user and display a message for attempting to upload a file containing credit card numbers. The user will be given a choice to continue or cancel the file operation. In any case, a rule alert will be recorded.
Setting Up the Rule
General Tab

On the first tab, General, we assigned a name for the rule and a description.
We have chosen a Content Sharing rule type since we are interested in detecting sensitive content. We have selected Files as the Types of Content.
We changed the rule schedule so that it will monitor 9am-12pm and 12:30pm-5:00pm, a typical work time taking into account a 30-minute lunch break.
To learn more:
- Content Sharing Rules: What Contents Trigger the Rules?
- Files – files content sharing rule
- Understanding Common Rule Elements – name, description, tags, schedule etc.
User Tab

For the users, we used the default policy settings (by leaving the INHERIT POLICY SETTINGS option turned on).
To learn more:
Content Tab

For content, we used a built-in template, ‘Predefined Classified Data’, and then selected the ‘Financial Data’ category to detect ‘All credit card numbers’. The rule will trigger even if only one credit card number is detected in a file. We did so by entering a value of ‘1’ in the TRIGGER ON PATTERN FREQUENCY IN CONTENT field.
Actions Tab

Finally, for the last tab, ‘Actions’, we have selected a BLOCK action but turned on the ALLOW BYPASS WITH CONFIRMATION? option. This will show a warning to the user and block the action, but it will also show YES and NO buttons. If the user clicks YES, they will be able to override the block.
To learn more:
Viewing the Rule Alerts
Here you can see the Alerts report for the rule:

You can see that, on 2019-08-05 at 12:17:45, user Simon Woodly tried to upload a file named credit card.txt. The file contains some credit card numbers (you can verify what the file contains by checking the session recording – see below). Since the content meets all our rule criteria (Content Type: file; Rule Schedule: 12:17pm, that’s within our rule schedule, ‘9am – 12pm and 12:30pm – 5:00pm’; Content: credit card numbers as per the condition, ‘Classified Financial Data’), the rule is triggered, and the user is blocked but will be given an opportunity to override or cancel the upload operation.
The Alerts screen shows the rule violation date/time, employee, policy, which rule was violated, what action was taken and a detailed description of the violation incident.
By clicking the Movie Camera icon, you can view a session recording of the alert (see below).
Viewing the Session Recording
Here you can see the Session Recording of how the rule message will look on the user’s desktop:

On this screen, you can see the user creating a text file containing some credit card numbers and saving it on their desktop.

The user then attempts to copy the file to a network folder. You can see that, as soon as the user attempts to copy the file, the rule is triggered giving the user the option to continue or not. If the user clicks YES, the file copy operation will continue as usual. If they click NO, the copy operation will be cancelled.
Also, in this example, we used yet another customized HTML template to show the warning message.
Rule Sample 5: Employee productivity anomaly
Rule Summary
This example shows how you can create an Anomaly rule to monitor the productivity level of employees and receive a notification when it goes below a certain threshold. You will also be able to compare this against their Departmental and Organizational average.
Setting Up the Rule
General Settings Section

On the first section, General Settings, we assigned a name for the rule and a description.
For the users, we have selected All employees.
We have also used a tag to find the rule easily.
To learn more:
- Creating Anomaly Rules
- Setting Up the Rule Basics – name, description, user, tags etc.
Rule Trigger Section

We chose the Activity: Productivity as the rule trigger.
For the rule’s condition, we selected the Productivity criterion and chose a less than ‘<’ logic to detect when the productivity goes below 20%.
To learn more:
- Detection Criteria – What Behavioral Anomalies Trigger the Rules?
- List of Prebuilt Anomaly Rule Templates
- Productivity Reports in the User Guide
Rule Risk Level Section

We left the risk level at its default setting (No Risk) and kept the ACCUMULATES RISK option turned on so that multiple violations of the rule add up towards the risk score for this rule.
To learn more:
Rule Actions Section

Finally, for the last section, ‘Actions’, we have turned on the NOTIFY action to inform a manager about the productivity loss.
To learn more:
Viewing the Rule Alerts
Here you can see the Alerts report for the rule:

You can see that, on 2019-08-03 at 23:44:50, the productivity rate for the user Seth Mcgregor dropped to 61%. For comparison purposes, the average for the company (82%) and the department (87.8%) are also shown in the Description field. Since this meets our anomaly condition (Productivity: <20), the rule is triggered, and a notification is sent to the assigned manager/admin.
The Alerts screen shows the rule violation date/time, employee, policy, which rule was violated, what action was taken and a detailed description of the violation incident.
Viewing the Session Recording
Anomaly rules do not have any session recordings. However, if you have enabled 24/7 recording (you can do so by Editing the Screen Settings) you can take the following steps to view the user’s desktop at the time of the anomaly rule violation:
- Take note of the date and time when the anomaly rule was triggered from the Alerts screen’s Date/time column.
- Open the Session Player for the user. You can access the Session Player from the Alerts screen, from any of the Monitoring Reports or even from the Dashboards. Click the Movie Camera icon, wherever you see it, to access the Session Player.
- Change the date on the Session Player to the date you noticed on the Alerts screen. Move the player head to the required time.