Detection Rules

Detection rules are used to detect user activities and system events. Detection rules let you raise alerts, fire notifications or tag activities.

You can create detection rules using any field or condition. You create rules using if-then logic with Boolean operators.

Rules can be created from scratch, using conditions (see Conditions) or using items from the Threat Library. (See Using the Threat Library.)

Rules are assign a severity level (low, medium, high, critical) according to your organization's needs.

For example, you can create rules that detect accidental or malicious activities such as downloading, uploading, deleting, and more.

Examples of detection rules for triggering alerts include:

• triggering a low alert whenever a file is copied to a USB
• triggering a medium alert whenever a file is exfiltrated to Dropbox or Google Drive
• triggering a high alert when users logs in to unauthorized servers
• triggering a critical alert when sensitive files or folders are copied during irregular hours
• triggering an alert for when a specific detector is scanned, such as credit card numbers

Detection of file exfiltration to USB is supported for exfiltration via Windows/File Explorer only. File exfiltration from other applications, such as Outlook is not supported.

Alerts and Detection Rules

When creating alerts from detection rules, you determine what the rule will apply to. You may want the rule to apply to all endpoint agents across the Realm or apply the rule across other products as well. You can apply more granular control and assign the rules to specific Realms.

Source Defaults (Source Target Rules)

This feature is available on request. Contact your Proofpoint Account Representative or the Support Team for more information.

Source Defaults let you assign a detection rule to activity event sources. Endpoint Agent Source is selected by default.   By selecting additional sources, you can use detection rules across activities provided by other products in the Information and Cloud Security suite.

For more information, see Source Defaults for Detection Rules.

Rule Sets

This feature is available on request. Contact your Proofpoint Account Representative or the Support Team for more information.

Use this option to assign a rule to specific Agent Realms. The rule is included in the Rule Set you previously define. This provides more granular control so this rule only fires according when the activity occurs in the Agent Realm specified in the selected Rule Set. (See Rule Sets.)

Rule sets take priority over the selected Source Defaults. The Source Default will not apply if a Rule Set is selected.

Detection Rule Features

Detection rules support the following features.

Rule Tags

This feature is available on request. Contact your Proofpoint representative.

Rule Tags are tags associated with a rule that help you identify, filter and categorize rules. You can assign multiple tags to a rule. (See .)

Rule tags are assigned in the Rules view in the General tab. Tags are created in Tag Management. (See Tag Management .)

Tag Matching Activities

Tag matching activities let you assign tags in the Then section of the rule. These tags will be added to all activities that match this rule.

To display the tags in the Alerts view, edit the columns to include rule tags by clicking Edit Columns and selecting Alert > Rule Tags from the fields. (See Alerts.)

Alert Management

Alert Management lets you update the alert severity, its status and assignee.

• Severity: Select Critical, High, Medium or Low severity level.

• Status: Select from the status from the dropdown. Statuses are workflow statuses that you can customize in Alerts Workflow (Admin> Definitions > Alerts Workflow). See Alerts Workflow.
  

• Assignee: Select from the list, which users will receive the alert.

In the Advanced Options area, you can define the order when multiple alerts have the same status and/or assignee. The alert with the highest order is assigned the status and/or assignee.

Notification Policies

Notification Policies let you select the notifications that you assign to an ITM / Endpoint DLP rule.

You can set up Notification Policy that sends an SMS, email or webhook message when an activity is detected. notifications to users so they are informed when an alert is triggered.

(See Creating a Notification Policy for a Rule.)

You can create, modify and review notifications from Integrations > Notifications in the Administration app.

In the Then area, you select which notifications you want to add to the rule clicking Add Notification Policy and then selection the notification you want from the list.

Drop Matching Activity

This feature is available on request. Contact your Proofpoint representative.

Turn on Drop Matching Activity if you want to drop any activity that matches the rule. When this option is turned on, matching activity is not ingested or displayed in the Rule Versions

Rule Versions

As you modify your rules you can always view and previous versions. This is useful to keep track of changes and if you want revert to a previous version.

1. To see the versions, from the list of rules, click the rule you want.

   The versions display in the Versions area of the details.

   

2. To view the versions, click View.

   

3. For more details. click the version you want.

   To revert to a version, select the version you want, and click Revert to this version.

   To view as a JSON, click View as JSON.

   

4. Click Done.

---

Related Topics:

ITM / Endpoint DLP Prevention Rules

Explorations

Alerts