Sample Rules Walkthrough

Updated over a month ago

Custom Alert Template Used

For some of the Warn and Block actions for the sample rules, we enabled the Use HTML Template option and used the following Custom alert template settings (Configurations > Settings > Alerts screen):

If you want your rule alerts to look like the samples, you can use the following settings:

Position on screen: Center

Width: 500

Height: 150

HTML template:

<center><div style="background-color: #ffdddd; padding: 16px; margin-bottom: 15px; font-family: Arial;"><p style="color: #d8000c; font-size: 20px;">%ALERT%</p><button style="padding:5px; background-color: #f44336; color: white;">OK</button></div></center>

To learn how to customize the alert message, HTML template, and other settings, check out the How to customize Teramind to suit your preferences and brand article in the Knowledge Base.

Rule Sample 1: User logs in during off hours

Rule Summary

This example shows how you can create a Schedule rule to detect a user attempting to log in during off-hours.

Setting Up the Rule

General Settings

On the first tab, General Settings, we assigned a Rule Name and a Parent Policy for the rule since these are mandatory.

For Rule Type we selected Schedule since we are looking to detect a user’s login time.

We left the other settings untouched as we don’t need them for this example.

Employees

For the Employees tab, we chose to manually add the users (by disabling the Inherit targets from Parent Policy option). We also decided to apply this rule to the employees in the Marketing department only. To do so, we first created a department named “Marketing” and then edited the selected users’ profiles and assigned them to this department.

Schedule

We have selected the Login schedule violation type so that we can monitor the login attempts.

We have set up off-hours from 00:00 – 08:00 (12:00 AM – 8:00 AM). Any attempt to log in during this period will trigger the rule.

If you wanted, you could set up additional options such as restricted IPs or exclude any days you don’t want to monitor.

Actions

Finally, for the last tab, Actions, we have selected the Warn action to show a warning to the offending user. For this last action, we decided to enable the Use HTML Template option to make the alert prominent to the user.

Viewing the Rule Alerts

You can use the Behavior Alerts dashboard to view a report of all rule violation alerts and trends. The “Grid” widget located below the screen shows a list of all the alerts:

You can see that John Smith triggered the rule.

Click the Movie Camera icon to view the Session Recording of the incident.

Viewing the Session Recording

Here you can see the Session Player showing how the alert message looks on the employee’s desktop:

When a user logs in outside our set schedule, they will see a warning message. Note that the login time is based on the user’s local time.

In the screenshot, you can see that John Smith signed in at 2:25 AM. Since the action meets the rule criteria (Login: between 12:00 AM – 8:00 AM), the rule is triggered.
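The local-time evaluation described above, as an added Python example that is not Teramind's code: it checks UTC-logged login events against the 00:00 – 08:00 window in each user's own time zone. The log format, user names, UTC offsets and the exclusive window end are assumptions made for the illustration.

```python
from datetime import datetime, time, timedelta, timezone

# Off-hours window from the rule: 00:00 - 08:00 (end treated as exclusive: assumption).
OFF_START, OFF_END = time(0, 0), time(8, 0)

# Constructed sample data: per-user UTC offsets and login events logged in UTC.
USER_UTC_OFFSET_HOURS = {"john.smith": -5, "jane.roe": 1}
LOGINS = [
    "2025-08-06T07:25:00Z john.smith login",
    "2025-08-06T07:25:00Z jane.roe login",
    "2025-08-06T23:30:00Z jane.roe login",
    "2025-08-06T14:00:00Z john.smith login",
]


def in_window(t, start, end):
    """True if t is in [start, end); also handles windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def off_hours_logins(lines, offsets, start=OFF_START, end=OFF_END):
    """Return (user, local timestamp) for each login inside the off-hours window."""
    hits = []
    for line in lines:
        ts, user, event = line.split()
        if event != "login" or user not in offsets:
            continue
        utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Convert to the user's local time before comparing with the window.
        local = utc.astimezone(timezone(timedelta(hours=offsets[user])))
        if in_window(local.time(), start, end):
            hits.append((user, local.strftime("%Y-%m-%d %H:%M")))
    return hits


if __name__ == "__main__":
    for user, when in off_hours_logins(LOGINS, USER_UTC_OFFSET_HOURS):
        print(f"off-hours login: {user} at {when} (local)")
```

The same UTC instant (07:25Z) is a violation for one user and not for the other, which is why a review of these alerts should compare local times rather than server times.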

Rule Sample 2: User sending emails with attachments to non-business addresses

Rule Summary

This example shows how you can create a simple Activity rule to warn a user when they send an email to a non-business email address.

Setting Up the Rule

General Settings

On the first tab, General Settings, we assigned a Rule Name and a Parent Policy for the rule since these are mandatory.

For Rule Type we selected Activity since we are looking to detect a user action (the act of sending an email). We have selected Emails for Select the type of activities because we want to track emails.

We left the other settings untouched as we don’t need them for this example.

Employees

For the Employees tab, we chose to use the policy’s setting (by enabling the Inherit targets from Parent Policy option).

Emails

We have added three criteria to the Emails activity.

Mail To

For the first criterion, Mail to, we have specified several email domains that we would consider as “non-business” addresses and used a contains logic to detect even a partial match.

Has Attachments

We have set Yes for the second criterion, Has Attachments, to detect emails with attachments.

Mail Direction

For the third criterion, Mail Direction, we have selected “Outgoing” to detect only the outgoing emails.

Actions

Finally, for the last tab, Actions, we have selected the Warn action to show a warning to the offending user. For this last action, we decided not to use the HTML template (disabled the Use HTML Template option).

Viewing the Rule Alerts

You can use the Behavior Alerts dashboard to view a report of all rule violation alerts and trends. The “Grid” widget located below the screen shows a list of all the alerts:

You can see that, on 2025-08-06, employee John Doe sent an outgoing email to a non-business email account, which triggered the rule.

Click the Movie Camera icon to view the Session Recording of the incident.

Viewing the Session Recording

Here you can see the Session Player showing how the alert message looks on the employee’s desktop:

As soon as the user sends an email to a non-business address, the rule’s warning message is shown on the top-right corner of their screen.

You will notice that the message is very barebones and may fail to attract any attention. You can change that by customizing the rule messages and alerts.

Rule Sample 3: Block file uploads to cloud drives

Rule Summary

This example shows how you can create an Activity rule to block a user and display a message for attempting to upload files to certain cloud drive(s).

Setting Up the Rule

General Settings

On the first tab, General Settings, we assigned a Rule Name and a Parent Policy for the rule since these are mandatory.

For Rule Type we selected Activity since we are looking to detect a user action (the act of uploading a file). We have selected Files for Select the type of activities because we want to track file uploads.

We left the other settings untouched as we don’t need them for this example.

Employees

For the Employees tab, we chose to manually add the users (by disabling the Inherit targets from Parent Policy option). We added “Everyone” for the main targets (in the Assign to field), but we excluded the “Sales” department from the rule by assigning it in the Exclude from rule field.

Files

For Files, we added two condition blocks and four criteria.

File Operation

We have added two conditions for the File Operation criterion. The first is “Upload” and the second is “Write”.

The first File Operation, “Upload” under Condition 1, will be used with the Upload URL criterion to detect file uploads via the web version of the cloud drive (e.g., Google Drive web).

The second File Operation, “Write” under Condition 2, will be used with the Cloud Provider criterion to detect file uploads via the desktop app version of the cloud drive.

Upload URL

For the third criterion, “Upload URL” under Condition 1, we have specified part of a URL with the “contains” logic to detect Google Drive’s web upload path.

Cloud Provider

For the fourth and final criterion, “Cloud provider” under Condition 2, we have selected “Google Drive”. You could select other drives like Box, Dropbox, etc. But remember to change the Upload URL accordingly.

Actions

Finally, for the last tab, Actions, we have selected the Block action to block the activity and, at the same time, show a message to the user. We decided to enable the Use HTML Template option to make the alert prominent to the user.

Viewing the Rule Alerts

You can use the Behavior Alerts dashboard to view a report of all rule violation alerts and trends. The “Grid” widget located below the screen shows a list of all the alerts:

You can see that, on 2025-08-06, employee John Smith triggered the alert. If you look at the Triggers column, you will notice that the URL was “...google.com/upload/...”. That’s an upload attempt via the Google Drive web version. The rule blocked his action.

Click the Movie Camera icon to view the Session Recording of the incident.

Viewing the Session Recording

Here you can see the Session Player showing how the alert message looks on the employee’s desktop:

You can see that, as soon as the user attempts to upload a file named “sensitive.txt”, the rule is triggered as the filename contains one of our specified keywords, “sensitive”.

The rule shows the message we specified, and the upload operation is blocked.

Rule Sample 4: Block sharing of sensitive content

Rule Summary

This example shows how you can create a Content rule to block a user and display a message for attempting to send emails (including email attachments) containing credit card numbers. The numbers are detected using the built-in Predefined Classified Data discovery and classification feature.

Setting Up the Rule

General Settings

On the first tab, General Settings, we assigned a Rule Name and a Parent Policy for the rule since these are mandatory.

For Rule Type we selected Content Sharing since we are interested in detecting sensitive content. We have selected Emails for Select the type of contents because we want to stop data exfiltration via emails.

We left the other settings untouched as we don’t need them for this example.

Employees

For the Employees tab, we chose to use the policy’s setting (by enabling the Inherit targets from Parent Policy option).

Content

For the Content tab, we used a built-in template, “Predefined Classified Data”, and then selected the “Financial Data” category to detect “Credit Card Number”.

For the Detection mode, we selected “Loose” as we want to detect most ‘credit card-like’ numbers.

The rule will trigger even if there’s only one credit card number detected. We did so by entering a value of “1” in the Pattern frequency trigger field.
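To show how a loose detection mode and a pattern frequency threshold interact, here is an added Python example (not Teramind's detection code) that scans a constructed CSV for card-shaped numbers. The page does not say how “Loose” works internally; treating it as shape-only matching, and a stricter mode as additionally requiring the Luhn checksum, is an assumption, as are all function names and sample values.

```python
import re

# Card-shaped candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample data: two checksum-valid test numbers, one checksum-invalid
# 16-digit number, and a 13-digit order reference that merely looks card-like.
SAMPLE_CSV = """customer,card,amount
A. Example,4111 1111 1111 1111,19.99
B. Example,5555-5555-5555-4444,5.00
C. Example,1234567890123456,42.00
order-ref,2025080612345,0
"""


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text, mode="loose"):
    """Assumed semantics: 'loose' = shape only; 'strict' = shape plus Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if mode == "loose" or luhn_ok(digits):
            found.append(digits)
    return found


def rule_triggers(text, mode="loose", frequency=1):
    """Mirror of the 'Pattern frequency trigger': fire at >= frequency matches."""
    return len(find_card_numbers(text, mode)) >= frequency


if __name__ == "__main__":
    for mode in ("loose", "strict"):
        print(mode, find_card_numbers(SAMPLE_CSV, mode))
```

With a frequency of 1, the shape-only mode fires on the order reference alone, so a test file for a rule like this should include both real-format and look-alike numbers to gauge the false-positive rate.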

Emails

Has Attachments

For the Emails tab, the first criterion we used is “Has attachments”, which will detect if the email has any attachments.

Mail Direction

For the second criterion, Mail Direction, we selected “Outgoing” as we want to detect only outgoing emails.

Actions

Finally, for the last tab, Actions, we have selected the Block action to block the activity and, at the same time, show a message to the user. We decided to enable the Use HTML Template option to make the alert prominent to the user.

Test File

We used this test file, “payment info.csv”, which contains some sample credit card numbers. When the user tries to send the file via email, it will trigger the rule.

Viewing the Rule Alerts

You can use the Behavior Alerts dashboard to view a report of all rule violation alerts and trends. The “Grid” widget located below the screen shows a list of all the alerts:

You can see that, on 2015-08-08, employee John Smith triggered the rule.

Click the Movie Camera icon to view the Session Recording of the incident.

Viewing the Session Recording

Here you can see the Session Player showing how the alert message looks on the employee’s desktop:

You can see that, as soon as the user attempts to email a file named “payment info.csv”, the rule is triggered as the attachment contains credit card numbers.

Note that in Gmail, the attachment will get stuck after uploading for a bit.
