Proofpoint | ObserveIT On-Premises Insider Threat Management

Ran Application - Did What

This topic describes how to define alert rule conditions using the options available in the Ran Application group category in the Did what? section of the Create Alert Rule page. (For more about the Did what? section, see Defining the "Did What?" Conditions.)

The Ran Application option is available only for alert type rules on Windows operating systems.

The Ran Application options enable you to generate an alert when a user runs one or more particular applications on a Windows computer. Running certain applications may signal, for example, that the user is tampering with settings that affect system security, user permissions or installed software/services, or is accessing sensitive data.

When defining the values by which to evaluate the condition of an alert rule, you can enter multiple values separated by commas, either directly or by clicking the […] icon to open a popup in which you enter the values. Where Lists are supported, you can select a predefined List instead of entering a set of values. You can use Lists to define values for the Application name, Application full path, Process name, and Window title options. The operator for the condition also depends on whether you are defining values or Lists; for example, "contains" in Values mode becomes "contains value from the list" in List mode. For more information, see Understanding the Logic for Defining Rule Conditions.

For general information about defining Did What? conditions, see Defining the "Did What?" Conditions.

The Ran Application group includes the following options for configuring conditions:

Option: Application name

Description & Usage: Name of the application that the user ran. Use this option to configure an alert when the user runs a specific application.

Note: Application names are listed in the Windows Task Manager.

Example Conditions: A user opens an Excel file containing sensitive company data, and one of the keywords "budget", "fiscal" or "transactions" appears in the window title:

  "Ran Application: Application name contains excel"
  and
  "Ran Application: Window title contains budget, fiscal, transactions"

Option: Application full path

Description & Usage: Full path of the application that the user ran. Use this option to configure an alert based on the explicit path to the application.

Example Conditions:

  "Ran Application: Application full path is C:\Program Files\OpenVPN\bin\openvpn.exe"

Option: Process name

Description & Usage: Name of the process that the user ran. Use this option to configure an alert when the user runs a specific process related to the active application.

Note: You must specify the process name without the file extension (for example, "regedit" instead of "regedit.exe").

Example Conditions:

  "Ran Application: Process name is regedit, WINWORD, iexplore, services"

Option: Window title

Description & Usage: Title of a window that was opened by the user. Use this option to configure an alert according to keywords that appear in the titles of windows with which the user interacts. For example, to detect attempts to exfiltrate data, you could configure an alert if a window title contains the text FILECOPY or LARGEFILECOPY, or starts with USBCONNECT.

Example Conditions:

  • "Ran Application: Window title is hosts.txt - Notepad, Viewing Alerts.docx - Microsoft Word"
  • "Ran Application: Window title contains host, permission, security"
  • "Ran Application: Window title contains FILECOPY, LARGEFILECOPY"

Option: Permission level

Description & Usage: Logged-in user's permission level.

  • Use the "is Admin" permission level to check that an application is run with elevated (Admin) permissions.
  • Use the "is not Admin" permission level to check whether a user is trying to run an application without root/admin permissions on the logged-in server.

Example Conditions:

  • "Ran Application: Permission level is Admin"
  • A user attempts to access the hosts file without admin permissions:
    "Ran Application: Permission level is not admin"
    and
    "Ran Application: Window title contains hosts"

Example Scenario

The following scenario provides some examples of how to use the Ran Application options to configure the conditions for an alert rule.

Alert rule example: Trigger an alert when an unauthorized (non-administrator) user tries to view a sensitive system or configuration file (such as the registry, via Regedit).

For purposes of this example, the scope of the alert rule is "per session", which means that an alert will be generated only on the first occurrence of every unique match of the rule in each session. Full details about defining the scope of rules are provided in Defining the "Did What?" Conditions.

Condition Example: "Ran application: Application name is Regedit, SSMS - SQL Server Management Studio, Setup, Notepad"

Description: This condition specifies that the first time in a session that the user runs each of the Regedit, SQL Server Management Studio, Setup or Notepad applications, an alert should be generated.

User Activity / Alert Generated?

  1. User logs in to a session and runs the Regedit application.
     YES: an alert is generated because the application name matches the condition.
  2. Within the same session, the user runs Setup.
     YES: an alert is generated because, although this is the same session, this application name also matches the condition.
  3. Within the same session, the user runs the Regedit application again.
     NO: an alert is not generated because this is not the first time in the session that the user has run this application.

Condition Example: "Ran application: Window title contains hosts, permissions, security"

Description: This condition specifies that the first time in a session a window title contains the word "hosts", "permissions" or "security", an alert should be generated.

User Activity / Alert Generated?

  1. User logs in to a session and opens the sensitive "hosts.txt" file in Notepad. The window title shows "hosts.txt - Notepad".
     YES.
  2. Within the same session, the user opens a document entitled "Viewing permissions.docx - Microsoft Word".
     YES: an alert is generated because, although this is the same session, the window title contains a word that matches the condition.

Condition Example: "Ran application: Permission level is not Admin"

Description: This condition specifies that an alert should be generated if the logged-in user does not have Administrator permissions.

User Activity / Alert Generated?

  1. User tries to access the "hosts.txt" file without root/admin permissions.
     YES.
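To make the matching semantics of the options table and the "per session" scope of the scenario above concrete, here is an added illustration written for this page; it is not ObserveIT code. It assumes a hypothetical RanAppEvent record constructed per observed application run, treats "is" as an exact match against any listed value and "contains" as a substring match (case-insensitive, as in the page's examples), strips the extension from the observed process name, ANDs all conditions, and raises an alert only on the first occurrence of each distinct set of matched values within a session.

```python
from dataclasses import dataclass

@dataclass
class RanAppEvent:          # hypothetical record of one observed application run
    session_id: str
    application_name: str = ""
    full_path: str = ""
    process_name: str = ""  # as observed on the endpoint, e.g. "regedit.exe"
    window_title: str = ""
    is_admin: bool = False
# Rule option name -> event field (Permission level is handled separately).
FIELDS = {"Application name": "application_name", "Application full path": "full_path",
          "Process name": "process_name", "Window title": "window_title"}

def values_match(actual, operator, values):
    """'is': actual equals one of the comma-separated values; 'contains': one of the
    values is a substring of actual. Case-insensitive, as in the page's examples."""
    actual = actual.lower()
    wanted = [v.strip().lower() for v in values.split(",")]
    if operator == "is":
        return actual in wanted
    if operator != "contains":
        raise ValueError(f"unsupported operator: {operator}")
    return any(v in actual for v in wanted)

def condition_matches(cond, ev):
    """cond = (option, operator, values), e.g. ("Window title", "contains", "hosts")."""
    option, operator, values = cond
    if option == "Permission level":
        want_admin = values.strip().lower() == "admin"
        return ev.is_admin == want_admin if operator == "is" else ev.is_admin != want_admin
    actual = getattr(ev, FIELDS[option])
    if option == "Process name":        # rules name the process without its extension
        actual = actual.rsplit(".", 1)[0]
    return values_match(actual, operator, values)

class PerSessionRule:
    """Conditions are ANDed; 'per session' scope alerts once per distinct matched-value set per session."""
    def __init__(self, conditions):
        self.conditions = conditions
        self._seen = set()
    def evaluate(self, ev):
        if not all(condition_matches(c, ev) for c in self.conditions):
            return False
        key = (ev.session_id,) + tuple(getattr(ev, FIELDS[o]).lower()
                                       for o, _, _ in self.conditions if o in FIELDS)
        if key in self._seen:           # same match already alerted in this session
            return False
        self._seen.add(key)
        return True
```

Feeding the scenario's events through a rule with the Application name condition reproduces the YES, YES, NO sequence of the first row, and a new session_id resets the scope.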

When you have finished defining the conditions for this scenario, the Did What? details in the Activity Alert Rules tab should look like this:

version 7.12.2