Why are You Creating the Rule?
Consider what you are trying to achieve. Do you want to monitor user activities to prevent insider threats? Are you suspicious that an employee is committing a crime or colluding with an outsider? Or, are you trying to prevent IP leaks through external vendors? Do you need to comply with regulations, such as HIPAA, GDPR, etc.?
Create a new policy or assign it under an existing policy that fits the rule’s purpose.
What Activity, Content, or Behavioral Anomaly Do You Want to Detect?
Are you trying to detect discrepancies in employees’ schedules? Does it involve an “activity” such as uploading a document? Or do you need to protect “content” such as sensitive information within a document?
Select a Rule Type from the Rule Editor’s General Settings tab.
Where is the Activity Performed or Content Located?
Next, you need to figure out where the activity or content sharing takes place. Does it involve emails? Transfer of files? Or, are there multiple ingress/egress points that you need to monitor, for example, emails + IM + website uploads?
Use the “Select the type of activities” or “Select the type of contents” option from the Rule Editor’s General Settings tab.
When Should the Rule be Active?
Do you want the rule to run 24/7 or follow a schedule? For example, do you want the rule active during work hours but disabled during employee lunch breaks?
Whom Should it Apply to?
Do you need the rule for everyone? Certain users, groups, or departments? How about setting up a terminal server to monitor all your vendors or external partners? Do you need to exclude anyone from the rule’s enforcement?
You can choose all these from the Employees tab on the Rule Editor. You can also select users on a policy basis by turning on the “Inherit targets from Parent Policy” option.
What Makes the Data Sensitive?
If you are trying to detect content, can you describe how the data looks? Does it have a clear structure, such as a credit card number? Or, do you need to detect information that is unstructured or dynamic in nature?
Use the Content tab on the Rule Editor to define your content. You can choose from Predefined Classified Data or create your own custom data types by selecting other options from the list.
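The distinction above between structured data (a credit card number has a fixed shape and a checksum) and unstructured or dynamic data (a project codename, a marker word) is easiest to see in code. The following is an added example, not Teramind’s own classifier: a constructed pattern plus a Luhn check stands in for a predefined classified data type, and two hypothetical named regexes (the codenames “Falcon” and “Osprey” and the word CONFIDENTIAL are made-up values) stand in for custom data types. The Luhn check is what keeps a random 16-digit order number from being flagged as a card.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces
# or dashes, bounded by non-digits. Constructed pattern for this example.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Custom, unstructured data types modelled as named regexes. The names and
# values are hypothetical, not predefined Teramind classes.
CUSTOM_DATA_TYPES = {
    "project_codename": re.compile(r"\bProject\s+(?:Falcon|Osprey)\b", re.IGNORECASE),
    "internal_marker": re.compile(r"\bCONFIDENTIAL\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: weeds out random digit runs such as order or ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalised digit strings that look like card numbers AND pass Luhn."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> dict[str, list[str]]:
    """Map each matched data type to its matches; an empty dict means nothing sensitive."""
    found: dict[str, list[str]] = {}
    cards = find_card_numbers(text)
    if cards:
        found["credit_card"] = cards
    for name, pattern in CUSTOM_DATA_TYPES.items():
        matches = [m.group() for m in pattern.finditer(text)]
        if matches:
            found[name] = matches
    return found


if __name__ == "__main__":
    # Constructed sample document text; the first number fails Luhn, the second passes.
    sample = ("Invoice ref 1234 5678 9012 3456 for Project Falcon. "
              "Card on file: 4111-1111-1111-1111, exp 12/26.")
    print(classify(sample))
```

Run it on a document and only the Luhn-valid number is reported as a card, while the codename is reported under its own custom type; this is the same split the Content tab asks you to make when choosing between predefined and custom data types.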
What Scenarios Violate the Rule?
Now, you have to think about scenarios that will trigger the rule. You might need multiple criteria, conditions, and logic to detect the rule violation. Remember, there are also multiple ways of achieving the same result.
For example, if you wanted to prevent files from being uploaded to cloud drives, you could use the File Operation criterion with the “Upload” condition. Then, use a second criterion, Upload URL, and specify website addresses such as “google.com/upload”, “dropbox.com”, etc., as the condition. This will help you detect file uploads via those websites.
Alternatively, you could select the “Write” condition for the File Operation criterion with the Cloud Providers criterion to detect file uploads via the desktop app of the cloud drive.
Use the individual Rule Type/Content tabs (e.g., Websites, Applications, etc.) on the Rule Editor to define the criteria and conditions for the activity or content.
Before you begin setting up rules and conditions, we recommend you first explore the different dashboards and reports using a test computer. This will help you understand how Teramind detects certain activities.
For example:
To create rules for specific apps or websites, check the Applications & Websites dashboard. Pay close attention to the App/Domain and Title columns—they show you the exact application names and window captions you can use for rule criteria such as Application Name, Caption, etc.
To create rules for files, look at the File Events and Web File Events dashboards. They will show you the exact file names, paths, and URLs you need.
By checking these dashboards first, you can find the precise information needed to configure your rules correctly. For instance, while you might assume the upload URL for Google Drive is "drive.google.com", the dashboards would show you the actual URL is something more specific, like "...google.com/upload...". This process ensures your rules are accurate and effective.
What Action(s) Do You Want to Take?
What should the system do when a rule is broken? Do you want it to notify you immediately? Or, do you want it to take some preventive actions too? For example, block the action? Or do you need to take a sequence of actions? For example, block the action but also record the incident? Or, take different actions depending on how often the user has broken the rule? Assign a risk level to the action?
Use the Actions tab on the Rule Editor to define the action(s). Use the Advanced tab to assign multilevel thresholds and risks.
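The two sections above (the criteria and conditions that make a scenario violate the rule, and the actions escalated by how often the rule has been broken) can be put together in one small evaluator. This is an added example, not Teramind’s rule engine or its event schema: the event fields, the app names and the threshold tiers are constructed for illustration. It models the two approaches from the text, File Operation “Upload” plus an Upload URL match for browser uploads, and File Operation “Write” plus a Cloud Providers match for desktop sync clients, and it shows why matching the URL on host and path (“google.com/upload”) catches an upload that a bare “drive.google.com” condition would miss, as the dashboard note explains.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class FileEvent:
    """One observed endpoint event (constructed shape, not Teramind's schema)."""
    user: str
    operation: str          # e.g. "upload", "write", "read"
    path: str
    url: str = ""           # destination URL for browser uploads, else empty
    app: str = ""           # process name for desktop-app writes, else empty


@dataclass
class Rule:
    name: str
    browser_operations: set          # File Operation conditions paired with Upload URL
    upload_url_patterns: list        # Upload URL conditions, matched as substrings of host+path
    desktop_operations: set          # File Operation conditions paired with Cloud Providers
    cloud_apps: set                  # Cloud Providers conditions (lower-case process names)
    thresholds: list = field(default_factory=list)  # (violation count, action), any order


def url_matches(url: str, patterns: list) -> bool:
    """Match against host+path so "google.com/upload" fires for docs.google.com/upload,
    while a bare "drive.google.com" pattern does not."""
    parsed = urlparse(url)
    target = (parsed.netloc + parsed.path).lower()
    return any(p.lower() in target for p in patterns)


def violates(rule: Rule, event: FileEvent) -> bool:
    """Criterion logic: (upload AND url matches) OR (write AND cloud desktop app)."""
    via_browser = (event.operation in rule.browser_operations
                   and bool(event.url)
                   and url_matches(event.url, rule.upload_url_patterns))
    via_desktop = (event.operation in rule.desktop_operations
                   and event.app.lower() in rule.cloud_apps)
    return via_browser or via_desktop


class RuleEngine:
    """Counts violations per user and escalates the action by threshold."""

    def __init__(self, rule: Rule):
        self.rule = rule
        self.violations = defaultdict(int)

    def evaluate(self, event: FileEvent) -> Optional[str]:
        """Return the action to take for this event, or None if it does not violate the rule."""
        if not violates(self.rule, event):
            return None
        self.violations[event.user] += 1
        count = self.violations[event.user]
        action = None
        for limit, name in sorted(self.rule.thresholds):
            if count >= limit:
                action = name        # highest satisfied threshold wins
        return action


def demo_rule() -> Rule:
    """Hypothetical 'no cloud uploads' rule; app names and tiers are assumed values."""
    return Rule(
        name="Block cloud uploads",
        browser_operations={"upload"},
        upload_url_patterns=["google.com/upload", "dropbox.com"],
        desktop_operations={"write"},
        cloud_apps={"dropbox.exe", "googledrivefs.exe"},
        thresholds=[(1, "notify"), (3, "block"), (5, "lock_user")],
    )


if __name__ == "__main__":
    engine = RuleEngine(demo_rule())
    # Constructed events: two browser uploads and one desktop sync write by the same user.
    events = [
        FileEvent("alice", "upload", "C:/docs/plan.docx", url="https://docs.google.com/upload/photos?x=1"),
        FileEvent("alice", "write", "C:/Users/alice/Dropbox/plan.docx", app="Dropbox.exe"),
        FileEvent("alice", "upload", "C:/docs/plan.docx", url="https://www.dropbox.com/home"),
        FileEvent("bob", "read", "C:/docs/plan.docx"),
    ]
    for ev in events:
        print(ev.user, ev.operation, "->", engine.evaluate(ev))
```

The first two violations only notify; the third crosses the “block” tier, which is the multilevel behaviour the Advanced tab configures. Swapping the URL pattern list for `["drive.google.com"]` makes the first event silently pass, which is exactly the mistake the dashboard check is meant to catch.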