Introduction to Behavior Policies
The Behavior Policies screen allows you to view, create, and manage behavior policies and rules.
A policy is like a container or folder that contains rules.
A rule allows you to set up conditions to detect harmful, dangerous, or unproductive behavior in real-time and, optionally, take automated action (such as warning the user, blocking the activity, notifying an admin, etc.). You can see the rule violations report from the Dashboards > Behavior Alerts dashboard.
The Behavior Policies screen comes with the following columns:
Policies and assigned Rules: shows the name of the policy/rule.
Enabled: lets you enable/disable the policy or rule.
Type: shows the rule type, e.g., Activity, Content, Schedule.
Audience: shows which users/computers/departments were assigned the rule. If this column shows “Overridden”, it means you have disabled the Inherit settings from parent policy option on the rule’s Employees tab and manually selected users/computers/departments.
Rule Actions: shows icons for rule actions. You can hover over an icon to view the action label. For example, a bell icon means the Notify action.
Severity: shows the Rule violation severity value you have set on the rule’s General Settings tab.
1. You can click a policy row’s Right Arrow icon to expand it to view the rules under it. You can click the Bottom Arrow icon to collapse the policy.
You can also double-click a policy’s name to expand/collapse it.
You can also click the Expand/Collapse buttons to expand or collapse all policies.
2. You can use the Toggle button under the Enabled column to enable/disable a policy or rule.
The following sections provide more information about policies and rules.
Policies
A policy is like a container/folder that contains rules.
Creating a New Policy
1. Click the New Policy button on the Configurations > Behavior policies screen. A panel on the right will open:
2. Enter a name for the policy in the Policy Name field.
3. From the Apply Policy to field, select users, departments, or computers to track.
4. Optionally, you can exclude targets (users, departments, etc.) from the policy. This is useful in certain situations. For example, suppose you want to monitor most employees in the "Sales" department but exclude a few. In that case, you can select the department in the Apply Policy to field and select the employees you want to exclude in the Exclude targets from this Policy field.
5. Click the Submit button to create the policy.
Editing / Exporting / Removing a Policy
From the Configurations > Behavior policies screen, click the Three Dots in front of a policy. The Context Menu for the policy will open:
Select Export Policy to export the policy as a JSON file.
Select Edit Policy to edit the policy. Editing the policy is similar to creating a new policy.
Select Remove Policy to delete the policy.
Rules
A rule allows you to set up conditions to detect harmful, dangerous, or unproductive behavior in real-time and, optionally, take automated action (such as warning the user, blocking the activity, notifying an admin, etc.). You can see the rule violations report from the Dashboards > Behavior Alerts dashboard.
Creating a New Rule
This section describes the basic principles of configuring a rule. Check out the Rules Guide to learn more about rules and how to create them to detect insider threats, protect your organization from malicious or accidental security incidents, prevent data loss, or conform with regulatory compliance.
You can create a new rule in two ways:
1. Click the New Rule button on the Configurations > Behavior policies screen.
2. Expand a policy by double-clicking its name. You can also click the Right Arrow icon in front of its name. Click the New Rule for this Policy button near the bottom.
In both cases, the Rule Editor will open:
3. The left-most part of the Rule Editor is the General settings section. It’s where the main tabs/steps of a rule are displayed. A basic rule has at least three tabs: General, User, selected Type(s), and Action. The Type(s) will change based on which Type of Content you select from the General section. For example, on the screenshot above, the types selected are ‘Applications’ and ‘Webpages’. Note that Agent schedule rules don’t use any types.
4. The middle section of the editor is where you specify the actual rule parameters.
5. The right-most part of the editor displays the Rule Summary section. Each tab/step of the rule will show as a separate section with details about what criteria, conditions, or options you have selected. The Rule Summary section will also provide guidance if there are any errors in a step, such as if you forgot to fill out a mandatory field. As you go through each tab/step, the corresponding summary section will expand. You can also manually expand/collapse a section by clicking the section’s name or by using the Up Arrow/Down Arrow icons.
6. As you complete a step/tab of a rule, click the Continue button to move to the next step. You can also click the tabs on the left to switch to that tab. However, note that you cannot move to the next step unless you have filled out/selected all the mandatory fields/options in the current step. The Rule Summary section will tell you if you have missed anything.
General Settings
The General Settings tab allows you to specify the basic settings for the rule. You also select which activity or content the rule will detect.
1. Enter a Rule name.
2. Optionally, provide a Rule description.
3. Select the Parent Policy the rule will belong to.
4. Select a Rule Type from the drop-down menu. There are three types of rules you can select from:
Activity: Activity-based rules apply to the majority of the monitored systems. With this type of rule, you can detect user and application activities. For example, warn a user when they visit a gambling site, stop them from copying a sensitive file to an external drive, etc.
Content Sharing: These rules are used to detect content or text inside a monitored object. The object can be a file, a web page, text in an email or IM chat, etc. These powerful rules can be used to prevent data exfiltration attempts, such as blocking the transfer of a file when it contains credit card numbers, warning a user when they attempt to send emails containing sensitive keywords, etc.
Note that the Content Sharing rule is available on Teramind DLP only.
Schedule: This is the most basic rule type. It’s based on an agent’s/user’s schedule and can be used to detect things like when an employee started their work, if they are late at work, if a user is idle, etc. The rule takes input from the Schedules you create for employees to determine when a user/agent is supposed to start/finish.
5. Once you select a Rule Type, you can then Select the type of activities (for Activity rule type) or Select the type of contents (for Content Sharing rule type), such as Webpages, Applications, Emails, etc. These are the systems the rule will monitor for user activities or contents. See the Type of Activities/Contents section below for more information.
Note that the Schedule rule type doesn't have this section.
6. Rule violation severity allows you to specify a risk level for the rule. You can either drag the slider or use the number field to enter a number between 0-100. This risk value is used in various dashboards/reports.
7. By default, the rule is active 24 hours a day. However, you can change the rule schedule under the Time when rule is active section. For example, you can have the rule be active during work hours but disabled during the employee's lunch breaks. Drag the two small Orange Circles to adjust the time.
Employees
The Employees tab allows you to specify which target employees, departments, computers, etc., the rule will apply to.
1. By default, the rule will inherit the rule targets (employees, computers, departments, etc.) from its parent policy. However, you can turn off the Inherit settings from Parent Policy option to select them manually:
a. Enter employees, computers, and/or departments in the Apply rule to field.
b. Optionally, you can exclude any targets you don’t want to be included using the Exclude from rule field.
Type of Activities/Contents
1. Activity/Content: Depending on what you selected under the Select the type of activities/Select the type of contents section in the General tab, you will see different activities/contents (e.g., Webpages, Applications, etc.) on the left side of the Rule Editor.
2. Condition Blocks: Each rule comes with a default “Condition 1” block. To add additional condition blocks, click the Add threshold button. Each new condition is considered as an ‘OR’ clause. So, if either of the conditions is true, the rule will be triggered. In the above example, the rule will trigger if the user tries to run an application named “regedit.exe” OR if they try to run any elevated application (e.g., UAC-protected apps).
3. You can remove a condition block by clicking the X button.
4. Rule Criteria: Click the Add button to add a criterion to a Condition. A small drop-down menu will appear where you can select a criterion. You can select multiple criteria for a condition. In such cases, the criteria will show up as separate tabs. The criteria are different for each content type. For example, the Applications content type might have criteria such as ‘Application name’, ‘Application caption’, ‘Launched from CLI’, etc., while the Emails content type might have ‘Mail Body’, ‘Mail Subject’, etc.
You can delete a criterion by clicking the small X button next to its name.
5. Conditions Values: There are several types of CONDITION fields:
Text Field: In this type of condition field, you can start typing, then select an option from the pull-down menu:
For example, you can type “excel” in the field, then select contains or equals. For complex pattern matches, such as credit card numbers, social security numbers, etc., you can use the matches regex option from the list. You can also select multiple apps by using a shared list with the matches list or equals list option. The matches list condition will check for matches with any item in a Shared List. For example, if you had a shared list containing "YouTube", "youtube.com", "youth", "layout", then any text like "you", "tube", "You", "Out", etc., will be detected. The equals list condition will check for an exact match with any item in a Shared List. To use the previous shared list as an example, now the rule will detect "youtube", "Youtube", "YouTube", but it will NOT detect "you" or "tube". See the Shared Lists section for more information on how to create shared lists.
You can add multiple values in the field. Each value is considered as an ‘OR’ clause. So, in the above example, the rule will trigger if the ‘Application caption’ contains ‘excel’ or matches with the regular expression containing ‘*adobe’ or equals any list item in the shared list called ‘Applications’.
List-based Text Field: Some text fields allow you to select from a predefined list. You can still type in the text field, but it will just let you search for items in the list. For example, the File operation (Files rules) criteria:
Special Text Field: Some text fields allow you to enter only specific types of values (e.g., numbers, IP addresses, etc.). Some might even add special logic to your entered value. For example, the fields for the Time Active, Time Idle, Time Focused, etc., criteria (Applications rules) allow you to enter only a numeric value, and the field adds the “>=” logic to the value:
Another example is the Event Id criterion (Windows log event rules), which allows you to enter a Windows event ID as a number and then lets you choose from “<”, “=”, “>”, “>=” logic:
Toggle Buttons: Some rule criteria don’t have a CONDITION text box but instead give you toggle buttons. You can select only one option from such buttons. For example, the Run elevated criterion (Applications rules) only has the ‘Yes’, ‘No’ options:
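The OR logic described above (condition blocks OR'd together, multiple values on one criterion OR'd together) and the five text-field operators are easy to misread when building a rule, so here is an added worked example of that evaluation logic in Python. It is not Teramind's code; it is a model written for this page. The shared list is the page's own example list, and the two rules are the page's own examples (regedit.exe OR any elevated application; an Application caption that contains 'excel', matches a regex, or equals an item of the shared list called 'Applications'). Assumptions are labelled in the comments: comparisons are case-insensitive (the page's equals list example treats "youtube" and "YouTube" as equal), several criteria inside one condition block are AND'd, and the page's '*adobe' pattern is written as the valid regex r".*adobe". The events are constructed sample application launches.

```python
import re

# Shared list taken from the page's matches-list example.
SHARED_LISTS = {
    "Applications": ["YouTube", "youtube.com", "youth", "layout"],
}


def _norm(s):
    return s.casefold()


# --- Condition operators (case-insensitive comparison is an assumption) ---
def op_contains(actual, needle):
    return _norm(needle) in _norm(actual)


def op_equals(actual, needle):
    return _norm(actual) == _norm(needle)


def op_matches_regex(actual, pattern):
    return re.search(pattern, actual, re.IGNORECASE) is not None


def op_matches_list(actual, list_name):
    # Assumption: "matches list" is a substring test in either direction. That is the
    # reading under which the page's example holds ("you", "tube" and "Out" are detected
    # by a list holding "YouTube", "youth" and "layout").
    a = _norm(actual)
    return any(a in _norm(item) or _norm(item) in a for item in SHARED_LISTS[list_name])


def op_equals_list(actual, list_name):
    # "equals list": exact (case-insensitive) match against any list item.
    return any(_norm(actual) == _norm(item) for item in SHARED_LISTS[list_name])


OPERATORS = {
    "contains": op_contains,
    "equals": op_equals,
    "matches regex": op_matches_regex,
    "matches list": op_matches_list,
    "equals list": op_equals_list,
}


def criterion_matches(actual, clauses):
    # Multiple values on one criterion are OR'd (page: each value is an 'OR' clause).
    return any(OPERATORS[op](actual, arg) for op, arg in clauses)


def condition_matches(event, block):
    # Assumption: several criteria inside one condition block must all hold (AND).
    return all(criterion_matches(event.get(name, ""), clauses) for name, clauses in block.items())


def rule_triggers(event, rule):
    # Condition blocks are OR'd (page: the rule fires if either condition is true).
    return any(condition_matches(event, block) for block in rule["conditions"])


# The page's Applications example: "regedit.exe" OR any elevated application.
REGEDIT_OR_ELEVATED = {
    "name": "Registry editor or elevated application",
    "conditions": [
        {"Application name": [("equals", "regedit.exe")]},
        {"Run elevated": [("equals", "Yes")]},
    ],
}

# The page's Application caption example (regex rewritten as a valid pattern).
CAPTION_RULE = {
    "name": "Caption watchlist",
    "conditions": [
        {"Application caption": [("contains", "excel"),
                                 ("matches regex", r".*adobe"),
                                 ("equals list", "Applications")]},
    ],
}

# Constructed sample application-launch events, one dict per launch.
EVENTS = [
    {"Application name": "regedit.exe", "Application caption": "Registry Editor", "Run elevated": "Yes"},
    {"Application name": "notepad.exe", "Application caption": "Untitled - Notepad", "Run elevated": "No"},
    {"Application name": "mmc.exe", "Application caption": "Computer Management", "Run elevated": "Yes"},
    {"Application name": "EXCEL.EXE", "Application caption": "Book1 - Excel", "Run elevated": "No"},
]


def evaluate_all(rule, events=EVENTS):
    """Return one True/False per event: does the rule trigger on it?"""
    return [rule_triggers(e, rule) for e in events]


if __name__ == "__main__":
    for rule in (REGEDIT_OR_ELEVATED, CAPTION_RULE):
        print(rule["name"], evaluate_all(rule))
```

Reading the output against the events makes the OR semantics concrete: the first rule fires on regedit.exe and on the elevated mmc.exe launch but not on Notepad, and the caption rule fires only on the Excel window, whose caption satisfies the 'contains' clause.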
Content
Note that the Content tab is available on Teramind DLP and is shown only when you select the Content Sharing option from the Rule Type list under the General Settings tab.
The Content tab allows you to define what makes content sensitive and specify the values to look for.
1. Data Definitions: First, you can select from different data definitions in the Type of sensitive data list, such as Data Content, Predefined Classified Data, or Clipboard Origin.
The options available to you will depend on the type of content you selected in the General Settings tab. For example, if you choose the Clipboard type of content, you will then see 'Clipboard Origin' in the data definition list.
2. Advanced Logics: When you have multiple content definitions, you can use logical operators to bind them together under the Advanced logics section.
a. Click the logic operator (e.g., "and," "or") between two conditions to select a different one from the pop-up menu. You can see how your logical relationships are structured in the Rule Summary section.
b. Click the Two Small Dots icon to add additional definitions and logic to your rule.
For more information about rule logic, check out the Rule Logic section in the Rules Guide.
Data Content
Data Content allows you to search for content within the content types you've selected from the General Settings tab. For example, by using it with the Clipboard option, you can detect anything a user has copied.
Sensitive data to detect: You can search for Text, Binary, or Both types of data.
Conditions: You can use conditions like contains, equals, and matches regex with the values you've entered. Alternatively, you can use the matches list or equals list conditions with available Shared Lists.
Predefined Classified Data
Predefined Classified Data detects content based on pre-defined categories such as credit card numbers, social security numbers, and email addresses. For example, you can use it to create a rule that warns a user if they share credit card numbers via email or instant messages.
Sensitive data category: You can choose from Financial Data, Health Data, Personally Identifiable Data, and Code Snippets.
Sensitive data to detect: The options in this list change depending on your selection in the Sensitive data category list. For example, if you select 'Financial Data', you can choose from Credit Card Number, Magnetic Data, SWIFT Code, etc. If you choose 'Health Data', the options will include Disease Name, DNA Profile, etc.
If you select Financial Data from the Sensitive data category list, an additional list called Detection mode will appear. This list lets you specify how closely the detection engine should match the information:
Loose: This mode detects credit card numbers even if the sequence is broken up by various characters. For example: abcdef4%4*4%4#4*4!!4##4_4#44_4%4%4&44Xyz.
Medium: This mode detects credit card numbers when the sequence is broken up by the same character. For example: abcdef4_4444_44_44_4_4_4_4444Xyz.
Strict: This mode only detects standalone credit card numbers, which may or may not have spaces or hyphens. For example: 44-44-4444-444-4-44-44.
Pattern frequency trigger: You can specify the data pattern's frequency in this field. For example, you might choose to ignore a single credit card number in an email but set a warning to be triggered if more than five are detected.
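The three Detection modes differ only in what they tolerate between the digits, and the three example strings above exercise exactly those differences. As an added illustration (not Teramind's detection engine, whose internals the page does not describe), here is a small Python scanner that models each mode as a set of constraints on the gaps between consecutive digits, plus a Pattern frequency trigger that fires only past a count. Assumptions are marked in the comments: a 16-digit number, a gap of at most three characters in Loose mode, and "standalone" in Strict mode meaning bounded by whitespace or the ends of the text. The example strings are the page's own; the multi-number email line is constructed.

```python
# The page's three Detection mode examples, copied verbatim.
LOOSE_EXAMPLE = "abcdef4%4*4%4#4*4!!4##4_4#44_4%4%4&44Xyz"
MEDIUM_EXAMPLE = "abcdef4_4444_44_44_4_4_4_4444Xyz"
STRICT_EXAMPLE = "44-44-4444-444-4-44-44"

CARD_DIGITS = 16  # assumption: the page's examples are all 16-digit numbers

# Each mode expressed as constraints on the non-digit gap between consecutive digits.
MODES = {
    # Loose: any characters between digits; the gap limit of 3 is an assumption.
    "loose": dict(max_gap=3, same_separator=False, allowed=None, standalone=False),
    # Medium: at most one character between digits, and the same character every time.
    "medium": dict(max_gap=1, same_separator=True, allowed=None, standalone=False),
    # Strict: optional single space or hyphen between digits; the number stands alone.
    "strict": dict(max_gap=1, same_separator=False, allowed=" -", standalone=True),
}


def _match_at(text, start, mode):
    """Try to read CARD_DIGITS digits beginning at text[start] under the mode's
    constraints. Returns (end_index, digits) on success, else None."""
    if start > 0 and text[start - 1].isdigit():
        return None  # would be a sub-window of a longer digit run
    i, digits, separator = start, [], None
    while len(digits) < CARD_DIGITS:
        if i >= len(text):
            return None  # input ended before enough digits were collected
        if text[i].isdigit():
            digits.append(text[i])
            i += 1
            continue
        # Measure the non-digit gap up to the next digit.
        j = i
        while j < len(text) and not text[j].isdigit() and j - i <= mode["max_gap"]:
            j += 1
        gap = text[i:j]
        if len(gap) > mode["max_gap"] or j >= len(text):
            return None
        if mode["allowed"] is not None and any(c not in mode["allowed"] for c in gap):
            return None
        if mode["same_separator"]:
            if separator is None:
                separator = gap
            elif gap != separator:
                return None
        i = j
    if i < len(text) and text[i].isdigit():
        return None  # a 17th digit follows, so this is not a 16-digit number
    if mode["standalone"]:
        if start > 0 and not text[start - 1].isspace():
            return None
        if i < len(text) and not text[i].isspace():
            return None
    return i, "".join(digits)


def detect_card_numbers(text, mode_name):
    """Return every digit string the named Detection mode finds in text."""
    mode = MODES[mode_name]
    found, i = [], 0
    while i < len(text):
        hit = _match_at(text, i, mode) if text[i].isdigit() else None
        if hit:
            end, digits = hit
            found.append(digits)
            i = end
        else:
            i += 1
    return found


def frequency_trigger(text, mode_name, more_than):
    """Pattern frequency trigger: fire only when more than `more_than` numbers are found."""
    return len(detect_card_numbers(text, mode_name)) > more_than


if __name__ == "__main__":
    for name, sample in (("loose", LOOSE_EXAMPLE), ("medium", MEDIUM_EXAMPLE), ("strict", STRICT_EXAMPLE)):
        print(name, {m: detect_card_numbers(sample, m) for m in MODES})
```

Running it shows the modes nest as the page describes: the Loose example is found only in Loose mode, the Medium example in Loose and Medium, and the Strict example in all three, while a number glued to other text (no whitespace around it) is rejected by Strict mode. The frequency helper is the "ignore one, warn past five" behaviour from the last item above.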
Clipboard Origin
Clipboard Origin is used to detect data that has been pasted into the clipboard from a specific webpage or application. For example, you can create a rule that prevents a user from copying customer data from your CRM site.
Sensitive data to detect: You can choose from Webpage URL or Application.
Conditions: You can use conditions like contains, equals, and matches regex with the values you've entered. Alternatively, you can use the matches list or equals list conditions with available Shared Lists.
File Origin
File Origin detects file sharing based on its origin or source. You can choose from Network, Cloud, or URL.
Sensitive data to detect: If you choose the Cloud option, you will see a Select provider list. From this list, you can choose a cloud provider such as Box, Dropbox, etc.
Conditions: If you choose the Network or URL option from the Sensitive data to detect list, you can use conditions like contains, equals, and matches regex with the values you've entered. Alternatively, you can use the matches list or equals list conditions with available Shared Lists.
File Properties
File Properties detects Microsoft Office files based on their file properties or meta-tags. As an example, you can create a rule that prevents sharing any Microsoft Word document outside your company that has a ‘Restricted’ property containing the string value ‘Yes’. You can create such tags/fields/properties from an application (such as Microsoft Word) or Windows Explorer.
Field type: You can choose a field type from options like Any, Integer, String, or Date. The String type is the most commonly used.
Specify value: The type of value and condition you can use depends on the Field type you select:
Integer: You can enter an integer (a number without any decimal) and choose from <, =, or > conditions.
String: You can use conditions like contains, equals, and matches regex with the values you've entered. Alternatively, you can use the matches list or equals list conditions with available Shared Lists.
Date: You can enter a date value (e.g., "01/01/2023") and use the equals, greater than, or less than conditions.
Actions
The Actions tab is where you define the system's response to a rule violation. This can include warning or blocking a user, sending a notification email to an admin, or recording a video of the desktop.
Keep in mind that not all actions are available for every rule type. For example, most Agent Schedule rules only support the Notify action. Similarly, certain rule types have unique actions. For instance, Webpages has a Redirect action that isn't available for other rule types.
On Mac, only the following actions are supported: Notify, Block, Warn, Lock User. Some actions might not be supported for all the rule criteria. Actions may also behave slightly differently from Windows. Please see this article on our Knowledge Base to learn more about what rules and features are supported on Mac.
In some cases, you can use multiple actions as long as they don't conflict. For example, you can use the Notify and Block actions together because they serve different purposes. However, you can't use Block and Lock User simultaneously, as both prevent the user from performing an action. The Rule Editor will automatically disable any actions that conflict with your current selections.
There are two ways you can set up actions:
Basic Actions
The Basic mode is the easiest way to configure actions and is recommended for beginners. With this mode, you can set up simple actions, but you cannot configure any advanced options like the alert frequency, risk thresholds, etc.
Notify (Windows & Mac)
The Notify action sends an email notification to the specified users or email addresses whenever a rule is violated. You can select recipients from your existing user list or manually add email addresses.
You can configure how the emails will be sent from the Settings > Alerts > Alert emails limit field.
General Notes:
You can send notifications to a maximum of 15 email addresses.
Notes About Mac:
On a Mac, the Notify action is available for all supported rules except for the Keystrokes rule.
Notes About OCR Rules:
By default, OCR notify alerts are limited to one per rule, app, user, and computer within a four-minute window. However, on-premises customers can change this by adding the following line to their teramind.config file:
web_instances_disable_ocr_alert_throttling=onsite
After editing the configuration file, you must restart your teraweb container for the changes to take effect.
Block (Windows & Mac)
The Block action stops a user activity from completing. For example, it can block a web upload before any data is sent to a site.
You can choose to display a message to the user when this action is triggered. To format the message and improve its appearance, you can use the Use HTML Template option. To learn more about this, see the Settings > Alerts > Custom Alert Template section.
You can use the Settings > Alerts > User notification alert threshold option to specify the duration Teramind should wait before showing multiple alert messages.
General Notes:
In most cases, if you use this action with a Webpages rule, the browser tab for that webpage or URL will close immediately after the message is shown. However, if the rule is triggered after a delay (e.g., by an Idle Time criterion), the tab won't close. Instead, the webpage will be replaced by a blank page with your message, and the same message will also appear in a pop-up window.
If you use this action with an Emails rule to block a user from sending an email, the email will not be sent, and the draft will be deleted.
Lock User (Windows & Mac)
The Lock User action displays a standard message box to the user if you have set a message. When they click the "OK" button, they will be taken to the lock screen and locked out of the system:
If you don't specify a message, no message box will be shown, and the user will be locked out immediately.
If the user tries to log back in, they will be logged out automatically. An administrator must unlock the user for them to be able to log in again. You can find more information on unlocking a user in the Employee Actions Menu section.
General Notes:
While this action does not have the Use HTML Template option like the Warn or Block actions, you can still show an HTML-formatted message if you enable the Alerts > Custom alert template option as the default.
This action is designed to work only with the Stealth Agent and will not be enforced on the Revealed Agent. Please note that the lockout feature is not a complete protection against user tampering and has the following limitations:
Only the selected user account will be locked out. If other user accounts exist on the computer, those users will still be able to log in.
A user may still be able to log in using Windows Recovery mode.
A user could potentially remove the computer's hard drive and connect it to another machine to access data.
Notes About Mac:
On Mac systems, when this action is triggered, the user is locked out only once and taken to the login screen, and they can log back in.
If the action is configured with an Applications condition, the last active application specified in the condition will be terminated, and the user will be locked out.
If the action is used with a Networking rule, the network connection that triggered the rule will be closed.
The Lock action for Webpages rules is supported only by the Webpage Title criterion.
Redirect (Windows)
The Redirect action sends a user to a different website when they try to access a specific URL. For example, if a user attempts to visit a gambling site, you can redirect them to your company's policy page instead.
General Notes:
This action is available for Webpages rules only.
Warn (Windows & Mac)
The Warn action displays a warning message to the user. To format the message and improve its appearance, you can use the Use HTML Template option. To learn more about this, see the Settings > Alerts > Custom Alert Template section.
You can use the Settings > Alerts > User notification alert threshold option to specify how long Teramind should wait before showing multiple alert messages.
Switch Task (Windows)
With the Switch Task action, you can automatically assign a new task to a user when a rule is violated. For instance, if you detect a user is idle (by using the "Time idle" criterion in an Applications or Webpages rule), you can automatically switch their task to "Break" or a similar designation.
You can use the Settings > Alerts > Rule task selection action timeout option to specify how long Teramind should wait before assigning the new task to the user.
General Notes:
This action is only applicable to the Teramind Stealth Agent.
Record (Windows)
The Record action automatically captures a video clip of a rule violation incident. You can specify how many minutes before and after the incident the recording should be.
This action is useful if you don't want to record the screen continuously, but only during and around a specific rule violation.
General Notes:
To use this action, you must enable the Screen Recording > Record only when behavior rule was violated option.
Even if video recording is disabled in your Screen Recording monitoring settings, you can still record a video clip of the rule violation incident with this action.
Command (Windows)
The Command action allows you to automatically execute a Windows command or script when a rule is violated.
This is a powerful feature because it lets you run any application or script on a user's computer. For example, you could force a PC to shut down with shutdown /s /f /t 0, kill a specific task using taskkill -im, and much more.
Advanced Actions
In Advanced mode, you can set up risk thresholds and severity levels for a rule. This allows you to add multiple thresholds, assign different risk levels, and trigger various actions based on how often a rule is violated.
For example, you could create a Files rule that:
Sets a Low-risk severity and triggers a Warn action if a user uploads more than 5 files in a day.
Escalates to a High-risk severity and triggers both Block and Notify actions if the user uploads more than 50 files in a day.
The risk levels you define in this mode are used to calculate the overall risk score, which is reflected in places like the Risk column on the Behavior Alerts dashboard.
1. From the Choose time period for threshold list, select the desired time period for your thresholds (e.g., Hourly, Daily, Monthly).
2. In the Choose maximum numbers of saved alerts per day field, enter the maximum number of alerts that can be triggered for this rule in a single day. If the number of alerts exceeds this limit, Teramind will not save any further alerts, and they will not appear on the Behavior Alerts dashboard. Leaving the field empty means there is no daily limit. Setting it to 0 will prevent any alerts from being generated for the rule, though the rule will still trigger. Note that you can also set a global daily maximum for alerts in the Settings > Alerts screen.
3. Click the New Threshold button to add a new threshold. For each threshold you add, you can set the following:
a. Enter a number in the Frequency field to define how many times the rule can be violated before an action is triggered.
b. Select a risk severity from the Severity drop-down list. Your options are None, Low, Moderate, High, or Critical.
c. Click the Add button to add one or more actions. These actions (e.g., Notify, Warn) are the same as those available in the Basic mode.
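To make the threshold mechanics above concrete, here is an added Python model of Advanced-mode evaluation. It is not Teramind's implementation; it replays violations in time order, counts them per user within the chosen time period, picks the highest threshold crossed, and applies the "maximum saved alerts per day" cap with the semantics the page gives (empty means no limit; 0 means the rule still triggers but nothing is saved). The thresholds are the page's Files-rule example (Low/Warn past 5 uploads a day, High/Block+Notify past 50). Assumptions, also marked in the code: counts are kept per user, an action fires on every violation past its frequency rather than once, and the daily save cap applies to the rule as a whole. The upload events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The page's Files-rule example thresholds.
THRESHOLDS = [
    {"frequency": 5, "severity": "Low", "actions": ["Warn"]},
    {"frequency": 50, "severity": "High", "actions": ["Block", "Notify"]},
]

# Time period for thresholds, as offered by the "Choose time period for threshold" list.
PERIOD_FORMATS = {"Hourly": "%Y-%m-%d %H", "Daily": "%Y-%m-%d", "Monthly": "%Y-%m"}


def make_uploads(user, day, count):
    """Constructed sample data: `count` file-upload violations by `user`, one per minute from 09:00."""
    base = datetime.strptime(day, "%Y-%m-%d").replace(hour=9)
    return [(user, base + timedelta(minutes=m)) for m in range(count)]


def evaluate(events, thresholds=THRESHOLDS, period="Daily", max_saved_alerts_per_day=None):
    """Replay (user, timestamp) violations in time order. For each violation that crosses a
    threshold, report the highest threshold crossed, its actions, and whether the alert
    would still be saved under the daily cap.

    Assumptions: counts are per user and per period; an action fires on every violation
    past its frequency; the save cap counts all alerts of this rule in a day."""
    counts = defaultdict(int)       # (user, period key) -> violations so far
    saved_today = defaultdict(int)  # day -> alerts already saved for this rule
    outcomes = []
    fmt = PERIOD_FORMATS[period]
    for user, ts in sorted(events, key=lambda e: e[1]):
        key = (user, ts.strftime(fmt))
        counts[key] += 1
        n = counts[key]
        crossed = [t for t in thresholds if n > t["frequency"]]  # "more than N"
        if not crossed:
            continue
        top = max(crossed, key=lambda t: t["frequency"])
        day = ts.strftime("%Y-%m-%d")
        # None = no daily limit; 0 = the rule still triggers but no alert is saved.
        saved = max_saved_alerts_per_day is None or saved_today[day] < max_saved_alerts_per_day
        if saved:
            saved_today[day] += 1
        outcomes.append({"user": user, "count": n, "severity": top["severity"],
                         "actions": top["actions"], "saved": saved})
    return outcomes


if __name__ == "__main__":
    for o in evaluate(make_uploads("alice", "2024-03-01", 52))[-3:]:
        print(o)
```

With 52 uploads in one day the sixth through fiftieth each produce a Low/Warn outcome and the last two escalate to High with Block and Notify; a second day starts its own count, and with the cap set to 1 only the first alert of the day is marked as saved.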
Previewing / Copying / Moving / Exporting / Removing a Rule
You can manage rules from the Configurations > Behavior policies screen:
1. Click the Right Arrow icon in front of a policy’s name to expand it and view the rules under it (you can also double-click a policy name to expand/collapse it).
2. Click the Three Dots in front of a rule. The Context Menu for the rule will open with several options:
Preview Rule: to view the summary of the rule. A panel on the right side will show the preview:
You can click on a rule's section (e.g., General settings, Employees, etc.) to expand/collapse it.
Edit Rule: to edit the rule. Editing a rule is similar to creating a new rule.
Copy to: lets you make a copy of the rule and place it in another policy. The original rule will remain in its policy.
Move to: lets you transfer the rule to another policy.
Export Rule: lets you download the rule as a JSON file.
Remove Rule: will delete the rule.