The Rules Editor is an intuitive, visual editor where you can create sophisticated threat detection, productivity optimization or data loss prevention rules easily without going through multiple screens or coding.
To access the Rules Editor, create a new rule or edit an existing rule from the Behavior > Policies menu.
Check out the Behavior section on the Teramind User Guide to learn more about creating/editing rules, managing policies, etc.
Setting Up the Rule Basics
You specify the basic settings for the rule on the Rules Editor’s General tab.
On the top fields, specify a Name and optionally, a Description for the rule.
You can also specify the rule’s Tags on this tab. Tags are keywords you can assign to a rule to easily identify it. They are useful in searching for the rule and can also be used as filters (i.e. on the Risk or Alerts report).
Selecting Rule Categories and Types
You can select the Rule Category and Types of Activities (for Activity-based rules) or the Types of Content (for Content Sharing rules) from the Rules Editor’s General tab.
There are three types of rule categories you can choose from: Agent Schedule, Activity and Content Sharing. Each category further supports different activities or content types. The table below shows which categories support which activity/content types and their use cases:
| |Agent Schedule|Activity|Content Sharing|
|---|---|---|---|
|Use Cases|Useful for detecting discrepancies in employee schedules or workflow. For example, receive notification when an employee is late. Or, block remote login during odd hours or from unrecognized IPs.|Useful for detecting and controlling user activities for a range of monitored objects. For example, restricting app/website usage. Or, preventing file transfer operations (copy, upload, download etc.) on a folder/app/URL.|Useful for protecting sensitive data. For example, block an email that contains personally identifiable information. Or, preventing file transfer operations when certain content is detected in the file.|
|Type of Activity/Content| | | |
You specify the users for the rules on the Rules Editor’s User tab.
Here you specify which users, groups, departments or computers the rule will apply to. If you select a computer, the rule will apply to all the users on that computer.
By default, the rule will inherit the user settings from the policy the rule is a part of. However, you can turn off the INHERIT POLICY SETTINGS option to select users manually.
You can specify who the rule will apply to and optionally, exclude anyone you don’t want to be included using the EXCLUDE FROM RULE field.
Check out the Teramind User Guide to learn how to add users, computers, groups and departments.
Defining Detection Criteria
After you have decided what type of rule you need and which users the rule will apply to, the next part is defining the detection criteria and scope. You will specify what, how or when the rule will be activated. You do this by selecting different parts of the selected Activity Type or Content Type, for example, the URL of the Webpage activity or the Application Name of the Clipboard content. You can then specify Condition Logics against the part(s) and the values you want to detect. Here’s what a detection criterion may look like: