List of Active Alert Rules

Alert Rule Name

Required Tuning (Mandatory and Optional)

DATA EXFILTRATION

Performing large file or folder copy during irregular hours

  1. Optional: Irregular Hours/Days within the Alert Rule

Exporting data from enterprise web application by file downloading

  1. Optional: List - Enterprise web applications to detect download from

  2. Optional: List - File extensions to detect their exporting from enterprise apps

Accessing upload and sharing cloud services

-

Exfiltrating tracked file to the web by uploading

  1. Mandatory: List - Keywords in file names to trigger alert on uploading

  2. Optional: List - Excluded file names from alerts on exfiltration

Performing large file or folder copy

-

Exfiltrating a file to an unlisted USB device

  1. Optional: List – Allowed listed USB devices

  2. Optional: List - Excluded file names from alerts on exfiltration

Connecting unlisted USB device

  1. Optional: List – Allowed listed USB devices

  2. Optional: List - Excluded vendors/models from alert on detecting connected USB

Exfiltrating a file to the web by uploading

  1. Mandatory: List - Keywords in file names to trigger alert on uploading

  2. Optional: List - Excluded file names from alerts on exfiltration

Exfiltrating a file that was tagged with a sensitive MIP label

  1. Mandatory: List - Sensitive MIP labels

Exfiltrating tracked file to a cloud sync folder

  1. Optional: List - Excluded file names from alerts on exfiltration

Printing sensitive documents

  1. Mandatory: List – Sensitive files

Printing large number of pages during irregular hours

  1. Optional: Irregular Hours/Days within the Alert Rule

Sending email with sensitive keywords in Subject to untrusted domain

  1. Mandatory: List - Sensitive keywords to be detected in Subject of outgoing emails

Sending email with large file attachment to untrusted domain

  1. Optional: File size threshold (5000 KB by default)

Sending email with sensitive file attachment to untrusted domain

  1. Mandatory: List – Sensitive files

Saving email file attachment to a local sync folder

-

Saving email file attachment to a USB storage device

-

Pasting files copied from sensitive folders

  1. Mandatory: List - Sensitive folders

Pasting text that contains predefined sensitive keywords

  1. Mandatory: List - Keywords to be monitored upon copying them to clipboard

DATA INFILTRATION

Browsing harmful, risky or contaminating sites

-

Downloading file from a site dedicated to downloads

-

Downloading file from a cloud storage service site

  1. Optional: List - Excluded site names from alert on download from cloud services

Downloading file with potentially malicious extension

  1. Optional: List - File extensions to detect malicious file download

Downloading file from infected or malicious site

-

CARELESS BEHAVIOR

Running software to enable sharing and access from remote machine

-

Opening a clear text file that potentially stores passwords

-

BYPASSING SECURITY CONTROLS

Running TOR browser

-

Downloading the MIMIKATZ utility

-

Browsing to website related to MIMIKATZ utility

-

Running VPN, Proxy or Tunneling tools

-

HIDING INFORMATION AND COVERING TRACKS

Clearing browsing history in Google Chrome

-

Clearing browsing history in IE or Firefox

-

Running steganography tools

-

RUNNING MALICIOUS SOFTWARE

Running password and license cracking tools

-

Running hacking or spoofing tools

-

Running command-line-based hacking tool

-

Running port scanning tools

-

UNACCEPTABLE USE

Running computer anti-sleep software

-

Browsing Illegal activities, violence or hate sites

-

Browsing unauthorized predefined sites

  1. Mandatory: List - Unauthorized black-listed websites

Browsing Adult sites

-

Browsing Gambling sites

-

Browsing Illegal drugs sites

-

UNAUTHORIZED DATA ACCESS

Accessing sensitive folder

  1. Mandatory: List - Sensitive folders

UNAUTHORIZED MACHINE ACCESS

Logging in remotely (RDP) to sensitive Windows Server from unauthorized client

  1. Mandatory: List - Sensitive Windows servers

  2. Optional: List - Authorized addresses for login from

Logging in to any machine by disabled users (ex-employees)

-

Logging in Remotely (RDP) to sensitive Windows Desktop by unauthorized user

  1. Mandatory: List - Sensitive Windows desktops

SEARCHING FOR INFORMATION

Searching data on password cracking

-

Searching data on steganography

-

Searching data on monitoring or sniffing

  1. Optional: List - Monitoring/sniffing keywords

Searching data on Remote Access and Desktop Sharing

  1. Optional: List - Remote access and desktop sharing keywords

Running advanced monitoring or sniffing

  1. Optional: List - Monitoring/sniffing keywords

Searching data on hacking or spoofing

  1. Optional: List - Hacking/Spoofing keywords

Searching data on file transfer (FTP or SFTP)

  1. Optional: List - FTP keywords

Searching data on Dynamic-DNS

  1. Optional: List - Dynamic-DNS keywords

Searching data on Darknet TOR (The Onion Router)

  1. Optional: List - TOR (Darkweb) keywords

Searching data on VPN, Proxy or Tunneling

  1. Optional: List - VPN/Proxy/Tunneling keywords

PERFORMING UNAUTHORIZED ADMIN TASKS

Running PowerShell-specific dangerous command

  1. Optional: List - PowerShell dangerous commands

MESSING WITH OBSERVEIT COMPONENTS

Trying to kill ObserveIT processes on Windows

  1. Optional: List - Command line tools

  2. Optional: List - ObserveIT services on Windows

  3. Optional: List - Kill commands on Windows

Trying to Kill ObserveIT processes on Mac

  1. Optional: List - Command line tools

  2. Optional: List - ObserveIT services on MAC

  3. Optional: List - Kill commands on Mac and Unix/Linux

Opening ObserveIT Agent folder

-

INSTALLING/UNINSTALLING QUESTIONABLE SOFTWARE

Installing hacking or spoofing tools

  1. Optional: List - Hacking/Spoofing keywords

  2. Optional: List - Reserved keyword used in Window Title of OIT virtual screenshots

COPYRIGHT INFRINGEMENT

Downloading file from copyright-violating or P2P site

-

Browsing copyright-violating sites

-

CREATING BACKDOOR

Adding a local Windows User

-