Understanding Common Rule Elements

Updated this week

Rule Editor

When you create or edit a rule, the Rule Editor opens, where you can define the rule elements.

The following sections describe what the common elements are and how to use them.

Rule Name and Description

Each rule lets you specify a name and, optionally, a description for the rule. You can set them from the General Settings tab.

Parent Policy

Each rule needs to belong to a policy. Select the policy from the General Settings > Parent Policy drop-down menu.

Tags

Tags are keywords you can assign to a rule to easily identify it. They are useful in searching for the rule and can also be used as filters (e.g., on the Behavior Alerts report). You can define Tags from the General Settings tab.

Rule Type

You can select the Rule Type from the General Settings tab:

There are three types of rules you can choose from: Activity, Content Sharing, and Schedule.

After selecting a Rule Type, you can select which activities (for the Activity rule type) or content (for the Content Sharing rule type) to detect, for example, Applications, Websites, Emails, etc. Note that Schedule rules don’t have any additional options for this setting.

The table below shows which rule type supports which activity/content and their use cases:

Use Cases

  • Activity: Useful for detecting and controlling user activities for a range of monitored objects. For example, restricting app/website usage. Or, preventing file transfer operations (copy, upload, download, etc.) on a folder/app/URL.

  • Content Sharing: Useful for protecting sensitive data. For example, block an email that contains personally identifiable information. Or, preventing file transfer operations when certain content is detected in the file.

  • Schedule: Useful for detecting discrepancies in employee schedules or workflow. For example, receive a notification when an employee is late. Or, block remote login during off-hours or from unrecognized IPs.

Type of Activity/Content

Notes:

  • Content Sharing rule is only available on Teramind DLP.

  • OCR rule is available as an add-on.

  • Teramind Starter only has these rules available: Agent Schedule, Webpages, Applications, IM, Browser Plugins, Registry, Windows Log Event.

Rule Schedule

By default, the rule stays active for 24 hours. However, you can adjust it to match your employees' work schedule. To change when the rule is active, drag the two Orange Circles to adjust the time. Click the Reverse icon to reverse the time.

The rule schedule is based on the Dashboard's localization settings (the Timezone option under the Configurations > Settings > Locale screen).

Rule Violation Severity

The Rule Violation Severity setting lets you specify a risk level for the rule. You can either drag the slider or enter a number from 0 to 100 in the number field.

Condition Blocks

Condition blocks contain a set of criteria, conditions, condition values and logic that define the rule’s overall detection capabilities.

In the above example, there are two condition blocks, “Condition 1” and “Condition 2”.

You can use the New Condition button to add a condition block to the rule.

Rule Criteria

Rule Criteria let you define detection parameters for the rule.

For example, in an Applications rule, you might want to detect the Application Name or Application Caption. In a Files rule, you might want to detect the File Path, etc. These are all examples of rule criteria.

You can use the Add button to add a criterion to a condition block.

Condition Fields

You use the condition fields in a rule to specify what values to compare the rule criteria (parameters) with.

You can add a field value by clicking on a blank space in the field or by clicking the small Plus button.

In most condition fields, you can also start typing in the field, then select an option from the pop-up to tell Teramind what type of condition/match to use.

Other fields come with a drop-down list, checkmarks, or toggle options.

There are several conditions you can use within the fields to compare/match with the values. For example:

Contains

Use the Contains condition for a partial text match. For example, if you search for “you”, the Contains condition will detect any of these texts: “YouTube”, “youtube.com”, “youth”, “layout”, since they all contain the text “you”.

Note that this condition isn’t case-sensitive, so “You”, “YOU”, and “you” all produce the same result.

Equals

Similar to the Contains condition, but in this case the text has to be an exact match. For example, if you search for “you”, the Equals condition will NOT detect any of these texts: “YouTube”, “youtube.com”, “youth”, “layout”. However, it will detect “You”, “YOU”, and “you”: the Equals condition isn’t case-sensitive, so they count as exact matches even though the cases differ.

Matches Regex

For complex matches, such as Credit Card Numbers, Social Security Numbers, etc., you can use the Match RegExp option. For example, the regular expression “[a-zA-Z]{2}[0-9]{12}” will detect any text made up of 2 alphabet characters immediately followed by 12 digits, such as “PO123456789123” or “ab123456789012”.

Teramind supports the standard Regular Expression library available in C++.

Check out this article on our Knowledge Base to learn more about Regular Expressions.
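An added example (not Teramind's code) that runs the pattern quoted above through C++ `std::regex`, the library this section names, to show how an unbounded pattern behaves on longer text. It assumes the rule searches inside the captured text rather than requiring the whole text to match, which the page does not state; the `\b`-bounded variant, the function names and the sample strings are constructed here.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// Pattern quoted on the page, and a variant with word boundaries added for this example.
const std::string kLoose = "[a-zA-Z]{2}[0-9]{12}";
const std::string kBounded = "\\b[a-zA-Z]{2}[0-9]{12}\\b";

// Search semantics: every substring of `text` that the pattern matches
// (std::regex default ECMAScript grammar).
std::vector<std::string> regex_hits(const std::string& pattern, const std::string& text) {
    const std::regex re(pattern);
    std::vector<std::string> hits;
    for (std::sregex_iterator it(text.begin(), text.end(), re), end; it != end; ++it)
        hits.push_back(it->str());
    return hits;
}

// Full-match semantics: true only when the whole of `text` is one match.
bool regex_whole(const std::string& pattern, const std::string& text) {
    return std::regex_match(text, std::regex(pattern));
}

int main() {
    // Constructed sample texts: a standalone identifier, and one buried in a longer token.
    const std::vector<std::string> samples = {"Invoice PO123456789123 approved",
                                              "ref=xxAB1234567890123456789"};
    for (const auto& text : samples) {
        std::cout << text << "\n  loose:   " << regex_hits(kLoose, text).size()
                  << " hit(s)\n  bounded: " << regex_hits(kBounded, text).size()
                  << " hit(s)\n";
    }
}
```

Under search semantics the unbounded pattern also fires on the 14-character slice inside the longer token, which is a common source of false positives in content rules; the bounded variant only reports the standalone identifier.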

Matches Glob

This condition can be used in some specific cases, e.g., in File-based rules. It finds texts which follow a specific pattern or 'glob'.

The "*" glob will match zero or more characters. For example, the glob match *.exe pattern in the File path criteria of a File-based rule will match all the executable files.

The "?" glob will match exactly one character, but you can also use more than one together. For example, glob match Sales????.doc will match “Sales2022.doc”, “SalesACME.doc”, “Sales23NA.doc”, etc.

The special "**" glob (called "globstar") can be used to detect any directories and subdirectories. This makes recursive directory searches easy. Here’s an example:

The above example, with the glob match "\Users\**\Documents\*.docx" condition, will detect any Word document in paths like:

  • \Users\Danny\Documents

  • \Users\Brian\Documents

  • \Users\Public\Documents\Jason\Sales\Documents

  • \Users\Joe\Sensitive\Proposals\Documents

  • etc.
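An added sketch (not Teramind's matcher) of the glob semantics described above, useful for checking what a File path pattern covers before relying on it. Assumptions not stated on the page: "*" and "?" stay within one path segment, "**" spans zero or more directories, comparison is case-insensitive, and paths are written without a drive letter as in the list above; the file names in the sample paths are constructed.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

using Parts = std::vector<std::string>;

// Split a path or pattern on backslashes, dropping empty segments.
Parts split(const std::string& s) {
    Parts parts;
    std::string cur;
    for (char c : s) {
        if (c != '\\') { cur += c; continue; }
        if (!cur.empty()) parts.push_back(cur);
        cur.clear();
    }
    if (!cur.empty()) parts.push_back(cur);
    return parts;
}

// One segment: '*' matches zero or more characters, '?' exactly one.
bool seg_match(const std::string& p, std::size_t i, const std::string& s, std::size_t j) {
    if (i == p.size()) return j == s.size();
    if (p[i] == '*')
        return seg_match(p, i + 1, s, j) || (j < s.size() && seg_match(p, i, s, j + 1));
    if (j == s.size()) return false;
    const bool same = p[i] == '?' || std::tolower(static_cast<unsigned char>(p[i])) ==
                                         std::tolower(static_cast<unsigned char>(s[j]));
    return same && seg_match(p, i + 1, s, j + 1);
}

// Segment lists: "**" matches zero or more whole directories.
bool parts_match(const Parts& p, std::size_t i, const Parts& s, std::size_t j) {
    if (i == p.size()) return j == s.size();
    if (p[i] == "**")
        return parts_match(p, i + 1, s, j) || (j < s.size() && parts_match(p, i, s, j + 1));
    return j < s.size() && seg_match(p[i], 0, s[j], 0) && parts_match(p, i + 1, s, j + 1);
}

bool glob_match(const std::string& pattern, const std::string& path) {
    return parts_match(split(pattern), 0, split(path), 0);
}

int main() {
    const std::string pat = "\\Users\\**\\Documents\\*.docx";
    std::cout << std::boolalpha
              << glob_match(pat, "\\Users\\Danny\\Documents\\plan.docx") << "\n"
              << glob_match(pat, "\\Users\\Danny\\Documents\\Archive\\plan.docx") << "\n";
}
```

Under these assumptions a document one level below a Documents folder (for example \Users\Danny\Documents\Archive\plan.docx) is not covered, because *.docx must sit directly inside a folder named Documents.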

Matches List

This is similar to the Contains condition, but matches with any item on a Shared List. So, for example, if you had a shared list containing “YouTube”, “youtube.com”, “youth”, “layout”, etc., then any text like “you”, “tube”, “You”, “Out”, etc., will be detected.

Check out the Shared List section on the Teramind User Guide to learn more about Shared Lists.

Equals List

This is similar to the Equals condition but will check for an exact match with any item on a Shared List. So, for example, if you had a shared list containing “YouTube”, “youtube.com”, “youth”, “layout”, etc., then any text like “youtube”, “Youtube”, “YouTube” will be detected. However, “you”, or “tube”, etc., will NOT be detected.

Check out the Shared List section on the Teramind User Guide to learn more about Shared Lists.

Rule Logic

Rule logic binds two or more Condition Blocks, Condition Fields, Criteria or Content Definitions together.

Condition Logic

Rule conditions can either have an “OR” logic or an “AND” logic.

1. Each value in a rule condition is considered as an “OR” logic. In the above example, the rule will trigger in Condition 1 if the “Application caption” matches the value “Excel” or the value “Notepad”.

2. Each rule criterion is considered as an “AND” logic. In the above example, the rule will trigger if, in Condition 1, the criterion “Application caption” matches “Excel” and the criterion “Application name” matches “excel.exe”.

3. If you have multiple condition blocks, each new condition block is considered as an “OR” logic. In the above example, if either Condition 1 or Condition 2 meets the criterion, the rule will be triggered.

4. If you use multiple rule types (e.g., Applications, Files, etc.), then each rule type is considered an OR condition. Each rule type is evaluated independently, meaning the rule will trigger if any of the rule types’ conditions are met. You can see how the rule type condition logic relates to each other in the Rule Summary section.
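The evaluation order described in points 1 to 3, as an added example (not Teramind's code): values are ORed, criteria are ANDed, and condition blocks are ORed. It assumes every criterion uses the Contains condition; the `Event` structure, the function names, the sample event and Condition 2's value are hypothetical.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <vector>

using Event = std::map<std::string, std::string>;  // criterion name -> observed text
struct Criterion { std::string name; std::vector<std::string> values; };
using Block = std::vector<Criterion>;               // one condition block
using Rule = std::vector<Block>;

std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Values within one criterion are ORed; each is a case-insensitive Contains match.
bool criterion_met(const Criterion& c, const Event& e) {
    const auto it = e.find(c.name);
    if (it == e.end()) return false;
    const std::string text = lower(it->second);
    return std::any_of(c.values.begin(), c.values.end(),
        [&](const std::string& v) { return text.find(lower(v)) != std::string::npos; });
}

// Criteria within one condition block are ANDed.
bool block_met(const Block& b, const Event& e) {
    return std::all_of(b.begin(), b.end(),
                       [&](const Criterion& c) { return criterion_met(c, e); });
}

// Condition blocks are ORed: returns the 1-based number of the first block met, or 0.
int rule_fires(const Rule& r, const Event& e) {
    for (std::size_t i = 0; i < r.size(); ++i)
        if (block_met(r[i], e)) return static_cast<int>(i) + 1;
    return 0;
}

Rule sample_rule() {  // Condition 1 as quoted in the text; Condition 2 is constructed
    Block c1 = {Criterion{"Application caption", {"Excel", "Notepad"}},
                Criterion{"Application name", {"excel.exe"}}};
    Block c2 = {Criterion{"Application name", {"winword.exe"}}};
    return {c1, c2};
}

int main() {  // constructed event: the caption matches Condition 1, the process name does not
    Event e = {{"Application caption", "Untitled - Notepad"}, {"Application name", "notepad.exe"}};
    std::cout << "condition block met: " << rule_fires(sample_rule(), e) << "\n";
}
```

A Notepad window matches a caption value but not the process name, so Condition 1 is not met: adding a value to a criterion widens a rule, while adding a criterion narrows it.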

Content Logic

When you create a Content Sharing rule with multiple content definitions, you can use logic to bind the definitions together. You can do so under the Advanced logics section of the Content tab.

Click on the logic between two conditions, and a pop-up menu will appear where you can select a logic out of four options:

You can see how the content definition logic relates to each other in the Rule Summary section.

The table below explains each type of logic and how they are evaluated:

AND

  • Evaluates true if: BOTH definitions are met.

  • Example: In the above example, we are using the tags field from the File Properties in Definition 1 and the title field in Definition 2. The logic will return true if file tags equal the text “CONFIDENTIAL” and the title contains “PRIVATE”. As a result, the rule will detect files that are both confidential and private.

OR

  • Evaluates true if: EITHER of the definitions is met.

  • Example: Using the above example, the logic will return true if file tags equal the text “CONFIDENTIAL” or the title contains the text “PRIVATE”. As a result, the rule will detect files that are either confidential or private.

AND NOT

  • Evaluates true if: The first definition is met AND the second definition is NOT met.

  • Example: Using the above example, the logic will return true if file tags equal the text “CONFIDENTIAL” and the title does not contain the text “PRIVATE”. As a result, the rule will detect files that are both confidential and not private.

OR NOT

  • Evaluates true if: The first definition is met OR the second definition is NOT met.

  • Example: Using the above example, the logic will return true if file tags equal the text “CONFIDENTIAL” or the title does not contain the text “PRIVATE”. As a result, the rule will detect all files except the private ones.

Employees

The Employees tab allows you to specify which target employees, departments, computers, etc., the rule will apply to.

1. By default, the rule will inherit the rule targets (employees, computers, departments, etc.) from its parent policy. However, you can turn off the Inherit settings from Parent Policy option to select them manually:

a. Enter employees, computers, and/or departments in the Apply rule to field.

b. Optionally, you can exclude any targets you don’t want to be included using the Exclude from rule field.

Action

The Actions tab is where you define the system's response to a rule violation. This can include warning or blocking a user, sending a notification email to an admin, recording a video of the desktop, and so on.

See the Defining Rule Actions section to learn more about actions.

Rule Summary

On the far right of the editor, you'll find the Rule Summary. This section provides an overview of your rule, with each tab or step displayed as a separate entry. It shows the criteria, conditions, and other options you've selected.

The Rule Summary also alerts you to any errors, such as a missed mandatory field. As you move through each tab, the corresponding summary section automatically expands. You can also manually expand or collapse a section by clicking its name or using the Up Arrow/Down Arrow icons.
