Proofpoint | ObserveIT On-Premises Insider Threat Management

Email - Did What

This topic describes how to define alert rule conditions using the options available in the Email group category in the Did what? section of the Create Alert Rule page. (For more about the Did what? section, see Defining the "Did What?" Conditions.)

You can set up alert rules to help prevent exfiltration by email.

When Email Monitoring and File Activity Monitoring and are enabled in the System Policy settings, you can configure alerts for:

  • Sent email using an email client: An alert is triggered when an email is sent using an email client.

  • Exfiltrated file by sending it via email: An alert is triggered when an attached file is sent via email.

  • Exfiltrated file by attaching it to an email client: An alert is triggered when a file is attached to an email.

  • Saved file from an email client: An alert is triggered when a file attachment from an email is saved.

In some options, you can enter multiple values separated by commas either directly or by clicking the […] icon to open a popup in which you can enter the values. Alternatively, when Lists are supported, you can choose to select a predefined List instead of entering a set of values. By hovering over the values field, two icons appear that enable you to switch between the Values and List modes: or . When List mode is selected, a drop-down list shows all the predefined Public and Private lists that are authorized for this Console User. You can edit the list contents, if required. For details, see Editing Lists.

ClosedTo create a rule to alert when an email is sent using an email client:

You can define an alert to trigger when an email is sent from an email client. You can specify recipient, sender, subject, and/or attachment details about the email.

  1. In the Email option, click Sent email using an email client.

    The conditions for defining the alert rule are displayed:

  2. To specify the email recipients (in the To field of the email), you can accept the default which is Any recipient, or click the downward arrow to access options that enable you to define specific recipients.

    1. All recipients are within trusted domains: To specify whether the recipients are within trusted domains, select Yes or No.

      • Yes: Trigger an alert only when all recipients are within a trusted a domain. For example, if your trusted domain consists of your organization's domain, you could define an alert to trigger an alert when an email is sent and all the recipients are in your organization's domain. If one or more recipients is not in the trusted domain, the alert is not triggered.
      • No:  Trigger an alert when at least one recipient of the email is not within the trusted domain. For example, if your trusted domain is your organization's domain, and an email is sent to 10 recipients within you organization and one recipient with a domain outside your organization, an alert is triggered.

      (For details about defining a trusted domain, see Email Monitoring Settings.)

    2. At least one recipient address: To specify the recipient addresses that trigger an alert, select the relevant operator from the drop-down list. For example, to trigger an alert for any Gmail recipient, you would define: At least one recipient address contains gmail.

    3. Number of recipients: To specify the number of recipient addresses that trigger an alert, select the relevant operator from the drop-down list.

    4. Bcc recipients exist: To specify whether the Bcc recipients are included in the recipients of the emails, select Yes or No.

      • Yes: Trigger an alert only if there are recipients in the Bcc field.
      • No: Trigger an alert only if there are not any recipients in the Bcc field.

  3. To specify the address of the sender, you can accept the default which is Any Address, or click the downward arrow to access options that enable you to define the sender address.

  4. To specify email subject, you can accept the default which is Any Subject, or click the downward arrow to access options that enable you to define the subject.

  5. To specify details about what type of attachment triggers an alert, you can accept the default which is Any Attachment, or click the downward arrow to access options that enable you to define attachment options.

    • Email includes attachments: Trigger an alert when an email has an attachment.
      • Yes: Trigger an alert only if the email has an attachment.
      • No: Trigger an alert for any email without an attachment.
    • Email attachment total size: Trigger by total minimum/maximum size of all attachments to the email.
    • At least one attachment name: Trigger an alert by the attachment name, select the relevant operator from the drop-down list. For example, you might set up an alert for any attachment with the word "finance" in it: At least one attachment name contains finance.
    • Number of attachments: Trigger by the minimum/maximum number of attachments. to the email.
ClosedTo create a rule to alert when a file is exfiltrated by sending it via email:

You can define alert to trigger when an attached file is sent via email. You can specify recipient, sender, subject details about the email. You can also specify details about the file and its origins.

  1. In the Email option, click Exfiltrated file by sending it via email.

    The conditions for defining the alert rule are displayed:

  2. To specify the email recipients (in the To field of the email), you can accept the default which is Any recipient, or click the downward arrow to access options that enable you to define specific recipients.

    1. All recipients are within trusted domains: To specify whether the recipients are within trusted domains, select Yes or No.

      • Yes: Trigger an alert only when all recipients are within a trusted a domain. For example, if your trusted domain consists of your organization's domain, you could define an alert to trigger an alert when an email is sent and all the recipients are in your organization's domain. If one or more recipients is not in the trusted domain, the alert is not triggered.
      • No:  Trigger an alert when at least one recipient of the email is not within the trusted domain. For example, if your trusted domain is your organization's domain, and an email is sent to 10 recipients within you organization and one recipient with a domain outside your organization, an alert is triggered.

      (For details about defining a trusted domain, see Email Monitoring Policies.)

    2. At least one recipient address: To specify the recipient addresses that trigger an alert, select the relevant operator from the drop-down list. For example, to trigger an alert for any Gmail recipient, you would define: At least one recipient address contains gmail.

    3. Number of recipients: To specify the number of recipients addresses that trigger an alert, select the relevant operator from the drop-down list.

    4. Bcc recipients exist: To specify whether the Bcc recipients are included in the recipients of the emails, select Yes or No.

      • Yes: Trigger an alert only if there are recipients in the Bcc field.
      • No: Trigger an alert only if there are not any recipients in the Bcc field.

  3. To specify the Sender Address, you can accept the default which is Any Address, or click the downward arrow to access options that enable you to define the sender address.

  4. To specify Email Subject, you can accept the default which is Any Subject, or click the downward arrow to access options that enable you to define the subject.

  5. To specify the where the file originated, you can accept the default which is Any origin, or click the downward arrow to access options that enable you to define the file origin.

    • Downloaded/Exported from Web: Trigger an alert when an attached file is downloaded from the web. To specify, you can accept the default which is Any website/web- application or specify
    • Saved via an email client: Trigger an alert when a file was originally saved from and email client

  6. To specify the file, you can accept the default which is Any file, or click the downward arrow to access options that enable you to define the file by name or size.

    • Exfiltrated File Name
    • File size in KBs.

  7. To specify the MIP label of the file, you can accept the default which is Any label or no label, or click the downward arrow to access options that enable you to define the MIP label.

    • Original file label
    • Exfiltrated file label.
ClosedTo create a rule to alert when a file is attached to an email client:

You can define alert to trigger when a file is attached to an email whether or not the email is sent. You can specify:

  • File origin: Create a rule that triggers an alert by the file origin. For example, you might want to trigger an alert for any files downloaded from outside your company's secure site and then attached.
  • File: Create a rule that triggers an alert by the filename, file path and/or file size.

  1. In the Email option, click Exfiltrated file by attaching it to an email client.

    The conditions for defining the alert rule are displayed with default values:

  2. To specify the file origin, you can accept the default which is Any origin, or click the downward arrow to access options that enable you to define specific origins.

  3. To specify the file, you can accept the default which is Any file, or click the downward arrow to specify which file.

    1. To specify the filename after it is attached to the email, select Exfiltrated File Name, select the relevant operator from the drop-down list.

    2. To specify the file path of the attached file, select Exfiltrated File Path, select the relevant operator from the drop-down list.

    3. To specify the original filename before it is attached to the email, select Original File Name, select the relevant operator from the drop-down list.

    4. To specify the size of the attached file, select File size (in KBs), select the relevant operator from the drop-down list.

  4. To specify the MIP label of the file, you can accept the default which is Any label or no label, or click the downward arrow to access options that enable you to define the MIP label.

    • Original file label
    • Exfiltrated file label.
ClosedTo create a rule to alert when a file is saved from an email client:

You can define alert to trigger when a file attachment from an email client is saved. You can specify:

  • File : Create a rule that triggers an alert by the filename, file path and/or file size.
  • Destination: Create a rule that triggers an alert by where the file is saved, such as path, USB or sync folder.

  1. In the Email option, click Saved attachment from an email client.

    The conditions for defining the alert rule are displayed with default values:

  2. To specify the file, you can accept the default which is Any file, or click the downward arrow to access options that enable you to specific which file.

    1. To specify the filename before it was attached to the email, select Original file name, select the relevant operator from the drop-down list.

    2. To specify the size of the attached file, select File size (in KBs), select the relevant operator from the drop-down list.

     

  3. To specify the destination of the file, you can accept the default which is Any destination, or click the downward arrow to specify which destination.

    1. To specify the path to which the attachment is saved, select Destination path, select the relevant operator from the drop-down list.

    2. To specify whether the file is saved to a USB , select The destination is a USB, select Yes or No.

    3. To specify whether the file is saved to a sync folder, select The destination is a sync folder, select Yes or No.

  4. To specify the MIP label of the file you can accept the default which is Any label or no label, or click the downward arrow to specify the original MIP label.

Related Topics:

Email Monitoring Policies

Email Clients Monitoring and Visibility

Email Activity Report Configuration

version 7.12.2

Copyright © 2021 ObserveIT a division of Proofpoint