How to create a behavior rule

Updated over a month ago

Introduction

Behavior Rules are the central component of Teramind's platform, driving its capabilities in insider threat detection, data loss prevention, compliance, and productivity optimization.

This guide walks you through the steps required to build, configure, and activate a new Behavior Rule from start to finish. As a running example, we will create an Activity rule designed to detect when users visit a specific website in incognito/private mode and take appropriate action(s).

Step 1: Access the Rule Editor

1. From the main menu, navigate to Configurations > Behavior Policies.

2. Click the New Rule button. This will open the Rule Editor where you will configure your rule in the subsequent tabs.

Step 2: General Settings: Configure the rule's basic details

3. Enter a Rule Name.

4. Optionally, provide a Rule Description.

5. Select the Parent Policy the rule will belong to.

6. Select a Rule Type from the drop-down menu. There are three types of rules you can select from:

  • Activity: With this type of rule, you can detect user and application activities such as visiting a website, uploading a file, etc.

  • Content Sharing: These rules are used to detect content or text inside a monitored object. For example, detect uploading a file when it contains credit card numbers.

  • Schedule: These rules are used to detect employee schedule discrepancies such as when an employee is late, logged in at odd hours, etc.

In our example, we selected the Activity rule type.

7. Optionally, select or enter Tags. Tags are keywords you can assign to a rule to easily identify it.

8. Once you select a Rule Type, you can then Select the type of activities (for the Activity rule type) or Select the type of contents (for the Content Sharing rule type). These are the monitoring channels the rule will detect.

In our example, we selected the Webpages activity type.

9. Optionally, you can set a Rule violation severity to specify a risk level for the rule. You can either drag the slider or use the number field to enter the severity.

10. Optionally, you can change the rule schedule under the Time when rule is active section by dragging the two small Orange Circles.

Check out the Understanding Common Rule Elements section of the Rules Guide to learn more about General Settings.

Step 3: Employees: Assign rule targets

The Employees tab allows you to specify which targets (employees, departments, computers, etc.) the rule will apply to.

11. By default, the rule will inherit the rule targets from its parent policy. However, you can turn off the Inherit targets from Parent Policy option to select them manually:

12. Select employees, computers, and/or departments from the Apply rule to field.

13. Optionally, you can exclude any targets you don't want to be included using the Exclude from rule field. For example, if you included a department in the Apply rule to field but want to exclude a few employees from that department, you can list them in the Exclude from rule field.

In our example, we selected an employee, a computer and a department in the Apply rule to field and specified a few employees in the Exclude from rule field.

  • Check out the Employees section of the Rules Guide to learn about how to assign employees to a rule.

  • Check out the Policies section of the User Guide to learn about policies.

Step 4: Webpages: Define detection criteria and conditions

This tab is dynamic and changes based on the monitoring channel selected in Step 6. This is where you define the specific conditions that must be met for the rule to trigger. In this case, since we selected the Webpages activity, we can set criteria and conditions to detect various web browsing activities.

14. You will see a default Condition 1 condition block already added. Click the Add button to add a rule criterion to this condition block. Rule criteria let you define detection parameters for the rule.

15. Select the Webpage url criterion and enter a URL or part of a URL you want to detect. For example, "facebook.com". Then, select a match condition such as "Contains". Note that you can also use a Shared List, a regular expression and other conditions with the criteria.

16. Click the New Condition button to add a second condition block.

17. Click the Add button in the second condition block to add a criterion to it.

18. Select the Private Mode criterion and set it to "Yes".

Note: Condition Blocks work together with "AND" logic to trigger the rule. In our example, both Condition 1 and Condition 2 must be satisfied for the rule to trigger.

  • Check out the Understanding Common Rule Elements section of the Rules Guide to learn more about rule conditions, criteria, rule logic, etc.

  • Check out the Webpages rule section of the Rules Guide to learn more about criteria supported by this rule type.
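To make the condition logic above concrete, here is an added example that models how condition blocks and criteria combine. It is illustrative code written for this guide, not Teramind code, and it does not use Teramind's API. It assumes that every criterion inside one block must match (the guide only states that blocks are ANDed), that an "in shared list" match means any list entry appears in the URL, and that a webpage event is a dictionary with "url" and "private_mode" keys. The events and the shared list are constructed sample data.

```python
"""Model of how Behavior Rule condition blocks and criteria combine.

Illustrative code written for this guide; it is not Teramind code and does not use
Teramind's API. Assumptions: criteria inside one block must all match, the
"in_list" operator matches when any list entry appears in the URL, and events are
dicts with "url" and "private_mode" keys.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Union

# Constructed stand-in for a Shared List of social-media domains.
SOCIAL_MEDIA_LIST: Set[str] = {"facebook.com", "twitter.com", "instagram.com"}


@dataclass
class Criterion:
    attribute: str                  # event attribute the criterion inspects
    operator: str                   # "contains", "regex", "in_list" or "equals"
    value: Union[str, bool, Set[str]]

    def matches(self, event: Dict[str, object]) -> bool:
        actual = event.get(self.attribute)
        if actual is None:
            return False
        if self.operator == "contains":
            return str(self.value).lower() in str(actual).lower()
        if self.operator == "regex":
            return re.search(str(self.value), str(actual), re.IGNORECASE) is not None
        if self.operator == "in_list":
            return any(entry.lower() in str(actual).lower() for entry in self.value)
        if self.operator == "equals":
            return actual == self.value
        raise ValueError(f"unknown operator: {self.operator!r}")


@dataclass
class ConditionBlock:
    criteria: List[Criterion]

    def satisfied(self, event: Dict[str, object]) -> bool:
        # Assumption: every criterion inside a block must match.
        return all(c.matches(event) for c in self.criteria)


@dataclass
class Rule:
    name: str
    blocks: List[ConditionBlock]

    def triggers(self, event: Dict[str, object]) -> bool:
        # Condition blocks combine with AND: all of them must be satisfied.
        return all(b.satisfied(event) for b in self.blocks)


# The rule built in this guide: Webpage url "Contains" facebook.com AND Private Mode = Yes.
INCOGNITO_FACEBOOK = Rule("Facebook in private mode", [
    ConditionBlock([Criterion("url", "contains", "facebook.com")]),
    ConditionBlock([Criterion("private_mode", "equals", True)]),
])

# Same intent with a regular expression anchored on the host, so that look-alike
# hosts such as facebook.com.<other-domain> do not match.
INCOGNITO_FACEBOOK_STRICT = Rule("Facebook (host-anchored) in private mode", [
    ConditionBlock([Criterion("url", "regex", r"^https?://([a-z0-9-]+\.)*facebook\.com(/|$)")]),
    ConditionBlock([Criterion("private_mode", "equals", True)]),
])

# Variant using the shared list instead of a single URL fragment.
SOCIAL_PRIVATE = Rule("Any listed social site in private mode", [
    ConditionBlock([Criterion("url", "in_list", SOCIAL_MEDIA_LIST)]),
    ConditionBlock([Criterion("private_mode", "equals", True)]),
])

# Constructed webpage events; not real telemetry.
SAMPLE_EVENTS = [
    {"user": "alice", "url": "https://www.facebook.com/groups/x", "private_mode": True},
    {"user": "bob", "url": "https://www.facebook.com/", "private_mode": False},
    {"user": "carol", "url": "https://intranet.example.local/wiki", "private_mode": True},
    {"user": "dave", "url": "https://m.facebook.com/messages", "private_mode": True},
    {"user": "erin", "url": "https://facebook.com.notes.example/", "private_mode": True},
    {"user": "frank", "url": "https://twitter.com/home", "private_mode": True},
]


def evaluate(rule: Rule, events: List[Dict[str, object]]) -> List[str]:
    """Return the users whose events would trigger the rule, in event order."""
    return [str(e["user"]) for e in events if rule.triggers(e)]


if __name__ == "__main__":
    for rule in (INCOGNITO_FACEBOOK, INCOGNITO_FACEBOOK_STRICT, SOCIAL_PRIVATE):
        print(f"{rule.name}: {evaluate(rule, SAMPLE_EVENTS)}")
```

Running it shows why the match condition matters when tuning a rule: "Contains facebook.com" also fires for the look-alike host in erin's event, while the host-anchored regular expression fires only for real facebook.com pages, and the shared-list variant covers every listed site in one rule. Bob's visit never triggers any of the three rules because the Private Mode block is not satisfied.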

Step 5: Actions: Set up what actions to take on rule violation

The Actions tab is where you define the system's response to a rule violation.

Basic

The Basic mode is the easiest way to configure actions and is recommended for beginners.

19. Select one or more actions according to your need. For example, choose the Notify action to notify one or more users about the rule violation. Choose the Warn action to show the user a warning, etc.

Advanced

In Advanced mode, you can set up risk thresholds and severity levels for the rule and trigger different actions based on how often a rule is violated.

20. From the Choose time period for threshold list, select the desired time period for your thresholds (e.g., Hourly, Daily, Monthly).

21. In the Choose maximum numbers of saved alerts per day field, enter the maximum number of alerts that can be triggered for this rule in a single day.

22. Click the New Threshold button to add a new threshold. For each threshold you add, you can set the following:

  • Enter a number in the Frequency field to define how many times the rule can be violated before an action is triggered.

  • Select a risk severity from the Severity drop-down list. Your options are None, Low, Moderate, High, or Critical.

23. Click the Add button to add one or more actions. These actions (e.g., Notify, Warn) are the same as those available in the Basic mode.

Check out the Defining Rule Actions section of the Rules Guide to learn more about rule actions.
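To illustrate how the Advanced mode settings in steps 20 to 23 interact, here is an added example that models frequency thresholds, severities and the daily alert cap. It is illustrative code written for this guide, not Teramind's implementation. It assumes that the time period is a calendar bucket (hour, day or month) counted per user, that an action fires on every violation at or above a threshold's frequency using the highest threshold reached, and that the daily cap applies to the rule as a whole; the threshold values and the violation stream are constructed.

```python
"""Model of the Advanced action mode: frequency thresholds, severities and a daily alert cap.

Illustrative code written for this guide, not Teramind's implementation. Assumptions:
the time period is a calendar bucket (hour, day, month) counted per user; an action fires
on every violation at or above a threshold's frequency, using the highest threshold
reached; the daily cap applies to the rule as a whole.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Threshold:
    frequency: int            # violations within the period before this threshold applies
    severity: str             # None, Low, Moderate, High or Critical
    actions: Tuple[str, ...]  # actions to fire, e.g. ("Notify", "Warn")


def period_key(ts: datetime, period: str) -> str:
    """Bucket a timestamp into the selected threshold time period (calendar buckets assumed)."""
    fmt = {"Hourly": "%Y-%m-%d %H", "Daily": "%Y-%m-%d", "Monthly": "%Y-%m"}
    if period not in fmt:
        raise ValueError(f"unsupported period: {period!r}")
    return ts.strftime(fmt[period])


class ThresholdEngine:
    def __init__(self, period: str, thresholds: List[Threshold], max_alerts_per_day: int):
        self.period = period
        self.thresholds = sorted(thresholds, key=lambda t: t.frequency)
        self.max_alerts_per_day = max_alerts_per_day
        self.violations: Dict[Tuple[str, str], int] = defaultdict(int)  # (user, bucket) -> count
        self.alerts_per_day: Dict[str, int] = defaultdict(int)          # day -> saved alerts
        self.suppressed = 0                                             # alerts dropped by the cap

    def record(self, user: str, ts: datetime) -> Optional[Dict[str, object]]:
        """Register one rule violation; return the alert raised, or None."""
        bucket = (user, period_key(ts, self.period))
        self.violations[bucket] += 1
        count = self.violations[bucket]
        reached = [t for t in self.thresholds if count >= t.frequency]
        if not reached:
            return None                      # below the lowest threshold: no action yet
        threshold = reached[-1]              # highest threshold reached
        day = ts.strftime("%Y-%m-%d")
        if self.alerts_per_day[day] >= self.max_alerts_per_day:
            self.suppressed += 1             # daily cap exhausted for this rule
            return None
        self.alerts_per_day[day] += 1
        return {"user": user, "time": ts.isoformat(), "count": count,
                "severity": threshold.severity, "actions": threshold.actions}


# Constructed configuration mirroring steps 20-23 (example values, not product defaults).
THRESHOLDS = [
    Threshold(frequency=1, severity="Low", actions=("Notify",)),
    Threshold(frequency=3, severity="High", actions=("Notify", "Warn")),
    Threshold(frequency=5, severity="Critical", actions=("Notify", "Warn")),
]

# Constructed violation stream: one noisy user and one occasional user on the same day.
VIOLATIONS = [
    ("alice", "2024-05-06 09:00"), ("alice", "2024-05-06 09:30"),
    ("alice", "2024-05-06 10:15"), ("alice", "2024-05-06 11:00"),
    ("alice", "2024-05-06 11:40"), ("alice", "2024-05-06 13:00"),
    ("bob", "2024-05-06 14:00"),
]


def simulate(period: str = "Daily", max_alerts_per_day: int = 4) -> Tuple[List[Dict[str, object]], int]:
    """Run the constructed violations through the engine; return (saved alerts, suppressed count)."""
    engine = ThresholdEngine(period, THRESHOLDS, max_alerts_per_day)
    alerts: List[Dict[str, object]] = []
    for user, when in VIOLATIONS:
        alert = engine.record(user, datetime.strptime(when, "%Y-%m-%d %H:%M"))
        if alert is not None:
            alerts.append(alert)
    return alerts, engine.suppressed


if __name__ == "__main__":
    saved, dropped = simulate()
    for a in saved:
        print(f"{a['time']} {a['user']} violation #{a['count']} -> {a['severity']} {a['actions']}")
    print(f"suppressed by daily cap: {dropped}")
```

With a Daily period and a cap of 4, alice's first two violations raise Low alerts, her third and fourth escalate to High, and then the cap is exhausted: her fifth and sixth violations, which would have reached Critical, are dropped, and so is bob's first violation later that day. In this model the cap is shared by everyone the rule applies to, so a single noisy user can consume the day's budget and hide the first violation of another user; choose the maximum alerts per day with that trade-off in mind. Switching the period to Hourly resets alice's count every hour, so she never climbs above Low.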

Step 6: Save and activate the rule

24. Click the Submit Rule button to save and activate the rule.