ITM / Endpoint DLP Detection Rules

This topic is for ITM / Endpoint DLP rules only.

Detection rules detect user activities and system events. When a rule matches, it can raise an alert, send a notification or tag the activity.

You can create detection rules using any field or condition. You create rules using if-then logic with Boolean operators.

Rules can be created from scratch, using conditions (see Conditions) or using items from the Threat Library. (See Using the Threat Library.)

Each rule is assigned a severity level (low, medium, high or critical) according to your organization's needs.

For example, you can create rules that detect accidental or malicious activities such as downloading, uploading, deleting, and more.

Examples of detection rules for triggering alerts include:

  • triggering a low alert whenever a file is copied to a USB
  • triggering a medium alert whenever a file is exfiltrated to Dropbox or Google Drive
  • triggering a high alert when a user logs in to an unauthorized server
  • triggering a critical alert when sensitive files or folders are copied during irregular hours
  • triggering an alert when content matches a specific detector, such as credit card numbers

Detection of file exfiltration to USB is supported for exfiltration via Windows/File Explorer only. File exfiltration from other applications, such as Outlook, is not supported.
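To make the if-then logic, Boolean operators, severity levels and the File Explorer-only USB caveat concrete, here is an added Python model of rule evaluation over a few constructed events. It is example code written for this page, not the product's rule syntax, event schema or detector engine: the event fields, the process name explorer.exe for File Explorer, the business-hours window and the authorized-server allow-list are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, List, Tuple

# Constructed event model (assumption: not the product's real schema).
@dataclass
class Event:
    action: str            # "copy", "upload", "login"
    source_app: str        # process that performed the action
    destination: str       # "usb", "dropbox", "google_drive", "server:<name>"
    path: str
    timestamp: datetime
    sensitive: bool = False                          # classification flag
    detectors: List[str] = field(default_factory=list)  # content detectors that matched

@dataclass
class Rule:
    name: str
    severity: str                       # low | medium | high | critical
    condition: Callable[[Event], bool]  # the "if" part, built from Boolean operators

SEVERITY_ORDER = ("low", "medium", "high", "critical")

AUTHORIZED_SERVERS = {"server:fs01", "server:db01"}   # assumed allow-list
CLOUD_STORAGE = {"dropbox", "google_drive"}
FILE_EXPLORER = "explorer.exe"                        # assumed process name for Windows/File Explorer

def irregular_hours(ts: datetime) -> bool:
    """Assumed business hours are 07:00-20:00; anything else is irregular."""
    return ts.hour < 7 or ts.hour >= 20

RULES = [
    # USB detection is only supported via File Explorer, so the source app is part of the condition.
    Rule("file copied to USB", "low",
         lambda e: e.action == "copy" and e.destination == "usb" and e.source_app == FILE_EXPLORER),
    Rule("exfiltration to cloud storage", "medium",
         lambda e: e.action == "upload" and e.destination in CLOUD_STORAGE),
    Rule("login to unauthorized server", "high",
         lambda e: e.action == "login" and e.destination.startswith("server:")
                   and e.destination not in AUTHORIZED_SERVERS),
    Rule("sensitive file copied during irregular hours", "critical",
         lambda e: e.action == "copy" and e.sensitive and irregular_hours(e.timestamp)),
    Rule("credit card detector matched", "medium",
         lambda e: "credit_card" in e.detectors),
]

def evaluate(rules: List[Rule], event: Event) -> List[Tuple[str, str]]:
    """Return (rule name, severity) for every rule whose condition holds; several rules may fire."""
    return [(r.name, r.severity) for r in rules if r.condition(event)]

def highest_severity(alerts: List[Tuple[str, str]]) -> str:
    """Collapse fired rules to the most severe level, or 'none' if nothing fired."""
    if not alerts:
        return "none"
    return max((sev for _, sev in alerts), key=SEVERITY_ORDER.index)

# Constructed sample events (not real telemetry).
T_DAY = datetime(2024, 5, 6, 14, 30)
T_NIGHT = datetime(2024, 5, 6, 2, 15)
SAMPLE_EVENTS = {
    "usb_explorer":  Event("copy", "explorer.exe", "usb", r"C:\Users\a\report.docx", T_DAY),
    "usb_outlook":   Event("copy", "outlook.exe", "usb", r"C:\Users\a\report.docx", T_DAY),  # not detectable
    "dropbox":       Event("upload", "chrome.exe", "dropbox", r"C:\Users\a\plan.xlsx", T_DAY),
    "bad_server":    Event("login", "ssh.exe", "server:build42", "", T_DAY),
    "night_usb":     Event("copy", "explorer.exe", "usb", r"C:\Finance\payroll.xlsx", T_NIGHT, sensitive=True),
    "gdrive_cards":  Event("upload", "chrome.exe", "google_drive", r"C:\Users\a\cust.csv", T_DAY,
                           detectors=["credit_card"]),
}

def run_samples() -> dict:
    """Evaluate every sample event and return {name: highest severity}."""
    return {name: highest_severity(evaluate(RULES, ev)) for name, ev in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:14} -> {evaluate(RULES, ev)}")
```

Note that the night-time USB copy fires two rules at once (low and critical); the model keeps both alerts and only collapses to the highest level when asked, which is the behaviour you want when a rule also tags the activity. The Outlook copy fires nothing, matching the documented limitation rather than silently over-reporting.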


Related Topics:

ITM / Endpoint DLP Prevention Rules

Explorations

Alerts