Activity rules are useful for detecting and controlling user activities across the monitored systems, for example restricting app launches, blocking websites, or preventing file transfers.
You can specify the detection criteria for the Activity rules from their respective activity tab(s). For example, if you selected Webpages and Emails from the Select the type of activities section (in the General Settings tab), you will have two tabs called “Webpages” and “Emails” where you can add the rule criteria, conditions, and values.
Webpages (Windows & Mac)
Webpages Activity rules allow you to detect web browsing activities through URL, title, browser name, query arguments, etc., and time spent on webpages.
Webpages Rule Examples
Warn users when spending excessive time on social media or entertainment sites such as YouTube.
Restrict access to non-whitelisted/unauthorized websites but allow managers to override if needed.
Find out potential turnover by checking if employees are searching on job sites. Get notified if the time spent on such sites exceeds a threshold.
Webpages Rule Criteria
The table below shows what criteria the Webpages Activity rules support and what conditions you can use with them.
On Mac, only the following criteria are supported: Webpage URL, Webpage Title, Request Type, Query Argument Name, and Private Mode (Safari only).
Capture Any Events
This criterion lets you detect if any webpage is visited.
If you use this option without any other criteria, Teramind will trigger the rule anytime a webpage is visited.
Webpage URL
This criterion can be used to detect a URL (webpage address) or part of a URL.
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List and specify a “matches list” or “equals list” condition.
Similarly, you can exclude any URLs by specifying them in the Except field.
To avoid false positives, we recommend using most of the URL or the full URL if possible when using any of the conditions. For example, use “https://www.facebook.com” instead of “facebook”.
To further refine which type of URL requests your rule should detect, you can use the following two options to distinguish user-initiated queries from automated or secondary resource queries, helping you avoid false positives:
Ignore background or automated requests?*:
Choose Yes to make the rule detect only direct user visits to the webpage, while ignoring automated or background requests made by embedded ads or scripts on the page.
Here’s an example:
1. Imagine you have a rule that blocks the Webpage URL “facebook.com”.
2. A user visits an unrelated website, such as “news.com”, which has some Facebook ads.
If you enable the Ignore background or automated requests? option, the user will be able to visit “news.com” without the rule being triggered. The rule will only block direct attempts to visit “facebook.com”.
Ignore when a webpage requests static content?*:
If you select Yes for this option, the rule will ignore browser requests for static content (e.g., JS, CSS, images), pages opened through an iframe, and API requests.
Here’s an example:
1. Imagine you have a rule that blocks the Webpage URL “imagehub.com”.
2. A user visits an unrelated website, such as “news.com”, which loads some CSS and image files from “imagehub.com”.
In the case above, if you enabled the Ignore when a webpage requests static content? option, the user will be able to visit “news.com” freely, but the images will not load.
Webpage Title
This criterion is similar to the Webpage URL criterion, just use the webpage title instead.
If the rule fails to detect webpage titles, ensure the Track window titles option is enabled in the Websites monitoring settings.
Browser
This criterion allows you to specify one or more browsers to detect. You can choose from the list of predefined browsers. You can also enter the browser’s process name (for example, enter msedge.exe for the Microsoft Edge browser). *See the notes below for more information.
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List and specify a “matches list”, or “equals list” condition.
You can exclude any browser(s) from the condition in the Except field.
* Tracking Browsers not in the Predefined List
If you want to use the Browser criterion with a browser not in the predefined list, you will need to include it in the Network processes to track field (Monitoring Profiles > select a monitoring profile > Network). For example, if you want to detect if the user is browsing a particular site (e.g., teramind.co) on the Epic Privacy Browser, you will need to specify its process name in the Network processes to track field and then use that same process name in the rule's Browser criterion.
If you don’t include the process name in the Network processes to track field, the rule might not work.
Query Argument Name
A query argument name is the portion of a URL where data is passed to a website. The query string begins after a “?”, and additional arguments are separated by “&”. For example: "www.contacts.com/saved?company=teramind". Here, “company” is the query argument name.
Using this criterion, you can create interesting detection rules. For example, by checking for the “compose” argument on the Gmail website, you can detect if the user is composing an email. Combining this with the Webpage URL or Webpage Title criterion, you can detect more granular activities. For example, using the text “new” in the Webpage URL and specifying “compose” in the Query Argument Name, you can tell if a user is composing a new email or editing an existing draft.
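To see how the Webpage URL conditions, the Except field, the two Ignore options and the Query Argument Name check interact, here is an added Python example (not Teramind code) that replays a constructed set of browser requests through a small rule evaluator. The request records, the initiator/kind fields that stand in for what the two Ignore options inspect, the sample hostnames and the trailing-slash normalisation used for “equals” are all assumptions made for this example; the product's exact matching behaviour may differ.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed browser requests for the example. "initiator" says whether the
# user navigated there directly or page content issued the request; "kind"
# is the resource type. Both fields are assumptions standing in for what the
# two "Ignore ..." options look at.
SAMPLE_REQUESTS = [
    {"url": "https://www.facebook.com/", "initiator": "user", "kind": "document"},
    {"url": "https://news.example/article/1", "initiator": "user", "kind": "document"},
    # tracking pixel loaded by the news page, not a user visit
    {"url": "https://www.facebook.com/tr?id=1&ev=PageView", "initiator": "page", "kind": "script"},
    # host that merely contains the text "facebook"
    {"url": "https://notfacebook.example/", "initiator": "user", "kind": "document"},
    {"url": "https://mail.google.com/mail/u/0/#inbox?compose=new", "initiator": "user", "kind": "document"},
    {"url": "https://mail.google.com/mail/u/0/#inbox?compose=a1b2c3", "initiator": "user", "kind": "document"},
]

STATIC_KINDS = {"script", "stylesheet", "image", "font", "iframe", "xhr"}


def query_argument_names(url):
    """Names of the query arguments in a URL. Single-page apps often keep
    their query after '#', so the fragment is parsed too (an assumption
    about such apps, not about any specific site)."""
    parts = urlsplit(url)
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if "?" in parts.fragment:
        frag_query = parts.fragment.split("?", 1)[1]
        names |= {k for k, _ in parse_qsl(frag_query, keep_blank_values=True)}
    return names


def url_matches(url, value, condition):
    """One Webpage URL condition: contains / equals / matches regex."""
    if condition == "contains":
        return value in url
    if condition == "equals":
        # trailing-slash normalisation is a choice made for this example
        return url.rstrip("/") == value.rstrip("/")
    if condition == "matches regex":
        return re.search(value, url) is not None
    raise ValueError(f"unknown condition: {condition}")


def rule_fires(req, value, condition, *, ignore_background=False,
               ignore_static=False, query_arg=None, except_values=()):
    """Does a Webpage rule with the given criteria fire on this request?"""
    if ignore_background and req["initiator"] != "user":
        return False          # "Ignore background or automated requests?" = Yes
    if ignore_static and req["kind"] in STATIC_KINDS:
        return False          # "Ignore when a webpage requests static content?" = Yes
    if not url_matches(req["url"], value, condition):
        return False
    if any(url_matches(req["url"], e, "contains") for e in except_values):
        return False          # Except field
    if query_arg is not None and query_arg not in query_argument_names(req["url"]):
        return False          # Query Argument Name criterion
    return True


def matching_urls(value, condition, **options):
    return [r["url"] for r in SAMPLE_REQUESTS if rule_fires(r, value, condition, **options)]


if __name__ == "__main__":
    # "contains facebook" over-matches: the ad request and notfacebook.example
    print(matching_urls("facebook", "contains"))
    # anchored regex on the host plus ignoring background requests: one hit
    print(matching_urls(r"^https://(www\.)?facebook\.com/", "matches regex",
                        ignore_background=True))
    # "new" in the URL and a "compose" query argument: new message only
    print(matching_urls("new", "contains", query_arg="compose"))
```

The first call shows why the page recommends the full URL: a bare “facebook” also hits the ad request embedded in news.example and an unrelated host whose name contains the word. The anchored regex with the background filter leaves only the direct visit, and the last call shows that “new” alone would also hit news.example until the compose argument check narrows it to the new-message URL.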
Private Mode
This criterion can be used to detect private/incognito/anonymous browsing.
Select Yes or No under the Private mode section to define if you want to detect private browsing mode.
On Windows, this criterion isn't supported on Firefox at the moment.
On Mac, this criterion is supported on Safari only at the moment.
Request Type
This criterion lets you choose which kind of request the rule should detect. Select Any to detect both website visit and resource request events.
The Request Type criterion is only shown when you have already selected a Webpage URL criterion.
* The Ignore background or automated requests? and Ignore when a webpage requests static content? options may not work properly on older browsers. You need at least Chrome version 79, Edge version 79, Firefox version 89, Opera version 66, etc.
Time Active
This criterion can be used to detect how long the user has been active on the webpage(s).
You can enter a minute value in the condition field and use the “>=” logic.
The Time Active criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.
Time Idle
This criterion is similar to the Time Active criterion, but detects how long the user has been idle/inactive on the webpage(s).
You can enter a minute value in the condition field and use the “>=” logic.
The Time Idle criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.
This criterion works independently of the Idle time threshold value in the Applications monitoring settings.
Time Focused
Time Focused = Time Active + Time Idle.
This criterion detects if a user stayed on certain webpage(s) for the specified duration. It doesn’t matter whether the user was active (e.g., keyboard/mouse is used) or idle (no keyboard/mouse activity); as long as they stayed on the webpage without switching to other webpages/tabs/windows, the condition will be triggered.
You can enter a minute value in the condition field and use the “>=” logic.
The Time Focused criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.
Day Time Active
This criterion is similar to the Time Active criterion, but detects the total active time accumulated throughout the day.
The time will reset at the end of the day. This reset happens when the date of the last total time update differs from the current date. For the reset, the user's local time zone is followed.
You can enter a minute value in the condition field and use the “>=” logic.
The Day Time Active criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.
Day Time Idle
This criterion is similar to the Time Idle criterion, but detects the total idle time accumulated throughout the day.
The time will reset at the end of the day. This reset happens when the date of the last total time update differs from the current date. For the reset, the user's local time zone is followed.
You can enter a minute value in the condition field and use the “>=” logic.
The Day Time Idle criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.
This criterion works independently of the Idle time threshold value in the Applications monitoring settings.
Day Time Focused
This criterion is similar to the Time Focused criterion, but detects the total focused time accumulated throughout the day.
The time will reset at the end of the day. This reset happens when the date of the last total time update differs from the current date. For the reset, the user's local time zone is followed.
You can enter a minute value in the condition field and use the “>=” logic.
The Day Time Focused criterion is only shown when you have already selected a Webpage Title or a Webpage URL criterion.
Applications (Windows & Mac)
Applications Activity rules allow you to detect application launches and users’ time spent in apps.
Applications Rule Examples
Detect and block when a dangerous application (e.g., Windows Registry Editor) or an unauthorized application is launched.
Warn users when spending time on unproductive applications such as games, music/video players, etc.
Detect when anonymous browsers, such as “Tor”, are used.
Detect when screen sharing applications, snipping tools, or peer-to-peer file sharing/torrent software are used.
Applications Rule Criteria
The table below explains what criteria the Applications Activity rules support and what conditions you can use with them.
On Mac, only the Application Name, Application Caption, Time Active (min), Time Idle (min), Time Focused (min), Day Time Active (min), Day Time Idle (min), Day Time Focused (min) criteria are supported at the moment.
Capture Any Events
This criterion can be used to detect the launch of any application.
If you use this criterion without any other criteria, Teramind will trigger the rule anytime any application is launched.
Application Name
This criterion can be used to detect the name or part of the name of an application. For example: “regedit.exe”.
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List and specify a “matches list” or “equals list” condition.
Similarly, you can exclude any applications by specifying them in the Except field.
Application Caption
This criterion is similar to the Application Name criterion, just use the application caption instead. For example: “Registry Editor”.
If the rule fails to detect application captions, ensure the Track window titles option is enabled in the Applications monitoring settings.
Launched from CLI
This criterion detects if an application is launched from the CLI (Command Line Interface).
Select Yes or No under the Launched from CLI section to define if you want to detect apps launched from the command line.
Run Elevated
This criterion detects if an application is launched with elevated permissions using Windows User Account Control (UAC).
An app runs elevated when you launch it from the Windows Start menu while holding down CTRL+SHIFT, or when you right-click it in File Explorer and select Run as administrator. An application also runs elevated when it requires changes to the system, for example an installer that installs software for all users instead of just the current user. In such cases, Windows invokes UAC, and the application is considered to be running elevated.
Detecting elevated launches is useful because software that requires admin permission can change system-wide state. Alerting on or blocking unexpected elevated launches helps you limit the impact of malware and catch unauthorized privilege escalation.
Select Yes or No under the Run elevated section to detect if the app was run with admin privileges.
Application Args
Application arguments (also known as command line arguments) are additional parameters, options, or values passed to an application when launching it from the command line interface (CLI)/terminal. They follow the application name after a space and usually start with a “/” or “-”. For example: “ipconfig /renew”. Here, /renew is an argument.
By using this criterion, you can, for example, disable certain functions of an application. For example, you can block the launch of the ipconfig application when the release or renew arguments are used; otherwise, it will run as usual.
You can use a text value with the “contains”, “equals” (exact text match), or “matches regex” conditions in the condition field.
The Application Args criterion is only shown when you have already selected Yes for the Launched from CLI criterion.
Time Active
This criterion can be used to detect how long a user has been active on the application(s).
You can enter a minute value in the condition field and use the “>=” logic.
The Time Active criterion is only shown when you have already selected an Application Name or an Application Caption criterion.
Time Idle
This criterion is similar to the Time Active criterion, but detects how long the user has been idle/inactive on the application(s).
You can enter a minute value in the condition field and use the “>=” logic.
The Time Idle criterion is only shown when you have already selected an Application Name or an Application Caption criterion.
This criterion works independently of the Idle time threshold value in the Applications monitoring settings.
Time Focused
Time Focused = Time Active + Time Idle.
This criterion detects if a user stayed in certain application(s) for the specified duration. It doesn’t matter whether the user was active (e.g., keyboard/mouse is used) or idle (no keyboard/mouse activity); as long as they stayed in the application without switching to other applications/windows, the condition will be triggered.
You can enter a minute value in the condition field and use the “>=” logic.
The Time Focused criterion is only shown when you have already selected an Application Name or an Application Caption criterion.
Day Time Active
This criterion is similar to the Time Active criterion, but detects the total active time accumulated throughout the day.
The time will reset at the end of the day. This reset happens when the date of the last total time update differs from the current date. For the reset, the user's local time zone is followed.
You can enter a minute value in the condition field and use the “>=” logic.
The Day Time Active criterion is only shown when you have already selected an Application Name or an Application Caption criterion.
Day Time Idle
This criterion is similar to the Time Idle criterion, but detects the total idle time accumulated throughout the day.
The time will reset at the end of the day. This reset happens when the date of the last total time update differs from the current date. For the reset, the user's local time zone is followed.
You can enter a minute value in the condition field and use the “>=” logic.
The Day Time Idle criterion is only shown when you have already selected an Application Name or an Application Caption criterion.
This criterion works independently of the Idle time threshold value in the Applications monitoring settings.
Day Time Focused
This criterion is similar to the Time Focused criterion, but detects the total focused time accumulated throughout the day.
The time will reset at the end of the day. This reset happens when the date of the last total time update differs from the current date. For the reset, the user's local time zone is followed.
You can enter a minute value in the condition field and use the “>=” logic.
The Day Time Focused criterion is only shown when you have already selected an Application Name or an Application Caption criterion.
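The time criteria above (Time Active, Time Idle, Time Focused and their Day Time counterparts) behave the same for Webpages and Applications, so one added Python example (not Teramind agent code) models both: per-visit counters that restart when the user switches to another target, Time Focused as the sum of active and idle, and daily totals that reset when the local date of the last update differs from the current local date. The sampling model (the agent attributes a chunk of minutes to the foreground target and flags it active or idle), the target names and the UTC-5 time zone are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone


class TimeCounters:
    """Active / idle / focused minutes for the current visit of a target
    (a webpage or an application), plus per-day totals that reset when the
    user's local date changes. Built from the criteria descriptions; the
    sampling model (the agent attributes a chunk of minutes to the foreground
    target and flags it active or idle) is an assumption for this example."""

    def __init__(self, local_tz):
        self.local_tz = local_tz
        self.current = None                          # target in the foreground
        self.visit = {"active": 0.0, "idle": 0.0}    # Time *: restart on switch
        self.day = {}                                # target -> {"date", "active", "idle"}

    def sample(self, target, at_utc, minutes, active):
        """Attribute `minutes` on `target`, ending at `at_utc` (tz-aware)."""
        if target != self.current:
            # switching page/tab/window/app ends the visit; Time * start over
            self.current = target
            self.visit = {"active": 0.0, "idle": 0.0}
        bucket = "active" if active else "idle"
        self.visit[bucket] += minutes

        # Day Time *: reset when the local date of the last update differs
        # from the current local date (user's local time zone, not UTC)
        today = at_utc.astimezone(self.local_tz).date()
        day = self.day.get(target)
        if day is None or day["date"] != today:
            day = self.day[target] = {"date": today, "active": 0.0, "idle": 0.0}
        day[bucket] += minutes

    # current visit
    def time_active(self):
        return self.visit["active"]

    def time_idle(self):
        return self.visit["idle"]

    def time_focused(self):
        # Time Focused = Time Active + Time Idle
        return self.visit["active"] + self.visit["idle"]

    # whole local day
    def day_time_active(self, target):
        return self.day.get(target, {}).get("active", 0.0)

    def day_time_idle(self, target):
        return self.day.get(target, {}).get("idle", 0.0)

    def day_time_focused(self, target):
        return self.day_time_active(target) + self.day_time_idle(target)


def exceeds(minutes, threshold):
    """The ">=" logic the rule editor offers for the time criteria."""
    return minutes >= threshold


def job_site_scenario():
    """Constructed timeline (not real agent data): a user in UTC-5 browses a
    job site shortly before local midnight, switches tab for a few minutes,
    returns, and keeps reading past midnight. Returns the counters at three
    checkpoints so the visit reset and the daily reset are both visible."""
    tz = timezone(timedelta(hours=-5))
    t0 = datetime(2024, 3, 1, 4, 0, tzinfo=timezone.utc)   # 23:00 local, Feb 29
    c = TimeCounters(tz)
    c.sample("jobs.example", t0, minutes=20, active=True)
    c.sample("jobs.example", t0 + timedelta(minutes=25), minutes=5, active=False)
    before_switch = {
        "time_focused": c.time_focused(),
        "day_time_active": c.day_time_active("jobs.example"),
        "day_time_focused": c.day_time_focused("jobs.example"),
    }
    c.sample("other.example", t0 + timedelta(minutes=30), minutes=3, active=True)
    c.sample("jobs.example", t0 + timedelta(minutes=35), minutes=5, active=True)
    after_return = {
        "time_active": c.time_active(),                          # visit counters restarted
        "time_focused": c.time_focused(),
        "day_time_active": c.day_time_active("jobs.example"),    # day total kept
        "day_time_focused": c.day_time_focused("jobs.example"),
        "day_rule_30_fires": exceeds(c.day_time_active("jobs.example"), 30),
    }
    c.sample("jobs.example", t0 + timedelta(minutes=70), minutes=10, active=True)  # 00:10 local, Mar 1
    after_midnight = {
        "time_active": c.time_active(),                          # same visit, keeps counting
        "day_time_active": c.day_time_active("jobs.example"),    # new local day: reset
        "day_time_idle": c.day_time_idle("jobs.example"),
    }
    return {"before_switch": before_switch, "after_return": after_return,
            "after_midnight": after_midnight}


if __name__ == "__main__":
    for name, values in job_site_scenario().items():
        print(name, values)
```

Two things the scenario makes concrete: a brief tab switch zeroes the per-visit counters but not the daily totals, so a “Day Time Active >= 30” turnover rule keeps accumulating across visits; and the daily reset follows the user's local date, so the 25 minutes logged before local midnight do not count toward the next day even though the UTC date had already changed.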
OS Version
This criterion can be used to detect the name or part of the name of the operating system installed on the user's computer. For example: “Windows 10”, “Windows 11”, etc. As an example, you can use this criterion to block certain apps on Windows 10 but not on Windows 11.
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list”, or “equals list” condition.
Similarly, you can exclude any operating systems you do not want to track in the Except field.
Minimum Windows Agent 24.35.1996 and Server 24.35.5836 are required to use this feature.
OCR (Windows & Mac)
The OCR Activity rules can help you detect on-screen text, even inside images or videos. It works with multi-screen setups, virtual desktops, and terminal servers. By default, OCR detects English text. But you can also use a few other languages (check out the Teramind Agent specifications and supported platforms article on our Knowledge Base to learn which languages are supported). You can change the detection language from the OCR monitoring settings.
OCR Rule Examples
Generate an alert when a user sees a full credit card number on the screen, violating the PCI DSS compliance requirements.
Get notified when your employees visit sites that contain illegal or questionable content, such as hacking, pornographic, or pirated content.
Detect if an unauthorized user is viewing a document that contains sensitive words.
Detect sensitive information that is displayed inside images or videos, which text-based rules cannot see.
OCR Rule Criteria
The table below shows what criteria the OCR rules support and what conditions you can use with them.
On-Screen Text
This criterion can be used to specify the on-screen text to be detected.
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list”, or “equals list” condition.
Similarly, you can exclude any text you do not want to track in the Except field.
Be careful when using the Except field: the rule will then detect all text on the screen except the text you exclude, which triggers the rule almost every time!
If you are using any regular expressions (e.g., Matches regex, Matches list with a regular expression-based shared list) in the On-Screen Text field, please remember that Teramind supports the Elasticsearch regular expression syntax for OCR rules. More information about it can be found in the Elastic documentation.
Application Name
This criterion can be used to specify the applications in which the OCR content will be detected.
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list”, or “equals list” condition.
Similarly, you can exclude any applications you do not want to track in the Except field.
The Application Name criterion is only shown when you have already specified an On-Screen Text condition.
Keystrokes (Windows & Mac)
Keystrokes Activity rules can be used to detect keystrokes entered by users in applications or websites. In addition to regular keys, you can also detect the clipboard operations (copy/paste commands), use of special keys (e.g., PrtScr, F1), and multiple simultaneous keypresses/combo keys such as CTRL+C.
Keystrokes Rule Examples
Detect if someone is taking screenshots with the likely intention of stealing information.
Detect if an employee is using unprofessional language with a customer on live chat.
Detect a user reusing easy-to-guess passwords, which creates a security risk.
Disable keyboard macros or select combo keys in certain applications or for some users.
Keystrokes Rule Criteria
The table below shows what criteria the Keystrokes Activity rules support and what conditions you can use with them.
On Mac, only the Text Typed, Word Typed, and the Application Name criteria are supported.
Text Typed
This criterion can be used to detect continuous text without any word breaks. For example, if text typed = "confidential", the rule will be triggered when the last letter “l” is typed.
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list” or “equals list” condition.
Similarly, you can exclude any text you do not want to track in the Except field.
Word Typed
This criterion can be used to detect words typed with breaks. For example, if word typed = "password", the rule will be triggered when you finish typing the word and then type the separation key, such as: <Space> or “!” or “.” (dot).
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list”, or “equals list” condition.
Similarly, you can exclude any text you do not want to track in the Except field.
Difference Between Text Typed and Word Typed
Text Typed will detect any partial text, while Word Typed will detect only full words. For example, if you are looking to detect 'club', and the user typed 'golfclub', Text Type will detect it, but Word Typed will not. If the user typed 'golf club', then both the Text Typed and Word Typed criteria will detect the keystrokes.
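The difference above can be reproduced with this added Python example (not Teramind code): it feeds keystrokes one at a time to a matcher that applies the Text Typed and Word Typed semantics described here, firing Text Typed as soon as the last character arrives and Word Typed only when a separator closes the word. The separator set and the case-insensitive comparison are assumptions for the example.

```python
# Characters treated as word breaks; the real separator set is not documented
# on the page, so this list is an assumption for the example.
SEPARATORS = set(" \t\r\n.,;:!?\"'()[]{}")


class KeystrokeMatcher:
    """Replays keystrokes one at a time and records when a Text Typed or a
    Word Typed condition would fire. Comparison is case-insensitive here
    (an assumption); the firing points follow the page's description."""

    def __init__(self, text_typed=(), word_typed=()):
        self.text_typed = [t.lower() for t in text_typed]
        self.word_typed = [w.lower() for w in word_typed]
        self.buffer = ""      # characters typed since the last word break
        self.events = []      # (criterion, matched value) in firing order

    def press(self, key):
        if key in SEPARATORS:
            # Word Typed fires only when a separator closes the whole word
            if self.buffer.lower() in self.word_typed:
                self.events.append(("word", self.buffer))
            self.buffer = ""
            return
        self.buffer += key
        # Text Typed fires the moment the last character of the value arrives,
        # even inside a longer run such as "golfclub"
        for t in self.text_typed:
            if self.buffer.lower().endswith(t):
                self.events.append(("text", t))


def replay(keys, **criteria):
    """Type `keys` into a fresh matcher and return the events it produced."""
    m = KeystrokeMatcher(**criteria)
    for k in keys:
        m.press(k)
    return m.events


if __name__ == "__main__":
    print(replay("golfclub ", text_typed=["club"], word_typed=["club"]))   # text only
    print(replay("golf club ", text_typed=["club"], word_typed=["club"]))  # text, then word
    print(replay("password", word_typed=["password"]))                    # nothing yet
    print(replay("password!", word_typed=["password"]))                   # word fires on "!"
```

Note that the buffer is cleared on every separator, so "con fidential" never satisfies Text Typed = "confidential": the criterion needs the text as one continuous run, exactly as the page states.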
Special Key Typed
By using this criterion, you can detect special keys such as the function keys (e.g., F1), PrtScr, or key combinations such as <Shift+P>. You can only use the "equals" condition with the values.
Application Name
Use this criterion to specify which applications to detect.
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list”, or “equals list” condition.
Similarly, you can exclude any applications you do not want to track in the Except field.
The Application Name criterion is only shown when you have already selected a Text Typed, Word Typed, or Special Key Typed criterion. Also, if you use this criterion, you cannot use the Webpage URL criterion in the same condition block. However, you can use both criteria in separate condition blocks (i.e., Condition 1 and Condition 2).
Webpage URL
Use this criterion to specify which websites to detect. This is the same as the Webpage URL criterion under the Webpages activity.
The Webpage URL criterion is only shown when you have already selected a Text Typed, Word Typed, or Special Key Typed criterion. Also, if you use this criterion, you cannot use the Application Name criterion in the same condition block. However, you can use both criteria in separate condition blocks (i.e., Condition 1 and Condition 2).
Files (Windows & Mac)
Files Activity rules let you detect file operations such as access, read, write, upload, download, create a folder, rename a folder, etc. Each operation allows you to further specify additional detection criteria. For example, the Download operation lets you detect the program, file name, URL, and file size.
Note that Teramind cannot track the copy operation for a file from one network server to the same network server (i.e., source and destination are the same). For example, copying of a file from \\103.247.55.101\source_folder to \\103.247.55.101\destination_folder cannot be tracked. Copy to and from the same local drives is detected as usual.
Also, copying of an empty file cannot be tracked since it will be impossible for the system to distinguish between the file create and copy operations due to the zero size of the file.
Files Rule Examples
Detect/block access to sensitive folders.
Make a folder or drive write-proof, preventing any changes to the files in it.
Get notified when files are uploaded to Cloud sharing sites, such as Dropbox, Google Drive, etc.
Block files from being copied to/from removable media, such as USB drives.
Prevent changes to program settings or tampering with configuration files.
Block certain file transfer protocols, such as FTP, SMTP, etc.
Restrict the transfer of large files.
Files Rule Criteria
On Mac, only the following criteria and conditions are supported:
File Operation conditions: Access, Copy, Write, Rename, and Delete.
Program conditions: Contains and Equals.
File Path conditions: Contains and Equals.
Drive conditions: All drives and All external drives.
The table below shows what criteria the Files Activity rules support and what conditions you can use with them.
File Operation
The first criterion you must select when creating a Files rule is the File Operation criterion. You can select from a list of operations such as Access, Access Folder, Copy, Create Folder, Delete, Rename, Write, Upload, Download, etc.
The conditions you specify in this criterion will determine which other criteria are available to you. Teramind will automatically show or hide criteria based on your selection.
For example, if you select the Insert or Eject conditions in the File Operation criterion, you can only add the Drive criterion as an additional criterion.
Program
By using this criterion, you can specify which program(s) to detect (the app that initiated the File Operation).
You can choose from “contains”, “equals”, “matches regex”, or “matches glob” conditions.
Similarly, you can exclude any programs you do not want to track in the Except field.
Network Host
This criterion can be used to detect the hostname of a network-based file operation. For example: "http://sharepoint.com", "ftp://filevault.net", etc.
You can choose from “contains”, “equals”, or “all shares”. Or, you can select a Shared List (Network type) and specify a “matches list” condition.
Similarly, you can exclude any hosts you do not want to track in the Except field.
This criterion is not supported in: Insert, Eject, Download, and Upload operations.
Source Network Host
This criterion is similar to the Network Host criterion, but detects the source network host of a Copy or Move operation.
You can exclude any hosts you do not want to track in the Except field.
This criterion is only available with the Any, Copy, Move, and Rename operations.
File Path
This criterion can be used to detect parent folders or file extensions. For example: document, c:\windows, etc. File extensions are used to identify a file type and usually start with a “. (dot)”. For example: .doc, .pdf, etc. Note: you do not need to specify the “.” when entering the extension.
You can choose from various “contains”, “equals”, and “matches” conditions. When using one of the “match” options, you can use a wildcard such as “*”, “?”, “[abc] ”, “[a-z] ”, etc. For example, “?at” will match “Cat”, “cat”, “Bat”, or “bat”.
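As an added example (not Teramind code), the Python below translates File Path globs that use *, ?, [abc] and [a-z] into anchored regular expressions, normalises Windows paths for case-insensitive comparison, handles extensions given with or without the leading dot, and applies a write-proof-folder rule with an Except pattern to constructed file events. Whether * may span directory separators and whether the comparison is case-insensitive are assumptions made here; verify them against your own rules before relying on a pattern.

```python
import re


def glob_to_regex(pattern):
    """Translate a File Path style glob (*, ?, [abc], [a-z]) into an anchored
    regular expression. Assumption for this example: `*` may span directory
    separators, so c:\\windows\\* covers the whole subtree."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:                       # unterminated bracket: literal
                out.append(re.escape(c))
            else:
                body = pattern[i + 1:j].replace("\\", "\\\\")
                if body.startswith("!"):      # [!abc] negates, shell style
                    body = "^" + body[1:]
                out.append("[" + body + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def _norm(s):
    # Windows paths are case-insensitive and accept both separators; comparing
    # case-insensitively is an assumption about the rule engine.
    return s.replace("/", "\\").lower()


def path_matches(path, pattern):
    return re.match(glob_to_regex(_norm(pattern)), _norm(path)) is not None


def has_extension(path, ext):
    """Extension check with or without the leading dot, as the page allows."""
    return _norm(path).endswith("." + ext.lower().lstrip("."))


# Constructed file events (path, operation, program), not real agent output.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\drivers\etc\hosts", "Write", "notepad.exe"),
    (r"C:\Windows\Temp\setup.log", "Write", "msiexec.exe"),
    (r"C:\Users\alice\Documents\report.PDF", "Write", "WINWORD.EXE"),
    (r"C:\Users\alice\Documents\report.PDF", "Access", "explorer.exe"),
    (r"E:\exports\customers.csv", "Copy", "explorer.exe"),
]


def rule_hits(operation, path_pattern, except_patterns=(), extension=None):
    """Paths on which a Files rule with the given File Operation and File Path
    criteria (plus an optional Except list and extension) would fire."""
    hits = []
    for path, op, _program in SAMPLE_EVENTS:
        if op != operation:
            continue
        if not path_matches(path, path_pattern):
            continue
        if any(path_matches(path, e) for e in except_patterns):
            continue
        if extension is not None and not has_extension(path, extension):
            continue
        hits.append(path)
    return hits


if __name__ == "__main__":
    print([w for w in ("Cat", "cat", "Bat", "bat", "at", "chat") if path_matches(w, "?at")])
    # write-proof C:\Windows, but let installers use C:\Windows\Temp
    print(rule_hits("Write", r"c:\windows\*", except_patterns=(r"c:\windows\temp\*",)))
    # any write of a PDF, extension given without the dot
    print(rule_hits("Write", "*", extension="pdf"))
```

The “?at” check reproduces the page's example (Cat, cat, Bat, bat match; at and chat do not). The write-proof rule shows the practical value of Except: without it, every installer writing its log under C:\Windows\Temp would be blocked along with the edit of the hosts file you actually want to stop.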
You can exclude any path(s) you do not want to track in the Except field.
This criterion is not supported in: Insert, Eject, Download, and Upload operations.
Source File Path
This criterion is similar to the File Path criterion, but detects the source folder, file name, or extension of a Copy or Move operation.
You can exclude any path(s) you do not want to track in the Except field.
This criterion is only available with the Any, Copy, Move, and Rename operations.
Drive
This criterion can be used to detect where the file operation took place, such as a local, network, or external drive.
You can enter a drive name (e.g., “C”) and select that particular drive or choose from “All drives” or “All external drives” conditions.
You can exclude any drive you do not want to track in the Except field.
This criterion is not supported in Download and Upload operations.
Source Drive
This criterion is similar to the Drive criterion, but detects the source drive of a Copy or Move operation.
This criterion is only available with the Any, Copy, Move, and Rename operations.
Cloud Provider
This criterion can be used to detect the cloud provider of a file operation.
You can choose from “Any”, “Dropbox”, “Google Drive”, “OneDrive”, “Box”, etc.
Similarly, you can exclude any providers you do not want to track in the Except field.
This criterion is not supported in the Insert, Eject, Download, and Upload operations.
Source Cloud Provider
This criterion is similar to the Cloud Provider criterion, but detects the source cloud provider of a Copy or Move operation.
This criterion is only available with the Any, Copy, Move, and Rename operations.
RDP File Transfer
This criterion can detect if the file copy operation is done over an RDP (Remote Desktop Protocol) session. This happens when you connect to a remote computer and copy files to/from it.
Select either Yes or No under the RDP transfer section to define if RDP transfers will be detected.
This criterion is only supported in the Copy operation.
Download File Name
This criterion lets you detect the download file name.
You can choose from “contains”, “equals”, or “matches regex”.
Similarly, you can exclude any files you do not want to track in the Except field.
This criterion is only available with the Download operation.
Download URL
This criterion is similar to the Download File Name criterion, but used to detect the download URL instead.
This criterion is only available with the Download operation.
Download File Size
This criterion can be used to detect the size (in bytes) of the file being downloaded.
You can enter a byte value in the condition field and use “=”, “>”, “<”, and “>=” logic.
Similarly, you can use the Except field to specify an exception.
This criterion is only available with the Download operation.
Upload File Name
This criterion is similar to the Download File Name criterion, but used for the Upload operation instead.
This criterion is only available with the Upload operation.
Upload URL
This criterion is similar to the Download URL criterion but used for the Upload operation instead.
This criterion is only available with the Upload operation.
Upload File Size
This criterion is similar to the Download File Size criterion, but used for the Upload operation instead.
This criterion is only available with the Upload operation.
Upload Client
This criterion lets you detect what kind of application or protocol is being used for the upload operation.
You can choose from “Browser”, “FTP”, “Outlook”, or “SMTP”.
Similarly, you can use the Except field to ignore any protocol/application you do not want to track.
This criterion is only available with the Upload operation.
Emails (Windows)
Emails Activity rules let you detect outgoing and incoming emails, including any email attachments.
Emails Rule Examples
Prevent attaching files from certain location(s) such as a folder, a network path, or a Cloud drive.
Restrict sending of work emails from personal email accounts.
Prevent sending of attachments to non-business addresses.
Detect if a competitor is contacting your employees or vice versa.
Get notified if a user is sending emails with large attachments.
Emails Rule Criteria
The table below shows what criteria the Email Activity rules support and what conditions you can use with them.
Capture Any Events
This criterion lets you detect any email being sent or received.
If you use this option without any other criteria, Teramind will trigger the rule anytime an email is sent or received.
Mail Body
This criterion can be used for detecting text inside the mail body.
You can choose from “contains” or “matches regex” with any text. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list” condition.
Similarly, you can exclude any text/list you do not want to track in the Except field.
Mail Subject
This criterion can be used for detecting text inside the mail subject.
You can choose from “contains”, “equals”, or “matches regex” with any text. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list” or “equals list” condition. Check out the Shared List section of the Teramind User Guide to learn how to create shared lists.
Similarly, you can exclude any text/list you do not want to track in the Except field.
Mail CC
This criterion detects the CC addresses in an email.
You can choose from “contains”, “equals”, or “matches regex” with any text. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list” or “equals list” condition.
Similarly, you can exclude any text/list you do not want to track in the Except field.
Mail To
This criterion is similar to the Mail CC criterion, but used to detect the Mail To addresses instead.
Mail From
This criterion is similar to the Mail CC and Mail To criteria, but is used to detect the Mail From addresses instead.
Mail Direction
This criterion lets you detect if a mail is being sent or received.
You can select either the “Incoming”, “Outgoing”, or both options.
Mail Client
Use this criterion to specify the mail client you want to detect.
You can choose from “Gmail”, “Live”, “Outlook”, etc. Teramind keeps adding support for new clients, so you might see more clients in the future.
Similarly, you can exclude any client(s) you do not want to track in the Except field.
Has Attachments
This criterion can be used to detect if an email has any attachments.
Select either the Yes or No option under the Has attachments section to define if emails with attachments will be detected.
Attachment Extension
Used to detect the extension of the attached files. A file extension identifies the file type and is usually shown with a leading “.” (dot), for example .doc or .pdf. Note: you do not need to enter the “.” when specifying the extension.
You can choose from “contains”, “equals”, or “matches regex” with any text.
The Attachment Extension criterion is only shown when you have already selected YES for the Has Attachment criterion.
Mail Size
This criterion can be used to detect the email size (in bytes).
You can enter a byte value in the condition field and use the “=”, “>”, “<”, or “>=” logic. Note that the value is in bytes, so 2048 means 2 KB, not 2 MB.
You can use the Except field to specify an exception, or combine it with the condition field to define a range: the Except entry removes the matches you do not want. For example, specify >=2097152 (2 MB) in the Mail Size field and >5242880 (5 MB) in the Except field to detect emails between 2 MB and 5 MB in size.
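The following is an added example, not code from the Teramind guide or product: it applies the Emails criteria described above (Mail Direction, Mail To/CC with “matches regex”, Has Attachments, Attachment Extension, and a Mail Size range built from the condition and Except fields) to a few constructed email events. The company domain example.com, the rule names, and the sample messages are assumptions made for the example. The recipient regex is anchored so that an address such as bob@example.com.attacker.org is not mistaken for a business address, which a plain “contains example.com” condition would do.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Assumption for this example: the organisation's mail domain is example.com.
# Anchored so that only addresses ending in @example.com (or a subdomain of it) count as
# business addresses; "contains example.com" would also accept bob@example.com.attacker.org.
BUSINESS_ADDRESS = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)*example\.com$", re.IGNORECASE)

# Extensions of interest, written without the leading dot as the Attachment Extension criterion expects.
SENSITIVE_EXTENSIONS = {"xlsx", "docx", "pdf", "zip"}

MB = 1024 * 1024


@dataclass
class Email:
    """A constructed email event; field names mirror the rule criteria."""
    direction: str                 # "Outgoing" or "Incoming"
    mail_from: str
    to: List[str]
    cc: List[str]
    size_bytes: int                # Mail Size is evaluated in bytes
    attachments: List[str] = field(default_factory=list)


def numeric(value: int, op: str, bound: int) -> bool:
    """The =, >, <, >= logic offered for numeric criteria such as Mail Size."""
    return {"=": value == bound, ">": value > bound,
            "<": value < bound, ">=": value >= bound}[op]


def extension(filename: str) -> str:
    """Final extension without the dot; 'invoice.pdf.exe' yields 'exe', not 'pdf'."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def non_business_recipients(email: Email) -> List[str]:
    return [a for a in email.to + email.cc if not BUSINESS_ADDRESS.match(a)]


def rule_attachment_to_non_business(email: Email) -> bool:
    """Mail Direction = Outgoing, Has Attachments = Yes, any To/CC address outside the business domain."""
    return (email.direction == "Outgoing"
            and bool(email.attachments)
            and bool(non_business_recipients(email)))


def rule_sensitive_extension(email: Email) -> bool:
    """Has Attachments = Yes and Attachment Extension equals one of the listed extensions."""
    return any(extension(name) in SENSITIVE_EXTENSIONS for name in email.attachments)


def rule_large_mail(email: Email, lower: int = 2 * MB, upper: int = 5 * MB) -> bool:
    """Mail Size >= lower in the condition field with > upper in Except: the 2 MB to 5 MB range."""
    return numeric(email.size_bytes, ">=", lower) and not numeric(email.size_bytes, ">", upper)


def evaluate(email: Email) -> List[str]:
    """Names of the rules this email would trigger."""
    rules = {
        "attachment-to-non-business": rule_attachment_to_non_business,
        "sensitive-extension": rule_sensitive_extension,
        "large-mail": rule_large_mail,
    }
    return [name for name, check in rules.items() if check(email)]


# Constructed sample traffic (not real messages).
SAMPLES = [
    Email("Outgoing", "alice@example.com", ["bob@example.com"], [], 300_000, ["q3.xlsx"]),
    Email("Outgoing", "alice@example.com", ["bob@example.com.attacker.org"], [], 120_000, ["q3.xlsx"]),
    Email("Outgoing", "alice@example.com", ["partner@corp.example.com"], ["me@gmail.com"], 3 * MB, ["report.pdf"]),
    Email("Incoming", "recruiter@gmail.com", ["alice@example.com"], [], 6 * MB, ["offer.pdf.exe"]),
]

if __name__ == "__main__":
    for e in SAMPLES:
        print(e.to, e.cc, "->", evaluate(e))
```

Two details worth carrying into real rules: the extension check looks only at the final extension, so a double extension such as offer.pdf.exe is treated as an executable, and the size range is expressed in bytes, as the criterion requires.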
Instant Messaging (Windows)
Instant Messaging Activity rules let you detect instant messaging conversations and group chats for popular IMs such as WhatsApp, Slack, etc. You can detect both incoming and outgoing messages, detect the participants, and search the message body for keywords or text.
Instant Messaging Rule Examples
Restrict messages to/from select contacts.
Detect if a user is in contact with suspicious people or criminal groups.
Monitor support chat conversations to improve the quality of customer service and SLA.
Get notified if the chat body contains specific keywords or sensitive phrases such as lawsuit threats, angry sentiments, sexual harassment, etc.
Instant Messaging Rule Criteria
The table below shows what criteria the Instant Messaging Activity rules support and what conditions you can use with them.
Capture Any Events
This criterion can be used to detect any IM send/receive events.
If you use this option without any other criteria, Teramind will trigger the rule anytime an IM is sent or received.
Message Body
This criterion can be used for detecting text inside the message body.
You can choose from “contains”, “equals”, or “matches regex” with any text. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list” or “equals list” condition.
Similarly, you can exclude any text/list you do not want to track in the Except field.
Message Direction
This criterion lets you detect if a message is being sent or received.
Select either the “Incoming”, “Outgoing”, or both options under the Message direction section to define what message origin will be detected.
Messaging App
Use this criterion to specify the messaging app you want to detect.
You can choose from “Facebook”, “Google Chat”, “LinkedIn”, etc. Teramind keeps adding support for new apps, so you might see more apps in the future.
Similarly, you can exclude any app(s) you do not want to track in the Except field.
Messaging Contact
This criterion can be used to detect the contacts/participants of an instant messaging conversation.
You can choose from “contains”, “equals”, or “matches regex” with any text. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list” or “equals list” condition.
Similarly, you can exclude any text/list you do not want to track in the Except field.
Browser Plugins (Windows)
Browser Plugins Activity rules let you detect any installed browser plugins or extensions and what permissions they are using.
Browser Plugins Rule Examples
Restrict the use of a browser, such as an older version of a browser that has security flaws.
Block user installation of browser plugins and extensions by regular users to prevent malware infection and prevent security or privacy breaches.
Prevent a plugin from utilizing certain permissions, such as the ability to access critical proxy settings or user data.
Browser Plugins Rule Criteria
The table below shows what criteria the Browser Plugins Activity rules support and what conditions you can use with them.
Capture Any Events
This criterion can be used to detect if any browser plugin is launched/activated.
If you use this option without any other criteria, Teramind will trigger the rule anytime a plugin is launched or activated.
Browser
Use this criterion to specify the browser(s) you want to detect.
You can choose from “Chrome”, “Opera”, “Firefox”, “Internet Explorer”, etc. Teramind keeps adding support for new browsers, so you might see more browsers in the future.
Similarly, you can exclude any browser(s) you do not want to track in the Except field.
Plugin Name
Use this criterion to specify the plugin(s) you want to detect.
You can choose from “contains”, “equals”, or “matches regex” conditions with any text.
Similarly, you can exclude any plugins you do not want to track in the Except field.
Plugin Permissions
You can use this criterion to detect what permissions a plugin is using.
You can choose from any of these conditions:
Proxy VPN - detects if the plugin is accessing the browser's proxy settings.
Request - detects if the plugin is making a web request. This permission allows a plugin to observe and analyze traffic and intercept, block, or modify web requests.
User Data - detects if the plugin is accessing any user data, such as cookies.
Similarly, you can exclude any permission you do not want to track in the Except field.
Printing (Windows & Mac)
Printing Activity rules let you detect print jobs across local or network printers. You can use criteria, such as the document and printer names, and the number of pages being printed.
Printing Rule Examples
Prevent data leaks over hard copies by restricting what documents can be printed.
Warn the user about large print jobs to reduce waste.
Restrict how many pages can be printed in a certain printer to reduce expense when taking an expensive/color print.
Implement printer use policies for users/departments. For example, which departments/users can use which printer, how much, or what they can print.
Printing Rule Criteria
The table below shows what criteria the Printing Activity rules support and what conditions you can use with them.
On Mac, only the following criteria are supported: Number of Pages, Document Name, and Printer Name.
Document Name
Use this criterion to specify the document name(s) you want to detect.
You can choose from “contains”, “equals”, or “matches regex” conditions with any text.
Similarly, you can exclude any documents you do not want to track in the Except field.
Printer Name
Use this criterion to specify the printer(s) you want to track.
You can choose from “contains”, “equals”, or “matches regex” conditions with any text.
Similarly, you can exclude any printers you do not want to track in the Except field.
Number of Pages
This criterion can be used to detect the number of pages of the document being printed.
You can enter a page value in the condition field and use the “=”, “>”, “<”, and “>=” logic.
You can use the Except field to specify an exception, or combine it with the condition field to define a range. For example, specify >=20 in the Number of Pages field and >50 in the Except field to detect print jobs of between 20 and 50 pages.
Networking (Windows & Mac)
The Networking Activity rules let you detect network activities such as bytes sent/received, hosts, apps making the network connections, etc.
Networking Rule Examples
Implement network security-related rules, for example, restrict outgoing internet traffic from the payment server (to comply with PCI DSS regulation).
Limit network access, such as disabling login via RDP (Remote Desktop Protocol).
Implement geo-fencing, for example, restrict access to your EU server from US users.
Get notified when abnormal network activity (i.e. sudden spike in network traffic) is detected, which might indicate an intrusion.
Using the Local IP criterion, you can detect if a user has established a connection to a peripheral local or VPN network or has changed the network route to bypass your corporate VPN. This might indicate a serious security threat.
Networking Rule Criteria
The table below explains what criteria the Networking Activity rules support and what conditions you can use with them.
On Mac, only the following criteria are supported: Application Name, Remote Host, Remote Port, Bytes Sent, and Bytes Received.
Application Name
Use this criterion to specify the application(s) using a network connection.
You can choose from “contains”, “equals”, or “matches regex” with any text. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list” or “equals list” condition.
Similarly, you can exclude any text/list you do not want to track in the Except field.
Remote Host
Use this criterion to specify the remote host(s) the network is connected to.
You can enter a host address (such as: "google.com") or an IP address (such as: "10.52.22.1/32") in the condition field, or you can select a Shared List (Network type) and specify a “matches list” condition.
Similarly, you can exclude any host you do not want to track in the Except field.
Remote Port
This criterion can be used to detect the remote port of the network connection.
You can enter a port value in the conditions field and use the “=” logic.
Similarly, you can use the Except field to specify an exception.
Bytes Sent
Use this criterion to specify the number of bytes sent over the network connection.
You can enter a byte value in the condition field and use the “=”, “>”, or “>=” logic.
Similarly, you can use the Except field to specify an exception.
Bytes Received
Use this criterion to specify the number of bytes received over the network connection.
You can enter a byte value in the condition field and use the “=”, “>”, or “>=” logic.
Similarly, you can use the Except field to specify an exception.
Local IP
This criterion can be used to detect local IP addresses.
You can enter an IP address (such as "11.1.1.2/32") in the condition field, or you can select a Shared List (Network type) and specify a “matches list” condition.
Similarly, you can exclude any host you do not want to track in the Except field.
This criterion inspects the local (source) IP address of a network connection and adds another layer of control over your subnets, letting you enforce policies for local and external VPN connections. For example, if you enter your corporate subnets and VPN client address range in the Except field, the rule triggers only for connections whose local address falls outside them:
If your company uses a corporate VPN, such a connection means the user has joined another local or VPN network, or has changed the network route so that traffic no longer passes through the corporate VPN.
If your company does not use a VPN, it means the user has connected a work computer to a local or VPN network other than your own.
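The following is an added example, not code from the Teramind guide or product. It shows how the Networking criteria above combine: a Remote Host list mixing hostnames and CIDR entries, Remote Port with an Except entry, Bytes Sent against a threshold, and the Local IP check that flags a connection whose source address is outside the corporate subnets and VPN client pool. The address ranges, host names, rule names, and connection records are constructed assumptions; the hostname matching rule (exact or parent-domain) is a design choice of this example, not a documented product behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed corporate address plan (constructed for this example, not taken from the guide).
OFFICE_LANS = ["10.0.0.0/8", "192.168.50.0/24"]   # office subnets
VPN_CLIENT_POOL = ["172.20.0.0/16"]               # addresses the corporate VPN assigns to clients
# Network-type Shared List for Remote Host: a sanctioned SaaS host plus an internal server subnet.
ALLOWED_REMOTE = ["outlook.office365.com", "10.1.5.0/24"]
RDP_JUMP_HOSTS = ["10.1.5.20/32"]                 # Except entry for the RDP rule


def to_networks(entries: List[str]) -> List[Network]:
    """Parse CIDR entries; '10.52.22.1' without a prefix length is a single host (/32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_in(ip: str, nets: List[Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


@dataclass
class Connection:
    """One network event with the fields the Networking criteria look at (constructed data)."""
    app: str
    local_ip: str
    remote_host: str      # hostname or IP address, as the Remote Host criterion accepts either
    remote_port: int
    bytes_sent: int


def remote_host_matches(remote_host: str, entries: List[str]) -> bool:
    """Remote Host 'matches list': CIDR entries by address membership, name entries by exact
    or parent-domain match (so 'example.com' covers 'mail.example.com' but not 'example.com.evil.net')."""
    name = remote_host.lower()
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:                      # entry is a hostname
            if name == entry.lower() or name.endswith("." + entry.lower()):
                return True
            continue
        try:
            if ipaddress.ip_address(remote_host) in net:
                return True
        except ValueError:                      # remote_host is a name, cannot sit in a CIDR
            continue
    return False


def rule_off_corporate_network(conn: Connection) -> bool:
    """Local IP criterion: the local address is neither an office subnet nor the VPN pool, which
    is what a foreign LAN, a third-party VPN, or a route bypassing the corporate VPN looks like."""
    return not ip_in(conn.local_ip, to_networks(OFFICE_LANS + VPN_CLIENT_POOL))


def rule_rdp(conn: Connection) -> bool:
    """Remote Port = 3389, with the jump host in the Except field."""
    return conn.remote_port == 3389 and not remote_host_matches(conn.remote_host, RDP_JUMP_HOSTS)


def rule_bulk_upload(conn: Connection, threshold: int = 50 * 1024 * 1024) -> bool:
    """Bytes Sent > threshold to a host outside the allow list."""
    return conn.bytes_sent > threshold and not remote_host_matches(conn.remote_host, ALLOWED_REMOTE)


def evaluate(conn: Connection) -> List[str]:
    """Names of the rules a connection would trigger."""
    rules = {
        "off-corporate-network": rule_off_corporate_network,
        "rdp": rule_rdp,
        "bulk-upload": rule_bulk_upload,
    }
    return [name for name, check in rules.items() if check(conn)]


# Constructed sample connections (203.0.113.10 is from the TEST-NET-3 documentation range).
SAMPLES = [
    Connection("chrome.exe", "172.20.4.9", "outlook.office365.com", 443, 2_000_000),
    Connection("chrome.exe", "192.168.1.7", "203.0.113.10", 443, 80_000_000),
    Connection("mstsc.exe", "10.1.2.3", "10.1.5.20", 3389, 4_000),
    Connection("mstsc.exe", "10.1.2.3", "10.1.7.44", 3389, 4_000),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c.app, c.local_ip, "->", c.remote_host, c.remote_port, evaluate(c))
```

The second sample is the case the Local IP criterion exists for: a home-router address (192.168.1.7) as the local IP means the traffic is not leaving through the corporate VPN, and the same connection also trips the bulk-upload rule because the destination is not on the allow list.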
Registry (Windows)
Registry activity rules let you detect changes to the registry. You can detect registry keys, names, values (data assigned to keys), and programs.
The Windows Registry Editor is a great tool for exploring and editing the Windows Registry. You can use it to examine registry keys and values, which is helpful for creating custom registry rules.
The screenshot below shows how to discover keys, names and values from the Registry Editor:
Registry Rule Examples
Prevent changes to sensitive keys/programs or other items in the registry. For example, network or internet settings, security policies, etc.
Detect/prevent unauthorized changes of permissions or privileges of files, folders, drives, or applications. For example, a malicious user or intruder can change the Start value under the USBSTOR key to re-enable USB storage devices that policy has disabled, compromising security. By monitoring that registry key, you can detect and block such changes.
Detect if a user is trying to install dangerous or problematic software by monitoring what changes the software is making to the system.
Registry Rule Criteria
The table below explains what criteria the Registry Activity rules support and what conditions you can use with them.
Key
This criterion can be used to specify the registry key(s) to detect.
You can enter any text in the condition field and choose from “contains” or “equals” conditions. Or, you can select the “matches glob” condition and use wildcards such as "*", "?", "[abc]", "[a-z]", etc. For example, "?at" will match "Cat", "cat", "Bat", or "bat".
Similarly, you can exclude any key you do not want to track in the Except field.
Note that the actual registry key paths differ from how they are displayed in the Windows Registry Editor.
For example, the “\registry\machine” key is shown as “Computer\HKEY_LOCAL_MACHINE” in the Registry Editor, and “\registry\users” is shown as “Computer\HKEY_USERS”.
Teramind matches conditions against the actual key paths, not the names shown in the Registry Editor. For convenience, if a key condition starts with one of the following prefixes, it is rewritten to the actual path before matching:
hkey_current_user\
hkcu\
hkey_local_machine\
hklm\
hkey_users\
Name
Use this criterion to specify the name of a registry value. For example, the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR” key may contain a value called “Start”.
You can enter any text in the condition field and choose from “contains” or “equals” conditions. Or, you can select the “matches glob” condition and use wildcards such as "*", "?", "[abc]", "[a-z]", etc. For example, "?at" will match "Cat", "cat", "Bat", or "bat".
Similarly, you can exclude any name you do not want to track in the Except field.
Value
This criterion can be used to detect the value of a registry name. Windows registry values can contain a String, Multi-String, Binary, etc. So, enter a value accordingly.
You can enter any text in the condition field and choose from “contains” or “equals” conditions. Or, you can select the “matches glob” condition and use wildcards such as "*", "?", "[abc]", "[a-z]", etc. For example, "?at" will match "Cat", "cat", "Bat", or "bat".
Similarly, you can exclude any value you do not want to track in the Except field.
Program
This criterion can help you identify which application or service is responsible for making the registry changes.
You can enter any text in the condition field and choose from “contains” or “equals” conditions. Or, you can select the “matches glob” condition and use wildcards such as "*", "?", "[abc]", "[a-z]", etc. For example, "?at" will match "Cat", "cat", "Bat", or "bat".
Similarly, you can exclude any program(s) you do not want to track in the Except field.
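The following is an added example, not code from the Teramind guide or product. It puts the Registry criteria above to work on constructed registry change events: the friendly-prefix rewriting the guide describes (HKLM and HKEY_USERS forms; HKCU is left out because its actual path is \registry\user\<SID> and depends on the logged-on user), “matches glob” matching on Key, Name and Program, an exact Value check, and a Program entry in the Except field. The rules, event records, and program names are assumptions made for the example. One caveat built into the USBSTOR rule: HKLM\SYSTEM\CurrentControlSet is a link to ControlSet00N, so a change recorded on the real path does not match a glob spelled with “currentcontrolset”; the rule uses a wildcard for that path segment instead.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Friendly prefixes rewritten to the actual key paths, as the guide describes (the HKEY_USERS
# path is written the way the guide gives it). HKCU is omitted: its real path is
# \registry\user\<SID> and depends on which user is logged on.
PREFIX_MAP = {
    "hkey_local_machine\\": "\\registry\\machine\\",
    "hklm\\": "\\registry\\machine\\",
    "hkey_users\\": "\\registry\\users\\",
}


def normalize_key(condition: str) -> str:
    """Lower-case the condition and rewrite a friendly prefix to the actual path."""
    cond = condition.strip().lower()
    for friendly, actual in PREFIX_MAP.items():
        if cond.startswith(friendly):
            return actual + cond[len(friendly):]
    return cond


def glob_match(pattern: str, text: str) -> bool:
    """'matches glob' with *, ?, [abc] and [a-z]; case-folded, since registry names are
    case-insensitive, so "?at" matches Cat, cat, Bat and bat as the guide says."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


@dataclass
class RegistryEvent:
    key: str        # actual path as the agent records it (constructed sample data)
    name: str
    value: str
    program: str


@dataclass
class RegistryRule:
    key_glob: str
    name_glob: str = "*"
    value_equals: Optional[str] = None
    except_programs: Tuple[str, ...] = ()


def rule_matches(rule: RegistryRule, ev: RegistryEvent) -> bool:
    if not glob_match(normalize_key(rule.key_glob), ev.key):
        return False
    if not glob_match(rule.name_glob, ev.name):
        return False
    if rule.value_equals is not None and ev.value != rule.value_equals:
        return False
    # Except field on Program: changes made by these programs are ignored.
    return not any(glob_match(p, ev.program) for p in rule.except_programs)


# The guide's USBSTOR example: Start = 4 disables the USB storage driver, so a change back to 3
# (manual start) re-enables removable drives. The control-set segment is a wildcard because
# CurrentControlSet is a link to ControlSet00N on the real path.
RULES = {
    "usbstor-reenabled": RegistryRule(
        key_glob=r"hklm\system\*\services\usbstor", name_glob="Start", value_equals="3"),
    "run-key-persistence": RegistryRule(
        key_glob=r"hklm\software\microsoft\windows\currentversion\run*",
        except_programs=("msiexec.exe",)),
}


def evaluate(ev: RegistryEvent) -> List[str]:
    """Names of the rules a registry change would trigger."""
    return [name for name, rule in RULES.items() if rule_matches(rule, ev)]


# Constructed sample events.
SAMPLES = [
    RegistryEvent(r"\registry\machine\system\controlset001\services\usbstor", "Start", "3", "reg.exe"),
    RegistryEvent(r"\registry\machine\system\controlset001\services\usbstor", "Start", "4", "gpupdate.exe"),
    RegistryEvent(r"\registry\machine\software\microsoft\windows\currentversion\run",
                  "Updater", r"C:\Users\alice\AppData\Roaming\svc.exe", "powershell.exe"),
    RegistryEvent(r"\registry\machine\software\microsoft\windows\currentversion\run",
                  "Teams", r"C:\Program Files\Teams\Update.exe", "msiexec.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev.program, ev.key, ev.name, "->", evaluate(ev))
```

The second rule shows the Program Except field in use: an installer writing a Run entry is ignored, while the same write from a scripting host is flagged.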
Camera Usage (Windows)
The Camera Usage Activity rule lets you detect when a camera/webcam is used. You can detect the camera name and the application in which the camera is being used.
Camera Usage Rule Examples
Implement a privacy-friendly Webcam recording feature without actually interfering with an employee's camera. For example, create a Camera Usage rule with the RECORD VIDEO action to automatically start recording the screen when camera use is detected so that you can, for example, record meeting sessions.
Allow webcam usage only in your company's approved apps, such as Webex, and lock out the user when other apps try to use the camera to reduce security and privacy risks.
Respect user privacy by only recording with a specific camera. For example, record screen sessions of remote users by tracking the camera supplied by the company, and do not record when the user is using their personal/built-in webcam.
Camera Usage Rule Criteria
The table below explains what criteria the Camera Usage Activity rules support and what conditions you can use with them.
Capture Any Events
This criterion lets you detect if any camera is turned on in any application.
If you use this option without any other criteria, Teramind will trigger the rule for any camera use activity in any application.
Camera Name
Use this criterion to specify the camera(s) you want to detect.
Finding the Camera Names
You can find the name of all the available cameras (built-in or external) on the Windows Device Manager, under Cameras:
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List and specify a “matches list” or “equals list” condition.
Similarly, you can exclude any cameras by specifying them in the Except field.
Camera Application Name
Use this criterion to specify the applications you want to detect that might be using the camera.
You can enter some text in the condition field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List and specify a “matches list”, or “equals list” condition.
Similarly, you can exclude any applications by specifying them in the Except field.
Windows Log Event (Windows)
This is a preview feature and might not always produce the expected results. We do not recommend using it for any critical operations.
We also do not recommend using this rule on a shared machine such as a Citrix/RDP server. There are often multiple users - all contributing to a much bigger event log. This might cause performance issues.
If you have any feedback or bug reports about this feature, please send them to [email protected].
Windows events are all the activities tracked by the OS. These include Applications, System, Security, Hardware, etc.
You can see a list of all Windows events on the Windows Event Viewer:
The ability to detect these events is a very powerful tool because it allows an administrator to identify issues with the computer, discover security gaps, and stop potential threats.
The Windows Log Event Activity rule allows you to detect these Windows events.
Windows Log Event Rule Examples
Detect if a user or an app has cleared the audit log (e.g., event ID 1102) - often used by attackers to cover their footprint.
Identify failed attempts to log in (event ID 4625) by potential hackers.
Detect enumeration of a user's local group membership (event ID 4798), a reconnaissance step that might indicate malicious activity.
Monitor if scheduled tasks were created (4698) because malware often creates automated tasks to provide persistent access to a compromised system.
Diagnose errors, system failures, performance issues, and other problems.
Windows Log Event Rule Criteria
The Windows Log Event Activity rules come with only one criterion.
Event ID
Use this criterion to specify one or more Windows event IDs.
You can enter numeric values in the condition field and use the “=”, “>”, “>=”, and “<” logic.
Similarly, you can use the Except field to specify an exception.