Threat Library Rules
This topic describes the rules in the Threat Library. The rules are grouped by categories to help navigation and facilitate using and maintaining them.
For more information about the Threat Library and how to use it see:
Categories
Threat Library rules are associated with a category to help you navigate and see what is available and facilitate using and maintaining the rules.
If you have the DLP-only solution, only some items are included, see Data Exfiltration. In the Threat Library list, these are indicated by 
tag.
- Bypassing Security Controls
- Careless Behavior
- Copyright Infringement
- Creating Backdoor
- Data Exfiltration
- Data Infiltration
- Hiding Information and Covering Tracks
- Installing/Uninstalling Questionable Software
- Observing Proofpoint Components
- Performing Unauthorized Admin Tasks
- Running Malicious Software
- Searching for Information
- Time Fraud
- Unauthorized Active Directory Activity
- Unauthorized Activity on Server
- Unauthorized Data Access
- Unauthorized DBA Activity
- Unacceptable Use
- Unauthorized Machine Access
Bypassing Security Controls
| Item Name | Description |
|---|---|
| Adding Windows Firewall Rules | Detects when a user opens the built-in Windows screen of Add New Rule in Firewall settings to define a new rule. This condition does not apply to Windows 10. |
| Browsing to website related to MIMIKATZ utility | Detects when a user browses or searches website related to the MIMIKATZ utility which allows playing with Windows security. |
| Changing computer date or time | Detects when a user opens the date and time settings dialog, potentially to manipulate the documentation of user actions, or to avoid expiration of time-limited SW license. This condition does not apply to Windows 10. |
| Changing Internet security settings on Internet Explorer | Detects when a user customizes the security level in Internet Properties of Internet Explorer. The operation can indicate an early intent to bypass security controls and bring in some danger. |
| Configuring Windows Firewall status | Detects when a user opens the built-in Windows screen of Firewall settings, potentially to turn it off before performing networking that is usually blocked by Firewall. This condition does not apply to Windows 10. |
| Configuring Windows LAN or Proxy Settings | Detects when a user opens the LAN/Proxy settings, potentially to configure one that will allow internet access through a 3rd party in order to hide the user identity. This condition does not apply to Windows 10. |
| Configuring Windows VPN Connection | Detects when a user opens the built-in Windows screen of VPN settings, potentially to configure one that will allow accessing a private network that is not available otherwise. This condition does not apply to Windows 10. |
| Creating a new virtual machine instance | Detects when a user creates a new virtual machine instance in one of the predefined virtualization solutions. |
| Downloading the MIMIKATZ utility | Detects when a user downloads a file related to the MIMIKATZ utility which allows playing with Windows security. |
| Running a partially monitored browser | Detects when a user uses Opera browser which is only partially monitored by ObserveIT (no URL capturing). This operation can indicate an early intent to hide information and cover tracks from the organization. |
| Running TOR browser | Detects when a user runs a TOR (The Onion Ring) browser in order to access the TOR network (the Dark Web). Such operation can indicate on a user that wants to hide his identity while performing illegal activity. |
| Running VPN, Proxy or Tunneling tool | Detects when a user uses advanced networking tools either to have access to private network or to hide the user identity. |
Careless Behavior
| Item Name | Description |
|---|---|
| Accessing file or folder sharing settings | Detects when a user opens the Windows dialog for file sharing settings or folder sharing settings. |
| Enabling Windows Remote Assistance from System Properties | Detects when a user opens the Remote tab within System Properties dialog to enable remote assistance. This action can indicate that the user plans to grant an access to this endpoint to a remote user. |
| Enabling Windows Remote Assistance | Detects when a user opens the Windows Remote Assistance dialog that is built in to the Windows Operating System. This action can indicate that the user plans to grant an access to this machine to a remote user. |
| Opening a clear text file that potentially stores passwords | Detects when a user potentially stores passwords in a file whose name is based on the word PASSWORD (and its variants). Being a bad security practice, such file names are searched by malicious codes as part of password harvesting. |
| Opening sharing settings on Mac | Detects when a user opens the Sharing settings in System Preferences on Mac, potentially to enable sharing and by that allow accessing this Mac from remote. |
| Running program with invalid digital signature | Detects cases where Windows Operating System displays a special warning popup upon opening a file with invalid digital signature. It usually happens upon running either files downloaded from Internet or files executed directly from a remote machine (using UNC). |
| Running software to enable sharing and access from remote machine | Detects when a user runs applications that enable desktop sharing with remote computers or applications that allow remote computers to access and control this computer. |
Copyright Infringement
| Item Name | Description |
|---|---|
| Running P2P tool to get or share copyrighted media | Detects when a user runs P2P (Peer to Peer) tools to either share or consume content that can be copyrighted and can expose the organizations to actions against copyright-violation. |
Creating Backdoor
| Item Name | Description |
|---|---|
| Adding a local Windows User | Detects when a user opens the Local Users and Groups screen potentially in order to add a local user. Such operation can indicate a potential security backdoor to be exploited later on. |
| Creating a new user in Active Directory | Detects when a user opens the Active Directory screen that is used for creating a new user. This action can be an indication to a potential security backdoor to be exploited later on. |
| Enabling unauthorized access via Network Policy Server | Detects when a user invokes Windows Network Policy Server that can be used in order to enable unauthorized access to a specific endpoint or from a specific endpoint. |
| Opening Users and Groups Preferences on Mac | Detects when a user opens the Users and Groups dialog which is part of the Preferences screens on Mac. |
| Resetting the password of Active Directory user | Detects when a user opens the Reset Password dialog of Active Directory in order to reset a user’s password. This action could indicate an intent to exploit a potential security backdoor by logging in to systems using the credentials of other users. |
| Setting up a VPN server | Detects when a user creates a new incoming connection by changing network adapter settings. The new incoming connection allows other people to access the endpoint and the network. |
Data Exfiltration
If you have the Endpoint DLP-only solution, only some items are included, see Data Exfiltration. In the Threat Library list, these are indicated by tag.
| Item Name | Description |
Endpoint DLP |
|---|---|---|
| Block any file copying or moving to USB device | Prevents any file copy or file move to any USB storage device. | X |
| Block any file exfiltration to any cloud sync folder | Block exfiltration of any file (regardless its origin, extension, classification label) to a local folder of any of the supported cloud sync vendors. | X |
| Block any file exfiltration to the web by uploading | Block exfiltration of any file (regardless its origin, extension, classification label) to any website by uploading it. | X |
| Block exfiltration to any cloud sync folder of a file with sensitive classification label | Block exfiltration to a local folder of any of the supported cloud sync vendors of any file which was set with a predefined sensitive classification label (such as MIP Label). | X |
| Block exfiltration to any cloud sync folder of a file with sensitive content | Block exfiltration to a local folder of any of the supported cloud sync vendors of any file with sensitive content based on predefined sensitive Detectors. | X |
| Block exfiltration to any USB device of a file with sensitive classification label | Block exfiltration to any USB device of any file which was set with a predefined sensitive classification label (such as MIP Label). | X |
| Block exfiltration to any USB device of a file with sensitive content | Block exfiltration to any USB device of any file with sensitive content based on predefined sensitive Detectors. | X |
| Block exfiltration to the web by uploading a file with sensitive classification label | Block exfiltration to the web by uploading of any file which was set with a predefined sensitive classification label (such as MIP Label) | X |
| Block exfiltration to the web by uploading a file with sensitive content | Block exfiltration to the web by uploading any file with sensitive content based on predefined sensitive Detectors | X |
| Browsing for files to be inserted as attachment in Outlook | Detects when a user browses for files to be inserted as attachment to email in Outlook. | |
| Connecting a USB device | Detects either a user that inserts a USB device or when an already connected USB device is detected. If there are USB devices that are officially approved to be used internally, it is recommended to exclude them either by their Serial Number or other property of USB devices. | X |
| Exfiltrating a file with sensitive file name to any destination | Detects when a user exfiltrates a file whose name is (or contains) a string which is predefined as sensitive. | X |
| Exfiltrating a non-tracked file larger than 1 GB to a cloud sync folder | Detects when a user exfiltrates a non-tracked file larger than 1 GB by copying or moving it to a cloud storage local sync folder of one of the supported vendors. | X |
| Exfiltrating a non-tracked file larger than 1 GB to a USB device | Detects when a user exfiltrates a non-tracked file larger than 1 GB to a USB storage device. | X |
| Exfiltrating a non-tracked file larger than 1 GB to the web by uploading | Detects when a user exfiltrates a non-tracked file larger than 1 GB to the web by uploading it. | X |
| Exfiltrating a non-tracked file larger than 10 MB to a cloud sync folder | Detects when a user exfiltrates a non-tracked file larger than 10 MB by copying or moving it to a cloud storage local sync folder of one of the supported vendors. | X |
| Exfiltrating a non-tracked file larger than 10 MB to a USB device | Detects when a user exfiltrates a non-tracked file larger than 10 MB to a USB storage device. | X |
| Name Exfiltrating a non-tracked file larger than 10 MB to the web by uploading | Detects when a user exfiltrates a non-tracked file larger than 10 MB to the web by uploading it. | X |
| Exfiltrating a non-tracked file larger than 100 MB to a cloud sync folder | Detects when a user exfiltrates a non-tracked file larger than 100 MB by copying or moving it to a cloud storage local sync folder of one of the supported vendors. | X |
| Exfiltrating a non-tracked file larger than 100 MB to a USB device | Detects when a user exfiltrates a non-tracked file larger than 100 MB to a USB storage device. | X |
| Exfiltrating a non-tracked file larger than 100 MB to the web by uploading | Detects when a user exfiltrates a non-tracked file larger than 100 MB to the web by uploading it. | X |
| Exfiltrating a non-tracked file to a cloud sync folder | Detects when a user exfiltrates a non-tracked file (in any size) by copying or moving it to a cloud storage local sync folder of one of the supported vendors. | X |
| Exfiltrating a non-tracked file to a USB device | Detects when a user exfiltrates a non-tracked file (in any size) to a USB storage device. | X |
| Exfiltrating a non-tracked file to any destination | Detects when a user exfiltrates a non-tracked file in any size to any supported destination (such as by copying to USB, uploading to the web, copying to cloud sync folder). | X |
| Exfiltrating a non-tracked file to the web by uploading | Detects when a user exfiltrates a non-tracked file (in any size) to the web by uploading it. | X |
| Exfiltrating a tracked file larger than 1 GB to a cloud sync folder | Detects when a user exfiltrates a tracked file (e.g., downloaded file) larger than 1 GB by copying or moving it to a cloud storage local sync folder of one of the supported vendors. | X |
| Exfiltrating a tracked file larger than 1 GB to a USB device | Detects when a user exfiltrates a tracked file (e.g., downloaded file) larger than 1 GB to a USB storage device. | X |
| Z Exfiltrating a tracked file larger than 1 GB to the web by uploading | Detects when a user exfiltrates a tracked file (e.g., downloaded file) larger than 1 GB to the web by uploading it. | X |
| Exfiltrating a tracked file larger than 10 MB to a cloud sync folder | Detects when a user exfiltrates a tracked file (e.g., downloaded file) larger than 10 MB by copying or moving it to a cloud storage local sync folder of one of the supported vendors. | X |
| Exfiltrating a tracked file larger than 10 MB to a USB device | Detects when a user exfiltrates a tracked file (e.g., downloaded file) larger than 10 MB to a USB storage device. | X |
| Exfiltrating a tracked file larger than 10 MB to the web by uploading | Exfiltrating a tracked file larger than 10 MB to the web by uploading | X |
| Exfiltrating a tracked file larger than 100 MB to a cloud sync folder | Detects when a user exfiltrates a tracked file (e.g., downloaded file) larger than 100 MB by copying or moving it to a cloud storage local sync folder of one of the supported vendors. | X |
| Exfiltrating a tracked file larger than 100 MB to a USB device | Detects when a user exfiltrates a tracked file (e.g., downloaded file) larger than 100 MB to a USB storage device. | X |
| Name Exfiltrating a tracked file larger than 100 MB to the web by uploading | Detects when a user exfiltrates a tracked file (e.g., downloaded file) larger than 100 MB to the web by uploading it. | X |
| Exfiltrating a tracked file to a cloud sync folder | Detects when a user exfiltrates a tracked file (e.g., downloaded file) in any size by copying or moving it to a cloud storage local sync folder of one of the supported vendors. | X |
| Exfiltrating a tracked file to a USB device | Detects when a user exfiltrates a tracked file (e.g., downloaded file) in any size to a USB storage device. | X |
| Exfiltrating a tracked file to any destination | Detects when a user exfiltrates a tracked file (e.g., downloaded file) in any size to any supported destination (such as by copying to USB, uploading to the web, copying to cloud sync folder). | X |
| Exfiltrating a tracked file to the web by uploading | Detects when a user exfiltrates a tracked file (e.g., downloaded file) in any size to the web by uploading it. | X |
| Exfiltrating any file to a cloud sync folder | Detects when a user exfiltrates any file type (tracked or non-tracked) in any size by copying or moving it to a cloud storage local sync folder of one of the supported vendors. | X |
| Exfiltrating any file to a predefined encrypted USB device | Detects when a user exfiltrates any file (tracked or non-tracked) to a USB device whose USB Product Name is predefined as an encrypted USB device. | X |
| Exfiltrating any file to a USB device | Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to a USB storage device. | X |
| Exfiltrating any file to a predefined encrypted USB device | Detects when a user exfiltrates any file (tracked or non-tracked) to a USB device whose USB Product Name is predefined as an encrypted USB device | X |
| Exfiltrating any file to any destination | Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to any supported destination (such as by copying to USB, uploading to the web, copying to cloud sync folder). | X |
| Exfiltrating any file to the web by uploading | Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to the web by uploading it. | X |
| Exfiltrating any file to unauthorized USB device | Detects when a user exfiltrates any file type (tracked or non-tracked) to a USB device which is not part of the predefined list of authorized USB devices based on the USB Device ID field | X |
| Exfiltrating any file with sensitive classification label to any destination | Detects when a user exfiltrates any file type (tracked or non-tracked) which was set with a sensitive classification label (such as MIP Label) in any size to any supported destination (such as by copying to USB, uploading to the web, copying to cloud sync folder). | X |
| Exfiltrating any file with sensitive content to any destination | Detects when a user exfiltrates any file type (tracked or non-tracked) that contains sensitive content (based on predefined Detectors) in any size to any destination (copying to USB, uploading to the web, copying to cloud sync folder). | X |
| Exfiltrating a file with sensitive file name to any destination | Detects when a user exfiltrates a file whose name is (or contains) a string which is predefined as sensitive | X |
| Exporting data from enterprise web application by file downloading | Detects when a user downloads a file with a sensitive extension from a list of popular enterprise web application. | X |
| Opening AirDrop sharing folder on Mac | Detects when a user opens Mac's AirDrop virtual folder that allow sharing with a remote device. This operation can indicate an early intent to copy sensitive information to other devices in order to take it out of the organization | X |
| Opening Bluetooth file transfer dialog box | Detects when a user opens the Bluetooth File Transfer dialog box on Windows or Mac that allows sending a file via Bluetooth. This activity indicates a potential file data leak via Bluetooth. | |
| Opening cloud storage sync folder | Detects when a user opens a local folder whose content is always synchronized with a remote cloud storage service. This operation can indicate an early intent to copy sensitive information to this folder in order to take it out of the organization. | X |
| Opening cloud storage sync folder on Mac | Detects when a user opens a local folder whose content is always synchronized with a remote cloud storage service. This operation can indicate an early intent to copy sensitive information to this folder in order to take it out of the organization | X |
| Printing a large document (above 20 pages | Detects when a user sends to a printer a document which has more than 20 pages. | X |
| Running a cloud backup application | Detects when a user runs a cloud backup software that can copy files/folders to a remote location. This action can indicate an early intent to take out sensitive information from the organization. | |
| Running Android File Transfer on Mac | Detects when a user uses the Android File Transfer application on Mac. This operation can indicate an early intent to copy sensitive information to the private phone to take it out of the organization. | |
| Running CD or DVD burning tool | Detects when a user runs a CD/DVD burning software. This operation can indicate an early intent to take out sensitive information from the organization. | |
| Sending a document to an unauthorized printer | Detects when a user sends a document to a printer which is not in the list of authorized printers (based on Printer Name). | X |
| Synchronizing MS-Office document with another Microsoft account | Detects when a user opens the Switch Account window in Microsoft Office applications. This action could indicate an intent to send the currently opened document out of the organization to a private account. |
Data Infiltration
| Item Name | Description |
|---|---|
| Downloading a file with potentially malicious extension | Detects when a user downloads a file whose extensions is part of the list of potentially malicious file extensions. |
| Using FTP or SFTP protocol in browser | Detects when a user browses FTP/SFTP site via the browser, by using the FTP/SFTP protocol in the URL address field, potentially in order to download files/folders. |
Hiding Information and Covering Tracks
| Item Name | Description |
|---|---|
| Clearing browsing history in Google Chrome | Detects when a user opens the settings window of Google Chrome in order to clear the browser history data. This action can indicate that the user has something to hide. |
| Clearing browsing history in Internet Explorer | Detects when a user opens the settings window of Internet Explorer in order to clear the browser history data. This action can indicate that the user has something to hide. |
| Exporting Windows Registry data | Detects when a user opens Windows Registry and invoking the Export command. This action can indicate that the user plans to manipulate Windows Registry data. |
| Importing Windows Registry data | Detects when a user opens Windows Registry and invoking the Import command. This action can indicate that the user plans to manipulate Windows Registry data. |
| Password protecting a file in UltraEdit text editor | Detects when a user encrypts files from within UltraEdit text editor. This operation can indicate an early intent to hide information from the organization. |
| Password protecting Microsoft Office file | Detects when a user opens the dialogs in Microsoft Excel, Word and PowerPoint to potentially set a password protection upon saving a file. This action can indicate that the user has something to hide. |
| Running a secured or encrypted email client | Detects when a user runs a secured or encrypted email client which can be used to bring in or send out information that cannot be monitored. This action can indicate that the user behind it has something to hide. |
| Running steganography tools | Detects when a user runs one of the predefined stenography tools that are usually used to conceal text information within images, and by that to block data ex-filtration tools to detect this data leak. |
| Zipping file with password | Detects when a user runs a compression solution and setting a password protection for the compressed file. This action can indicate that the user has something to hide. |
Installing/Uninstalling Questionable Software
| Item Name | Description |
|---|---|
| Accessing Programs and Features screen on Windows | Detects when a user opens Windows Programs and Features screen, potentially in order to uninstall a program. |
| Installing advanced monitoring tools | Detects when a user runs an installation file of a predefined advanced monitoring tool in order to reveal information that can be sensitive. |
| Installing Dynamic-DNS tools | Detects when a user runs an installation file of a predefined Dynamic-DNS tool in order to hide his identity. |
| Installing file transfer applications | Detects when a user runs an installation file of an FTP/SFTP desktop application that can be used to bring in or send out files/folders. |
| Installing hacking or spoofing tools | Detects when a user runs an installation file of a predefined hacking or spoofing tool that can be used in order to gain access to restricted area or to create damage the organization assets. |
| Installing P2P file sharing tools | Detects when a user runs an installation file of a peer-to-peer (P2P) application that can be used to share/consume content that can be copyrighted, to bring in malicious content or to take out sensitive information. |
| Installing password cracking tools | Detects when a user runs an installation file of a predefined password cracking tool in order to try and break a password-protected file with potentially sensitive information. |
| Installing Remote Access and Sharing Desktop tools | Detects when a user runs an installation file of a remote PC access or other desktop sharing application that can be used to allow taking control on this machine from remote or taking control on other remote machine. |
| Installing secured or encrypted email client | Detects when a user runs an installation file of a secured or encrypted email client which can be used to bring in or send out information that cannot be monitored. This action can indicate that the user behind it has something to hide. |
| Installing TOR (The Onion Router) tools | Detects when a user runs an installation file of a predefined TOR tool such as TOR browser in order access the Dark Web. Such operation can indicate on a user that wants to hide his identity while performing illegal activity. |
| Installing virtualization solution | Detects when a user runs an installation file of various predefined virtualization solutions. This action can indicate that the user wants to perform his activity on a virtual machine to be later destroyed while leaving no traces. |
| Installing VPN, Proxy or Tunneling tools | Detects when a user runs an installation file of a predefined VPN/Proxy/Tunneling tool that can be used in order to gain access to restricted area or to hide the real identity of a user. |
| Uninstalling a program on Windows Desktop | Detects when a user uninstalls any software on an endpoint that acts as a desktop and not as a server (installed with Windows Server OS). |
| Uninstalling a program on Windows Server | Detects when a user uninstalls any software on an endpoint that acts as a server (installed with Windows Server OS). |
| Item Name |
|---|
| Account Access Removal |
| Cloud Service Dashboard |
| Email Collection - Email Forwarding Rule |
| Valid Accounts |
| Trusted Relationship |
| Phishing - Spearphishing Link |
| Account Manipulation - Additional Cloud Credentials |
| Phishing - Spearphishing Attachment |
| Steal Application Access Token |
| Brute Force |
| Account Manipulation - Additional Email Delegate Permissions |
| Create Account |
| Account Manipulation - Additional Cloud Roles |
| Office Application Startup |
| Impair Defenses |
| Use Alternate Authentication Material |
| Data from Information Repositories |
| Multi-Factor Authentication Request Generation |
| Drive by Compromise |
| Unsecured Credentials - Credentials In Files |
| Taint Shared Content |
| Unsecured Credentials - Private Keys |
| Hide Artifacts |
| Cloud Service Discovery |
| Account Discovery |
| Email Collection - Remote Email Collection |
Observing Proofpoint Components
| Item Name | Description |
|---|---|
| Opening Proofpoint Agent folder | Detects when a user opens the folder in which Proofpoint (ObserveIT) Agent is installed, potentially for tampering or covering tracks. |
| Searching for technical information on Proofpoint monitoring solution | Detects when a user browses ObserveIT (Proofpoint) website or the official documentation. Any of these actions could potentially indicate an attempt to tamper with the monitoring solution. |
Performing Unauthorized Admin Tasks
| Item Name | Description |
|---|---|
| Accessing Windows Environment Variables screen | Detects when a user accesses the Environment Variables screen on Windows, potentially to make changes in internal Windows settings. |
| Changing Internet protocol properties | Detects when a user opens the Internet Protocol Properties window. The operation can indicate an intent to change connected DNS servers and IP addresses. |
| Changing the state of a Windows service | Detects when a user potentially changes the state of a Windows service (e.g. starting or stopping) from the Services screen. |
| Connecting to a remote Registry on Windows | Detects when a user opens Registry Editor and trying to connect to a remote computer in order view of modify Registry keys. |
| Connecting to Amazon FTP server on Mac | Detects when a user tries to connect the Amazon EC2 (with the default user account), potentially in order to transfer data to it. |
| Editing Registry Editor entry | Detects when a user opens the various edit dialog of Windows Registry Editor. This action can indicate that the user plans to make changes in a Registry key, which usually should not be done by a non-Administrator user. |
| Editing User Account Control (UAC) Settings | Detects when a user opens the User Account Control settings screen, potentially to change the settings (when to get notifications from the operating system on programs that are about to make changes on a machine). |
| Granting full access to Office 365 mailbox | Detects when a user uses Office 365 web interface, opening the access settings window and granting a full access to a user for a specific Outlook mailbox. This action should not be done by non-Administrators. |
| Opening Startup and Recovery dialog Description | Detects when a user opens the Startup and Recovery dialog, potentially to make changes on local computer. |
| Opening Windows Services screen | Detects when a user opens the Services screen on Windows, potentially in order to stop or start one of the Windows Services. |
| Opening Windows system certificates screen | Detects when a user opens the certificates screen within Microsoft Management Console (MMC). |
| Running Command Line Shell programs | Detects when a user runs one of the command line shell programs (like CMD, PowerShell), which are powerful utilities to make changes in the system. |
| Running DBA tools | Detects when a user runs one of the predefined DBA tools that can be used to read sensitive information, to make changes in it, or to delete it. |
| Trying to change computer name or domain | Detects when a user opens the Computer Name/Domain Changes dialog, potentially in order to change the computer name or the domain name membership. |
| Viewing network connections and network adapters settings | Detects when a user opens the Network Connection screen on Windows. |
Running Malicious Software
| Item Name | Description |
|---|---|
| Running hacking or spoofing tool | Detects when a user runs a hacking or spoofing tool that can be used in order to gain access to restricted area or to create damage to the organization assets. |
| Running password or license cracking tool | Detects when a user runs one of the predefined password or license cracking tools that can be used to try and break a password-protected files or installations with potentially sensitive information. |
| Running port scanning tools | Detects when a user runs a port scanning tool that can be used as part of port scanning attack to gain knowledge on what services are running on a specific endpoint, and what OS is installed on it. |
Searching for Information
| Item Name | Description |
|---|---|
| Browsing information outlets (WikiLeaks-like) | Detects when a user browses to information-leak website such as WikiLeaks in order to either publish or read sensitive information. |
| Running advanced monitoring or sniffing | Detects when a user runs a monitoring or sniffing tool which is part of a predefined list. The usage of such tools can indicate a trial of a user to get information which might be sensitive. |
| Searching data on Darknet TOR (The Onion Router) | Detects when a user searches predefined keywords (inc. name of tools) related to TOR (The Onion Router) which is part of the Darknet in web search engines. |
| Searching data on Dynamic-DNS | Detects when a user searches predefined keywords (inc. name of tools) related to Dynamic-DNS tools in web search engines. |
| Searching data on file transfer (FTP or SFTP) | Detects when a user searches predefined keywords (inc. name of tools) related to FTP/SFTP tools in web search engines. |
| Searching data on hacking or spoofing | Detects when a user searches predefined keywords (inc. name of tools) related to hacking or spoofing tools in web search engines. |
| Searching data on monitoring or sniffing | Detects when a user searches predefined keywords (inc. name of tools) related to monitoring or sniffing tools in web search engines. |
| Searching data on password cracking | Detects when a user searches predefined keywords (inc. name of tools) related to password cracking tools in web search engines. |
| Searching data on Remote Access and Desktop Sharing | Detects when a user searches predefined keywords (inc. name of tools) related to remote access and desktop sharing tools in web search engines. |
| Searching data on steganography | Detects when a user searches predefined keywords (inc. name of tools) related to steganography tools in web search engines. Such tools are usually used to conceal text information within images to bypass detection by data exfiltration tools. |
| Searching data on VPN, Proxy or Tunneling | Detects when a user searches predefined keywords (inc. name of tools) related to VPN, proxy or tunneling tools in web search engines. |
Time Fraud
| Item Name | Description |
|---|---|
| Browsing job searching sites | Detects when a user browses to websites dedicated for job searching. This action can indicate that the user plans to leave the organization. |
| Browsing Social Media sites | Detects when a user browses to Social Media websites, which can affect the employee productivity. |
Unauthorized Active Directory Activity
| Item Name | Description |
|---|---|
| Adding new Printer object in Active Directory | Detects when a user adds new object from type Printer in Active Directory. |
| Adding group membership to Active Directory user | Detects when a user clicks the Add button in the Member Of tab within the properties dialog of an Active Directory user, in order to add groups in which the user will be a member. |
| Adding members to Active Directory group | Detects when a user clicks the Add button in the Members tab within the properties dialog of an Active Directory group, in order to add users, contacts, computers, service accounts and groups to this group. |
| Adding new Group object in Active Directory | Detects when a user adds new object from type Group in Active Directory. |
| Adding new InetOrgPerson object in Active Directory | Detects when a user adds new object from type InetOrgPerson in Active Directory. |
| Adding new msDS-ResourcePropertyList object in Active Directory | Detects when a user adds new object from type msDS-ResourcePropertyList in Active Directory. |
| Adding new msImaging-PSPs object in Active Directory | Detects when a user adds new object from type msImaging-PSPs in Active Directory. |
| Adding new msMQ-Custom-Recipient object in Active Directory | Detects when a user adds new object from type msMQ-Custom-Recipient in Active Directory. |
| Adding new Shared Folder object in Active Directory | Detects when a user adds a new object from type Shared Folder in Active Directory. |
| Using diagnostic tool to manage Active Directory | Detects when a user opens NTDSUTIL which is a diagnostic tool for Active Directory. |
Unauthorized Activity on Server
| Item Name | Description |
|---|---|
| Installing software on Server | Detects when a user runs a software installations on a machine that functions as server. Usually servers are installed only with applications that are critical for performing their business tasks. |
| Running unauthorized Instant Messaging application on Server | Detects when a user runs an Instant Messaging application on a machine that functions as a server. This operation can indicate on early intent to take out sensitive information from the server, or to download files/folders to this server. |
Unauthorized Data Access
| Item Name | Description |
|---|---|
| Accessing system folders | Detects when a user opens in Windows Explorer one of the system folders as defined in external list. |
| Invoking Mac authentication service dialog | Detects when a user performs an action on Mac that requires administrative privileges to be set via the authentication service dialog. |
| Trying to access a system, file or folder that requires credentials | Detects whenever the Windows Security popup that prompts for entering credentials is displayed to the user. It happens upon trying to access a web-based system or a folder that requires credentials. |
Unauthorized DBA Activity
| Item Name | Description |
|---|---|
| Adding new Server Role on SQL Server Management Studio | Detects when a user opens the New Server Role window on SQL Server Management Studio. |
| Backing up database on SQL Server Management Studio | Detects when a user opens the Back Up Database window on SQL Server Management Studio. |
| Deleting object on SQL Server Management Studio | Detects when a user opens the Delete Object window on SQL Server Management Studio. |
| Adding new Credential on SQL Server Management Studio Description | Detects when a user opens the New Credential window on SQL Server Management Studio. |
| Adding new Login ID on SQL Server Management Studio | Detects when a user opens the New Login window on SQL Server Management Studio. |
| Copying database on SQL Server Management Studio | Detects when a user opens the Copy Database window on SQL Server Management Studio. |
| Detaching database on SQL Server Management Studio | Detects when a user opens the Detach Database window on SQL Server Management Studio. |
| Exporting database or tables on SQL Server Management Studio | Exporting database or tables on SQL Server Management Studio |
| Opening Server Properties window on SQL Server Management Studio | Detects when a user opens the Server Properties window on SQL Server Management Studio. |
Unauthorized Machine Access
| Item Name | Description |
|---|---|
| Taking control on remote machine from Mac | Detects when a user opens Terminal application on Mac and runs SSH to take control over a remote machine. |
| Connecting to a new FTP or SFTP server using FTP application | Detects when a user uses an FTP application and connecting to a remote FTP or SFTP server. |
| Running a remote PC access tool to access a remote machine | Detects when a user runs a remote login utility in order to take control over a remote machine, or to open a telnet/SSH session on a remote machine. |
Unacceptable Use
| Item Name | Description |
|---|---|
| Browsing Adult sites | Detects when a user browses to websites with adult content. |
| Downloading a computer anti-sleep software | Detects when a user downloads an installation file or ZIP file that is part of a list of computer anti-sleep software that can be used by employees to make it appear as they're working, while they're actually not. |
| Running a computer anti-sleep software | Detects when a user runs an executable file that is part of a list of computer anti-sleep software that can be used by employees to make it appear as they're working, while they're actually not. |
| Running Bitcoin mining tools | Detects when the user runs various tools for Bitcoin mining. Being a digital payment system and a currency, a high computing power is required for this resource-intensive process. This action indicates that usage of IT resources for private needs. |
| Browsing Generative AI sites | Detects when a user browses Generative AI websites. |
Related Topics: